lab 8 Access Controls

Assessment 8
1. Where can you store your public keys or public certificate files in the public domain? Is this the same thing as a Public Key Infrastructure (PKI) server?
A- Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition, store a certificate locally on the computer or device that requested it or, in the case of a user, on the computer or device that the user used to request it. The storage location is called the certificate store. A certificate store will often have numerous certificates, possibly issued from a number of different certification authorities.
B- Yes

2. What do you need to do if you want to decrypt encrypted messages and files from a trusted sender?
A- You need the private key to decrypt the encrypted message or files.

3. When referring to IPSec tunnel mode, what two types of headers are available and how do they differ?
A- Authentication Header (AH) and Encapsulating Security Payload (ESP)

4. Provide a step by step progression for a typical Certificate Enrollment process with a Certificate Authority.
A –

5. When designing a PKI infrastructure what are the advantages and disadvantages of making the CA available publicly over the Internet or keeping it within the private network?
CA Located in a Private Network

Advantages:
• Supports cross-certification of other CA server hierarchies on the enterprise corporate private network.
• The CA server is protected from public access, and from intrusion or DoS attacks from the public Internet.

Disadvantages:
• Requires a slightly more complicated VPN router configuration. Because the CA server cannot be reached on the public Internet, enrolling a new branch requires a VPN administrator to certificate-enroll the VPN routers in one of the following ways:
  – Locally in the enterprise campus prior to shipping them to a remote location
  – Over an IPSec pre-shared tunnel connection
  – Interactively through cut-and-paste certificate enrollment over a telnet/ssh session to a remote VPN router
• Because the CA server cannot be reached from the public Internet, it cannot be used for other Cisco-specific applications that have public X.509 certificate requirements.

CA Located in a Public Network

Advantages:
• Provides a CA server that can be used for IPSec tunnels or other Cisco-specific applications that have public X.509 certificate requirements.
• Provides the simplest enrollment for the VPN endpoint routers.
• Provides for cross-certification of other CA server hierarchies on the public Internet.

Disadvantages:
• Because the CA server is available to the public, it is a possible target for intrusion or DoS attacks. Precautions must be taken to protect the server.

6. Designing a PKI involves several steps. Per the Windows Best Practices for Designing a PKI, what are those steps? In your own words, explain what each step is meant to do.
A- Defining your certificate requirements – by defining these requirements, it makes the rest of the steps a bit easier
B- Creating a design for your infrastructure – by creating a design for the infrastructure, it alleviates the confusion of where each is located
C- Creating a certificate management plan – the certificate management plan is designed to manage the certificates
D- Deploying your PKI solution – putting it into use

7. When deploying a PKI, it is important to understand how many CAs will be necessary to properly implement the infrastructure. Provide 3-5 important considerations that must be taken into account before deploying a PKI for a large environment.
A- Connectivity
B- Routing and Switching Capabilities
C- Network Security
D- Access Controls

8. What is the main function of the certutil.exe command line tool available in Microsoft Windows?
A - You can use Certutil to extract and display CA configuration information, configure Certificate Services, back up and restore CA components, and verify certificates, key pairs, and certificate chains.

9. What is the OpenSSL project and their mission?
A - The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The project is managed by a worldwide community of volunteers that use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

10. What is the purpose of Single Sign-on? Provide one example of how it benefits security and one example as to how it can increase security risk.
A – It allows a user to use a single login and password to access everything in a network. The benefit of it is that the user only has to remember one username and password. It can increase security risk if someone manages to get a hold of a user’s username and password.

11. True or False. You can enable VPN technology for remote access for mobile workers using the public Internet and also for Wireless LANs (WLAN) within the LAN Domain to ensure confidentiality.
A - True

12. Relate back to the C-I-A tenets of information system security. Hashing provides file Confidentiality, while encryption provides file Integrity.

13. Which method of hashing provides for stronger file integrity verification and why? MD5 or SHA-1?
A- SHA-1 provides for stronger file integrity verification because it is 160 bit compared to MD5 at 128 bit.

14. True or False. By Public Key Infrastructure, it is acceptable to share and host your key for all to see and use on a public or shared help server.
A- True

15. True or False. You can host your public key at http://pgp.mit.edu/ because MIT hosts a Public Key Infrastructure for all to use.
A- True
