368 Appendix ■ Answers
8. B. The Simple Authentication and Security Layer (SASL) for LDAP provides support for a range of authentication types, including secure methods. Anonymous authentication does not require or provide security, and simple authentication can be tunneled over SSL or TLS but does not provide security by itself. S-LDAP is not an LDAP protocol.
9. C. Palm scans compare the vein patterns in the palm to a database to authenticate a user. Vein patterns are unique, and this method is a better single-factor authentication method than voice pattern recognition, hand geometry, and pulse patterns, each of which can be more difficult to uniquely identify between individuals or can be fooled more easily.
10. B. Allowing the relying party to provide the redirect to the OpenID provider could allow a phishing attack by directing clients to a fake OpenID provider that can capture valid credentials. Since the OpenID provider URL is provided by the client, the relying party cannot select the wrong provider. The relying party never receives the user’s password, which means that they can’t steal it. Finally, the relying party receives the signed assertion but does not send one.
11. A. IDaaS, or identity as a service, provides an identity platform as a third-party service. This can provide benefits including integration with cloud services and removing overhead for maintenance of traditional on-premises identity systems, but it can also create risk due to third-party control of identity services and reliance on an offsite identity infrastructure.
12. B. Drives in a RAID-5 array are intended to handle failure of a drive. This is an example of a recovery control, which is used to return operations to normal function after a failure. Administrative controls are policies and procedures. Compensation controls help cover for issues with primary controls or improve them. Logical controls are software and hardware mechanisms used to protect resources and systems.
13. D. The Linux filesystem allows the owners of objects to determine the access rights that subjects have to them. This means that it is a discretionary access control. If the system enforced a role-based access control, Alex wouldn’t set the controls; they would be set based on the roles assigned to each subject. A rule-based access control system would apply rules throughout the system, and a mandatory access control system uses classification labels.
14. D. Diameter was designed to provide enhanced, modern features to replace RADIUS. Diameter provides better reliability and a broad range of improved functionality. RADIUS-NG does not exist, Kerberos is not a direct competitor for RADIUS, and TACACS is not an open protocol.
15. A. In this example, uid=ben,ou=sales,dc=example,dc=com, the items proceed from most specific to least specific (broadest) from left to right, as required by a DN.
16. D. Kerberos relies on properly synchronized time on each end of a connection to function. If the local system time is more than five minutes out of sync, valid TGTs will be invalid and the system won’t receive any new tickets.
17. A. Kerberos, KryptoKnight, and SESAME are all single sign-on, or SSO, systems. PKI systems are public key infrastructure systems, CMS systems are content management systems, and LDAP and other directory servers provide information about services, resources, and individuals.