Page 994 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
account vulnerable to an attack if someone else accesses the browser.
The Open Web Application Security Project (OWASP)
publishes many different “cheat sheets” that provide specific
recommendations for application developers. The Session
Management Cheat Sheet provides guidance on web sessions
and the methods used to secure them (session ID entropy and length,
secure cookie attributes, regenerating the session ID after login, and
idle and absolute timeouts). URLs change, but you can find the cheat
sheet by using the search feature at https://www.owasp.org (the series
is currently hosted at https://cheatsheetseries.owasp.org).
AAA Protocols
Several protocols provide authentication, authorization, and
accounting and are referred to as AAA protocols. They provide
centralized access control for remote access systems such as virtual
private networks (VPNs) and other types of network access servers
(NASs): the NAS forwards the user's credentials to a central AAA
server rather than holding the credential store itself. This helps
protect internal LAN authentication systems and other servers from
remote attacks. When the remote access service runs on a separate
system, a successful attack on that system affects only the remote
access users; the attacker does not thereby gain access to internal
accounts. Mobile IP (RFC 5944), which lets mobile nodes such as
smartphones keep a stable IP address while roaming between networks,
also uses AAA protocols.
These AAA protocols use the access control elements of identification,
authentication, authorization, and accountability as described earlier
in this chapter. They ensure that users have valid credentials to
authenticate and verify that the user is authorized to connect to the
remote access server based on the user’s proven identity. Additionally,
the accounting element can track the user’s network resource usage,
which can be used for billing purposes. Some common AAA protocols
are covered next.
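The centralized exchange just described, worked through at the packet level with RADIUS (the first of the protocols covered next) as the concrete AAA protocol. This is an added example, not code from the study guide: it implements the RFC 2865 Access-Request/Access-Accept round trip in-process (no UDP), with the NAS hiding the User-Password under the Request Authenticator and the server binding its reply to that request with the Response Authenticator. The shared secret, the user store, the NAS address and the identifier values are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4       # RFC 2865 attribute types
SECRET = b"constructed-shared-secret"            # constructed: pre-shared NAS <-> server secret
USER_DB = {b"alice": b"correct horse battery"}   # constructed user store (21-byte password)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: NUL-pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        c = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + c, c
    return out

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; strips the NUL padding (passwords ending in NUL are unsupported)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        out, prev = out + _xor(c, hashlib.md5(secret + prev).digest()), c
    return out.rstrip(b"\x00")

def encode_attrs(attrs) -> bytes:
    """Attribute = Type(1) Length(1, includes this header) Value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data: bytes) -> dict:
    """Parse attributes defensively; a repeated type keeps the last value (enough for this demo)."""
    attrs, i = {}, 0
    while i + 2 <= len(data):
        t, ln = data[i], data[i + 1]
        if ln < 2 or i + ln > len(data):
            raise ValueError("malformed attribute length")
        attrs[t] = data[i + 2:i + ln]
        i += ln
    if i != len(data):
        raise ValueError("trailing bytes after last attribute")
    return attrs

def unpack_packet(pkt: bytes):
    """Header = Code(1) Identifier(1) Length(2) Authenticator(16), then attributes."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], pkt[20:]

def build_access_request(ident: int, username: bytes, password: bytes, secret: bytes):
    """NAS side: fresh random Request Authenticator; the password is hidden under it."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (USER_NAME, username),
        (USER_PASSWORD, hide_password(password, secret, request_auth)),
        (NAS_IP_ADDRESS, bytes([10, 0, 0, 1])),   # constructed NAS address
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth

def radius_server(request: bytes, secret: bytes, user_db=USER_DB) -> bytes:
    """Server side: recover the password, check it, sign the reply with a Response Authenticator."""
    code, ident, request_auth, attr_bytes = unpack_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("unexpected packet code")
    attrs = decode_attrs(attr_bytes)
    reply = ACCESS_REJECT
    if USER_NAME in attrs and USER_PASSWORD in attrs:
        password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
        stored = user_db.get(attrs[USER_NAME])
        if stored is not None and hmac.compare_digest(stored, password):
            reply = ACCESS_ACCEPT
    reply_attrs = b""   # a real Accept carries authorization attributes (Framed-IP-Address, VLAN, ...)
    header = struct.pack("!BBH", reply, ident, 20 + len(reply_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    response_auth = hashlib.md5(header + request_auth + reply_attrs + secret).digest()
    return header + response_auth + reply_attrs

def verify_response(response: bytes, ident: int, request_auth: bytes, secret: bytes) -> int:
    """NAS side: accept only replies bound to our request's identifier, authenticator and secret."""
    code, resp_ident, response_auth, attr_bytes = unpack_packet(response)
    if resp_ident != ident:
        raise ValueError("identifier mismatch (reply to a different request)")
    expected = hashlib.md5(response[:4] + request_auth + attr_bytes + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        raise ValueError("bad Response Authenticator (forged reply or wrong shared secret)")
    return code

def authenticate(username: bytes, password: bytes, secret: bytes = SECRET) -> bool:
    """Full round trip, in-process instead of over UDP/1812."""
    request, request_auth = build_access_request(7, username, password, secret)
    return verify_response(radius_server(request, secret), 7, request_auth, secret) == ACCESS_ACCEPT
```

Calling authenticate(b"alice", b"correct horse battery") returns True and a wrong password or unknown user returns False. The Response Authenticator check is what stops an on-path attacker from flipping an Access-Reject into an Access-Accept, but the User-Password hiding is only an MD5 keystream keyed by the shared secret, so the secret's strength and the protection of the NAS-to-server path matter; deployments commonly wrap RADIUS in TLS (RadSec, RFC 6614) or carry EAP methods inside it for that reason.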
RADIUS
Remote Authentication Dial-in User Service (RADIUS) centralizes
authentication for remote connections. It is typically used when an
organization has more than one network access server (or remote