CompTIA’s Network+ certification Study Guide, part 47. Network+ is a globally recognized, vendor-neutral exam that has helped over 235,000 IT professionals advance in their careers. The 2009 Network+ exam (N10-004) is a major update with more focus on the security and wireless aspects of networking, and this study guide has been updated accordingly, with coverage of network, systems, and WAN security and of today’s wireless networking standards.

446 CHAPTER 9 Security Standards and Services
Network Access Security

[Figure: Authentication path for logon access in a Kerberos realm]

[Figure: Resource access in Kerberos realms]

As the authentication-path figure shows, two events occur when credentials (a password, smart card, or biometric) are presented to the KDC for authentication. This is because of the dual role of the KDC: it acts as both an Authentication Server (AS) and a Ticket Granting Server (TGS). First, the authentication credential is presented to the KDC, where it is verified by the Authentication Server function. Second, the KDC’s Ticket Granting Server function issues a Ticket Granting Ticket (TGT), which is associated with your access token for as long as you remain logged on and authenticated. The TGT expires when you or the service disconnect or log off the network, or when it times out. The Kerberos administrator can change the expiry timeout to fit organizational needs; the default is one day (86,400 s). The TGT is cached locally for use during the active session.

The resource-access figure shows the process for reaching a resource in a Kerberos realm. It starts with the client presenting the previously granted, cached TGT to the authenticating KDC. The KDC returns a session ticket (a service ticket for that particular resource) to the entity requesting access. The client then presents this session ticket to the remote resource server, which, after accepting the ticket, allows the session to the resource to be established.

Kerberos uses a time stamp, and we need to understand where and when it is used. The time stamp limits the possibility of replay or spoofing of credentials: each request carries an authenticator stamped with the client’s current time, and the receiving server rejects any authenticator whose time stamp falls outside its allowed clock skew (five minutes by default) or which it has already seen within that window. Replay is the capture of information and its later retransmission, modified or not, to the entity waiting to receive the communication; if unchecked, it allows impersonation of credentials when seeking access. Spoofing is the substitution of addressing or authentication information to .
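The two exchanges above (logon via the AS, resource access via the TGS and the resource server) and the time-stamp check, worked through as an added example that is not from the study guide or any Kerberos implementation. It models tickets and authenticators as HMAC-SHA256-sealed JSON rather than the encrypted ASN.1 structures real Kerberos uses, and the realm, principal names (alice@EXAMPLE.COM, cifs/fs1.example.com), keys and clock values are all constructed for the demo. The 300-second skew and the 86,400-second TGT lifetime are the usual defaults; everything else is an assumption of the model.

```python
"""Toy model of the Kerberos logon and resource-access flows (constructed example).
HMAC-sealed JSON stands in for the encrypted tickets/authenticators of the real protocol."""
import hashlib
import hmac
import json
import os

CLOCK_SKEW = 300        # seconds of drift a server tolerates (usual default: 5 minutes)
TGT_LIFETIME = 86_400   # default TGT lifetime quoted in the text: one day


def _seal(key: bytes, payload: dict) -> dict:
    """Stand-in for Kerberos encryption: bind payload to key with HMAC-SHA256 so nobody
    without the key can forge or alter it (confidentiality is not modelled here)."""
    body = json.dumps(payload, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), hashlib.sha256).hexdigest()}


def _open(key: bytes, sealed: dict) -> dict:
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("integrity check failed: ticket/authenticator forged or tampered")
    return json.loads(sealed["body"])


def make_authenticator(session_key: bytes, cname: str, now: int) -> dict:
    """Client side: current time + nonce sealed under the session key (the authenticator)."""
    return _seal(session_key, {"cname": cname, "ctime": now, "nonce": os.urandom(8).hex()})


def _check_authenticator(session_key: bytes, authenticator: dict, cname: str, now: int) -> dict:
    a = _open(session_key, authenticator)
    if a["cname"] != cname:
        raise PermissionError("authenticator principal does not match ticket")
    if abs(now - a["ctime"]) > CLOCK_SKEW:      # the time-stamp check the text describes
        raise PermissionError("authenticator time stamp outside allowed clock skew")
    return a


class KDC:
    """One host in both roles: Authentication Server (AS) and Ticket Granting Server (TGS)."""
    def __init__(self, principals: dict, service_keys: dict):
        self.principals = principals        # principal -> long-term key (from password, smart card, ...)
        self.service_keys = service_keys    # service principal -> its long-term key
        self.krbtgt_key = os.urandom(32)    # only the KDC can open a TGT

    def as_exchange(self, principal: str, key: bytes, now: int):
        """AS-REQ/AS-REP: verify the credential, return a TGT and the TGT session key."""
        if not hmac.compare_digest(self.principals.get(principal, b""), key):
            raise PermissionError("authentication failed")
        skey = os.urandom(32).hex()
        tgt = _seal(self.krbtgt_key, {"cname": principal, "skey": skey,
                                      "start": now, "end": now + TGT_LIFETIME})
        return tgt, bytes.fromhex(skey)

    def tgs_exchange(self, tgt: dict, authenticator: dict, service: str, now: int):
        """TGS-REQ/TGS-REP: accept the cached TGT, return a service ticket for `service`."""
        t = _open(self.krbtgt_key, tgt)
        if not t["start"] <= now < t["end"]:
            raise PermissionError("TGT expired; log on again")
        _check_authenticator(bytes.fromhex(t["skey"]), authenticator, t["cname"], now)
        skey = os.urandom(32).hex()
        ticket = _seal(self.service_keys[service], {"cname": t["cname"], "skey": skey,
                                                    "start": now, "end": t["end"]})
        return ticket, bytes.fromhex(skey)


class ResourceServer:
    """Remote resource server: accepts a service ticket plus a fresh authenticator (AP-REQ)."""
    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = {}   # authenticator tag -> ctime; only the skew window is kept

    def accept(self, ticket: dict, authenticator: dict, now: int) -> str:
        t = _open(self.key, ticket)
        if not t["start"] <= now < t["end"]:
            raise PermissionError("service ticket expired")
        a = _check_authenticator(bytes.fromhex(t["skey"]), authenticator, t["cname"], now)
        # Older authenticators already fail the skew check, so the cache can forget them.
        self.replay_cache = {tag: ct for tag, ct in self.replay_cache.items() if now - ct <= CLOCK_SKEW}
        if authenticator["tag"] in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache[authenticator["tag"]] = a["ctime"]
        return t["cname"]


def _rejected(fn) -> bool:
    try:
        fn()
    except (PermissionError, ValueError):
        return True
    return False


def demo() -> dict:
    """Logon, resource access, then the replay/tamper/expiry cases the text warns about."""
    alice_key = hashlib.sha256(b"constructed-password").digest()   # constructed, not a real credential
    fs_key = os.urandom(32)
    kdc = KDC({"alice@EXAMPLE.COM": alice_key}, {"cifs/fs1.example.com": fs_key})
    fs1 = ResourceServer(fs_key)
    t0 = 1_700_000_000
    tgt, tgt_skey = kdc.as_exchange("alice@EXAMPLE.COM", alice_key, t0)            # logon
    ticket, svc_skey = kdc.tgs_exchange(                                            # resource access
        tgt, make_authenticator(tgt_skey, "alice@EXAMPLE.COM", t0 + 60), "cifs/fs1.example.com", t0 + 60)
    auth = make_authenticator(svc_skey, "alice@EXAMPLE.COM", t0 + 61)
    tampered = {"body": ticket["body"].replace("alice", "admin"), "tag": ticket["tag"]}
    late = t0 + 61 + CLOCK_SKEW + 1
    return {
        "logon_ok": fs1.accept(ticket, auth, t0 + 62) == "alice@EXAMPLE.COM",
        "replay_rejected": _rejected(lambda: fs1.accept(ticket, auth, t0 + 63)),
        "stale_rejected": _rejected(lambda: fs1.accept(
            ticket, make_authenticator(svc_skey, "alice@EXAMPLE.COM", t0 + 61), late)),
        "tampered_rejected": _rejected(lambda: fs1.accept(ticket, tampered, t0 + 64)),
        "expired_tgt_rejected": _rejected(lambda: kdc.tgs_exchange(
            tgt, make_authenticator(tgt_skey, "alice@EXAMPLE.COM", t0 + TGT_LIFETIME + 1),
            "cifs/fs1.example.com", t0 + TGT_LIFETIME + 1)),
        "bad_password_rejected": _rejected(lambda: kdc.as_exchange("alice@EXAMPLE.COM", b"wrong", t0)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:24s} {'PASS' if ok else 'FAIL'}")
```

The point to take from the model is the order of checks on the resource server: ticket validity window first, then the authenticator’s time stamp against the clock skew, and only then the replay cache. Because anything older than the skew window is already refused, the cache never has to grow beyond a few minutes of traffic, which is why real KDCs and services can afford to keep one. Run the block directly and every line should print PASS.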