In a Zero Trust environment, subjects receive no implicit or inherent privileges based solely on the network location or asset ownership. Which of the following is the best design to avoid reconnaissance attacks and connect to transportation services? (Wentz QOTD)
A. 802.1X (EAP over LAN)
B. OpenID Connect (OIDC)
C. Single Packet Authorization (SPA)
D. eXtensible Access Control Markup Language (XACML)
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Single Packet Authorization (SPA).
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.
Zero Trust always verifies subjects and resource requests at various layers or aspects. For example, 802.1X is implemented to authenticate local area network access at layer 2, Single Packet Authorization (SPA) at layer 4 to open TCP or UDP ports dynamically, OIDC for user authentication, and XACML for authorization.
Avoiding reconnaissance attacks and connecting to transportation services are concerns at layer 4 (TCP or UDP). Single Packet Authorization (SPA) is a port knocking technique that can be implemented to dynamically open ports.
- IEEE 802.1X
- ZERO TRUST: SINGLE PACKET AUTHORIZATION | PASSIVE AUTHORIZATION
- Microsoft identity platform and OpenID Connect protocol
在零信任環境中，主體不會獲得僅基於網絡位置或資產所有權的隱含或固有特權。 以下哪一項是避免偵察攻擊並連接到傳輸服務的最佳設計？ (Wentz QOTD)
A. 802.1X（EAP over LAN）
B. OpenID 連接 (OIDC)