CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 11: Access Control Fundamentals
© Cengage Learning 2015
Objectives
• Define access control and list the four access control models
• Describe how to implement access control
• Explain the different types of authentication services
CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition, slide 2, © Cengage Learning 2015
What Is Access Control?
• Access control
  – Granting or denying approval to use specific resources
• Physical access control
  – Consists of fencing, hardware door locks, and mantraps to limit contact with devices
• Technical access control
  – Consists of technology restrictions that limit users on computers from accessing data
• There are four standard access control models
Access Control Terminology
• Identification
  – Presenting credentials
  – Example: delivery driver presenting employee badge
• Authentication
  – Checking the credentials
  – Example: examining the delivery driver’s badge
• Authorization
  – Granting permission to take action
  – Example: allowing delivery driver to pick up package
Access Control Terminology
• Object
  – A specific resource
  – Example: file or hardware device
• Subject
  – A user or process functioning on behalf of a user
  – Example: computer user
• Operation
  – The action taken by the subject over an object
  – Example: deleting a file
Access Control Models
• Access control model
  – Standards that provide a predefined framework for hardware or software developers
  – Use the appropriate model to configure the necessary level of control
• Four major access control models
  – Discretionary Access Control (DAC)
  – Mandatory Access Control (MAC)
  – Role Based Access Control (RBAC)
  – Rule Based Access Control (RBAC)
Access Control Models
• Discretionary Access Control (DAC)
  – Least restrictive model
  – Every object has an owner
  – Owners have total control over their objects
  – Owners can give permissions to other subjects over their objects
  – Used on operating systems such as most types of UNIX and Microsoft Windows
Access Control Models
• DAC weaknesses
  – Relies on decisions by the end user to set the proper security level
    • Incorrect permissions may be granted
  – Subject’s permissions will be “inherited” by any programs the subject executes
  – Malware downloaded onto a user’s computer that uses the DAC model would then run at the same high level as the user’s privileges
Access Control Models
• Mandatory Access Control (MAC)
  – Most restrictive access control model
  – Typically found in military settings
  – Two elements
    • Labels: every entity is an object and is assigned a classification label that represents the relative importance of the object
      – Subjects are assigned a privilege label (clearance)
    • Levels: a hierarchy based on the labels is used
      – Top secret has a higher level than secret, which has a higher level than confidential
Access Control Models
• MAC grants permissions by matching object labels with subject labels
  – Labels indicate level of privilege
• To determine if a file may be opened:
  – Object and subject labels are compared
  – The subject must have an equal or greater level than the object to be granted access
• Two major implementations of MAC
  – Lattice model
  – Bell-LaPadula model
Access Control Models
• Lattice model
  – Subjects and objects are assigned a “rung” on the lattice
  – Multiple lattices can be placed beside each other
• Bell-LaPadula (BLP) model
  – Similar to lattice model
  – Subjects may not create a new object or perform specific functions on lower level objects
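The label comparison on the previous slide and the Bell-LaPadula restriction on lower-level objects can be written as two small decision functions. The Python below is an added example, not code from the textbook; it uses only the three levels the slides name (confidential, secret, top secret) and adds the Bell-LaPadula "no write down" rule, which is the specific function on lower-level objects that BLP forbids:

```python
# Added example (not from the textbook): a Mandatory Access Control decision
# function using the three levels named on the slides, plus the Bell-LaPadula
# write rule. Level names and the sample decisions are the only inputs.
from dataclasses import dataclass

# Hierarchy from the slides: top secret > secret > confidential.
LEVELS = {"confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    """A classification label on an object or a clearance label on a subject."""
    level: str

    def __post_init__(self):
        if self.level not in LEVELS:
            raise ValueError(f"unknown level: {self.level!r}")

    @property
    def rank(self) -> int:
        return LEVELS[self.level]

    def dominates(self, other: "Label") -> bool:
        """True when this label sits on the same or a higher rung of the lattice."""
        return self.rank >= other.rank


def can_read(subject: Label, obj: Label) -> bool:
    """Read (open) check from the slides: the subject's clearance must be equal
    to or greater than the object's classification ("no read up")."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Bell-LaPadula *-property ("no write down"): a subject may not write into
    an object classified below its own clearance, so a top-secret process cannot
    copy what it has read into a confidential file."""
    return obj.dominates(subject)


def decide(subject_level: str, operation: str, object_level: str) -> str:
    """Return 'grant' or 'deny' for a read or write request."""
    checks = {"read": can_read, "write": can_write}
    if operation not in checks:
        raise ValueError(f"unknown operation: {operation!r}")
    allowed = checks[operation](Label(subject_level), Label(object_level))
    return "grant" if allowed else "deny"


if __name__ == "__main__":
    # Print the full decision matrix so the two rules can be compared.
    for op in ("read", "write"):
        print(f"--- {op} ---")
        for s in LEVELS:
            row = [f"{o}: {decide(s, op, o)}" for o in LEVELS]
            print(f"subject={s:12s} " + ", ".join(row))
```

Reading the matrix shows why MAC is called the most restrictive model: a subject cleared to secret can open confidential and secret objects but not top secret ones, and the write rule stops the same subject from writing into a confidential object at all, regardless of what the object's owner might prefer.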
Access Control Models
• Microsoft Windows uses a MAC implementation called Mandatory Integrity Control (MIC)
  – A security identifier (SID) is issued to the user, group, or session
  – Each time a user logs in, the SID is retrieved from the database for that user
  – The SID is used to identify the user in subsequent interactions with Windows
  – Windows links the SID to an integrity level
  – User Access Control (UAC): a Windows feature that controls user access to resources
Access Control Models
• Role Based Access Control (RBAC)
  – Also called Non-Discretionary Access Control
  – Access permissions are based on the user’s job function
• RBAC assigns permissions to particular roles in an organization
  – Users are assigned to those roles
• Rule Based Access Control (RBAC)
  – Dynamically assigns roles to subjects based on a set of rules defined by a custodian
Access Control Models
• Rule Based Access Control (cont’d.)
  – Each resource object contains access properties based on the rules
  – When a user attempts access, the system checks the object’s rules to determine access permission
  – Often used for managing user access to one or more systems
    • Business changes may trigger application of the rules specifying access changes
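The two RBAC slides above are easiest to tell apart in code. The Python below is an added example, not from the textbook: the roles, permissions, users and the two custodian rules (a business-hours rule and an on-site rule) are constructed sample data and assumptions for the demonstration, not values the slides specify. Role Based decisions come from static user-to-role assignments; Rule Based decisions add roles dynamically while a rule's condition holds, so a business change (a department move, a shift ending) changes the outcome without anyone editing the user's assignments:

```python
# Added example (not from the textbook): Role Based and Rule Based Access
# Control side by side. Roles, permissions, users and rules are constructed
# sample data; the time-of-day and location conditions are assumed rules a
# custodian might define, not rules the slides specify.
from datetime import datetime, time

# RBAC: permissions belong to roles; users are assigned to roles.
ROLE_PERMISSIONS = {
    "accounts_payable": {"invoice:read", "invoice:approve"},
    "auditor": {"invoice:read", "ledger:read"},
    "helpdesk": {"user:reset_password"},
}
USER_ROLES = {
    "alice": {"accounts_payable"},
    "bob": {"auditor"},
    "carol": set(),  # no static role; gets roles only through the rules below
}


def permissions_for_roles(roles):
    """Union of the permissions of every role in the set."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def rbac_allows(user, permission):
    """Pure RBAC decision: the user's static roles must carry the permission."""
    return permission in permissions_for_roles(USER_ROLES.get(user, set()))


# Rule Based: the custodian writes rules; a role is assigned dynamically for as
# long as the rule's condition holds for the subject's current attributes.
def during_business_hours(ctx):
    return time(8, 0) <= ctx["now"].time() <= time(18, 0)


def on_site(ctx):
    return ctx["location"] == "office"


RULES = [
    # (condition over the subject's context, role granted while it holds)
    (lambda ctx: ctx["department"] == "finance" and during_business_hours(ctx),
     "accounts_payable"),
    (on_site, "helpdesk"),
]


def rule_based_roles(ctx):
    return {role for condition, role in RULES if condition(ctx)}


def effective_permissions(user, ctx):
    """Static RBAC roles plus the roles the rules assign right now."""
    return permissions_for_roles(USER_ROLES.get(user, set()) | rule_based_roles(ctx))


def allows(user, permission, ctx):
    return permission in effective_permissions(user, ctx)


def context(when_iso, department, location):
    """Build the subject context the rules evaluate (constructed attributes)."""
    return {"now": datetime.fromisoformat(when_iso),
            "department": department, "location": location}
```

With these definitions `rbac_allows("bob", "invoice:approve")` is false because the auditor role never carries that permission, while `allows("carol", "invoice:approve", context("2015-06-01T10:00", "finance", "remote"))` is true only because the finance-during-business-hours rule is granting the accounts_payable role at that moment; the same call at 22:00 yields nothing.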
Best Practices for Access Control
• Establishing best practices for limiting access
  – Can help secure systems and data
• Examples of best practices
  – Separation of duties
  – Job rotation
  – Least privilege
  – Implicit deny
  – Mandatory vacations
Best Practices for Access Control
• Separation of duties
  – Fraud can result from a single user being trusted with complete control of a process
  – Requires two or more people to be responsible for functions related to handling money
  – The system is not vulnerable to the actions of a single person
• Job rotation
  – Individuals are periodically moved between job responsibilities
Best Practices for Access Control
• Job rotation (cont’d.)
  – Employees can rotate within their department or across departments
• Advantages of job rotation
  – Limits the amount of time individuals are in a position to manipulate security configurations
  – Helps expose potential avenues for fraud
    • Individuals have different perspectives and may uncover vulnerabilities
  – Reduces employee burnout
Best Practices for Access Control
• Least privilege
  – Limiting access to information based on what is needed to perform a job function
  – Helps reduce the attack surface by eliminating unnecessary privileges
  – Should apply to users and to processes running on the system
  – Processes should run at the minimum security level needed to function correctly
Best Practices for Access Control
• Implicit deny
  – If a condition is not explicitly met, the access request is rejected
  – Example: a network router rejects all access except connections matching the rule restrictions
• Mandatory vacations
  – Limits fraud, because a perpetrator must be present daily to hide fraudulent actions
  – An audit of the employee’s activities is usually scheduled during the vacation for sensitive positions
Implementing Access Control
• Technologies used to implement access control
  – Access control lists
  – Group Policy
  – Account restrictions
Access Control Lists
• Access control list (ACL)
  – A set of permissions attached to an object
    • Specifies which subjects may access the object and what operations they can perform
• When a subject requests to perform an operation:
  – The system checks the ACL for an approved entry
• ACLs are usually viewed in relation to operating system files
Access Control Lists
• Each entry in the ACL table is called an access control entry (ACE)
• ACE structure (Windows)
  – Security identifier (SID) for the user or group account or logon session
  – Access mask that specifies the access rights controlled by the ACE
  – Flag that indicates the type of ACE
  – Set of flags that determine whether child objects can inherit the ACE
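The four ACE fields listed above, the ACL check on the earlier slide ("the system checks the ACL for an approved entry") and the implicit deny best practice fit together in one evaluator. The Python below is an added example and not code from the textbook or from Windows; the SIDs, the simplified access mask bits and the folder's entries are constructed sample values. It follows the ordered evaluation of a Windows DACL, in which denied entries are listed first, allowed entries accumulate rights, and reaching the end of the list without every requested right being granted is a deny:

```python
# Added example (not from the textbook): an ACL made of Windows-style access
# control entries, evaluated in order with implicit deny at the end. SIDs,
# rights and the folder's entries are constructed sample values.
from dataclasses import dataclass, field
from enum import Flag, auto


class Access(Flag):
    """Access mask bits (a simplified stand-in for Windows access rights)."""
    READ = auto()
    WRITE = auto()
    DELETE = auto()


@dataclass(frozen=True)
class ACE:
    sid: str                   # security identifier of a user, group or logon session
    mask: Access               # access rights this ACE controls
    allow: bool                # ACE type: True = access-allowed, False = access-denied
    inheritable: bool = False  # whether child objects inherit this ACE


@dataclass
class ACL:
    entries: list = field(default_factory=list)

    def check(self, token_sids, requested):
        """Decide one operation for a subject whose token holds token_sids.

        Entries are walked in order. A matching access-denied ACE that covers
        any requested right denies the request outright; matching allow ACEs
        accumulate rights until every requested right is granted. Reaching the
        end of the list without full coverage means deny, so an empty ACL, or
        an ACL that never mentions the subject, denies everything: implicit deny.
        """
        granted = Access(0)
        for ace in self.entries:
            if ace.sid not in token_sids:
                continue
            if not ace.allow and (ace.mask & requested):
                return False
            if ace.allow:
                granted |= ace.mask & requested
                if granted == requested:
                    return True
        return False

    def for_child(self):
        """ACL a newly created child object inherits: only the inheritable ACEs."""
        return ACL([ace for ace in self.entries if ace.inheritable])


# Constructed SIDs (the domain and RID parts are sample values, not a real domain).
SID_ALICE = "S-1-5-21-0-0-0-1104"
SID_USERS = "S-1-5-21-0-0-0-1105"
SID_BACKUP = "S-1-5-21-0-0-0-1106"

# Denied ACEs listed first, as in a canonically ordered DACL.
FOLDER_ACL = ACL([
    ACE(SID_BACKUP, Access.DELETE, allow=False, inheritable=True),
    ACE(SID_ALICE, Access.READ | Access.WRITE | Access.DELETE, allow=True, inheritable=True),
    ACE(SID_USERS, Access.READ, allow=True),  # not inheritable: children do not get it
])
```

Two outcomes are worth tracing by hand. A subject whose token holds both `SID_ALICE` and `SID_BACKUP` is refused `Access.DELETE` even though an allow entry for Alice follows, because the denied entry is reached first; and a member of `SID_USERS` who asks for `Access.WRITE` on the folder, or for `Access.READ` on a newly created child, is refused without any entry saying so, which is what implicit deny means in practice.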
Group Policies
• Group Policy
  – A Microsoft Windows feature that provides centralized management and configuration of computers and remote users using Active Directory (AD)
  – Usually used in enterprise environments
  – Settings stored in Group Policy Objects (GPOs)
• Local Group Policy
  – Has fewer options than a Group Policy
  – Used to configure settings for systems not part of AD
Account Restrictions
• Time of day restrictions
  – Limit the time of day a user may log onto a system
  – Time blocks for permitted access are chosen
  – Can be set on individual systems
Account Restrictions
• Account expiration
  – Orphaned accounts: accounts that remain active after an employee has left the organization
  – Dormant accounts: accounts not accessed for a lengthy period of time
• Recommendations for dealing with orphaned or dormant accounts
  – Establish a formal process
  – Terminate access immediately
  – Monitor logs
Account Restrictions
• Orphaned accounts remain a problem in today’s organizations
• Account expiration
  – Sets a user’s account to expire
• Password expiration sets a time when the user must create a new password
  – Different from account expiration
• Account expiration can be a set date, or a number of days of inactivity
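The account restrictions on the last three slides (time-of-day windows, expiration by date, and the orphaned and dormant accounts that a formal review process should catch) can all be expressed as checks over an account record. The Python below is an added example, not code from the textbook: the accounts, dates and the 90-day dormancy threshold are constructed sample values and an assumed policy, and the review function is the kind of scheduled check that "Establish a formal process" and "Monitor logs" call for:

```python
# Added example (not from the textbook): checks behind the account restrictions
# described on these slides: time-of-day windows, account expiration, and the
# detection of dormant and orphaned accounts. The accounts, dates and the
# 90-day dormancy threshold are constructed sample values and an assumed policy.
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional, Tuple

DORMANT_AFTER = timedelta(days=90)  # assumed policy threshold, not from the slides


@dataclass
class Account:
    username: str
    enabled: bool
    last_logon: Optional[datetime]   # None = never logged on
    expires_on: Optional[date]       # fixed account expiration date, or None
    employee_active: bool            # HR record says the person is still employed
    permitted_hours: Tuple[time, time] = (time(0, 0), time(23, 59))


def logon_permitted(acct, now):
    """Time-of-day restriction plus account state: a logon is allowed only inside
    the permitted window, on an enabled account, on or before its expiry date."""
    start, end = acct.permitted_hours
    in_window = start <= now.time() <= end
    not_expired = acct.expires_on is None or now.date() <= acct.expires_on
    return acct.enabled and in_window and not_expired


def is_dormant(acct, now):
    """Enabled but not used for longer than the dormancy threshold."""
    if not acct.enabled:
        return False
    return acct.last_logon is None or now - acct.last_logon > DORMANT_AFTER


def is_orphaned(acct):
    """Still enabled although the employee has left the organization."""
    return acct.enabled and not acct.employee_active


def review(accounts, now):
    """Return {username: [findings]} for the accounts that need attention."""
    findings = {}
    for acct in accounts:
        flags = []
        if is_orphaned(acct):
            flags.append("orphaned")
        if is_dormant(acct, now):
            flags.append("dormant")
        if acct.enabled and acct.expires_on and now.date() > acct.expires_on:
            flags.append("expired-but-enabled")
        if flags:
            findings[acct.username] = flags
    return findings


# Constructed sample directory (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", True, datetime(2015, 5, 30, 8, 15), None, True, (time(8, 0), time(18, 0))),
    Account("bob", True, datetime(2015, 1, 15, 9, 0), None, True),
    Account("carol", True, datetime(2015, 5, 28, 17, 40), None, False),
    Account("dave", True, datetime(2015, 5, 25, 12, 0), date(2015, 5, 1), True),
    Account("erin", False, None, None, False),
]


def sample_review():
    """Run the review over the sample directory as of 2015-06-01 09:30."""
    return review(SAMPLE_ACCOUNTS, datetime(2015, 6, 1, 9, 30))


def alice_logon_at(hour):
    """Can alice (permitted 08:00 to 18:00) log on at the given hour on 2015-06-01?"""
    return logon_permitted(SAMPLE_ACCOUNTS[0], datetime(2015, 6, 1, hour, 0))
```

Run against the sample directory, the review flags bob as dormant (no logon since January), carol as orphaned (enabled, but HR shows the employee gone) and dave as expired but still enabled; erin's disabled account is left alone because disabling is exactly the outcome the process wants. The orphaned check is the one that matters most on the slides' own terms: account expiration only helps if the expiry date or inactivity limit is actually set, so the review is the backstop for accounts where it was not.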
Authentication Services
• Authentication
  – The process of verifying credentials
• Authentication services provided on a network
  – Dedicated authentication server
  – A server that performs authentication, authorization, and accounting is called an AAA server
• Common types of authentication and AAA servers
  – RADIUS, Kerberos, Terminal Access Control Access Control System (TACACS), generic servers built on the Lightweight Directory Access Protocol (LDAP), Security Assertion Markup Language (SAML)
RADIUS
• Remote Authentication Dial In User Service
  – Developed in 1992
  – Became an industry standard
  – Suitable for high-volume service control applications
    • Such as dial-in access to a corporate network
  – Still in use today
• RADIUS client
  – Typically a device such as a wireless AP
    • Responsible for sending user credentials and connection parameters to the RADIUS server
RADIUS
• RADIUS user profiles are stored in a central database that all remote servers can share
• Advantages of a central service
  – Increases security due to a single administered network point
  – Easier to track usage for billing and keeping network statistics
Kerberos
• Authentication system developed at MIT
  – Uses encryption and authentication for security
• Most often used in educational and government settings
• Works like using a driver’s license to cash a check
• Kerberos ticket characteristics:
  – Difficult to copy
  – Contains information linking it to the user
  – User presents the ticket to the network for a service
  – Expires in a few hours or a day
Terminal Access Control Access Control System (TACACS)
• Authentication service similar to RADIUS
• Commonly used on UNIX devices
• Communicates by forwarding user authentication information to a centralized server
• The current version is TACACS+
Lightweight Directory Access Protocol (LDAP)
• A directory service is a database stored on a network
  – Contains information about users and network devices
  – Keeps track of network resources and users’ privileges to those resources
  – Grants or denies access based on its information
• Standard for directory services
  – X.500
Lightweight Directory Access Protocol
• The X.500 standard defines the Directory Access Protocol (DAP), which a client application uses to access the directory
• LDAP
  – A simpler subset of DAP
  – Designed to run over TCP/IP
  – Encodes protocol elements in a simpler way than X.500
• LDAP traffic is transmitted in cleartext
  – Can be made secure by using SSL or TLS
  – Known as Secure LDAP or LDAP over SSL (LDAPS)
Lightweight Directory Access Protocol
• Weakness of LDAP
  – Can be subject to LDAP injection attacks
    • Similar to SQL injection attacks
    • Occurs when user input is not properly filtered
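"Not properly filtered" has a precise meaning for LDAP: the search filter grammar gives special meaning to `*`, `(`, `)`, `\` and NUL, and RFC 4515 requires any of them appearing inside an assertion value to be written as a `\XX` escape. The Python below is an added example, not from the textbook or from any LDAP library: it puts an unsafe filter builder beside the escaped one and includes a structural check that shows what the escaping protects. The filter shape (`objectClass=person` plus a `uid` clause) and the sample inputs are constructed for the demonstration:

```python
# Added example (not from the textbook): the LDAP filter problem described on
# the slide and its fix. The unsafe builder pastes input straight into the
# filter; the safe one escapes the value as RFC 4515 requires. Filter shape
# and sample inputs are constructed for the demonstration.

# RFC 4515: these characters inside an assertion value must be written as \XX.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape one assertion value so it is only ever compared, never parsed."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(username):
    """What the slide warns about: unfiltered input becomes filter syntax."""
    return f"(&(objectClass=person)(uid={username}))"


def safe_user_filter(username):
    """Same query with the user-supplied value escaped."""
    return f"(&(objectClass=person)(uid={escape_filter_value(username)}))"


def and_components(filter_str):
    """Split an AND filter '(&(a)(b)...)' into its top-level components.

    Used to show structurally what escaping protects: a filter built for one
    user lookup must keep exactly two components, objectClass and uid.
    """
    if not (filter_str.startswith("(&") and filter_str.endswith(")")):
        raise ValueError("not an AND filter")
    inner = filter_str[2:-1]
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(inner):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced filter")
            if depth == 0:
                parts.append(inner[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced filter")
    return parts


def filter_is_well_formed(filter_str):
    """Defensive check a directory gateway could apply before sending a query:
    exactly two components, the second a uid assertion whose value carries no
    raw wildcard, grouping or NUL characters (escaped \XX sequences are fine)."""
    try:
        parts = and_components(filter_str)
    except ValueError:
        return False
    if len(parts) != 2 or not parts[1].startswith("(uid="):
        return False
    value = parts[1][len("(uid="):-1]
    return not any(ch in value for ch in "*()\x00")
```

For an ordinary username both builders produce the identical filter, which is the point: escaping costs nothing on good input. For input containing filter metacharacters the unsafe builder changes the number of top-level components or turns the `uid` match into a wildcard, while the escaped version keeps two components and a literal comparison, so `filter_is_well_formed` rejects the former and accepts the latter. Escaping the value is the fix; the structural check is a second layer for code paths that cannot be audited.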
Security Assertion Markup Language (SAML)
• SAML
  – An Extensible Markup Language (XML) standard that allows secure web domains to exchange user authentication and authorization data
  – Allows a user’s login credentials to be stored with a single identity provider instead of being stored on each web service provider’s server
  – Used extensively for online e-commerce business-to-business (B2B) and business-to-customer (B2C) transactions
Summary
• Access control is the process by which resources or services are denied or granted
• Four major access control models exist
• Best practices for implementing access control
  – Separation of duties
  – Job rotation
  – Least privilege
  – Mandatory vacations
Summary
• Access control lists define which subjects are allowed to access which objects
  – Specify which operations they may perform
• Group Policy is a Windows feature that provides centralized management and configuration
• Authentication services can be provided on a network by a dedicated AAA or authentication server
  – RADIUS is the industry standard
CompTIA Security+ Guide to Network Security Fundamentals, Fifth
Edition
49

More Related Content

Chapter 11 Presentation

  • 1. CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition Chapter 11 Access Control Fundamentals
  • 2. © Cengage Learning 2015 Objectives • Define access control and list the four access control models • Describe how to implement access control • Explain the different types of authentication services CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 2
  • 3. © Cengage Learning 2015 What Is Access Control? • Access Control – Granting or denying approval to use specific resources • Physical access control – Consists of fencing, hardware door locks, and mantraps to limit contact with devices • Technical access control – Consists of technology restrictions that limit users on computers from accessing data • There are four standard access control models CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 3
  • 4. © Cengage Learning 2015 Access Control Terminology • Identification – Presenting credentials – Example: delivery driver presenting employee badge • Authentication – Checking the credentials – Example: examining the delivery driver’s badge • Authorization – Granting permission to take action – Example: allowing delivery driver to pick up package CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 4
  • 5. © Cengage Learning 2015 Access Control Terminology CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 5
  • 6. © Cengage Learning 2015 Access Control Terminology • Object – A specific resource – Example: file or hardware device • Subject – A user or process functioning on behalf of a user – Example: computer user • Operation – The action taken by the subject over an object – Example: deleting a file CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 6
  • 7. © Cengage Learning 2015 Access Control Terminology CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 7
  • 8. © Cengage Learning 2015 Access Control Terminology CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 8
  • 9. © Cengage Learning 2015 Access Control Models • Access control model – Standards that provide a predefined framework for hardware or software developers – Use the appropriate model to configure the necessary level of control • Four major access control models – Discretionary Access Control (DAC) – Mandatory Access Control (MAC) – Role Based Access Control (RBAC) – Rule Based Access Control (RBAC) CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 9
  • 10. © Cengage Learning 2015 Access Control Models • Discretionary Access Control (DAC) – Least restrictive model – Every object has an owner – Owners have total control over their objects – Owners can give permissions to other subjects over their objects – Used on operating systems such as most types of UNIX and Microsoft Windows CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 10
  • 11. © Cengage Learning 2015 Access Control Models CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 11
  • 12. © Cengage Learning 2015 Access Control Models • DAC weaknesses – Relies on decisions by end user to set proper security level • Incorrect permissions may be granted – Subject’s permissions will be “inherited” by any programs the subject executes – Malware downloaded onto a user’s computer that uses the DAC model would then run at the same high level as the user’s privileges CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 12
  • 13. © Cengage Learning 2015 Access Control Models • Mandatory Access Control (MAC) – Most restrictive access control model – Typically found in military settings – Two elements • Labels - Every entity is an object and is assigned a classification label that represents the relative importance of the object – Subjects are assigned a privilege label (clearance) • Levels - a hierarchy based on the labels is used – Top secret has a higher level than secret, which has a higher level than confidential CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 13
  • 14. © Cengage Learning 2015 Access Control Models • MAC grants permissions by matching object labels with subject labels – Labels indicate level of privilege • To determine if file may be opened: – Object and subject labels are compared – The subject must have equal or greater level than object to be granted access • Two major implementations of MAC – Lattice model – Bell-LaPadula model CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 14
  • 15. © Cengage Learning 2015 Access Control Models • Lattice model – Subjects and objects are assigned a “rung” on the lattice – Multiple lattices can be placed beside each other • Bell-LaPadula (BLP) model – Similar to lattice model – Subjects may not create a new object or perform specific functions on lower level objects CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 15
  • 16. © Cengage Learning 2015 Access Control Models • Microsoft Windows uses a MAC implementation called Mandatory Integrity Control (MIC) – A security identifier (SID) is issued to the user, group, or session – Each time a user logs in, the SID is retrieved from the database for that user – SID is used to identify user with subsequent interactions with Windows – Windows links the SID to an integrity level – User Access Control (UAC) - a Windows feature that controls user access to resources CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 16
  • 17. © Cengage Learning 2015 Access Control Models CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 17
  • 18. © Cengage Learning 2015 Access Control Models • Role Based Access Control (RBAC) – Also called Non-Discretionary Access Control – Access permissions are based on user’s job function • RBAC assigns permissions to particular roles in an organization – Users are assigned to those roles • Rule Based Access Control (RBAC) – Dynamically assigns roles to subjects based on a set of rules defined by a custodian CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 18
  • 19. © Cengage Learning 2015 Access Control Models • Rule Based Access Control (cont’d.) – Each resource object contains access properties based on the rules – When user attempts access, system checks object’s rules to determine access permission – Often used for managing user access to one or more systems • Business changes may trigger application of the rules specifying access changes CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 19
  • 20. © Cengage Learning 2015 Access Control Models CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 20
  • 21. © Cengage Learning 2015 Best Practices for Access Control • Establishing best practices for limiting access – Can help secure systems and data • Examples of best practices – Separation of duties – Job rotation – Least privilege – Implicit deny – Mandatory vacations CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 21
  • 22. © Cengage Learning 2015 Best Practices for Access Control • Separation of duties – Fraud can result from single user being trusted with complete control of a process – Requires two or more people responsible for functions related to handling money – The system is not vulnerable to actions of a single person • Job rotation – Individuals periodically moved between job responsibilities CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 22
  • 23. © Cengage Learning 2015 Best Practices for Access Control • Job rotation (cont’d.) – Employees can rotate within their department or across departments • Advantages of job rotation – Limits amount of time individuals are in a position to manipulate security configurations – Helps expose potential avenues for fraud • Individuals have different perspectives and may uncover vulnerabilities – Reduces employee burnout CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 23
  • 24. © Cengage Learning 2015 Best Practices for Access Control • Least privilege – Limiting access to information based on what is needed to perform a job function – Helps reduce attack surface by eliminating unnecessary privileges – Should apply to users and to processes running on the system – Processes should run at minimum security level needed to correctly function CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 24
  • 25. © Cengage Learning 2015 Best Practices for Access Control CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 25
  • 26. © Cengage Learning 2015 Best Practices for Access Control • Implicit deny – If a condition is not explicitly met, access request is rejected – Example: network router rejects access to all except conditions matching the rule restrictions • Mandatory vacations – Limits fraud, because perpetrator must be present daily to hide fraudulent actions – Audit of employee’s activities usually scheduled during vacation for sensitive positions CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 26
  • 27. © Cengage Learning 2015 Implementing Access Control • Technologies used to implement access control – Access control lists – Group Policy – Account restrictions CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 27
  • 28. © Cengage Learning 2015 Access Control Lists • Access control list (ACL) – A set of permissions attached to an object • Specifies which subjects may access the object and what operations they can perform • When a subject requests to perform an operation: – System checks ACL for an approved entry • ACLs are usually viewed in relation to operating system files CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 28
  • 29. © Cengage Learning 2015 Access Control Lists CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 29
  • 30. © Cengage Learning 2015 Access Control Lists • Each entry in the ACL table is called access control entry (ACE) • ACE structure (Windows) – Security identifier (SID) for the user or group account or logon session – Access mask that specifies access rights controlled by ACE – Flag that indicates type of ACE – Set of flags that determine whether objects can inherit permissions CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 30
  • 31. © Cengage Learning 2015 Group Policies • Group Policy – A Microsoft Windows feature that provides centralized management and configuration of computers and remote users using Active Directory (AD) – Usually used in enterprise environments – Settings stored in Group Policy Objects (GPOs) • Local Group Policy – Has fewer options than a Group Policy – Used to configure settings for systems not part of AD CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 31
  • 32. © Cengage Learning 2015 Account Restrictions • Time of day restrictions – Limits the time of day a user may log onto a system – Time blocks for permitted access are chosen – Can be set on individual systems CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 32
  • 33. © Cengage Learning 2015 Account Restrictions CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 33
  • 34. © Cengage Learning 2015 Account Restrictions • Account expiration – Orphaned accounts: accounts that remain active after an employee has left the organization – Dormant accounts: not accessed for a lengthy period of time • Recommendations for dealing with orphaned or dormant accounts – Establish a formal process – Terminate access immediately – Monitor logs CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 34
  • 35. © Cengage Learning 2015 Account Restrictions • Orphaned accounts remain a problem in today’s organizations • Account expiration – Sets a user’s account to expire • Password expiration sets a time when user must create a new password – Different from account expiration • Account expiration can be a set date, or a number of days of inactivity CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 35
  • 36. © Cengage Learning 2015 Authentication Services • Authentication – Process of verifying credentials • Authentication services provided on a network – Dedicated authentication server – A server that performs authentication, authorization, and accounting is called a AAA server • Common types of authentication and AAA servers – RADIUS, Kerberos, Terminal Access Control Access Control Systems (TACACS), generic servers built on the Lightweight Directory Access Protocol (LDAP), Security Assertion and Markup Language (SAML) CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 36
  • 37. © Cengage Learning 2015 RADIUS • Remote Authentication Dial In User Service – Developed in 1992 – Became an industry standard – Suitable for high volume service control applications • Such as dial-in access to corporate network – Still in use today • RADIUS client – Typically a device such as a wireless AP • Responsible for sending user credentials and connection parameters to the RADIUS server CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 37
  • 38. © Cengage Learning 2015 RADIUS CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 38
  • 39. © Cengage Learning 2015 RADIUS • RADIUS user profiles are stored in a central database that all remote servers can share • Advantages of a central service – Increases security due to a single administered network point – Easier to track usage for billing and keeping network statistics CompTIA Security+ Guide to Network Security Fundamentals, Fifth Edition 39
40. Kerberos
• Authentication system developed at MIT
– Uses encryption and authentication for security
• Most often used in educational and government settings
• Works like using a driver’s license to cash a check
• Kerberos ticket characteristics:
– Difficult to copy
– Contains information linking it to the user
– User presents ticket to network for a service
– Expires in a few hours or a day

41. Terminal Access Controller Access-Control System (TACACS)
• Authentication service similar to RADIUS
• Commonly used on UNIX devices
• Communicates by forwarding user authentication information to a centralized server
• The current version is TACACS+

42. Terminal Access Controller Access-Control System (TACACS)

43. Lightweight Directory Access Protocol (LDAP)
• A directory service is a database stored on a network
– Contains information about users and network devices
– Keeps track of network resources and users’ privileges to those resources
– Grants or denies access based on its information
• Standard for directory services
– X.500

44. Lightweight Directory Access Protocol
• The X.500 standard defines the Directory Access Protocol (DAP) that client applications use to access the directory
• LDAP
– A simpler subset of DAP
– Designed to run over TCP/IP
– Encodes protocol elements in a simpler way than X.500
• LDAP traffic is transmitted in cleartext
– Can be made secure by using SSL or TLS
– Known as Secure LDAP or LDAP over SSL (LDAPS)

45. Lightweight Directory Access Protocol
• Weakness of LDAP
– Can be subject to LDAP injection attacks
• Similar to SQL injection attacks
• Occurs when user input is not properly filtered
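LDAP injection and its fix on a constructed case, added here and not part of the textbook: the vulnerable filter splices user input straight into the query, the hardened one escapes the RFC 4515 filter metacharacters first, and a minimal filter parser and matcher over a constructed two-entry directory shows how escaping keeps the filter's structure fixed regardless of what the user typed. The directory entries and all uid values are constructed.

```python
import re

# Constructed sample directory standing in for the entries an LDAP server holds.
DIRECTORY = [
    {"uid": "alice", "cn": "Alice Example", "memberOf": "staff"},
    {"uid": "bob", "cn": "Bob Example", "memberOf": "admins"},
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: characters with meaning inside a filter become \\XX
    hex escapes, so whatever the user typed is matched as a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def unsafe_filter(uid: str) -> str:
    return "(&(uid=%s)(memberOf=staff))" % uid  # raw input spliced into the filter

def safe_filter(uid: str) -> str:
    return "(&(uid=%s)(memberOf=staff))" % escape_filter_value(uid)

def parse_filter(s: str, i: int = 0):
    """Minimal RFC 4515 parser for &, |, ! and equality; returns (tree, next_index)."""
    if s[i + 1] in "&|":
        op, i, items = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            items.append(node)
        return (op, items), i + 1
    if s[i + 1] == "!":
        node, i = parse_filter(s, i + 2)
        return ("!", node), i + 1
    j = s.index(")", i)  # an escaped ')' is '\29', so it cannot end the term early
    attr, val = s[i + 1:j].split("=", 1)
    return ("=", attr, val), j + 1

def value_regex(val: str):
    """An unescaped '*' is a wildcard; \\XX escapes are decoded back to literals."""
    pieces = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})",
                               lambda m: chr(int(m.group(1), 16)), p))
              for p in val.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)

def matches(node, entry: dict) -> bool:
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1], entry)
    value = entry.get(node[1])  # absent attribute never matches, even against '*'
    return value is not None and bool(value_regex(node[2]).match(value))

def search(filter_str: str) -> list:
    """Return the uids the filter selects from the constructed directory."""
    tree, _ = parse_filter(filter_str)
    return [e["uid"] for e in DIRECTORY if matches(tree, e)]
```

With a value containing filter metacharacters, the unescaped filter gains an extra assertion and matches an account the caller never named, while the escaped filter still has exactly two assertions and matches nothing.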
46. Security Assertion Markup Language (SAML)
• SAML
– An Extensible Markup Language (XML) standard that allows secure web domains to exchange user authentication and authorization data
– Allows a user’s login credentials to be stored with a single identity provider instead of being stored on each web service provider’s server
– Used extensively for online e-commerce business-to-business (B2B) and business-to-customer (B2C) transactions

47. Security Assertion Markup Language (SAML)

48. Summary
• Access control is the process by which resources or services are denied or granted
• Four major access control models exist
• Best practices for implementing access control
– Separation of duties
– Job rotation
– Least privilege
– Mandatory vacations

49. Summary
• Access control lists define which subjects are allowed to access which objects
– Specify which operations they may perform
• Group Policy is a Windows feature that provides centralized management and configuration
• Authentication services can be provided on a network by a dedicated AAA or authentication server
– RADIUS is the industry standard

Editor's Notes

Figures and tables referenced on the slides:
5. Table 11-1 Basic steps in access control
7. Table 11-2 Roles in access control
8. Figure 11-1 Technical access control process and terminology
11. Figure 11-2 Windows Discretionary Access Control (DAC)
17. Figure 11-3 Windows User Account Control (UAC) prompt
20. Table 11-3 Access control models
25. Table 11-4 Challenges of least privilege
29. Figure 11-4 UNIX file permissions
32. Figure 11-5 Time-of-day restrictions setting specific times and days
33. Figure 6-11 Time-of-day restrictions using GUI
38. Figure 11-7 RADIUS authentication
42. Table 11-5 Comparison of RADIUS and TACACS+
47. Figure 11-8 SAML transaction