CH - 5
Security Technology
Access Control
Access control is the method by which systems determine whether and how to admit a user into
a trusted area of the organization—that is, information systems, restricted areas such as
computer rooms, and the entire physical location.
Access control is achieved through a combination of policies, programs, and technologies.
Access controls are focused on the permissions or privileges that a subject (user or system) has
on an object (resource), including if a subject may access an object and how the subject may use
that object.
In general, access controls can be discretionary or nondiscretionary.
Discretionary access controls (DACs)
Discretionary access controls (DACs) provide the ability to share resources in a peer-to-peer
configuration that allows users to control and possibly provide access to information or
resources at their disposal.
The users can allow general, unrestricted access, or they can allow specific people or groups of
people to access these resources.
For example, a user might have a hard drive that contains information to be shared with office
coworkers. This user can elect to allow access to specific coworkers by providing access by name
in the share control function.
Nondiscretionary access controls (NDACs)
Nondiscretionary access controls (NDACs) are managed by a central authority in the
organization.
A form of nondiscretionary access controls is called lattice-based access control (LBAC), in which
users are assigned a matrix of authorizations for areas of access.
The authorization may vary between levels, depending on the classification of authorizations
that users possess for each group of information or resources.
The lattice structure contains subjects and objects, and the boundaries associated with each pair
are demarcated.
Lattice-based control specifies the level of access each subject has to each object, as
implemented in access control lists (ACLs) and capability tables.
RBACs and TBACs
Some lattice-based controls are tied to a person’s duties and responsibilities; such controls
include role-based access controls (RBACs) and task-based access controls (TBACs).
Role-based controls are associated with the duties a user performs in an organization, such as a
position or temporary assignment like project manager, while task-based controls are tied to a
particular chore or responsibility, such as a department’s printer administrator.
These controls make it easier to maintain the restrictions associated with a particular role or
task, especially if different people perform the role or task.
Instead of constantly assigning and revoking the privileges of employees who come and go, the
administrator simply assigns access rights to the role or task.
Roles tend to last for a longer term and be related to a position, whereas tasks are much more
granular and short-term.
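The lattice of subjects and objects described above, kept as one access matrix that can be read either as ACLs (per object) or as capability tables (per subject), with rights granted to roles and tasks rather than to named employees. This is an added example, not code from the chapter; the roles, objects and employees are constructed.

```python
from collections import defaultdict

# Rights granted to a role or task on an object (constructed sample data).
ROLE_RIGHTS = {
    ("project_manager", "schedule.xlsx"): {"read", "write"},
    ("project_manager", "budget.xlsx"):   {"read"},
    ("printer_admin",   "hr_printer"):    {"read", "write", "admin"},
    ("staff",           "schedule.xlsx"): {"read"},
}

# Who currently holds each role or task. Employees come and go here;
# the object entries above do not change when they do.
ASSIGNMENTS = {
    "alice": {"project_manager", "staff"},
    "bob":   {"staff", "printer_admin"},
    "carol": {"staff"},
}

def effective_rights(user, assignments=ASSIGNMENTS, role_rights=ROLE_RIGHTS):
    """Union of the rights of every role or task the user currently holds."""
    rights = defaultdict(set)
    for role in assignments.get(user, set()):
        for (r, obj), rs in role_rights.items():
            if r == role:
                rights[obj] |= rs
    return dict(rights)

def capability_table(assignments=ASSIGNMENTS):
    """Subject-centric view of the lattice: each subject's rights per object."""
    return {u: effective_rights(u, assignments) for u in assignments}

def acl(obj, assignments=ASSIGNMENTS):
    """Object-centric view of the same lattice: who may do what to one object."""
    return {u: r[obj] for u, r in capability_table(assignments).items() if obj in r}

def is_allowed(user, obj, right, assignments=ASSIGNMENTS):
    """Reference-monitor check made at access time."""
    return right in effective_rights(user, assignments).get(obj, set())

def reassign(assignments, user, role, to_user):
    """Hand a role from one employee to another without touching ROLE_RIGHTS."""
    new = {u: set(r) for u, r in assignments.items()}
    new.get(user, set()).discard(role)
    new.setdefault(to_user, set()).add(role)
    return new

if __name__ == "__main__":
    print("ACL for schedule.xlsx:", acl("schedule.xlsx"))
    print("Capability table:", capability_table())
```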
Mandatory access controls (MACs)
Mandatory access controls (MACs) are also a form of lattice-based, nondiscretionary access
controls that use data classification schemes; they give users and data owners limited control
over access to information resources.
In a data classification scheme, each collection of information is rated, and all users are rated to
specify the level of information they may access.
These ratings are often referred to as sensitivity levels, and they indicate the level of
confidentiality the information requires.
Attribute-based access controls (ABACs)
There are characteristics or attributes of a subject such as name, date of birth, home address,
training record, and job function that may, either individually or when combined, comprise a
unique identity that distinguishes that person from all others.
These characteristics are often called subject attributes.
An ABAC system simply uses one of these attributes to regulate access to a particular set of data.
ABAC is actually the parent approach to lattice-based, MAC, and RBAC controls, as they all are
based on attributes.
Access Control Mechanisms
In general, all access control approaches rely on the following four mechanisms, which represent
the four fundamental functions of access control systems:
● Identification: I am a user of the system.
● Authentication: I can prove I’m a user of the system.
● Authorization: Here’s what I can do with the system.
● Accountability: You can verify my use of the system.
Identification
Identification is a mechanism whereby unverified entities—called supplicants—who seek access
to a resource provide a label by which they are known to the system.
This label is called an identifier (ID), and it must be mapped to one and only one entity within
the security domain.
Sometimes the supplicant supplies the label, and sometimes it is applied to the supplicant.
Some organizations use composite identifiers by concatenating elements—department codes,
random numbers, or special characters—to make unique identifiers within the security domain.
Other organizations generate random IDs to protect resources from potential attackers.
Most organizations use a single piece of unique information, such as a complete name or the
user’s first initial and surname.
Authentication
Authentication is the process of validating a supplicant’s purported identity. There are three
widely used authentication mechanisms, or authentication factors:
● Something a supplicant knows: This factor of authentication relies on what the supplicant
knows and can recall—for example, a password, passphrase, or other unique authentication
code, such as a personal identification number (PIN).
● Something a supplicant has: This authentication factor relies on something a supplicant has and
can produce when necessary. One example is dumb cards, such as ID cards or
ATM cards with magnetic stripes that contain the digital (and often encrypted) user PIN,
which is compared against the number the user enters.
● Something a supplicant is
Authorization
Authorization is the matching of an authenticated entity to a list of information assets and
corresponding access levels.
In general, authorization can be handled in one of three ways:
● Authorization for each authenticated user, in which the system performs an authentication
process to verify each entity and then grants access to resources for only that entity. This
process quickly becomes complex and resource-intensive in a computer system.
● Authorization for members of a group, in which the system matches authenticated entities to
a list of group memberships and then grants access to resources based on the group’s access
rights. This is the most common authorization method.
● Authorization across multiple systems, in which a central authentication and authorization
system verifies an entity’s identity and grants it a set of credentials.
Accountability
Accountability, also known as auditability, ensures that all actions on a system—authorized or
unauthorized—can be attributed to an authenticated identity.
Accountability is most often accomplished by means of system logs, database journals, and the
auditing of these records.
System logs record specific information, such as failed access attempts and system
modifications.
Logs have many uses, such as intrusion detection, determining the root cause of a system
failure, or simply tracking the use of a particular resource.
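Reviewing system log records for accountability, as an added example that is not from the chapter: each event is attributed to an authenticated identity, identities with repeated failed access attempts are flagged, and successful system modifications are listed for comparison with change records. The log format, the sample lines and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed record layout: "<ISO timestamp> <user> <ACCESS|MODIFY> <resource> <OK|DENIED>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<action>ACCESS|MODIFY) "
    r"(?P<resource>\S+) (?P<outcome>OK|DENIED)$"
)

# Constructed sample log, including one malformed line.
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice ACCESS payroll.db OK
2024-03-01T09:00:07 mallory ACCESS payroll.db DENIED
2024-03-01T09:00:09 mallory ACCESS payroll.db DENIED
2024-03-01T09:00:12 mallory ACCESS hr_share DENIED
2024-03-01T09:01:30 bob MODIFY /etc/firewall.rules OK
2024-03-01T09:02:00 mallory ACCESS payroll.db DENIED
2024-03-01T09:05:00 carol ACCESS wiki OK
this line is not a log record
"""

def parse(log_text):
    """Return (records, malformed_count); bad lines are counted, not silently dropped."""
    records, bad = [], 0
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            bad += 1
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        records.append(rec)
    return records, bad

def repeated_failures(records, threshold=3, window_s=300):
    """Identities with at least `threshold` DENIED events inside any `window_s` seconds."""
    by_user = defaultdict(list)
    for r in records:
        if r["outcome"] == "DENIED":
            by_user[r["user"]].append(r["ts"])
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged[user] = len(times)   # total denied events for that identity
                break
    return flagged

def modifications(records):
    """(user, resource) for every successful system modification, for change review."""
    return [(r["user"], r["resource"]) for r in records
            if r["action"] == "MODIFY" and r["outcome"] == "OK"]

if __name__ == "__main__":
    recs, bad = parse(SAMPLE_LOG)
    print(repeated_failures(recs), modifications(recs), "malformed:", bad)
```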
Firewalls
A firewall in an information security program is like a building’s firewall in that it prevents
specific types of information from moving between two different levels of networks, such as an
untrusted network like the Internet and a trusted network like the organization’s internal
network.
Some organizations place firewalls that have different levels of trust between portions of their
network environment, often to add extra security for the most important applications and data.
The firewall may be a separate computer system, a software service running on an existing
router or server, or a separate network that contains several supporting devices.
Firewalls can be categorized by processing mode, development era, or structure.
Firewall Processing Modes
Packet-Filtering Firewalls
The packet-filtering firewall examines the header information of data packets that come into a
network.
A packet-filtering firewall installed on a TCP/IP-based network typically functions at the IP level and
determines whether to deny (drop) a packet or allow (forward) it to the next network connection, based
on the rules programmed into the firewall.
Packet-filtering firewalls examine every incoming packet header and can selectively filter packets based
on header information such as destination address, source address, packet type, and other key
information.
Packet-filtering firewalls are based on a combination of the following:
◦ IP source and destination address
◦ Direction (inbound or outbound)
◦ Protocol, for firewalls capable of examining the IP protocol layer
◦ Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source and destination port requests.
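A first-match packet filter that decides on exactly the header fields listed above (source and destination address, direction, protocol, and TCP/UDP destination port), as an added example that is not from the chapter. The ruleset, addresses and packets are constructed; the last rule drops anything not explicitly allowed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    direction: str      # "inbound" or "outbound"
    protocol: str       # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    direction: str = "any"
    protocol: str = "any"
    src: str = "0.0.0.0/0"       # CIDR; default matches every address
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p):
        return (self.direction in ("any", p.direction)
                and self.protocol in ("any", p.protocol)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

INTERNAL = "10.0.0.0/8"          # constructed internal address space
RULESET = [
    # Inbound packets claiming an internal source address are spoofed: drop.
    Rule("deny",  direction="inbound", src=INTERNAL),
    # The public web server is reachable from anywhere, on HTTPS only.
    Rule("allow", direction="inbound", protocol="tcp", dst="203.0.113.10/32", dport=443),
    # Internal hosts may reach the web and the internal resolver; nothing else leaves.
    Rule("allow", direction="outbound", protocol="tcp", src=INTERNAL, dport=443),
    Rule("allow", direction="outbound", protocol="udp", src=INTERNAL, dst="10.0.0.53/32", dport=53),
    # Default deny: every packet not matched above is dropped.
    Rule("deny"),
]

def decide(packet, rules=RULESET):
    """Return (action, index of the rule that fired); the first matching rule wins."""
    for i, rule in enumerate(rules):
        if rule.matches(packet):
            return rule.action, i
    return "deny", -1   # only reachable if someone removes the final catch-all

if __name__ == "__main__":
    print(decide(Packet("inbound", "tcp", "198.51.100.7", "203.0.113.10", 51000, 443)))
    print(decide(Packet("inbound", "tcp", "10.1.2.3", "203.0.113.10", 51000, 443)))
```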
Application Layer Firewall
The application layer firewall, also known as an application firewall, is frequently installed on
a dedicated computer separate from the filtering router, but it is commonly used in conjunction
with a filtering router.
The application firewall is also known as a proxy server (or reverse proxy) because it can be
configured to run special software that acts as a proxy for a service request.
The proxy server is placed in an unsecured area of the network so that it is exposed to the higher
levels of risk from less trusted networks, rather than exposing the Web server to such risks.
Additional filtering routers can be implemented behind the proxy server, limiting access to the
more secure internal system and providing further protection.
MAC Layer Firewalls
A MAC layer firewall is designed to operate at the media access control sublayer of the
network’s data link layer.
MAC layer firewalls make filtering decisions based on the specific host computer’s identity, as
represented by its MAC or network interface card (NIC) address.
Thus, MAC layer firewalls link the addresses of specific host computers to ACL entries that
identify the specific types of packets that can be sent to each host, and block all other traffic.
Hybrid Firewalls
Hybrid firewalls combine the elements of other types of firewalls—that is, the elements of
packet filtering and proxy services or of packet filtering and circuit gateways.
A hybrid firewall system may actually consist of two separate firewall devices; each is a separate
firewall system, but they are connected so that they work in tandem.
For example, a hybrid firewall system might include a packet-filtering firewall that is set up to
screen all acceptable requests, then pass the requests to a proxy server, which in turn requests
services from a Web server deep inside the organization’s networks.
An added advantage to the hybrid firewall approach is that it enables an organization to make a
security improvement without completely replacing its existing firewalls.
Firewall Architectures
All firewall devices can be configured in several network connection architectures.
These approaches are sometimes mutually exclusive, but sometimes they can be combined.
The configuration that works best for a particular organization depends on three factors:
◦ The objectives of the network
◦ The organization’s ability to develop and implement the architectures
◦ The budget available for the function
Although hundreds of variations exist, there are four common architectural implementations:
◦ packet-filtering routers
◦ dual-homed firewalls (also known as bastion hosts)
◦ screened host firewalls
◦ screened subnet firewalls.
Packet-Filtering Routers
Most organizations with an Internet connection have some form of a router at the boundary
between the organization’s internal networks and the external service provider.
Many of these routers can be configured to reject packets that the organization does not want to
allow into the network.
This is a simple but effective way to lower the organization’s risk from external attack.
The drawbacks to this type of system include a lack of auditing and strong authentication.
Bastion Hosts
The next option in firewall architecture is a single firewall that provides protection behind
the organization’s router.
It can be a rich target for external attacks and should be very thoroughly secured.
Because the bastion host stands as a sole defender on the network perimeter, it is commonly referred to
as the sacrificial host.
This device may be configured by being connected to the network via a common switch with all traffic
routed through it, or it may be in-line between the router and the inside network. If the firewall is
configured in this manner, it is referred to as a dual-homed firewall.
When this architectural approach is used, the bastion host contains two NICs (network interface cards).
One NIC is connected to the external network, and one is connected to the internal network, providing
an additional layer of protection.
With two NICs, all traffic must physically go through the firewall to move between the internal and
external networks.
Screened Host Firewalls
Screened host firewalls combine the packet-filtering router with a separate, dedicated firewall,
such as an application proxy server, which retrieves information on behalf of other system users
and often caches copies of Web pages and other needed information on its internal drives to
speed up access.
This approach allows the router to prescreen packets to minimize the network traffic and load
on the internal proxy.
The application proxy examines an application layer protocol, such as HTTP, and performs the
proxy services.
Because an application proxy may retain working copies of some Web documents to improve
performance, unanticipated losses can result if it is compromised.
This configuration requires the external attack to compromise two separate systems before the
attack can access internal data.
Screened Subnet Firewalls (with DMZ)
The dominant architecture today is the screened subnet firewall used with a DMZ. The DMZ can
be a dedicated port on the firewall device linking a single bastion host, or it can be connected to
a screened subnet.
In a screened subnet firewall setup, the network architecture has three components.
• The first is a public interface that connects to the global Internet.
• The second is a middle zone, often called a demilitarized zone, that acts as a buffer.
• The third is an additional subnet that connects to an intranet or other local architecture.
The additional third subnet helps to filter attacks or attract them to a particular network
component to further protect the intranet.
Selecting the Right Firewall
When trying to determine the best firewall for an organization, you should consider the
following questions:
1. Which type of firewall technology offers the right balance between protection and cost for the needs
of the organization?
2. What features are included in the base price? What features are available at extra cost? Are all cost
factors known?
3. How easy is it to set up and configure the firewall? How accessible are the staff technicians who can
competently configure the firewall?
4. Can the candidate firewall adapt to the growing network in the target organization?
The most important factor, of course, is the extent to which the firewall design provides the
required protection.
The next important factor is cost, which may keep a certain make, model, or type of firewall out
of reach.
Protecting Remote Connections
The networks that organizations create are seldom used only by people at one location.
When connections are made between networks, the connections are arranged and managed carefully.
Installing such network connections requires using leased lines or other data channels provided by
common carriers; therefore, these connections are usually permanent and secured under the
requirements of a formal service agreement.
However, a more flexible option for network access must be provided for employees working in their
homes, contract workers hired for specific assignments, or other workers who are traveling.
In the past, organizations provided these remote connections exclusively through dial-up services like
Remote Authentication Service (RAS).
As high-speed Internet connections have become mainstream, other options such as virtual private
networks (VPNs) have become more popular.
Remote Access
RADIUS, Diameter, and TACACS
RADIUS and TACACS are systems that authenticate the credentials of users who are trying to
access an organization’s network via a dial-up connection.
Typical dial-up systems place the responsibility for user authentication on the system directly connected
to the modems.
If there are multiple points of entry into the dial-up system, this authentication system can become
difficult to manage.
The Remote Authentication Dial-In User Service (RADIUS) system centralizes the responsibility for
authenticating each user on the RADIUS server.
The Diameter protocol defines the minimum requirements for a system that provides authentication,
authorization, and accounting (AAA) services and that can go beyond these basics and add commands
and/or object attributes.
Diameter security uses respected encryption standards such as Internet Protocol Security (IPSec) or
Transport Layer Security (TLS).
Kerberos and SESAME
Kerberos—named after the three-headed dog of Greek mythology that guards the gates to the
underworld—uses symmetric key encryption to validate an individual user to various network
resources.
Kerberos keeps a database containing the private keys of clients and servers—in the case of a
client, this key is simply the client’s encrypted password.
Network services running on servers in the network register with Kerberos, as do the clients that
use those services.
The Kerberos system knows these private keys and can authenticate one network node (client or
server) to another.
Kerberos also generates temporary session keys, which are private keys given to the two parties
in a conversation.
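A simplified Kerberos-style exchange built from the elements the paragraph lists (a key server holding each client's and server's long-term key, the client's key derived from its password, and a temporary session key handed to both parties). This is an added example, not the chapter's or the real Kerberos protocol; the cipher is a toy keyed-XOR with an HMAC tag standing in for real AES, and every name, password and key is constructed.

```python
import hashlib, hmac, json, os, time

def seal(key, obj):
    """Toy authenticated encryption (SHA-256 keystream XOR + HMAC tag); not AES."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Verify the tag first, then decrypt; a wrong key or tampering raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def client_key(password):
    """The client's long-term key is derived from its password (constructed KDF)."""
    return hashlib.sha256(b"kdc-salt:" + password.encode()).digest()

class KeyServer:
    """Holds every principal's long-term key and mints temporary session keys."""
    def __init__(self):
        self.keys = {}

    def register(self, principal, key):
        self.keys[principal] = key

    def issue(self, client, service, lifetime=300):
        """Session key for the client (under its key) and a ticket for the service."""
        skey, exp = os.urandom(32).hex(), int(time.time()) + lifetime
        for_client = seal(self.keys[client], {"service": service, "skey": skey, "exp": exp})
        ticket = seal(self.keys[service], {"client": client, "skey": skey, "exp": exp})
        return for_client, ticket

def client_authenticate(name, password, for_client, ticket):
    """Client side: recover the session key, then prove possession of it."""
    skey = bytes.fromhex(unseal(client_key(password), for_client)["skey"])
    authenticator = seal(skey, {"client": name, "ts": int(time.time())})
    return ticket, authenticator

def service_verify(service_key, ticket, authenticator, now=None):
    """Service side: open the ticket with its own key, then the authenticator
    with the session key found inside; returns the authenticated client name."""
    t = unseal(service_key, ticket)
    if (now if now is not None else time.time()) > t["exp"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["skey"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t["client"]
```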
SESAME
The Secure European System for Applications in a Multivendor Environment (SESAME) is the
result of a European research and development project partly funded by the European
Commission.
SESAME is like Kerberos in that the user is first authenticated to an authentication server and
receives a token.
The token is then presented to a privilege attribute server, instead of a ticket-granting service as
in Kerberos, as proof of identity to gain a privilege attribute certificate (PAC).
SESAME also builds on the Kerberos model by adding sophisticated access control features,
more scalable encryption systems, improved manageability, auditing features, and the option to
delegate responsibility for allowing access.
Virtual Private Networks (VPNs)
Virtual private networks (VPNs) are implementations of cryptographic technology.
VPNs are commonly used to securely extend an organization’s internal network connections to
remote locations. The VPN Consortium (VPNC) defines three VPN technologies: trusted VPNs,
secure VPNs, and hybrid VPNs.
A trusted VPN, also known as a legacy VPN, uses leased circuits from a service provider and
conducts packet switching over these leased circuits. The organization must trust the service
provider, who gives contractual assurance that no one else is allowed to use these circuits and
that the circuits are properly maintained and protected—hence the name trusted VPN.
Secure VPNs use security protocols to encrypt traffic transmitted across unsecured public
networks like the Internet.
A hybrid VPN combines the two, providing encrypted transmissions (as in secure VPN) over
some or all of a trusted VPN network.
A VPN that proposes to offer a secure and reliable capability while relying on public networks
must accomplish the following, regardless of the specific technologies and protocols being used:
● Encapsulation of incoming and outgoing data, in which the native protocol of the client is
embedded within the frames of a protocol that can be routed over the public network and be
usable by the server network environment.
● Encryption of incoming and outgoing data to keep the data contents private while in transit
over the public network, but usable by the client and server computers and/or the local
networks on both ends of the VPN connection.
● Authentication of the remote computer and perhaps the remote user as well. Authentication
and subsequent user authorization to perform specific actions are predicated on accurate and
reliable identification of the remote system and user.
A VPN allows a user to turn the Internet into a private network.
As you know, the Internet is anything but private. However, an individual user or organization
can set up tunneling points across the Internet and send encrypted data back and forth, using
the IP packet-within-an-IP packet method to transmit data safely and securely.
VPNs are simple to set up and maintain, and usually require only that the tunneling points be
dual-homed—that is, connecting a private network to the Internet or to another outside
connection point.
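The encapsulation step described above (the "IP packet within an IP packet" method), as an added example that is not from the chapter: an inner packet addressed between two private networks is wrapped in an outer IPv4 header carrying the public addresses of the two dual-homed tunnel points, and unwrapped at the far end after the header is checked. Protocol number 4 is the real IP-in-IP value; encryption of the inner packet is left out, and all addresses are constructed.

```python
import struct
from ipaddress import ip_address

IPPROTO_IPIP = 4   # protocol number for "IP in IP" in the outer header

def checksum(data):
    """Standard one's-complement sum over 16-bit words, as used for IPv4 headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0, ip_address(src).packed, ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def parse_header(packet):
    """Return (src, dst, proto, total_len, header_len); raise on a bad header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if checksum(packet[:ihl]) != 0:      # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    total_len, proto = struct.unpack("!H", packet[2:4])[0], packet[9]
    src, dst = ip_address(packet[12:16]), ip_address(packet[16:20])
    return str(src), str(dst), proto, total_len, ihl

def encapsulate(inner, tunnel_src, tunnel_dst):
    """Near tunnel point: the whole inner packet becomes the outer packet's payload."""
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(outer, expected_peer):
    """Far tunnel point: verify the outer header, then hand back the inner packet."""
    src, _dst, proto, total_len, ihl = parse_header(outer)
    if proto != IPPROTO_IPIP:
        raise ValueError("outer packet is not an IP-in-IP tunnel packet")
    if src != expected_peer:
        raise ValueError("tunnel packet from unexpected peer %s" % src)
    inner = outer[ihl:total_len]
    parse_header(inner)   # the inner header must be valid as well
    return inner

# Constructed inner packet: private-to-private datagram, protocol 17 (UDP) with a stub payload.
INNER = ipv4_header("10.1.0.5", "10.2.0.9", 17, 4) + b"data"

if __name__ == "__main__":
    outer = encapsulate(INNER, "203.0.113.1", "198.51.100.2")
    print(parse_header(outer), decapsulate(outer, "203.0.113.1") == INNER)
```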
VPN support is built into most Microsoft server software, and client support for VPN services is
built into most Windows clients.
While connections for true private network services can cost hundreds of thousands of dollars to
lease, configure, and maintain, an Internet VPN can cost very little.