CHAPTER 4:
ACCESS CONTROL
Access Control Objectives
IAAA
Authentication
Type 1
Type 2
Type 3
Authorization
SSO
Access Control Models
Administration
Access Controls
Access controls are security features that control how people can interact with systems and resources.
Access
Access is the data flow between a subject and an object.
Subject: a person, process or program
Object: a resource (file, printer, etc.)
Access controls should support the CIA triad and regulate what a subject can do with an object.
Access Controls
Access controls fall into three categories:
Logical
Physical
Administrative
IAAA of Access Control
The components of access control that we are about to discuss are:
Identification: make a claim (user ID, etc.)
Authentication: provide support (proof) for your claim
Authorization: what rights and permissions you have
Auditing: accountability, matching actions to subjects
Identification
Public information (usually we aren't concerned with protecting identities)
Identification must be unique for accountability
Standard naming schemes should be used
Identifier should not indicate extra information about the user (like job position)
Examples:
User ID
Account Number
RFID
IP or MAC address
Authentication
Proving your identity
Type 1: Something you know
Type 2: Something you have
Type 3: Something you are
Type 1: Something You Know
Passwords / Passphrases / Cognitive Passwords
Best practices:
No less than 8 characters
Change on a regular basis
Enforce password history
Consider brute force and dictionary attacks
Consider the ease of cracking cognitive passwords
Graphic image
Enable clipping levels and respond to them
Type 2: Something You Have
Token Devices
Smart Card
Memory Card
Hardware Key
Cryptographic Key
Certificate
Cookies
Token Devices: One Time Password Generators
A password that is used only once and is then no longer valid
A one time password reduces the vulnerability associated with sniffing passwords.
Simple device to implement
Can be costly
Users can lose or damage them
Two types: Synchronous / Asynchronous
Synchronous Token Devices
Rely upon synchronizing with the authentication server.
Frequently time based, but could be event based
If damaged, or the battery fails, must be re-synchronized
The authentication server knows what password to expect based on time or event.
Asynchronous Token Devices
Asynchronous / Challenge Response
User logs in
Authentication server returns a challenge to the user
User types the challenge string into the token device and presses enter.
Token device returns a reply
Only that specific user's token device could respond with the expected reply.
More complex than synchronous
May provide better protection against sniffing
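An added example (not from the slides or any vendor's token) modelling both token types described above: a time-synchronized server that computes the expected code from a shared secret and its own clock, and a challenge/response server that sends a fresh random challenge that only the matching token can answer. The HMAC-based code generator, the shared secret and the one-slot drift window are assumptions made for illustration; both servers reject a code that has already been accepted.

```python
import hmac, hashlib, struct, secrets

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time code (RFC 4226 style truncation) over a counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

class SynchronousServer:
    """Time based: the server derives the expected code from the secret and the clock."""
    def __init__(self, secret: bytes, step: int = 30, window: int = 1):
        self.secret, self.step, self.window = secret, step, window
        self.last_used = None  # newest time slot already accepted; a code is good only once
    def verify(self, code: str, now: float) -> bool:
        slot = int(now // self.step)
        for drift in range(-self.window, self.window + 1):  # tolerate slight clock drift
            if hmac.compare_digest(code, hotp(self.secret, slot + drift)):
                if self.last_used is not None and slot + drift <= self.last_used:
                    return False  # replay of a code that was already consumed
                self.last_used = slot + drift
                return True
        return False

class AsynchronousServer:
    """Challenge/response: the server issues a random challenge, the token answers it."""
    def __init__(self, secret: bytes):
        self.secret, self.pending = secret, {}
    def challenge(self, user: str) -> int:
        c = secrets.randbits(63)  # fresh each login, so a sniffed reply is useless later
        self.pending[user] = c
        return c
    def verify(self, user: str, response: str) -> bool:
        c = self.pending.pop(user, None)  # each challenge is answerable exactly once
        return c is not None and hmac.compare_digest(response, hotp(self.secret, c))

# What the user's token device computes on its side.
def token_time_code(secret: bytes, now: float, step: int = 30) -> str:
    return hotp(secret, int(now // step))

def token_challenge_response(secret: bytes, challenge: int) -> str:
    return hotp(secret, challenge)
```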
Memory Cards
NOT a smart card
Holds information, does NOT process it
A memory card holds authentication info; usually you'll want to pair this with a PIN. WHY?
A credit card or ATM card is a type of memory card, and so is a key/swipe card
Usually insecure, easily copied.*
Smart Card (191)
Much more secure than memory cards
Can actually process information
Includes a microprocessor and ICs
Can provide two factor authentication, as the card can store authentication data protected by a PIN (so you need the card, and you need to know something)
Two types:
Contact
Contactless
Smart Card Attacks
There are attacks against smart cards:
1. Fault generation: manipulate environmental controls and measure errors in order to reverse engineer logic
2. Side channel attacks: measure the cards while they work
Differential power analysis: measure power emissions
Electromagnetic analysis: examine frequencies emitted
3. Micro probing*: using needles and vibrations to remove the outer protection on the card's circuits, then tap into ROMs if possible or die ROMs to read data.
Type 3: Something You Are
Biometrics
Static: should not significantly change over time. Bound to a user's physiological traits
Fingerprint, hand geometry, iris, retina, etc.
Dynamic: based on behavioral traits
Voice, gait, signature, keyboard cadence, etc.
Even though these can be modified temporarily, they are very difficult to modify for any significant length of time.
Biometric Concerns
Accuracy
Type I Error: False Rejection. A legitimate user is barred from access. Caused when a system evaluates too much information. This causes excessive overhead.
Type II Error: False Acceptance. An impostor is allowed access. This is a security threat and comes when a system doesn't evaluate enough information.
As FRR goes down, FAR goes up, and vice versa
The level at which the two meet is called the CER (Crossover Error Rate). The lower the number, the more accurate the system.
Iris scans are the most accurate
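An added worked example (not from the slides) of the FRR/FAR trade-off just described: a threshold is swept over constructed match scores, FRR and FAR are computed at each step, and the crossover point gives the CER. The score lists and the 0.05 threshold grid are constructed for illustration, not real sensor data.

```python
# Constructed match scores in 0..1 (higher = closer to the enrolled template); not real data.
GENUINE = [0.91, 0.85, 0.78, 0.88, 0.70, 0.95, 0.60, 0.82, 0.74, 0.89]   # legitimate users
IMPOSTOR = [0.20, 0.35, 0.55, 0.42, 0.63, 0.30, 0.48, 0.58, 0.25, 0.72]  # other people
THRESHOLDS = [i / 20 for i in range(21)]  # 0.00, 0.05, ..., 1.00

def error_rates(genuine, impostor, threshold):
    """FRR (Type I) and FAR (Type II) when a score >= threshold is accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)    # legitimate users turned away
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    return frr, far

def tradeoff(genuine, impostor, thresholds):
    """One (threshold, FRR, FAR) row per setting: raising the threshold lowers FAR, raises FRR."""
    return [(t, *error_rates(genuine, impostor, t)) for t in thresholds]

def crossover_error_rate(genuine, impostor, thresholds):
    """Threshold at which FRR and FAR meet (closest point on the sweep) and the CER there."""
    t, frr, far = min(tradeoff(genuine, impostor, thresholds), key=lambda row: abs(row[1] - row[2]))
    return t, (frr + far) / 2

if __name__ == "__main__":
    for t, frr, far in tradeoff(GENUINE, IMPOSTOR, THRESHOLDS):
        print(f"threshold {t:.2f}  FRR {frr:.2f}  FAR {far:.2f}")
    print("CER at threshold %.2f = %.2f" % crossover_error_rate(GENUINE, IMPOSTOR, THRESHOLDS))
```

A second system whose sweep yields a smaller CER would be the more accurate one, which is how the slides say to compare them.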
Biometric Concerns
User Acceptance
Many users feel biometrics are intrusive
Retina scans can reveal health care information
Time for enrollment and verification can make users resistant
Cost/benefit analysis
No way to revoke biometrics
Biometric Concerns
Cost
Biometric systems can be very costly and require unwieldy technology
Though costs are coming down for means like fingerprint recognition, other technologies still remain prohibitive
Strong Authentication
Strong Authentication is the combination of 2 or more of these and is encouraged!
Strong Authentication provides a higher level of assurance*
Strong Authentication is also called multifactor authentication*
Watch out! Most people want to choose biometrics as the best authentication, but any one source can be compromised. Always look for more than one type!
Mutual Authentication is beneficial
Authorization
The concept of ensuring that someone who is authenticated is allowed access to a resource.
Authorization is a preventative control
Race conditions would try to cause authorization to happen before authentication
Auditing
Logging and reviewing accesses to objects.
What is the purpose of auditing?
Auditing is a detective control*
AUTHORIZATION
Authorization
Now that I have proved I am who I say I am, what can I do?
Both OSes and applications can provide this functionality.
Authorization can be provided based on user, groups, roles, rules, physical location, time of day (temporal isolation)* or transaction type (for example, a teller may be able to withdraw small amounts, but require a manager for large withdrawals)
Authorization principles
Default NO access (implicit deny)*: unless a subject is explicitly given access to an object, they are implicitly denied access.
Principle of Least Privilege
Need to know
Content-based
Authorization Creep
As a subject stays in an environment over time, their permissions accumulate even after they are no longer needed.
Auditing authorization can help mitigate this. SOX requires yearly auditing.
Single Sign On
As environments get larger and more complex it becomes harder and harder to manage user accounts securely.
Multiple users to create/disable
Many passwords to remember, which leads to password security issues
Reduces user frustration as well as IT frustration!
Wastes your IT budget trying to manage disparate accounts.
Single Sign On
Single sign on systems try to mitigate this problem. Some SSO systems are:
Kerberos
LDAP
SESAME
KryptoKnight
SSO (Single Sign-on) Pros and Cons
Pros
Ease of use for end users
Centralized control
Ease of administration
Cons
Single point of failure
Standards necessary
Keys to the kingdom
SSO technologies
Kerberos
SESAME
LDAP
Microsoft Active Directory*
Kerberos
A network authentication protocol designed from MIT's Project Athena.
Kerberos tries to ensure authentication security in an insecure environment
Used in Windows 2000+ and some Unix
Allows for single sign on
Never transfers passwords
Uses symmetric encryption to verify identities
Avoids replay attacks
Kerberos Components
Principals: users or network services
KDC: Key Distribution Center, stores secret keys (passwords) for principals
Authentication Service (AS)
Ticket Granting Service (TGS)
Tickets: provide access to specific network services (e.g. file sharing)
Realms: a grouping of principals that a KDC provides service for; looks like a domain name
Example: somedepartment.mycompany.com
[Diagram: "Welcome to the Kerberos Carnival". Components shown: Realm, Database Server, File Server, TGS, AS, Print Server A. Flow: 1. Username, 2. TGT, 3. ticket request, 4. ticket, 5. print job + ticket.]
Kerberos Concerns
Computers must have clocks synchronized within 5 minutes of each other
Tickets are stored on the workstation. If the workstation is compromised your identity can be forged.
If your KDC is hacked, security is lost
A single KDC is a single point of failure and performance bottleneck
Still vulnerable to password guessing attacks
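An added toy model (not from the slides and not a real Kerberos implementation) of the AS and TGS exchanges from the components slide, written to show the three properties the slides claim: the password never crosses the wire (the client only ever uses a key derived from it), tickets are sealed with symmetric keys, and an authenticator is rejected when the clocks differ by more than 5 minutes or when it is replayed. The SHA-256 keystream cipher, the KDC class and the principal names are constructed for illustration.

```python
import hashlib, hmac, json, os

MAX_SKEW = 300  # seconds: the 5-minute clock tolerance from the slides

def user_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()  # both sides derive the key; the password itself is never sent

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC; stands in for Kerberos' symmetric cipher."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket tampered with or wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, principals: dict):
        self.keys = {name: user_key(pw) for name, pw in principals.items()}  # secret keys for principals
        self.tgs_key = os.urandom(32)   # only the TGS can open a TGT
        self.seen = set()               # authenticators already accepted (replay cache)
    def as_exchange(self, user: str, now: int):
        """AS: the client sends just its name and gets a session key plus a TGT."""
        session = os.urandom(32)
        tgt = seal(self.tgs_key, {"user": user, "session": session.hex(), "expires": now + 8 * 3600})
        return seal(self.keys[user], {"session": session.hex()}), tgt
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS: check the TGT and a fresh authenticator, then issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["session"]), authenticator)  # only the session-key holder can make this
        if a["user"] != t["user"] or abs(now - a["ts"]) > MAX_SKEW:
            raise PermissionError("bad authenticator or clock skew over 5 minutes")
        if (a["user"], a["ts"]) in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add((a["user"], a["ts"]))
        return seal(self.keys[service], {"user": t["user"], "service": service, "expires": now + 3600})

def client_login(kdc: KDC, user: str, password: str, service: str, now: int):
    enc_session, tgt = kdc.as_exchange(user, now)
    session = bytes.fromhex(unseal(user_key(password), enc_session)["session"])  # wrong password: cannot open
    authenticator = seal(session, {"user": user, "ts": now})
    return kdc.tgs_exchange(tgt, authenticator, service, now), authenticator, tgt
```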
SESAME
European technology, developed to extend Kerberos and improve on its weaknesses
SESAME uses both symmetric and asymmetric cryptography.
Uses Privileged Attribute Certificates rather than tickets. PACs are digitally signed and contain the subject's identity, access capabilities for the object, access time period and lifetime of the PAC.
PACs come from the Privileged Attribute Server.
KryptoKnight
Should only be known as an older, obsolete SSO technology
ACCESS CONTROL MODELS
Access Control Models
A framework that dictates how subjects access objects.
Uses access control technologies and security mechanisms to enforce the rules
Supported by access control technologies
Business goals and culture of the organization will prescribe which model is used
Every OS has a security kernel / reference monitor (discussed in another chapter) that enforces the access control model.
Access Control Models
The models we are about to discuss are:
From the TCSEC (Trusted Computer System Evaluation Criteria, the Orange Book):
DAC (Discretionary Access Control)
MAC (Mandatory Access Control)
Established later:
RBAC (Role Based Access Control)
DAC
Discretionary Access Control
Security of an object is at the owner's discretion
Access is granted through an ACL (Access Control List)
Commonly implemented in commercial products and all client based systems
Identity based
MAC
Mandatory Access Control*
Data owners cannot grant access!
The OS makes the decision based on a security label system
The subject's label must dominate the object's label
Users and data are given a clearance level (confidential, secret, top secret, etc.)*
Rules for access are configured by the security officer and enforced by the OS.
MAC
MAC is used where classification and confidentiality are of utmost importance, e.g. the military.
Generally you have to buy a specific MAC system; DAC systems don't do MAC
SELinux
Trusted Solaris (now called Solaris with Trusted Extensions)
MAC sensitivity labels
All objects in a MAC system have a security label*
Security labels can be defined by the organization.
They also have categories to support need to know at a certain level.
Categories can be defined by the organization
Role Based Access Control
Also called non-discretionary.
Uses a set of controls to determine how subjects and objects interact.
Don't give rights to users directly. Instead create roles which are given rights. Assign users to roles rather than providing users directly with privileges.
Advantages:
This scales better than DAC methods
Fights authorization creep*
Role Based Access Control
When to use*
If you need centralized access
If you DON'T need MAC ;)
If you have high turnover
Access Control technologies that support access control models
We will talk more in depth about each in the next few slides.
Rule-based Access Control
Constrained User Interfaces
Access Control Matrix
Access Control Lists
Content-Dependent Access Control
Context-Dependent Access Control
Rule Based Access Control
Uses specific rules that indicate what can and cannot transpire between subject and object.
"If x then y" logic
Before a subject can access an object it must meet a set of predefined rules.
Ex. If a user has proper clearance, and it's between 9 AM and 5 PM, then allow access (context based access control)
However it does NOT have to deal specifically with identity/authorization
Ex. May only accept email attachments of 5 MB or less
Rule Based Access Control
Is considered a compulsory control because the rules are strictly enforced and not modifiable by users.
Routers and firewalls use Rule
Constrained User Interfaces
Restrict user access by not allowing them to see certain data or have certain functionality (see slides)
Views: only allow access to certain data (canned interfaces)
Restricted shell: like a real shell but only with certain commands (like Cisco's non-enable mode)
Menu: similar but more GUI
Physically constrained interface: shows only certain keys on a keypad/touch screen, like an ATM (a modern type of menu). The difference is you are physically constrained from accessing them.
[Slides: illustrations of a View, a restricted Shell, and a Physically Constrained Interface]
Content Dependent Access Controls
Access is determined by the type of data.
Example: email filters that look for specific things like "confidential", SSNs, images.
Web proxy servers may be content based.
Context Dependent Access Control
The system reviews a situation, then makes a decision on access.
A firewall is a great example of this: if a session is established, then allow traffic to proceed.
In a web proxy, allow access to certain body imagery if previous web sessions are referencing medical data, otherwise deny access.
Review of Access Control Technology / Techniques
Constrained User Interfaces: view, shell, menu, physical
Access Control Matrix
Capability Tables
ACL
Content Dependent Access Control
Context Dependent Access Control
ACCESS CONTROL ADMINISTRATION
Centralized Access Control Administration
A centralized place for configuring and managing access control
All the ones we will talk about (next) are AAA protocols:
Authentication
Authorization
Auditing
Centralized Access Control Technologies
We will talk about each of these in the upcoming slides:
RADIUS
TACACS, TACACS+
Diameter
RADIUS
Remote Authentication Dial-in User Service (RADIUS) is an authentication protocol that authenticates and authorizes users
Handshaking protocol that allows the RADIUS server to provide authentication and authorization information to a network server (the RADIUS client)
Users usually dial in to an access server (RADIUS client) that communicates with the RADIUS server
The RADIUS server usually contains a database of users and credentials
Communication between the RADIUS client and server is protected
RADIUS Pros/Cons
RADIUS Pros
It's been around; a lot of vendor support
RADIUS Cons
RADIUS can share a symmetric key between the NAS and RADIUS server, but does not encrypt attribute value pairs, only user info. This could provide info to people doing reconnaissance
TACACS+
Provides the same functionality as RADIUS
TACACS+ uses TCP port 49
TACACS+ can support one time passwords
Encrypts ALL traffic data
TACACS+ separates each AAA function.
For example, you can use AD for authentication, and an SQL server for
Diameter
DIAMETER is a protocol designed as the next generation RADIUS
RADIUS is limited to authenticating users via SLIP and PPP dial-up modem connections; other device types use different protocol types
An Internet protocol that supports seamless and continuous connectivity for mobile devices, such as PDAs, laptops, or cell phones with Internet data capabilities, as they move between service provider networks and change their points of attachment to the Internet
Includes better message transport, proxying, session control, and higher security for AAA transactions
Centralized Access Controls overview
Idea: centralize access control
RADIUS, TACACS+, Diameter
Decentralized is simply maintaining access control on all nodes separately.
ACCESS CONTROL METHODS
Unauthorized Disclosure of Information
Sometimes data is unintentionally released.
Examples:
Object reuse
Countermeasures: destruction, degaussing, overwriting
Emanations Security (EMSEC)
Emanation Security
All devices give off electrical / magnetic signals.
A non-obvious example is reading info from a CRT bouncing off something like a pair of sunglasses.
TEMPEST is a standard to develop countermeasures to protect against this.
Emanation Countermeasures
Faraday cage: a metal mesh cage around an object; it negates a lot of electrical/magnetic fields.
White noise: a device that emits radio frequencies designed to disguise meaningful transmission.
Control zones: protect sensitive devices in special areas with special walls, etc.