
Access Control Systems & Methodology

Topics to be covered

- Overview
- Access control implementation
- Types of access control
- MAC & DAC
- Orange Book
- Authentication
- Passwords
- Biometrics
- Tokens/SSO
- Kerberos
- Attacks/Vulnerabilities/Monitoring
- IDS
- Object reuse
- TEMPEST
- RAS access control
- Penetration Testing

What is access control?

Access control is the heart of security. Definitions:

- The ability to allow only authorized users, programs or processes system or resource access
- The granting or denying, according to a particular security model, of certain permissions to access a resource
- An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules

Access control nomenclature

- Authentication - Process through which one proves and verifies certain information
- Identification - Process through which one ascertains the identity of another person or entity
- Confidentiality - Protection of private data from unauthorized viewing
- Integrity - Data is not corrupted or modified in any unauthorized manner
- Availability - System is usable. Contrast with DoS.

How can AC be implemented?

- Hardware
- Software
  - Application
  - Protocol (Kerberos, IPSec)
- Physical
- Logical (policies)

What does AC hope to protect?

- Data - Unauthorized viewing, modification or copying
- System - Unauthorized use, modification or denial of service

It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure.

Proactive access control

- Awareness training
- Background checks
- Separation of duties
- Split knowledge
- Policies
- Data classification
- Effective user registration
- Termination procedures
- Change control procedures

Physical access control

- Guards
- Locks
- Mantraps
- ID badges
- CCTV, sensors, alarms
- Biometrics
- Fences
- Card-keys and tokens
- Guard dogs

AC & privacy issues

- Expectation of privacy
- Policies
- Monitoring activity, Internet usage, email
- Login banners should detail expectations of privacy and state levels of monitoring

Varied types of Access Control

- Discretionary (DAC)
- Mandatory (MAC)
- Lattice/Role/Task
- Formal models:
  - Biba
  - Clark/Wilson
  - Bell/LaPadula - Used set theory to define the concept of a secure state, the modes of access, and the rules for granting access.

Problems with formal models

- Based on a static infrastructure
- Defined and succinct policies
- These do not work in corporate systems, which are extremely dynamic and constantly changing
- None of the previous models deals with:
  - Viruses/active content
  - Trojan horses
  - Firewalls
- Limited documentation on how to build these systems

MAC vs. DAC

Discretionary Access Control

- You decide how you want to protect and share your data

Mandatory Access Control

- The system decides how the data will be shared

Mandatory Access Control

- Assigns sensitivity levels, labels
- Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level
- Only the administrators, not object owners, may change the object level
- Generally more secure than DAC
- Orange Book B-level
- Used in systems where security is critical, e.g., military
- Hard to program for, configure & implement

Mandatory Access Control (Continued)

- Downgrade in performance
- Relies on the system to control access
- Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file
- All output, i.e., print jobs, floppies, other magnetic media, must be labeled as to the sensitivity level

Discretionary Access Control

- Access is restricted based on the authorization granted to the user
- Orange Book C-level
- Prime use is to separate and protect users from unauthorized data
- Used by Unix, NT, NetWare, Linux, Vines, etc.
- Relies on the object owner to control access

Access control lists (ACL)

- A file used by the access control system to determine who may access what programs and files, in what method and at what time
- Different operating systems have different ACL terms
- Types of access: Read/Write/Create/Execute/Modify/Delete/Rename
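The DAC and ACL slides above, as an added example that is not part of the original deck: a small ACL evaluator in which only the object owner may grant access, entries carry the access types listed above plus a time-of-day window, and anything not explicitly granted is denied. The payroll file, users, groups and hours are constructed.

```python
# Added example (not from the slides): an owner-controlled (DAC) access control list.
PERMS = {"read", "write", "create", "execute", "modify", "delete", "rename"}


class ACL:
    def __init__(self, owner: str):
        self.owner = owner
        self.entries = []        # (principal, set of permissions, (start_hour, end_hour))

    def grant(self, by: str, principal: str, perms: set, hours=(0, 24)) -> None:
        """DAC: the object owner, and nobody else, decides how the object is shared."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of this object")
        unknown = set(perms) - PERMS
        if unknown:
            raise ValueError(f"unknown access types: {sorted(unknown)}")
        self.entries.append((principal, set(perms), hours))

    def check(self, principal: str, perm: str, hour: int, groups=()) -> bool:
        """Deny by default; any entry matching the user or one of its groups grants access."""
        for who, perms, (start, end) in self.entries:
            if who in (principal, *groups) and perm in perms and start <= hour < end:
                return True
        return False


def build_payroll_acl() -> ACL:
    """Constructed sample: the payroll file, owned by hr_admin."""
    acl = ACL(owner="hr_admin")
    acl.grant("hr_admin", "hr_admin", PERMS)                                   # owner keeps full control
    acl.grant("hr_admin", "payroll_clerks", {"read", "modify"}, hours=(8, 18))  # business hours only
    acl.grant("hr_admin", "auditor", {"read"})                                 # read-only, any time
    return acl
```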

Orange Book

- DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
- Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
- For stand-alone systems only

Orange Book levels

- A - Verified protection
  - A1: Boeing SNS, Honeywell SCOMP
- B - MAC
  - B1/B2/B3
- C - DAC
  - C1/C2
- D - Minimal security. Systems that have been evaluated, but failed

Bell-LaPadula

- Formal description of allowable paths of information flow in a secure system
- Used to define security requirements for systems handling data at different sensitivity levels
- *-property - prevents write-down, by preventing subjects with access to high level data from writing the information to objects of lower access

Bell-LaPadula (Continued)

- Model defines a secure state
  - Access between subjects and objects in accordance with a specific security policy
- Model central to TCSEC (TCSEC is an implementation of the Bell-LaPadula model)
- Bell-LaPadula model only applies to secrecy of information
  - Identifies paths that could lead to inappropriate disclosure; the next model covers more . . .

Biba Integrity Model

- Biba model covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadula
- Integrity levels cover inappropriate modification of data
- Prevents unauthorized users from making modifications (1st goal of integrity)
- Read Up, Write Down model - Subjects cannot read objects of lesser integrity, subjects cannot write to objects of higher integrity
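The MAC, Bell-LaPadula and Biba rules above, as an added example that is not part of the original deck: a toy reference monitor over a label lattice (level plus a set of categories, so two labels can also be incomparable), enforcing no-read-up/no-write-down for secrecy and no-read-down/no-write-up for integrity. It reproduces the earlier MAC example (secret information may not be written into a confidential file). The level names and the "CRYPTO" category are constructed.

```python
# Added example (not from the slides): lattice-based Bell-LaPadula and Biba checks.
from dataclasses import dataclass

CONF = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}   # sensitivity
INTEG = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}                                    # integrity


@dataclass(frozen=True)
class Label:
    level: int
    cats: frozenset = frozenset()          # compartments such as {"CRYPTO"}; empty = none

    def dominates(self, other: "Label") -> bool:
        """Lattice order: at least the other's level AND a superset of its categories."""
        return self.level >= other.level and self.cats >= other.cats


def conf(level: str, *cats: str) -> Label:
    return Label(CONF[level], frozenset(cats))


def integ(level: str, *cats: str) -> Label:
    return Label(INTEG[level], frozenset(cats))


def blp_allowed(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula (secrecy): simple security = no read up, *-property = no write down."""
    if op == "read":
        return subject.dominates(obj)       # clearance must dominate the object's label
    if op == "write":
        return obj.dominates(subject)       # may only write to objects at or above own level
    raise ValueError(f"unknown operation {op!r}")


def biba_allowed(subject: Label, obj: Label, op: str) -> bool:
    """Biba (integrity): no read down (simple integrity), no write up (*-integrity)."""
    if op == "read":
        return obj.dominates(subject)       # reading lower-integrity data would taint the subject
    if op == "write":
        return subject.dominates(obj)       # a low-integrity subject must not alter trusted data
    raise ValueError(f"unknown operation {op!r}")


def mac_decision(subject: dict, obj: dict, op: str) -> bool:
    """Combined monitor: each principal carries both labels and both models must agree."""
    return (blp_allowed(subject["conf"], obj["conf"], op)
            and biba_allowed(subject["integ"], obj["integ"], op))
```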

Clark & Wilson Model

- An Integrity Model, like Biba
- Addresses all 3 integrity goals:
  - Prevents unauthorized users from making modifications
  - Maintains internal and external consistency
  - Prevents authorized users from making improper modifications
- T - cannot be Tampered with while being changed
- L - all changes must be Logged
- C - Integrity of data is Consistent

Clark & Wilson Model (Continued)

- Proposes Well Formed Transactions:
  - perform steps in order
  - perform exactly the steps listed
  - authenticate the individuals who perform the steps
- Calls for separation of duty
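The Clark-Wilson slides above, as an added example that is not part of the original deck: a toy enforcement layer in which only certified transformation procedures (TPs) may touch constrained data items (CDIs), each (user, TP, CDI) access triple is checked, an integrity verification procedure (IVP) must hold after every change, failed changes are rolled back (T), every outcome is logged (L), and separation of duty is expressed by giving no user both the transfer and the approve TP. The ledger, users and TP names are constructed.

```python
# Added example (not from the slides): a toy Clark-Wilson enforcement layer.
ledger = {"acct:A": 100, "acct:B": 50}     # CDIs: constrained data items
audit_log = []                             # L: all changes (and refusals) are logged


def ivp_ok(cdis: dict) -> bool:
    """Integrity verification procedure: money is conserved and no balance is negative."""
    return sum(cdis.values()) == 150 and all(v >= 0 for v in cdis.values())


def transfer(cdis, src, dst, amount):
    """Certified TP: a well-formed transaction does exactly these steps, in this order."""
    if cdis[src] < amount:
        raise ValueError("insufficient funds")
    cdis[src] -= amount
    cdis[dst] += amount


def approve(cdis, acct):
    """Certified TP: records a review of an account without changing balances."""
    audit_log.append(("REVIEWED", acct, cdis[acct]))


TPS = {"transfer": transfer, "approve": approve}
# Access triples (user, TP, CDI). Separation of duty: nobody holds both transfer and approve.
TRIPLES = {("alice", "transfer", "acct:A"), ("alice", "transfer", "acct:B"),
           ("bob", "approve", "acct:A"), ("bob", "approve", "acct:B")}


def run_tp(user: str, tp_name: str, cdis: dict, *args) -> bool:
    """Enforcement: every CDI the TP touches needs a triple; the IVP must hold afterwards."""
    touched = [a for a in args if isinstance(a, str) and a in cdis]
    if tp_name not in TPS or any((user, tp_name, c) not in TRIPLES for c in touched):
        audit_log.append(("DENIED", user, tp_name, args))
        return False
    snapshot = dict(cdis)
    try:
        TPS[tp_name](cdis, *args)
        if not ivp_ok(cdis):
            raise ValueError("IVP failed")
    except ValueError as exc:
        cdis.clear()                       # T: a failed change is rolled back, never left half-done
        cdis.update(snapshot)
        audit_log.append(("ROLLBACK", user, tp_name, str(exc)))
        return False
    audit_log.append(("OK", user, tp_name, args))
    return True
```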

Problems with the Orange Book

- Based on an old model, Bell-LaPadula
- Stand alone, no way to network systems
- Systems take a long time (1-2 years) to certify
  - Any changes (hot fixes, service packs, patches) break the certification
- Has not adapted to changes in client-server and corporate computing
- Certification is expensive
- For the most part, not used outside of the government sector

Red Book

- Used to extend the Orange Book to networks
- Actually two works:
  - Trusted Network Interpretation of the TCSEC (NCSC-TG-005)
  - Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)

Authentication

3 types of authentication:

- Something you know - Password, PIN, mother's maiden name, passcode, fraternity chant
- Something you have - ATM card, smart card, token, key, ID badge, driver's license, passport
- Something you are - Fingerprint, voice scan, iris scan, retina scan, DNA

Multi-factor authentication

- 2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication:
  - ATM card + PIN
  - Credit card + signature
  - PIN + fingerprint
  - Username + Password (NetWare, Unix, NT default)
- 3-factor authentication - For highest security:
  - Username + Password + Fingerprint
  - Username + Passcode + SecurID token

Problems with passwords

- Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
- Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily crack Unix, NetWare & NT passwords.
  - Dictionary attacks are only feasible because users choose easily guessed passwords!
- Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember
- Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction

Classic password rules

The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin.

Don't use:

- common names, DOB, spouse, phone #, etc.
- words found in dictionaries
- "password" as a password
- system defaults
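The classic password rules above, as an added example that is not part of the original deck: a checker that rejects single dictionary words, "password", vendor defaults and anything built from the user's own directory data (names, spouse, date of birth, phone number), and requires a digit or special character joining the words. The tiny word list, default list and directory record are constructed stand-ins; the 8-character minimum is an assumption.

```python
# Added example (not from the slides): a checker for the classic password rules.
import re

# Constructed stand-ins: a real check would use a full word list and the directory record.
DICTIONARY = {"password", "secret", "welcome", "dragon", "letmein", "summer"}
SYSTEM_DEFAULTS = {"admin", "changeme", "manager", "supervisor", "guest"}


def personal_tokens(profile: dict) -> set:
    """Words and digit runs an attacker could look up: names, spouse, DOB, phone number."""
    toks = set()
    for value in profile.values():
        toks.update(re.findall(r"[a-z]+|\d{2,}", value.lower()))
    return {t for t in toks if len(t) >= 3}        # ignore tiny fragments such as "04"


def check_password(pw: str, profile: dict, min_len: int = 8) -> list:
    """Return the rule violations; an empty list means the password passes the rules."""
    low = pw.lower()
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if low in DICTIONARY:
        problems.append("a single dictionary word")
    if low == "password" or low in SYSTEM_DEFAULTS:
        problems.append("'password' or a system default")
    if any(t in low for t in personal_tokens(profile)):
        problems.append("contains personal information (name, spouse, DOB, phone)")
    if not re.search(r"[^A-Za-z]", pw):              # two words need a digit/special between them
        problems.append("no digit or special character joining the words")
    return problems


PROFILE = {"name": "John Smith", "spouse": "Mary", "dob": "1965-04-12",
           "phone": "555-1234", "pet": "Fluffy"}     # constructed directory record
```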

Password management

- Configure system to use strong passwords
- Set password time and length limits
- Limit unsuccessful logins
- Limit concurrent connections
- Enable auditing
- Have policies for password resets and changes
- Use last login dates in banners

Password Attacks

- Brute force
  - l0phtcrack
  - Crack
  - John the Ripper
- Dictionary
- Trojan horse login program

Biometrics

- Authenticating a user via human characteristics
- Using measurable physical characteristics of a person to prove their identification
- Fingerprint, signature dynamics, iris, retina, voice, face, DNA, blood

Advantages of fingerprint-based biometrics

- Can't be lent like a physical key or token and can't be forgotten like a password
- Good compromise between ease of use, template size, cost and accuracy
- Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
- Basically lasts forever
- Makes network login & authentication effortless

Biometric Disadvantages

- Still relatively expensive per user
- Companies & products are often new & immature
- No common API or other standard
- Some hesitancy for user acceptance

Biometric privacy issues

- Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour
- Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services
- Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

Practical biometric applications

- Network access control
- Staff time and attendance tracking
- Authorizing financial transactions
- Government benefits distribution (Social Security, welfare, etc.)
- Verifying identities at point of sale
- Using in conjunction with ATM, credit or smart cards
- Controlling physical access to office buildings or homes
- Protecting personal property
- Preventing kidnapping in schools, play areas, etc.
- Protecting children from fatal gun accidents

Tokens

- Used to facilitate one-time passwords
- Physical card
- SecurID
- S/Key
- Smart card
- Access token

Single sign-on

- User has one password for all enterprise systems and applications
- That way, one strong password can be remembered and used
- All of a user's accounts can be quickly created on hire, deleted on dismissal
- Hard to implement and get working
- Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509

Kerberos

- Part of MIT's Project Athena
- Kerberos is an authentication protocol used for network-wide authentication
- All software must be kerberized
- Tickets, authenticators, key distribution center (KDC)

Kerberos roles

- KDC divided into Authentication Server & Ticket Granting Server (TGS)
- Authentication Server - authenticates the identities of entities on the network
- TGS - Generates unique session keys between two parties. Parties then use these session keys for message encryption

Kerberos authentication

- User must have an account on the KDC
- KDC must be a trusted server in a secured location
- Shares a DES key with each user
- When a user wants to access a host or application, they request a ticket from the KDC via klogin & generate an authenticator that validates the ticket
- User provides ticket and authenticator to the application, which processes them for validity and will then grant access

Problems with Kerberos

- Each piece of software must be kerberized
- Requires synchronized time clocks
- Relies on UDP, which is often blocked by firewalls
- Kerberos v4 binds tickets to a single network address for a host. Hosts with multiple NICs will have problems using tickets
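The Kerberos roles, authentication flow and clock-synchronization problem above, as an added example that is not part of the original deck: a simulation of the AS exchange, the TGS exchange and the final presentation of ticket plus authenticator to a kerberized service, including the expiry, clock-skew and replay checks. "Sealing" here is a labelled stand-in for symmetric encryption (a real KDC uses DES in v4); principal names, keys, lifetimes and the 5-minute skew window are assumptions.

```python
# Added example (not from the slides): a toy simulation of the Kerberos ticket exchange.
SKEW = 300   # tolerated clock drift in seconds: why Kerberos needs synchronised clocks
KDC_KEYS = {"alice": "k-alice", "krbtgt": "k-tgs", "fileserver": "k-fs"}   # long-term shared keys


def seal(key, payload):
    """Stand-in for symmetric encryption: a box that only opens with the same key."""
    return {"key": key, "payload": dict(payload)}


def unseal(key, box):
    """Stand-in for decryption; the wrong key fails instead of yielding garbage."""
    if box["key"] != key:
        raise PermissionError("wrong key")
    return dict(box["payload"])


def as_exchange(user, now):
    """Authentication Server: a session key plus a TGT sealed under the TGS's key."""
    sess = f"sess-{user}-{int(now)}"
    tgt = seal(KDC_KEYS["krbtgt"], {"user": user, "sess": sess, "expires": now + 8 * 3600})
    return seal(KDC_KEYS[user], {"sess": sess, "tgt": tgt})     # only the real user can open this


def tgs_exchange(tgt, authenticator, service, now):
    """Ticket Granting Server: checks TGT and authenticator, issues a service ticket."""
    t = unseal(KDC_KEYS["krbtgt"], tgt)
    auth = unseal(t["sess"], authenticator)                      # proves the client knows sess
    if t["expires"] < now or abs(auth["ts"] - now) > SKEW or auth["user"] != t["user"]:
        raise PermissionError("expired ticket or stale authenticator")
    svc_sess = f"sess-{t['user']}-{service}"
    ticket = seal(KDC_KEYS[service], {"user": t["user"], "sess": svc_sess, "expires": now + 3600})
    return seal(t["sess"], {"sess": svc_sess, "ticket": ticket})


def service_accepts(service, ticket, authenticator, now, seen):
    """Kerberized application: validates ticket, authenticator freshness and replay."""
    t = unseal(KDC_KEYS[service], ticket)
    auth = unseal(t["sess"], authenticator)
    if t["expires"] < now or abs(auth["ts"] - now) > SKEW or (auth["user"], auth["ts"]) in seen:
        return False
    seen.add((auth["user"], auth["ts"]))                        # replay cache
    return auth["user"] == t["user"]


def client_login(user, service, now, seen):
    """The whole flow as the client drives it: AS -> TGS -> service."""
    rep = unseal(KDC_KEYS[user], as_exchange(user, now))        # key derived from user's password
    auth1 = seal(rep["sess"], {"user": user, "ts": now})
    rep2 = unseal(rep["sess"], tgs_exchange(rep["tgt"], auth1, service, now))
    auth2 = seal(rep2["sess"], {"user": user, "ts": now})
    return service_accepts(service, rep2["ticket"], auth2, now, seen)
```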

Attacks

- Passive attack - Monitor network traffic and then use the data obtained or perform a replay attack. Hard to detect
- Active attack - Attacker is actively trying to break in. Exploits system vulnerabilities
- Spoofing
- Crypto attacks
- Denial of service (DoS) - Not so much an attempt to gain access, rather to prevent system operation
  - Smurf, SYN flood, Ping of death
  - Mail bombs

Vulnerabilities

- Physical
- Natural - Floods, earthquakes, terrorists, power outage, lightning
- Hardware/Software
- Media - Corrupt electronic media, stolen disk drives
- Emanation
- Communications
- Human - Social engineering, disgruntled staff

Monitoring

- IDS
- Logs
- Audit trails
- Network tools
  - Tivoli
  - OpenView

Intrusion Detection Systems

- IDS monitors system or network for attacks
- IDS engine has a library and set of signatures that identify an attack
- Adds defense in depth
- Should be used in conjunction with a system scanner (CyberCop, ISS) for maximum security

Object reuse

- Must ensure that magnetic media do not retain any remnants of previous data
- Also applies to buffers, cache and other memory allocation
- Required at TCSEC B2/B3/A1 level
- "Secure Deletion of Data from Magnetic and Solid-State Memory"
- Objects must be declassified
- Magnetic media must be degaussed or have secure overwrites

TEMPEST

- Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards.
- TEMPEST certified equipment, which encases the hardware in a tight metal construct, shields the electromagnetic emanations
- WANG Federal is the leading provider of TEMPEST hardware
- TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
- Rooms & buildings can be TEMPEST-certified
- TEMPEST standards (NACSEM 5100A, NACSI 5004) are classified documents

Banners

- Banners display at login or connection, stating that the system is for the exclusive use of authorized users and that their activity may be monitored
- Not foolproof, but a good start, especially from a legal perspective
- Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.

RAS access control

- RADIUS (Remote Authentication Dial-In User Service) - client/server protocol & software that enables a RAS to communicate with a central server to authenticate dial-in users & authorize their access to requested systems
- TACACS/TACACS+ (Terminal Access Controller Access Control System) - Authentication protocol that allows a RAS to forward a user's logon password to an authentication server. TACACS is an unencrypted protocol and therefore less secure than the later TACACS+ and RADIUS protocols. A later version of TACACS is XTACACS (Extended TACACS).

Penetration Testing

- Basically "Improving the Security of Your Site by Breaking Into It", by Dan Farmer/Wietse Venema, http://www.fish.com/security/admin-guide-to-cracking.html
- Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
- Discovery and footprint analysis
- Exploitation
- Physical Security Assessment
- Social Engineering

Penetration Testing (Continued)

- Attempt to identify vulnerabilities and gain access to critical systems within the organization
- Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
- Assessments allow the client to demonstrate the need for additional security resources by translating existing vulnerabilities into real-life business risks

Rule of least privilege

- One of the most fundamental principles of infosec
- States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more.
- An AC system that grants users only those rights necessary for them to perform their work
- Limits exposure to attacks and the damage an attack can cause
- Physical security example: car ignition key vs. door key

Implementing least privilege

- Ensure that only a minimal set of users have root access
- Don't make a program run setuid to root if not needed. Rather, make the file group-writable to some group and make the program run setgid to that group, rather than setuid to root
- Don't run insecure programs on the firewall or other trusted hosts

Access Control Systems & Methodology

Any questions?

Files graciously shared by Ben Rothke. Reformatted and edited for Slide presentation
