
Chapter 2: Access Control

Overview
Objectives
Authentication issues
Access control models
Access control management

Concept
Access control covers the security processes and procedures through which access to objects is granted or denied on the basis of predefined policies or rules.

[Figure: access control relationship between subject, object and system]

Objectives of access control

Granting access
Identification
Authentication
Authorization

Ensuring security
Confidentiality
Integrity
Availability
Accountability

Granting access

Ensuring security
Confidentiality: is the transaction kept secret?
Integrity: is the accessed object guaranteed to be intact (unchanged)?
Availability: is the accessed object available when it is needed?
Accountability: can the system be held to account for the authentication it performed?

Types of authentication
Something the user knows: memorized information such as passwords, PINs, or personal facts
Something the user physically possesses: smart cards, keys
Biometric information: fingerprint, signature, voice

Authentication within an organization

Single Sign-On (SSO): the user authenticates only once but is recognized across the whole system.
Remote access authentication: used for remote access to the local system.

Single sign-on: Kerberos

Remote access authentication
TACACS: Terminal Access Controller Access Control System
RADIUS: Remote Authentication Dial-In User Service

RADIUS


Password administration
Password selection: length, permitted characters, no personal information, no default passwords
Password management: password reset, password expiry, limit on the number of failed login attempts
Password control: audit logs

Access control approaches

Centralized: access control requests are forwarded to a single authentication system.
Decentralized: authentication is performed by several subsystems.

Access control models

Discretionary access control (DAC): based on the accessing subject.
Mandatory access control (MAC): based on the sensitivity level of the resource.
Non-discretionary access control: role-based access control (RBAC).

Discretionary access control
Each accessing subject is assigned a certain set of rights.
The user or application that owns the accessed object can assign rights at its own discretion.
The main goal is to prevent unauthorized access.
Widely used in common operating systems (UNIX, Windows, ...).

Discretionary access control
Uses an access control list for each object:

Mandatory access control

Objects are assigned a security sensitivity level (which cannot be changed).
Access is granted by matching sensitivity levels.
More secure than DAC, because every object carries a sensitivity level and is subject to the rules.
Complex to deploy (usually applied in the military, security agencies, ...).

Role-based access control

Accessed objects are labelled.
Accessing subjects are assigned roles, and access rights are assigned per role.
Access rights can be inherited.
Lower complexity than the MAC model.

Role-based access control

Standard models
Bell-LaPadula model: focuses on confidentiality. Based on 2 rules:
A subject at a lower security level cannot read an object at a higher security level (no read-up).
A subject at a higher security level cannot write to an object at a lower security level (no write-down).

Standard models
Biba model: focuses on integrity. Based on 2 rules:
A subject may not read content at a lower integrity level (no read-down).
A subject may not create or write content at a higher integrity level (no write-up).
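The Bell-LaPadula rules and the Biba rules from these two slides, carried out as a small reference-monitor check. This is an added example, not code from the lecture slides; the level ordering, the entity names and the audit-line format are constructed assumptions, and compartments are omitted.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Constructed total order of labels: a higher value means more sensitive
    (Bell-LaPadula) or more trustworthy (Biba). Compartments are omitted."""
    PUBLIC = 0
    INTERNAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Entity:
    """A subject or an object; `level` is its clearance/classification
    (Bell-LaPadula) or its integrity level (Biba)."""
    name: str
    level: Level


def blp_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Bell-LaPadula (confidentiality).
    read : no read-up    -> allowed only if subject.level >= obj.level
    write: no write-down -> allowed only if subject.level <= obj.level"""
    if op == "read":
        return subject.level >= obj.level
    if op == "write":
        return subject.level <= obj.level
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject: Entity, obj: Entity, op: str) -> bool:
    """Biba (integrity): the mirror image of Bell-LaPadula.
    read : no read-down -> allowed only if subject.level <= obj.level
    write: no write-up  -> allowed only if subject.level >= obj.level"""
    if op == "read":
        return subject.level <= obj.level
    if op == "write":
        return subject.level >= obj.level
    raise ValueError(f"unknown operation {op!r}")


def audit(model, subject: Entity, obj: Entity, op: str) -> str:
    """Constructed audit-log line for one reference-monitor decision."""
    verdict = "ALLOW" if model(subject, obj, op) else "DENY"
    return f"{model.__name__}: {verdict} {subject.name} {op} {obj.name}"


if __name__ == "__main__":
    analyst = Entity("analyst", Level.SECRET)
    for o in (Entity("bulletin", Level.PUBLIC), Entity("war-plan", Level.TOP_SECRET)):
        for op in ("read", "write"):
            print(audit(blp_allows, analyst, o, op))
            print(audit(biba_allows, analyst, o, op))
```

Running the block shows that the two models give opposite verdicts for every read and write, which is why a system that needs both confidentiality and integrity cannot simply enforce the two rule sets side by side.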

Standard models
Clark-Wilson model: also focuses on integrity, but takes a different approach. It has 5 components:
Users
Transformation Procedures (TP)
Constrained Data Items (CDI)
Unconstrained Data Items (UDI)
Integrity Verification Procedures (IVP)

Standard models
Clark-Wilson model:

Access control management

Account management
Determining access rights
Managing accessed objects
Managing cached data

Account management
Managing user accounts, system accounts and service accounts. Comprises 3 activities:
Creation
Maintenance
Removal

Account management

Determining access rights
The owner of the accessed data must be informed when access rights are granted.
Principle of least privilege.

Managing objects
Managing storage devices.
Ensuring data is classified correctly (MAC model).
Ensuring that deleted objects cannot be recovered.

Managing cached data
Cache: intended to speed up access. Securing cached data:
Erase cached data completely when the program terminates.
The area holding cached data must be protected.
Erase cached data completely when it has not been used for a period of time.

Attacks on access control

Password dictionary attack -> do not use common words.
Password brute-force attack -> use long passwords.
Denial-of-service attack -> block the addresses sending attack packets.
Spoofing attacks: IP spoofing, session hijacking, ARP spoofing.

Attacks on access control

Man-in-the-middle (MITM) attack:

Attacks on access control

Sniffing attack (sniffer): uses software to capture packets on the network.
Uses the promiscuous mode of the network interface.
Uses techniques that alter the switch's MAC table.
Can also be used for network monitoring.
