Module 1
Information Assurance Security 2
OUTLINE
1. Access Control
   1. Identification
   2. Authentication
   3. Authorization
   4. Accountability
2. Firewalls
   1. Firewall Processing Models
   2. Firewalls Categorized by Generation
   3. Firewalls Categorized by Structure
   4. Firewall Architecture
   5. Selecting the Right Firewall
   6. Configuring and Managing Firewalls
   7. Content Filters
3. Protecting Remote Connections
   1. Remote Access
   2. Virtual Private Networks
INTRODUCTION
Access control is the method by which systems determine whether and how to admit
a user into a trusted area of the organization—that is, information systems, restricted
areas such as computer rooms, and the entire physical location.
ACCESS CONTROL
In general, all access control approaches rely on the following four mechanisms,
which represent the four fundamental functions of access control systems:
● Identification: I am a user of the system.
● Authentication: I can prove I’m a user of the system.
● Authorization: Here’s what I can do with the system.
● Accountability: You can track and monitor my use of the system.
IDENTIFICATION
AUTHENTICATION – Something You Know – Password
● This factor of authentication relies on what the unverified user or system knows
and can recall:
○ Password
○ Passphrase
○ Other unique authentication code, such as a personal identification number
(PIN)
AUTHENTICATION – Something You Have – Tokens
○ Smart card – contains a computer chip that can verify and validate several
pieces of information instead of just a PIN.
○ Token – a card or key fob with a computer chip and an LCD that shows a
computer-generated number used to support remote login authentication.
○ Synchronous tokens are synchronized with a server: both the server and the
token use the same time (or a time-based database) to generate a number that
must be entered during the user login phase, so the token's clock must stay
within the drift window the server is willing to accept.
○ Asynchronous tokens don't require that the server and tokens maintain the
same time setting; instead they use a challenge-response exchange, in which the
server sends a challenge and the token computes the response from that
challenge and its stored secret.
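Both token types described above, as an added example (not code from the lecture or from any token vendor). hotp()/totp() follow RFC 4226 and RFC 6238 with HMAC-SHA1 and a 30-second step, so the numbers can be checked against the RFC test vectors; the challenge-response functions are a generic HMAC construction assumed here for illustration, not a particular product's protocol. SECRET is the RFC test key, not a real seed.

```python
"""Synchronous (time-based) and asynchronous (challenge-response) one-time codes.

Added example, not from the lecture slides. hotp()/totp() implement RFC 4226 /
RFC 6238 (HMAC-SHA1, 30 s step). The challenge-response scheme is an assumed,
generic HMAC construction used only to illustrate the idea.
"""
import hashlib
import hmac
import secrets
import struct
import time

SECRET = b"12345678901234567890"   # RFC 4226/6238 test key; real seeds come from enrollment


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based OTP: the shared secret keyed over an 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6) -> str:
    """Synchronous token: both sides derive the counter from the current time."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at=None, step: int = 30,
                window: int = 1, last_used: int = -1):
    """Server-side check for a synchronous token.

    Returns the counter the code matched, or None. `window` tolerates clock
    drift of +/- `window` steps; counters <= `last_used` are refused so a
    sniffed code cannot be replayed inside that drift window.
    """
    at = time.time() if at is None else at
    counter = int(at // step)
    for drift in range(-window, window + 1):
        c = counter + drift
        if c > last_used and hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


# --- asynchronous token: no shared clock, the server supplies the variable ---
def issue_challenge() -> bytes:
    """Server picks a fresh random nonce for this login attempt."""
    return secrets.token_bytes(16)


def token_response(secret: bytes, challenge: bytes, digits: int = 8) -> str:
    """Token returns HMAC(secret, challenge), truncated to a typeable number."""
    mac = hmac.new(secret, challenge, hashlib.sha256).digest()
    return str(int.from_bytes(mac[:8], "big") % 10 ** digits).zfill(digits)


def verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    """Server recomputes the expected response; constant-time comparison."""
    return hmac.compare_digest(token_response(secret, challenge), response)


if __name__ == "__main__":
    print(hotp(SECRET, 0))       # 755224 (RFC 4226 test vector, counter 0)
    print(totp(SECRET, at=59))   # 287082 (RFC 6238 test vector, T=59 -> counter 1)
    ch = issue_challenge()
    print(verify_response(SECRET, ch, token_response(SECRET, ch)))   # True
```

The synchronous path shows why the slide's "same time setting" matters: verify_totp() only tries counters within `window` steps of the server clock, and the `last_used` guard is what stops a code captured in transit from being accepted a second time. The asynchronous path needs no clock at all, because the server chooses the nonce per attempt.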
AUTHENTICATION – Something You Are or Can Produce
○ Biometrics
AUTHORIZATION
● Authorization credentials, which are also called authorization tickets, are issued
by an authenticator and are honored by many or all systems within the
authentication domain (single sign-on (SSO) or reduced sign-on).
ACCOUNTABILITY
● System logs record specific information, such as failed access attempts and
system modifications.
● Logs have many uses, such as intrusion detection, determining the root cause of
a system failure, or simply tracking the use of a particular resource.
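The "intrusion detection" use of logs mentioned above, as an added example that is not part of the lecture: a small detector run over sshd-style authentication records. The log lines are constructed for the example (they are not from a real host), and the thresholds (five failures in sixty seconds; three failures before a success) are assumptions to be tuned per environment.

```python
"""Mining accountability logs for failed-access patterns.

Added example, not from the lecture slides. SAMPLE_LOG is a constructed set
of syslog-style sshd lines; the thresholds below are illustrative defaults.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 13 10:01:12 gw sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 13 10:01:15 gw sshd[2311]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar 13 10:01:21 gw sshd[2314]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar 13 10:01:27 gw sshd[2314]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar 13 10:01:33 gw sshd[2318]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar 13 10:01:40 gw sshd[2318]: Failed password for root from 203.0.113.7 port 50141 ssh2
Mar 13 10:01:52 gw sshd[2320]: Accepted password for root from 203.0.113.7 port 50150 ssh2
Mar 13 10:05:02 gw sshd[2402]: Failed password for bob from 198.51.100.4 port 41002 ssh2
Mar 13 10:05:09 gw sshd[2402]: Accepted password for bob from 198.51.100.4 port 41002 ssh2
Mar 13 10:07:45 gw sshd[2450]: Accepted publickey for alice from 10.0.0.5 port 55200 ssh2
Mar 13 10:08:00 gw sshd[2455]: pam_unix(sshd:session): session opened for user alice by (uid=0)
"""

# Only authentication decisions are of interest; session/pam lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[0-9a-fA-F.:]+)"
)


def parse(log_text: str):
    """Turn matching lines into event dicts; syslog has no year, fine within one day."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "ok": m["result"] == "Accepted",
            "user": m["user"], "src": m["src"], "method": m["method"],
        })
    return events


def brute_force_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Sources with >= threshold failures inside any sliding window."""
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["src"]].append(e["ts"])
    flagged = set()
    for src, times in fails.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            while times[i] - times[j] > window:
                j += 1
            if i - j + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def success_after_failures(events, min_failures=3):
    """Accepted logins preceded by a run of failures from the same source
    (a guessed password is the usual explanation)."""
    streak = defaultdict(int)
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ok"]:
            if streak[e["src"]] >= min_failures:
                hits.append((e["src"], e["user"], e["method"]))
            streak[e["src"]] = 0
        else:
            streak[e["src"]] += 1
    return hits


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print(brute_force_sources(ev))        # {'203.0.113.7'}
    print(success_after_failures(ev))     # [('203.0.113.7', 'root', 'password')]
```

The second detector is the one worth keeping: a burst of failures alone is noise on any Internet-facing host, but a success from the same source right after a burst is the record that says the guessing worked.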
BIOMETRIC ACCESS CONTROL
Among all possible biometrics, only three human characteristics are usually
considered truly unique:
● Fingerprints
● Retina of the eye (blood vessel pattern)
● Iris of the eye (random pattern of features found in the iris, including freckles,
pits, striations, vasculature, coronas, and crypts)
● Most of the technologies that scan human characteristics convert these images to
some form of minutiae.
● Signature and voice recognition technologies are also considered to be biometric
access control measures.
EFFECTIVENESS OF BIOMETRICS
● A false rejection denies access to a legitimate user; a false acceptance admits
an impostor. Lowering the match threshold reduces rejections but increases
acceptances, and raising it does the reverse.
● The crossover error rate (CER), the point at which the false reject and false
accept rates intersect, is possibly the most common and important overall
measure of accuracy for a biometric system: the lower the CER, the more
accurate the system.
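How the CER is actually read off a matcher's output, as an added example (not from the lecture). The genuine and impostor score lists are constructed for illustration, not measurements from a real sensor; a comparison is accepted when its score is at least the decision threshold.

```python
"""Crossover error rate (CER) from biometric matcher scores.

Added example, not from the lecture slides. GENUINE/IMPOSTOR are constructed
similarity scores in [0, 1] (higher = closer to the enrolled template).
"""

GENUINE = [0.92, 0.88, 0.85, 0.81, 0.79, 0.76, 0.72, 0.68, 0.61, 0.55]   # same person
IMPOSTOR = [0.66, 0.60, 0.52, 0.48, 0.45, 0.41, 0.38, 0.30, 0.25, 0.20]  # different person


def far(threshold, impostor=IMPOSTOR):
    """False accept rate: share of impostor attempts scoring >= threshold."""
    return sum(s >= threshold for s in impostor) / len(impostor)


def frr(threshold, genuine=GENUINE):
    """False reject rate: share of genuine attempts scoring < threshold."""
    return sum(s < threshold for s in genuine) / len(genuine)


def crossover(genuine=GENUINE, impostor=IMPOSTOR):
    """Threshold where FAR and FRR are closest, and the CER there.

    Only observed scores are tried as thresholds: FAR and FRR are step
    functions of the threshold and can only change at those values.
    """
    candidates = sorted(set(genuine) | set(impostor))
    best = min(candidates, key=lambda t: abs(far(t, impostor) - frr(t, genuine)))
    return best, (far(best, impostor) + frr(best, genuine)) / 2


def threshold_for_max_far(max_far, genuine=GENUINE, impostor=IMPOSTOR):
    """Lowest threshold that keeps FAR <= max_far (tuning for security),
    together with the FRR that setting costs legitimate users."""
    for t in sorted(set(genuine) | set(impostor)):
        if far(t, impostor) <= max_far:
            return t, frr(t, genuine)
    return None


if __name__ == "__main__":
    t, cer = crossover()
    print(f"CER {cer:.2f} at threshold {t}")                  # CER 0.10 at threshold 0.61
    t2, cost = threshold_for_max_far(0.0)
    print(f"FAR 0 needs threshold {t2}; FRR rises to {cost:.2f}")   # 0.68; 0.20
```

The second function is the practical point: a system compared on CER is still deployed at a threshold someone chooses, and pushing FAR to zero on this data doubles the rejection rate for legitimate users. Vendors quote CER; operators live with the threshold they pick.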
ACCEPTABILITY OF BIOMETRICS
ACCESS CONTROL ARCHITECTURE MODELS
● Security access control architecture models, which are often referred to simply
as architecture models, illustrate access control implementations and can help
organizations quickly make improvements through adaptation.
TCSEC’s TRUSTED COMPUTING BASE
GRAHAM-DENNING ACCESS CONTROL MODEL
● The Graham-Denning access control model has three parts: a set of objects, a
set of subjects, and a set of rights. A subject is composed of a process and a
domain.
○ The domain is the set of constraints that control how subjects may
access objects.
○ The set of rights governs how subjects may manipulate the passive
objects.
HARRISON-RUZZO-ULLMAN (HRU) MODEL
● HRU is built on an access control matrix (subjects as rows, objects as
columns, each cell holding the rights that subject has over that object) and
includes a set of generic rights and a specific set of commands. Commands are
built from six primitive operations:
○ Create subject / create object
○ Enter right X into cell (subject, object)
○ Delete right X from cell (subject, object)
○ Destroy subject / destroy object
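The HRU matrix and its primitives in working code, as an added example that is not part of the lecture. The six primitive operations are the ones listed above; the commands layered on top (create-file, grant, revoke), the "own" right and the subject and file names are assumptions chosen to illustrate how an HRU command is a guard over the matrix followed by primitives.

```python
"""Toy Harrison-Ruzzo-Ullman protection system.

Added example, not from the lecture slides. The primitive operations follow
the HRU list; the commands, the 'own' right and the names in demo() are
illustrative assumptions.
"""
from collections import defaultdict


class AccessMatrix:
    """Sparse access matrix: rights[(subject, object)] -> set of right names."""

    def __init__(self):
        self.subjects = set()
        self.objects = set()            # in HRU every subject is also an object
        self.rights = defaultdict(set)

    # --- the six primitive operations ------------------------------------
    def create_subject(self, s):
        if s in self.objects:
            raise ValueError(f"{s!r} already exists")
        self.subjects.add(s)
        self.objects.add(s)

    def create_object(self, o):
        if o in self.objects:
            raise ValueError(f"{o!r} already exists")
        self.objects.add(o)

    def enter(self, r, s, o):
        self._check(s, o)
        self.rights[(s, o)].add(r)

    def delete(self, r, s, o):
        self._check(s, o)
        self.rights[(s, o)].discard(r)

    def destroy_subject(self, s):
        if s not in self.subjects:
            raise KeyError(f"unknown subject {s!r}")
        self.subjects.discard(s)
        self.objects.discard(s)
        self._purge(s)                  # drop the row and the column

    def destroy_object(self, o):
        if o not in self.objects or o in self.subjects:
            raise KeyError(f"{o!r} is not a plain object")
        self.objects.discard(o)
        self._purge(o)                  # drop the column

    # --- helpers ---------------------------------------------------------
    def _purge(self, x):
        for key in [k for k in self.rights if x in k]:
            del self.rights[key]

    def _check(self, s, o):
        if s not in self.subjects:
            raise KeyError(f"unknown subject {s!r}")
        if o not in self.objects:
            raise KeyError(f"unknown object {o!r}")

    def has(self, r, s, o):
        return r in self.rights.get((s, o), set())


# --- commands: a condition on the matrix, then a sequence of primitives --
def cmd_create_file(m, s, f):
    """CREATE(s, f): create object f; enter own into (s, f)."""
    m.create_object(f)
    m.enter("own", s, f)


def cmd_grant(m, granter, grantee, r, f):
    """GRANT: if own in (granter, f) then enter r into (grantee, f)."""
    if not m.has("own", granter, f):
        return False                    # guard fails: nothing changes
    m.enter(r, grantee, f)
    return True


def cmd_revoke(m, owner, s, r, f):
    """REVOKE: if own in (owner, f) then delete r from (s, f)."""
    if not m.has("own", owner, f):
        return False
    m.delete(r, s, f)
    return True


def demo():
    m = AccessMatrix()
    m.create_subject("alice")
    m.create_subject("bob")
    cmd_create_file(m, "alice", "payroll.xlsx")
    owner_grant = cmd_grant(m, "alice", "bob", "read", "payroll.xlsx")   # True
    bob_grant = cmd_grant(m, "bob", "alice", "write", "payroll.xlsx")    # False, bob does not own it
    bob_reads = m.has("read", "bob", "payroll.xlsx")                     # True
    cmd_revoke(m, "alice", "bob", "read", "payroll.xlsx")
    bob_reads_after = m.has("read", "bob", "payroll.xlsx")               # False
    m.destroy_subject("bob")
    row_gone = not any("bob" in k for k in m.rights)                     # True
    return owner_grant, bob_grant, bob_reads, bob_reads_after, row_gone


if __name__ == "__main__":
    print(demo())   # (True, False, True, False, True)
```

Every authorization question in this model reduces to one cell lookup (has()); the commands are where policy lives, and HRU's well-known result is that deciding whether some right can ever leak into a cell is undecidable for arbitrary command sets, which is why real systems restrict the commands they allow.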
BREWER-NASH MODEL (CHINESE WALL)
MEDIA ACCESS CONTROL LAYER FIREWALLS
● Media Access Control layer firewalls make filtering decisions based on the
specific host computer’s identity, as represented by its media access control
(MAC) or network interface card (NIC) address. That address operates at the data
link layer of the OSI model (the subnet layer of the TCP/IP model), so a MAC-layer
filter only sees hosts on its own segment: the source MAC is rewritten at every
router hop, and on the local segment it is trivially spoofed. MAC filtering
identifies a NIC, not a user, and should not be the only control.
HYBRID FIREWALLS
SELECTING THE RIGHT FIREWALL
● When selecting a firewall, size does matter: CPU capability, memory, and
drive space are system factors that must be scaled to the amount of traffic the
firewall device will process.
● The most common categories of firewalls are commercial-grade and small
office/home office (SOHO).
● Most commercial-grade firewalls are dedicated appliances.
FIREWALL ARCHITECTURES
SINGLE BASTION HOSTS
● Any system, router, or firewall that is exposed to the untrusted network can
be referred to as a bastion host.
● The bastion host is sometimes referred to as a sacrificial host because it
stands alone on the network perimeter.
SCREENED SUBNET ARCHITECTURE (WITH DMZ)
● The dominant architecture today is the screened subnet used with a DMZ.
● The DMZ can be a dedicated port on the firewall device linking a single
bastion host, or it can be connected to a screened subnet.
● The value of the arrangement is that a compromised DMZ host still faces a
firewall before it reaches the internal network, so the rules between the DMZ
and the internal network should deny connections initiated from the DMZ inward.