05 Access Control
Basic Concept
In the fields of physical security and information security, access control is the selective restriction of access to a place or other resources.
The act of accessing may mean consuming, entering, or using.
Diagram: an Object and the Read/Write/Exec access operations performed on it.
Physical Security: Access Control
Identification, Authentication and Authorization
Diagram: a Subject reaches an Object (Information) through authorization; each access is recorded in an Audit Log.
Identification, Authentication and Authorization
Identification
- Method of establishing the subject's (user, program, process) identity.
- Use of a user name or other public information.
- Know the identification component requirements.
Authentication
- Method of proving the identity.
- Something a person is, has, or does.
- Use of biometrics, passwords, passphrases, tokens, or other private information.
- Strong authentication is important.
Authorization
- Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.
Access Control Models
Discretionary Access Control
Each object has an owner.
In DAC, the data owner determines who can access specific resources.
For example, a system administrator may create a hierarchy of files to be accessed based on certain permissions.
Windows: DAC
Mandatory Access Control
Implemented by sensitivity labels, which are assigned to each subject and object. A subject's label specifies its level of trust, and an object's label specifies the level of trust that is required to access it.
An approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees.
For example, security clearance of users and classification of data (as confidential, secret or top secret) are used as security labels to define the level of trust.
MAC: example
Role Based Access Control
Role-based Access Control: Example
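As an added illustration (not from the slides), the same access request judged under the three models just described: DAC, where the owner hands out rights; MAC, where clearance labels are compared against the object's classification; and RBAC, where rights are attached to roles. The levels, roles, users and object are constructed.

```python
from dataclasses import dataclass, field

# MAC: ordered sensitivity labels (constructed); a subject's clearance must be
# at least the object's classification for access to be granted.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

@dataclass
class Obj:
    name: str
    owner: str
    classification: str
    dac_perms: dict = field(default_factory=dict)  # user -> rights set by the owner

def dac_grant(obj: Obj, granter: str, user: str, rights: set) -> bool:
    """DAC: only the object's owner decides who gets which rights."""
    if granter != obj.owner:
        return False
    obj.dac_perms.setdefault(user, set()).update(rights)
    return True

def dac_allowed(obj: Obj, user: str, right: str) -> bool:
    return user == obj.owner or right in obj.dac_perms.get(user, set())

def mac_allowed(clearance: str, obj: Obj) -> bool:
    """MAC: decided by labels alone; the owner cannot override it."""
    return LEVELS[clearance] >= LEVELS[obj.classification]

# RBAC: rights hang off roles (constructed); users only ever hold roles.
ROLE_RIGHTS = {"analyst": {"read"}, "editor": {"read", "write"}}

def rbac_allowed(roles: set, right: str) -> bool:
    return any(right in ROLE_RIGHTS.get(r, set()) for r in roles)

def decide(obj: Obj, user: str, right: str, clearance: str, roles: set) -> dict:
    """Judge one request under each model so the differences are visible."""
    return {
        "dac": dac_allowed(obj, user, right),
        "mac": mac_allowed(clearance, obj),
        "rbac": rbac_allowed(roles, right),
    }

if __name__ == "__main__":
    report = Obj("report.doc", owner="alice", classification="secret")
    dac_grant(report, "alice", "bob", {"read"})   # owner grants: accepted
    dac_grant(report, "bob", "carol", {"read"})   # non-owner grants: refused
    # bob may read under DAC and RBAC, but his clearance is too low for MAC
    print(decide(report, "bob", "read", "confidential", {"analyst"}))
```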
Firewall
Isolates the organization's internal net from the larger Internet, allowing some packets to pass and blocking others.
Firewalls: taxonomy
1. Packet filters (filters are often combined with a router, creating a firewall)
2. Stateful filters
3. Application gateways
Major firewall vendors: Cisco PIX
Packet filters
Analyzes each datagram going through it; makes a drop/allow decision based on:
- source IP address
- destination IP address
- source port
- destination port
- TCP flag bits (SYN bit set: datagram for connection initiation; ACK bit set: part of an established connection)
- protocol: TCP or UDP or ICMP (firewalls are often configured to block all UDP)
- direction: is the datagram leaving or entering the internal network?
- router interface: decisions can be different for different interfaces
Filtering Rules - Examples
Policy: Prevent IPTV from eating up the available bandwidth.
  Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.
Policy: Prevent your network from being used for a Smurf DoS attack.
  Firewall setting: Drop all ICMP packets going to a "broadcast" address (e.g. 222.22.255.255).
Policy: Prevent your network from being tracerouted.
  Firewall setting: Drop all outgoing ICMP
Access control lists
Apply rules from top to bottom:
action  source address  dest address          protocol  source port  dest port  flag bit
allow   222.22/16       outside of 222.22/16  TCP       > 1023       80         any
allow   222.22/16       outside of 222.22/16  UDP       > 1023       53         ---
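An added example, not part of the slides: a stateless packet filter that applies the ACL rows above top to bottom, first match wins, with an implicit deny-all at the end. The two allow rows for 222.22/16 are the slides'; the leading ICMP-to-broadcast deny is the Smurf rule from the filtering examples, and the two reply rows (the TCP one keyed on the ACK bit) are assumed additions. All packets are constructed.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("222.22.0.0/16")   # the slides' 222.22/16

def match_addr(addr: str, spec: str) -> bool:
    """spec is 'inside' (222.22/16), 'outside', 'any', or a literal network."""
    ip = ipaddress.ip_address(addr)
    if spec == "inside":
        return ip in INTERNAL
    if spec == "outside":
        return ip not in INTERNAL
    return spec == "any" or ip in ipaddress.ip_network(spec)

def match_port(port: int, spec) -> bool:
    """spec is 'any', an exact port, or '>N' as written in the ACL."""
    if spec == "any":
        return True
    if isinstance(spec, str) and spec.startswith(">"):
        return port > int(spec[1:])
    return port == spec

# (action, src, dst, proto, sport, dport, flag), applied top to bottom.
# Row 1: Smurf rule; rows 2 and 4: the slide's; rows 3 and 5: assumed reply rows.
RULES = [
    ("deny",  "any",     "222.22.255.255/32", "ICMP", "any",   "any",   "any"),
    ("allow", "inside",  "outside",           "TCP",  ">1023", 80,      "any"),
    ("allow", "outside", "inside",            "TCP",  80,      ">1023", "ACK"),
    ("allow", "inside",  "outside",           "UDP",  ">1023", 53,      "---"),
    ("allow", "outside", "inside",            "UDP",  53,      ">1023", "---"),
]

def filter_packet(pkt: dict) -> str:
    """First matching row decides; no match means the implicit deny-all."""
    for action, src, dst, proto, sport, dport, flag in RULES:
        if not (match_addr(pkt["src"], src) and match_addr(pkt["dst"], dst)):
            continue
        if pkt["proto"] != proto:
            continue
        if not (match_port(pkt.get("sport", 0), sport) and match_port(pkt.get("dport", 0), dport)):
            continue
        if flag == "ACK" and "ACK" not in pkt.get("flags", set()):
            continue   # stateless: only the ACK bit can claim "established"
        return action
    return "deny"

if __name__ == "__main__":
    # constructed packets: an inside client's DNS query, and an unsolicited inbound SYN
    print(filter_packet({"src": "222.22.1.5", "dst": "203.0.113.10", "proto": "UDP", "sport": 40000, "dport": 53}))
    print(filter_packet({"src": "203.0.113.10", "dst": "222.22.1.5", "proto": "TCP", "sport": 80, "dport": 45000, "flags": {"SYN"}}))
```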
Port Filtering
Out of the 65,535 ports:
- Ports 0-1023: well-known ports for services/applications
- 1024-49,151: user ports
- 49,152-65,535: dynamic/private ports
Well-known Ports
20 FTP Active Mode Control Port
21 FTP Active Mode Data Port
22 Secure Shell (SSH)
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
80 Hypertext Transfer Protocol (HTTP)
110 Post Office Protocol 3 (POP3)
119 Network News Transfer Protocol (NNTP)
143 Internet Message Access Protocol (IMAP)
443 Secure Sockets Layer (SSL) (HTTPS)
Examples: Ports used by Trojan
Drawbacks of Packet Filtering Firewall
A port is either open or closed. When a port is open, there is always a hole in the firewall waiting for someone to attack.
With this configuration, there is no way of simply opening a port in the firewall when a specific application needs it and then closing it when the transaction is complete.
It does not understand the contents of any packet beyond the header. With a valid header, a packet can contain any payload.
Application firewalls/Proxy
When using an application layer gateway, the client/server architecture is broken, as the packets no longer flow between the client and the server. Instead, they are deconstructed and reconstructed at the firewall.
The client makes a connection to the firewall, at which point the packet is analyzed; then the firewall creates a connection to the server for the client. By doing this, the firewall is acting as a proxy between the client and the server.
Benefits of Application Firewall
Drawbacks of Application Firewall
Application layer gateways are much slower than packet filters.
Finally, the application layer gateway must then rebuild the packet from the top down and send it back out. This slows the firewall down even further.
Stateful Inspection Firewall
Stateful inspection is a compromise between these two existing technologies.
It overcomes the drawbacks of both simple packet filtering and application layer gateways, while enhancing the security provided by the firewall.
Stateful inspection technology doesn't actually break the client/server architecture by disassembling and rebuilding the packet.
With stateful inspection, the firewall simply examines the packet, then allows the back-connection to go through the firewall on the port previously specified by the requesting packet.
The primary feature of stateful inspection is the monitoring of application and communication states.
This allows the firewall to open or close ports when needed.
Ports are closed when the requested transactions are completed, which provides another layer of security.
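Added example, not the slides' own: a minimal stateful inspection engine. An outbound request from the internal net opens a state entry naming the exact reply that may come back and on which port; unsolicited inbound packets (including a bare ACK that a stateless filter would wave through) are denied, and the entry is torn down when the exchange ends. The 222.22/16 network is the slides'; the packets and the simplification that a single FIN or RST closes the entry are assumptions.

```python
import ipaddress

INTERNAL = ipaddress.ip_network("222.22.0.0/16")   # the slides' internal net

class StatefulFirewall:
    """Tracks conversations opened from inside; admits only their replies."""

    def __init__(self):
        self.table = set()   # (proto, inside addr, inside port, outside addr, outside port)

    @staticmethod
    def _key(pkt: dict, outbound: bool) -> tuple:
        # normalise both directions of a conversation to the same 5-tuple
        if outbound:
            return (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        return (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])

    def inspect(self, pkt: dict) -> str:
        flags = pkt.get("flags", set())
        outbound = ipaddress.ip_address(pkt["src"]) in INTERNAL
        key = self._key(pkt, outbound)
        # an internal host opening a conversation (TCP SYN, or any UDP datagram)
        # records which reply will be let back in, and on which port
        if outbound and (pkt["proto"] == "UDP" or "SYN" in flags):
            self.table.add(key)
        if key not in self.table:
            return "deny"   # unsolicited inbound traffic, bare ACKs included
        if flags & {"FIN", "RST"}:
            self.table.discard(key)   # transaction over: the port closes again
        return "allow"

    def open_conversations(self) -> int:
        return len(self.table)

if __name__ == "__main__":
    fw = StatefulFirewall()
    # constructed packets: an inside client opens a web connection, the reply follows
    print(fw.inspect({"src": "222.22.1.5", "dst": "203.0.113.10", "proto": "TCP",
                      "sport": 45000, "dport": 80, "flags": {"SYN"}}))
    print(fw.inspect({"src": "203.0.113.10", "dst": "222.22.1.5", "proto": "TCP",
                      "sport": 80, "dport": 45000, "flags": {"SYN", "ACK"}}))
    # a stray inbound ACK to a port nobody asked for is refused
    print(fw.inspect({"src": "203.0.113.10", "dst": "222.22.1.5", "proto": "TCP",
                      "sport": 80, "dport": 45001, "flags": {"ACK"}}))
```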
Benefits of Stateful Inspection Firewall
It is much faster than an application layer gateway due to the way packets are handled.
It is also more secure than a packet-filtering firewall, due to application layer awareness and the introduction of application- and communication-derived state awareness.
Access Control in Hanu Dormitory Internet
Routers
Router Access Control List (ACL)
Switch Port Security
Control the MAC address(es) and/or the number of MAC addresses of the connected device.
3 different ways that MAC addresses can be configured onto a port:
- Statically
- Dynamically
- Sticky
Static port security
Dynamic port security
Sticky port security
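Added example (not from the slides): a simulation of one switch port under the three port-security modes listed above. It assumes the usual semantics that static entries are configured by hand, dynamic entries are learned and forgotten when the switch reloads, and sticky entries are learned and kept; a frame from an unknown address beyond the configured maximum counts as a violation. MAC addresses are constructed.

```python
class SecurePort:
    """One switch port with port security enabled."""

    def __init__(self, mode: str, maximum: int = 1):
        if mode not in ("static", "dynamic", "sticky"):
            raise ValueError("mode must be static, dynamic or sticky")
        self.mode, self.maximum = mode, maximum
        self.allowed = set()    # MAC addresses currently bound to the port
        self.violations = 0

    def configure(self, mac: str) -> None:
        """Static mode: the administrator binds a MAC address by hand."""
        if self.mode != "static":
            raise ValueError("only static ports take hand-configured addresses")
        self.allowed.add(mac.lower())

    def frame_from(self, mac: str) -> str:
        """Decide what happens to a frame arriving with this source MAC."""
        mac = mac.lower()
        if mac in self.allowed:
            return "forward"
        if self.mode != "static" and len(self.allowed) < self.maximum:
            self.allowed.add(mac)   # dynamic/sticky: learn it, up to the limit
            return "forward"
        self.violations += 1        # unknown address beyond the limit
        return "violation"

    def reload(self) -> None:
        """Switch reboot: dynamically learned addresses are forgotten,
        static and sticky ones survive."""
        if self.mode == "dynamic":
            self.allowed.clear()

if __name__ == "__main__":
    # constructed MACs: the first device is learned, the second trips the limit
    port = SecurePort("sticky", maximum=1)
    print(port.frame_from("00:11:22:33:44:55"), port.frame_from("66:77:88:99:AA:BB"))
    port.reload()
    print(port.allowed, port.violations)
```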