
Access Control

MSc Vuong Thi Nhung


Faculty of Information Technology
Hanoi University
Sept 13, 2015
Email: nhungfit@hanu.edu.vn

Basic Concept
- In the fields of physical security and information security, access control is the selective restriction of access to a place or other resources.
- The act of accessing may mean consuming, entering, or using.

[Figure: a subject performing Read/Write/Exec operations on an Object]
Physical Security: Access Control

Identification, Authentication and Authorization

[Figure: Subject -> Authentication -> Access Control (authorization) -> Object; an Audit component writes a Log of the access]
Identification, Authentication and Authorization
- Identification
  - Method of establishing the subject's (user, program, process) identity.
  - Use of user name or other public information.
  - Know identification component requirements.
- Authentication
  - Method of proving the identity.
  - Something a person is, has, or does.
  - Use of biometrics, passwords, passphrase, token, or other private information.
  - Strong authentication is important.
- Authorization
  - Determines that the proven identity has some set of characteristics associated with it that gives it the right to access the requested resources.
Access Control Models

Discretionary Access Control
- Each object has an owner.
- In DAC, the data owner determines who can access specific resources.
- For example, a system administrator may create a hierarchy of files to be accessed based on certain permissions.
Windows: DAC

Mandatory Access Control
- Implemented by sensitivity labels, which are assigned to each subject and object. A subject's label specifies its level of trust, and an object's label specifies the level of trust that is required to access it.
- An approach to restricting system access to authorized users. It is used by the majority of enterprises with more than 500 employees.
- For example, security clearance of users and classification of data (as confidential, secret or top secret) are used as security labels to define the level of trust.
MAC: example

Role Based Access Control
- Role-Based Access Control (RBAC) allows access based on the job title.
- For example, a human resources specialist should not have permissions to create network accounts; this should be a role reserved for network administrators.
Role-based Access Control: Example

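To make the three models comparable on concrete requests, here is an added example (not code from the lecture slides): a small reference monitor implementing DAC, MAC and RBAC decisions side by side. All subjects, objects, labels, roles and permission names are constructed sample data; the MAC rule implemented is the simple "no read up" check, and the write rule (same level only) is a simplifying assumption.

```python
"""Added example, not from the lecture slides: a small reference monitor that
implements the three models described above (DAC, MAC and RBAC) so their
different decision rules can be compared on concrete requests. Every subject,
object, label and role below is constructed sample data."""

from dataclasses import dataclass, field

# MAC: sensitivity labels ordered from lowest to highest level of trust.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


def level(label: str) -> int:
    return LEVELS.index(label)


@dataclass
class Subject:
    name: str
    clearance: str                              # MAC label: security clearance
    roles: set = field(default_factory=set)     # RBAC: job titles


@dataclass
class Object:
    name: str
    owner: str                                  # DAC: the owner decides who gets access
    classification: str                         # MAC label: data classification
    acl: dict = field(default_factory=dict)     # DAC: user -> set of rights granted by the owner


def dac_grant(granter: Subject, obj: Object, user: str, right: str) -> bool:
    """DAC: only the object's owner may change its permissions (discretionary)."""
    if granter.name != obj.owner:
        return False
    obj.acl.setdefault(user, set()).add(right)
    return True


def dac_allows(subject: Subject, obj: Object, right: str) -> bool:
    """DAC: the owner has every right; anyone else needs an entry the owner granted."""
    return subject.name == obj.owner or right in obj.acl.get(subject.name, set())


def mac_allows(subject: Subject, obj: Object, right: str) -> bool:
    """MAC: labels are compared, not identities. A subject may read an object only
    if its clearance is at or above the object's classification ("no read up").
    Writing is limited to the subject's own level (a simplifying assumption)."""
    s, o = level(subject.clearance), level(obj.classification)
    return o <= s if right == "read" else o == s


# RBAC: rights attach to roles (job titles), never to individual users.
ROLE_PERMISSIONS = {
    "network_admin": {"create_network_account", "read_network_config"},
    "hr_specialist": {"read_employee_record", "update_employee_record"},
}


def rbac_allows(subject: Subject, permission: str) -> bool:
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in subject.roles)


def demo() -> dict:
    """Run one request through each model; returns the decisions for inspection."""
    alice = Subject("alice", clearance="secret", roles={"hr_specialist"})
    bob = Subject("bob", clearance="confidential", roles={"network_admin"})
    report = Object("salary_report", owner="alice", classification="confidential")
    plan = Object("network_plan", owner="bob", classification="top secret")

    before = dac_allows(bob, report, "read")              # alice has not granted it yet
    dac_grant(alice, report, "bob", "read")               # alice, as owner, grants bob read
    after = dac_allows(bob, report, "read")
    bob_grants = dac_grant(bob, report, "bob", "write")   # bob is not the owner

    return {
        "dac_before_grant": before,                                               # False
        "dac_after_grant": after,                                                 # True
        "dac_non_owner_grant": bob_grants,                                        # False
        "mac_bob_reads_confidential": mac_allows(bob, report, "read"),            # True
        "mac_bob_reads_top_secret": mac_allows(bob, plan, "read"),                # False: no read up
        "rbac_hr_creates_account": rbac_allows(alice, "create_network_account"),  # False
        "rbac_admin_creates_account": rbac_allows(bob, "create_network_account"), # True
    }


if __name__ == "__main__":
    for decision, result in demo().items():
        print(f"{decision}: {result}")
```

Note the contrast the slides draw: under DAC the decision moves with the owner's grant, under MAC bob is refused the top-secret plan even though he owns it, and under RBAC the HR specialist is refused account creation because that right is bound to the network administrator role.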
Firewall
- Isolates an organization's internal net from the larger Internet, allowing some packets to pass, blocking others.

[Figure: privately administered network 222.22.0.0/16 connected to the Internet through the firewall]
Firewall goals
- All traffic from outside to inside and vice-versa passes through the firewall.
- Only authorized traffic, as defined by local security policy, will be allowed to pass.
Firewalls: taxonomy
1. Packet filters
   - filters often combined with router, creating a firewall
2. Stateful filters
3. Application gateways

Major firewall vendors: Cisco PIX
Packet filters
Analyzes each datagram going through it; makes drop/allow decision based on:
- source IP address
- destination IP address
- source port
- destination port
- TCP flag bits
  - SYN bit set: datagram for connection initiation
  - ACK bit set: part of established connection
- TCP or UDP or ICMP
  - Firewalls often configured to block all UDP
- direction
  - Is the datagram leaving or entering the internal network?
- router interface
  - decisions can be different for different interfaces
Packet filters
- Implicit "Allow all" by default: allows all traffic to pass through the firewall except traffic that is specifically denied.
- Implicit "Deny all" by default: blocks all traffic from passing through the firewall except for traffic that is explicitly allowed.
Filtering Rules - Examples
Policy: No outside Web access.
  Firewall setting: Drop all outgoing packets to any IP address, port 80.
Policy: Prevent IPTV from eating up the available bandwidth.
  Firewall setting: Drop all incoming UDP packets, except DNS and router broadcasts.
Policy: Prevent your network from being used for a Smurf DoS attack.
  Firewall setting: Drop all ICMP packets going to a "broadcast" address (e.g. 222.22.255.255).
Policy: Prevent your network from being tracerouted.
  Firewall setting: Drop all outgoing ICMP.
Access control lists
Apply rules from top to bottom:

action  source address        dest address          protocol  source port  dest port  flag bit
allow   222.22/16             outside of 222.22/16  TCP       > 1023       80         any
allow   outside of 222.22/16  222.22/16             TCP       80           > 1023     any
allow   222.22/16             outside of 222.22/16  UDP       > 1023       53         ---
allow   outside of 222.22/16  222.22/16             UDP       53           > 1023     ---
deny    all                   all                   all       all          all        all
- Is Web traffic allowed?
- Is IPTV allowed?
- Is Telnet allowed?
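To answer the three questions mechanically, here is an added example (not code from the slides) that transcribes the access control list above into a rule table and evaluates it top to bottom against constructed sample datagrams. The addresses 203.0.113.5 and 198.51.100.7, the port numbers and the flag values are all constructed; only 222.22.0.0/16 comes from the slide.

```python
"""Added example, not from the slides: the slide's access control list,
evaluated top to bottom (first match wins) against constructed sample
datagrams, to answer "Is Web / IPTV / Telnet allowed?"."""

import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("222.22.0.0/16")   # the slide's internal network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "TCP", "UDP" or "ICMP"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()    # TCP flags set, e.g. {"SYN"} or {"ACK"}


def inside(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def outside(ip: str) -> bool:
    return not inside(ip)


def port_gt_1023(p: int) -> bool:
    return p > 1023


def port_is(n: int):
    return lambda p: p == n


def any_value(_) -> bool:
    return True


# (action, src matcher, dst matcher, protocol, sport matcher, dport matcher, flag matcher)
# Rows transcribed from the slide's table in the same order; "any"/"---" become any_value.
RULES = [
    ("allow", inside,  outside, "TCP", port_gt_1023, port_is(80),  any_value),
    ("allow", outside, inside,  "TCP", port_is(80),  port_gt_1023, any_value),
    ("allow", inside,  outside, "UDP", port_gt_1023, port_is(53),  any_value),
    ("allow", outside, inside,  "UDP", port_is(53),  port_gt_1023, any_value),
    ("deny",  any_value, any_value, "all", any_value, any_value, any_value),
]


def decide(pkt: Packet) -> str:
    """Return the action of the first rule the packet matches."""
    for action, src_ok, dst_ok, proto, sport_ok, dport_ok, flag_ok in RULES:
        if (src_ok(pkt.src) and dst_ok(pkt.dst)
                and (proto == "all" or proto == pkt.proto)
                and sport_ok(pkt.sport) and dport_ok(pkt.dport)
                and flag_ok(pkt.flags)):
            return action
    return "deny"   # implicit deny, in case the explicit last row is ever removed


def answer_questions() -> dict:
    """The three questions from the slide, as constructed packets."""
    web_out = Packet("222.22.1.10", "203.0.113.5", "TCP", 40000, 80, frozenset({"SYN"}))
    web_back = Packet("203.0.113.5", "222.22.1.10", "TCP", 80, 40000, frozenset({"ACK"}))
    iptv = Packet("198.51.100.7", "222.22.1.10", "UDP", 5004, 5004)       # incoming UDP stream
    telnet = Packet("222.22.1.10", "203.0.113.5", "TCP", 40001, 23, frozenset({"SYN"}))
    return {
        "web": decide(web_out) == "allow" and decide(web_back) == "allow",   # True
        "iptv": decide(iptv) == "allow",                                      # False
        "telnet": decide(telnet) == "allow",                                  # False
    }


if __name__ == "__main__":
    for question, allowed in answer_questions().items():
        print(f"{question} allowed: {allowed}")
```

Web traffic matches rows 1 and 2, the IPTV stream arrives on UDP from a source port other than 53 and falls through to the deny row, and Telnet (TCP port 23) matches no allow row. Since the inbound TCP row on the slide accepts any flag bits, the filter as written would also pass an outside host that opens a new connection from source port 80 to a high port inside; requiring the ACK bit on that row, as the earlier packet-filter slide's "ACK bit set: part of established connection" suggests, closes that gap.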
Port Filtering
- The first thing to know is how the 65,535 ports are divided:
  - Ports 0-1023: well-known ports for services/applications
  - 1024-49,151: user ports
  - 49,152-65,535: dynamic/private ports
- Unfortunately, for nearly every possible port number, there is a virus or Trojan horse application that could be running there.
Well-known Ports
20 FTP Active Mode Control Port
21 FTP Active Mode Data Port
22 Secure Shell (SSH)
23 Telnet
25 Simple Mail Transfer Protocol (SMTP)
80 Hypertext Transfer Protocol (HTTP)
110 Post Office Protocol 3 (POP3)
119 Network News Transfer Protocol (NNTP)
143 Internet Message Access Protocol (IMAP)
443 Secure Sockets Layer (SSL) (HTTPS)

Examples: Ports used by Trojans

For a more comprehensive list of Trojans listed by port, visit: www.blackcode.com/trojans/ports.php.
Drawbacks of Packet Filtering Firewall
- A port is either open or closed. When a port is open, there is always a hole in the firewall waiting for someone to attack.
- With this configuration, there is no way of simply opening a port in the firewall when a specific application needs it and then closing it when the transaction is complete.
- It does not understand the contents of any packet beyond the header. With a valid header, it can contain any payload.
Application firewalls/Proxy
- It examines the entire packet and determines what should be done with the packet based on specific defined rules.
- Used by proxy servers.
- When using an application layer gateway, the client/server architecture is broken as the packets no longer flow between the client and the server. Instead, they are deconstructed and reconstructed at the firewall.
- The client makes a connection to the firewall, at which point the packet is analyzed; then the firewall creates a connection to the server for the client. By doing this, the firewall is acting as a proxy between the client and the server.
Benefits of Application Firewall
- One of the major benefits: it can determine more information from a packet than a simple packet filter.
- For example, the application layer gateway can tell if packets containing controls for a Trojan horse application are being sent to the HTTP port (80) and thus can block them.
Drawbacks of Application Firewall
- Application layer gateways are much slower than packet filters.
- Finally, the application layer gateway must then rebuild the packet from the top down and send it back out. This slows the firewall down even further.
Stateful Inspection Firewall
- Stateful inspection is a compromise between these two existing technologies.
- It overcomes the drawbacks of both simple packet filtering and application layer gateways, while enhancing the security provided by the firewall.
- Stateful inspection technology doesn't actually break the client/server architecture by disassembling and rebuilding the packet.
- With stateful inspection, the firewall simply examines the packet, then allows the back-connection to go through the firewall on the port previously specified by the requesting packet.
- The primary feature of stateful inspection is the monitoring of application and communication states.
- This allows the firewall to open or close ports when needed.
- Ports are closed when the requested transactions are completed, which provides another layer of security.
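The behaviour described above (open the return path when an internal host initiates, close it again when the transaction completes) is easier to see in code. This is an added example, not code from the slides: a minimal connection-state table for a firewall in front of the slide's 222.22.0.0/16 network. The idle timeout of 300 seconds, the external addresses and every packet in the scenario are constructed; for brevity an entry is dropped at the first FIN or RST, whereas a production implementation tracks the full TCP close.

```python
"""Added example, not from the slides: a minimal stateful inspection table.
An outbound TCP SYN (or UDP datagram) from the internal network creates a
state entry; inbound packets are allowed only when they match an entry, and
the entry is removed when the transaction completes or idles out. All
addresses, ports and timestamps are constructed sample data."""

import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("222.22.0.0/16")   # the slide's internal network
IDLE_TIMEOUT = 300.0                               # seconds; assumed value for the example


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "TCP" or "UDP"
    sport: int
    dport: int
    flags: frozenset = frozenset()    # TCP flags set, e.g. {"SYN", "ACK"}
    time: float = 0.0                 # seconds; drives the idle timeout


class StatefulFirewall:
    def __init__(self):
        # (internal ip, internal port, external ip, external port, proto) -> last seen time
        self.table = {}

    @staticmethod
    def _key(pkt: Packet, inbound: bool):
        if inbound:
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)

    def _expire(self, now: float) -> None:
        stale = [k for k, t in self.table.items() if now - t > IDLE_TIMEOUT]
        for k in stale:
            del self.table[k]

    def filter(self, pkt: Packet) -> str:
        self._expire(pkt.time)
        src_in = ipaddress.ip_address(pkt.src) in INTERNAL
        dst_in = ipaddress.ip_address(pkt.dst) in INTERNAL
        if src_in and not dst_in:                       # outbound
            key = self._key(pkt, inbound=False)
            if pkt.proto == "TCP" and "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table[key] = pkt.time              # connection initiation: open return path
                return "allow"
            if key in self.table:
                self.table[key] = pkt.time
                if pkt.flags & {"FIN", "RST"}:
                    del self.table[key]                 # transaction complete: close it again
                return "allow"
            if pkt.proto == "UDP":
                self.table[key] = pkt.time              # e.g. a DNS query: expect one reply
                return "allow"
            return "deny"                               # stray TCP segment with no connection
        if dst_in and not src_in:                       # inbound
            key = self._key(pkt, inbound=True)
            if key not in self.table:
                return "deny"                           # unsolicited: no matching request
            self.table[key] = pkt.time
            if pkt.proto == "UDP" or pkt.flags & {"FIN", "RST"}:
                del self.table[key]                     # reply received / connection closed
            return "allow"
        return "deny"


def run_scenario() -> dict:
    """Constructed traffic exercising open, reply, close and timeout."""
    fw = StatefulFirewall()
    out_syn = Packet("222.22.1.10", "203.0.113.5", "TCP", 40000, 80, frozenset({"SYN"}), 0.0)
    back_synack = Packet("203.0.113.5", "222.22.1.10", "TCP", 80, 40000, frozenset({"SYN", "ACK"}), 0.1)
    unsolicited = Packet("203.0.113.5", "222.22.1.10", "TCP", 80, 40001, frozenset({"SYN"}), 0.2)
    out_fin = Packet("222.22.1.10", "203.0.113.5", "TCP", 40000, 80, frozenset({"FIN", "ACK"}), 1.0)
    late = Packet("203.0.113.5", "222.22.1.10", "TCP", 80, 40000, frozenset({"ACK"}), 1.1)
    dns_q = Packet("222.22.1.10", "198.51.100.2", "UDP", 50000, 53, frozenset(), 2.0)
    dns_r = Packet("198.51.100.2", "222.22.1.10", "UDP", 53, 50000, frozenset(), 2.1)
    dns_r2 = Packet("198.51.100.2", "222.22.1.10", "UDP", 53, 50000, frozenset(), 2.2)
    out_syn2 = Packet("222.22.1.10", "203.0.113.5", "TCP", 40002, 80, frozenset({"SYN"}), 10.0)
    idle_reply = Packet("203.0.113.5", "222.22.1.10", "TCP", 80, 40002, frozenset({"ACK"}), 400.0)
    return {
        "handshake": (fw.filter(out_syn), fw.filter(back_synack)),       # ("allow", "allow")
        "unsolicited": fw.filter(unsolicited),                           # "deny"
        "after_close": (fw.filter(out_fin), fw.filter(late)),            # ("allow", "deny")
        "dns": (fw.filter(dns_q), fw.filter(dns_r), fw.filter(dns_r2)),  # ("allow", "allow", "deny")
        "timeout": (fw.filter(out_syn2), fw.filter(idle_reply)),         # ("allow", "deny")
    }


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

Compared with the static ACL, no inbound port is ever open by itself: the reply on port 40000 is accepted only because the SYN to port 80 was seen first, the second DNS reply is dropped because the first one already closed the entry, and an entry that has been idle longer than the timeout is gone before the late packet arrives.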
Benefits of Stateful Inspection Firewall
- It is much faster than an application layer gateway due to the way packets are handled.
- It is also more secure than a packet-filtering firewall, due to application layer awareness and the introduction of application- and communication-derived state awareness.
Access Control in Hanu Dormitory Internet
- Block UDP (for TV streams)
- Set the maximum number of connections for each user based on the number of online users
- Block outgoing spam
- Block botnet traffic (port 8800)
- Use Squid (Web cache)
Routers
- They are often used to segment networks into smaller subnets or to link multiple networks together.
- The router decides how and when to forward packets between the networks based on an internal routing table.
Router Access Control List (ACL)
- In addition to the routing table, a typical router also supports access control lists (ACLs) that specify which packets to allow or explicitly block:
    access-list <list_number> <permit/deny> <source_address> <mask>
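The <mask> in that command is a wildcard mask, which is the part newcomers get wrong: a 0 bit means the corresponding address bit must match, a 1 bit means "don't care" (the inverse of a subnet mask), and every list ends with an implicit deny. The following added example (not code from the slides or from any router vendor) parses lines in the slide's syntax, including the `host` and `any` shorthands that Cisco IOS accepts, and evaluates a source address against them top to bottom. The sample list and the addresses in it are constructed.

```python
"""Added example, not from the slides: evaluating a standard router ACL in
the form  access-list <list_number> <permit/deny> <source_address> <mask>
where <mask> is a wildcard mask (0 = must match, 1 = don't care). Rules are
checked in order and an implicit deny follows the last entry. The list and
addresses below are constructed sample data."""

import ipaddress


def ip_int(addr: str) -> int:
    return int(ipaddress.ip_address(addr))


def wildcard_match(source: str, rule_addr: str, wildcard: str) -> bool:
    """Bits where the wildcard is 0 must be equal; bits where it is 1 are ignored."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF          # invert: 1 = compare this bit
    return (ip_int(source) & care) == (ip_int(rule_addr) & care)


def parse_acl(config: str) -> list:
    """Parse 'access-list N permit|deny ADDR WILDCARD' lines into
    (list_number, action, addr, wildcard) tuples. 'host A' means A with
    wildcard 0.0.0.0; 'any' means 0.0.0.0 with wildcard 255.255.255.255."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "access-list":
            continue                                # ignore blank/other config lines
        number, action = int(parts[1]), parts[2]
        if parts[3] == "any":
            addr, wc = "0.0.0.0", "255.255.255.255"
        elif parts[3] == "host":
            addr, wc = parts[4], "0.0.0.0"
        else:
            addr = parts[3]
            wc = parts[4] if len(parts) > 4 else "0.0.0.0"   # IOS default wildcard
        entries.append((number, action, addr, wc))
    return entries


def evaluate(entries: list, list_number: int, source: str) -> str:
    """First matching entry of the named list decides; otherwise implicit deny."""
    for number, action, addr, wc in entries:
        if number == list_number and wildcard_match(source, addr, wc):
            return action
    return "deny"


# Constructed sample list: block one host, permit the rest of 222.22.0.0/16,
# and let the implicit deny catch everything else.
SAMPLE_ACL = """
access-list 10 deny host 222.22.5.99
access-list 10 permit 222.22.0.0 0.0.255.255
"""


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for src in ("222.22.7.1", "222.22.5.99", "10.0.0.1"):
        print(src, "->", evaluate(acl, 10, src))
```

Order matters exactly as on the ACL slide: if the permit line came first, 222.22.5.99 would match it before its deny line was reached, and the deny would never fire.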
Switch Port Security
- Control the MAC address(es) and/or number of MAC addresses of the connected device.
- 3 different ways that MAC addresses can be configured onto a port:
  - Statically
  - Dynamically
  - Sticky
Static port security
- A statically-configured MAC address is rather simple; a single MAC address is configured to be allowed on a port:
    router#configure terminal
    router(config)#interface interface
    router(config-if)#switchport port-security mac-address mac-address
Dynamic port security
- A dynamic MAC address is one that is learned on an interface and is held in the Content-Addressable Memory (CAM) table until it times out (5 minutes); these are enabled by default.
Sticky port security
- A sticky address is dynamically learned and then immediately converted into a sticky secure MAC address; this "sticks" the specific MAC address to this port alone.
- Sticky MAC addresses are lost on reboot unless the running configuration is saved.
    router#configure terminal
    router(config)#interface interface
    router(config-if)#switchport port-security mac-address sticky