ACCESS CONTROLS SZABIST – Spring 2012

Access Controls
This chapter presents the following:
- Identification methods and technologies
- Authentication methods, models, and technologies
- Discretionary, mandatory, and nondiscretionary models
- Accountability, monitoring, and auditing practices
- Intrusion detection and prevention systems
- Possible threats to access control practices and technologies

Access Controls – An Overview
- Access controls give organizations the ability to control, restrict, monitor, and protect resource availability, integrity, and confidentiality.
- Examples of access controls?

Identification, Authentication, Authorization, and Accountability
- Identification – does the subject present the necessary credentials? Public information, e.g. a user ID.
- Authentication – are the credentials correct? Private information, e.g. a password, smart token, or PIN.
- Authorization – once authenticated, is the subject authorized to access the resource?
- Accountability – the subject is liable for all actions performed under its identity.
- Now an example!

Identification, Authentication, Authorization, and Accountability – Diagrammatic View

Identification, Authentication, Authorization, and Accountability
- Identification component requirements:
  - should be unique, for user accountability
  - should not be shared between users
- Authentication:
  - Two- / three-factor authentication: something a person knows, something a person has, and something a person is.

Identity Management
"Identity management is a broad term that encompasses the use of different products to identify, authenticate, and authorize users through automated means."
- What are Identity Management Solutions?

Identity Management

The following are many of the common questions enterprises deal with today in controlling access to assets:
- What should each user have access to?
- Who approves and allows access?
- Do former employees still have access?
- How do we keep up with our dynamic and ever-changing environment?
- What is the process of revoking access?
- How is access controlled and monitored centrally?
- Why do employees have eight passwords to remember?
- We have five different operating platforms. How do we centralize access when each platform (and application) requires its own type of credential set?
- How do we control access for our employees, customers, and partners?

Identity Management
- What is the traditional process to grant access over the systems? ACLs, profiles?
- Identity Management Solutions – refer to the diagram 'IDENTITY MANAGEMENT'.
- The main goals of identity management (IdM) technologies are to streamline the management of identity, authentication, authorization, and the auditing of subjects on multiple systems throughout the enterprise.

Identity Management Technologies – IDENTIFICATION and AUTHENTICATION
- Following are the types of technologies you should at least be aware of:
  - Directories
  - Web access management
  - Legacy single sign-on
  - Account management
  - Profile update

IDENTIFICATION  Directory Services  an Integral Part of IDM Identity Management Technologies

Identity Management Technologies – IDENTIFICATION (contd.)
- Working of Directory Services
- LDAP
- Meta Directory

Identity Management Technologies – IDENTIFICATION (contd.)
- Web Access Management
- Communication Process
- Cookies?

Identity Management Technologies – AUTHENTICATION (contd.)
- Biometrics
  - Physiological – "what you are"
  - Behavioral – "what you do"
  - Type 1 error – False Rejection Rate (FRR)
  - Type 2 error – False Acceptance Rate (FAR)
  - Minimize both errors, especially Type 2
  - Crossover Error Rate (CER) – the rate at which the Type 1 and Type 2 error rates cross (are equal)
  - A lower CER represents a more reliable system
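Added example, not from the slides: sweeping a match-score threshold to compute the Type 1 (FRR) and Type 2 (FAR) rates and locate the crossover error rate. The genuine and impostor scores are constructed to stand in for a real matcher's output.

```python
"""Type 1 / Type 2 error rates and the crossover error rate (CER) of a biometric matcher.
Higher score = better match. Both score lists are constructed sample data."""
GENUINE_SCORES = [0.91, 0.88, 0.95, 0.72, 0.83, 0.67, 0.90, 0.79, 0.86, 0.93]   # same person
IMPOSTOR_SCORES = [0.12, 0.35, 0.41, 0.58, 0.22, 0.69, 0.30, 0.47, 0.75, 0.18]  # other people

def error_rates(threshold, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES):
    """Type 1 (FRR): genuine users scoring below the threshold are wrongly rejected.
    Type 2 (FAR): impostors scoring at or above the threshold are wrongly accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

def crossover(genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=100):
    """Sweep thresholds 0..1 and return (threshold, cer) where FRR and FAR are closest.
    A lower CER means the matcher separates genuine users from impostors better."""
    best = None
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(t, genuine, impostor)
        gap = abs(frr - far)
        if best is None or gap < best[2]:
            best = (t, (frr + far) / 2, gap)
    return best[0], best[1]

def threshold_for_far(max_far, genuine=GENUINE_SCORES, impostor=IMPOSTOR_SCORES, steps=100):
    """The slide's advice to prioritise Type 2: the lowest threshold whose FAR is at most
    max_far, together with the Type 1 rate that choice costs."""
    for i in range(steps + 1):
        t = i / steps
        frr, far = error_rates(t, genuine, impostor)
        if far <= max_far:
            return t, frr
    return None
```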

Identity Management Technologies – AUTHENTICATION (contd.)
- Biometric Authentication Process

Identity Management Technologies – AUTHENTICATION (contd.)
- Various Biometric Technologies
  - Finger Print
  - Palm Scan
  - Hand Geometry
  - Retina Scan
  - Iris Scan
  - Signature Dynamics
  - Keystroke Dynamics
  - Voice Print
  - Facial Scan
- Passwords
  - What are the possible attacks on passwords? Electronic monitoring, accessing the password file, brute force attacks, dictionary attacks, social engineering, etc.

Identity Management Technologies – AUTHENTICATION (contd.)
- Passwords
  - Password protection mechanisms: password hashing and encryption (encryption will be discussed in later chapters), e.g. MD4 and MD5
- One-time Password
  - Token device / SecurID

Identity Management Technologies – AUTHENTICATION (contd.)
- Cryptographic Keys
- Passphrase
- Smart Cards
  - Smart card attacks? Fault generation, side-channel attacks, microprobing

AUTHORIZATION
- Authorization is a two-step process that determines whether an individual is allowed to access a particular resource.
- Access Criteria
  - Roles
  - Groups
  - Physical and logical locations
  - Time of day
  - Temporary access
  - Transaction type
- Default to No Access!
- Need-to-Know Access.

AUTHENTICATION and AUTHORIZATION – KERBEROS
- Designed in the mid-1980s as part of MIT's Project Athena.
- Provides end-to-end security in a client/server model and is based on symmetric key cryptography.
- Initially developed and used in UNIX systems; currently the default authentication method for Microsoft OS, Apple's Mac OS X, Sun's Solaris, and Red Hat Enterprise Linux.
- Main Components in Kerberos

AUTHENTICATION and AUTHORIZATION – KERBEROS
- Main Components in Kerberos

AUTHORIZATION  KERBEROS  Working of Kerberos User enters the authentication credentials into the Kerberos software installed on user’s computer. Username is sent to the authentication service (AS) on the KDC, which in turn sends an initial ticket that is encrypted with user’s password (secret key). If the password is correct, then the ticket is decrypted and user gains access to the local workstation. When user needs to send a print job to the print server, the system sends the initial ticket to the ticket granting service (TGS) which runs on the KDC. (proves that user is authenticated and allows to request access to the print server.) The TGS creates and sends a second ticket to user, which will be used to authenticate to the print server.

AUTHORIZATION  KERBEROS - Working of Kerberos This second ticket contains two instances of the same session key, one encrypted with user’s secret key and the other encrypted with the print server’s secret key. Also contains an authenticator, which contains identification information of user, the system’s IP address, sequence number, and a timestamp. User’s system receives the second ticket, decrypts and extracts the session key, adds a second authenticator set of identification information to the ticket, and sends the ticket to the print server. The print server receives the ticket, decrypts and extracts the session key, and decrypts and extracts the two authenticators in the ticket. If the printer server can decrypt and extract the session key, it knows the KDC created the ticket, because only the KDC has the secret key used to encrypt the session key. If the authenticator information that the KDC and the user put into the ticket matches, then the print server knows it received the ticket from the correct principal. Once this is completed, it means user is properly authenticated to the print server and the server prints the document.

AUTHORIZATION  KERBEROS  Weaknesses of Kerberos Open architecture therefore interoperability issues The KDC can be a single point of failure. If the KDC goes down, no one can access needed resources. Redundancy is necessary for the KDC. The KDC must be able to handle the number of requests it receives in a timely manner. It must be scalable. Secret keys are temporarily stored on the users’ workstations, which means it is possible for an intruder to obtain these cryptographic keys. Session keys are decrypted and reside on the users’ workstations, either in a cache or in a key table. Again, an intruder can capture these keys. If the keys are too short, they can be vulnerable to brute force attacks.

AUTHORIZATION  SESAME (The Secure European System for Applications in a Multi-vendor Environment)  Extension to KERBEROS functionality  Uses symmetric and asymmetric cryptographic techniques to authenticate subjects to network resources.  Assignment 2  Thin Clients

Access Control Models
- Mandatory Access Control (MAC)
- Discretionary Access Control (DAC)
- Role-Based Access Control (RBAC)

Access Control Models
- Access Control List (ACL)
- Access Control Matrix

Access Controls Administration
- Centralized Access Control Administration
- Decentralized Access Control Administration

Accountability
- Accountability is tracked by recording user, system, and application activities.
- Auditing capabilities ensure users are accountable for their actions.
  - System-level events
  - Application-level events
  - User-level events
- Review of Audit Information
- Protecting Audit Data and Log Information

Access Controls Monitoring
- Intrusion Detection System (IDS)
  - Network-Based IDS (NIDS): identifies attacks within the monitored network and issues a warning to the operator. If placed between the Internet and the firewall, it will detect all attack attempts, whether or not they pass through the firewall. If placed between the firewall and the corporate network, it will detect those attacks that get through the firewall (it will detect intruders).
  - Host-Based IDS (HIDS): configured for a specific environment and monitors various internal resources of the operating system to warn of a possible attack. It can detect the modification of executable programs, detect the deletion of files, and issue a warning when an attempt is made to use a privileged command.

Access Controls Monitoring
- Intrusion Detection System (IDS) – contd.
  HIDS and NIDS can be one of the following types:
  - Signature-based
    - Pattern matching
    - Stateful matching
  - Anomaly-based
    - Statistical anomaly-based
    - Protocol anomaly-based
    - Traffic anomaly-based
  - Rule- or heuristic-based
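Added example, not from the slides: the three detection styles listed above (pattern-matching signature, stateful signature, statistical anomaly) applied to constructed syslog-style host log lines, so the difference between them is visible on the same input. Log lines, addresses, user names and thresholds are all constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed host log lines in a syslog-like shape (not from any real system).
LOG_LINES = """\
10:00:01 host1 sshd: Failed password for root from 203.0.113.7
10:00:02 host1 sshd: Failed password for root from 203.0.113.7
10:00:03 host1 sshd: Failed password for admin from 203.0.113.7
10:00:04 host1 sshd: Failed password for admin from 203.0.113.7
10:00:05 host1 sshd: Failed password for oracle from 203.0.113.7
10:00:06 host1 sshd: Accepted password for oracle from 203.0.113.7
10:00:07 host1 sudo: oracle : command not allowed ; COMMAND=/usr/bin/passwd
10:00:30 host1 sshd: Accepted publickey for alice from 192.0.2.10
10:01:10 host1 sshd: Failed password for alice from 192.0.2.10
""".splitlines()

# Signature-based, pattern matching: one event compared against known-bad patterns.
SIGNATURES = {
    "privileged-command-attempt": re.compile(r"sudo: .* command not allowed"),
    "root-login-failure": re.compile(r"Failed password for root"),
}

def signature_alerts(lines):
    return [(name, line) for line in lines for name, rx in SIGNATURES.items() if rx.search(line)]

# Signature-based, stateful matching: a sequence across events, tracked per source.
LOGIN_RX = re.compile(r"(Failed|Accepted) \w+ for (\w+) from ([\d.]+)")

def stateful_alerts(lines, min_failures=3):
    """Flags a source whose run of failed logins ends in an accepted login."""
    failures, alerts = defaultdict(int), []
    for line in lines:
        m = LOGIN_RX.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failures[src] += 1
        else:
            if failures[src] >= min_failures:
                alerts.append(("failures-then-success", src, user, failures[src]))
            failures[src] = 0
    return alerts

# Statistical anomaly-based: a source whose failure count deviates from a learned baseline.
def anomaly_alerts(lines, baseline_failures_per_source=1.0, factor=3.0):
    """Returns (source, failed_logins) for sources exceeding factor x baseline."""
    failures = Counter()
    for line in lines:
        m = LOGIN_RX.search(line)
        if m and m.group(1) == "Failed":
            failures[m.group(3)] += 1
    return [(src, n) for src, n in failures.items() if n > factor * baseline_failures_per_source]
```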

Access Controls Monitoring
- Intrusion Prevention System (IPS)
- Honey Pots
- Network Sniffers

A Few Threats to Access Controls
- Dictionary Attacks
- Countermeasures:
  - Do not allow passwords to be sent in cleartext.
  - Encrypt the passwords with encryption algorithms or hashing functions.
  - Employ one-time password tokens.
  - Use hard-to-guess passwords.
  - Rotate passwords frequently.
  - Employ an IDS to detect suspicious behavior.
  - Use dictionary cracking tools to find weak passwords chosen by users (ethical hacking).

A Few Threats to Access Controls
- Brute Force Attacks
- Countermeasures:
  - Perform brute force attacks to find weaknesses and hanging modems (internal penetration testing).
  - Monitor and audit for such activity.
  - Employ an IDS to watch for suspicious activity.
  - Set account lockout thresholds.
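Added example, not from the slides, covering the password-protection mechanisms named earlier in the chapter (hashing with MD5) and the dictionary and brute force countermeasures above: unsalted MD5 beside a salted, slow PBKDF2 hash, rejection of dictionary words at registration, and an account lockout threshold. The wordlist, user names, passwords and thresholds are constructed.

```python
import hashlib, hmac, os, time

# Constructed wordlist standing in for a dictionary of common / breached passwords.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome", "spring2012"}

def md5_unsalted(password: str) -> str:
    """Unsalted MD5 as named on the slide: identical passwords give identical hashes,
    so one precomputed dictionary entry exposes every user who chose that word."""
    return hashlib.md5(password.encode()).hexdigest()

def hash_password(password: str, iterations: int = 200_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256 from the standard library).
    The per-user salt defeats precomputed tables; the iteration count slows guessing."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def check_password(stored: str, candidate: str) -> bool:
    _, iters, salt, digest = stored.split("$")
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(got.hex(), digest)  # constant-time comparison

class AccountStore:
    """Credential store that rejects dictionary words at registration and applies an
    account lockout threshold against online brute force guessing."""
    def __init__(self, lockout_threshold: int = 5, lockout_seconds: int = 900):
        self.users, self.failures, self.locked_until = {}, {}, {}
        self.threshold, self.lockout = lockout_threshold, lockout_seconds

    def register(self, user: str, password: str) -> None:
        if password.lower() in COMMON_WORDS:
            raise ValueError("password is in the dictionary; choose a hard-to-guess one")
        self.users[user] = hash_password(password)

    def login(self, user: str, password: str, now: float = None) -> str:
        """Returns "ok", "denied" or "locked"; each outcome is an auditable event."""
        now = time.time() if now is None else now
        if self.locked_until.get(user, 0) > now:
            return "locked"
        if user in self.users and check_password(self.users[user], password):
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.threshold:
            self.locked_until[user] = now + self.lockout
            self.failures[user] = 0
            return "locked"
        return "denied"
```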

A Few Threats to Access Controls
- Spoofing at Logon
  - Fake logon screen
  - A fake error message will appear
- Phishing
  - A type of social engineering

A Few Threats to Access Controls
- DNS Poisoning (Pharming)

A Few Threats to Access Controls
- Countermeasures:
  - Be skeptical of e-mails indicating you must make changes to your accounts, or warnings stating an account will be terminated if you don't perform some online activity.
  - Call the legitimate company to find out if this is a fraudulent message.
  - Review the address bar to see if the domain name is correct.
  - When submitting any type of financial information or credential data, an SSL connection should be set up, which is indicated in the address bar (https://) and by a closed-padlock icon in the browser at the bottom-right corner.
  - Do not click an HTML link within an e-mail. Type the URL out manually instead.

End of Chapter 3
Thank You