Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security+ Guide to Network Security Fundamentals, Fifth Edition

Published byEdgar Atkinson Modified over 7 years ago

Similar presentations

Presentation on theme: "Security+ Guide to Network Security Fundamentals, Fifth Edition"— Presentation transcript:

1 Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 11 Access Control Fundamentals Chapter 11 Access Control Fundamentals

2 Objectives Define access control and list the four access control models Describe how to implement access control Explain the different types of authentication services Objectives Define access control and list the four access control models Describe how to implement access control Explain the different types of authentication services Security+ Guide to Network Security Fundamentals, Fifth Edition

3 Introduction Users first must be identified as authorized user, such as by logging in with user name and password to laptop computer Because laptop connects to corporate network that contains critical data, important also to restrict user access to only software, hardware, and other resources for which user has been approved These two acts—authenticating only approved users and controlling their access to resources—are important foundations in information security Introduction Users first must be identified as authorized user, such as by logging in with user name and password to laptop computer Because laptop connects to corporate network that contains critical data, important also to restrict user access to only software, hardware, and other resources for which user has been approved These two acts—authenticating only approved users and controlling their access to resources—are important foundations in information security Security+ Guide to Network Security Fundamentals, Fifth Edition

4 What Is Access Control? Access control - Granting or denying approval to use specific resources; it is controlling access Physical access control - Fencing, hardware door locks, and mantraps that limit contact with devices Technical access control - Technology restrictions that limit users on computers from accessing data Access control has set of associated terminology to describe actions Four standard access control models Specific practices used to enforce access control What Is Access Control? Access control - Granting or denying approval to use specific resources; it is controlling access Physical access control - Fencing, hardware door locks, and mantraps that limit contact with devices Technical access control - Technology restrictions that limit users on computers from accessing data Access control has set of associated terminology to describe actions Four standard access control models Specific practices used to enforce access control Security+ Guide to Network Security Fundamentals, Fifth Edition

5 Access Control Terminology
Identification - Presenting credentials (Example: delivery driver presenting employee badge) Authentication - Checking credentials (Example: examining the delivery driver’s badge) Authorization - Granting permission to take action (Example: allowing delivery driver to pick up package) Access Control Terminology Identification - Presenting credentials (Example: delivery driver presenting employee badge) Authentication - Checking credentials (Example: examining the delivery driver’s badge) Authorization - Granting permission to take action (Example: allowing delivery driver to pick up package) Security+ Guide to Network Security Fundamentals, Fifth Edition

6 Basic Steps In Access Control (Table 11-1)
A table with four columns and five rows. The first row is composed of column headers: Action, Description, Scenario example, and Computer process. Row 2. Action: Identification Description: Review of credentials Scenario example: Delivery person shows employee badge Computer process: User enters user name Row 3. Action: Authentication Description: Validate credentials as genuine Scenario example: Gabe reads badge to determine it is real Computer process: User provides password Row 4. Action: Authorization Description: Permission granted for admittance Scenario example: Gabe opens door to allow delivery person in Computer process: User authorized to log in Row 5. Action: Access Description: Right given to access specific resources Scenario example: Delivery person can only retrieve box by door Computer process: User allowed to access only specific data Security+ Guide to Network Security Fundamentals, Fifth Edition

7 Impose Technical Access Control
Object - Specific resource (Example: file or hardware device) Subject - User or process functioning on behalf of a user (Example: computer user) Operation - Action taken by the subject over an object (Example: deleting file) Impose Technical Access Control Object - Specific resource (Example: file or hardware device) Subject - User or process functioning on behalf of a user (Example: computer user) Operation - Action taken by the subject over an object (Example: deleting file) Security+ Guide to Network Security Fundamentals, Fifth Edition

8 Roles In Access Control (Table 11-2)
A table with four columns and four rows. The first row is composed of column headers: Role, Description, Duties, and Example. Row 2. Role: Owner Description: Person responsible for the information Duties: Determines the level of security needed for the data and delegates security duties as required Example: Determines that the file SALARY.XLSX can be read only by department managers Row 3. Role: Custodian Description: Individual to whom day-to-day actions have been assigned by the owner Duties: Periodically reviews security settings and maintains records of access by end-users Example: Sets and reviews security settings on SALARY.XLSX Row 4. Role: End-user Description: User who accesses information in the course of routine job responsibilities Duties: Follows organization’s security guidelines and does not attempt to circumvent security Example: Opens SALARY.XLSX Security+ Guide to Network Security Fundamentals, Fifth Edition

9 Technical Access Control Process And Terminology (Figure 11-1)
A figure. An icon of personal labeled “End-user” and “Subject.” An icon of a second person labeled “Owner” and “SALARY.XLSX can be read only by department managers.” An icon of a third person labeled “Custodian” and “Reviews security settings on SALARY.XLSX.” A computer with the information “Username: Mwiley” labeled “Identification”; “Password” labeled “Authentication”; “Welcome, MWiley” labeled “Authorization”; and “Open SALARY.XLSX” labeled “Access.” A line links the computer to a folder labeled “SALARY.XLSX” and “Object.” Security+ Guide to Network Security Fundamentals, Fifth Edition

10 Access Control Models Access control model - Hardware and software predefined framework that custodian can use for controlling access Access control models used by custodians for access control are neither created nor installed by custodians or users; instead, these models are already part of software and hardware. Four major access control models Access Control Models Access control model - Hardware and software predefined framework that custodian can use for controlling access Access control models used by custodians for access control are neither created nor installed by custodians or users; instead, these models are already part of software and hardware. Four major access control models Security+ Guide to Network Security Fundamentals, Fifth Edition

11 Discretionary Access Control (DAC)
Discretionary Access Control (DAC) - Least restrictive model Every object has owner, who has total control over that object Owners can create and access their objects freely Owner can give permissions to other subjects over these objects DAC used on operating systems like UNIX and Microsoft Windows Discretionary Access Control (DAC) Discretionary Access Control (DAC) - Least restrictive model Every object has owner, who has total control over that object Owners can create and access their objects freely Owner can give permissions to other subjects over these objects DAC used on operating systems like UNIX and Microsoft Windows Security+ Guide to Network Security Fundamentals, Fifth Edition

12 Windows Discretionary Access Control (DAC) (Figure 11-2)
A screen capture. The Permissions folder listing in the upper pane System, User, and Administrators. The lower pane lists permissions “Full control,” “Modify”, “Read & Execute”, “Read”, and “Write.” Each of these has an “Allow” and “Deny” option. Security+ Guide to Network Security Fundamentals, Fifth Edition

13 Discretionary Access Control (DAC): Weaknesses
DAC has two significant weaknesses: DAC relies on decisions by end-user to set proper level of security; incorrect permissions might be granted to subject or permissions might be given to unauthorized subject Subject’s permissions will be “inherited” by any programs that subject executes; attackers often take advantage of this inheritance because end-users frequently have a high level of privileges Discretionary Access Control (DAC): Weaknesses DAC has two significant weaknesses: DAC relies on decisions by end-user to set proper level of security; incorrect permissions might be granted to subject or permissions might be given to unauthorized subject Subject’s permissions will be “inherited” by any programs that subject executes; attackers often take advantage of this inheritance because end-users frequently have a high level of privileges Security+ Guide to Network Security Fundamentals, Fifth Edition

14 Mandatory Access Control (MAC)
Mandatory Access Control (MAC) - Opposite of DAC and is most restrictive access control model MAC assigns users’ access controls strictly according to custodian’s desires and user has no freedom to set any controls Mandatory Access Control (MAC) Mandatory Access Control (MAC) - Opposite of DAC and is most restrictive access control model MAC assigns users’ access controls strictly according to custodian’s desires and user has no freedom to set any controls Security+ Guide to Network Security Fundamentals, Fifth Edition

15 Mandatory Access Control (MAC): Elements
Two key elements to MAC: Labels - Every entity is an object (laptops, files, projects, and so on) and assigned classification label (confidential, secret, and top secret) while subjects assigned privilege label (a clearance) Levels - Hierarchy based on labels is also used, both for objects and subjects (Top secret higher level than secret) MAC grants permissions by matching object labels with subject labels based on their respective levels Mandatory Access Control (MAC): Elements Two key elements to MAC: Labels - Every entity is an object (laptops, files, projects, and so on) and assigned classification label (confidential, secret, and top secret) while subjects assigned privilege label (a clearance) Levels - Hierarchy based on labels is also used, both for objects and subjects (Top secret higher level than secret) MAC grants permissions by matching object labels with subject labels based on their respective levels Security+ Guide to Network Security Fundamentals, Fifth Edition

16 Mandatory Access Control (MAC): Major Implementations
Lattice model - Subjects and objects are assigned “rung” on lattice and multiple lattices can be placed beside each other Bell-LaPadula - Similar to lattice model but subjects may not create new object or perform specific functions on lower level objects Biba Integrity model - Goes beyond BLP model and adds protecting data integrity and confidentiality Mandatory Integrity Control (MIC) - Based on Biba model, MIC ensures data integrity by controlling access to securable objects Mandatory Access Control (MAC): Major Implementations Lattice model - Subjects and objects are assigned “rung” on lattice and multiple lattices can be placed beside each other Bell-LaPadula - Similar to lattice model but subjects may not create new object or perform specific functions on lower level objects Biba Integrity model - Goes beyond BLP model and adds protecting data integrity and confidentiality Mandatory Integrity Control (MIC) - Based on Biba model, MIC ensures data integrity by controlling access to securable objects Security+ Guide to Network Security Fundamentals, Fifth Edition

17 Windows User Account Control (UAC) Prompt (Figure 11-3)
A screen capture. User Account Control popup that says, “Windows needs your permission to continue: If you started this action, please continue.” There are two buttons, “Continue” and “Cancel.” Security+ Guide to Network Security Fundamentals, Fifth Edition

18 Role Based Access Control (RBAC)
Role Based Access Control (RBAC) - Considered more “real-world” access control than other models because access based on user’s job function within organization Instead of setting permissions for each user or group assigns permissions to particular roles in organization and then assigns users to those roles Objects are set to be a certain type, to which subjects with that particular role have access Role Based Access Control (RBAC) Role Based Access Control (RBAC) - Considered more “real-world” access control than other models because access based on user’s job function within organization Instead of setting permissions for each user or group assigns permissions to particular roles in organization and then assigns users to those roles Objects are set to be a certain type, to which subjects with that particular role have access Security+ Guide to Network Security Fundamentals, Fifth Edition

19 Rule Based Access Control (RBAC)
Rule Based Access Control (RBAC) - Dynamically assign roles to subjects based on set of rules defined by custodian Each resource object contains set of access properties based on rules When user attempts to access that resource, system checks rules contained in object to determine if access is permissible Rule Based Access Control (RBAC) Rule Based Access Control (RBAC) - Dynamically assign roles to subjects based on set of rules defined by custodian Each resource object contains set of access properties based on rules When user attempts to access that resource, system checks rules contained in object to determine if access is permissible Security+ Guide to Network Security Fundamentals, Fifth Edition

20 Access control models (Table 11-3)
A table with three columns and five rows. The first row is composed of column headers: Name, Restrictions, and Description. Row 2. Name: Mandatory Access Control (MAC) Restrictions: End-user cannot set controls Description: Most restrictive model Row 3. Name: Discretionary Access Control (DAC) Restrictions: Subject has total control over objects Description: Least restrictive model Row 4. Name: Role Based Access Control (RBAC) Restrictions: Assigns permissions to particular roles in the organization and then users are assigned to roles Description: Considered a more “real-world” approach Row 5. Name: Rule Based Access Control (RBAC) Restrictions: Dynamically assigns roles to subjects based on a set of rules defined by a custodian Description: Used for managing user access to one or more systems Security+ Guide to Network Security Fundamentals, Fifth Edition

21 Best Practices for Access Control
Establishing best practices for limiting access can help secure systems and data Examples of best practices: Separation of duties Job rotation Least privilege Implicit deny Mandatory vacations Security+ Guide to Network Security Fundamentals, Fifth Edition

22 Separation of Duties Separation of duties - Not to give one person total control Fraud can result from single user being trusted with complete control of a process Requiring two or more people responsible for functions related to handling money System is not vulnerable to actions of a single person Separation of Duties Separation of duties - Not to give one person total control Fraud can result from single user being trusted with complete control of a process Requiring two or more people responsible for functions related to handling money System is not vulnerable to actions of a single person Security+ Guide to Network Security Fundamentals, Fifth Edition

23 Job Rotation Job rotation - Individuals periodically moved between job responsibilities Employees can rotate within their department or across departments Advantages of job rotation: Limits amount of time individuals are in position to manipulate security configurations Helps expose potential avenues for fraud Reduces employee burnout Job Rotation Job rotation - Individuals periodically moved between job responsibilities Employees can rotate within their department or across departments Advantages of job rotation: Limits amount of time individuals are in position to manipulate security configurations Helps expose potential avenues for fraud Reduces employee burnout Security+ Guide to Network Security Fundamentals, Fifth Edition

24 Least Privilege Least privilege - Limiting access to information based on what is needed to perform a job function Helps reduce attack surface by eliminating unnecessary privileges Should apply to users and processes on the system Processes should run at minimum security level needed to correctly function Temptation to assign higher levels of privilege is great Least Privilege Least privilege - Limiting access to information based on what is needed to perform a job function Helps reduce attack surface by eliminating unnecessary privileges Should apply to users and processes on the system Processes should run at minimum security level needed to correctly function Temptation to assign higher levels of privilege is great Security+ Guide to Network Security Fundamentals, Fifth Edition

25 Challenges of least privilege (Table 11-4)
A table with two columns and four rows. The first row is composed of column headers: Challenge and Explanation. Row 2. Challenge: Legacy applications Explanation: Many older software applications were designed to run only with a high level of privilege. Many of these applications were internally developed and are no longer maintained or are third-party applications that are no longer supported. Redeveloping the application may be seen as too costly. An alternative is to run the application in a virtualized environment. Row 3. Challenge: Common administrative tasks Explanation: In some organizations, basic system administration tasks are performed by the user, such as connecting printers or defragmenting a disk. Without a higher level of privilege, users must contact the help desk so that a technician can help with the tasks. Row 4. Challenge: Software installation/upgrade Explanation: A software update that is not centrally deployed can require a higher privilege level, which can mean support from the local help desk. This usually results in decreased productivity and increased support costs. Security+ Guide to Network Security Fundamentals, Fifth Edition

26 Implicit Deny Implicit deny - If condition is not explicitly met, access request is rejected Example: Network router rejects access to all except conditions matching the rule restrictions When creating access control restrictions, recommended that unless condition is specifically met then access should be denied Implicit Deny Implicit deny - If condition is not explicitly met, access request is rejected Example: Network router rejects access to all except conditions matching the rule restrictions When creating access control restrictions, recommended that unless condition is specifically met then access should be denied Security+ Guide to Network Security Fundamentals, Fifth Edition

27 Mandatory Vacations Mandatory vacations - Limits fraud, because perpetrator must be present daily to hide fraudulent actions Audit of employee’s activities usually scheduled during vacation for sensitive positions Mandatory Vacations Mandatory vacations - Limits fraud, because perpetrator must be present daily to hide fraudulent actions Audit of employee’s activities usually scheduled during vacation for sensitive positions Security+ Guide to Network Security Fundamentals, Fifth Edition

28 Implementing Access Control
Several technologies can be used to implement access control: Access control lists Group Policy Account restrictions Implementing Access Control Several technologies can be used to implement access control: Access control lists Group Policy Account restrictions Security+ Guide to Network Security Fundamentals, Fifth Edition

29 Access Control Lists (ACLs)
Access control list (ACL) - Set of permissions attached to an object Specifies which subjects may access the object and what operations they can perform When subject requests to perform an operation system checks ACL for an approved entry ACLs usually viewed in relation to operating system files Access Control Lists (ACLs) Access control list (ACL) - Set of permissions attached to an object Specifies which subjects may access the object and what operations they can perform When subject requests to perform an operation system checks ACL for an approved entry ACLs usually viewed in relation to operating system files Security+ Guide to Network Security Fundamentals, Fifth Edition

30 UNIX file permissions (Figure 11-4)
A screen capture. The first line is “$ setfacl –m user:tdk:rw-samplefile.” The second line is “$getacl samplefile.” The third line is #file: samplefile.” The fourth line is “#owner: reo.” The first line is “#group: sysadmin.” The sixth line is “user::rw-user:” The seventh line is “tdk:rw-”. The eighth line is “group::r—”. The ninth line is “mask:r—”. The last line is “other:r—”. Security+ Guide to Network Security Fundamentals, Fifth Edition

31 Access Control List (ACLs): Structure
Each entry in the ACL table is called access control entry (ACE) ACE structure (Windows) Security identifier for the user or group account or logon session Access mask that specifies access rights controlled by ACE Flag that indicates type of ACE Set of flags that determine whether objects can inherit permissions Access Control List (ACLs): Structure Each entry in the ACL table is called access control entry (ACE) ACE structure (Windows) Security identifier for the user or group account or logon session Access mask that specifies access rights controlled by ACE Flag that indicates type of ACE Set of flags that determine whether objects can inherit permissions Security+ Guide to Network Security Fundamentals, Fifth Edition

32 Access Control List (ACLs): Limitations
Although widely used, ACLs have limitations: Using ACLs is not efficient - ACL for each file, process, or resource must be checked every time the resource is accessed. Can be difficult to manage in an enterprise setting where many users need to have different levels of access to many different resources; selectively adding, deleting, and changing ACLs on individual files, or even groups of files, can be time-consuming and open to errors, particularly if changes must be made frequently Access Control List (ACLs): Limitations Although widely used, ACLs have limitations: Using ACLs is not efficient - ACL for each file, process, or resource must be checked every time the resource is accessed. Can be difficult to manage in an enterprise setting where many users need to have different levels of access to many different resources; selectively adding, deleting, and changing ACLs on individual files, or even groups of files, can be time-consuming and open to errors, particularly if changes must be made frequently Security+ Guide to Network Security Fundamentals, Fifth Edition

33 Group Policies Group Policy - Microsoft Windows feature that provides centralized management and configuration of computers and remote users using Active Directory (AD) Usually used in enterprise environments Settings stored in Group Policy Objects (GPOs) Local Group Policy has fewer options than a Group Policy and used to configure settings for systems not part of AD Group Policies Group Policy - Microsoft Windows feature that provides centralized management and configuration of computers and remote users using Active Directory (AD) Usually used in enterprise environments Settings stored in Group Policy Objects (GPOs) Local Group Policy has fewer options than a Group Policy and used to configure settings for systems not part of AD Security+ Guide to Network Security Fundamentals, Fifth Edition

34 Account Restrictions: Time of Day Restrictions
Time of day restrictions - Limits the time of day a user may log onto a system Time blocks for permitted access are chosen Can be set on individual systems Account Restrictions: Time of Day Restrictions Time of day restrictions - Limits the time of day a user may log onto a system Time blocks for permitted access are chosen Can be set on individual systems Security+ Guide to Network Security Fundamentals, Fifth Edition

35 Time Of Day Restrictions Setting Specific Times And Days (Figure 11-5)
A figure. A column to the left labeled “Days to Block:” has the days of the week listed beneath it, with Sunday, Tuesday, Wednesday, Friday and Saturday checked. To the right the “Time of day to block:” section has “Starting Blocking 18 Hour 30 Minute” and “End Blocking 24 Hour 0 Minute” indicated. The “Time Zone” entry has “(GMT-06:00) Central America, Central Time (US & Canada)” indicated. The box “Automatically adjust for daylight savings time” is not checked. Security+ Guide to Network Security Fundamentals, Fifth Edition

36 Time Of Day Restrictions Using GUI (Figure 11-6)
A figure. A grid of rows and columns. The Row entries along the left side are Monday through Sunday, while the column entries are Hours 00 through 24. A legend of Allow (white) and Blocked (Black) is at the top of the figure. On the row Monday and Tuesday the hours 17:30-22:00 are blacked out. On the row Wednesday the time 03:00-03:30 and 08:00-09:00 and blacked out. On the row Thursday the time 16:00-21:30 is blacked out. On the row Saturday the time 09:00-13:30 is blacked out. Security+ Guide to Network Security Fundamentals, Fifth Edition

37 Account Restrictions: Account Expiration
Orphaned accounts - Accounts that remain active after employee has left organization Dormant accounts – Accounts not accessed for lengthy period of time Both can be security risks Account expiration - Process of setting a user’s account to expire Account expiration can be explicit (account expires on a set date) or based on specific number of days of inactivity Account Restrictions: Account Expiration Orphaned accounts - Accounts that remain active after employee has left organization Dormant accounts – Accounts not accessed for lengthy period of time Both can be security risks Account expiration - Process of setting a user’s account to expire Account expiration can be explicit (account expires on a set date) or based on specific number of days of inactivity Security+ Guide to Network Security Fundamentals, Fifth Edition

38 Authentication Services
Authentication - Process of verifying credentials Authentication services provided on a network: Dedicated authentication server AAA server Common types of authentication and AAA servers: Kerberos RADIUS TACACS LDAP SAML Authentication Services Authentication - Process of verifying credentials Authentication services provided on a network: Dedicated authentication server AAA server Common types of authentication and AAA servers: Kerberos RADIUS TACACS LDAP SAML Security+ Guide to Network Security Fundamentals, Fifth Edition

39 RADIUS RADIUS (Remote Authentication Dial In User Service) - Developed in 1992 and became industry standard Originally designed for remote dial-in access to corporate network Remote in name almost misnomer: RADIUS authentication used for more than connecting to remote networks With development of IEEE 802.1x port security for both wired and wireless LANs, RADIUS seen even greater usage RADIUS RADIUS (Remote Authentication Dial In User Service) - Developed in 1992 and became industry standard Originally designed for remote dial-in access to corporate network Remote in name almost misnomer: RADIUS authentication used for more than connecting to remote networks With development of IEEE 802.1x port security for both wired and wireless LANs, RADIUS seen even greater usage Security+ Guide to Network Security Fundamentals, Fifth Edition

40 RADIUS: Clients RADIUS client is not device requesting authentication
RADIUS client is device like wireless AP or dial-up server responsible for sending user credentials and connection parameters in form of RADIUS message to RADIUS server RADIUS server authenticates and authorizes RADIUS client request and sends back RADIUS message response RADIUS clients also send RADIUS accounting messages to RADIUS servers RADIUS: Clients RADIUS client is not device requesting authentication RADIUS client is device like wireless AP or dial-up server responsible for sending user credentials and connection parameters in form of RADIUS message to RADIUS server RADIUS server authenticates and authorizes RADIUS client request and sends back RADIUS message response RADIUS clients also send RADIUS accounting messages to RADIUS servers Security+ Guide to Network Security Fundamentals, Fifth Edition

41 RADIUS Authentication (Figure 11-7)
A figure. A laptop is connected to an AP with the legend “1. UserID=BJ_Deboer and Password egu74gbd63.” The AP is connected to the RADIUS server with the legend “2. Authentication request.” A user database icon is connected to the RADIUS server with the legend “3. Comapares with user database.” The RADIUS server is connected to the AP with the legend “4. Authentication acknowledgement.” The RADIUS server is connected to the icon Accounting Database with the legend “6. Records in accounting database.” The AP is connected to the laptop icon with the legend “6. Approval to laptop.” Security+ Guide to Network Security Fundamentals, Fifth Edition

42 Kerberos Kerberos - Authentication system developed at MIT that uses encryption and authentication for security Most often used in educational and government settings Kerberos ticket: Contains information linking it to the user User presents ticket to network for a service Difficult to copy Expires after a few hours or a day Kerberos Kerberos - Authentication system developed at MIT that uses encryption and authentication for security Most often used in educational and government settings Kerberos ticket: Contains information linking it to the user User presents ticket to network for a service Difficult to copy Expires after a few hours or a day Security+ Guide to Network Security Fundamentals, Fifth Edition

43 Terminal Access Control Access Control System (TACACS)
Terminal Access Control Access Control System (TACACS) - Authentication service commonly used on UNIX devices Communicates by forwarding user authentication information to a centralized server Extended TACACS (XTACACS) - Later version introduced in 1990. TACACS+ - Current version Terminal Access Control Access Control System (TACACS) Terminal Access Control Access Control System (TACACS) - Authentication service commonly used on UNIX devices Communicates by forwarding user authentication information to a centralized server Extended TACACS (XTACACS) - Later version introduced in 1990. TACACS+ - Current version Security+ Guide to Network Security Fundamentals, Fifth Edition

44 Comparison Of RADIUS And TACACS+ (Table 11-5)
A table with three columns and six rows. The first row is composed of column headers: Feature, RADIUS, and TACACS+. Row 2. Feature: Transport protocol RADIUS: User Datagram Protocol (UDP) TACACS+: Transmission Control Protocol (TCP) Row 3. Feature: Authentication and authorization RADIUS: Combined TACACS+: Separated Row 4. Feature: Communication RADIUS: Unencrypted TACACS+: Encrypted Row 5. Feature: Interacts with Kerberos RADIUS: No TACACS+: Yes Row 6. Feature: Can authenticate network devices RADIUS: No TACACS+: Yes Security+ Guide to Network Security Fundamentals, Fifth Edition

45 Directory Services Directory service - Database stored on a network that contains information about users and network devices Keeps track of network resources and user’s privileges to those resources Grants or denies access based on its information X Standard for directory services Directory Services Directory service - Database stored on a network that contains information about users and network devices Keeps track of network resources and user’s privileges to those resources Grants or denies access based on its information X Standard for directory services Security+ Guide to Network Security Fundamentals, Fifth Edition

46 Lightweight Directory Access Protocol (LDAP)
X.500 defines protocol for client application access Directory Access Protocol (DAP) Lightweight Directory Access Protocol (LDAP) -Simpler subset of DAP Designed to run over TCP/IP Has simpler functions Encodes protocol elements simpler way than X.500 Secure LDAP - LDAP over SSL (LDAPS) LDAP injection attacks - Attacks when user input not properly filtered Lightweight Directory Access Protocol (LDAP) X.500 defines protocol for client application access Directory Access Protocol (DAP) Lightweight Directory Access Protocol (LDAP) -Simpler subset of DAP Designed to run over TCP/IP Has simpler functions Encodes protocol elements simpler way than X.500 Secure LDAP - LDAP over SSL (LDAPS) LDAP injection attacks - Attacks when user input not properly filtered Security+ Guide to Network Security Fundamentals, Fifth Edition

47 Security Assertion Markup Language (SAML)
Security Assertion Markup Language (SAML) - Extensible Markup Language (XML) standard allows secure web domains exchange user authentication and authorization data Allows user’s login credentials be stored with single identity provider instead of being stored on each web service provider’s server SAML is used extensively for online e-commerce business-to-business (B2B) and business-to-consumer (B2C) transactions Security Assertion Markup Language (SAML) Security Assertion Markup Language (SAML) - Extensible Markup Language (XML) standard allows secure web domains exchange user authentication and authorization data Allows user’s login credentials be stored with single identity provider instead of being stored on each web service provider’s server SAML is used extensively for online e-commerce business-to-business (B2B) and business-to-consumer (B2C) transactions Security+ Guide to Network Security Fundamentals, Fifth Edition

48 Security Assertion Markup Language (SAML): Steps 1-3
User attempts to reach website of service provider that requires username and password Service provider generates SAML authentication request encoded and embedded into URL Service provider sends redirect URL to user's browser that includes encoded SAML authentication request, which then sent to identity provider Security Assertion Markup Language (SAML): Steps 1-3 User attempts to reach website of service provider that requires username and password Service provider generates SAML authentication request encoded and embedded into URL Service provider sends redirect URL to user's browser that includes encoded SAML authentication request, which then sent to identity provider Security+ Guide to Network Security Fundamentals, Fifth Edition

49 Security Assertion Markup Language (SAML): Steps 4-6
Identity provider decodes SAML request and extracts embedded URL, then attempts authenticate user either by asking for login credentials or checking for valid session cookies Identity provider generates SAML response that contains authenticated user's username Identity provider encodes SAML response and returns that information to the user's browser Security Assertion Markup Language (SAML): Steps 4-6 Identity provider decodes SAML request and extracts embedded URL, then attempts authenticate user either by asking for login credentials or checking for valid session cookies Identity provider generates SAML response that contains authenticated user's username Identity provider encodes SAML response and returns that information to the user's browser Security+ Guide to Network Security Fundamentals, Fifth Edition

50 Security Assertion Markup Language (SAML): Steps 7-8
Within the SAML response, mechanism so that user’s browser can forward information back to service provider, either by displaying a form that requires the user to click on a Submit button or by automatically sending to the service provider. Service provider verifies the SAML response by using the identity provider’s public key; if response successfully verified, user is logged in Security Assertion Markup Language (SAML): Steps 7-8 Within the SAML response, mechanism so that user’s browser can forward information back to service provider, either by displaying a form that requires the user to click on a Submit button or by automatically sending to the service provider. Service provider verifies the SAML response by using the identity provider’s public key; if response successfully verified, user is logged in Security+ Guide to Network Security Fundamentals, Fifth Edition

51 SAML Transaction (Figure 11-8)
A figure. Three boxes are labeled “Service Provider,” “User”, and “Identity Provider.” A line from User to Service provider is labeled “1. The user attempts to reach a website of a service provider that requires a username and password.” The Service Provider box contains “2. The service provider generates a SAML authentication request that is then encoded and embedded into a URL. “ A line from the Service Provider to the User box contains “3. The service provider sends a redirect URL to the user's browser that includes the encoded SAML authentication request, which is then sent to the identity provider.” A line form the User to the Identity Provide contains “Redirect URL sent.” The Identity Provider contains, “4. The identity provider decodes the SAML request and extracts the embedded URL.” The Identithy Provider box contains, “5. SAML response created and signed.” A line form the Identity provider to user contains “6. SAML response returned.” A line from the User to the Service Provider contains, “7. User’s browser forwards SAML request.” The Service Provider box contains, “8. SAML request verified and user logged in.” Security+ Guide to Network Security Fundamentals, Fifth Edition

52 Summary Access control is the process by which resources or services are denied or granted Four major access control models exist Best practices for implementing access control Separation of duties Job rotation Least privilege Mandatory vacations Security+ Guide to Network Security Fundamentals, Fifth Edition

53 Summary (cont’d.) Access control lists define which subjects are allowed to access which objects Specify which operations they may perform Group Policy is a Windows feature that provides centralized management and configuration Authentication services can be provided on a network by a dedicated AAA or authentication server RADIUS is the industry standard Security+ Guide to Network Security Fundamentals, Fifth Edition

54 Security+ Guide to Network Security Fundamentals, Fifth Edition
Chapter 11 Access Control Fundamentals Chapter 11 Access Control Fundamentals

Download ppt "Security+ Guide to Network Security Fundamentals, Fifth Edition"

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Access Control Methodologies

Access Control Methodologies
Security+ Guide to Network Security Fundamentals, Fourth Edition

Security+ Guide to Network Security Fundamentals, Fourth Edition
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.

Chapter 9 Chapter 9: Managing Groups, Folders, Files, and Object Security.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
12.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.

12.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.

Security+ Guide to Network Security Fundamentals, Third Edition Chapter 8 Authentication.
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
10.1 © 2004 Pearson Education, Inc. Exam 70-294 Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.

10.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 9: Implementing and Using Group Policy.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
7.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.

7.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 7: Introducing Group Accounts.
Lecture 7 Access Control

Lecture 7 Access Control
Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 2/e, by William Stallings and Lawrie Brown, Chapter 4 “Overview”.
Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Check Disk. Disk Defragmenter Using Disk Defragmenter Effectively Run Disk Defragmenter when the computer will receive the least usage. Educate users.

Similar presentations

Ads by Google