Published by Isabel Pillman. Modified over 9 years ago.
1
Access Control Chapter 3 Part 3 Pages 209 to 227
2
SSO Page 219
3
Kerberos
Authentication protocol
Mid-1980s, MIT
Has been used for years in UNIX, Windows 2000, 2003, 2008
Kerberos is a single sign-on system for distributed environments
Uses symmetric key cryptography (shared secret key)
4
Kerberos
Figure 3-12 on page 211
KDC – Key Distribution Center
– Holds all users’ and services’ secret keys
AS – Authentication Service
– On KDC
– Send your username and password
– TGT – Ticket Granting Ticket encrypted with secret key
5
Kerberos
To access the print server, send the TGT to the TGS – Ticket Granting Service
TGS sends a ticket with two copies of the session key (one encrypted with the user’s secret key and one with the print server’s secret key)
User extracts the session key and sends the ticket to the print server
User can send the document.
6
Kerberos
None of the principals trust each other
User enters username and password only once – SSO
KDC is a single point of failure
Secret keys are temporarily stored on the user’s workstation – possible attack
OS needs to prevent password guessing by tracking login attempts
7
SESAME
Extends Kerberos by using asymmetric (public key) technology to sign the PAC (Privileged Attribute Certificate) using the PAS private key
– PAC contains the user’s identity and access time period
8
Security Domain
Domain is a set of resources available to a subject
Figure 3-14 on page 216
Security domain – a domain working under one security policy and managed by one group
Separated by logical boundaries such as firewalls with ACLs
9
Security Domains
Figure 3-14 on page 216
Hierarchical
Isolated by using subnets
Figure 3-15: a subject accesses different domains depending on trust level
10
Directory Services
Network directory service
– Identifies all resources (printer, file domain controllers) using hierarchical naming to identify each resource’s logical and physical location, using the X.500 standard
– Requests use LDAP (Lightweight Directory Access Protocol)
– Enforces security policy
11
Thin Clients
Diskless computers
Computers cannot do anything on their own, which enforces a strict security policy
No USB or CD-ROM for theft of information
12
SSO Page 219
13
Access Control Models
Discretionary
Mandatory
Role Based
Built into the kernel of the OS
14
Discretionary Access Control
Owner of the resource determines who can access the resource
Most commonly uses ACLs (Access Control Lists)
Windows, UNIX, Mac
Flexible, less administration
15
Discretionary Access Control
Malware can install itself under the security context of the user
Constant battle between functionality and security
Nondiscretionary access
– Classroom computers
– Cannot install software
16
Mandatory Access Control
Users do not have discretion in determining who can access objects
Cannot install software
– Malware cannot be installed
Used by the military to maintain top secret information
17
Mandatory Access Control
User is given a security clearance (confidential, secret, top secret)
Data is given a security label (confidential, secret, top secret)
SELinux
A lot of administrative overhead, expensive, and not user-friendly
18
Sensitivity Labels = Security Labels
Classification – Confidential, Secret, Top Secret
Category – UN, Information warfare, Treasury
19
Role-Based Access Control
Job role within an organization
Centrally administered
Best if high employee turnover
Organizations are moving toward RBAC
20
Core RBAC
When a user logs in, roles and groups are assigned
Can be configured for time of day and location
21
Hierarchical RBAC
Models organizational structure
The higher you are in the chain of command, the more access you will most likely have
22
Separation of Duties
Static Separation of Duty Relationship through RBAC
– Deter fraud
– Cashier and Accounts receivable
Dynamic Separation of Duties through RBAC
– Deter fraud by constraining the combination of privileges
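An added example, not from the slides, of how an RBAC engine can enforce the two separation-of-duty forms: static SoD rejects a conflicting role assignment outright, while dynamic SoD allows both assignments but rejects activating both roles in one session. The `RBAC` class, its method names and the `payment_initiator`/`payment_approver` roles are assumptions made for illustration; only cashier and accounts receivable come from the slide.

```python
class SoDViolation(Exception): pass  # a separation-of-duty rule would break

class RBAC:  # hypothetical minimal engine, for illustration only
    def __init__(self, ssd=(), dsd=()):
        # Each constraint is a set of mutually exclusive role names.
        self.ssd = [frozenset(c) for c in ssd]  # enforced at assignment time
        self.dsd = [frozenset(c) for c in dsd]  # enforced at activation time
        self.assigned = {}   # user -> roles the user may ever hold
        self.sessions = {}   # session id -> (user, roles active right now)

    @staticmethod
    def _check(constraints, roles, kind):
        for c in constraints:
            clash = c & roles
            if len(clash) > 1:
                raise SoDViolation(f"{kind} SoD: {sorted(clash)} conflict")

    def assign(self, user, role):
        """Static SoD: one user can never hold both conflicting roles."""
        current = self.assigned.setdefault(user, set())
        self._check(self.ssd, current | {role}, "static")
        current.add(role)

    def open_session(self, sid, user):
        self.sessions[sid] = (user, set())

    def activate(self, sid, role):
        """Dynamic SoD: both roles may be assigned, never active together."""
        user, active = self.sessions[sid]
        if role not in self.assigned.get(user, set()):
            raise PermissionError(f"{role} is not assigned to {user}")
        self._check(self.dsd, active | {role}, "dynamic")
        active.add(role)

    def deactivate(self, sid, role):
        self.sessions[sid][1].discard(role)

def attempt(action, *args):  # run one RBAC call, report ok or the denial
    try:
        action(*args)
        return "ok"
    except (SoDViolation, PermissionError) as exc:
        return f"denied: {exc}"

if __name__ == "__main__":  # constructed policy and user
    rbac = RBAC(ssd=[{"cashier", "accounts_receivable"}],
                dsd=[{"payment_initiator", "payment_approver"}])
    print(attempt(rbac.assign, "alice", "cashier"))
    print(attempt(rbac.assign, "alice", "accounts_receivable"))
```

Under the dynamic constraint a user holding both payment roles must deactivate one before activating the other, so a single session can never both initiate and approve.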
23
Access Control Models Page 227