Download presentation
Presentation is loading. Please wait.
Published byGeorgina Rogers Modified over 8 years ago
2
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC
3
Security+ Chapter 1 – Controlling Access Brian E. Brzezicki
4
Access Control (100) In the first chapter we discussed some ways to authenticate users (subjects). Now that subjects have been authenticated we can now control access to resources (objects). This process is called Access Control. Access control is generally the idea of controlling access of subjects to objects. Look for this phrasing on the Security+ exam.
5
Access Control Models (100) 4 models for access control we will discuss in the following slides Mandatory Access Control (MAC) Discretionary Access Control (DAC) Role Based Access Control Rule Based Access Control
6
MAC (101)
7
Mandatory Access Control, means that the system is configured with a set of RULES for access and strictly enforce them. The Data Owner is not able to arbitrarily set permissions for users or groups. Military system use MAC system, usually in a “clearance level” model (more)
8
MAC and clearances (101) Clearance Levels – objects are classified into a level by the data owner and marked with an appropriate “label” Top Secret – exceptionally grave damage to national security Secret – serious damage to national security Confidential – damaging national security Unclassified – public (more)
9
MAC and clearances Now users are given a clearance level For example: Bob has secret clearance If bob want to access a document, the OS looks at the documents classification and Bobs clearance level Bob only will only be allowed to read the object if his clearance “dominates” the objects label. Bob CAN write up to objects with higher level “labels”, however he cannot read those objects.
10
Example question 1 Budget.txt classification: secret Bob Clearance: top secret Can bob read the file budget.txt?
11
Example question2 super-secret-file.txt – classification: Top Secret Bob Clearance: secret Can bob access the file “super-secret-file.txt?”
12
Discretionary Access Control (103) Concept that a resource owner is allowed authorize access to subjects. This is based on their discretion. Most commercial solutions implement Discretionary Access Control ACLs are a common implementation of access controls in Discretionary systems
13
Discretionary access control (103)
14
User Based User Based – a DAC method where every user is assigned a unique ID. Permissions are granted to each individual user. If a user has permissions to a resource.. They can access it. Advantages? Problems?
15
Group Based A DAC method where groups are created. Users are placed in Groups. Permissions are given to groups. If a user is in a group that has permission to a resource.. Then that user has permission to the resource Advantages? Problems?
16
Group Based Access Control
17
Role Based Access Control (104-105) Access to resources are given to job positions or roles. Users are assigned to roles, and then they have the access rights that the roles have. This is also called non-discretionary access control This is NOT the same as groups with DAC More scalable model than DAC Great for large companies Avoids Authorization Creep Great if there is a lot of turn over
18
Rule Based Access Control (104-105) The Decision to grant access to an item is based on a set of rules, (yes or no questions) Example: You may access a file IF You are in the management group The time is between 9AM-5PM Monday-Friday Advantages: Very flexible type of control Can be combined with other types of access controls Firewalls use rule based access control to analyze a packet and see if should be allowed based on the “firewall rules”
19
Physical Security Access Control
20
Security Zones (108) Fences, Walls, Bollards, etc along with access control mechanisms can be brought together to create “security” zones. Each zone has some different security level or work type. Example. – Lobby – low security, public access – Offices – medium security, restricted access – R&D – high security, extremely restricted access – (see next slide)
21
Security Zones (108) Each inner level becomes more restricted and more secure Stronger authentication, access control, and monitoring at the entry point to each zone
22
ID Badges (108) Used in most large organizations or organizations concerned with security. Can be combined with other authorization technologies. Why is it important that everyone display an ID badge?
23
Physical Access Lists and Logs (109) I’m on the VIP list… can I jump through the line? What the purpose Why bother logging?
24
Physical Tokens (110) Authentication device that enable access to a resources. User Activated – KeyFob (RSA SecureID) – Smart Card – Memory Card Proximity Devices – How do these work? – Advantages – Disadvtanges
25
Cipher Lock (110)
26
Cipher Locks What is a Cipher Lock? Advantages Disadvantages Two Types Fail Safe Fail Secure
27
Piggybacking (109) What is Piggybacking? Countermeasures?
28
Man Trap (111)
29
What other Advantages besides anti-piggybacking do man traps offer?
30
Bollards (n/b)
31
Bollards What is the purpose of a Bollard?
32
Walls (n/b) You know what they are Choose a wall with the strength to support the security application. This might also include fire rating! If using Strong walls… ensure that a “bad guy” cannot simply subvert the walls and go around them. – Raised floors – Plenum area
33
Fencing (n/b) Can deter and delay intruders, first line of defense Fences 3-4 feet high only deter casual trespassers Fences 6-7 feet high are considered too high to climb easily Fences 8 feet high should are considered serious. Use for Critical areas
34
Hardware Locks (112)
35
Lock Picking (n/b)
36
Surveillance (114) CCTVs and recording devices to record video of site. It deters criminal activity Can be used later as evidence or to determine what happened. Can be color or B&W Can be low-light Can be wired or wireless – What’s a concern of each? CCTVs should generally have PTZ capability, and auto-irises. Placement is very important especially if PTZ and zoon features do not exist.
37
Logical (Technical) Access Control Methods
38
Logical Access Control Logical (technical) access controls use technology based means of restricting access. This is different than physical access control that we just described. Some types of Logical Access Control systems that we will discuss in the next couple slides are Access Control Lists Group Policies Account Restrictions
39
ACLs (115) For each object, list all the subjects that have access to that object and the level of access they have. Access Control lists are used on files and printers… but ALSO with firewalls. Ex. permit tcp any any host www.me.com eq 80www.me.com
40
Bitmap Permissions (n/b) Unix uses a different type of logical access control called “unix permissions”. They consist of 3 “rights” that can be assigned to 3 different categories of subjects. rights = read write execute subjects = user_owner group_owner everyone_else Example: rwxr-xr-- brianb it_dept/home/brianb/myfile
41
Group Policies (116) In Windows “domain” (Active Directory) environments. A way to centrally control access and policies. Can be applied to users/groups or Can be applied to groups of computers
42
Group Polices (115-118) Common uses of group polices – Enforcing password policies – Enabling or disabling services – Forcing IE security and configuration settings – Disabling USB storage Why is this important? – Disabling Autorun Why is this important?
43
Account Restrictions (119) In Windows accounts can be Domain accounts (centralized) Local accounts (on each machine) What is the pros and cons of each? (Unix has similar functionality with NIS and LDAP)
44
Time of Day Restrictions (120) Windows also allows users login times to be strictly enforced. Unix systems can also enforce this type of restriction via PAM (Pluggable Authentication Modules)
45
Account Expirations (121) A good practice when creating accounts is to also provide an account expiration date, if it is known. This is very good for temporary/contract workers. Both Unix and Windows systems provide this functionality.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.