Chapter 11 begins with a cautionary tale about a city official who stole a great deal of money from the city over several years. The theft could have been noticed years earlier if the city had used appropriate controls on its money. This chapter is about such controls, applied to network resources.
Access control is defined on page 443 as "granting or denying approval to use specific resources". This can be a physical use, like entering a building, or a logical use, like using a printer or a database.
On page 444, the author continues a metaphor meant to illustrate the steps a secure system would use to make sure someone is allowed to access resources. A babysitter is instructed to allow a package service to pick up a package from the home where the sitter is watching a child. He follows four steps to accomplish this safely, and the author is oblivious that he messes up one of them. Read the story, then come back here.
Did you see which step he got wrong?
In our example from the book there is no part five. It is not a monster movie or a thriller. My point is that it could have been. Could the babysitter have called FedEx to check on the identity of the supposed driver? Yes, and in most circumstances he would have been thought paranoid. If you are not protecting important assets, you are not expected to take precautions. When you are protecting a network, you must take precautions. (And if you are protecting a child in a monster movie, grab a baseball bat, tell the killer to come back next week, and be ready for trouble.)
The author points out that many people confuse authorization and access. Authorization means having been granted permission to do something. Access means being given a method to do it. Authorization is the permission, and access is the means.
Page 445 brings up more vocabulary words without elaborating on many of them:
The text turns specifically to the topic of access control. In a previous chapter, this phrase meant making sure devices were "clean" before they were allowed to connect to the network. This chapter uses the more familiar meaning, allowing, restricting, and denying access to resources. Page 446 introduces four access control methods. You should know something about each of them. I think this order makes more sense:
Two of the models above, Role Based Access Control and Rule Based Access Control, share the same acronym (RBAC). This is dumb, and it may explain why most Internet resources seem to present only three of the four methods. Note the other names given for rule based access control: rule-based role-based access control, and automated provisioning. Remember to breathe in, then out.
The text continues with a set of best practices that might be used along with the models above:
Logical Access Control
This set of methods is more related to software than hardware.
Access Control Lists
You can think of an ACL (Access Control List) as a property of an object that lists which users have which permissions regarding that object. The example on page 454 shows a UNIX file that has various read, write, and execute permissions set for various entities on the system. Three entities (the file's owner, the file's group, and everyone else) have been given explicit permissions to the file. Setting permissions in an access control list allows granular control, but it is labor intensive for administrators.
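As an added example (not from the textbook or this course page), here is a small Python model of the two checks just described: classic UNIX owner/group/other mode bits, with an explicit per-user ACL entry layered over them the way extended ACLs do. The file, users, groups, and mode are constructed for illustration.

```python
"""Added example (not from the textbook): evaluating classic UNIX mode bits
and a simple per-object access control list.

Assumptions: the File record, user/group names and permissions are
constructed here; the mode check follows the POSIX order (owner, then
group, then other), where the first matching class decides.
"""
from dataclasses import dataclass, field

READ, WRITE, EXEC = 4, 2, 1


@dataclass
class File:
    owner: str
    group: str
    mode: int                                   # e.g. 0o640
    acl: dict = field(default_factory=dict)     # explicit per-user entries, e.g. {"carol": READ}


def unix_allows(f: File, user: str, groups: set, want: int) -> bool:
    """Classic mode-bit check: the first matching class (owner, group, other) decides."""
    if user == f.owner:
        bits = (f.mode >> 6) & 7
    elif f.group in groups:
        bits = (f.mode >> 3) & 7
    else:
        bits = f.mode & 7
    return bits & want == want


def acl_allows(f: File, user: str, groups: set, want: int) -> bool:
    """ACL-style check: an explicit user entry overrides the mode bits; otherwise fall back."""
    if user in f.acl:
        return f.acl[user] & want == want
    return unix_allows(f, user, groups, want)


def mode_string(mode: int) -> str:
    """Render 0o640 as 'rw-r-----' the way ls -l does."""
    flags = "rwx"
    out = []
    for shift in (6, 3, 0):
        bits = (mode >> shift) & 7
        out.append("".join(flags[i] if bits & (4 >> i) else "-" for i in range(3)))
    return "".join(out)


# Constructed sample: a payroll file owned by alice, group finance, mode 640,
# plus one explicit ACL entry giving carol (who is not in finance) read access.
PAYROLL = File(owner="alice", group="finance", mode=0o640, acl={"carol": READ})

if __name__ == "__main__":
    print(mode_string(PAYROLL.mode))
    for user, groups in [("alice", {"staff"}), ("bob", {"finance"}),
                         ("carol", {"staff"}), ("dave", {"staff"})]:
        print(user,
              "read:", acl_allows(PAYROLL, user, groups, READ),
              "write:", acl_allows(PAYROLL, user, groups, WRITE))
```

The point to notice is the labor-intensity the text mentions: carol's access exists only because an administrator added an entry naming her, and dave is refused even though he is on the same system, because no class or entry grants him anything.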
Group Policies are a feature of Windows Active Directory, the database system used to manage users and assets in a Windows based network. As the text explains, Group Policies can affect users when they log in, and devices when they boot up. Systems check for updates at intervals controlled by network administrators. A Group Policy can have an effect on multiple domains.
The text describes Local Group Policies as having fewer options, having smaller scope, and being associated with older systems that are not using Active Directory.
Page 456 shows an example of time restrictions applied to a user. In this case, the example is of Parental Controls, but user accounts can be restricted the same way in an enterprise environment by user account or by Group Policy.
The text describes an orphan account, an account that belonged to someone who left the organization, as being a waste of resources and a security vulnerability. It proposes that this vulnerability can be reduced by using preset expiration dates for user accounts, or setting an account to expire once the associated password has been expired for a specific number of days.
The text discusses five kinds of authentication services, which may perform authentication only, or may perform authorization and accounting functions as well.
Remote Authentication Dial-In User Service (RADIUS) has some specific and non-intuitive terminology.
The text says that Kerberos is an authentication system. It is also proper to call it a protocol. It is noteworthy because it can be used on Windows, Linux, and Mac OS X networks. As the text explains, a network user requests access to services, Kerberos issues an identifying ticket, and the ticket is examined by the entity that grants access to the service. In slightly more detail: the user first obtains a ticket-granting ticket (TGT) from the Kerberos Key Distribution Center (KDC) by proving knowledge of a key derived from the password, presents that TGT back to the KDC to obtain a ticket for one specific service, and finally presents the service ticket to the service itself, which verifies it with its own key without contacting the KDC. This is a standard part of logging in to an Active Directory network, where each domain controller runs a KDC.
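To make the ticket flow concrete, here is an added example (my own code, not the textbook's and not a real Kerberos implementation) that runs the three exchanges in one process. It stands in Kerberos' AES ticket encryption with a toy encrypt-then-MAC construction built from HMAC-SHA256 so that it needs only the Python standard library; the realm, principal names, passwords, and ten-minute lifetimes are made up.

```python
"""Added example (not code from the textbook): a simplified Kerberos ticket flow.

Assumptions: the KDC, client and service live in one process; Kerberos' AES
ticket encryption is replaced by a toy HMAC-SHA256 keystream cipher with a MAC
(stdlib only); principal names, passwords and lifetimes are made up here.
"""
import hashlib, hmac, json, os, time


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON object under key (stand-in for Kerberos AES)."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the MAC first; a wrong key or a tampered ticket raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def derive_key(password: str, principal: str) -> bytes:
    """String-to-key: Kerberos salts the password with realm+principal; PBKDF2 here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 100_000)


class KDC:
    """Holds every principal's long-term key plus its own TGS key."""
    def __init__(self):
        self.keys, self.tgs_key = {}, os.urandom(32)

    def as_exchange(self, user: str):
        """AS-REQ/AS-REP: a TGT readable only by the TGS, plus the session key sealed under the user's key."""
        sk = os.urandom(32)
        tgt = seal(self.tgs_key, {"user": user, "sk": sk.hex(), "exp": time.time() + 600})
        return tgt, seal(self.keys[user], {"sk": sk.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: validate the TGT and authenticator, issue a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        if unseal(sk, authenticator)["user"] != t["user"]:      # proves possession of sk
            raise ValueError("authenticator does not match TGT")
        svc_sk = os.urandom(32)
        ticket = seal(self.keys[service],
                      {"user": t["user"], "sk": svc_sk.hex(), "exp": time.time() + 600})
        return ticket, seal(sk, {"sk": svc_sk.hex(), "service": service})


def client_login(kdc: KDC, user: str, password: str, service: str):
    """Client side: AS exchange, then TGS exchange, then build the AP-REQ for the service."""
    tgt, blob = kdc.as_exchange(user)
    sk = bytes.fromhex(unseal(derive_key(password, user), blob)["sk"])   # wrong password fails here
    ticket, blob2 = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service)
    svc_sk = bytes.fromhex(unseal(sk, blob2)["sk"])
    return ticket, seal(svc_sk, {"user": user, "ts": time.time()})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    """AP-REQ check by the service; it never talks to the KDC, the ticket is the proof."""
    t = unseal(service_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("service ticket expired")
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if abs(a["ts"] - time.time()) > 300 or a["user"] != t["user"]:
        raise ValueError("stale or mismatched authenticator")
    return t["user"]


def login_and_access(kdc, user, password, service, service_key):
    """Whole flow; returns the authenticated principal, or None if any step rejects."""
    try:
        ticket, auth = client_login(kdc, user, password, service)
        return service_accepts(service_key, ticket, auth)
    except (ValueError, KeyError):
        return None


def demo_realm():
    """Constructed realm: one user and one service, keys shared with the KDC."""
    kdc = KDC()
    kdc.keys["alice"] = derive_key("correct horse battery", "alice")
    kdc.keys["fileserver"] = os.urandom(32)
    return kdc, kdc.keys["fileserver"]


if __name__ == "__main__":
    kdc, svc_key = demo_realm()
    print(login_and_access(kdc, "alice", "correct horse battery", "fileserver", svc_key))
    print(login_and_access(kdc, "alice", "wrong password", "fileserver", svc_key))
```

Two things worth noticing: the password never leaves the client (a wrong password simply fails to unseal the AS reply), and the file server authenticates alice using nothing but its own key, which is why the ticket, not the KDC, is what it trusts.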
Terminal Access Controller Access-Control System Plus (TACACS+)
TACACS+ must have been created by someone with a love for redundancy. It performs authentication, authorization, and accounting functions, and is meant to support a large number of connections.
Lightweight Directory Access Protocol (LDAP)
The text waits until this discussion to mention that a Directory Service is a database service on a network. (It is one of the classic services of a network.) LDAP is a protocol that is used to query and update such databases. The text contrasts it to DAP (its big brother, the heavier X.500 Directory Access Protocol from which LDAP was derived):
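The security point a practitioner wants about LDAP access is that a query is a text string, so user-supplied values pasted into it can change the query's meaning. The following is an added example (my own code, not from the textbook) showing the escaping LDAP defines for filter values (RFC 4515) and for distinguished-name values (RFC 4514), beside the naive version that allows the injection. The filter shape and the sample inputs are made up.

```python
"""Added example (not from the textbook): building LDAP filters and DNs safely.

Assumptions: filter escaping follows RFC 4515 (the characters * ( ) \\ and NUL
become \\XX hex escapes); DN escaping follows RFC 4514; the query shapes and
sample inputs are constructed here.
"""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value inside a distinguished name."""
    out = "".join("\\" + ch if ch in '"+,;<>\\' else ("\\00" if ch == "\x00" else ch)
                  for ch in value)
    if out.endswith(" "):                   # trailing space must be escaped
        out = out[:-1] + "\\ "
    if out.startswith(" ") or out.startswith("#"):   # so must a leading space or '#'
        out = "\\" + out
    return out


def login_filter(uid: str) -> str:
    """Filter a web application might use to find the account for a login name."""
    return f"(&(objectClass=person)(uid={escape_filter_value(uid)}))"


def naive_login_filter(uid: str) -> str:
    """The same filter without escaping, kept only to show the injection."""
    return f"(&(objectClass=person)(uid={uid}))"


def user_dn(cn: str, base: str = "ou=people,dc=example,dc=com") -> str:
    """Build the DN used for a simple bind from a display name."""
    return f"cn={escape_dn_value(cn)},{base}"


if __name__ == "__main__":
    hostile = "*)(uid=*"
    print(naive_login_filter(hostile))   # the parenthesis closes early: matches every person
    print(login_filter(hostile))         # the same bytes, now just an odd literal uid
    print(user_dn("Smith, John"))
```

With the naive builder the input `*)(uid=*` turns a one-account lookup into a filter that matches every person object; with escaping, the same input is searched for literally (and matches nothing).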
Security Assertion Markup Language (SAML)
The text describes a SAML transaction in which a web service provider is required to check an external source (an identity provider) which stores the credentials of a user who wants to log in and use the web service. You should know that this process exists, what it is, and what it is called.
Chapter 12 continues the discussion with more details on authentication. Authentication was defined in the last chapter as the second phase of access control: the phase in which the requester's credentials are checked and confirmed. It is one of three key elements of security:
Security is based on one or more of three types of things:
The text adds two more elements to this list in the story on page 480:
The text continues with a discussion of the something you know concept.
The text discusses some myths about passwords. Its main point is that passwords should be longer, should be memorable to the user, and should be changed frequently. (One caveat: current NIST guidance in SP 800-63B no longer recommends forcing periodic changes; it recommends changing a password when there is reason to believe it has been compromised.)
A new section talks about attacks meant to discover passwords. There is a bit of overlap across them:
The text also describes some classic password attack methods:
The author moves on to discuss passwords themselves again, advocating a strong password policy: a mixture of character types, no actual words, longer when possible, and so on. He adds the idea of using characters that are not on the keyboard but are available in Windows by holding down an Alt key and entering a four-digit code on the numeric keypad. The main problem with this idea is that the method is not available on all systems, and the codes are not memorable unless you use them frequently.
Some of his advice is based on the behavior of known password attack programs. The best advice is to avoid using these variations in your passwords:
On page 490 the text discusses some aspects of password hashing used by Microsoft networks. Microsoft uses a newer hash algorithm, the NT hash (commonly called the NTLM hash), that eliminates some of the shortcomings of the older LM hash algorithm described on that page. The problem is that many versions of Windows stored the LM hash alongside the NT hash by default; the LM hash is absent only when the password is longer than 14 characters, because the LM algorithm cannot represent such a password at all.
The text mentions the use of salt in creating hashes: adding a random salt value to a password before it is hashed, and storing the salt beside the hash, eliminates the problem of two users who choose identical passwords having the same hash saved in the security file. That only works if each account gets its own random salt; a single salt shared by every account would still produce matching hashes for matching passwords.
On page 492, the text discusses commonly used solutions that address something you have.
On page 495, the text discusses commonly used solutions that address something you are.
Biometric devices measure something about a living being, such as a fingerprint, face shape, hand print, iris pattern, or retina pattern. The text discusses two kinds of fingerprint scanners. Static fingerprint scanners read a print from a finger that is placed on a scanner. This technology has some known spoofs, such as using gummy bears. Dynamic fingerprint scanners require a finger to be passed across a reader that uses electrical resistance to create the image of the fingerprint.
Measuring how a person performs a task is the concept behind behavioral biometrics. Several possibilities are listed, each with their own faults and virtues:
This method asks the user for particular facts about specific life events. This seems to be a faulty idea. If I were to respond to a series of questions about a wedding, wouldn't most other people who had attended the same event share the same knowledge about it?
The text expands its discussion of somewhere you are on page 499. This time it makes a better case for using this information in a negative way. If someone is attempting to log in to a system across the Internet, and we can tell they are in a location where the actual user is unlikely to be, the connection may be refused. This makes more sense than allowing the connection because the requester is somewhere we know the proper user has been.
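Here is an added example (my own code, not the textbook's) of the negative use of location just described, the check usually called impossible travel: a login is refused when the distance from the user's previous login, divided by the time elapsed, exceeds any plausible travel speed. The login events, coordinates, and the 900 km/h ceiling are constructed here; the distance is the great-circle distance from the haversine formula.

```python
"""Added example (not from the textbook): an impossible-travel check on login
events, refusing a login the real user could not plausibly have made.

Assumptions: the login records, coordinates and the 900 km/h speed ceiling
are constructed here; timestamps are ISO 8601 with an explicit offset.
"""
import math
from datetime import datetime

MAX_KMH = 900.0   # roughly airliner speed; anything faster is impossible travel


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two points given in degrees."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(prev: dict, curr: dict, max_kmh: float = MAX_KMH) -> tuple:
    """Compare two logins; returns (flagged, distance_km, hours_between)."""
    t1 = datetime.fromisoformat(prev["ts"])
    t2 = datetime.fromisoformat(curr["ts"])
    hours = (t2 - t1).total_seconds() / 3600
    km = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    if hours <= 0:                       # same instant (or clock skew) from two places
        return (km > 0, km, hours)
    return (km / hours > max_kmh, km, hours)


def evaluate_logins(events: list, max_kmh: float = MAX_KMH) -> list:
    """Walk one user's logins in time order and decide allow/deny for each."""
    decisions, last = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if last is None:
            decisions.append((ev["ts"], "allow"))
        else:
            flagged, km, hrs = impossible_travel(last, ev, max_kmh)
            decisions.append((ev["ts"], "deny" if flagged else "allow"))
            if flagged:
                continue                 # a refused login must not become the new baseline
        last = ev
    return decisions


# Constructed sample: London, Paris two hours later, Sydney one hour after that,
# then Paris again. Only the Sydney login is impossible.
SAMPLE_LOGINS = [
    {"ts": "2024-03-01T09:00:00+00:00", "lat": 51.5074, "lon": -0.1278},
    {"ts": "2024-03-01T11:00:00+00:00", "lat": 48.8566, "lon": 2.3522},
    {"ts": "2024-03-01T12:00:00+00:00", "lat": -33.8688, "lon": 151.2093},
    {"ts": "2024-03-01T13:00:00+00:00", "lat": 48.8566, "lon": 2.3522},
]

if __name__ == "__main__":
    for ts, decision in evaluate_logins(SAMPLE_LOGINS):
        print(ts, decision)
```

Note the baseline rule: the refused Sydney login is not used as the reference point for the next one, otherwise the legitimate return to Paris would itself look impossible and the attacker could lock the real user out.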
The last important point in the chapter begins on page 502. Account Management is about maintaining rules, policies, and standards that relate to accounts on a system.
Most users who log in to a Windows domain use passwords that must meet the restrictions set in the Domain Password Policy. Page 503 lists six attributes that can be set for domain passwords. The maximum settings given were true at the time the text was printed.
The book did not previously mention three other settings you may want to know about. This edition lists them on page 504: