Chapter 9, Physical Security and Access Control;
Chapter 10, Access Control in the Enterprise
This lesson discusses physical security issues and access controls
in enterprise environments. Objectives important to this lesson:
What is physical security
Designing a physical security plan
Physiological and biometric controls
Outsourcing physical security
Access Control Lists and Access Control Entries
Models for enterprises
Layer 2 and Layer 3 controls
Wireless access controls
This chapter starts with an observation that technical staff often overlook
physical security. Perhaps this is because they are too occupied managing
data to think about managing a physical location. The text does not define
physical security in the first section. It begins with a discussion of
various components that limit or prevent physical access.
Designing a Plan
Perimeter security is concerned
with placing a boundary around some
area, whether it is a room, a building, a complex, or a larger site. A basic
concern for any room is a door with
a lock, assuming that there are
walls that prevent access other
than by the door. For a larger area, we might start with a fence
and locked or guarded
text mentions landscaping, which many of us would ignore. It is better
not to ignore it. Lovely trees that someone decides to plant around our
fence may provide a route over
that fence. The text suggests that plants with strong thorns
would be a better deterrent.
I had the pleasure once of visiting a facility that took a different
approach. There was no sign outside
the building, no number on it,
and no indication that was a secure facility. The perimeter was fenced,
and gated, and the gate was operated
remotely by a guard. The fence was surrounded by tall slender yews,
which blocked the view of the perimeter from both sides. They were also
frail enough that no one could climb them. Yes, they made it difficult
for people inside to watch what was happening outside the building. However,
the intention was to block the view of the building from outsiders, and
to draw no attention. Huge trees with nasty thorns are unusual and they
might draw the attention of someone with an eye for what looks odd. Yews
are just nice landscaping. A good way to keep a secret is to never hint
that the secret even exists. That perimeter followed that logic.
Visibility is what you think about when you plan lighting
and surveillance cameras. Sometimes
you need more lights because something you can't remove casts a shadow.
Sometimes you need another camera, because you can't see through or around
that thing the way it is. Your surveillance system needs to cover what
your guards need to see even if they do walk around the interior or the
grounds. They cannot be everywhere at once, unless you have lots of guards.
The text mentions that tracking who enters and who leaves
a location are equally important. This is easier in a well run installation,
where you use the same protocols to enter and to leave. In most locations,
people are in more of a hurry to leave. The text suggests that keeping
video records of people entering and exiting can provide a post-event
record if you can live without a live stream of information. Sometimes,
the exit of a person is the more important event, such as
the provided example of a day care center, as well as in some hospitals
and most prisons. The text warns us that exit points must be watched
carefully in such cases. It should observe that we should watch known
exit points, and be watchful for exits that those seeking them may discover.
If you want to allow foot traffic, but restrict the approach of vehicles,
you should consider the text's recommendation to use bollards.
You may not know the word, but you have probably seen these posts in parking
lots or outside buildings. Follow this
link to a web page that defines them as being available in several
types: visual guides, physical barriers, flexible, and decorative. The
text is most concerned with the physical barrier type, which may simply
be a painted concrete and steel post, or it may have a decorative cover
to make it look less like a barrier. Some locations that require frequent
traffic with the need for restriction in emergencies may lead us to install
bollards that are retractable.
The text continues with a discussion of physical access controls inside
buildings. The text recommends that guards and cameras should
be made visible in general work areas, to act as deterrents to unwanted
behavior. Barriers between general work areas and sensitive areas
should be clearly defined. The text mentions banks as a commonly
available example of businesses with areas for the general public, and
areas that are for staff only. Banks often have high counters, gates,
security barriers, guards, and bullet resistant glass or plastic barriers
between staff and customers. Data centers do not generally provide service
to the public, but is not uncommon to have a data center share a building
with another service from your company that does invite customer traffic.
When this is the case, there must be controls to prevent access by people
who should not have access.
On page 182, you will see a list of five classifications for government
buildings, based on floor space, number of employees,
amount of contact with the public, and shared space with
other agencies. Note that the list is flawed. As we go from level
I to level V, every one of the parameters increases, which will not always
be accurate. We may need to increase one or two parameters, but not the
others, which causes the list to fail to apply to all situations. Let's
recognize this concept, but move on to the next one.
The text discusses data centers in a few paragraphs that give "dark"
data centers more words than they need. You will not work in a dark center,
because such locations are run remotely or by automated devices. You should
be more concerned with data centers that employ staff if you are planning
to work in one.
On page 183, the topic changes to authentication, specifically biometric
authentication. We are reminded that biometrics include something
you are and something you can do. The discussion starts with
physical characteristics. In a way, this method works like a password,
in that a user provides information for authentication, which is compared
to data previously saved on the system.
The text refers to the process of sampling and saving
the reference data as enrollment. A user must be enrolled in
the system before that user can be authenticated by it.
Once a user has been enrolled, that user can authenticate with biometric
data. The process of providing this data to a scanner to gain access
is called identification.
Physiological and Biometric Controls
The text discusses several physical characteristics that are used
for enrollment and identification. It reminds us that some of these characteristics
change a lot between childhood and adulthood.
Fingerprints are characteristics that do not change with age.
Two aspect of fingerprints are scanned for identification:
Ridges - the raised parts of a fingerprint that
form its pattern of lines, called loops, whorls, and arches
Valleys - the lower areas between the ridges
These characteristics may be compared to a reference photo
of your fingerprint, or they may be compared to a capacitance
pattern. Ridges contact a capacitance scanning device,
valleys do not, which makes it possible to scan the fingerprint
in this way on a sufficiently dense scanner. Capacitance scanning
on some smart phones is a possibility.
Matching with the reference data may be done on the pattern
of the fingerprint, or the pattern of the minutiae.
Minutiae are locations in a fingerprint where a ridge changes,
such as branching into two ridges, stopping at a dead end, or joining
Retina scans examine the inside, rear surface of your eye.
This is the surface that receives and interprets light. The idea is
to shine a light into your eye, and take a picture of the pattern of
blood vessels in that area which is believed to be a unique pattern
for each person. Eye surgery can affect this area, so it is not foolproof.
Iris scans examine the part of the eye that is usually blue,
brown, green, or other such colors. The pattern of the muscle in this
area can be scanned and matched. The text tells us this is less likely
to be affected by eye surgery, glasses, or contact lenses that a retinal
Hand geometry does what it sounds like: it measures the shape
of a person's hand, and may measure the ridges on that hand as well.
It occurs to me that changes in a hand are more likely with age, injury,
and arthritis than changes in fingerprints or eyes would be.
Facial recognition scans the
shape and location
of a person's facial features. The location of a feature is measured
in relation to other features, such as the distance of the eyes from
each other. As usual, these measurements are compared to saved reference
The text moves on to behavioral recognition, the other type of
biometric measurement. Several variations are discussed on pages 185 and
Typing is something people tend to do the same way each time,
given a similar console. Measurement is usually done on typing a known
phrase or typing your password. Your typing rhythm is different when
you are on a real keyboard from when you are trying to type on a smart
phone, but if measurements are taken on the same kind of equipment each
time, there can be a reliable consistency. Note that the text address
the length of time keys are depressed and the time between keystrokes.
This assumes a standard keyboard, either rigged for measurement or connected
to software that is taking measurements. The text warns us that this
measurement has a high rate of false negatives, deciding that the typist
is not really the user in question. As you might imagine, there are
many problems that could change the way a person types.
Signature analysis does not measure the shape of a signature.
It measures the speed and pressure a person uses to write each letter,
which means it must be done on a pad that can measure that, like most
art pads. Like the typing measurement, it relies on the user being able
to enter the data in the same way each time.
Voice recognition involves having the user speak a set phrase
into a microphone, and relies on the physical shape of the user's mouth
and larynx to produce sounds that have unique wave properties.
The text changes topics to discuss problems with all of these
techniques. One is lack of user acceptance, which may be from lack
of familiarity, or from fear of the technology being used, such as the
one that scans a retina. Others have to do with the techniques
False acceptance - This can also be called a false positive
or a Type II error. It means that the system accepts someone
as a known user who is not a known user. The text explains that
this can be caused by too little sensitivity in the scanner, which could
cause an iris scanner to see all users blue-eyed scans as belonging
to a known user with blue eyes.
False rejection - This can also be called a false negative
or a Type I error. It means that an enrolled user is not
recognized. The text offers an example of a fingerprint scanner
rejecting a user because there is something on the user's finger obscuring
it. This could happen on a capacitance scanner if something on the finger
changed its electrical properties, like a conductive fluid.
Crossover Error Rate (CER) - Now for the really good
news: all of these systems produce Type I and Type II
errors. We can reduce the rate of either type, but that
will increase the rate of the other type. The image on
page 187 shows both error rates plotted on a graph's vertical axis,
and the sensitivity of the system plotted on the graph's horizontal
axis. More sensitivity give us more type I errors. Less sensitivity
gives us more Type II errors. Users don't like Type I errors, and security
staff don't like Type II errors. The Crossover Error Rate is the point
on that graph where the rates of the two kinds of errors are equal.
Note that the graph in the text is pretty symmetrical. This is not always
the case: actual system performance may be skewed toward one side or
the other for the CER. In any case, the CER rate gives us a way to measure
a system on two scales at once.
Failure to enroll rate - This sounds like a fault of the user,
but it is not. The failure in this case is the failure
of the system to save a sample data
set for a user. The total number of such failuresdivided by the total number
of attempts to save enrollment
information is the Failure to Enroll Rate.
Failure to capture rate -
This refers to a failure of the system to create a useful data set for
a user, such as not being able to scan the user's face due to a lens
problem. The number of such failures
divided by the total number of attempts
to create enrollment information is the Failure to Capture Rate.
The text continues with some material that discusses what characteristics
make good choices for biometrics. As it has already discussed, the characteristic
being measured must be something that all users have, that is unique to
each user, that will not change over time, and that can be scanned quickly
enough to operate an automated entry system. The section is repetitive,
so we will move on.
On pages 192 and 193, the text changes topics to discuss technological
access control systems. It is a short list, so let's consider the items
on it. This
article on Wikipedia discusses some of the same physical
locks use wards which,
we are told, are permanent projections
inside a key operated lock that prevent a key from turning unless it
is cut so that it avoids the wards. This sort of lock is the simplest
one in the list and it can be picked easily, even with a thin key cut
to miss most wards.
Tumbler locks are more common,
and harder to pick because they require the key to push several pins,
that are attached to springs, up to different correct heights. When
the two-part pins are in the right position, each will allow the cylinder
of the lock to turn. The picture on the right shows this kind of lock.
Combination locks - The combination
locks most of us have used operate on a different system that makes
them much harder to pick. Wheels
inside the lock must align to
make it possible to open the lock. The text warns us that electronic
versions of these locks do not work the same way. They are really just
password systems that use a number as the password.
Cipher locks - You can run
search on this kind of lock to see that there are many styles. The
typically have several buttons that can stand for numbers or letters,
and they can be set to open to most any combination of key presses that
the user wants. The text explains that they can also work with swipe
cards and with biometric sensors.
more interesting concept is in the middle of page 183, about fobs
and tokens. Typically a fob may also be called a hard token, and
I showed you a photo of one back in the notes for the first chapter. The
text refers to the physical device
as the fob and to the number
it generates and displays as the token.
This is also correct. This system can also be implemented in software
on a computer, but the same concept is used: a one time only password
is generated for an account, usually once a minute, on a device the user
has and on a device on the periphery of a network that authenticates users.
Different users have different passwords, so having one person's fob will
not let you in as someone else.
The chapter ends its new material with some thoughts about outsourcing
physical security. Like other security issues, it may be best to outsource
when your company is not big enough or
experienced enough to do it right. It is also possible that the
text is correct when it says that a guard from an outside company may
have an easier time being strict
about rules than one who works directly for your company. This may not
be the case, but it is possible. The text offers a list of criteria
that should be part of your evaluation process for an external security
vendor on pages 194 and 195. You should review this list, and think about
what else belongs on it.
Access Control Lists and Access Control Entries
The chapter open with some definitions:
Access Control List (ACL)
- a list of entities and the
rights they have for a particular
object. Each object will have
its own ACL.
Access Control Entry (ACE)
- a record in an object's Access
Control List. Each ACE will include a security
identifier (SID) (e.g.
a user name) and the security authorizations
that SID has been granted to the object in question.
Models for Enterprises
We discussed this in week 6, so it should still be familiar to you. This
chapter takes a different slant on the subject, talking about four access
control models, each of which has a different approach to using ACLs.
Discretionary Access Control
(DAC) - Weeding through the text, it tells us that rights that are granted
to a subject under this system may be granted by that subject to other
subjects in the system. This means that the owner
of an object can assign rights to other subjects (users) without needing
the intervention of an administrator.
Mandatory Access Control (MAC)
- In this one, there is more restriction. The text explains that objects
are assigned to security classes,
and that subjects (users) are assigned security
clearance levels. The result is that a user who has a clearance
only for Confidential (and below) information cannot be assigned rights
to an object classified as Secret or Top Secret.
Role-based Access Control
(RBAC) - Roles are like groups. Users can be assigned to either and
rights can be inherited from the group or or role by the user. The text
that subjects must be assigned
that the role a subject
is assigned to must be allowed
(authorized) for the subject, which is not usually done with groups,
and that transactions must
be authorized for the role
a subject is in, else the subject cannot perform them.
Attribute-based Access Control
(ABAC) - In this system, rights are not authorized for subjects unless
a particular attribute of the subject matches a criterion set for the
right, such as having an address in the right city or zip code
The text returns to a discussion of authentication factors that are typically
used, offers some advice about them, and generally tells us nothing new
about such things.
On page 215, the text starts several pages about Kerberos,
a network protocol that is used in Microsoft networks for the encryption
of passwords before they are submitted to the system for authentication.
Microsoft classes usually describe how Kerberos is used for several purposes
associated with authentication.
Kerberos uses the concept of tickets.
A ticket is small amount of encrypted,
session specific data issued by
the domain controller. When a client needs to access a server on the network,
it first obtains a ticket from the domain controller for that server.
The ticket and other data supplied by the client vouches for the client's
identity and provides a way for the client to authenticate the server
as well, which means Kerberos provides mutual authentication of both client
and server. Using time stamps and other techniques, Kerberos protects
tickets from cracking or replay attacks by eavesdroppers on the network.
Some of the weaknesses of a Kerberos system are listed on page 219. Despite
this long list, this is still a system that Windows networks depend on.
Administrators should plan their networks carefully to provide coverage
in case of failures.
Layer 2 and Layer 3 controls
On page 220, the text turns to access controls that are implemented by
network devices. You should know that the ISO-OSI network model has seven
layers, and that Layer 2 is associated
with communication inside a network, while Layer
3 is associated with communication from one network to another
Layer 2 is the layer associated with MAC
(Media Access Control) addresses,
the addresses that are assigned to network interface cards. MAC addresses
may be written several ways, but a common notation is shown on page 221:
six pairs of hexadecimal digits, each pair separated from the others by
colons. A typical address might look like this:
In case you are not aware of it, the first
three pairs, reading from left to right, stand for the manufacturer
of the NIC. The last three pairs
are the serial number of the NIC.
Each MAC address is meant to be unique.
The text tells us that switches take note of two things when they receive
messages. The port on which the
message is received is stored in an address table, along with the MAC
address of the sending device. In this way, the switch learns which
port to associate with particular devices. The switch uses this table
as a reference when deciding what port to use for any message it needs
to forward. Managed switches can be programmed to allow access to certain
ports/paths through a network by filtering MAC addresses. The text warns
us that a hacker may spoof (impersonate) a MAC address on the approved
list in order to gain access to the protected network segment.
The text is not very specific about its recommendations for Layer 2,
but it is a bit better in the section about VLANs, Virtual LANs, that
are used to artificially separate devices into separate networks. Your
switches can be set to do this by MAC address, or by the port used by
the device. There is a better lesson on
this web site. It is only six short "pages", so look it
Layer 3 controls are discussed on page 223.
Note the method of configuring access control lists on routers to
allow or block traffic based on IP address or protocol being used.
Route maps are another method used on routers to send traffic to specific
addresses, usually gateways to internal networks or resources. Route
maps can also drop traffic that does not meet the criteria for being
The text moves on to wireless network material on page 224. It is a bit
light, and a bit silly. It spends several lines explaining Wired Equivalent
Privacy (WEP) before finally getting around to advising us
not to use it. It is no longer considered to be secure. This will happen
to all security protocols over time. Presently we are advised to use WPA
or WPA2 protocols to encrypt data on wireless LANs. These will
fall out of favor eventually and be replaced by other protocols.
Assignments for Chapters 9 and 10
Complete the Review Questions posted for these chapters in the
Review for Test 3, numbers 1 through 14.
Pick one of the case studies at the end of either chapter.
Briefly explain what you see as right and wrong about the situation
and the solution proposed by the authors. Is there another recommendation
you would make?