CSS 211 - Introduction to Network Security

Lesson 5 - Access Control, Authentication

Objectives:

This lesson covers chapters 7 and 8 in the text. It discusses allowing devices and users to access networks. Objectives important to this lesson:

  1. Access control, access control models
  2. Logical access control methods
  3. Physical access control
  4. Authentication
  5. Credentials
  6. Authentication models
  7. Authentication servers
  8. Protocols
  9. VPN

Concepts:

Chapter 7 begins with a horror story, as usual, making the point that if thieves are not kept from resources, they will help themselves. Surprised? I didn't think so.

Page 227 continues with one of the author's metaphors that seems to fall apart. A babysitter is instructed to allow a package service to pick up a package from the home where she is watching a child. She follows four steps to accomplish this, and the author seems not to notice that she gets one of them wrong. Read the story, then come back here.

Did you see which step she got wrong?

  1. Identification - The babysitter asks the driver who he is (FedEx, UPS, and so on) and he tells her. On a network this is presenting a user ID: a claim of identity, not yet proof of it.
  2. Authentication - The babysitter reads the driver's badge and decides it is real. Really? No one can drive a painted delivery van and carry a fake badge? This is the step she got wrong. On a network it would be like accepting any user ID and any password that met our complexity requirements without checking them against what the system has stored for that user.
  3. Authorization - The babysitter tells the driver he can access the porch, where the package is waiting.
  4. Access - The babysitter opens the door to the porch.
  5. Exploit - The axe murderer, who killed the real FedEx driver down the street, enters the house and...

In our example from the book there is no part five. It is not a monster movie or a thriller. The point is that it could have been. Could the babysitter have called FedEx to check on the identity of the supposed driver? Yes, and in most circumstances she would have been thought paranoid. If you are not protecting important assets, you are not expected to take precautions. When you are protecting a network, you must take precautions. (And if you are protecting a child in a monster movie, grab a baseball bat and tell the killer to come back next week.)

The book points out that there is a distinction between authorization and access. Authorization is permission, and access is means. Other than that, page 228 brings up more vocabulary words without elaborating on any but the last three:

  • owner - A person responsible for the integrity and security of an asset.
  • custodian - A person who maintains the security of a system, perhaps by adding and removing access by user accounts. (This concept is also called administrator.)
  • end user - One who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but cannot change access rights to the asset. This concept is also called a "subject" in this chapter.
  • Subjects (users or processes acting for users) perform operations on objects (assets).

The text turns specifically to the topic of access control. In a previous chapter, this phrase meant making sure devices were "clean" before they were allowed to connect to the network. This chapter uses the more familiar meaning, allowing, restricting, and denying access to resources. Page 229 introduces four access control methods. You should know something about each of them for the exam objectives:

  • Mandatory Access Control (MAC) - the most restrictive model; the owner defines a security policy, the custodian implements it, and end users cannot change it, even for objects they created
  • Role Based Access Control (RBAC) - access is granted to roles (groups) defined on the system, and end users are assigned to the roles they need for their jobs; the text uses Windows Server 2008 as an example of a system that can use this model
  • Rule Based Access Control (RBAC) - may be the most complex model; rules evaluated at access time (time of day, location, and the like) can change which role a user is in, and so the level of access the user has
  • Discretionary Access Control (DAC) - the least restrictive model; subjects (end users) can own objects and have total control over them (like a SharePoint site); end users must set and maintain security for their own assets, which most people do badly, and processes run by an end user inherit that user's permissions, so anything malicious the user runs gets them too; see the discussion on page 231 of the way Vista tempers this with User Account Control (UAC)

The book points out that two of the acronyms above are the same. This is dumb, and it may explain why most Internet resources seem to present only three of the four methods. Note the other names given for rule based access control: rule-based role-based access control, and automated provisioning. Remember to breathe in, then out.

The text continues with a set of best practices that might be used along with the models above:

  • separation of duties - don't give any one person the ability to defraud the system; checks and balances of power are better
  • job rotation - move people out of sensitive positions on a regular basis; this could backfire by making you unsure who was responsible for a breach
  • least privilege - give only the access needed for a job, adding and removing as the job assignments change
  • implicit deny - if a permission is not explicitly granted, it should be assumed to be denied; this is not as strong as explicitly denying a permission

Logical Access Control

This set of methods is more related to software than hardware.

Access Control Lists

You can think of an ACL (Access Control List) as a property of an object that lists what users have what permissions regarding that object. The example on page 234 shows a UNIX file that has various read, write, and execute permissions set for various entities on the system. The example on page 235 shows a text file in a Windows environment. Three entities have been given explicit permissions to the file. Selecting each entity in turn would display the assigned permissions on the Security tab of the object's properties. Setting permissions in an access control list allows granular control, but it is labor intensive for administrators.
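The two pictures the text points to follow different rules, and the difference is worth seeing in code. Below is an added example (my code, not the textbook's; the subjects, entries and mode strings are constructed) that evaluates a Windows-style ACL, where an explicit deny entry overrides any allow and anything never granted is implicitly denied, next to a POSIX mode string, where only the first matching class (owner, then group, then other) is consulted and rights do not accumulate.

```python
"""Two ACL evaluators, added for illustration; subjects and entries are constructed.
1. ACL.check: Windows-style DACL rules. Any matching deny entry wins; otherwise every
   requested right must be granted by some matching allow entry; anything not
   mentioned is implicitly denied.
2. unix_check: POSIX mode bits. Only ONE class is consulted, the first of
   owner / group / other that matches the subject, so rights are not accumulated."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    name: str
    groups: frozenset = frozenset()

    def principals(self):
        # every subject also matches the built-in "everyone" principal
        return {self.name, "everyone", *self.groups}


@dataclass(frozen=True)
class ACE:
    principal: str      # user or group name
    kind: str           # "allow" or "deny"
    rights: frozenset   # subset of {"read", "write", "execute"}


@dataclass
class ACL:
    entries: list = field(default_factory=list)

    def check(self, subject, requested):
        """Return (granted, reason) for the requested set of rights."""
        requested = frozenset(requested)
        matching = [e for e in self.entries if e.principal in subject.principals()]
        # Rule 1: an explicit deny on any requested right beats every allow.
        for e in matching:
            hit = e.rights & requested
            if e.kind == "deny" and hit:
                return False, f"explicit deny for {e.principal}: {sorted(hit)}"
        # Rule 2: allows accumulate across user and group entries.
        allowed = frozenset().union(*(e.rights for e in matching if e.kind == "allow"))
        # Rule 3: whatever no entry grants is implicitly denied.
        missing = requested - allowed
        if missing:
            return False, f"implicit deny, nothing grants {sorted(missing)}"
        return True, "allowed"


def unix_check(mode, owner, group, subject, right):
    """Evaluate an 'ls -l' mode string such as '-rw-r-----' for one right.
    POSIX picks the owner triple if the subject owns the file, else the group
    triple if the subject is in the file's group, else the 'other' triple, and
    looks no further, so the owner of a '----rwx---' file cannot read it even
    though the group can."""
    if len(mode) != 10:
        raise ValueError("expected a 10-character mode string, e.g. -rw-r--r--")
    bits = mode[1:]
    column = {"read": 0, "write": 1, "execute": 2}[right]
    if subject.name == owner:
        triple = bits[0:3]
    elif group in subject.groups:
        triple = bits[3:6]
    else:
        triple = bits[6:9]
    return triple[column] != "-"


# Constructed sample data: a report file with user and group entries.
REPORT_ACL = ACL([
    ACE("staff", "allow", frozenset({"read"})),
    ACE("alice", "allow", frozenset({"write"})),
    ACE("contractors", "deny", frozenset({"write"})),
])
```

Try `REPORT_ACL.check(Subject("dave", frozenset({"staff", "contractors"})), {"write"})`: the staff entry grants nothing for write, and the contractors deny settles it before any allow is counted. That ordering is exactly what makes the deny entry on the Windows Security tab so effective, and so easy to lock yourself out with.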

Group Policies

Group Policies are a feature of Windows Active Directory, the database system used to manage users and assets in a Windows based network. As the text explains, Group Policies can affect users when they log in, and devices when they boot up. Systems check for updates at intervals controlled by network administrators. A Group Policy can have an effect on multiple domains.

The text describes Local Group Policies as having fewer options, having smaller scope, and being associated with older systems that are not using Active Directory.

Account Restrictions

Page 237 shows an example of time restrictions applied to a user. In this case the example is of Parental Controls, but user accounts can be restricted the same way in an enterprise environment by user account or by Group Policy.

Account Expiration

The text describes an orphan account, an account that belonged to someone who left the organization, as being a waste of resources and a security vulnerability. It proposes that this vulnerability can be reduced by using preset expiration dates for user accounts, or setting an account to expire once the associated password has been expired for a specific number of days.

Passwords

The text discusses some myths about passwords. Its main point is that passwords should be longer, should be memorable to the user, and should be changed frequently. (Take the last one with a grain of salt: NIST SP 800-63B now advises against forcing periodic changes and says to change a password when there is reason to think it has been compromised.) The text describes some password attack methods:

  • brute force attack - trying all possible password combinations; online, this is confounded by a system that locks out an account after a set number of login failures, but lockout does nothing against an attacker who has a copy of the hashes and guesses offline
  • stealing the hash file - user passwords are stored on a system in hashed form (hashed, not encrypted: a hash is one-way, so there is nothing to decrypt); an attacker who steals the hash file can guess candidate passwords at leisure, hash each one, and look for a match
  • dictionary attack - trying each word in a file, possibly an actual dictionary; variations usually include common substitutions of numbers or symbols for letters
  • rainbow tables - precomputed tables mapping hash values back to passwords, built once to speed up the cracking of every hash seen afterward; they only work when the hash has no salt, which is the next topic

Microsoft's newer hash, the NTLM hash, eliminates some of the shortcomings of the LM hash. The problem, discussed on page 241, is that older versions of Windows still store the LM hash alongside the NTLM hash by default, so the weak hash is there to be stolen unless the password is longer than 14 characters (no LM hash can be stored for those) or the policy that stops LM hash storage has been turned on.

The text mentions the use of salt (random bits mixed into the hash input) and that LM and NTLM hashes do not include it. Without salt, two users with the same password have identical hashes, and one precomputed table cracks every account in the file.
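To make the preceding paragraphs concrete, here is an added example (my code, not the text's; the word list, passwords and salt handling are constructed). It builds a precomputed hash-to-password table from a small word list, which is the simplest form of what a rainbow table provides, shows it cracking an unsalted SHA-256 hash instantly, then shows the same table failing against a salted PBKDF2 hash. The last function shows the LM preprocessing that makes that hash weak: uppercase, pad to 14 bytes, split into two 7-byte halves that are attacked independently (the DES step is omitted so the block stays within the standard library).

```python
"""Added example: precomputed tables versus salted, slow hashes, plus the
LM hash preprocessing that makes LM easy to crack. All data constructed."""
import hashlib
import hmac
import os

WORDLIST = ["password", "letmein", "Summer2014", "qwerty", "dragon"]  # constructed
ITERATIONS = 100_000  # PBKDF2 work factor; raise it on real systems


def unsalted_hash(password):
    """What the text's 'hash file' holds when no salt is used: identical
    passwords give identical hashes, so one table serves every victim."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words=WORDLIST):
    """Precompute hash -> password once. A rainbow table stores chains instead
    of every pair to save space, but it answers the same question."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored_hash, table):
    """Dictionary lookup; no hashing happens at crack time."""
    return table.get(stored_hash)


def salted_hash(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt. Stored as salt$hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(stored, table):
    """The precomputed table never matches: the hash now depends on a salt the
    attacker did not know when the table was built, so each stolen entry must
    be attacked from scratch at full PBKDF2 cost per guess."""
    return table.get(stored.split("$")[1])


def lm_preprocess(password):
    """LM hash input handling: case folded to upper, truncated or null padded to
    14 bytes, split into two 7-byte halves. Each half is then used as a DES key
    to encrypt a fixed string (DES step omitted here). Because the halves are
    independent, a 14-character LM password costs at most 2 * 69**7 guesses
    (7 upper-case-folded printable characters, twice) instead of 95**14, and a
    password of 7 characters or fewer has a second half of all nulls, which
    produces a well-known constant."""
    padded = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]
```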

The author moves on to discuss passwords themselves again, advocating a strong password policy: mixture of character types, no actual words, longer when possible, and so on. He adds the idea of using characters that are not on the keyboard but are available in Windows by holding down an Alt key and entering a four-digit code on the numeric keypad. The main problems with this idea are that the method is not available on all systems, and the codes are not memorable unless you use them frequently.

Domain Password Policy

Most users who log in to a Windows domain use passwords that must meet the restrictions set in the Domain Password Policy. Page 243 lists six attributes that can be set for domain passwords. The maximum settings given were true at the time the text was printed.

  • Enforce password history - sets the number of passwords that a user must set and use before a specific previous password can be used again; 10 seems to be a common setting, but the book recommends 24
  • Maximum password age - the age at which a password must be changed; note that Active Directory notifies users (daily) when their passwords are within 14 days of expiration, and users are given no grace logins once the password actually expires
  • Minimum password age - the age at which a password may voluntarily be changed; this is set to keep users from changing passwords too rapidly (for instance, trying to cycle through a list to get back to a favorite)
  • Minimum password length - self explanatory
  • Complexity requirements - when enabled, requires that the password include three out of four kinds of characters: upper case, lower case, numerals, symbols
  • Store passwords with reversible encryption - not recommended, this setting is for legacy applications that require access to the user's password
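The six settings above are easy to misapply, so here is an added example (my code, not the book's; the policy numbers, account and passwords are constructed) that enforces them on a password change: minimum and maximum age, length, the three-of-four complexity rule, and a history of previous password hashes. It also adds the one check Microsoft's complexity setting performs that the summary above leaves out: the password may not contain the account name or any piece of the display name longer than two characters.

```python
"""Added example: enforcing a domain-style password policy on a change request.
Policy values, the account and the passwords are constructed."""
import hashlib
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class DomainPasswordPolicy:
    history_length: int = 24      # previous passwords remembered
    max_age_days: int = 90        # must change after this
    min_age_days: int = 1         # may not change again before this
    min_length: int = 12
    complexity: bool = True
    reversible_encryption: bool = False  # leave off; it stores a recoverable password


@dataclass
class UserAccount:
    name: str
    display_name: str = ""
    last_changed: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    history: list = field(default_factory=list)   # hashes of past passwords, newest last


def _hash(password):
    # Illustration only: a real directory stores a salted, slow hash.
    return hashlib.sha256(password.encode()).hexdigest()


def meets_complexity(password, account_name, display_name=""):
    """Three of four character classes, and no account-name fragments."""
    classes = [r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]"]
    if sum(1 for c in classes if re.search(c, password)) < 3:
        return False
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        return False
    for part in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(part) > 2 and part.lower() in lowered:
            return False
    return True


def password_expired(policy, account, now):
    return now - account.last_changed > timedelta(days=policy.max_age_days)


def days_until_expiry(policy, account, now):
    """Negative when already expired; AD starts warning users at 14 days."""
    deadline = account.last_changed + timedelta(days=policy.max_age_days)
    return (deadline - now).days


def try_change_password(policy, account, new_password, now, forced=False):
    """Apply the policy; on success record the hash and update the change time.
    `forced` models an administrator reset, which skips the minimum age."""
    if not forced and now - account.last_changed < timedelta(days=policy.min_age_days):
        return False, "minimum password age not reached"
    if len(new_password) < policy.min_length:
        return False, f"shorter than {policy.min_length} characters"
    if policy.complexity and not meets_complexity(new_password, account.name, account.display_name):
        return False, "fails complexity requirements"
    digest = _hash(new_password)
    if digest in account.history[-policy.history_length:]:
        return False, f"reuses one of the last {policy.history_length} passwords"
    account.history.append(digest)
    account.last_changed = now
    return True, "changed"


def demo():
    """Walk one constructed account through the policy; returns the decisions in order."""
    now = datetime(2015, 3, 1, tzinfo=timezone.utc)
    policy = DomainPasswordPolicy()
    acct = UserAccount("jsmith", "John Smith",
                       last_changed=now - timedelta(days=10),
                       history=[_hash("OldPass#2014!")])
    results = [
        try_change_password(policy, acct, "Short1!", now),
        try_change_password(policy, acct, "alllowercase1234", now),
        try_change_password(policy, acct, "JohnSmith#2015!!", now),
        try_change_password(policy, acct, "OldPass#2014!", now),
        try_change_password(policy, acct, "Winter-Fjord-2015!", now),
        try_change_password(policy, acct, "Spring-Fjord-2015!", now + timedelta(hours=2)),
        try_change_password(policy, acct, "Spring-Fjord-2015!", now + timedelta(hours=2), forced=True),
    ]
    results.append(password_expired(policy, acct, now + timedelta(days=30)))
    results.append(password_expired(policy, acct, now + timedelta(days=91)))
    results.append(days_until_expiry(policy, acct, now + timedelta(days=80)))
    return results
```

Note the order of checks in `try_change_password`: minimum age is tested first, because it is the one rule that exists to stop a user from burning through the history list in a single sitting to get a favourite password back.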

Physical Access Control (or, Lock the Door!)

The text discusses some aspects of physical security:

  • dead bolt locks are better than preset locks (key-in-knob locks)
  • cipher locks (illustrated on page 247) typically require a user to enter a code on a series of buttons; an advantage is that this kind of lock can be reprogrammed instead of rekeyed, and can be controlled remotely; as at an ATM, users must shield their code from onlookers
  • physical tokens - typically implemented as an ID badge that can be swiped through a reader, passed near a sensor, or carried close enough to an RFID reader
  • man trap - essentially an air lock in which you contain people before deciding to let them in, throw them out, or call the police; needs to be coupled with another system or security personnel, or there is no point
  • video surveillance - self explanatory, usually implemented as closed circuit TV; this system can fail when unmonitored, badly lit, or badly focused
  • physical access log - either a log file created when access is granted by other means, or a paper document maintained by users or security staff

Chapter 8 begins with what is really two definitions. Authentication was defined in the last chapter as the second phase of access control: the phase in which the requester's credentials are checked and confirmed.

The second meaning offered here for authentication is more of a second context. A new slant on security is presented on page 267, telling us that authentication is one of three key elements to security:

  • authentication - confirmation of identity
  • authorization - granting permissions that are linked to the user's account
  • accounting - tracking what the user does

As he has done before, the author expands a bullet into three more. Three reasons to gather accounting information are listed:

  • find evidence of problems, including attacks
  • billing - As Mr. Heinlein observed, when the question begins with "why do they" or "why don't they", the answer usually involves money
  • planning - if you don't measure what the system is used for, you can't make sensible plans for growth and change

The author uses a story problem to illustrate a simple principle. Most authentication is based on one or more of three factors: something you have (like a key or an ID card), something you know (like a PIN or a password), or something you are (like a fingerprint). When a person logs in from a standard workstation in a normal environment, one factor, like a password, may be secure enough. For a situation that is more exposed, like logging in from a remote location through a public data network, two factors may be required, such as a user name and password pair along with a one-time password from a security device (which may require a PIN as well).

One-Time Passwords

This category includes the passwords that a vendor sends you in an email when you need access to your account to set a new password. Those are time-limited rather than time-synchronized: they expire after a stated time limit or one use, whichever comes first. The time-synchronized kind, described next, is different: the token and the server each compute the same code from a shared secret and the current time, so nothing has to be sent to the user at all.

The example in the text describes a token that generates a new numeric password at a set rate, like once a minute. Each password is good only once, and must match the value the authentication server computes from the same secret and the same clock. An example of such a device is the RSA SecurID. It works on two factors, requiring you to know a PIN for their system and to have the current OTP from the device you have been issued.

Some devices support the use of challenges. A challenge would be a code that the login interface would give to you. You would input the challenge into an interface on the token, which would generate a response that would be used as the password.
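The token exchange described above maps directly onto the HOTP and TOTP algorithms of RFC 4226 and RFC 6238, which most software tokens use (SecurID uses its own algorithm; the idea is the same). Below is an added example, my code rather than RSA's or the book's, with a constructed seed, PIN and timestamps: the token side computes a 30-second code from the shared secret and the clock, the server side checks PIN plus code (two factors), tolerates one step of clock drift, and refuses to accept a code twice. The same server also issues single-use challenges and checks the token's HMAC response, as in the challenge mode the text mentions; that response construction is my assumption, not a standard.

```python
"""Added example: time-synchronized OTP (RFC 6238 TOTP over RFC 4226 HOTP),
two-factor verification with replay rejection, and challenge-response.
Secret, PIN and timestamps are constructed."""
import hashlib
import hmac
import secrets
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: the counter is the number of whole time steps since the epoch.
    Token and server each compute this from their own clock, which is why the
    text calls it time-synchronized."""
    return hotp(secret, int(at_time // step), digits)


def challenge_response(secret, challenge):
    """Token side of challenge mode: the user keys in the server's challenge and
    reads back an 8-character HMAC-derived response (construction assumed)."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class OTPServer:
    """Server side. Knows the token seed and the user's PIN; a valid login is
    PIN + current code. Tracks the last counter accepted so a captured code
    cannot be replayed, even inside the drift window."""

    def __init__(self, secret, pin, step=30, window=1):
        self.secret, self.pin, self.step, self.window = secret, pin, step, window
        self.last_counter = -1
        self.open_challenges = set()

    def verify(self, passcode, at_time):
        pin, code = passcode[:len(self.pin)], passcode[len(self.pin):]
        if not hmac.compare_digest(pin, self.pin):
            return False                     # first factor failed
        now = int(at_time // self.step)
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue                     # already used, or older: replay
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False

    def issue_challenge(self):
        challenge = secrets.token_hex(4)     # 8 hex digits shown to the user
        self.open_challenges.add(challenge)
        return challenge

    def verify_response(self, challenge, response):
        """Each challenge is single-use, so a sniffed response is worthless."""
        if challenge not in self.open_challenges:
            return False
        self.open_challenges.discard(challenge)
        return hmac.compare_digest(challenge_response(self.secret, challenge), response)
```

The `hotp` and `totp` functions reproduce the published RFC test vectors (seed `12345678901234567890`: counter 0 gives 755224, time 59 gives 94287082 with 8 digits), so you can check your own implementation against them. The replay rule is the part people forget: within a 30-second step the "same" code is valid for many seconds, and without `last_counter` an attacker who shoulder-surfs the code can log in right behind the user.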

Standard Biometrics

Biometric devices measure something about a living being, such as a fingerprint, face shape, hand print, iris pattern, or retina pattern. The text discusses two kinds of fingerprint scanners. Static fingerprint scanners read a print from a finger that is placed on the scanner. This technology has known spoofs, such as molded gelatin ("gummy") fingers. Dynamic fingerprint scanners require a finger to be swiped across a reader that uses electrical resistance to build the image of the fingerprint.

Behavioral Biometrics

Measuring how a person performs a task is the concept behind behavioral biometrics. Several possibilities are listed, each with their own faults and virtues:

  • keystroke dynamics - how the user types on a keyboard
  • voice recognition - how the user says particular phrases
  • computer footprinting - a pattern of use including time of day, location, and the computer being used to access a system

Cognitive Biometrics

This method asks the user for particular facts about specific life events. This seems to be a faulty idea. If I were to respond to a series of questions about a wedding, wouldn't most other people who had attended the same event share the same knowledge about it? As an indicator of the possible failure rate for this type of metric, I note that a search on the Internet for the company mentioned as an example in the text came up empty.

Authentication Models

Multifactor

As noted above, it is much more secure to rely on two or three factors for identification rather than one.

Single Sign-on

The ability to access multiple resources with one login is desirable to many users. Within a given company, logging in to one interface and then being authorized to access multiple resources is an example of single sign-on. Presently, when you log in to the Baker Solar system you use the same ID and password that you use to log in to the Baker email system. This is not an example of single sign-on because you are still required to log in to each service separately.

Accessing the resources of multiple companies with a single log in is an example of federated identity management (FIM). The text offers some examples of this kind of service:

The drawback to this concept seems to be that not every service is accepted by every vendor, so you still have to manage multiple IDs and recall how to sign in with each one.

Authentication Servers

The text discusses four kinds of authentication servers, which may perform authentication only, or may perform authorization and accounting functions as well.

RADIUS

Remote Authentication Dial-In User Service has some specific and non-intuitive terminology:

  • supplicant - a wireless device requesting to join a WLAN, or a dial up device requesting to join a LAN
  • authenticator - the access point (or switch) the supplicant talks to; it blocks the supplicant's traffic until the server says yes, but it does not make the decision itself
  • RADIUS client - the same access point in its other role, forwarding the supplicant's credentials to a RADIUS server
  • RADIUS server - performs authentication, authorization, and accounting functions, and is meant to support a large number of connections

Kerberos

The text says that Kerberos is an authentication system. It is also proper to call it a protocol. It is noteworthy because it can be used on Windows, Linux, and Mac OS X networks. As the text explains, a network user requests access to services, Kerberos issues an identifying ticket, and the ticket is examined by the entity that grants access to the service. A little more detail helps: the user first obtains a ticket-granting ticket from the Kerberos authentication server, exchanges it for a service ticket encrypted under the service's own key, and hands that to the service, which checks it with that key and never has to contact Kerberos itself. The user's password never crosses the network. This is a standard part of logging in to an Active Directory network.
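To show what "Kerberos issues an identifying ticket" actually involves, here is an added example of the three exchanges (authentication server, ticket-granting server, and the service itself), written by me rather than taken from the book or from MIT Kerberos. Names, passwords and keys are constructed, and ticket sealing uses an encrypt-then-MAC construction built from HMAC-SHA256 so it runs on the standard library; real Kerberos uses AES-based encryption types. The properties it demonstrates are the real ones: the password never travels, a wrong password simply fails to open the AS reply, the service validates the ticket with its own key without contacting the KDC, and a replayed authenticator, an expired ticket, or a ticket for a different service is refused.

```python
"""Added example: simplified Kerberos (AS -> TGT, TGS -> service ticket, service
check). Keys and principals constructed; seal/unseal is an HMAC-based
encrypt-then-MAC stand-in for Kerberos' AES enctypes."""
import hashlib
import hmac
import json
import os

LIFETIME, SKEW = 8 * 3600, 300   # ticket lifetime and allowed clock skew, seconds


def _subkeys(key):
    return (hmac.new(key, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))


def _stream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, obj):
    """Encrypt-then-MAC: keystream XOR JSON plaintext, then an HMAC tag."""
    enc_key, mac_key = _subkeys(key)
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(enc_key, nonce, len(pt))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    """Tag is checked first: a wrong key (wrong password, wrong service) fails here."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(enc_key, nonce, len(ct)))))


def user_key(name, password):
    """Long-term key derived from the password; KDC and client both compute it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"EXAMPLE.REALM" + name.encode(), 10_000)


class KDC:
    """Authentication Server and Ticket Granting Server in one process."""
    def __init__(self):
        self.keys = {"krbtgt": os.urandom(32)}

    def add_user(self, name, password):
        self.keys[name] = user_key(name, password)

    def add_service(self, name):
        self.keys[name] = os.urandom(32)
        return self.keys[name]          # handed to the service out of band

    def as_exchange(self, user, now):
        """AS-REQ/AS-REP: no proof yet; only the right password opens the reply."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "key": session, "exp": now + LIFETIME})
        return seal(self.keys[user], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex, authenticator, service, now):
        """TGS-REQ/TGS-REP: the TGT proves the earlier login, the authenticator proves freshness."""
        tgt = unseal(self.keys["krbtgt"], bytes.fromhex(tgt_hex))
        auth = unseal(bytes.fromhex(tgt["key"]), authenticator)
        if now > tgt["exp"] or auth["user"] != tgt["user"] or abs(now - auth["ts"]) > SKEW:
            raise ValueError("TGT expired or authenticator rejected")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": tgt["user"], "key": svc_session, "exp": now + LIFETIME})
        return seal(bytes.fromhex(tgt["key"]), {"key": svc_session, "ticket": ticket.hex()})


class Client:
    def __init__(self, name, password):
        self.name, self.key = name, user_key(name, password)

    def login(self, kdc, now):
        reply = unseal(self.key, kdc.as_exchange(self.name, now))   # ValueError if wrong password
        self.tgt, self.tgt_key = reply["tgt"], bytes.fromhex(reply["key"])

    def get_service_ticket(self, kdc, service, now):
        authenticator = seal(self.tgt_key, {"user": self.name, "ts": now})
        reply = unseal(self.tgt_key, kdc.tgs_exchange(self.tgt, authenticator, service, now))
        return reply["ticket"], bytes.fromhex(reply["key"])

    def authenticator(self, session_key, now):
        return seal(session_key, {"user": self.name, "ts": now})


class Service:
    """Holds only its own long-term key; never talks to the KDC during access."""
    def __init__(self, key):
        self.key, self.seen = key, set()

    def accept(self, ticket_hex, authenticator, now):
        """Return the authenticated user name, or None."""
        try:
            ticket = unseal(self.key, bytes.fromhex(ticket_hex))
            auth = unseal(bytes.fromhex(ticket["key"]), authenticator)
        except ValueError:
            return None
        stamp = (auth["user"], auth["ts"])
        if (now > ticket["exp"] or auth["user"] != ticket["user"]
                or abs(now - auth["ts"]) > SKEW or stamp in self.seen):
            return None
        self.seen.add(stamp)
        return ticket["user"]
```

The `seen` set in `Service` is the replay cache; the `SKEW` check is why Kerberos environments insist on synchronized clocks, and why a machine whose clock drifts more than five minutes suddenly cannot log in to the domain.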

Terminal Access Controller Access-Control System Plus (TACACS+)

TACACS+ must have been created by someone with a love for redundancy. It performs authentication, authorization, and accounting functions, and is meant to support a large number of connections. Two practical differences from RADIUS: TACACS+ runs over TCP and encrypts the whole packet body, where RADIUS runs over UDP and obscures only the password attribute; and TACACS+ separates the three functions, so it can, for instance, authorize each command a network administrator types on a router.

Lightweight Directory Access Protocol (LDAP)

The text waits until this discussion to mention that Directory Service is a database service on a network. (It is one of the classic services of a network.) LDAP is a protocol that is used to access such databases. The text contrasts it to DAP (its big brother):

  • LDAP runs in a TCP/IP environment, DAP requires special software
  • LDAP will run on a PC, DAP typically will not
  • Both are used to access information from X.500 compliant databases
  • LDAP is lighter, simpler, easier to use

Extensible Authentication Protocols

The chapter lists three legacy protocols that are no longer used, two protocols that are not recommended, then finally two protocols that are recommended:

Not used much any more

  • Password Authentication Protocol (PAP)
  • Challenge Handshake Authentication Protocol (CHAP)
  • Microsoft Challenge Handshake Authentication Protocol (MS-CHAP)

Not recommended

  • Extensible Authentication Protocol - MD5 (EAP-MD5)
  • Lightweight EAP (LEAP)

Recommended

  • EAP with Transport Layer Security (EAP-TLS) - both sides present certificates, so every client needs one of its own
  • EAP with Tunneled TLS (EAP-TTLS) - only the server presents a certificate; the client authenticates inside the tunnel with a simpler method, which is why this one is easier to roll out
    A packet that is tunneled is one that has been wrapped in another kind of packet to make it more acceptable to the network it must pass through. Here the wrapper is a TLS session, so the inner credentials are encrypted; the client must check the server's certificate before sending them, or a rogue access point can collect them.

Remote Authentication and Security

This is the last major topic of the chapter. It concerns connections from staff who work remotely.

Remote Access Services

The book gives a vague definition of this service, as any combination of hardware and software that enables a remote user to access network resources. This could include dedicated data lines, modems, public networks, and the equipment that must be set up to accept connection from these sources.

Virtual Private Networks (VPNs)

A VPN is one type of remote access. An RSA SecurID device is often used to authenticate the user at the start of a VPN session, but the secure data channel across the public network (the Internet) is created by the VPN protocol itself, IPsec or SSL/TLS, not by the token. This is the first type of VPN described in the text, a remote access VPN that connects a user to a LAN through a VPN server. The connection can be made over the Internet to the server's IP address or by dial up; dial up connections are typically used when there is no Internet access.

The second type of VPN described in the text is a connection between sites, called a site-to-site VPN.

Remote Access Policies

The text briefly discusses the need for consistent policies and consistent application of them to minimize risks that VPN connections can create.