CSS 211 - Introduction to Network Security

Lesson 7 - Chapter 11, Access Control; Chapter 12, Authentication and Account Management

Objectives:

This lesson covers chapters 11 and 12 in the text. It discusses access and authentication in a network. Objectives important to this lesson:

  1. Access control models
  2. Implementing access control
  3. Authentication services
  4. Authentication credentials
  5. Securing accounts and passwords

Concepts:

Chapter 11 begins with a cautionary tale about a city official who stole a great deal of money from the city over several years. The problem could have been noticed years earlier if the city had used appropriate controls on its money. This chapter is about such controls, in regard to network resources.

Access control is defined on page 443 as "granting or denying approval to use specific resources". This can be a physical use, like entering a building, or a logical use, like using a printer or a database.

On page 444, the author continues a metaphor meant to illustrate the steps a secure system would use to make sure someone is allowed to access resources. A babysitter is instructed to allow a package service to pick up a package from the home where the sitter is watching a child. He follows four steps to accomplish this safely, and the author is oblivious that he messes up one of them. Read the story, then come back here.

Did you see which step he got wrong?

  1. Identification - The babysitter asks for identification from the driver (e.g. FedEx, UPS). This would be like asking for a user ID and a password. The driver provides it.
  2. Authentication - The baby sitter reads the driver's badge and decides it is real. Really? No one can drive a painted delivery van and make a fake ID? If this were a network, this would be like accepting any data as a user ID and any password that met our complexity requirements, without checking for a match on the system.
  3. Authorization - The babysitter tells the driver she can access the porch, where the package is waiting.
  4. Access - The babysitter opens the door to the porch.
  5. What really happened next: Exploit - The ax murderer, who killed the real FedEx driver down the street, enters the house and...

In our example from the book there is no part five. It is not a monster movie or a thriller. My point is that it could have been. Could the babysitter have called FedEx to check on the identity of the supposed driver? Yes, and in most circumstances he would have been thought paranoid. If you are not protecting important assets, you are not expected to take precautions. When you are protecting a network, you must take precautions. (And if you are protecting a child in a monster movie, grab a baseball bat, tell the killer to come back next week, and be ready for trouble.)

The author points out that many people confuse authorization and access. Authorization means having been granted permission to do something. Access means being given a method to do it. Authorization is permission, and access is means.

Page 445 brings up more vocabulary words without elaborating on many of them:

  • owner - A person responsible for the integrity and security of an asset.
  • custodian - A person who maintains the security of a system, perhaps by adding and removing access by user accounts. (This concept is also called administrator.)
  • end user - One who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but cannot change access rights to the asset. This concept is also called a "subject" in this chapter.
  • Subjects (users or processes acting for users) perform operations on objects (assets).

The text turns specifically to the topic of access control. In a previous chapter, this phrase meant making sure devices were "clean" before they were allowed to connect to the network. This chapter uses the more familiar meaning, allowing, restricting, and denying access to resources. Page 446 introduces four access control methods. You should know something about each of them. I think this order makes more sense:

  • Mandatory Access Control (MAC) - the most restrictive model; the owner defines a security policy, the custodian implements it, and the end users cannot change it
  • Role Based Access Control (RBAC) - access is granted to roles (groups) defined on the systems, end users are assigned to roles so they can access assets needed for their jobs
  • Rule Based Access Control (RBAC) - may be the most complex model; rules can change which role a user is assigned to, changing the level of access the user has
  • Discretionary Access Control (DAC) - least restrictive model; subjects (end users) can own objects, and have total control over them (like a Sharepoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels

Two of the acronyms for the models above are the same. This is dumb, and it may explain why most Internet resources seem to present only three of the four methods. Note the other names given for rule based access control: rule-based role-based access control, and automated provisioning. Remember to breathe in, then out.

The text continues with a set of best practices that might be used along with the models above:

  • separation of duties - don't give any one person the ability to defraud the system; checks and balances of power are better
  • job rotation - move people out of sensitive positions on a regular basis; this could backfire by making you unsure who was responsible for a breach
  • least privilege - give only the access needed for a job, adding and removing as the job assignments change
  • implicit deny - if a permission is not explicitly granted, it should be assumed to be denied; this is not as strong as explicitly denying a permission
  • mandatory vacations - if a person is running a scam, they will be reluctant to take time off and to give anyone else the authority to do their job
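
To make the models and practices above concrete, here is a small authorization engine I have added for this lesson (it is not code from the textbook). It implements role-based access control with a rule-based override, implicit deny, and a separation-of-duties check. The users, roles, objects and the business-hours rule are all constructed for the illustration.

```python
"""Toy authorization engine illustrating role-based access control (RBAC),
a rule-based override, implicit deny, and a separation-of-duties check.
Added example; the users, roles, objects and rules are constructed."""

# Role -> set of (object, operation) pairs that role may perform.
ROLE_PERMISSIONS = {
    "clerk":   {("ledger", "read")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
    "manager": {("ledger", "read"), ("ledger", "write")},
}

# User -> roles assigned by the custodian (constructed sample accounts).
USER_ROLES = {
    "alice": {"clerk"},
    "bob":   {"manager"},
    "carol": {"auditor"},
    "dave":  {"auditor", "manager"},   # deliberately holds a conflicting pair
}

def effective_roles(user, hour):
    """Rule-based element: a rule can change which role a user currently holds.
    Here 'manager' only applies during business hours (08:00-17:59); outside
    that window the account drops to 'clerk' rights."""
    roles = set(USER_ROLES.get(user, set()))
    if "manager" in roles and not 8 <= hour < 18:
        roles.discard("manager")
        roles.add("clerk")
    return roles

def is_authorized(user, obj, op, hour=12):
    """Implicit deny: the request succeeds only if some effective role grants
    exactly (obj, op). Unknown users, objects and operations all fall through
    to a denial because nothing ever granted them."""
    for role in effective_roles(user, hour):
        if (obj, op) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False

def separation_of_duties_violations(conflicting_pairs):
    """Report (user, role_a, role_b) for every user holding two roles that the
    owner's policy says must never be combined in one person."""
    violations = []
    for user, roles in USER_ROLES.items():
        for a, b in conflicting_pairs:
            if a in roles and b in roles:
                violations.append((user, a, b))
    return violations

if __name__ == "__main__":
    print(is_authorized("bob", "ledger", "write", hour=10))   # True
    print(is_authorized("bob", "ledger", "write", hour=22))   # False: the rule demoted him
    print(separation_of_duties_violations([("auditor", "manager")]))
```

Note that the engine never has a list of denied actions: a request that matches nothing is refused, which is exactly the implicit deny practice. An explicit deny list would be a stronger (and separate) control.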

Logical Access Control

This set of methods is more related to software than hardware.

Access Control Lists

You can think of an ACL (Access Control List) as a property of an object that lists what users have what permissions regarding that object. The example on page 454 shows a UNIX file that has various read, write, and execute permissions set for various entities on the system. Three entities have been given explicit permissions to the file. Setting permissions in an access control list allows granular control, but it is labor intensive for administrators.
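
The UNIX permission string the text shows on page 454 is a compact ACL: three entities (owner, group, everyone else), each with read, write and execute bits. The following evaluator is an added example of mine, not the textbook's code; the report file, its owner and group, and the users are constructed. It also shows a detail that trips people up: only one class applies to a given subject, and an owner who is also in the file's group is judged by the owner bits alone.

```python
"""Check whether a subject may perform an operation on a UNIX-style file,
given the owner/group/other permission string that `ls -l` prints. Added
example; the file metadata and users below are constructed."""

CLASSES = ("owner", "group", "other")

def parse_mode(mode):
    """'rwxr-x---' -> {'owner': {'r','w','x'}, 'group': {'r','x'}, 'other': set()}"""
    if len(mode) != 9:
        raise ValueError("mode string must be 9 characters, e.g. 'rwxr-x---'")
    result = {}
    for i, cls in enumerate(CLASSES):
        triple = mode[3 * i:3 * i + 3]
        perms = set()
        for ch, expected in zip(triple, "rwx"):
            if ch == expected:
                perms.add(ch)
            elif ch != "-":
                raise ValueError(f"unexpected character {ch!r} in mode {mode!r}")
        result[cls] = perms
    return result

def permission_class(file_owner, file_group, user, user_groups):
    """Only one class applies, chosen in order: owner, then group, then other.
    An owner who is also a group member is judged by the owner bits alone."""
    if user == file_owner:
        return "owner"
    if file_group in user_groups:
        return "group"
    return "other"

def can_access(mode, file_owner, file_group, user, user_groups, op):
    """op is 'r', 'w' or 'x'. Anything not explicitly granted is denied."""
    if op not in ("r", "w", "x"):
        raise ValueError("op must be 'r', 'w' or 'x'")
    cls = permission_class(file_owner, file_group, user, user_groups)
    return op in parse_mode(mode)[cls]

def access_matrix(mode, file_owner, file_group, subjects):
    """Summarise who can do what as {user: 'rw-'-style string}. `subjects`
    maps username -> set of groups. Useful when reviewing an ACL by hand."""
    matrix = {}
    for user, groups in subjects.items():
        matrix[user] = "".join(
            op if can_access(mode, file_owner, file_group, user, groups, op) else "-"
            for op in "rwx")
    return matrix

# Constructed: a payroll report owned by alice, group finance, mode rw-r-----
REPORT = dict(mode="rw-r-----", file_owner="alice", file_group="finance")
SUBJECTS = {"alice": {"staff"}, "bob": {"finance"}, "eve": {"staff"}}

if __name__ == "__main__":
    print(access_matrix(**REPORT, subjects=SUBJECTS))
```

The access_matrix output is the kind of table an administrator would want when auditing granular permissions, which is the labor-intensive part the text mentions.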

Group Policies

Group Policies are a feature of Windows Active Directory, the database system used to manage users and assets in a Windows based network. As the text explains, Group Policies can affect users when they log in, and devices when they boot up. Systems check for updates at intervals controlled by network administrators. A Group Policy can have an effect on multiple domains.

The text describes Local Group Policies as having fewer options, having smaller scope, and being associated with older systems that are not using Active Directory.

Account Restrictions

Page 456 shows an example of time restrictions applied to a user. In this case, the example is of Parental Controls, but user accounts can be restricted the same way in an enterprise environment by user account or by Group Policy.

Account Expiration

The text describes an orphan account, an account that belonged to someone who left the organization, as being a waste of resources and a security vulnerability. It proposes that this vulnerability can be reduced by using preset expiration dates for user accounts, or setting an account to expire once the associated password has been expired for a specific number of days.

Authentication Services

The text discusses five kinds of authentication services, which may perform authentication only, or may perform authorization and accounting functions as well.

RADIUS

Remote Authentication Dial-In User Service has some specific and non-intuitive terminology.

  • supplicant - a wireless device requesting to join a WLAN, or a dial up device requesting to join a LAN
  • authenticator - an access point that accepts or rejects supplicants
  • RADIUS client - an access point that is sending credentials to a RADIUS server
  • RADIUS server - performs authentication, authorization, and accounting functions, and is meant to support a large number of connections.

Kerberos

The text says that Kerberos is an authentication system. It is also proper to call it a protocol. It is noteworthy because it can be used on Windows, Linux, and Mac OS X networks. As the text explains, a network user requests access to services, Kerberos issues an identifying ticket, and the ticket is examined by the entity that grants access to the service. This is a standard part of logging in to an Active Directory network.

Terminal Access Controller Access Control System (TACACS+)

TACACS+ must have been created by someone with a love for redundancy. It performs authentication, authorization, and accounting functions, and is meant to support a large number of connections.

Lightweight Directory Access Protocol (LDAP)

The text waits until this discussion to mention that Directory Service is a database service on a network. (It is one of the classic services of a network.) LDAP is a protocol that is used to access such databases. The text contrasts it to DAP (its big brother):

  • LDAP runs in a TCP/IP environment, DAP requires special software
  • LDAP will run on a PC, DAP typically will not
  • Both are used to access information from X.500 compliant databases
  • LDAP is lighter, simpler, easier to use

Security Assertion Markup Language (SAML)

The text describes a SAML transaction in which a web service provider is required to check an external source (an identity provider) that stores the credentials of a user who wants to log in and use the web service. You should know that this process exists, what it is, and what it is called.

Chapter 12 continues the discussion with more details on authentication. Authentication was defined in the last chapter as the second phase of access control: when the requester's credentials are checked and confirmed. It is one of three key elements to security:

  • authentication - confirmation of identity
  • authorization - granting permissions that are linked to the user's account
  • accounting - tracking what the user does

Most security is based on one or more of three types of things:

  • something you have (like a key or an ID card)
  • something you know (like a PIN or a password)
  • something you are (like recognizing your fingerprint or your face)

The text adds two more elements to this list in the story on page 480:

  • something you do - The hero of the story is recognized for an ability he has. This is a little shaky, since he is not the only person in the world with a particular skill.
  • somewhere you are - Our hero is supposedly authenticated by being where a person with his identity is allowed to be. I do not buy this one at all. The logic would also say that if I hear someone walking down my front hallway at three in the morning, it must be someone who is supposed to be there because they are there. Are we supposed to believe that the only people on a military base are military people? This is not true.

The text continues with a discussion of the something you know concept.

Passwords

The text discusses some myths about passwords. Its main point is that passwords should be longer, should be memorable to the user, and should be changed frequently.

A new section talks about attacks meant to discover passwords. There is a bit of overlap across them:

  • social engineering - the text mentions shoulder surfing (watching someone enter the password), phishing (asking for the password in an email scam), and dumpster diving (looking through someone's trash); you would be surprised how many people will tell you their password if you just ask
  • capturing - using a key logger; staging a man in the middle attack
  • resetting - if a person can be lured away from their computer while it is unlocked, the attacker may be able to set the password to one they like; resetting it after booting from a disc or a USB drive can let the attacker run a reset program from that device

The text also describes some classic password attack methods:

  • brute force attack - trying all possible password combinations; this is confounded by a system that locks out an account once a set number of login failures have occurred
  • stealing the hash file - user passwords are stored on a system in a hashed (encrypted) format; an attacker may try to steal the hash file in order to break the code and determine passwords
  • dictionary attack - trying each word in a file, possibly an actual dictionary; variations usually include common substitutions of numbers or symbols for letters
  • rainbow tables - rainbow tables are precomputed tables of hash values and passwords, constructed to enhance the speed of cracking a hashed password

The author moves on to discuss passwords themselves again, advocating a strong password policy: mixture of character types, no actual words, longer when possible, and so on. He adds the idea of using characters that are not on the keyboard but are available in Windows through holding down an Alt key and entering a four character code on the numeric keypad. The main problem with this idea is that the method is not available on all systems, and the codes are not memorable unless you use them frequently.

Some of his advice is based on the behavior of known password attack programs. The best advice is to avoid passwords that these programs would find, since they typically:

  • try words from a dictionary
  • try common passwords: password, 123456, letmein
  • add common suffixes to the words you try
  • substitute common symbols for letters: @ for a, 3 for e, 1 for i, 0 for o, $ for s
  • try common sequences
  • try meaningful dates (meaningful to the password owner)

On page 490 the text discusses some aspects of password hashing used by Microsoft networks. Microsoft uses a newer version of the hash algorithm, NTLM hash, that eliminates some of the shortcomings of the LM hash algorithm that are described on that page. The problem with this is that the LM hash algorithm was used in many versions of Windows (along with NTLM hash) unless the password is longer than 14 characters.

The text mentions the use of salt in creating hashes, and that adding the random salt phrase to a password before it is hashed will eliminate the problem of two users who choose identical passwords having the same hash saved in the security file.
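
To see what the salt actually buys you, here is an added example (mine, not the textbook's) that stores three constructed accounts two ways: a plain unsalted hash, and a per-user random salt mixed in before hashing. PBKDF2-HMAC-SHA256 is my choice of a standard salted, slow construction; the text itself only names the salt idea. The audit helper groups accounts whose stored values collide, which is how a stolen unsalted hash file betrays users who chose the same password.

```python
import hashlib
import hmac
import os

def unsalted_hash(password):
    """What the text warns about: the same password always yields the same
    stored value, so two users with identical passwords are visibly linked."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_salted_record(password, iterations=100_000):
    """Per-user random salt mixed in before hashing. PBKDF2-HMAC-SHA256 is
    used here as a standard salted, slow construction; the textbook passage
    only names the salt idea, not a particular algorithm."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}

def verify(record, password):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])

def shared_password_groups(stored):
    """Audit helper: group usernames whose stored hash values collide.
    `stored` maps username -> stored hash (hex string or bytes)."""
    by_hash = {}
    for user, h in stored.items():
        by_hash.setdefault(h, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]

# Constructed sample accounts; alice and bob happen to choose the same password.
SAMPLE_PASSWORDS = {"alice": "Summer2024!", "bob": "Summer2024!", "carol": "xk9#Ql-tree"}

def compare_schemes(passwords=SAMPLE_PASSWORDS):
    """Return (groups under unsalted hashing, groups under salted hashing)."""
    unsalted = {u: unsalted_hash(p) for u, p in passwords.items()}
    salted = {u: make_salted_record(p)["hash"] for u, p in passwords.items()}
    return shared_password_groups(unsalted), shared_password_groups(salted)

if __name__ == "__main__":
    print(compare_schemes())   # ([['alice', 'bob']], [])
```

The salt is stored next to the hash in the clear; it is not a secret. Its job is to make every user's hash computation different, which also means a rainbow table built for the unsalted scheme is useless against the salted one.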

On page 492, the text discusses commonly used solutions that address something you have.

  • tokens - typically a device that fits in a pocket or on a key chain, featuring an LCD display that changes to a new password on a set schedule (often once a minute); must be synchronized with matching software on the authentication server you use to enter the system in question
  • cards - smart cards that include a computer circuit that typically communicates with a sensor by Near Field Communication to authenticate the holder of the card
  • cell phones - the user runs an app on the phone to request a pass code that is sent by a system that generates a new code with each request

On page 495, the text discusses commonly used solutions that address something you are.

Standard Biometrics

Biometric devices measure something about a living being, such as a fingerprint, face shape, hand print, iris pattern, or retina pattern. The text discusses two kinds of fingerprint scanners. Static fingerprint scanners read a print from a finger that is placed on a scanner. This technology has some known spoofs, such as using gummy bears. Dynamic fingerprint scanners require a finger to be passed across a reader that uses electrical resistance to create the image of the fingerprint.

Behavioral Biometrics

Measuring how a person performs a task is the concept behind behavioral biometrics. Several possibilities are listed, each with their own faults and virtues:

  • keystroke dynamics - how the user types on a keyboard
  • voice recognition - how the user says particular phrases
  • computer footprinting - a pattern of use including time of day, location, and the computer being used to access a system

Cognitive Biometrics

This method asks the user for particular facts about specific life events. This seems to be a faulty idea. If I were to respond to a series of questions about a wedding, wouldn't most other people who had attended the same event share the same knowledge about it?

The text expands its discussion of somewhere you are on page 499. This time it makes a better case for using this information in a negative way. If someone is attempting to log in to a system across the Internet, and we can tell they are in a location where the actual user is unlikely to be, the connection may be refused. This makes more sense than allowing the connection because the requester is somewhere we know the proper user has been.

The last important point in the chapter begins on page 502. Account Management is about maintaining rules, policies, and standards that relate to accounts on a system.

Most users who log in to a Windows domain use passwords that must meet the restrictions set in the Domain Password Policy. Page 503 lists six attributes that can be set for domain passwords. The maximum settings given were true at the time the text was printed.

  • Enforce password history - sets the number of passwords that a user must set and use before a specific previous password can be used again; 10 seems to be a common setting, but the book recommends 24
  • Maximum password age - the age at which a password must be changed; note that Active Directory notifies users (daily) when their passwords are within 14 days of expiration, and users are given no grace logins once the password actually expires
  • Minimum password age - the age at which a password may voluntarily be changed; this is set to keep users from changing passwords too rapidly (for instance, trying to cycle through a list to get back to a favorite)
  • Minimum password length - self explanatory
  • Complexity requirements - when enabled, requires that the password include three out of four kinds of characters: upper case, lower case, numerals, symbols
  • Store passwords with reversible encryption - not recommended, this setting is for legacy applications that require access to the user's password
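
Here is an added example of mine (not the textbook's, and not Active Directory's own code) that applies the first five settings above to a proposed password change and reports the age status of an existing password. The policy values are constructed; the 24-entry history follows the book's recommendation, and the 14-day warning window follows the note on maximum age. The history comparison uses a plain SHA-256 stand-in so the example stays short; a real system compares against its stored password hashes.

```python
import hashlib

# Constructed policy values; the text notes the book recommends a history of 24.
POLICY = {
    "min_length": 12,
    "history": 24,        # previous passwords remembered
    "min_age_days": 1,    # earliest voluntary change
    "max_age_days": 90,   # forced change
    "warn_days": 14,      # Active Directory warns within 14 days of expiry
}

def fingerprint(pw):
    """Stand-in for the stored hash used to compare against history.
    A plain SHA-256 keeps the example short; a real system compares against
    its salted, slow password hashes."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()

def meets_complexity(pw):
    """Three of four character classes: upper, lower, digit, symbol."""
    classes = (
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    )
    return sum(classes) >= 3

def validate_change(new_pw, history, days_since_last_change, policy=POLICY):
    """Return the list of policy violations for a proposed change; an empty
    list means the change is allowed. `history` holds fingerprints of the
    user's previous passwords, newest first."""
    problems = []
    if len(new_pw) < policy["min_length"]:
        problems.append("too short")
    if not meets_complexity(new_pw):
        problems.append("complexity")
    if fingerprint(new_pw) in history[:policy["history"]]:
        problems.append("reused")
    if days_since_last_change < policy["min_age_days"]:
        problems.append("minimum age")
    return problems

def password_status(age_days, policy=POLICY):
    """'ok', 'warn' (inside the daily-notification window) or 'expired'
    (the text notes there are no grace logins once a password expires)."""
    remaining = policy["max_age_days"] - age_days
    if remaining <= 0:
        return "expired"
    if remaining <= policy["warn_days"]:
        return "warn"
    return "ok"

if __name__ == "__main__":
    old = [fingerprint("CorrectHorse!9")]
    print(validate_change("CorrectHorse!9", old, 5))   # ['reused']
    print(password_status(80))                         # warn
```

Note that the minimum age check is what defeats the trick the text describes: a user who cycles through 24 throwaway passwords in one sitting to get back to a favourite is stopped at the first change.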

The book did not previously mention three other settings you may want to know about. This edition lists them on page 504:

  • account lockout threshold - the number of failed login attempts that must occur to automatically lock an account; it may be unlocked by an administrator, or by the duration period expiring; if this property is set to 0, the account will never lock (not recommended)
  • account lockout duration - the time that must expire for a locked account to unlock automatically; if this property is set to 0, the account will not unlock automatically, and must be unlocked by an administrator
  • reset account lockout after - this is the time that must expire after the last failed login attempt for the bad login counter to reset to 0; the system counts bad login attempts and this counter is the trigger to lock an account; the value of this property must be the same or less than the value of account lockout duration