Chapter 12 begins with a cautionary tale about a city official who stole a great deal of money from the city over several years. The problem could have been noticed years before it was if the city had used appropriate controls on its money. This chapter is about such controls, in regard to network resources.
Access control is defined on page 523 as "granting or denying approval to use specific resources". This can be a physical use, like entering a building, or a logical use, like using a printer or a database.
On page 524, the author continues with a metaphor meant to illustrate the steps a secure system would use to make sure someone is allowed to access resources. A babysitter is instructed to allow a package service to pick up a package from the home where the sitter is watching a child. He follows four steps to accomplish this safely, and the author ignores the fact that the sitter messes up one of them. Read the story, then come back here.
Did you see which step he got wrong?
In our example from the book there is no part five. It is not a monster movie or a thriller. My point is that it could have been. Could the babysitter have called FedEx to check on the identity of the supposed driver? Yes, and in most circumstances he would have been thought paranoid. If you are not protecting important assets, you are not expected to take precautions. When you are protecting a network, you must take precautions. (And if you are protecting a child in a monster movie, grab a baseball bat, tell the killer to come back next week, and be ready for trouble. I can testify that a baseball bat to a knee will end a threat very quickly.)
The author points out that many people confuse authorization and access. Authorization means having been granted permission to do something. Access means being given a method to do it. Authorization is permission, and access is means.
Pages 525 and 526 bring up more vocabulary words:
The text turns specifically to the topic of access control. In a previous chapter, this phrase meant making sure devices were "clean" before they were allowed to connect to the network. This chapter uses the more familiar meaning, allowing, restricting, and denying access to resources. Page 527 introduces four classic access control methods. You should know something about each of them. I think this order makes more sense:
A fifth method is discussed briefly. Attribute Based Access Control (ABAC) allows the system to check the attributes of a subject to determine if access should be allowed. It is very much like role-based control, but the data that grants access is stored in the user object instead of in a group object that the user is or is not a member of. This may be most practical in small organizations.
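To make the distinction concrete, here is the same access decision made both ways. This is an added example, not code from the textbook or from any product: with RBAC the permission data hangs off the role (group) object and the user is merely a member; with ABAC the deciding data (department, clearance, approval limit) is carried on the subject object and compared against attributes of the resource. All users, roles, rules and amounts are constructed for illustration.

```python
"""Added example: one access decision made two ways, role-based (RBAC) and
attribute-based (ABAC). All names, roles and rules are constructed."""
from dataclasses import dataclass

# ---- RBAC: the permission data lives in the role (group) object ----
ROLE_PERMISSIONS = {                       # constructed sample policy
    "payroll_clerk": {"payroll:read"},
    "payroll_manager": {"payroll:read", "payroll:approve"},
}

ROLE_MEMBERS = {                           # who is a member of which role
    "payroll_clerk": {"alice"},
    "payroll_manager": {"bob"},
}


def rbac_allows(user: str, permission: str) -> bool:
    """Allowed if any role the user belongs to carries the permission.
    A user in no role gets nothing (deny by default)."""
    return any(permission in ROLE_PERMISSIONS[role]
               for role, members in ROLE_MEMBERS.items()
               if user in members)


# ---- ABAC: the data that grants access lives in the user (subject) object ----
@dataclass
class Subject:
    name: str
    department: str
    clearance: int
    approval_limit: int = 0      # how large a payment this person may approve


@dataclass
class Resource:
    kind: str
    department: str
    sensitivity: int
    amount: int = 0


def abac_allows(subject: Subject, action: str, resource: Resource) -> bool:
    """Policy rules compare subject attributes with resource attributes.
    Constructed rules: reading needs the same department and enough
    clearance; approving additionally needs a sufficient approval limit."""
    same_dept = subject.department == resource.department
    cleared = subject.clearance >= resource.sensitivity
    if action == "read":
        return same_dept and cleared
    if action == "approve":
        return same_dept and cleared and subject.approval_limit >= resource.amount
    return False                 # unknown actions are denied


if __name__ == "__main__":
    run = Resource("payroll_run", "payroll", sensitivity=2, amount=5000)
    alice = Subject("alice", "payroll", clearance=2)
    bob = Subject("bob", "payroll", clearance=3, approval_limit=10000)
    print("RBAC alice approve:", rbac_allows("alice", "payroll:approve"))
    print("ABAC bob approve:", abac_allows(bob, "approve", run))
    print("ABAC alice approve:", abac_allows(alice, "approve", run))
```

Notice where a change has to be made to promote alice: under RBAC an administrator adds her to the `payroll_manager` group; under ABAC her own `approval_limit` attribute is raised. That is exactly the "stored in the user object instead of in a group object" difference the text describes.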
Two of the acronyms for the models above are the same. This is dumb, and it may explain why most Internet resources seem to present only three of the four methods. Note the other names given for rule based access control: rule-based role-based access control, and automated provisioning. Remember to breathe in, then out. When you are in a position of authority, encourage people to use words that make sense.
The text continues with a set of best practices that might be used along with the models above:
Logical Access Control
This set of methods is more related to software than hardware.
Access Control Lists
You can think of an ACL (Access Control List) as a property of an object that lists which users have which permissions regarding that object. The example on page 454 shows a UNIX file that has various read, write, and execute permissions set for various entities on the system. Three entities have been given explicit permissions to the file. Setting permissions in an access control list allows granular control, but it is labor intensive for administrators.
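The three entities in that UNIX example are the file's owner, its group, and everyone else. The following added example (mine, not the textbook's) parses an `ls -l` style mode string and answers "may this user do this action?" the way the classic UNIX check does. The file names, users and groups are constructed. The one thing worth learning from it is the edge case: the requester is placed in exactly one class, and the owner class wins even when the group bits would have been more generous.

```python
"""Added example: evaluate classic UNIX owner/group/other permissions from a
mode string such as '-rw-r-----'. Users, groups and files are constructed."""


def parse_mode(mode_string: str) -> dict:
    """Split the nine permission characters of an `ls -l` mode string into
    a dict of granted actions for 'owner', 'group' and 'other'."""
    if len(mode_string) != 10:
        raise ValueError("expected a 10-character mode string like '-rw-r-----'")
    perms = mode_string[1:]            # drop the file-type character
    classes = {}
    for who, chunk in zip(("owner", "group", "other"),
                          (perms[0:3], perms[3:6], perms[6:9])):
        granted = set()
        if chunk[0] == "r":
            granted.add("read")
        if chunk[1] == "w":
            granted.add("write")
        if chunk[2] in "xst":          # lowercase s/t mean setuid/setgid/sticky AND execute
            granted.add("execute")
        classes[who] = granted
    return classes


def unix_allows(mode_string: str, owner: str, group: str,
                user: str, user_groups: set, action: str) -> bool:
    """Pick exactly ONE class for the requester (owner beats group beats
    other) and test only that class's bits. No fall-through: an owner whose
    own bits are empty is refused even if the group bits would allow it."""
    classes = parse_mode(mode_string)
    if user == owner:
        cls = "owner"
    elif group in user_groups:
        cls = "group"
    else:
        cls = "other"
    return action in classes[cls]


if __name__ == "__main__":
    # Constructed file: owned by root, group wheel, mode -rw-r-----
    for who, groups in (("root", {"root"}), ("alice", {"wheel"}), ("bob", {"users"})):
        can_read = unix_allows("-rw-r-----", "root", "wheel", who, groups, "read")
        can_write = unix_allows("-rw-r-----", "root", "wheel", who, groups, "write")
        print(f"{who}: read={can_read} write={can_write}")
```

Run against the constructed file, root can read and write, alice (in wheel) can only read, and bob gets nothing. The last assertion in the test shows the owner-class precedence: a file with mode `----rwx---` is unreadable to its own owner even though the owner is also in the file's group.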
Group Policies are a feature of Windows Active Directory, the database system used to manage users and assets in a Windows-based network. As the text explains, Group Policies can affect users when they log in, and devices when they boot up. Systems check for updates at intervals controlled by network administrators. A Group Policy can have an effect on multiple domains.
The text describes Local Group Policies as having fewer options, having smaller scope, and being associated with older systems that are not using Active Directory.
Page 456 shows an example of time restrictions applied to a user. In this case, the example is of Parental Controls, but user accounts can be restricted the same way in an enterprise environment by user account or by Group Policy.
The text describes an orphan account, an account that belonged to someone who left the organization, as being a waste of resources and a security vulnerability. It proposes that this vulnerability can be reduced by using preset expiration dates for user accounts, or setting an account to expire once the associated password has been expired for a specific number of days.
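Both rules the text proposes are easy to automate into a periodic review. The added example below is mine, not the textbook's: it runs the two tests (a preset expiration date has passed, or the password has been expired for more than a grace period) over a constructed list of account records and reports which accounts should be disabled and why. The 30-day grace period and the 90-day maximum password age are assumed values.

```python
"""Added example: flag orphaned or expired accounts using the two rules from
the text. Account records, the 90-day password age and the 30-day grace
period are all constructed/assumed values."""
from datetime import date, timedelta

# Constructed sample account records (not from the book).
ACCOUNTS = [
    {"name": "alice", "expires": None,
     "password_changed": date(2024, 3, 1), "max_password_age": 90},
    {"name": "bob", "expires": date(2024, 1, 31),
     "password_changed": date(2023, 12, 1), "max_password_age": 90},
    {"name": "carol", "expires": None,
     "password_changed": date(2023, 9, 1), "max_password_age": 90},
]

GRACE_DAYS = 30   # assumed: disable once the password has been expired this long


def account_is_expired(acct: dict, today: date, grace_days: int = GRACE_DAYS):
    """Return a reason string if the account should be disabled, else None.
    Rule 1: a preset expiration date has passed.
    Rule 2: the password expired more than `grace_days` ago."""
    if acct["expires"] is not None and today > acct["expires"]:
        return "expiration date passed"
    password_expired_on = acct["password_changed"] + timedelta(days=acct["max_password_age"])
    if today > password_expired_on + timedelta(days=grace_days):
        return "password expired %d days ago" % (today - password_expired_on).days
    return None


def find_stale_accounts(accounts: list, today: date, grace_days: int = GRACE_DAYS) -> dict:
    """Map each account name that should be disabled to the reason."""
    return {a["name"]: reason for a in accounts
            if (reason := account_is_expired(a, today, grace_days))}


if __name__ == "__main__":
    for name, reason in find_stale_accounts(ACCOUNTS, date(2024, 4, 15)).items():
        print(f"disable {name}: {reason}")
```

Run on 15 April 2024, bob is caught by his expiration date and carol by the second rule (her password expired at the end of November 2023 and nobody has logged in to change it), while alice is untouched. The second rule is the one that finds orphan accounts nobody remembered to set an expiration date for.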
The text discusses five kinds of authentication services, which may perform authentication only, or may perform authorization and accounting functions as well.
Remote Authentication Dial-In User Service (RADIUS) has some specific and non-intuitive terminology.
The text says that Kerberos is an authentication system. It is also proper to call it a protocol. It is noteworthy because it can be used on Windows, Linux, and Mac OS X networks. As the text explains, a network user requests access to services, Kerberos issues an identifying ticket, and the ticket is examined by the entity that grants access to the service. This is a standard part of logging in to an Active Directory network.
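The three-step shape the text describes (request, ticket issued, ticket examined by the service) is worth seeing in code. What follows is an added toy model, not Kerberos itself and not code from the textbook: the key point it keeps is that the ticket is protected with the *service's* long-term key, so the service can verify it without talking to the authentication server again, and it rejects tickets that are altered, expired, or meant for a different service. Real Kerberos encrypts the ticket and adds session keys and authenticators; here an HMAC stands in for that protection. Service names, keys and times are constructed.

```python
"""Added example: a toy model of the ticket flow the text describes.
NOT the real Kerberos protocol. An HMAC under the service's key stands in
for the encryption real tickets use; names, keys and times are constructed."""
import hashlib
import hmac
import json
import secrets

# Constructed long-term keys shared between the KDC and each service.
SERVICE_KEYS = {
    "fileserver": secrets.token_bytes(32),
    "printer": secrets.token_bytes(32),
}


def kdc_issue_ticket(client: str, service: str, now: int, lifetime: int = 300) -> dict:
    """Step 2: the authentication service issues a ticket for one service.
    The tag is computed with that service's key, so only that service can
    verify it; the KDC itself is not consulted again."""
    body = {"client": client, "service": service,
            "issued": now, "expires": now + lifetime}
    raw = json.dumps(body, sort_keys=True).encode()
    tag = hmac.new(SERVICE_KEYS[service], raw, hashlib.sha256).hexdigest()
    return {"body": raw.decode(), "tag": tag}


def service_check_ticket(service: str, ticket: dict, now: int):
    """Step 3: the service examines the ticket. Returns the client name if
    the ticket is genuine, addressed to this service, and within its
    lifetime; returns None otherwise."""
    raw = ticket["body"].encode()
    expected = hmac.new(SERVICE_KEYS[service], raw, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return None                         # altered, or made for another service
    body = json.loads(raw)
    if body["service"] != service:
        return None
    if not (body["issued"] <= now < body["expires"]):
        return None                         # not yet valid or already expired
    return body["client"]


if __name__ == "__main__":
    # Step 1: alice asks for access to the file server.
    ticket = kdc_issue_ticket("alice", "fileserver", now=1000)
    print("fresh ticket   ->", service_check_ticket("fileserver", ticket, now=1100))
    print("expired ticket ->", service_check_ticket("fileserver", ticket, now=1400))
```

The rejection cases are the defender's checklist for any ticket or token scheme: integrity (the tag must verify), audience (the ticket names this service), and validity window (issued and expiry times). Dropping any one of the three lets a ticket be reused where it was never meant to be.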
Terminal Access Controller Access Control System Plus (TACACS+)
TACACS+ must have been created by someone with a love for redundancy. It performs authentication, authorization, and accounting functions, and is meant to support a large number of connections.
Lightweight Directory Access Protocol (LDAP)
The text waits until this discussion to mention that Directory Service is a database service on a network. (It is one of the classic services of a network.) LDAP is a protocol that is used to access such databases. The text contrasts it to DAP (its big brother):
Security Assertion Markup Language (SAML)
The text describes a SAML transaction in which a web service provider is required to check an external source (an identity provider) which stores the credentials of a user who wants to log in and use the web service. You should know that this process exists, what it is, and what it is called.