ITS 2110 - Introduction to Network Security

Lesson 12 - Chapter 12, Access Management

Objectives:

This lesson covers chapter 12 in the text. It discusses access rights in a network. Objectives important to this lesson:

  1. Access control models
  2. Best practices and implementing access control

Concepts:

Chapter 12 begins with a cautionary tale about a city official who stole a great deal of money from the city over several years. The problem could have been noticed years before it was if the city had used appropriate controls on its money. This chapter is about such controls, in regard to network resources.

Access control is defined on page 523 as "granting or denying approval to use specific resources".  This can be a physical use, like entering a building, or a logical use, like using a printer or a database.

On page 524, the author continues with a metaphor meant to illustrate the steps a secure system would use to make sure someone is allowed to access resources. A baby sitter is instructed to allow a package service to pick up a package from the home where the sitter is watching a child. He follows four steps to accomplish this safely, and the author ignores the fact that the sitter messes up one of them. Read the story, then come back here.

Did you see which step he got wrong?

  1. Identification - The babysitter asks for identification from the driver (e.g. FedEx, UPS). This would be like asking for a user ID and a password. The driver provides it.
  2. Authentication - The baby sitter reads the driver's badge and decides it is real. Really? No one can drive a painted delivery van and make a fake ID? If this were a network, this would be like accepting any data as a user ID and any password that met our complexity requirements, without checking for a match on the system.
  3. Authorization - The babysitter tells the driver she can access the porch, where the package is waiting.
  4. Access - The babysitter opens the door to the porch.
  5. What really happened next: Exploit - The axe murderer, who killed the real FedEx driver down the street, enters the house and...

In our example from the book there is no part five. It is not a monster movie or a thriller. My point is that it could have been. Could the babysitter have called FedEx to check on the identity of the supposed driver? Yes, and in most circumstances he would have been thought paranoid. If you are not protecting important assets, you are not expected to take precautions. When you are protecting a network, you must take precautions. (And if you are protecting a child in a monster movie, grab a baseball bat, tell the killer to come back next week, and be ready for trouble. I can testify that a baseball bat to a knee will end a threat very quickly.)

The author points out that many people confuse authorization and access. Authorization means having been granted permission to do something. Access means being given a method to do it. Authorization is permission, and access is means.

Pages 525 and 526 bring up more vocabulary words:

  • owner - A person responsible for the integrity and security of an asset.
  • custodian - A person who maintains the security of a system, perhaps by adding and removing access by user accounts. (This concept is also called administrator.)
  • end user - One who uses the asset, such as reading a file, opening a web page, or printing some data from a database, but cannot change access rights to the asset. This concept is also called a "subject" in this chapter.
  • subjects - users (or processes acting for users) who perform operations on objects (assets).

The text turns specifically to the topic of access control. In a previous chapter, this phrase meant making sure devices were "clean" before they were allowed to connect to the network. This chapter uses the more familiar meaning, allowing, restricting, and denying access to resources. Page 527 introduces four classic access control methods. You should know something about each of them. I think this order makes more sense:

  • Mandatory Access Control (MAC) - the most restrictive model; the owner defines a security policy, the custodian implements it, and the end users cannot change it
  • Role Based Access Control (RBAC) - access is granted to roles (groups) defined on the systems, end users are assigned to roles so they can access assets needed for their jobs
  • Rule Based Access Control (RBAC) - may be the most complex model; rules can change which role a user is assigned to, changing the level of access the user has
  • Discretionary Access Control (DAC) - least restrictive model; subjects (end users) can own objects, and have total control over them (like a SharePoint web server system); end users must set and maintain security for their assets, which most people will do badly; processes run by end users inherit their permission levels

A fifth method is discussed briefly. Attribute Based Access Control (ABAC) allows the system to check the attributes of a subject to determine if access should be allowed. It is very much like role based control, but the data that grants access is stored in the user object instead of in a group object that the user is or is not a member of. This may be most practical in small organizations.
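To make the differences concrete, here is an added example (not from the textbook) that decides the same kind of request under each of the five models above. The users, roles, labels, files and business hours are constructed for illustration.

```python
# Added example, not from the textbook: the same kind of request decided
# under each model listed above. Users, roles, labels and files are constructed.
# MAC: labels ordered from least to most sensitive; the policy is fixed.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

def mac_allows(clearance, label):
    """Read allowed only when the subject's clearance dominates the label."""
    return LEVELS[clearance] >= LEVELS[label]

# RBAC: permissions hang off roles; users are assigned to roles.
ROLE_PERMS = {"clerk": {"ledger:read"}, "auditor": {"ledger:read", "ledger:audit"},
              "treasurer": {"ledger:read", "ledger:write"}}
USER_ROLES = {"alice": {"clerk"}, "bob": {"auditor"}, "frank": {"treasurer"}}

def rbac_allows(user, permission):
    return any(permission in ROLE_PERMS[r] for r in USER_ROLES.get(user, ()))

# Rule based: a rule can change the role a user holds before the check,
# here downgrading treasurer to clerk outside business hours (8-18).
def effective_roles(user, hour):
    roles = set(USER_ROLES.get(user, ()))
    if "treasurer" in roles and not 8 <= hour < 18:
        roles.discard("treasurer")
        roles.add("clerk")
    return roles

def rule_based_allows(user, permission, hour):
    return any(permission in ROLE_PERMS[r] for r in effective_roles(user, hour))

# DAC: the object's owner decides and may grant access to anyone.
DAC_OWNERS = {"budget.xlsx": "carol"}
DAC_GRANTS = {"budget.xlsx": {"dave": {"read"}}}

def dac_grant(actor, obj, user, op):
    """Only the owner can change permissions; there is no central policy."""
    if DAC_OWNERS.get(obj) != actor:
        return False
    DAC_GRANTS.setdefault(obj, {}).setdefault(user, set()).add(op)
    return True

def dac_allows(user, obj, op):
    return DAC_OWNERS.get(obj) == user or op in DAC_GRANTS.get(obj, {}).get(user, set())

# ABAC: the decision reads attributes stored on the user object itself.
USER_ATTRS = {"erin": {"department": "finance", "status": "active"}}

def abac_allows(user, obj_attrs):
    a = USER_ATTRS.get(user, {})
    return a.get("status") == "active" and a.get("department") == obj_attrs["department"]
```

Note that in the DAC case nothing stops carol from granting write access to anyone she likes, which is exactly the weakness the text points out.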

Two of the acronyms for the models above are the same. This is dumb, and it may explain why most Internet resources seem to present only three of the four methods. Note the other names given for rule based access control: rule-based role-based access control, and automated provisioning. Remember to breathe in, then out. When you are in a position of authority, encourage people to use words that make sense.

The text continues with a set of best practices that might be used along with the models above:

  • separation of duties - don't give any one person the ability to defraud the system; checks and balances of power are better
  • job rotation - move people out of sensitive positions on a regular basis; this could backfire by making you unsure who was responsible for a breach
  • least privilege - give only the access needed for a job, adding and removing as the job assignments change
  • implicit deny - if a permission is not explicitly granted, it should be assumed to be denied; this is not as strong as explicitly denying a permission
  • mandatory vacations - if a person is running a scam, they will be reluctant to take time off and to give anyone else the authority to do their job

Logical Access Control

This set of methods is more related to software than hardware.

Access Control Lists

You can think of an ACL (Access Control List) as a property of an object that lists what users have what permissions regarding that object. The example on page 454 shows a UNIX file that has various read, write, and execute permissions set for various entities on the system. Three entities have been given explicit permissions to the file. Setting permissions in an access control list allows granular control, but it is labor intensive for administrators.
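The following is an added example (not the textbook's) that evaluates an ACL holding both allow and deny entries, which also illustrates the implicit deny practice from the list above: an explicit deny wins over any allow, the precedence Windows ACLs apply, and a request matching no entry at all falls through to implicit deny. The users, groups and ACL entries are constructed.

```python
# Added example, not the textbook's: evaluating an ACL with allow and deny
# entries. Explicit deny wins over any allow, and a request that matches no
# entry falls through to implicit deny. Users, groups and entries are constructed.
GROUPS = {"payroll": {"alice", "bob"}, "contractors": {"bob"}}

def members(principal):
    """Expand a group name into its users; a bare user name covers itself."""
    return GROUPS.get(principal, {principal})

def evaluate_acl(acl, user, permission):
    """acl is a list of (principal, 'allow'|'deny', set_of_permissions).
    Returns (decision, reason) so a reviewer can see why access was granted."""
    allowed = False
    for principal, effect, perms in acl:
        if user in members(principal) and permission in perms:
            if effect == "deny":
                return False, f"explicit deny via {principal}"
            allowed = True
    if allowed:
        return True, "explicit allow"
    return False, "implicit deny (no matching entry)"

# Entries for a ledger file: payroll staff may read and write, but
# contractors (bob is in both groups) are explicitly denied write.
LEDGER_ACL = [
    ("payroll", "allow", {"read", "write"}),
    ("contractors", "deny", {"write"}),
]

def effective_permissions(acl, user, candidates=("read", "write", "execute")):
    """Summarise what a user can actually do, useful for access reviews."""
    return {p for p in candidates if evaluate_acl(acl, user, p)[0]}
```

The reason strings matter in practice: an access review that sees "implicit deny" knows that adding carol to the payroll group would silently grant her access, whereas an explicit deny entry would keep blocking her.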

Group Policies

Group Policies are a feature of Windows Active Directory, the database system used to manage users and assets in a Windows based network. As the text explains, Group Policies can affect users when they log in, and devices when they boot up. Systems check for updates at intervals controlled by network administrators. A Group Policy can have an effect on multiple domains.

The text describes Local Group Policies as having fewer options, having smaller scope, and being associated with older systems that are not using Active Directory.

Account Restrictions

Page 456 shows an example of time restrictions applied to a user. In this case, the example is of Parental Controls, but user accounts can be restricted the same way in an enterprise environment by user account or by Group Policy.

Account Expiration

The text describes an orphan account, an account that belonged to someone who left the organization, as being a waste of resources and a security vulnerability. It proposes that this vulnerability can be reduced by using preset expiration dates for user accounts, or setting an account to expire once the associated password has been expired for a specific number of days.
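Both controls the text proposes correspond to fields Linux keeps per user in /etc/shadow: a hard expiration date, and a number of "inactive" days after the password's maximum age. Here is an added example (not from the text) that reads such records and flags accounts that no longer work, the kind of list an orphan-account review starts from. The records and hashes are constructed placeholders.

```python
# Added example, not from the text: deciding whether an account should still
# work from the fields in /etc/shadow (name:hash:lastchg:min:max:warn:inactive:expire:reserved).
# The sample records below are constructed; the hashes are placeholders.
from datetime import date

def days_since_epoch(d):
    """Shadow stores dates as days since 1970-01-01."""
    return (d - date(1970, 1, 1)).days

def parse_shadow(line):
    f = line.split(":")
    num = lambda s: int(s) if s else None
    return {"user": f[0], "last_change": num(f[2]), "max_days": num(f[4]),
            "inactive": num(f[6]), "expire": num(f[7])}

def account_status(rec, today_days):
    """'expired' if the preset date has passed, 'inactive' if the password
    expired more than `inactive` days ago, otherwise 'active'."""
    if rec["expire"] is not None and today_days >= rec["expire"]:
        return "expired"
    ages = (rec["last_change"], rec["max_days"], rec["inactive"])
    if None not in ages and today_days > sum(ages):
        return "inactive"
    return "active"

# Constructed records; day 19950 is 2024-08-15.
SAMPLE_SHADOW = """\
alice:$6$placeholder:19900:0:90:7:30::
bob:$6$placeholder:19400:0:90:7:30::
carol:$6$placeholder:19800:0:99999:7::19900:
dave:$6$placeholder:19800:0:99999:7:::
"""

def orphan_candidates(shadow_text, today_days):
    """Accounts an access review should look at because they no longer work."""
    return [r["user"] for r in map(parse_shadow, shadow_text.splitlines())
            if account_status(r, today_days) != "active"]
```

Run against a real file it would be called as orphan_candidates(open("/etc/shadow").read(), days_since_epoch(date.today())), which needs root to read the file.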

Authentication Services

The text discusses five kinds of authentication services, which may perform authentication only, or may perform authorization and accounting functions as well.

RADIUS

Remote Authentication Dial-In User Service has some specific and non-intuitive terminology.

  • supplicant - a wireless device requesting to join a WLAN, or a dial up device requesting to join a LAN
  • authenticator - an access point that accepts or rejects supplicants
  • RADIUS client - an access point that is sending credentials to a RADIUS server
  • RADIUS server - performs authentication, authorization, and accounting functions, and is meant to support a large number of connections.

Kerberos

The text says that Kerberos is an authentication system. It is also proper to call it a protocol. It is noteworthy because it can be used on Windows, Linux, and Mac OS X networks. As the text explains, a network user requests access to services, Kerberos issues an identifying ticket, and the ticket is examined by the entity that grants access to the service. This is a standard part of logging in to an Active Directory network.

Terminal Access Control Access Control System (TACACS+)

TACACS+ must have been created by someone with a love for redundancy. It performs authentication, authorization, and accounting functions, and is meant to support a large number of connections.

Lightweight Directory Access Protocol (LDAP)

The text waits until this discussion to mention that Directory Service is a database service on a network. (It is one of the classic services of a network.) LDAP is a protocol that is used to access such databases. The text contrasts it to DAP (its big brother):

  • LDAP runs in a TCP/IP environment, DAP requires special software
  • LDAP will run on a PC, DAP typically will not
  • Both are used to access information from X.500 compliant databases
  • LDAP is lighter, simpler, easier to use

Security Assertion Markup Language (SAML)

The text describes a SAML transaction in which a web service provider is required to check an external source (an identity provider) which stores the credentials of a user who wants to log in and use the web service. You should know that this process exists, what it is, and what it is called.