Access Control Lists and Access Control Entries
The chapter opens with some definitions:
Models for Enterprises
We have discussed this before, so it should still be familiar to you. This chapter takes a different slant on the subject, describing four access control models, each of which uses ACLs in a different way.
The text returns to the authentication factors that are typically used, offers some advice about them, and tells us little that is new.
On page 215, the text starts several pages about Kerberos, a network authentication protocol that Windows domains (Active Directory) depend on. Be careful with the text's description: Kerberos does not encrypt a password and submit it for checking. The password never crosses the network at all. Instead, a key derived from the password is used to decrypt tickets issued by the Key Distribution Center (KDC), which in a Windows domain runs on the domain controller. Microsoft classes usually describe how Kerberos is used for several purposes associated with authentication.
Kerberos uses the concept of tickets. A ticket is a small amount of encrypted, session-specific data issued by the KDC (the domain controller in a Windows network). When a client needs to access a server on the network, it first obtains a ticket for that server from the KDC. The ticket is encrypted with the server's own key, so only that server can read it, and it carries a session key that the KDC also hands to the client (encrypted with the client's key). The ticket, together with an authenticator that the client encrypts with the session key, vouches for the client's identity; the server's reply, encrypted with the same session key, lets the client authenticate the server as well. Kerberos therefore provides mutual authentication: each side knows it can trust the other. Using time stamps, limited ticket lifetimes and a replay cache on the server, Kerberos stops an eavesdropper from replaying a captured ticket and authenticator, and because a ticket is encrypted under the server's key the eavesdropper cannot read or alter it either.
Some of the weaknesses of a Kerberos system are listed on page 219. Despite this long list, Windows networks still depend on it. Administrators should plan their networks to cope with failures: more than one KDC (domain controller), and clock synchronization on every host, because Kerberos rejects tickets and authenticators whose time stamps fall outside the allowed clock skew (five minutes by default in Windows).
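To make the ticket idea concrete, here is an added example (my own code, not the textbook's) of a stripped-down Kerberos-style exchange: a client pre-authenticates to a KDC with an encrypted timestamp, gets a ticket it cannot read plus a session key it can, presents the ticket and an authenticator to the server, and checks the server's reply for mutual authentication. The server enforces ticket expiry, clock skew and a replay cache. The encryption is a toy encrypt-then-MAC built from SHA-256 and HMAC standing in for the real Kerberos encryption types, the AS and TGS steps are collapsed into one request, and the principals (alice, fileserver), password and keys are made up.

```python
# Added example (not the textbook's code): a stripped-down Kerberos-style exchange.
# Assumptions: a toy encrypt-then-MAC built from SHA-256/HMAC stands in for the real
# Kerberos encryption types, the AS and TGS steps are collapsed into a single request,
# and the principals (alice, fileserver) and their keys are made up for the demonstration.
import hashlib, hmac, json, os

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Rejects anything not sealed under `key`, so an eavesdropper can neither read nor forge a ticket."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """The domain controller role: it holds every principal's long-term key."""
    def __init__(self, keys, lifetime=600, skew=300):
        self.keys, self.lifetime, self.skew = keys, lifetime, skew

    def request_ticket(self, client, service, preauth, now):
        # Pre-authentication: the client proves it knows its key by sealing a fresh
        # timestamp under it. The password itself never crosses the network.
        if abs(now - unseal(self.keys[client], preauth)["ts"]) > self.skew:
            raise ValueError("pre-auth timestamp outside allowed clock skew")
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "session": session,
                                           "expires": now + self.lifetime})
        reply = seal(self.keys[client], {"service": service, "session": session})
        return ticket, reply  # ticket readable only by the service, reply only by the client

class Client:
    def __init__(self, name, password):
        self.name = name
        self.key = hashlib.sha256(password.encode()).digest()  # toy string-to-key
        self.session = None

    def get_ticket(self, kdc, service, now):
        ticket, reply = kdc.request_ticket(self.name, service, seal(self.key, {"ts": now}), now)
        self.session = bytes.fromhex(unseal(self.key, reply)["session"])
        return ticket

    def ap_request(self, ticket, now):
        """AP-REQ: the ticket plus an authenticator sealed under the session key."""
        return ticket, seal(self.session, {"client": self.name, "ts": now})

    def verify_server(self, ap_reply, sent_ts):
        """Mutual authentication: only a server holding the service key could recover
        the session key from the ticket and echo our timestamp back under it."""
        return unseal(self.session, ap_reply)["ts"] == sent_ts

class Server:
    def __init__(self, key, skew=300):
        self.key, self.skew, self.replay_cache = key, skew, set()

    def accept(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)
        if now > t["expires"]:
            raise ValueError("ticket expired")
        session = bytes.fromhex(t["session"])
        auth = unseal(session, authenticator)
        if auth["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - auth["ts"]) > self.skew:
            raise ValueError("authenticator timestamp outside allowed clock skew")
        if (auth["client"], auth["ts"]) in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add((auth["client"], auth["ts"]))
        return t["client"], seal(session, {"ts": auth["ts"]})  # AP-REP

def demo(now=1_700_000_000.0):
    """Run one exchange, then replay the captured AP-REQ; returns what each side concluded."""
    service_key = os.urandom(32)
    kdc = KDC({"alice": hashlib.sha256(b"correct horse").digest(), "fileserver": service_key})
    alice, fileserver = Client("alice", "correct horse"), Server(service_key)
    ticket = alice.get_ticket(kdc, "fileserver", now)
    ticket, authenticator = alice.ap_request(ticket, now + 1)
    who, ap_rep = fileserver.accept(ticket, authenticator, now + 2)
    mutual_ok = alice.verify_server(ap_rep, now + 1)
    try:  # an eavesdropper who captured the AP-REQ resends it unchanged
        fileserver.accept(ticket, authenticator, now + 3)
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return who, mutual_ok, replay_rejected
```

Running demo() gives ("alice", True, True): the server identified the client, the client confirmed the server, and the replayed request was refused. Try changing the `now` passed to `fileserver.accept` to `now + 400` to see the clock-skew check fire; that is the failure you get on a real network when a host's clock drifts.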
Layer 2 and Layer 3 controls
On page 220, the text turns to access controls that are implemented by network devices. You should know that the ISO OSI network model has seven layers: Layer 2 (data link) is associated with communication between devices on the same network segment, addressed by MAC address and handled by switches, while Layer 3 (network) is associated with communication from one network to another, addressed by IP address and handled by routers.
Layer 2 is the layer associated with MAC (Media Access Control) addresses, the addresses that are assigned to network interface cards. MAC addresses may be written several ways (hyphens instead of colons, or three groups of four digits separated by dots in Cisco output), but a common notation is shown on page 221: six pairs of hexadecimal digits, each pair separated from the others by colons. A typical address might look like this:
In case you are not aware of it, the first three pairs, reading from left to right, form the Organizationally Unique Identifier (OUI), which identifies the manufacturer of the NIC. The last three pairs are assigned by that manufacturer, so each MAC address is meant to be globally unique (although the address a NIC actually presents can be changed in software). The text tells us that switches take note of two things when they receive frames: the port on which the frame arrived and the source MAC address of the sending device, which are stored together in an address table. In this way, the switch learns which port to associate with each device, and it uses this table as a reference when deciding which port to use for any frame it needs to forward (frames for a broadcast or not-yet-learned destination are sent out every other port). Managed switches can be programmed to allow access to certain ports/paths through a network by filtering on MAC address, a feature usually called port security. The text warns us that a hacker may spoof (impersonate) a MAC address on the approved list in order to gain access to the protected network segment. This is easy to do, because the source address is simply a field the sender fills in, so MAC filtering deters only casual access.
The text is not very specific about its recommendations for Layer 2, but it is a bit better in the section about VLANs (Virtual LANs), which are used to logically separate devices into separate broadcast domains on the same physical switch. Your switches can be set to do this by MAC address, or by the port used by the device; port-based assignment is the more common choice and the harder one to spoof. There is a better lesson on this web site. It is only six short "pages", so look it over.
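Here is an added example (my own code, not from the textbook or the linked lesson) that ties the last two paragraphs together: helpers that normalize the different MAC notations and split out the OUI, plus a small simulated switch that learns source addresses per port, forwards or floods by its address table, keeps broadcasts inside a port-based VLAN, and enforces an approved-MAC list on one port. The demo then shows the text's warning in action: a frame with an unapproved source is dropped, but the same port accepts a frame whose source was spoofed to the approved address. The ports, VLAN numbers, hosts and addresses are made up for the demonstration.

```python
# Added example (not the textbook's code): MAC address handling and a simulated learning
# switch with port security and port-based VLANs. The hosts, ports, VLAN numbers and
# addresses below are constructed for the demonstration.
import re

BROADCAST = "ff:ff:ff:ff:ff:ff"

def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def split_mac(mac):
    """Return (OUI identifying the manufacturer, manufacturer-assigned part)."""
    m = normalize_mac(mac)
    return m[:8], m[9:]

def is_locally_administered(mac):
    """Bit 0x02 of the first octet is set when the address was assigned in software rather
    than burned in by the manufacturer; randomized and many spoofed addresses show it."""
    return int(normalize_mac(mac)[:2], 16) & 0x02 != 0

class Switch:
    def __init__(self, vlan_of_port, allowed_macs=None):
        self.vlan_of_port = vlan_of_port  # port -> VLAN (port-based VLAN membership)
        self.allowed = {p: {normalize_mac(m) for m in macs}
                        for p, macs in (allowed_macs or {}).items()}  # port-security lists
        self.table = {}                   # (vlan, source mac) -> port, learned from traffic
        self.log = []

    def receive(self, port, src, dst):
        """Handle a frame arriving on `port`; return the list of ports it is forwarded out of."""
        vlan, src, dst = self.vlan_of_port[port], normalize_mac(src), normalize_mac(dst)
        if port in self.allowed and src not in self.allowed[port]:
            self.log.append(f"port {port}: dropped frame from unapproved {src}")
            return []                     # MAC filtering: only the approved list passes
        self.table[(vlan, src)] = port    # learn which port the sender lives on
        if dst == BROADCAST or (vlan, dst) not in self.table:
            # unknown or broadcast destination: flood, but only to ports in the same VLAN
            return [p for p, v in self.vlan_of_port.items() if v == vlan and p != port]
        out = self.table[(vlan, dst)]
        return [] if out == port else [out]

def demo():
    """Constructed scenario: ports 1-2 in VLAN 10, ports 3-4 in VLAN 20; port 2 admits one MAC."""
    sw = Switch({1: 10, 2: 10, 3: 20, 4: 20}, allowed_macs={2: {"00-1A-2B-3C-4D-5E"}})
    alice = "00:11:22:33:44:55"       # on port 1
    approved = "00:1a:2b:3c:4d:5e"    # the only address port 2 is supposed to accept
    intruder = "de:ad:be:ef:00:01"    # plugged into port 2
    carol = "00:11:22:aa:bb:cc"       # on port 3, VLAN 20
    results = {}
    results["broadcast_stays_in_vlan"] = sw.receive(1, alice, BROADCAST)    # [2]
    results["vlan20_broadcast"] = sw.receive(3, carol, BROADCAST)           # [4]
    results["intruder_dropped"] = sw.receive(2, intruder, alice)            # []
    results["spoofed_src_passes"] = sw.receive(2, approved, alice)          # [1], the text's warning
    results["unicast_after_learning"] = sw.receive(1, alice, approved)      # [2]
    results["cross_vlan_unicast"] = sw.receive(3, carol, alice)             # [4], never reaches VLAN 10
    results["dropped_frames_logged"] = len(sw.log)                          # 1
    return results
```

The spoofed frame from port 2 is indistinguishable to the switch from a legitimate one, which is the whole problem with MAC filtering. The `is_locally_administered` check is a cheap hint when hunting for such spoofing in switch logs: a source address with that bit set did not come from a factory-burned NIC.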
Layer 3 controls are discussed on page 223. These are the access control lists applied on routers and firewalls, which filter traffic by IP address, protocol and port rather than by MAC address.
The text moves on to wireless network material on page 224. It is a bit light, and a bit silly: it spends several lines explaining Wired Equivalent Privacy (WEP) before finally getting around to advising us not to use it. WEP is no longer considered secure (its RC4 key scheduling and short 24-bit initialization vectors let an attacker recover the key from captured traffic), and this will happen to all security protocols over time. Presently we are advised to use WPA2 with AES-CCMP to encrypt data on wireless LANs; the original WPA, which relies on TKIP, is also deprecated. WPA3, which the Wi-Fi Alliance began certifying in 2018, should be used where the client devices support it. With any of these in pre-shared-key mode, protection is only as good as the passphrase, because an eavesdropper who captures the handshake can test guesses offline.