ITS 4210 - Access Control, Authentication, and PKI

Chapter 10, Access Control in the Enterprise


This lesson discusses access controls in enterprise environments. Objectives important to this lesson:

  1. Access Control Lists and Access Control Entries
  2. Models for enterprises
  3. Authentication factors
  4. Kerberos
  5. Layer 2 and Layer 3 controls
  6. Wireless access controls


Chapter 10

Access Control Lists and Access Control Entries

The chapter opens with some definitions:

  • Access Control List (ACL) - a list of entities and the rights they have for a particular object. Each object will have its own ACL.
  • Access Control Entry (ACE) - a record in an object's Access Control List. Each ACE includes a security identifier (SID) (e.g. a user name) and the security authorizations that SID has been granted for the object in question.

Models for Enterprises

We have discussed this before, so it should still be familiar to you. This chapter takes a different slant on the subject, talking about four access control models, each of which has a different approach to using ACLs.

  • Discretionary Access Control (DAC) - Weeding through the text, it tells us that rights granted to a subject under this system may be passed on by that subject to other subjects in the system. This means that the owner of an object can assign rights to other subjects (users) without needing the intervention of an administrator.
  • Mandatory Access Control (MAC) - In this one, there is more restriction. The text explains that objects are assigned to security classes, and that subjects (users) are assigned security clearance levels. The result is that a user who has a clearance only for Confidential (and below) information cannot be assigned rights to an object classified as Secret or Top Secret.
  • Role-based Access Control (RBAC) - Roles are like groups. Users can be assigned to either, and rights can be inherited from the group or role by the user. The text explains:
    • that subjects must be assigned to roles,
    • that the role a subject is assigned to must be allowed (authorized) for the subject, which is not usually done with groups,
    • and that transactions must be authorized for the role a subject is in, else the subject cannot perform them.
  • Attribute-based Access Control (ABAC) - In this system, rights are not authorized for subjects unless a particular attribute of the subject matches a criterion set for the right, such as having an address in the right city or zip code.

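
The four models above, and the ACL/ACE structure they operate on, as one small Python decision model. This is an added example, not code from the text; the subjects, objects, roles, transactions and attribute values are invented, and the classification levels follow the chapter's Confidential/Secret/Top Secret ordering.

```python
"""Constructed decision functions for the four access control models in this chapter."""
from dataclasses import dataclass, field

# MAC: classification and clearance levels, lowest to highest
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass
class Obj:
    owner: str
    classification: str
    acl: dict = field(default_factory=dict)  # ACL: subject (SID) -> set of rights (the ACEs)

def dac_grant(obj, grantor, grantee, right):
    """DAC: the owner, or any subject already holding the right, may pass it on."""
    if grantor != obj.owner and right not in obj.acl.get(grantor, set()):
        return False
    obj.acl.setdefault(grantee, set()).add(right)
    return True

def mac_allows(obj, clearance):
    """MAC: a subject may hold rights only on objects at or below its clearance."""
    return LEVELS[clearance] >= LEVELS[obj.classification]

class RBAC:
    """The chapter's three RBAC rules: role assignment, role authorization, transaction authorization."""
    def __init__(self, authorized, transactions):
        self.authorized = authorized      # subject -> roles the subject is allowed to take
        self.transactions = transactions  # role -> transactions authorized for that role
        self.active = {}                  # subject -> currently assigned role

    def assign(self, subject, role):
        # Rule 2: the role must be authorized for this subject (not automatic, unlike a group)
        if role not in self.authorized.get(subject, set()):
            return False
        self.active[subject] = role
        return True

    def can(self, subject, transaction):
        # Rule 1: the subject must be assigned a role; rule 3: the transaction must be
        # authorized for that role, otherwise the subject cannot perform it.
        role = self.active.get(subject)
        return role is not None and transaction in self.transactions.get(role, set())

def abac_allows(subject_attrs, criteria):
    """ABAC: every attribute named in the criteria must match the subject's own attribute."""
    return all(subject_attrs.get(k) == v for k, v in criteria.items())
```
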
Authentication factors

The text returns to a discussion of authentication factors that are typically used, offers some advice about them, and generally tells us nothing new about such things.


On page 215, the text begins a discussion of several pages about Kerberos, a network protocol that is used in Microsoft networks for the encryption of passwords before they are submitted to the system for authentication. Microsoft classes usually describe how Kerberos is used for several purposes associated with authentication.

Kerberos uses the concept of tickets. A ticket is a small amount of encrypted, session-specific data issued by the domain controller. When a client needs to access a server on the network, it first obtains a ticket from the domain controller for that server. The ticket and other data supplied by the client vouch for the client's identity and provide a way for the client to authenticate the server as well, which means Kerberos provides mutual authentication of both client and server. Each device knows it can trust the other one. Using time stamps and other techniques, Kerberos protects tickets from cracking or replay attacks by eavesdroppers on the network.

Some of the weaknesses of a Kerberos system are listed on page 219. Despite this long list, this is still a system that Windows networks depend on. Administrators should plan their networks carefully to provide coverage in case of failures.

Layer 2 and Layer 3 controls

On page 220, the text turns to access controls that are implemented by network devices. You should know that the ISO-OSI network model has seven layers, and that Layer 2 is associated with communication inside a network, while Layer 3 is associated with communication from one network to another network.

Layer 2 is the layer associated with MAC (Media Access Control) addresses, the addresses that are assigned to network interface cards. MAC addresses may be written several ways, but a common notation is shown on page 221: six pairs of hexadecimal digits, each pair separated from the others by colons. A typical address might look like this:

In case you are not aware of it, the first three pairs, reading from left to right, stand for the manufacturer of the NIC. The last three pairs are the serial number of the NIC. Each MAC address is meant to be unique. The text tells us that switches take note of two things when they receive messages. The port on which the message is received is stored in an address table, along with the MAC address of the sending device. In this way, the switch learns which port to associate with particular devices. The switch uses this table as a reference when deciding what port to use for any message it needs to forward. Managed switches can be programmed to allow access to certain ports/paths through a network by filtering MAC addresses. The text warns us that a hacker may spoof (impersonate) a MAC address on the approved list in order to gain access to the protected network segment.
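The switch behaviour just described, as an added Python model that is not from the text: it splits the manufacturer prefix from a MAC address, learns port/MAC pairs into an address table, filters ports by an allowed-MAC list, and records an alert when a MAC already learned on one port arrives on another, which is how the spoofing the text warns about would show up to an administrator. The addresses and port numbers are constructed.

```python
"""Constructed model of a managed switch's address table with MAC filtering."""
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")

def normalize(mac):
    """Accept colon or hyphen notation and return the lower-case, colon-separated form."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac

def oui(mac):
    """The first three pairs identify the manufacturer; the last three are the NIC's own number."""
    return normalize(mac)[:8]

class Switch:
    def __init__(self, allowed_by_port):
        # Ports listed here accept frames only from their allowed MACs (MAC filtering).
        self.allowed = {p: {normalize(m) for m in macs} for p, macs in allowed_by_port.items()}
        self.table = {}    # address table: MAC -> port it was learned on
        self.alerts = []   # events an administrator would want to review

    def receive(self, port, src_mac):
        mac = normalize(src_mac)
        if port in self.allowed and mac not in self.allowed[port]:
            self.alerts.append(f"port {port}: dropped frame from unlisted {mac}")
            return "drop"
        learned = self.table.get(mac)
        if learned is not None and learned != port:
            # A known MAC now arriving on another port is either a moved device or an
            # impersonation attempt; this model treats it as a violation and drops it.
            self.alerts.append(f"{mac} learned on port {learned}, now seen on port {port}")
            return "drop"
        self.table[mac] = port          # learn (or refresh) the port/MAC pair
        return "forward"

    def port_for(self, dst_mac):
        """Egress port for a destination; an unknown destination is flooded to all ports."""
        return self.table.get(normalize(dst_mac), "flood")
```
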

The text is not very specific about its recommendations for Layer 2, but it is a bit better in the section about Virtual LANs (VLANs), which are used to logically separate devices into separate networks. Your switches can be set to do this by MAC address, or by the port used by the device. There is a better lesson on this web site. It is only six short "pages", so look it over.

Layer 3 controls are discussed on page 223.

  • Note the method of configuring access control lists on routers to allow or block traffic based on IP address or protocol being used.
  • Route maps are another method used on routers to send traffic to specific addresses, usually gateways to internal networks or resources. Route maps can also drop traffic that does not meet the criteria for being forwarded.
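
The router ACL idea from the first bullet, as an added Python evaluator (not from the text or any vendor's syntax): entries are checked top-down, the first match decides, and anything that matches no entry falls through to an implicit deny, the detail that catches most people writing their first router ACL. The ACL entries, addresses and ports below are constructed.

```python
"""Constructed evaluator for a router-style access control list (first match wins)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                         # CIDR block, or "any"
    dst: str = "any"
    dst_port: Optional[int] = None   # only meaningful for tcp/udp

def _net(spec):
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)

def matches(ace, pkt):
    """pkt is a dict with protocol, src, dst and an optional dst_port (constructed format)."""
    if ace.protocol != "ip" and ace.protocol != pkt["protocol"]:
        return False
    if ipaddress.ip_address(pkt["src"]) not in _net(ace.src):
        return False
    if ipaddress.ip_address(pkt["dst"]) not in _net(ace.dst):
        return False
    return ace.dst_port is None or ace.dst_port == pkt.get("dst_port")

def evaluate(acl, pkt):
    """Return (decision, index of the deciding entry); index -1 is the implicit deny."""
    for i, ace in enumerate(acl):
        if matches(ace, pkt):
            return ace.action, i
    return "deny", -1

# Constructed ACL applied to an inside interface: permit HTTPS from the inside block to
# one server, block telnet from anywhere, then permit the inside block's other traffic.
# Traffic from outside the inside block matches nothing and hits the implicit deny.
INSIDE_ACL = [
    Ace("permit", "tcp", "10.1.0.0/16", "192.0.2.10/32", 443),
    Ace("deny", "tcp", "any", "any", 23),
    Ace("permit", "ip", "10.1.0.0/16"),
]
```

Swapping the first two entries would not change these results, but moving the final permit above the telnet deny would let telnet through, which is why entry order is part of the policy.
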

The text moves on to wireless network material on page 224. It is a bit light, and a bit silly. It spends several lines explaining Wired Equivalent Privacy (WEP) before finally getting around to advising us not to use it. It is no longer considered to be secure. This will happen to all security protocols over time. Presently we are advised to use WPA or WPA2 protocols to encrypt data on wireless LANs. WPA3 should be available soon (late 2019).


  1. Continue the reading assignments for the course.
  2. Complete the assignments and class discussion made in this module.