ITS 421 - Tactical Perimeter Defense
Chapter 1, Access Control Framework
Objectives:
This lesson presents background on accessing resources on a
managed network. Objectives important to this lesson:
- What is Access Control?
- Components of Access Control
- Three Stages of Access Control
- Logical Access Control
- Authentication Factors
Concepts:
Chapter 1
The chapter begins with a discussion of two terms. The first is access which the authors
define formally as "the ability of a subject
and an object to
interact". (Chapple, et al, page 3) This use of those two nouns is
like what you may have learned in an English class about
diagramming sentences. The subject,
in this case, is the person or thing in the sentence that is taking action. The object
is the thing that the subject is acting
upon. Typically, the subject
is a user on a network,
and the object is a file that needs to be edited,
or a printer the user
would like to use, or some other object for which the system
controls access.
That takes us to the second term, access control. There needs to
be a control that allows or denies access to resources; if there is
no control, then everything is available to everyone, which is not
desirable on most networks. On a network, access control means that
rights (privileges) with respect to particular objects are granted
or denied to particular subjects.
That brings us to two sets of bullet points on page 4 which you
might confuse. The first set is the components
of an access control system:
- Policies - rules that determine whether a
subject has access to an object
- Subjects - A subject may be a user, a network
itself, a process running on a computer, or an application that
requests access to a resource.
- Objects - resources that a subject wants to
use
The text calls the second set of bullet points elements
of an access control system. That means that these are
internal parts of the system itself:
- Policies
- this may mean the business
requirements that determine who
may access a resource; this may also mean a mechanism
in a system (like Microsoft Active Directory) that applies
such rules to subjects and objects
- Procedures - methods
used to enforce policies, typically carried out by people
- Tools - methods
used to enforce policies, typically used with or by devices
on the network
The discussion on page makes little sense unless you understand
the authors' use of the word subject.
It is good that they define it again. The text says that there are
three types of subjects. It may be clearer to say that there are
three categories that a subject may fall under with regard to any
particular resource (object).
- Authorized - those who are known to the system,
and are permitted access to the resource
- Unauthorized - those who are known to the
system, but are not permitted access to the resource
- Unknown - those who are not known to the
system; an unknown subject is typically allowed to attempt to
authenticate (and to use whatever is open to anonymous access), but
not much else, because the system has nothing on record to check a
claim against
The text states the definitions differently, but those
definitions use a word that has not been defined yet. A user who
has presented proper credentials
to a system and been identified
as a known person is a user who has been authenticated.
Note that authenticated and authorized are two different things.
This leads to the next set of bullet points:
- Authentication - the process by which users prove their identities
to a system
- Authorization - This
one doesn't feel right in the text. A better definition is the process of granting
or denying permissions
to authenticated users.
- Accounting - The
process by which a system maintains records of the actions of
users.
The text expands its list of entities that could act as subjects
by explaining that some resources can be subjects:
- Networks - The text explains that a network is usually
an object, but a network may be granted permissions, so
that those permissions apply to all users logged in to
that network. The example in the text tells us that a firewall
rule may state that all addresses on a given network may access
the Internet. This is done by granting that permission to the
address of the network itself, which makes the network
the subject, and the gateway to the Internet is
the object.
- Systems - The text gives an example of a PC
that is given permission to use a printer. This
would be best done by placing PCs in a group object, and
granting permissions to that group. This would allow any user
who happened to be using that computer the permission to use the
associated printer.
- Processes and Applications - A process may need
access to a network drive when it needs to read or write
material there. An application may need the same thing. The
process of granting this access is not specified, so we will
ignore it for now.
The text begins a new topic, discussing three types of
objects that may be protected with access controls:
- Information - all types of data
- Technology - applications, systems, networks, and
devices attached to them; the text points out that if a user has
access to a file server, all files on it may be compromised by
that user
- Physical locations - buildings, rooms, doorways
(entrances and exits)
Page 7 shows a classic view of an Access Control process. It has
three steps which are once again confusing.
- Identification - A user claims an identity to the system,
typically by presenting a User ID (a card, certificate, or other
identifier will also do). The password that usually accompanies
the User ID belongs to the next step: identification is the claim,
not the proof.
- Authentication - The access control system checks the proof
offered for that claim (a password, a token code, a fingerprint)
against what it has on record. If it matches, the user is now
authenticated. The confusing part is that the two steps together
are often referred to simply as authentication.
- Authorization - Assuming the User ID that has been
authenticated was previously assigned some rights or
privileges on the system in question, those rights are now applied
to the user's current login session. The confusing part
here is that the actual assignment of rights must have been done
before this login. That is also called
authorization. The authorization that is taking place in this
step is the application of those rights to the current
session on the network.
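The three steps above, together with the Authentication / Authorization / Accounting distinction and the authorized / unauthorized / unknown categories from earlier in the chapter, as an added Python example. This is my illustration, not code from the textbook: the user IDs, passwords and policy table are constructed sample data, and the salted PBKDF2 password hashing is my choice, not something the chapter specifies.

```python
# Added example (not from the textbook): one request walked through
# identification, authentication and authorization, with an accounting
# record written for every decision. All names and passwords are sample data.
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_record(password: str) -> tuple:
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


# Known subjects: User ID -> (salt, hash). Anyone else is "unknown".
USERS = {
    "alice": _make_record("correct horse battery staple"),
    "bob": _make_record("hunter2"),
}

# Rights assigned ahead of time (the earlier sense of "authorization").
# bob is known to the system but has no rights on payroll.xlsx.
POLICY = {
    ("alice", "payroll.xlsx"): {"read", "write"},
    ("bob", "readme.txt"): {"read"},
}

AUDIT_LOG = []  # accounting: one record per access decision


def _account(subject: str, obj: str, right: str, outcome: str) -> None:
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "subject": subject, "object": obj, "right": right, "outcome": outcome,
    })


def request_access(claimed_id: str, password: str, obj: str, right: str) -> str:
    """Return 'unknown', 'auth-failed', 'unauthorized' or 'granted'."""
    # Step 1, identification: the ID is only a claim. Look it up.
    record = USERS.get(claimed_id)
    if record is None:
        _account(claimed_id, obj, right, "unknown")
        return "unknown"
    # Step 2, authentication: check the proof against the stored hash,
    # using a constant-time comparison.
    salt, stored = record
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        _account(claimed_id, obj, right, "auth-failed")
        return "auth-failed"
    # Step 3, authorization: apply rights that were assigned before this login.
    if right not in POLICY.get((claimed_id, obj), set()):
        _account(claimed_id, obj, right, "unauthorized")
        return "unauthorized"
    _account(claimed_id, obj, right, "granted")
    return "granted"


if __name__ == "__main__":
    print(request_access("alice", "correct horse battery staple", "payroll.xlsx", "write"))
    print(request_access("bob", "hunter2", "payroll.xlsx", "read"))   # known, not permitted
    print(request_access("bob", "wrong", "readme.txt", "read"))       # proof does not match
    print(request_access("mallory", "x", "readme.txt", "read"))       # not known at all
    print(AUDIT_LOG[-1])
```

The function reports "unknown" and "auth-failed" separately so the audit log can tell them apart; the message shown on the login screen should not, or an attacker can use the login form to enumerate valid User IDs.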
Most
authentication is based on one or more of three kinds of factor:
something you have (like a key or an ID card),
something you know (like a PIN or a password),
or something you are (like a fingerprint).
When a person logs in from a standard workstation in a normal
environment, one factor, like an ID
and password pair, may be secure enough.
For a situation that is more exposed, like logging in from a
remote location through a public data network, two factors
may be required, such as a user name and password
pair along with a one-time password from a
security device (which may require a Personal ID Number as well).
You see the layers? My password (something I know) is no good
unless I use the one-time key from the device (something I have),
which is no good unless I know the PIN that proves I am
allowed to use the device (something else I have to know). The
one-time password shown in the image on the right, by the way, is
only good for one minute. After that minute, a new six-digit
code will be generated. Sorry guys, the minute for that key passed
by long ago. Any complaints should be addressed to the Paladin
of the Lost Hour. The device in the photo is an
example of a hard token. The functions of such a device
can also be implemented in software as a soft token, but I
consider that to be a less secure idea. Using a soft token lets
the hacker strike another object off his "have to steal all of
these" list.
As the text points out, the thing that makes secrets valuable is
secrecy. If everyone can look up a password, as you can do
for the default administrator passwords on most routers, there is
not much value in using that password. Passwords usually expire,
and you can usually change one any time you need to do so. They
should all be changed from time to time. Any time you install
something that uses a factory default password, you should change
that password, and make a note of it in a secure place.
On page 9, the text discusses logical
access controls. This is another way of looking at the rules
you need to implement on your network. You need to remember these
concepts. A good way is to memorize a line from Rudyard
Kipling about six
honest serving men:
I keep six honest serving-men
(They taught me all I knew);
Their names are What and Why and When
And How and Where and Who.
(The rest of the poem is not important in this context.)
- Who are we granting the permissions to? Have
we made certain of their identity with the level of security
required to access this resource?
- What kind of access is being granted? Is it
the correct kind of access?
- When is the subject allowed to access this
resource? Is there a reason to restrict access by the hour of
the day, day of the week, or by a term of service? The text
cautions against the overuse of this kind of policy, because it
can become an impediment to users instead of a mere restriction.
- Where is the user, and does that matter? This can be
done several ways. Using a logical location, we might
restrict access based on an IP address (part of a known
network), or a MAC address (from a known device). Keep in mind
that both can be forged by an attacker who controls a host, so an
address is evidence of location only to the extent that you trust
the network path it arrived on. Using
a geographic location may be harder. If access is granted only
from devices known to be in a secure location, we are still
using logical IDs to grant the access, but we are doing it for a
different reason. The main reason to do something like this is
to make sure there is no access across a public gateway. Why not
allow that? If you are using a VPN, that may be fine, but if you
are not, then your transmissions, wireless or not, may be
monitored by someone we don't want seeing them.
- Why is the access being granted? Is this
reason compliant with security policies?
- How will you grant this access? Will we grant
access to the subject, to a group that includes the subject, or
to a network the subject is using? How much permission will you
give? The text tells us that most systems support at least four
levels of access to files and folders:
- Administrative access - all rights to all
files in the container (read, write, update, delete)
- Author access - read and write
access, or all rights, but only to files you own
in either case
- Read only access - read access, but none
of the other rights
- No access - just like it sounds, no rights
to any files in the container
On page 11, the text discusses granting access according to group
membership. This is a much easier approach than
applying rights to each individual, especially in an environment
in which people frequently change jobs or duties. Since people can
be assigned to multiple groups in most systems, their cumulative
rights are the sum (the union) of those that they receive from
each group. One caveat: systems that also support explicit deny
entries, such as Windows NTFS permissions, usually let a deny from
any group override an allow from another, so check how your system
resolves conflicts before relying on the sum.
The text also discusses being very granular, and granting rights
to specific resources, such as files, tables, and databases.
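An added Python example (mine, not the textbook's) of a policy evaluator that asks the Who, When, Where and How questions above for a single request and returns the subject's cumulative rights across all of its groups. The users, groups, rules and networks are constructed sample data: the "office LAN" and "VPN pool" use the 192.0.2.0/24 and 198.51.100.0/24 documentation ranges, and the four access levels are the ones listed above. The `from` condition is the same idea as the "network as subject" firewall rule from earlier in the chapter, applied inside a file policy.

```python
# Added example (not from the textbook): Who / When / Where / How evaluation
# for one request, with rights accumulated across group memberships.
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# How much: the four access levels from the chapter, as sets of rights.
LEVELS = {
    "administrative": {"read", "write", "update", "delete"},
    "author": {"read", "write"},      # write applies only to files you own
    "read-only": {"read"},
    "none": set(),
}

# Who: group membership (constructed sample data).
GROUPS = {
    "alice": {"finance", "staff"},
    "bob": {"staff"},
    "carol": {"contractors"},
}

OFFICE = "192.0.2.0/24"        # assumed office LAN (documentation range)
VPN_POOL = "198.51.100.0/24"   # assumed VPN address pool (documentation range)

# How: rights are granted to groups, not to individuals. Each rule names an
# object (a folder prefix), a level, and optional When / Where conditions.
RULES = [
    {"group": "finance", "object": "payroll/", "level": "author",
     "hours": (time(7, 0), time(19, 0)), "weekdays_only": True, "from": [OFFICE]},
    {"group": "staff", "object": "payroll/", "level": "read-only",
     "from": [OFFICE, VPN_POOL]},
    {"group": "staff", "object": "wiki/", "level": "author"},
    {"group": "contractors", "object": "wiki/", "level": "read-only",
     "from": [VPN_POOL]},
]


def _rule_applies(rule, groups, obj, now, src_ip):
    if rule["group"] not in groups or not obj.startswith(rule["object"]):
        return False
    if "hours" in rule:                                  # When: hour of the day
        start, end = rule["hours"]
        if not start <= now.time() <= end:
            return False
    if rule.get("weekdays_only") and now.weekday() > 4:  # When: day of the week
        return False
    if "from" in rule:                                   # Where: logical location
        src = ip_address(src_ip)
        if not any(src in ip_network(net) for net in rule["from"]):
            return False
    return True


def effective_rights(user, obj, when_iso, src_ip, owner=None):
    """Cumulative rights: the union of what every applicable group rule grants.
    Author-level write is kept only on objects the user owns."""
    now = datetime.fromisoformat(when_iso)
    rights = set()
    for rule in RULES:
        if _rule_applies(rule, GROUPS.get(user, set()), obj, now, src_ip):
            granted = LEVELS[rule["level"]]
            if rule["level"] == "author" and owner != user:
                granted = {"read"}
            rights |= granted
    return rights


def decide(user, obj, right, when_iso, src_ip, owner=None):
    """Is `right` on `obj` granted to `user` at this time, from this address?"""
    return right in effective_rights(user, obj, when_iso, src_ip, owner)


if __name__ == "__main__":
    # Wednesday 10:00 from the office: finance rule and staff rule both apply.
    print(effective_rights("alice", "payroll/q1.xlsx", "2024-01-10T10:00:00", "192.0.2.5", owner="alice"))
    # Same user over the VPN: only the staff rule applies, so read-only.
    print(effective_rights("alice", "payroll/q1.xlsx", "2024-01-10T10:00:00", "198.51.100.7", owner="alice"))
```

Note that this evaluator only accumulates allows; it has no deny entries, so there is no conflict to resolve. As soon as a system adds explicit denies, the union rule stops being the whole story.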
The text ends the chapter with another discussion of the three
elements of authentication: something you know, something
you have, and something you are. It expands a bit
on each one:
- Something you know - The text recommends selecting
passwords and personal ID numbers that are hard for
someone to guess. Never write them down on a visible note, never
use a number that means something other people know about you or
can learn about you, and try the suggestion about using a pass
phrase instead of a single word. Another suggestion would
be to make an acronym from a longer pass phrase, like a
line from a song. You should probably use a song you know well,
and make sure you never tell anyone what song you are
using.
- Something you have - The text describes the kind of
token I described above, and another that requires the user to
ask for a challenge code, enter it in the
device, read a response code from the device,
then enter the response in the system they are trying to
access. This is a more secure design than a code read straight
from the token, because the response is bound to a challenge the
system just chose, so a captured response cannot be replayed
later.
- Something you are - The text discusses standard biometric
measures, such as fingerprints, retinal scans,
and hand or face geometry. These are all physical
characteristics. The text also discusses the use of behavioral
characteristics. Some smart devices offer this sort of security
when they allow you to unlock the device with a specific sweep
of your fingers. This category also includes a system learning
the typing rhythm of a user, the way a user speaks, or the way
the user writes a phrase on a scanning screen. These behaviors
might all be copied, and so they should be considered less
secure than the physical measures.