Access Control and Authentication Principles

Questions and Answers

What is the primary purpose of identification in access control?

The primary purpose of identification is to validate and verify an unauthenticated entity's purported identity.

List the three main factors of authentication.

The three main factors of authentication are something you know, something you have, and something you are.

How does authorization differ from authentication?

Authorization determines access levels for an authenticated entity, while authentication verifies the identity of a user.

What are authorization credentials, and what is their purpose?

Authorization credentials, or authorization tickets, are issued to authenticated users to grant them access to specific information assets.

Explain what a composite identifier is.

A composite identifier is a unique identifier made by combining elements like department codes, random numbers, or special characters.

What are the three methods of handling authorization mentioned?

Authorization can be handled for each authenticated user, for members of a group, or across multiple systems.

What role does the authenticator play in the authorization process?

The authenticator issues authorization credentials to users after verifying their identity.

Which source address allows outbound traffic according to Rule #1?

10.10.10.12

What action is taken for any traffic from the source address 10.10.10.1 based on the rules?

Deny

Identify the rule that allows traffic from the source address 10.10.10.0.

Rule #6

What is the default action for outbound traffic not explicitly stated in the rules?

Deny

Explain the purpose of Rule #2 in the outbound interface rule set.

Rule #2 denies all traffic to the destination address 10.10.10.1.

Which biometric method has the highest universality?

Face recognition.

Identify a biometric method with low uniqueness.

Face recognition.

Which biometric method is ranked highest in permanence?

Fingerprint.

What is the performance ranking of hand geometry?

Moderate (M).

Which biometric method has medium acceptability?

Hand vein.

How does the circumvention ranking compare between eye retina and iris recognition?

Iris recognition is more difficult to circumvent (H) compared to eye retina (H).

Which biometric method is noted for having high collectability?

Face recognition.

Rank the uniqueness of hand geometry.

Medium (M).

Which biometric has the lowest performance rating?

Face recognition (L).

What is the performance of eye iris recognition?

High (H).

What is accountability in the context of information security?

Accountability refers to the access control mechanism that ensures all actions on a system can be attributed to an authenticated identity.

How do system logs contribute to accountability?

System logs record specific information about actions taken on a system, aiding in the identification of authorized and unauthorized activities.

What are the main characteristics evaluated in biometric systems?

The main characteristics evaluated are false reject rate, false accept rate, and crossover error rate.

Why are only certain traits considered truly unique in biometrics?

Only traits like fingerprints, retina, iris, and DNA are considered truly unique because they distinctly identify individuals without ambiguity.

What is a common criticism of highly reliable biometric systems?

Highly reliable biometric systems are often considered intrusive by users.

What does auditability ensure in information security?

Auditability ensures that all actions, whether authorized or unauthorized, can be traced back to an authenticated identity.

In what ways are system logs utilized apart from accountability?

System logs can be used for troubleshooting, performance monitoring, and security analysis.

What is the importance of the crossover error rate in biometric systems?

The crossover error rate indicates the point where the false reject rate and the false accept rate are equal, reflecting system performance.

How are actions tracked in a secure system?

Actions are tracked using system logs that maintain records of user activities, contributing to both accountability and security monitoring.

What is the primary focus of the Clark-Wilson Integrity Model?

To ensure no unauthorized changes are made by both unauthorized and authorized subjects.

Describe the composition of the Graham-Denning Access Control Model.

It consists of a set of objects, a set of subjects, and a set of rights.

What is the main purpose of the Harrison-Ruzzo-Ullman Model?

To define methods for changing access rights and managing subjects or objects.

Explain the Brewer-Nash Model and its relevance.

It is designed to prevent conflicts of interest between two parties.

What constitutes a firewall in information security?

A combination of hardware and software that filters information between trusted and untrusted networks.

List and describe the key processing modes of firewalls.

Packet filtering, application-layer proxy, MAC layer firewalls, and hybrid models.

What kind of information do packet-filtering firewalls examine?

They examine header information of data packets, including IP addresses and TCP/UDP port requests.

How do packet-filtering firewalls differentiate between inbound and outbound traffic?

They assess the direction of the data packets based on their header information.

What role do MAC layer firewalls play in network security?

They filter traffic based on the MAC addresses of devices.

What are some examples of device configurations for firewalls?

They can be separate computer systems, software services on routers or servers, or separate networks.

Flashcards

Authentication

The process of verifying and validating an unauthenticated entity's claimed identity.

Authorization

The access control method that determines what resources an authenticated entity can access based on their permissions.

Identifier

A unique identifier that distinguishes one entity from another, often a combination of elements like department codes, random numbers, or special characters.

Authentication Factor

A factor used in authentication to verify identity, typically categorized as something you know, something you have, or something you are.

Authorization Credentials

A set of credentials issued by an authenticator that allows access to resources within a specific domain.

Identification

The validation process that confirms the identity of an unauthenticated entity.

Access Control

The process of giving access to information assets or resources based on the identity of an authenticated entity.

Universality

A measure of how widely applicable a biometric method is in a population.

Uniqueness

A measure of how unique a particular biometric trait is among individuals.

Permanence

A measure of how stable and unchanging a biometric trait is over time.

Collectability

How easily a biometric trait can be captured and measured.

Performance

How accurate and reliable a biometric method is in identifying individuals.

Acceptability

How readily people are willing to use a biometric method.

Circumvention

How easy it is to bypass or deceive a biometric system.

Accountability (Auditability)

A way to track all actions on a system, regardless of authorization, by linking them to a specific user's identity.

How is Accountability (Auditability) Achieved?

This mechanism ensures that every activity on a system can be traced back to the person who initiated it.

System Logs

Digital records that store information about events like logins, access attempts, changes to system settings, and file modifications.

Biometrics

A method of verifying identity based on unique biological traits, like fingerprints, iris patterns, or facial features.

False Reject Rate

How well a biometric system accurately rejects unauthorized users.

False Accept Rate

How well a biometric system accurately identifies authorized users.

Crossover Error Rate

The combined rate of false rejects and false accepts, used to evaluate the overall accuracy of a biometric system.

What are considered truly unique biometric traits?

Unique features like fingerprints, iris patterns, and DNA.

Why are highly reliable biometric systems considered intrusive?

The use of strong biometric security measures may make some users uncomfortable.

Firewall Rule Processing

The process of permitting or blocking network traffic based on pre-defined rules and criteria.

Firewall Rule Set

A set of instructions that define how a firewall should handle incoming and outgoing network traffic, based on factors like source/destination IPs, ports, and protocols.

Allow Rule

A firewall rule that allows specific traffic to pass through the firewall.

Deny Rule

A firewall rule that blocks specific traffic from passing through the firewall.

Default Allow Rule

A firewall rule that allows all traffic to pass through the firewall.

Clark-Wilson Integrity Model

A security model focused on maintaining data integrity, ensuring only authorized subjects can make changes to data, and preventing unauthorized modifications.

Graham-Denning Access Control Model

This model defines a system based on objects, subjects, and their associated rights, emphasizing the management of access permissions.

Harrison-Ruzzo-Ullman Model

This model focuses on dynamically managing access rights, allowing for the addition or removal of users and objects, and modifying access privileges.

Brewer-Nash Model (Chinese Wall)

A security model specifically designed to prevent conflicts of interest, often used in situations where confidential information must be protected from unauthorized access.

Firewall

A combination of hardware and software that acts as a gatekeeper, controlling the flow of information between trusted and untrusted networks.

Packet Filtering

A firewall method that examines data packets based on header information, such as source and destination addresses, ports, and protocols.

Application-Layer Proxy

A firewall technique that operates at the application layer, examining higher-level protocols and potentially caching data for faster response.

MAC Layer Firewall

A firewall technique that uses MAC addresses to control network access, blocking or allowing devices based on their unique hardware identifiers.

Hybrid Firewall

A firewall approach that combines various techniques, such as packet filtering, application proxy, and MAC layer filtering, to provide comprehensive security.

Study Notes

Module 6: Security Technology: Access Controls, Firewalls, and VPNs

• Access control is a selective method for systems to specify who can use a resource and how.
• Technical controls are essential in enforcing policy for IT functions not directly managed by humans.
• Well-implemented technical controls improve balance between accessibility and confidentiality/integrity.
• Access controls focus on permissions/privileges for subjects (users/systems) on objects (resources).
• Access control includes consideration of when, how, and from where a subject can access an object, and the ways a subject uses it.
• Mandatory Access Controls (MACs) require structured data classification schemes that prioritize each information collection and user.
• Discretionary Access Controls (DACs) are implemented at the discretion of the data user.
• Nondiscretionary controls are implemented by a central authority.

Access Control Approaches

• Access control relies on four mechanisms:
  • Identification: user claiming an identity
  • Authentication: proving user identity
  • Authorization: defining allowable actions with the system
  • Accountability: tracking and monitoring user actions

Identification

• Identification validates and verifies an unauthenticated entity.
• Identifiers can be composite, combining elements like department codes, random numbers, or special characters, for uniqueness.
• Most organizations use a single, unique identifier like a full name or initials and surname.

Authentication

• Authentication validates and verifies claimed identity.
• Authentication factors include:
  • Something you know (DOB, place of birth, SSN, password)
  • Something you have (token, physical key)
  • Something you are (biometrics)

Authorization

• Authorization matches an authenticated entity to a list of assets and their access levels
• Authorization can be handled by:
  • Individual user
  • User group
  • Multiple systems

Accountability

• Accountability (auditability) ensures actions are assigned to a verified identity.
• This is usually accomplished through system logs and database journals.
• Logs record, and log entries have multi-purposes.
• Logs, system/database journals can and are commonly used as audit trails.

Biometrics

• Biometrics authenticate identity using measurable human traits.
• Accurate biometrics include fingerprints, retina, iris, and DNA.
• Biometric systems are often evaluated by false rejection rate, false acceptance rate, and crossover error rate.
• Some users find highly reliable biometric systems intrusive.

Firewall Technologies

• A firewall is a combination of hardware and software that controls information flow between trusted and untrusted networks.
• A firewall might:
  • Separate computer system
  • Utilize software on existing router/server
  • Utilize separate network with supporting devices

Firewalls Processing Modes

• Firewalls use various processing modes:
  • Packet filtering through data packet headers
  • Application-layer proxy through higher layer protocols (and cache services)
  • MAC layer firewalls using MAC addresses
  • Hybrid models using several criteria

Packet-Filtering Firewalls

• Packet-filtering firewalls examine packet header information based on several criteria, such as:
  • IP source and destination addresses
  • Direction (inbound or outbound)
  • TCP/UDP port numbers
• Simple models enforce rules blocking packets based on their addresses.

Access Control Architecture Models

• Models like TCSEC's Trusted Computing Base (TCB), used in pre-2005 DoD Rainbow Series security policy enforcement, help quickly implement or adapt access control strategies.
• Challenges of covert channels, storage channels, and timing channels must be considered.
• Other models, like ITSEC (International Standards for evaluating computer security), the Common Criteria (considered successor to TCSEC and ITSEC), Bell-LaPadula, Biba Integrity Model, Clark-Wilson, Graham-Denning, and Harrison-Ruzzo-Ullman are security models, or access control schemes having unique purposes.

Firewall Architectures

• Firewalls can be configured in several arrangements, including single bastion hosts, screened hosts, and screened subnets(with DMZs).
• Architectural decisions should consider network objectives, organizational capabilities, and available budget.

VPNs

• Virtual Private Networks (VPNs) create a private communication pathway between networked systems.
• Securely accessing internal network resources from remote locations via VPNs.
• VPN implementations exist via Trusted, Secure, and/or Hybrid VPNs.

VPN Functionality

• VPNs use encryption, encapsulation, and authentication functions to create secure connections.
• VPNs use mechanisms such as encapsulation, encryption, authentication to turn public network into private networks
• Common types of VPNs include transport mode VPNs and tunnel mode VPNs.

Content Filters

• Content filters are software programs or appliances that restrict content entering or leaving a network.
• Content filters focus on scripts or programs that limit access to specific protocols/internet locations.
• Content Filters mainly used for internal access restriction to external materials and preventing/filtering incoming spam.

Additional Information regarding Specific Topics

• Knowledge check activity questions for firewalls/access control
• Various Firewall Rule Sets are included (Rule Set 1 - Rule Set 8).
• Well-known Port Numbers are listed
• External/Internal Filtering Firewall Rule Sets
• Access Control Considerations with COVID-19