sodapdf-merged (8).pdf
Document Details
Uploaded by LogicalMelodica
University of Westminster
2024
Tags
Full Transcript
Defensive Technologies -(Intrusion Detection and Firewalls) 6COSC019W- Cyber Security Dr Ayman El Hajjar April 02, 2024 School of Computer Science and Engineering University of Westminster Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS...
Defensive Technologies -(Intrusion Detection and Firewalls) 6COSC019W- Cyber Security Dr Ayman El Hajjar April 02, 2024 School of Computer Science and Engineering University of Westminster Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots O UTLINE 1. Firewall Systems 2. Intrusion Detection Systems (IDS) 3. Intrusion Prevention Systems (IPS) 4. Honeypots 1 Firewall Systems Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots T HE N EED F OR F IREWALLS ❏ Internet connectivity is essential however it brings threats to our information system enrolment. ❏ Placed between the premises network and the Internet to establish a controlled link ❐ Can be a single computer system or a set of two or more systems working together ❏ Used as a perimeter defence ❐ Single choke point to impose security and auditing ❐ separates the internal systems from external networks 2 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots F IREWALL C HARACTERISTICS Design goals ❐ All traffc from inside to outside, and vice versa, must pass through the frewall ❐ Only authorised traffc as defned by the local security policy will be allowed to pass ❐ The frewall itself is immune to penetration 3 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots T YPES OF F IREWALL ❏ A frewall can monitor network traffc at a number of levels from low-level network packets, either individually or as part of a fow, to all traffc within a transport connection, up to inspecting details of application protocols. ❏ The choice of which level is appropriate is determined by the desired frewall access policy. ❏ Firewall levels are: ❐ Packet fltering frewall ❐ Stateful fltering frewall ❐ Application proxy frewall ❐ Circuit level proxy frewall 4 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots W HAT DO THEY F ILTER ! IP address and protocol values ❐ This type of fltering is used by packet flter and stateful inspection frewalls, used to limit access to specifc services Application protocol ❐ This type of fltering is used by an application-level gateway that relays and monitors the exchange of information for specifc application protocols User identity ❐ Typically for inside users who identify themselves using some form of secure authentication technology Network activity ❐ Controls access based on considerations such as the time or request, rate of requests, or other activity patterns 5 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots PACKET F ILTERING F IREWALL Also called Stateless fltering Firewall ❏ Applies rules to each incoming and outgoing IP packet ❐ Typically a list of rules based on matches in the IP or TCP header ❏ Two default policies: ❐ Discard (Deny) - prohibit unless expressly permitted ❐ Forward (Permit) - permit unless expressly prohibited Filtering rules are based on information contained in a network packet ❏ Source IP address ❏ Destination IP address ❏ Source and destination transport-level address ❏ IP protocol feld ❏ Interface 6 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots S TATEFUL FILTERING FIREWALL ❏ Tightens rules for TCP traffc by creating a directory of outbound TCP connections ❐ There is an entry for each currently established connection ❐ Packet flter allows incoming traffc to high numbered ports only for those packets that ft the profle of one of the entries in this directory ❏ Reviews packet information but also records information about TCP connections ❐ Keeps track of TCP sequence numbers to prevent attacks that depend on the sequence number 7 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots A PPLICATION PROXY FIREWALL ❏ Also called ”Application-Level Gateway” ❏ Acts as a relay of application-level traffc ❐ User contacts gateway using a TCP/IP application ❐ User is authenticated ❐ Gateway contacts application on remote host and relays TCP segments between server and user ❏ Must have proxy code for each application ❐ May restrict application features supported ❏ Tend to be more secure than packet flters ❏ Disadvantage is the additional processing overhead on each connection 8 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots C IRCUIT-L EVEL G ATEWAY Circuit level proxy ❏ Sets up two TCP connections, one between itself and a TCP user on an inner host and one on an outside host ❏ Relays TCP segments from one connection to the other without examining contents ❏ Security function consists of determining which connections will be allowed ❏ Typically used when inside users are trusted ❐ May use application-level gateway inbound and circuit-level gateway outbound ❐ Lower overheads 9 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots Figure 1: Types of Firewall 10 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots H OST-BASED F IREWALLS / P ERSONAL F IREWALL ❏ Used to secure an individual host ❏ Available in operating systems or can be provided as an add-on package ❏ Can be housed in a router that connects all of the home computers to the Internet ❏ Filter and restrict packet fows. Primary role is to deny unauthorised remote access ❏ May also monitor outgoing traffc to detect and block worms and malware activity Advantages ❐ Filtering rules can be tailored to the host environment ❐ Protection is provided independent of topology ❐ Provides an additional layer of protection 11 Intrusion Detection Systems (IDS) Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots Security Intrusion: unauthorised act of bypassing the security mechanisms of a system Intrusion Detection: A hardware or software function that gathers and analyses information from various areas within a computer or a network to identify possible security intrusions 11 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots I NTRUSION D ETECTION S YSTEM (IDS) ❏ An IDS Comprises of three logical components ❐ Sensors - A fundamental component of intrusion detection that collects data. ❐ Common data sources include System call traces, Audit (log fle) records,File integrity checksums, Registry access. ❐ Analysers - determine if intrusion has occurred ❐ User interface - view output or control system behaviour ❏ An IDS uses either the Anomaly detection or the Signature/Heuristic detection approach. ❏ There are three type of Intrusion Detection systems, a Host-based IDS (HIDS) a Network-based IDS (NIDS) and a Distributed or hybrid IDS that combines both characteristics 12 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots A NALYSIS A PPROACHES ❏ Anomaly detection ❐ Involves the collection of data relating to the behaviour of legitimate users over a period of time ❐ Current observed behaviour is analysed to determine whether this behaviour is that of a legitimate user or that of an intruder ❏ Signature/Heuristic detection ❐ Uses a set of known malicious data patterns or attack rules that are compared with current behaviour ❐ Also known as misuse detection ❐ Can only identify known attacks for which it has patterns or rules 13 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots S IGNATURE OR A NOMALY ? ❏ Attacks suitable for Signature detection ❐ Application layer reconnaissance and attacks ❐ Transport layer reconnaissance and attacks ❐ Network layer reconnaissance and attacks ❐ Unexpected application services ❐ Policy violations ❏ Attacks suitable for Anomaly detection ❐ Denial-of-service (DoS) attacks ❐ Scanning ❐ Worms 14 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots H OST-BASED I NTRUSION D ETECTION S YSTEM (HIDS) ❏ Adds a specialised layer of security software to vulnerable or sensitive systems ❏ Can use either anomaly or signature and heuristic approaches ❏ Monitors activity to detect suspicious behaviour ❐ Primary purpose is to detect intrusions, log suspicious events, and send alerts ❐ Can detect both external and internal intrusions 15 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots N ETWORK -BASED I NTRUSION D ETECTION S YSTEM (NIDS) ❏ Monitors traffc at selected points on a network ❏ Examines traffc packet by packet in real or close to real time ❏ May examine network, transport, and/or application-level protocol activity ❏ Comprised of a number of sensors, one or more servers for NIDS management functions, and one or more management consoles for the human interface ❏ Analysis of traffc patterns may be done at the sensor, the management server or a combination of the two 16 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots A N I NTRUSION DETECTION SYSTEM MUST BE ABLE TO ❐ Run continually with minimal human supervision. ❐ Be fault tolerant - Must be able to recover from system crashes and reinitialisations. ❐ Resist subversion. The IDS must be able to monitor itself and detect if it has been modifed by an attacker. ❐ Impose a minimal overhead on the system where it is running. ❐ Be able to be confgured according to the security policies of the system that is being monitored. ❐ Be able to adapt to changes in system and user behaviour over time. ❐ Be able to scale to monitor a large number of hosts. ❐ Provide graceful degradation of service in the sense that if some components of the IDS stop working for any reason, the rest of them should be affected as little as possible. ❐ Allow dynamic reconfguration; that is, the ability to reconfgure the IDS without having to restart it. 17 Intrusion Prevention Systems (IPS) Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots I NTRUSION P REVENTION S YSTEMS (IPS) ❏ Also known as Intrusion Detection and Prevention System (IDPS) ❏ Is an extension of an IDS that includes the capability to attempt to block or prevent detected malicious activity ❏ Can be host-based, network-based, or distributed/hybrid ❏ Can use anomaly detection to identify behavior that is not that of legitimate users, or signature/heuristic detection to identify known malicious behavior can block traffc as a frewall does, but makes use of the types of algorithms developed for IDSs to determine when to do so 18 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots H OST-BASED IPS (HIPS) ❏ Can make use of either signature/heuristic or anomaly detection techniques to identify attacks ❐ Signature: focus is on the specifc content of application network traffc, or of sequences of system calls, looking for patterns that have been identifed as malicious ❐ Anomaly: IPS is looking for behaviour patterns that indicate malware ❏ Examples of the types of malicious behaviour addressed by a HIPS are Modifcation of system resources, Privilege-escalation exploits, Buffer-overfow exploits, Access to e-mail contact list, Directory traversal 19 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots H OST-BASED IPS (HIPS) ❏ Capability can be tailored to the specifc platform ❏ A set of general purpose tools may be used for a desktop or server system. ❏ Some packages are designed to protect specifc types of servers, such as Web servers and database servers ❏ Can use a sandbox approach ❐ Sandboxes are especially suited to mobile code such as Java applets and scripting languages ❐ HIPS quarantines such code in an isolated system area then runs the code and monitors its behavior ❐ Areas for which a HIPS typically offers desktop protection such as System calls, File system access. 20 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots T HE R OLE OF HIPS ❏ Many industry observers see the enterprise endpoint, including desktop and laptop systems, as now the main target for hackers and criminals ❐ Endpoint security is provided by a collection of products, such as antivirus, and frewalls. ❏ Approach is an effort to provide an integrated, single-product suite of functions ❏ HIPS can be used as a defence-in-depth strategy that involves network-level devices, such as network-based IPSs 21 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots N ETWORK -BASED IPS (NIPS) ❏ Inline NIDS with the authority to modify or discard packets and tear down TCP connections ❏ Makes use of signature/heuristic and anomaly detection ❏ May provide fow data protection ❐ Requires that the application payload in a sequence of packets be reassembled 22 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots IPS METHODS TO IDENTIFY MALICIOUS PACKETS ❐ Signature-based : This method involves comparing network traffc against a database of known attack patterns or signatures. ❐ Anomaly-based : Anomaly detection involves establishing a baseline of normal network behaviour and then identifying deviations from this baseline. ❐ Heuristic-based : Heuristic analysis involves using rules and algorithms to identify potentially malicious behaviour. This method is less specifc than signature-based method but can detect previously unknown threats such as Zero-Day attacks based on certain characteristics. ❐ Protocol Analysis: IPS devices may analyse network protocols to detect abnormalities or violations. For example, if a protocol is not adhering to its standard specifcations, it may be fagged as suspicious. 23 Honeypots Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots H ONEYPOTS ❏ Decoy systems designed to: ❐ Lure a potential attacker away from critical systems ❐ Collect information about the attacker’s activity ❐ Encourage the attacker to stay on the system long enough for administrators to respond ❏ Systems are flled with fabricated information that a legitimate user of the system wouldn’t access ❏ Resources that have no production value ❐ Therefore incoming communication is most likely a probe, scan, or attack ❐ Initiated outbound communication suggests that the system has probably been compromised ❏ A collection of honeypots is called HoneyNets. 24 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots H ONEYPOT C LASSIFICATIONS ❏ Low interaction honeypot ❐ Software package that emulates particular IT services or systems well enough to provide a realistic initial interaction ❐ Provides a less realistic target ❐ Often suffcient for use as a component of a distributed IDS to warn of imminent attack ❏ High interaction honeypot ❐ A real system, with a full operating system, services and applications, which are instrumented and deployed where they can be accessed by attackers ❐ Is a more realistic target that may occupy an attacker for an extended period 25 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots R EQUIREMENTS OF H ONEYPOTS /H ONEYNETS ❏ Isolation ❐ They should be isolated from the production system and network are typically ❐ They should contain and study any malicious activity without putting actual production systems at risk. ❏ Continuous monitoring ❐ They should be monitored continuously analyse potential threats on the company and the behaviour of attackers. ❏ Deception ❐ They should be as realistic as possible as they rely on the principle of deception. ❐ By presenting an attractive target to potential attackers, security experts can observe and learn from their activities without exposing real assets 26 Firewall Systems Intrusion Detection Systems (IDS) Intrusion Prevention Systems (IPS) Honeypots R EFERENCES ❏ The lecture notes and contents were compiled from my own notes and from various sources. ❏ Figures and tables are from the recommended books ❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics. ❏ You can use any of the recommended readings! You do not need to read all the chapters! ❏ Recommended Readings note: Focus on what was covered in the class. ❐ Chapter 3, Security Foundations , CEH v11 Certifed Ethical Hacker Study Guide ❐ Chapter 5 ,Networks and Telecommunications, Fundamentals of Information Systems Security ❐ Chapter 19, Network Security, The Cyber Security Body of Knowledge 27 AAA & Access Control 6COSC019W- Cyber Security Dr Ayman El Hajjar March 26, 2024 School of Computer Science and Engineering University of Westminster Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) O UTLINE 1. Access Control 2. Logical Access Control 3. Access Control principles 4. Access Control Models 5. Authentication, Authorisation & Accountability (AAA) 1 Access Control Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) Protecting Security Assets The ultimate goal for any security practitioner is to be able to secure all assets of their organisation. Defning Access Control ❏ Access Control is the process of protecting a resource so that it is used only by those allowed to. ❏ Mitigations put into place to protect a resource from a threat such as to prevent unauthorised use. 2 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) ACCESS C ONTROL F UNCTIONS ❏ Identifcation: Who is asking to access the asset? ❐ Subjects supplying identifcation information ❐ Username, user ID, account number ❏ Authentication: Can their identities be verifed? ❐ Verifying the identifcation information ❐ Passphrase, PIN, biometric, password, OTP ❏ Authorisation: What can the requester access and do? ❐ Using criteria to determine what the subjects can do on objects ❐ ”I know who you are, I will allow you to do what you are allowed to ?” ❏ Accountability: How are actions traced to an individual to ensure the person who makes data or system changes can be identifed? ❐ Audit logs and/or real-time monitoring to track subject activities with objects 3 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) ACCESS C ONTROL 4 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) P OLICY D EFINITION AND P OLICY E NFORCEMENT P HASES ❏ Policy Defnition phase: We start by defning Who has access and what systems or resources they can use. ❐ Tied to the authorisation phase ❏ Then, the policy enforcement phase Grants/Rejects requests for access based on the authorisations defned in the frst phase. ❐ Tied to identifcation, authentication, & accountability An example ❏ In the policy defnition phase: We defne the following ❐ Students are only authorised to see contents of their modules. They cannot edit. ❏ In the policy enforcement phase: For each student who access the system: ❐ Identifed by their username and authenticated by their password, they are given access to what they are authorised to see as per the policy defnition phase. 5 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) ACCESS C ONTROL C OMPONENTS 6 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) T YPES OF ACCESS C ONTROL Physical Access Control ❏ Cards control access to physical resources or fngerprint (less used) ❏ Smart cards Programmed with ID number are an example ❏ Used at parking lots, elevators, offce doors Logical Access Control ❏ Deciding which users can get into a system ❏ Monitoring what each user does on that system ❏ Restraining or infuencing a user’s behaviour on that system 7 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) E NFORCING ACCESS C ONTROL The Security Kernel ❏ Enforces access control for computer systems ❏ Central point of access control ❏ Implements the reference monitor concept How Access Control is enforced ❏ The subject requests access to an object. The security kernel intercepts the request. ❏ The security kernel refers to its rules base, also known as the security kernel database to allow or deny access. ❏ All access requests handled by the system are logged for later tracking and analysis. 8 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) E NFORCING ACCESS C ONTROL 9 Logical Access Control Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) L OGICAL ACCESS C ONTROL S OLUTIONS Logical Controls Solutions Biometrics Static: Fingerprints, iris granularity, retina blood vessels, facial features, and hand geometry Dy- namic: Voice infections, keyboard strokes, and signature motions Tokens Synchronous or asynchronous Smart cards and memory cards Passwords Stringent password controls for users Account lockout policies Auditing logon events Single sign-on Kerberos process Secure European System for Applications in a Multi-Vendor Environment (SESAME) 10 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) AUTHENTICATION T YPES Authentication by Knowledge: Something you know ❐ Passwords, passphrases. PIN number Authentication by Ownership: Something you own ❏ Synchronous token- Calculates a number at both the authentication server and the device ❐ Time-based synchronization, i.e. software authenticator ❐ Event-based synchronization, i.e. SMS one time password ❏ Asynchronous token: Fixed, no calculation is needed as long as you prove you physically have it, you can access ❐ USB token or Smart card 11 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) A SYNCHRONOUS TOKEN C HALLENGE -R ESPONSE 12 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) AUTHENTICATION T YPES Authentication by Characteristics: Something unique to you ❐ This can be: ❑ Biometrics - Something Static, What are you Fingerprint, facial recognition, hand geometry, Retina scan ❑ Something Dynamic such as What you do! Voice patterns, keystroke dynamics, signature dynamics Authentication by Location: Somewhere you are ❏ Location ❐ Strong indicator of authenticity 13 Access Control principles Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) G ENERAL P RINCIPLES ❏ Files and folders are managed by the operating system ❏ Applications, including shells, access fles through an API ❏ Access control entry (ACE) ❐ Allow/deny a certain type of access to a fle/folder by user/group ❏ Access control list (ACL) ❐ Collection of ACEs for a fle/folder ❏ A fle handle provides an opaque identifer for a fle/folder ❏ File operations ❐ Open fle: returns fle handle ❐ Read/write/execute fle ❐ Close fle: invalidates fle handle ❏ Hierarchical fle organisation ❐ Tree (Windows) ❐ DAG (Linux) 14 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) ACCESS P OLICIES 15 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) ACCESS C ONTROL M ATRIX EXAMPLE ❐ Each entry in the matrix indicates the access rights of a particular subject for a particular object Objects File 1 File 2 File 3 File 4 Own Own User A Read Read Subjects Write Write Own User B Read Read Write Read Write Own Read User C Read Read Write Write 16 Access Control Models Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) ACCESS C ONTROL M ODELS ❏ All access control models are built on the security operation principles listed below: ❐ Need to know This principle ensures that subjects are granted access only to what they need to know for their work tasks and job functions. ❐ Least privilege This principle ensures that subjects are granted only the privileges they need to perform their work tasks and job functions. ❐ Separation of privileges This principle ensures that sensitive functions are split into tasks performed by two or more employees. 17 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) ACCESS C ONTROL M ODELS ❏ An access control model is a framework that dictates how subjects access objects. ❏ It uses access control technologies and security mechanisms to enforce the rules and objectives of the model. ❏ There are three main types of access control models: ❐ Discretionary ❐ Mandatory (Sometimes called Non-Discretionary) ❐ Rule Based ❐ Attribute-based access control (ABAC) ❏ Each model type uses different methods to control how subjects access objects ❏ Each model has its own merits and limitations. 18 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) Role-based access control Discretionary access control (RBAC) (DAC) Controls access based on the Controls access based on the roles that users have within the identity of the requester and on system and on rules stating what access rules (authorisations) accesses are allowed to users in stating what requestors are (or are given roles not) allowed to do Attribute-based access control Mandatory access control (ABAC) (MAC) Controls access based on Controls access based on attributes of the user, the resource comparing security labels with to be accessed, and current security clearances environmental conditions 19 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) D ISCRETIONARY ACCESS C ONTROL (DAC) ❏ The principle of discretionary access control (DAC) dictates that the information owner is the one who decides who gets to access the system(s) ❏Scheme in which an entity may be granted access rights that permit the entity, by its own violation, to enable another entity to access some resource ❏ Most of the common operating systems on the market today (Windows, Macintosh, UNIX and others) rely on DAC principles for access and operation ❏ Often provided using an access matrix ☞ One dimension consists of identifed subjects that may attempt data access to the resources ☞ The other dimension lists the objects that may be accessed 20 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) DAC T ERMS AND CONCEPTS ❏ Access Control Lists ❐ A list or a fle of users who are given the privilege of access to a system or resource (a database, for example) ❐ Within the fle is a user ID and an associated privilege or set of privileges for that user and that resource ❐ Privileges typically include Read, Write, Update, Execute, Delete, or Rename ❐ The other dimension lists the objects that may be accessed ❏ User Provisioning ❐ Granting access to new employees ❐ Include checking management approvals for grating access 21 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) N ON - DISCRETIONARY ACCESS C ONTROL ❏ Access rules are closely managed by security administrator, not system owner or ordinary users ❏ Sensitive fles are write-protected for integrity and readable only by authorised users ❏ More secure than discretionary access control ❏ Ensures that system security is enforced and tamper-proof 22 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) M ANDATORY ACCESS C ONTROL (MAC) ❏ Determines the level of restriction by how sensitive the resource is ❏ The system decides who gains access to information based on the concepts of subjects, objects, and labels ❏ Often used in military and government systems with labels given to objects and access is given to subject based on security clearance level. ❐ Subjects: The people or other systems that are granted a clearance to access an object within the information system ❐ Objects: The elements within the information system that are being protected from use or access ❐ classifcation label: The mechanism that binds objects to subjects. A subject’s clearance permits access to an object based on the labelled security protection assigned to that object such as Top Secret, Secret, Confdential and unclassifed 23 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) R ULE BASED ACCESS C ONTROL (RBAC) ❏ Rule-based access control uses specifc rules that indicate what can and cannot happen between a subject and an object. ❏ It is based on the simple concept of ”if X then Y” programming rules, which can be used to provide fner-grained access control to resources. ❏ Before a subject can access an object in a certain circumstance, it must meet a set of predefned rules. ❐ An example can be as simple as ”If the user’s ID matches the unique user ID value in the provided digital certifcate, then the user can gain access.” ❐ or a complex example such as ”If the user is accessing the system between Monday and Friday and between 8 A.M. and 5 P.M., and if the user’s security clearance equals or dominates the object’s classifcation, and if the user has the necessary need to know, then the user can access the object.” 24 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) R ULE -BASED ACCESS C ONTROL 25 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) ATTRIBUTE -BASED ACCESS C ONTROL (ABAC) ❏ Can defne authorisations that express conditions on properties of both the resource and the subject ❏ Strength is its fexibility and expressive power ❏Main obstacle to its adoption in real systems has been concern about the performance impact of evaluating predicates on both resource and user properties for each access ❏ There is considerable interest in applying the model to cloud services 26 Authentication, Authorisation & Accountability (AAA) Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) AUTHENTICATION , AUTHORISATION , AND ACCOUNTING (AAA) ❏ AAA protocols are commonly used with remote access systems such as virtual private networks (VPNs) and other types of network access servers to provide centralised access control. ❏ They prevent internal LAN authentication systems and other servers from being attacked remotely. ❏ When a separate system is used for remote access, only the remote access users are affected if this system is successfully attacked. ❏ The AAA protocols are also commonly used for mobile IP, which provides access to mobile users with smart phones. 27 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) C ENTRALISED AND D ECENTRALISED AAA ❏ Additional access control mechanisms are required because of the use of insecure networks to create a connection to the corporate local area network ❏ Centralised authentication, authorization, and accounting (AAA) servers ❐ RADIUS ❐ TACACS+ ❐ DIAMETER ❏ Decentralised Access Control: Access control is in the hands of the people closest to the system users ❐ Password Authentication Protocol (PAP) ❐ Challenge-Handshake Authentication Protocol (CHAP) ❐ Mobile device authentication, Initiative for Open Authentication (OATH). For example One-Time Password (OTP) 28 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) R EMOTE U SER ACCESS AND AUTHENTICATION (RADIUS) ❏ RADIUS is a client/server protocol and software that enables remote access users to communicate with a central server to authorise their access to the requested system or service ❏ It allows companies to have a single administered entry point, which provides standardization in security and a simplistic way to track usage and network statistics. 29 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) TACACS+ ARCHITECTURE : ❏ TACACS+ provides the same What does the use of TCP functionality as RADIUS with a few means for us? differences in some of its ❐ Any software that uses characteristics. UDP as its transport ❐ TACACS+ uses TCP as its protocol has to be ”fatter” transport protocol, while RADIUS with intelligent code. uses UDP. TACAS+ will be faster to ❏ If compared with RADIUS, transmit. TACACS+ is the better choice for complex environments such as corporate networks that require ❐ More sophisticated authentication steps ❐ Tighter control over more complex authorisation activities, 30 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) D IAMETER ❏ Diameter is a protocol that has been developed to build upon the functionality of RADIUS and overcome many of its limitations. ❏ Diameter uses TCP as its transport protocol ❏ It provides the same type of functionality as RADIUS and TACACS+ in addition to wireless networks access. ❏ Diameter also provides more fexibility and capabilities to meet the new demands of today’s complex and diverse networks. ❏ Diameter can deal with issues such as mobile IP. ❏ Diameter provides several functionalities in addition to AAA functionality such as roaming operations and replay attack protection. 31 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) S INGLE S IGN -O N (SSO) ❏ In an SSO system, users have one password for all corporate and back-offce systems and applications they need to perform their jobs ❏ One password can be remembered and used, thus increasing the security of the overall system of access controls ❏ Single Sign-On mechanisms include ❐ Kerberos ❐ Federated Identities 32 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) K ERBEROS ❏Kerberos is designed to provide authentication for client/server applications by using symmetric-key cryptography ❏ A free implementation available from MIT ❏ Works by assigning a unique key, called a ticket, to each user ❏ User logs in once and then can access all resources based on the permission level associated with the ticket 33 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) F EDERATED I DENTITIES ❏ Sites have an arrangement with a service so users can log in with the service credentials and don’t have to create a new unique user name and password ❐ Facebook ❐ Google 34 Access Control Logical Access Control Access Control principles Access Control Models Authentication, Authorisation & Accountability (AAA) R EFERENCES ❏ The lecture notes and contents were compiled from my own notes and from various sources. ❏ Figures and tables are from the recommended books ❏ The lecture notes are very detailed. If you attend the lecture, you should be able to understand the topics. ❏ You can use any of the recommended readings! You do not need to read all the chapters! ❏ Recommended Readings note: Focus on what was covered in the class. ❐ Chapter 14, Security Architecture and Design, CEH v11 Certifed Ethical Hacker Study Guide ❐ Chapter 6, Access Controls, Fundamentals of Information Systems Security ❐ Chapter 14, Authentication, Authorisation & Accountability CyBOK, The Cyber Security Body of Knowledge 35
