Access Control

Access Control: Part II
Chao-Hsien Chu, Ph.D.
College of Information Sciences and Technology
The Pennsylvania State University
University Park, PA 16802
chu@ist.psu.edu
IST 515
Access Control Process
• Identification: Method of establishing the subject's (user, program, process) identity.
  – Use of user name or other public information.
  – Know identification component requirements.
• Authentication: Method of proving the identity.
  – Something a person is, has, or does.
  – Use of biometrics, passwords, passphrase, token, or other private information.
• Authorization: Determines and gives the authenticated users the proper right to access the requested resources.
Step 1: Identification
• Identification is the assurance that the entity
(e.g., user) requesting access is accurately
associated with the role or subject defined
within the system.
• Identification is a critical first step in applying
access controls. It is necessary to identify the
users for downstream activities and controls.
– Accountability
– Audit trail
– Trace individual activities
Types of Identification
• The most common form of identification is a
username, user ID, account number, or personal
identification number (PIN).
• To ensure that an authorized application is the one making requests to
potentially sensitive resources, applications can use digital identification
such as a certificate or a one-time session identifier.
• Other types of identification include tokens, smart
card or smart devices, biometric devices, and badges
for visual and physical access.
Essential Identification Practices
• Uniqueness: User identification must be unique so that
each person can be positively identified.
• Nondescriptive: User identification should not expose
the associated role or job function of the user (e.g.,
root, admin, web master, and cfo).
• Issuance: The process of issuing identifiers must be
secure and documented. If an identity can be
inappropriately issued, the entire system begins to
break down. The entire process must be logged and
documented to ensure the process can be verified and
audited.
Step 2: Authentication
There are three types of factors (information) that can be used for
authentication:
• Authentication by knowledge – What a person
knows. Something you know (e.g., a password).
• Authentication by ownership – What a person has.
Something you have (e.g., a token or smart card).
• Authentication by characteristic – What a person is
or does. Something you are or do (e.g.,
biometrics).
Types of Authentication
• Single-factor authentication employs one of the three
factors, which is usually associated with a username
and password combination.
• Two-factor authentication uses two of the three factors. It usually
introduces an additional level of technical control in the form of a
physical or biometric device. It can include one-time passwords.
• Three-factor authentication uses all three factors and, as such,
includes something about the user such as biometric features.
What a Person Knows
What a person knows can be associated with the
user ID or other unique identifier:
• A password is typically a short (5 to 15 characters) string of
characters that the user must remember to authenticate against their
unique identifier.
• A passphrase allows the user to use an easier-to-remember phrase
(sentence) as a password without sacrificing integrity. It supports all
types of characters and spaces, is longer to enter, and is typically
harder to attack.
Techniques to Attack Passwords
• Electronic monitoring
• Access the password file
• Brute force attacks
• Dictionary attacks
• Social engineering
• What are the differences between a password checker and a password cracker?
• What are the potential legal issues?
The Protection of Passwords
• The more diverse (or complicated) the password is, the more difficult
it will be to guess or crack.
• A password must never be passed over a network or stored in cleartext.
Moreover, password storage must be protected.
• To protect passwords from being exposed, they are typically hashed. A
hash function is inherently one-way, which means that a hash result
cannot be reversed to produce the original data.
• However, the time to discover a password by means of a password
cracker is directly related to the complexity of the password and to the
hashing algorithm employed.
What a Person Has
• Typically a physical device (such as a token, a memory card, or a smart
card) that can be used in lieu of a password or in addition to a
password. The objective is to add another layer of confidence that the
user is who he or she claims to be, through the assurance a physical
device offers.
• Asynchronous: An asynchronous token device is essentially a
challenge-response technology. A dialogue is required between the
authentication service and the remote entity.
• Synchronous: Synchronous token authentication is based on event-,
location-, or time-based synchronization between the requestor and the
authenticator.
Authentication Devices
• Memory Cards: The cards hold user authentication information but do
not process it. The user only needs to type in a user ID or PIN and
present the memory card for approval (e.g., a swipe card or an ATM card).
Moreover, data stored on the card is not protected.
• Smart Card: A card that has an embedded semiconductor chip that
accepts, stores, processes, and sends information. It can hold more data
than magnetic-stripe cards. Also, small applications can be incorporated
into the memory to provide various functions. Smart cards can be contact
or contactless.
Authentication - Biometrics
• Uses a unique personal attribute or behavior (i.e., what a person "is")
to verify his or her identity.
• Biometric considerations:
  – Resistance to counterfeiting
  – Data storage requirements
  – User acceptance (due to privacy concerns)
  – Reliability and accuracy
Types of Biometrics
Biometric systems can be divided into two main classes:
• Physiological: Fingerprint, Hand, Face, Iris, DNA
• Behavioral: Voice, Keystroke, Signature
Biometric Accuracy Measurement
Accuracy, or the ability to separate authentic users from impostors, is
essential for biometric systems.
• False rejection rate (FRR, Type I error): Authorized users are rejected
as unidentified or unverified.
• False acceptance rate (FAR, Type II error): Unauthorized persons are
accepted as authentic. This is an important error to avoid.
• Crossover Error Rate (CER): The point at which the false rejection rate
and false acceptance rate are equal. The smaller the value of the CER,
the more accurate the system.
• The lower the sensitivity, the more prone the system is to false
acceptance. Not sensitive enough, and anyone is authorized; too
sensitive, and no one gets through.
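How FRR, FAR and the CER are actually computed from matcher scores, as an added example (not part of the lecture). The genuine and impostor similarity scores are constructed; the "sensitivity" of the slide is the acceptance threshold swept below.

```python
from typing import List, Tuple

# Constructed similarity scores (0 = no match, 1 = perfect match); not real data.
GENUINE = [0.92, 0.88, 0.81, 0.79, 0.75, 0.70, 0.66, 0.60, 0.55, 0.48]   # enrolled users vs. their own samples
IMPOSTOR = [0.20, 0.25, 0.31, 0.38, 0.44, 0.50, 0.57, 0.63, 0.72, 0.80]  # other people vs. those templates


def error_rates(genuine: List[float], impostor: List[float],
                threshold: float) -> Tuple[float, float]:
    """A sample is accepted when its score >= threshold.
    FRR (Type I): fraction of genuine attempts rejected.
    FAR (Type II): fraction of impostor attempts accepted."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def crossover_error_rate(genuine: List[float],
                         impostor: List[float]) -> Tuple[float, float]:
    """Sweep every observed score as a candidate threshold (the system's
    sensitivity setting) and return (threshold, CER) at the point where
    FRR and FAR are closest to equal. Lower CER = more accurate system."""
    best_threshold, best_cer, best_gap = None, None, None
    for t in sorted(set(genuine) | set(impostor)):
        frr, far = error_rates(genuine, impostor, t)
        gap = abs(frr - far)
        if best_gap is None or gap < best_gap:
            best_threshold, best_cer, best_gap = t, (frr + far) / 2, gap
    return best_threshold, best_cer


if __name__ == "__main__":
    # Low threshold: nobody is rejected but many impostors get in;
    # high threshold: impostors are kept out but genuine users are rejected.
    for t in (0.44, 0.63, 0.80):
        print(f"threshold {t}: (FRR, FAR) = {error_rates(GENUINE, IMPOSTOR, t)}")
    print("CER:", crossover_error_rate(GENUINE, IMPOSTOR))   # (0.63, 0.3)
```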
One Time Passwords
• Also known as dynamic passwords, a one-time password (OTP) is a
password that is valid for only one login session or transaction. OTPs
are not vulnerable to replay attacks.
• OTP generation algorithms typically make use of randomness. An OTP can
be generated in software (soft tokens) based on time synchronization
between the authentication server and the client, by a mathematical
algorithm, or by hardware.
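The time-synchronized token of the "What a Person Has" slide and the one-time password above, implemented as HOTP (RFC 4226) and TOTP (RFC 6238) with a server-side check that enforces the one-time property. This is an added example, not lecture code; the secret is the RFC reference test secret and the verifier's clock-drift window is an assumption.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-synchronized OTP (RFC 4226): HMAC-SHA1 over the 8-byte counter,
    dynamic truncation to 31 bits, then reduction modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized OTP (RFC 6238): the counter is the number of
    `step`-second intervals since the Unix epoch, so client and server
    only need reasonably synchronized clocks, not a shared session."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Server side. Accepts the current step and +/-window steps to tolerate
    clock drift, and remembers the highest step already consumed so a code
    captured on the wire cannot be replayed, even inside the window."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret, self.step, self.window = secret, step, window
        self.last_used = -1

    def verify(self, code: str, now: int) -> bool:
        base = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter <= self.last_used:
                continue                      # already spent: replay attempt
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_used = counter      # one-time: burn this step
                return True
        return False


if __name__ == "__main__":
    SECRET = b"12345678901234567890"       # RFC 4226 / RFC 6238 test secret
    print(hotp(SECRET, 0))                 # 755224
    print(totp(SECRET, 59, digits=8))      # 94287082
```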
Step 3: Authorization
• Once the subject provides its credentials and is properly identified,
the system needs to determine whether this subject has been given the
necessary rights to carry out the requested actions, and authorize it.
• Access criteria can be thought of as:
  – Roles – assign rights based on roles
  – Groups – assign rights to groups
  – Location – assign rights to a specific location
  – Time of day – assign rights based on the time
  – Transaction types – assign rights to a specific transaction
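The five access criteria combined into one default-deny authorization check, as an added example (not from the lecture). Rule and subject names are constructed; a request is granted only when some rule matches on role or group, location, time of day, and transaction type.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Iterable, Set


@dataclass
class Rule:
    """One access-criteria rule. It matches when the subject holds any listed
    role or group, requests from an allowed location (empty set = anywhere),
    and does so inside the time-of-day window."""
    action: str                                  # transaction type
    roles: Set[str] = field(default_factory=set)
    groups: Set[str] = field(default_factory=set)
    locations: Set[str] = field(default_factory=set)
    start: time = time(0, 0)
    end: time = time(23, 59, 59)


@dataclass
class Subject:
    user: str
    roles: Set[str]
    groups: Set[str]


def is_authorized(subject: Subject, action: str, location: str,
                  now: time, rules: Iterable[Rule]) -> bool:
    """Default deny: access is granted only if one rule matches every criterion."""
    for r in rules:
        if r.action != action:
            continue
        if not (subject.roles & r.roles or subject.groups & r.groups):
            continue
        if r.locations and location not in r.locations:
            continue
        if not (r.start <= now <= r.end):
            continue
        return True
    return False


# Constructed example policy (assumed role, group and location names).
RULES = [
    Rule("transfer", roles={"teller"}, locations={"branch"},
         start=time(8, 0), end=time(18, 0)),   # tellers, on site, office hours
    Rule("view_balance", groups={"staff"}),   # any staff, anywhere, any time
]
```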
Challenges of Authorization
Common problems encountered in controlling access to assets include:
• Different levels of users with different levels of access (e.g., manager vs. staff).
• Resources may be classified differently.
• Diverse identity data and devices (interoperability issue).
• Corporate environments keep changing (maintenance issue).
Authorization - Single Sign On (SSO)
Capabilities: Allow user credentials to be entered once; the user is then
able to access all resources in primary and secondary network domains.
Technologies:
• Kerberos – is an authentication protocol based on a
symmetric key cryptography technology, which has been
widely used in operating systems.
• SESAME – based on both asymmetric and symmetric key
cryptography.
• Security Domains
• Directory Services
• Dumb Terminals / Thin Clients
Access Control Categories
• Each control works at a different level of granularity, but can also
perform several functions.
• Access Control Functionalities/Categories:
  – Preventive: to avoid incidents
  – Deterrent: to discourage incidents
  – Detective: to identify incidents
  – Corrective: to remedy circumstances; mitigate damage and restore controls
  – Recovery: to restore conditions to normal
  – Compensating: as an alternative control (e.g., supervision)
Types of Control
• Access controls can be implemented at various layers of
an organization, network, and individual systems
• There are three broad categories (types) of access
control:
– Administrative: Defines the roles, responsibilities,
policies, and administrative functions to manage the
control environment.
– Physical: The operating environment, such as doors,
locks, fire management, gates and guards.
– Technical (aka Logical): Firewalls, filters, operating
systems, applications, and routing protocols.
Administrative Controls
• Personnel security, evaluation, and clearances:
  – Separation of Duties
  – Rotation of Duties
  – Mandatory Vacation
• Security Policies
• Operational Policies and Procedures
• Monitoring
• User Management
• Security Awareness Training
• Privilege Management
• Testing
• Change Management
• Business Continuity & Disaster Management
• Performance
• Configuration Mgmt.
• Vulnerability Mgmt.
• Product Life-cycle Mgmt.
• Network Management
Physical Controls
• Perimeter Security
• Physical Entry
• Computer Controls / Information Processing Center
• Work Area Separation
• Data Backups
• Cabling
• Control Zone
Technical (Logical) Controls
• User Controls
• System Access
• Network Architecture
• Network Access
• Remote Access
• Application Access
• Malware Control
• Encryption and Protocols
• Auditing
Access Control Administration
• Step 1: Choose the access control model (DAC, MAC, RBAC).
• Step 2: Select and implement different access control technologies.
• Step 3: Access control administration.
  – Centralized
  – Decentralized
Centralized Access Control
• One entity is responsible for overseeing access
to all corporate resources.
• Provides a consistent and uniform method of
controlling access rights.
– Protocols: Agreed upon ways of communication
– Attribute Value Pairs: Defined fields that accept
certain values.
• Types of Centralized Access Control
– RADIUS
– TACACS (Terminal Access Controller Access-Control System)
– DIAMETER
RADIUS
• RADIUS is a server for remote user authentication and accounting. Its
primary use is for Internet Service Providers, though it may also be
used on any network that needs a centralized authentication and/or
accounting service for its workstations.
• The package includes an authentication and
accounting server and some administrator tools.
TACACS+
• TACACS+ is an entirely new protocol and not
compatible with TACACS or XTACACS.
• TACACS+ uses the Transmission Control
Protocol (TCP) and RADIUS uses the User
Datagram Protocol (UDP). Some administrators
recommend using TACACS+ because TCP is
seen as a more reliable protocol. Whereas
RADIUS combines authentication and
authorization in a user profile, TACACS+
separates the two operations.
Example of Centralized Control
DIAMETER extends the base protocol by adding new commands and/or
attributes, such as those for use of the Extensible Authentication
Protocol (EAP).
Decentralized Access Control
• Gives control of access to the people who are
closer to the resources, as in department
managers and sometimes users.
• Has no methods for consistent control, lacks
proper consistency.
• Nonstandardization and overlapping rights,
which may cause gaps in security control.
Example of Decentralized Control
Access Control Practices
• Security professionals need to know the access control tasks that need
to be accomplished regularly to ensure satisfactory security.
• Best practices used in industry include:
  – Deny access to anonymous accounts
  – Enforce strict access criteria
  – Suspend inactive accounts
  – Replace default passwords
  – Enforce password rotation
  – Audit and review
  – Protect audit logs
Threats to Access Control
• Denial of service
• Buffer overflows
• Insiders
• Mobile code
• Malicious software
• Password crackers
• Spoofing / masquerading
• Sniffers
• Eavesdropping
• Emanations
• Shoulder surfing
• Tapping
• Object reuse
• Data remanence
• Unauthorized targeted data mining
• Dumpster diving
• Backdoor/trapdoor
• Theft
• Intruders
• Social engineering
Threats to Access Control
• Emanation is the proliferation or propagation of a signal. This
is most evident in wireless networks. A wireless network
antenna may radiate the signal to areas beyond the desired
scope, such as out of a building and into the parking lot. If this
were to occur, an attacker could drive to the location and
attempt to access the network from the privacy of his vehicle,
potentially undetected.
• Data Remanence is the remains of partial or even the entire
data set of digital information. Normally, this refers to the data
that remains after the media is written over or degaussed.
Countermeasure to Emanation Security
• TEMPEST refers to standardized technology that suppresses
signal emanations with shielding material. The devices (monitors,
computers, printers, and so on) have an outer metal coating,
referred to as a Faraday cage. This is made of metal with the
necessary depth to ensure only a certain amount of radiation is
released.
• White noise is a uniform spectrum of random electrical signals.
It is distributed over the full spectrum so the bandwidth is
constant and an intruder is not able to decipher real information
from random noise or random information.
• A control zone uses material in its walls to contain electrical
signals. This prevents intruders from being able to access information
emitted via electrical signals from network devices.
Access Control Monitoring
• Three Common Components:
  - Sensors
  - Analyzers
  - Administrator Interfaces
• Common Types:
  - Intrusion Detection
  - Intrusion Prevention
  - Honeypots
  - Network Sniffers
Intrusion Detection Systems (IDS)
IDS is a technical solution whose role is to detect suspicious activity
and report on the findings. IDS is a reactive warning system that
provides information necessary to guide administrators in
responding to the attack.
Two Main Types of Intrusion Detection Systems:
• Network Based (NIDS) is a network device, or dedicated system
attached to the network, that monitors traffic traversing the
network segment for which it is integrated. NIDS is usually
incorporated into the network in a passive architecture.
• Host Based (HIDS) is the implementation of IDS capabilities at
the host level. Its most significant difference from NIDS is
intrusion detection analysis, and related processes are limited to
the boundaries of the host.
Intrusion Detection Systems (IDS)
HIDS and NIDS can be:
• Signature Based
• Statistical Anomaly Based
  – Protocol Anomaly Based
  – Traffic Anomaly Based
• Rule Based
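Signature-based and statistical-anomaly detection side by side, run over a constructed access log, as an added example (not lecture code). The signature list and the z-score cut-off are assumptions; the point is that the signature rule needs a known pattern while the anomaly rule only needs a baseline.

```python
import re
from collections import Counter
from statistics import mean, pstdev
from typing import List, Tuple

# Constructed access log ("<source> <method> <path> <status>"), not real traffic:
# six hosts browsing normally, one host fetching 20 pages, one traversal attempt.
SAMPLE_LOG: List[str] = (
    [f"10.0.0.{h} GET /page{p}.html 200" for h in range(1, 7) for p in (1, 2)]
    + [f"10.0.0.99 GET /item?id={k} 200" for k in range(20)]
    + ["10.0.0.4 GET /../../secret.txt 404"]
)

# Signature-based IDS: known-bad patterns matched against every request line.
SIGNATURES = {
    "directory-traversal": re.compile(r"\.\./"),
    "null-byte-injection": re.compile(r"%00"),
}


def signature_alerts(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (signature name, source host) for each line matching a signature.
    Precise, but blind to anything without a signature."""
    return [(name, line.split()[0])
            for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]


def anomaly_alerts(lines: List[str], z_max: float = 2.0) -> List[str]:
    """Statistical-anomaly IDS: flag sources whose request count is more than
    z_max standard deviations above the mean across all sources. Needs no
    prior knowledge of the attack, but depends on a sane baseline."""
    counts = Counter(line.split()[0] for line in lines)
    mu, sigma = mean(counts.values()), pstdev(counts.values())
    if sigma == 0:
        return []                       # every source identical: nothing stands out
    return [src for src, n in counts.items() if (n - mu) / sigma > z_max]


if __name__ == "__main__":
    print(signature_alerts(SAMPLE_LOG))   # [('directory-traversal', '10.0.0.4')]
    print(anomaly_alerts(SAMPLE_LOG))     # ['10.0.0.99']
```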
Intrusion Prevention Systems (IPS)
• The next big thing
• Is a preventative and proactive technology, whereas IDS is a detective
technology.
• Two types:
  - Network Based (NIPS)
  - Host Based (HIPS)
Access Control Monitoring
• Honeypots: An attractive offering that hopes
to lure attackers away from critical systems
• Network sniffers: A general term for
programs or devices that are able to examine
traffic on a LAN segment.
Accountability
• Accountability is tracked by recording user,
system, and application activities.
• Audit information must be reviewed
- Event Oriented Audit Review
- Real Time and Near Real Time Review
- Audit Reduction Tools
- Variance Detection Tools
- Attack Signature Tools
Practical Projects
• RBAC for Banking.
• RBAC for Healthcare.
• RBAC for Critical Systems.
• Comparative analysis of different access control techniques.
• Deployment of RBAC Mechanism.
• Semantic Access Control.