A system can protect itself in two ways:
• It can limit who can access the system. This requires the system to implement a two-step process of identification (asking you who you are) and authentication (asking you to prove it).
• It can limit what a user can do after they have accessed the system. This requires the system to implement access control mechanisms.

The primary purpose of security mechanisms in a system is to control access to resources.
Resources: files, memory areas, processor time, devices, database records.

Some history . . .
Early systems had no internal access control. Any user could access any file simply by knowing its name. Access control became a more serious issue with the emergence of disk storage, on which files of many users could be stored (before the days of network and interactive computing).

An access control policy dictates…
Vital for security in operating systems:
- what types of access are permitted,
- under what circumstances, and
- by whom.

• Identification. {eg: username, account number…}
• Authorization. {eg: passwords, PIN numbers, tokens…}
• Authentication. {digital signature, fingerprint…}

Access control policies:
Discretionary access control (DAC)
Mandatory access control (MAC)
Role-based access control (RBAC)

Discretionary access control (DAC)
Controls access based on…
- the identity of the requestor and
- on access rules (authorizations) stating what requestors are (or are not) allowed to do.
This policy is termed "discretionary" because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource.

What is DAC? Why is DAC needed? Where is it used? How is DAC implemented? Advantages of DAC? Disadvantages of DAC?

Discretionary access control (DAC) is a policy determined by the owner of an object. The owner decides who is allowed to access the object, and what privileges they have.

-- File and data ownership: Every object in the system has an owner.
In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.
-- Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources.

In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria (TCSEC) as: "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)".

How is DAC implemented?
Usually through Access Control Lists (ACLs). Each resource object on a DAC-based system has an Access Control List (ACL) associated with it. An ACL contains a list of users and groups to which the owning user has permitted access, together with the level of access for each user or group.

Where is DAC used?
DAC is typically the default access control mechanism for most desktop operating systems and is widely used in commercial and government sectors. Operating systems must be built differently depending upon whether they are going to provide DAC or any other access functionality. For example, Windows-based platforms provide a DAC access structure.

Advantages of DAC:
• Flexibility
• Simplicity
• Ease of implementation

Disadvantages of DAC:
• DAC increases the risk that data will be made accessible to users that should not necessarily be given access.
• DAC mechanisms fail to recognize a fundamental difference between human users and computer programs.
• DAC is known to be inherently weak for two reasons:
• First, granting read access is transitive. Information can be copied from one object to another; therefore, there is no real assurance on the flow of information in a system. No restrictions apply to the usage of information once the user has received it.
• Second, DAC policy is vulnerable to Trojan horse attacks, because programs inherit the identity of the invoking user.

Mandatory access control (MAC)
Controls access based on…
- comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate which system entities are eligible to access certain resources).
This policy is termed "mandatory" because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.

WHAT IS MAC?
In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject to access or generally perform some sort of operation on an object or target. MAC takes a hierarchical approach to controlling access to resources. The term "mandatory" in MAC has acquired a special meaning derived from its use with military systems: MAC means access controls that are mandated by order of a government, and so enforcement is supposed to be more imperative than for commercial applications.

IDEA OF MAC:
A system mechanism (e.g., the operating system) controls access to an object, and an individual user cannot alter that access. Neither the subject nor the owner of the object can determine whether access is granted. The system mechanism checks information associated with both the subject and the object to determine whether the subject should access the object. Rules describe the conditions under which access is allowed; mandatory policies are therefore also called rule-based policies. Under a MAC-enforced environment, access to all resource objects (such as data files) is controlled by settings defined by the system administrator. As such, all access to resource objects is strictly controlled by the operating system based on administrator-configured settings.
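As an added example (not from the slides), a toy reference monitor contrasting the two policies just described: under owner-managed DAC rules, a program that inherits alice's identity can copy her file into a file mallory has let her write, while the MAC monitor, using the Bell-LaPadula no-read-up/no-write-down rules as an assumed MAC policy, refuses the write down. All user, file and label names are constructed.

```python
# Constructed example (not from the slides): a DAC reference monitor with
# owner-managed ACLs, and a MAC monitor that adds system-assigned labels.
class DacMonitor:
    def __init__(self):
        self.objects = {}  # name -> {"owner": subject, "acl": {subject: set(rights)}}

    def create(self, subject, name):
        self.objects[name] = {"owner": subject, "acl": {subject: {"read", "write"}}}

    def grant(self, granter, name, subject, right):
        # Discretionary: the owner passes a permission on at its own volition.
        obj = self.objects[name]
        if obj["owner"] != granter:
            raise PermissionError(f"{granter} does not own {name}")
        obj["acl"].setdefault(subject, set()).add(right)

    def allowed(self, subject, name, right):
        return right in self.objects[name]["acl"].get(subject, set())

LEVELS = {"unclassified": 0, "secret": 1}

class MacMonitor:
    """Clearances and labels are fixed by the system, not by owners. On top of
    the DAC check it enforces the Bell-LaPadula rules assumed here as the MAC
    policy: no read up (object <= subject) and no write down (subject <= object)."""
    def __init__(self, dac, clearances, labels):
        self.dac, self.clearances, self.labels = dac, clearances, labels

    def allowed(self, subject, name, right):
        if not self.dac.allowed(subject, name, right):
            return False
        s, o = LEVELS[self.clearances[subject]], LEVELS[self.labels[name]]
        return o <= s if right == "read" else s <= o

def program_copy(monitor, user, src, dst):
    """A program inherits the identity of the user who invoked it: it can copy
    src into dst only if the monitor lets that user read src and write dst."""
    return monitor.allowed(user, src, "read") and monitor.allowed(user, dst, "write")

def demo():
    dac = DacMonitor()
    dac.create("alice", "payroll.txt")                   # alice's sensitive file
    dac.create("mallory", "drop.txt")                     # mallory's own file
    dac.grant("mallory", "drop.txt", "alice", "write")   # mallory lets alice write it
    mac = MacMonitor(dac, {"alice": "secret", "mallory": "unclassified"},
                     {"payroll.txt": "secret", "drop.txt": "unclassified"})
    # DAC alone lets a program alice runs move payroll.txt into mallory's file;
    # MAC refuses the write down from a secret subject to an unclassified object.
    return (program_copy(dac, "alice", "payroll.txt", "drop.txt"),
            program_copy(mac, "alice", "payroll.txt", "drop.txt"))
```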
GOALS OF MAC:
• Preserve confidentiality and integrity of information
• Prevent some types of Trojan horse attacks
• Prevent a user from changing security attributes.

WHERE IS IT USED?
Systems that implement MAC models are used in highly secured environments, such as military or government organizations and in Defence departments.

Role-based access control (RBAC)
Controls access based on…
- the roles that users have within the system and
- on rules stating what accesses are allowed to users in given roles.

Role-based access control (RBAC) models make access decisions based on the rights and permissions assigned to a role or group, not an individual user. In role-based systems, users are assigned roles based on their functions in that system. These systems are centrally administered; they are nondiscretionary. An example is a hospital. It is an access policy determined by the system, not the owner.

USE AND AVAILABILITY…
• RBAC is a flexible access control technology whose flexibility allows it to implement DAC or MAC.
• It is used to manage user privileges (computer permissions) within a single system or application. Access under RBAC is based on a user's job function within the organization to which the computer system belongs.
• It is used in commercial applications and also in military systems, where multilevel security requirements may also exist.
• This kind of model is effective in large companies that have high turnover rates because it allows the administrator to simply place new employees into roles instead of creating new permissions for each and every person who joins the company.

SECURITY INTRUSION…
A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
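Returning to the role-based model above, an added example (not from the slides) of RBAC for the hospital case: permissions attach to roles, users hold roles, and only a central administrator changes assignments, so a new hire or a transfer is one role change rather than a set of per-person permissions. The role names, permission names, users and the administrator account are all made up.

```python
# Constructed example (not from the slides): a minimal RBAC monitor for the
# hospital scenario. Permissions attach to roles, users only to roles, and
# assignments are made by a central administrator, never by resource owners.

ROLE_PERMISSIONS = {   # role -> permissions; names are made up for the example
    "doctor":  {"read_chart", "write_chart", "prescribe"},
    "nurse":   {"read_chart", "write_vitals"},
    "billing": {"read_billing", "write_billing"},
}

class RbacMonitor:
    def __init__(self, roles, administrators):
        self.roles = roles
        self.admins = set(administrators)
        self.user_roles = {}  # user -> set of role names

    def _require_admin(self, actor):
        # Nondiscretionary: only the central administrator changes assignments.
        if actor not in self.admins:
            raise PermissionError(f"{actor} is not an administrator")

    def assign(self, admin, user, role):
        self._require_admin(admin)
        if role not in self.roles:
            raise KeyError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, admin, user, role):
        self._require_admin(admin)
        self.user_roles.get(user, set()).discard(role)

    def permissions(self, user):
        # A user's rights are the union of the rights of every role held.
        return set().union(*(self.roles[r] for r in self.user_roles.get(user, ())))

    def allowed(self, user, permission):
        return permission in self.permissions(user)

def onboarding_demo():
    """A new hire is placed into a role rather than given per-person permissions;
    on transfer, swapping the role changes every permission at once."""
    m = RbacMonitor(ROLE_PERMISSIONS, administrators=["it_admin"])
    m.assign("it_admin", "dana", "nurse")
    as_nurse = (m.allowed("dana", "write_vitals"), m.allowed("dana", "prescribe"))
    m.revoke("it_admin", "dana", "nurse")
    m.assign("it_admin", "dana", "billing")
    as_billing = (m.allowed("dana", "write_vitals"), m.allowed("dana", "read_billing"))
    return as_nurse, as_billing
```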
INTRUSION DETECTION…
A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

Types of IDS:
• Host-based IDS: Monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
• Network-based IDS: Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

IDS components:
SENSORS: responsible for collecting data. The input may be any part of a system that could contain evidence of an intrusion. Types of input include network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.
ANALYZERS: receive input from one or more sensors or from other analyzers. They are responsible for determining if an intrusion has occurred. The output of this component indicates whether an intrusion has occurred, and may include evidence supporting the conclusion.
USER INTERFACE: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.
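An added example (not from the slides) wiring the three components just listed into a small host-based IDS: a sensor that reads log lines, an analyzer that reports a source with repeated failed logins together with its evidence, and a console that renders the result. The log format, the detection rule and the sample lines are constructed; the addresses are from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed example (not from the slides): sensor, analyzer and user interface
# wired together as a tiny host-based IDS. The syslog-like format and the
# sample lines are assumed; addresses come from the documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:03 sshd: Failed password for root from 203.0.113.7
2024-03-01T10:00:04 sshd: Accepted password for carol from 198.51.100.5
2024-03-01T10:00:05 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:06 sshd: Failed password for admin from 203.0.113.7
2024-03-01T10:00:08 sshd: Failed password for oracle from 203.0.113.7
"""
LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def log_sensor(text):
    """Sensor: collects raw log lines and forwards them to the analyzer as events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, outcome, user, src = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "outcome": outcome,
                           "user": user, "src": src, "raw": line})
    return events

def brute_force_analyzer(events, threshold=5, window=timedelta(minutes=1)):
    """Analyzer: decides whether an intrusion attempt occurred. A source with at
    least `threshold` failed logins inside `window` is reported with its evidence."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "Failed":
            failures[e["src"]].append(e)
    alerts = []
    for src, fails in failures.items():
        for i, first in enumerate(fails):  # slide the window over each start (time-ordered input assumed)
            run = [f for f in fails[i:] if f["time"] - first["time"] <= window]
            if len(run) >= threshold:
                alerts.append({"src": src, "count": len(run),
                               "evidence": [f["raw"] for f in run]})
                break
    return alerts

def console(alerts):
    """User interface: renders the analyzer's output for an operator."""
    return [f"ALERT {a['src']}: {a['count']} failed logins; first: {a['evidence'][0]}" for a in alerts]

def run_ids(text=SAMPLE_LOG):
    return console(brute_force_analyzer(log_sensor(text)))
```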