CIST 1601 Information Security Fundamentals. Chapter 5 Access Control and Identity Management. Collected and Compiled By JD Willard MCSE, MCSA, Network+, Microsoft IT Academy Administrator Computer Information Systems Technology Albany Technical College.
Identification and Authentication: Identification vs. Authentication; Single-Factor Authentication
• Authentication is the mechanism by which a unique identity is associated with a security principal (a specific user or service).
• Before authorization can occur, the identity of the account attempting to access a resource must first be determined. This process is known as authentication.
• Authentication can be broken into three basic forms, depending on what is required to authorize access:
  • Something you know
  • Something you have
  • Something you are
• The most well-known form of authentication is the use of a username and password combination to access controlled resources. Access is not possible without both parts required for account authentication, so a level of protection is provided.
• The shortcoming of any authentication system is that the keys used may be easily falsified, so access rights may be granted to an unauthorized access attempt. Null or easily guessed passwords are one of the most widespread examples of this weakness.
Authentication (Single Factor) and Authorization
• The most basic form of authentication is single-factor authentication, most often implemented as a username/password combination.
• Using a login and password is single-factor authentication because it consists of only what you know.
• A username and password are unique identifiers for a logon process. Most operating systems use a user ID and password to establish identity during the logon process.
• These values can be sent across the connection as plain text or can be encrypted.
• The logon process identifies to the operating system, and possibly the network, that you are who you say you are.
• The operating system might establish privileges or permissions based on stored data about that particular ID.
• Usernames and passwords can be intercepted and are the least secure form of authentication.
Mutual Authentication
• Whenever two or more parties authenticate each other, this is known as mutual authentication. Mutual authentication checks the identity of both ends of the connection and is often referred to as two-way authentication.
• A client may authenticate to a server, and a server to a client, when there is a need to establish a secure session between the two and employ encryption.
• Mutual authentication ensures that the client is not unwittingly connecting to, and giving its credentials to, a rogue server, which could then turn around and use them to steal data from the real server.
• Commonly, mutual authentication is implemented when the data to be sent during the session is of a critical nature, such as financial or medical records.
Multi-Factor Authentication
• Multifactor authentication involves the use of two or more different forms of authentication. Any combination of authentication methods may be used in a multifactor solution.
• Different forms include:
  • What you know (logon, password, PIN)
  • What you have (smart card, keycard, SecurID number generator)
  • What you are (biometrics)
• A two-factor method can increase the strength of authentication by combining methods, such as a smart card together with a password, or a smart card together with biometrics, for logon.
Multifactor Authentication (figure: Two-factor Authentication)
Operational Security
• Operational security encompasses everything not related to design or physical security. Instead of focusing on the physical components where the data is stored, such as the server, the focus is on the topology and connections.
• Issues include:
  • Daily operations of the network
  • Connections to other networks
  • Backup and recovery plans
• Operational security includes:
  • Computers
  • Networks and communications systems
  • Management of information
• Operational security issues include:
  • Network access control (NAC)
  • Authentication
  • Security topologies
Network Access Control (NAC)
• Network Access Control (NAC) is an effective way to protect the network from malicious hosts. NAC secures the environment by examining the user's machine and, based on the results, granting access accordingly.
• NAC provides:
  • Enforcement of security policy
  • Containment of noncompliant users
  • Mitigation of threats
• The basic components of NAC products:
  • Access requestor (AR): the device that requests access
  • Policy decision point (PDP): the system that assigns a policy based on the assessment
  • Policy enforcement point (PEP): the device that enforces the policy, such as a switch, firewall, or router
• Four ways NAC systems can be integrated into the network: inline, out-of-band, switch-based, and host-based. An out-of-band system intervenes and performs an assessment as hosts come online, and then grants appropriate access.
• NAC business benefits include:
  • Compliance
  • Better security posture
  • Operational cost management
Tokens
• Security tokens are similar to certificates. They contain the rights and access privileges of the token bearer as part of the token.
• Many operating systems generate a token that is applied to every action taken on the computer system. If your token doesn't grant you access to certain information, then either that information won't be displayed or your access will be denied.
• The authentication system creates a token every time a user connects or a session begins. Authentication is established on each session and is valid only for that session. At the completion of a session, the token is destroyed.
Tokens (figure: Security Token Authentication)
Potential Authentication and Access Problems
Transitive Access
• A trusts B, and B trusts C; therefore A trusts C. In early OSs this process was often exploited.
• In current OSs (e.g., Windows Server 2008) the problems with transitive access were solved by creating transitive trusts, which are a type of relationship that can exist between domains. When the trust relationship is transitive, the relationship flows through as described above.
• In Microsoft's Active Directory, the default is that all domains in a forest trust each other with a two-way transitive trust relationship. This leaves open the possibility of a hacker acquiring more trust than they should by virtue of joining a domain.
Client-Side Attacks
• An attack that targets vulnerabilities in client applications that interact with a malicious server.
• A user accesses a trusted site (web, FTP, etc.) and unwittingly downloads rogue code, thinking they are downloading something else. The rogue code then allows the miscreant to install or execute programs on the affected machine remotely.
• The newly installed applications run with the privilege level of the individual who accessed the server.
Authentication Issues to Consider
• Setting authentication security, especially in supporting users, can become a high-maintenance activity for network administrators. On one hand, you want people to be able to authenticate themselves easily; on the other hand, you want to establish security that protects your company's resources.
• Be wary of popular names or current trends that make certain passwords predictable.
• Identity proofing is an organizational process that binds users to authentication methods. Identity proofing is invoked when a person claims they are the user but cannot be authenticated, such as when they lose their password. They are typically asked to provide another value, such as their mother's maiden name, to prove their identity.
• Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user. Under no circumstance should the person being proofed be allowed access immediately; instead, their access information should be sent to their email account of record.
• Identity proofing is the main component of authentication lifecycle management. Authenticators for identity proofing include smart cards, biometrics, and one-time password (OTP) devices.
Understanding Remote Access: Using Point-to-Point Protocol
• Point-to-Point Protocol (PPP) offers multiple protocol support, including AppleTalk, IPX, and DECnet, and is widely used today as a transport protocol for dial-up connections.
• PPP is a protocol for communicating between two points using a serial interface, and it provides service at layer 2 of the OSI model. PPP can handle both synchronous and asynchronous connections.
• PPP provides no security. PPP is primarily intended for dial-up connections and should never be used for VPN connections.
• PPP works with POTS, Integrated Services Digital Network (ISDN), and other faster connections such as T1.
• PPP does not provide data security, but it does provide authentication using the Challenge Handshake Authentication Protocol (CHAP). CHAP can be used to provide on-demand authentication within an ongoing data transmission.
• A dial-up connection using PPP works well because it isn't common for an attacker to tap a phone line. You should make sure all your PPP connections use secure channels, dedicated connections, or dial-up connections.
• Figure: PPP using a single B channel on an ISDN connection. In the case of ISDN, PPP would normally use one 64 Kbps B channel for transmission.
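The CHAP handshake the PPP bullets mention, and the two-way form of it described under Mutual Authentication, as an added example that is not part of the original slides. It implements the RFC 1994 MD5 response and runs the challenge in both directions so a peer without the shared secret is rejected; the shared secret value and peer names are constructed.

```python
import hashlib
import hmac
import os

# Constructed shared secret: configured on both peers out of band and never sent on the link.
SHARED_SECRET = b"example-chap-secret"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge).
    Only the challenge and the 16-byte response cross the link; the secret does not."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Peer:
    """One end of the PPP link. Remembers the challenges it has issued so that a
    response is checked exactly once and cannot be replayed later."""

    def __init__(self, name: str, secret: bytes):
        self.name = name
        self.secret = secret
        self._outstanding = {}  # identifier -> challenge awaiting a response

    def challenge(self, identifier: int) -> bytes:
        chal = os.urandom(16)  # fresh random bytes each time defeat replayed responses
        self._outstanding[identifier] = chal
        return chal

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)

    def verify(self, identifier: int, response: bytes) -> bool:
        chal = self._outstanding.pop(identifier, None)
        if chal is None:
            return False  # no such outstanding challenge (or it was already answered)
        expected = chap_response(identifier, self.secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def one_way_chap(authenticator: Peer, client: Peer, identifier: int = 1) -> bool:
    """Classic PPP CHAP: only the authenticator challenges, so the client learns
    nothing about who it is actually talking to."""
    chal = authenticator.challenge(identifier)
    return authenticator.verify(identifier, client.respond(identifier, chal))


def mutual_chap(server: Peer, client: Peer) -> tuple:
    """Two-way authentication: each side challenges the other.
    Returns (server_accepts_client, client_accepts_server)."""
    return (one_way_chap(server, client, identifier=1),
            one_way_chap(client, server, identifier=2))


def client_detects_rogue_server(client: Peer, server: Peer) -> bool:
    """True when the client's own challenge exposes a server that lacks the shared
    secret; one-way CHAP alone would never reveal this to the client."""
    _, client_accepts_server = mutual_chap(server, client)
    return not client_accepts_server
```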
Understanding Remote Access: Working with Tunneling Protocols
• Tunneling protocols add a capability to the network: the ability to create tunnels between networks that can be more secure, support additional protocols, and provide virtual paths between systems.
• The three primary tunneling protocols are PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), and L2F (Layer 2 Forwarding protocol).
Working with Tunneling Protocols: Point-to-Point Tunneling Protocol
• Point-to-Point Tunneling Protocol (PPTP) was created by Microsoft to work with the Point-to-Point Protocol (PPP) to create a virtual Internet connection so that networks can use the Internet as their WAN link.
• PPTP is known as a tunneling protocol because PPTP dials through the PPP connection, which results in a secure connection between client and server. This connectivity method creates a virtual private network (VPN), allowing for private network security. In effect, PPTP creates a secure WAN connection using dial-up access.
• PPTP supports encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts PPP packets. This makes PPTP a favorite low-end protocol for networks.
• The negotiation between the two ends of a PPTP connection is done in the clear. Once the negotiation is performed, the channel is encrypted. A packet-capture device, such as a sniffer, that captures the negotiation process can potentially use that information to determine the connection type and information about how the tunnel works.
Working with Tunneling Protocols: Layer 2 Forwarding and Layer 2 Tunneling Protocol
Layer 2 Forwarding
• L2F was created by Cisco as a method of creating tunnels primarily for dial-up connections. L2F is similar in capability to PPP and should not be used over WANs.
• L2F does provide authentication, but it does not provide encryption.
Layer 2 Tunneling Protocol
• Layer Two Tunneling Protocol (L2TP) is an enhancement of PPTP that can be used between LANs and can also be used to create a VPN. L2TP is primarily a point-to-point protocol.
• Relatively recently, Microsoft and Cisco agreed to combine their respective tunneling protocols into one protocol: L2TP. L2TP is a hybrid of PPTP and L2F.
• L2TP supports multiple network protocols and can be used in networks besides TCP/IP. L2TP works over IPX, SNA, and IP.
• L2TP isn't secure on its own; you should use IPSec with it to provide encryption of the data.
• L2TP operates at the Data Link layer of the OSI model and uses UDP for sending packets as well as for maintaining the connection. L2TP uses UDP port 1701.
Working with Tunneling Protocols: Secure Shell and Internet Protocol Security
Secure Shell
• Secure Shell (SSH) is a type of tunneling protocol that allows access to remote systems in a secure manner. SSH was originally designed for UNIX systems.
• SSH is a program that allows connections to be secured by encrypting the session between the client and the server. SSH also provides secure equivalents of programs such as Telnet, FTP, and many of the other communications-oriented programs under UNIX.
• SSH transmits both authentication information and data securely during terminal connections with UNIX computers. SSH uses port 22.
Internet Protocol Security
• IPSec (Internet Protocol Security) is not a tunneling protocol, but it is used in conjunction with tunneling protocols to provide network security. IPSec is oriented primarily toward LAN-to-LAN connections, rather than dial-up connections.
• IPSec can be used to digitally sign headers and to encrypt and encapsulate packets. IPSec provides both authentication and encryption, and is regarded as one of the strongest security standards.
• When the Authentication Header (AH) protocol is used, IPSec digitally signs packet headers; when the Encapsulating Security Payload (ESP) is used, IPSec encrypts packets.
Working with Tunneling Protocols: IPSec Modes
• IPSec can be used with many different protocols besides TCP/IP, and it has two modes of security:
  • Tunnel mode is used for VPNs over an unsecured public network. In tunnel mode, packets are encapsulated within other packets, and both the payload and the message headers are encrypted. Two routers that require secure communications should use IPSec in tunnel mode to encrypt packets.
  • Transport mode is used only when the data portion needs to be encrypted over owner-controlled networks such as a LAN. In transport mode, only the payload is encrypted, and packets are not encapsulated.
RADIUS and TACACS: Working with RADIUS
• Figure: A RADIUS server communicating with an ISP to allow access to a remote user. Notice that the remote server is functioning as a client to the RADIUS server. This allows centralized administration of access rights.
• Remote Authentication Dial-In User Service (RADIUS) is a mechanism that provides centralized remote user authentication, authorization, and accounting. These centralized features allow central administration of all aspects of remote login. The accounting features allow administrators to track usage and network statistics by maintaining a central database.
• A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether or not an incoming caller is authorized. In a large network with many connections, this allows a single server to perform all authentications.
• A RADIUS server acts as either the authentication server or a proxy client that forwards client requests to other authentication servers. The initial network access server, which is usually a VPN server or dial-up server, acts as a RADIUS client by forwarding the VPN or dial-up client's request to the RADIUS server. RADIUS is the protocol that carries the information between the VPN or dial-up client, the RADIUS client, and the RADIUS server.
• RADIUS encrypts only the password in the Access-Request packet, from the client to the server. The remainder of the packet is unencrypted. RADIUS uses UDP transport.
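The last bullet, that RADIUS hides only the password while the rest of the Access-Request travels in the clear, shown as an added example that is not from the slides. It implements the RFC 2865 User-Password hiding (MD5 of the shared secret and Request Authenticator, XORed with the NUL-padded password) and builds a minimal Access-Request so the cleartext attributes can be inspected; the shared secret, user name, NAS address and Request Authenticator are constructed values.

```python
import hashlib
import struct

# RADIUS attribute type numbers (RFC 2865): User-Name, User-Password, NAS-IP-Address
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4
ACCESS_REQUEST = 1


def hide_password(password: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password with NULs to a multiple of 16 octets, then
    b1 = MD5(S + RA), c1 = p1 XOR b1; for later blocks bn = MD5(S + c(n-1)), cn = pn XOR bn.
    This is an MD5-derived key stream, not a cipher; its strength rests on the shared
    secret and on the Request Authenticator being unpredictable."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = bytes(p ^ k for p, k in zip(padded[i:i + 16], b))
        hidden += c
        prev = c  # chaining: each block's key stream depends on the previous hidden block
    return bytes(hidden)


def reveal_password(hidden: bytes, shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server performs it. Trailing NUL padding is
    stripped, so a password that itself ends in NUL bytes cannot be represented."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        b = hashlib.md5(shared_secret + prev).digest()
        c = hidden[i:i + 16]
        plain += bytes(x ^ k for x, k in zip(c, b))
        prev = c
    return bytes(plain).rstrip(b"\x00")


def _avp(attr_type: int, value: bytes) -> bytes:
    """Attribute-Value Pair: Type (1 octet), Length (1 octet, includes these two), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, 2 + len(value)]) + value


def build_access_request(identifier: int, user_name: bytes, password: bytes, nas_ip: bytes,
                         shared_secret: bytes, request_authenticator: bytes) -> bytes:
    """Code (1), Identifier (1), Length (2), Request Authenticator (16), then attributes.
    Only the User-Password value is hidden; User-Name and NAS-IP-Address are sent as-is."""
    attrs = (_avp(USER_NAME, user_name)
             + _avp(USER_PASSWORD, hide_password(password, shared_secret, request_authenticator))
             + _avp(NAS_IP_ADDRESS, nas_ip))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def cleartext_fields(packet: bytes) -> dict:
    """What a sniffer on the NAS-to-RADIUS path sees without knowing the shared secret:
    every header field and attribute value, with the User-Password as an opaque blob."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    fields = {"code": code, "identifier": identifier, "length": length}
    pos = 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        fields[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return fields
```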
TACACS/TACACS+
• Terminal Access Controller Access Control System (TACACS) is a client/server-oriented environment, and it operates in a similar manner to RADIUS. Extended TACACS (XTACACS) replaced the original and combined authentication and authorization with logging to enable auditing.
• Although RADIUS performs in much the same manner, TACACS+ is used almost exclusively by Cisco. RADIUS is more of a generic standard used by many different companies. TACACS+ is gaining ground, however.
• The most current method or level of TACACS is TACACS+. TACACS+ allows credentials to be accepted from multiple methods, including Kerberos. TACACS+ provides authentication, authorization, and accounting (AAA). TACACS relies on TCP over port 49.
VLANs: VLAN Management
• A virtual local area network (VLAN) allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and thereby control access.
• VLANs enable you to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Networks can coexist on the same wiring and be unaware of each other.
• VLANs enable administrators to segment one broadcast domain into two or more domains, grouping users that have similar data sensitivity levels together and thereby increasing security.
• VLAN advantages include:
  • Reducing the scope of broadcasts
  • Improving performance and manageability
  • Decreasing dependence on the physical topology
• Switches are used to create VLANs. A router or other routing-type device is needed to connect these VLANs. When a switch is compromised, the attacker could next compromise the VLANs created by the switch.
VLAN Management (figure: A typical segmented VLAN)
LDAP: Understanding Authentication Services, Lightweight Directory Access Protocol
• LDAP is a standardized directory access protocol that uses TCP/IP and allows queries to be made of directories (specifically, a pared-down X.500-based directory). This is the computer equivalent of a phone book.
• If a directory service supports LDAP, you can query that directory with an LDAP client. An LDAP directory is defined as a tree-like structure with entries, each of which consists of named attributes with values.
• Services such as the repository and distribution of digital certificates can be handled by external servers running the LDAP protocol. LDAP servers are external repositories. Therefore, the primary concern is the availability of such systems, and the secondary consideration is maintaining the confidentiality and integrity of the information stored on them.
• LDAP, by default, uses TCP port 389.
• Figure: Directory structure showing unique identification of a user.
Kerberos
• Kerberos uses a Key Distribution Center (KDC) to authenticate a principal. Principals are the entities to which the KDC provides services. They may be users, applications, systems, or services.
• Session keys are symmetric keys used to encrypt and decrypt information that is passed between the principals and the KDC.
• The KDC is the most important component in a Kerberos environment. It is responsible for managing all the secret keys, authenticating all users, and issuing tickets to valid users. The KDC provides a ticket to the network.
• A ticket granting ticket (TGT) is the entity issued by the authentication service (AS) on the KDC to a principal. The TGT proves the principal's identity throughout the communication process. Once this ticket is issued, it can be used to authenticate against other principals. This occurs automatically when a request or service is performed by another principal.
• Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the server that is providing authentication are verified.
Kerberos (figure: Kerberos Authentication Process)
Single Sign-On: Single Sign-On Initiatives
• Figure: AD validating a user.
• The principle of single sign-on (SSO) is based on granting users access to all the systems, applications, and resources they need when they start a computer session. The SSO capability is usually provided by a directory service, with a digital certificate being used to authenticate the user. Once authenticated, the user is granted access to the appropriate systems and resources.
• To reduce user support and authentication complexity, an SSO capable of granting access to all services is desirable. SSO solutions may employ a central directory service like Microsoft's Active Directory or Novell's eDirectory service, or may sequester services behind a series of proxy applications as in the Service-Oriented Architecture approach.
• Single sign-on provides many advantages:
  • It is an efficient logon method because users only have to remember one password and only need to log on once.
  • Resources are accessed faster because you do not need to log in for each resource access.
  • It lowers security administration costs because only one account exists for each user.
  • It lowers setup costs because only one account needs to be created for each user.
  • It allows the use of stronger passwords.
• Kerberos and Active Directory are two technologies that provide single sign-on authentication. Single sign-on addresses the problem of users having to remember multiple usernames and passwords to access different systems. Other technologies that provide single sign-on authentication are security domains, directory services, and thin clients.
• In the figure, the database application, e-mail client, and printers all authenticate with the same logon. Like Kerberos, this process requires all the applications that want to take advantage of AD to accept AD controls and directives. Access can be established through groups, and it can be enforced through group memberships.
Authorization and Access Control: Understanding Access Control
• Access control defines how users and systems communicate and in what manner. Implementation of access management is based on one of two models: centralized or decentralized.
• Both the group-based and role-based methods of access control have a centralized database of accounts and the roles or groups to which the accounts are assigned.
• Decentralized security management is less secure but more scalable. Responsibilities are delegated, and employees at different locations are made responsible for managing privileges within their administrative areas.
• The three primary methods of access control are Mandatory (MAC), Discretionary (DAC), and Role-Based (RBAC). A fourth method, Rule-Based Access Control, is gaining in popularity. Each of these methods has advantages and disadvantages for the organization from a security perspective.
Understanding Access Control: Mandatory Access Control (MAC)
• MAC provides the strictest security mechanism. It assigns security labels to both subjects and objects. Labels are comprised of a classification and different categories.
• Classification indicates the sensitivity level of the subject or object, such as secret or top secret. Categories enforce need-to-know rules and should be determined by the organization based on access control needs, such as human resources or accounting.
• Under MAC, a file, printer, or computer would exist as an object. Objects are resources accessed by groups, users, or processes. A user or group would exist as a subject. Subjects access objects.
• Access privileges to resources are assigned by administrators, are predefined based on the security policy, and can't be changed by users. A privilege that is not expressly permitted is forbidden. Users cannot share resources dynamically.
• This model is usually implemented in highly secure networks, such as military facilities.
Understanding Access Control: Discretionary Access Control (DAC)
• The Discretionary Access Control (DAC) model is used in small Microsoft workgroup networks where users commonly share folders with each other.
• In the DAC model, the data owner/creator is responsible for granting other users access to resources and determines the level of access that will be granted to those users, as well as limiting object access to certain days and certain times of day.
• The DAC model uses Access Control Lists (ACLs) to map a user's access permissions to a resource. An ACL is a security mechanism used to designate those users who can gain various types of access, such as read, write, and execute access, to resources on a network. An ACL provides security as granular as the file level.
• In DAC, a subject's rights should be suspended when he is on leave or vacation and should be terminated when he leaves the company.
Understanding Access Control: Role-Based Access Control (RBAC)
• Role-Based Access Control (RBAC) allows specific people to be assigned to specific roles with specific privileges. RBAC uses the role to identify the users who have permissions to a resource, and may be implemented system-wide. Users may be able to access information from any station in the network, based strictly on their role.
• Access rights are first assigned to roles, and accounts are then assigned those roles. This type of access is used with groups for inheritance by group member accounts.
• If a person moves from one role to another, the access for the previous role will no longer be available. Privileges are limited to the role and are not present during the employee's normal job functions. For example, a backup operator role would give anyone who occupied that role the ability to perform backups, including the security privileges that go along with it.
• These privileges should reflect the organization's structure and the responsibilities users have in the organization. The RBAC model is common in network administrative roles.
• Many systems offer a hybrid of DAC and RBAC. In some cases, the operating system might use DAC, whereas applications such as SQL Server use roles to determine access permissions to data in tables and the database itself.
Understanding Access Control: Rule-Based Access Control
• Rule-based access control uses the settings in pre-configured security policies to make all decisions. The rules defined usually include connection times and days. Access rights may vary by account, by time of day, or through other forms of conditional testing.
• The most common form of rule-based access control involves testing against an access control list (ACL) that details systems and accounts with access rights and the limits of their access for the resource.
• This type of access control is used by remote access connections.
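A worked comparison of the four models on the preceding slides, as an added example rather than code from the slides: MAC label dominance (classification plus need-to-know categories), an owner-managed DAC ACL, RBAC in which moving to a new role drops the old role's access, and a rule-based time-of-day condition layered on top of RBAC. The classification levels, users, roles and the time window are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from enum import IntEnum


class Level(IntEnum):
    """Constructed classification ladder; higher value = more sensitive."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """MAC label: a classification plus the categories that express need-to-know."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and other.categories <= self.categories


def mac_allows_read(subject: Label, obj: Label) -> bool:
    """MAC: a subject may read an object only when its label dominates the object's
    (clearance high enough AND every category of the object is in the subject's
    need-to-know set). Anything not expressly permitted by the labels is forbidden."""
    return subject.dominates(obj)


@dataclass
class DacObject:
    """DAC: the owner holds the ACL and is the only principal allowed to change it."""
    owner: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions

    def grant(self, grantor: str, user: str, perm: str) -> None:
        if grantor != self.owner:
            raise PermissionError("only the owner may grant access")
        self.acl.setdefault(user, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


class Rbac:
    """RBAC: permissions attach to roles; accounts are assigned roles, never permissions."""

    def __init__(self) -> None:
        self.role_perms = {}   # role -> set of permissions
        self.user_roles = {}   # user -> set of roles

    def define_role(self, role: str, perms) -> None:
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        self.user_roles.setdefault(user, set()).add(role)

    def move(self, user: str, old_role: str, new_role: str) -> None:
        """Changing roles removes the previous role's access, as the slide requires."""
        self.user_roles.setdefault(user, set()).discard(old_role)
        self.assign(user, new_role)

    def allows(self, user: str, perm: str) -> bool:
        return any(perm in self.role_perms.get(r, set())
                   for r in self.user_roles.get(user, ()))


@dataclass(frozen=True)
class TimeRule:
    """Rule-based: a pre-configured condition on connection days and hours."""
    weekdays: frozenset        # 0 = Monday ... 6 = Sunday
    start_hour: int            # inclusive
    end_hour: int              # exclusive

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start_hour <= when.hour < self.end_hour


def rule_based_allows(rbac: Rbac, rule: TimeRule, user: str, perm: str, when: datetime) -> bool:
    """Hybrid decision: the role must carry the permission AND the time rule must pass."""
    return rbac.allows(user, perm) and rule.allows(when)
```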
Implementing Access Control Best Practices: Smart Cards
• A smart card is a type of badge or card that can be used for access control to multiple resources, including buildings, parking lots, and computers. It contains information about your identity and access privileges.
• Smart cards increase the security of the authentication process because the card must be in your physical possession. Smart cards are replacing magnetic cards in many instances because they can store additional personal information and are harder to copy or counterfeit.
• Smart cards often also require the use of a small password called a PIN, which further secures the smart card if it is lost by the true card holder. A password or PIN is required to activate many modern smart cards, and encryption is employed to protect the contents.
• Smart cards are difficult to counterfeit, but they're easy to steal. Once a thief has a smart card, they have all the access the card allows. To prevent this, many organizations don't put any identifying marks on their smart cards, making it harder for someone to utilize them.
• The reader is connected to the workstation and validates against the security system. A whole system can become useless if the smart card is lost or stolen.
Smart Cards (figure: The Smart Card Authentication Process)
Access Control Lists: Implementing Access Control Best Practices
• Routers and firewalls are your front line of defense against attacks launched from outside the company network. Access control list (ACL) mechanisms are implemented in many routers, firewalls, and other network devices.
• You can configure and apply access control lists to the interfaces of routers to filter out unauthorized traffic. Through ACLs, you can design and change network security to counter specific security threats. ACLs can be configured on router interfaces for inbound and outbound packets.
• ACLs deployed on a router improve network security by confining sensitive internal data traffic to computers on a specific subnet. An ACL can also be used to exclude a particular system, IP address, or user.
• The following can be configured in an ACL:
  • Source and/or destination IP address
  • Source and/or destination protocol number
  • Source and/or destination port number
• The most essential operational aspects of network device hardening involve ensuring that your network devices run only necessary protocols, services, and access control lists.
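An added example, not from the slides, of how a router-style ACL evaluates the address, protocol and port fields listed above: entries are tested in order, the first match decides, and anything unmatched falls to the implicit deny. The sample ACL confines a sensitive subnet to one application server and one DNS server and excludes a single host; all addresses are constructed, and the shadowed-entry check is a practitioner's sanity test rather than a router feature.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port, None for protocols without one


@dataclass(frozen=True)
class AclEntry:
    action: str                   # "permit" or "deny"
    proto: str = "ip"             # "ip" matches every protocol
    src: str = "0.0.0.0/0"        # CIDR; 0.0.0.0/0 means "any"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl: List[AclEntry], pkt: Packet) -> str:
    """Entries are tested top to bottom and the first match decides; a packet that
    matches nothing is dropped by the implicit deny that ends every ACL."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


def shadows(earlier: AclEntry, later: AclEntry) -> bool:
    """True if every packet `later` could match is already caught by `earlier`,
    so `later` can never take effect."""
    return (earlier.proto in ("ip", later.proto)
            and ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
            and (earlier.dport is None or earlier.dport == later.dport))


def shadowed_entries(acl: List[AclEntry]) -> List[int]:
    """Indexes of entries that an earlier entry makes unreachable; a non-empty result
    usually means the ACL does not do what its author intended."""
    return [j for j in range(len(acl)) if any(shadows(acl[i], acl[j]) for i in range(j))]


# Constructed ACL applied inbound on the router interface facing the sensitive HR
# subnet 10.10.20.0/24: HR hosts may reach only the HR application server (10.10.50.8,
# HTTPS) and the DNS server (10.10.50.53); workstation 10.10.20.66 is excluded entirely.
HR_SUBNET_ACL = [
    AclEntry("deny", src="10.10.20.66/32"),                                            # exclude one system
    AclEntry("permit", proto="tcp", src="10.10.20.0/24", dst="10.10.50.8/32", dport=443),  # HR app
    AclEntry("permit", proto="udp", src="10.10.20.0/24", dst="10.10.50.53/32", dport=53),  # DNS
]   # everything else, including traffic toward any other subnet: implicit deny
```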
Trusted OS: Implementing Access Control Best Practices
Common Criteria defines seven Evaluation Assurance Levels (EALs):
1. EAL 1: A user must be assured that the system will operate correctly, but threats to security are not viewed as serious. The other EAL levels promote higher levels of security.
2. EAL 2: Developers use good design practices, but security is not a high priority.
3. EAL 3: Developers provide moderate levels of security.
4. EAL 4: Security configuration is based on good commercial development practices. This level is the common benchmark for commercial systems, including operating systems and products.
5. EAL 5: Security is implemented starting in early design. It provides high levels of security assurance.
6. EAL 6: Specialized security engineering provides high levels of assurance. This level will be highly secure against penetration attacks.
7. EAL 7: Extremely high levels of security are provided. This level requires extensive testing, measurement, and independent testing.
Implementing Access Control Best Practices: Secure Router Configuration
To securely configure the router, you must do the following:
• Change the default password. The administrator password is set before the router leaves the factory. Assume that every miscreant knows the default router passwords.
• Walk through the advanced settings. These vary by router manufacturer but often include settings to block ping requests, perform MAC filtering, etc.
• Keep the firmware upgraded. Router manufacturers often issue patches when problems are discovered.