2. access control

Transcript

  • 1. Access Control Systems & Methodology
    dswami@vsnl.com, 98402 99933
  • 2. Topics to be covered
    - Overview
    - Access control implementation
    - Types of access control
    - MAC & DAC
    - Orange Book
    - Authentication
    - Passwords
    - Biometrics
    - Tokens/SSO
    - Kerberos
    - Attacks/Vulnerabilities/Monitoring
    - IDS
    - Object reuse
    - TEMPEST
    - RAS access control
    - Penetration Testing
  • 3. What is access control?
    Access controls are the collection of mechanisms that specify what users can do on the system, such as what resources they can access and what operations they can perform.
    - The ability to allow only authorized users, programs or processes system or resource access
    - The granting or denying, according to a particular security model, of certain permissions to access a resource
    - An entire set of procedures performed by hardware, software and administrators, to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules
  • 4. The Big Three
    - Confidentiality: an attack on confidentiality is when an entity, such as a person, program, or computer, gains unauthorized access to sensitive information
    - Integrity: an attack on integrity occurs when an unauthorized entity gains access and tampers with a system resource. Another type of integrity attack occurs when an unauthorized entity inserts objects into the system or performs an unauthorized modification
    - Availability: an attack on availability is when an asset on the system is destroyed, rendered unavailable, or caused to be unusable
  • 5. Access control cont…
    - Authentication: process through which one proves and verifies certain information
    - Identification: process through which one ascertains the identity of another person or entity
    - Separation of duties: a process is designed so that separate steps/operations must be performed by different people. Collusion is an agreement among two or more people to commit fraud
    - Least privilege: a policy that limits both the system's users and processes to access only those resources necessary to perform assigned functions
  • 6. How can AC be implemented?
    - Hardware
    - Software: application; protocol (Kerberos, IPSec…)
    - Physical
    - Logical (policies)
  • 7. Access Control Protects
    - Data: unauthorized viewing, modification or copying
    - System: unauthorized use, modification or denial of service
    It should be noted that nearly every network operating system (Win2K, NT, Unix, Vines, NetWare…) is based on a secure physical infrastructure.
    - Protection from threats
    - Prepares for minimal impact
    - Accountability
  • 8. Proactive access control
    - Awareness training
    - Background checks
    - Separation of duties
    - Split knowledge
    - Policies
    - Data classification
    - Effective user registration
    - Termination procedures
    - Change control procedures
  • 9. Physical Control
    - Guards
    - Locks
    - Mantraps
    - ID badges
    - CCTV, sensors, alarms
    - Biometrics
    - Fences (the higher the voltage the better)
    - Card-key and tokens
    - Guard dogs
  • 10. Technical (Logical) Controls
    - Access control software, such as firewalls, proxy servers
    - Anti-virus software
    - Passwords
    - Smart cards/biometrics/badge systems
    - Encryption
    - Dial-up callback systems
    - Audit trails
    - Intrusion detection systems (IDSs)
  • 11. Administrative Control
    - Policies and procedures
    - Security awareness training
    - Separation of duties
    - Security reviews and audits
    - Rotation of duties
    - Procedures for recruiting and terminating employees
    - Security clearances
    - Background checks
    - Alert supervision
    - Performance evaluations
    - Mandatory vacation time
  • 12. AC & privacy issues
    - Expectation of privacy
    - Policies
    - Monitoring of activity, Internet usage, e-mail
    - Login banners should detail expectations of privacy and state levels of monitoring
  • 13. Types of Access Control
    - Mandatory (MAC)
    - Discretionary (DAC)
    - Lattice / Role Based / Task Based
    - Formal models:
      - Bell-La Padula: focuses on the confidentiality of classified information
      - Biba: rules for the protection of information integrity
      - Take/Grant: a directed graph to specify the rights that a subject can transfer to, or take from, another subject
      - Clark/Wilson: the integrity model based on well-formed transactions
  • 14. Mandatory Access Control
    - Assigns sensitivity levels, AKA labels
    - Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level
    - Only the administrators, not object owners, may change the object level
    - Generally more secure than DAC
    - Orange Book B-level
    - Used in systems where security is critical, i.e., military
    - Hard to program for and to configure & implement
  • 15. Mandatory Access Control cont…
    - Downgrade in performance
    - Relies on the system to control access
    - Example: if a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file
    - All output, i.e., print jobs, floppies, other magnetic media, must be labeled as to the sensitivity level
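The confidential-file example on slides 14-15, worked as a small Bell-La Padula style check. This is an added example, not code from the presentation; the level names, the in-memory store and the user names are assumptions.

```python
# Added example, not from the slides: a toy Bell-La Padula style MAC check.
# Levels form a total order; labels are set only by the administrator, never by
# the object owner. The store, file and user names are constructed.
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


def mac_allows(action, clearance, label):
    """True if MAC lets a subject with `clearance` perform `action` on an object with `label`."""
    if action == "read":
        return clearance >= label   # simple security property: no read up
    if action == "write":
        return label >= clearance   # *-property: no write down
    raise ValueError(f"unknown action {action!r}")


class LabeledStore:
    """Objects with sensitivity labels; only `admin` may assign or change a label."""

    def __init__(self, admin):
        self.admin, self.labels, self.data = admin, {}, {}

    def set_label(self, actor, name, level):
        if actor != self.admin:
            raise PermissionError(f"{actor} is not the administrator; owners cannot relabel")
        self.labels[name] = level
        self.data.setdefault(name, "")

    def write(self, actor, clearance, name, text):
        label = self.labels[name]
        if not mac_allows("write", clearance, label):
            raise PermissionError(f"{actor} ({clearance.name}) may not write down into a {label.name} object")
        self.data[name] += text

    def read(self, actor, clearance, name):
        label = self.labels[name]
        if not mac_allows("read", clearance, label):
            raise PermissionError(f"{actor} ({clearance.name}) may not read up from a {label.name} object")
        return self.data[name]


def attempt(fn, *args):
    """Run one access attempt and report 'ok' or the denial reason."""
    try:
        fn(*args)
        return "ok"
    except PermissionError as exc:
        return f"denied: {exc}"
```

A SECRET-cleared user can read the CONFIDENTIAL file but is refused when writing into it, and an owner's attempt to relabel is refused regardless of clearance.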
  • 16. Discretionary Access Control
    - Access is restricted based on the authorization granted to the user
    - Orange Book C-level
    - Prime use is to separate and protect users from unauthorized data
    - Used by Unix, NT, NetWare, Linux, Vines, etc.
    - Relies on the object owner to control access
  • 17. Access control lists (ACL)
    - A file used by the access control system to determine who may access what programs and files, in what method and at what time
    - Different operating systems have different ACL terms
    - Types of access: Read/Write/Create/Execute/Modify/Delete/Rename
  • 18. Standard UNIX file permissions
    Permission    Allowed action if object is a file   Allowed action if object is a directory
    R (read)      Read contents of the file            List contents of the directory
    X (execute)   Execute file as a program            Search the directory
    W (write)     Change file contents                 Add, rename, create files and subdirectories
  • 19. Standard NT file permissions
    Permission     File    Directory
    No access      None    None
    List           N/A     RX
    Read           RX      RX
    Add            N/A     WX
    Add & Read     N/A     RWX
    Change         RWXD    RWXD
    Full Control   All     All
    R - Read, X - Execute, W - Write, D - Delete
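The UNIX table above, worked as a decoder for `ls -l` style mode strings: it reports what each class may do on a file versus a directory and flags the setuid/setgid and world-writable cases. Added example, not from the slides; the sample modes are constructed.

```python
# Added example, not from the slides: decode an `ls -l` style mode string into
# the actions the UNIX table allows, distinguishing file from directory
# semantics and reporting the setuid/setgid bits. Sample modes are constructed.
FILE_ACTIONS = {"r": "read contents", "w": "change contents", "x": "execute as a program"}
DIR_ACTIONS = {"r": "list contents", "w": "add, rename, create entries", "x": "search the directory"}
CLASSES = {"owner": 1, "group": 4, "other": 7}   # offsets of each rwx triple in the string


def parse_mode(mode):
    """Return (is_dir, perms-per-class, setuid, setgid) for a 10-character mode string."""
    if len(mode) != 10 or mode[0] not in "-dl":
        raise ValueError("expected a mode like -rwsr-xr-x or drwxr-x---")
    perms = {}
    for cls, start in CLASSES.items():
        r, w, x = mode[start:start + 3]
        got = set()
        if r == "r":
            got.add("r")
        if w == "w":
            got.add("w")
        if x in "xst":   # s/t = exec plus setuid/setgid/sticky; S/T = the bit without exec
            got.add("x")
        perms[cls] = got
    setuid = mode[3] in "sS"
    setgid = mode[6] in "sS"
    return mode[0] == "d", perms, setuid, setgid


def allowed_actions(mode, who):
    """Describe what `who` (owner/group/other) may do, per the table's file vs directory rows."""
    is_dir, perms, _, _ = parse_mode(mode)
    table = DIR_ACTIONS if is_dir else FILE_ACTIONS
    return [table[bit] for bit in "rwx" if bit in perms[who]]


def privilege_notes(mode):
    """Flag bits that widen privilege beyond the caller's own identity."""
    is_dir, perms, setuid, setgid = parse_mode(mode)
    notes = []
    if setuid and not is_dir:
        notes.append("setuid: runs with the file owner's identity; avoid if the owner is root")
    if setgid and not is_dir:
        notes.append("setgid: runs with the file's group; preferred over setuid root")
    if "w" in perms["other"]:
        notes.append("world-writable: anyone can change it")
    return notes
```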
  • 20. MAC vs. DAC
    - Discretionary Access Control: you decide how you want to protect and share your data
    - Mandatory Access Control: the system decides how the data will be shared
  • 21. Problems with formal models
    - Based on a static infrastructure
    - Defined and succinct policies
    - These do not work in corporate systems, which are extremely dynamic and constantly changing
    - None of the formal models deals with: viruses/active content, Trojan horses, firewalls
    - Limited documentation on how to build these systems
  • 22. Orange Book
    - DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
    - Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
    - For stand-alone systems only
    - Windows NT has a C2 utility; it does many things, including disabling networking
  • 23. Orange Book levels
    - A: Verified protection (A1)
    - B: MAC (B1/B2/B3)
    - C: DAC (C1/C2)
    - D: Minimal security. Systems that have been evaluated, but failed
  • 24. The Orange Book Limitations
    - Based on an old model, Bell-La Padula
    - Stand-alone, no way to network systems
    - Systems take a long time (1-2 years) to certify
    - Any changes (hot fixes, service packs, patches) break the certification
    - Has not adapted to changes in client-server and corporate computing
    - Certification is expensive
    - For the most part, not used outside of the government sector
  • 25. Red Book
    - Used to extend the Orange Book to networks
    - Actually two works:
      - Trusted Network Interpretation of the TCSEC (NCSC-TG-005)
      - Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)
  • 26. Authentication
    Three types of authentication:
    - Something you know: password, PIN, mother's maiden name, passphrase…
    - Something you have: ATM card, smart card, token, key, ID badge, driver license, passport…
    - Something you are: fingerprint, voice scan, iris scan, retina scan, DNA…
  • 27. Multi-factor authentication
    - 2-factor authentication: to increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication
      - ATM card + PIN
      - Credit card + signature
      - PIN + fingerprint
      - Username + password (NetWare, Unix, NT default)
    - 3-factor authentication, for highest security
      - Username + password + fingerprint
      - Username + passcode + SecurID token
  • 28. Problems with passwords
    - Insecure: given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
    - Easily broken: programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily crack Unix, NetWare & NT passwords. Dictionary attacks are only feasible because users choose easily guessed passwords!
    - Inconvenient: in an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember
    - Repudiable: unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
  • 29. Classic password rules
    The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin.
    Don't use:
    - common names, DOB, spouse, phone #, etc.
    - words found in dictionaries
    - "password" as a password
    - system defaults
  • 30. Password management
    - Configure system to use strong passwords
    - Set password time and length limits
    - Limit unsuccessful logins
    - Limit concurrent connections
    - Enable auditing
    - Have policies for password resets and changes
    - Use last login dates in banners
  • 31. Password Attacks
    - Dictionary: Crack, John the Ripper
    - Brute force: l0phtcrack
    - Hybrid attack: dictionary and brute force
    - Trojan horse login program
    - Password-sending Trojans
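The rules of slides 29-31 as a password-acceptance check, plus the failed-login limit from slide 30. This is an added example, not from the presentation; the word list, the system-default list, the 8-character minimum and the lockout threshold are constructed assumptions standing in for a real cracking dictionary and site policy.

```python
# Added example, not from the slides: apply the classic password rules and a
# failed-login limit. DICTIONARY, SYSTEM_DEFAULTS, MIN_LENGTH and the lockout
# threshold are constructed assumptions, not values from the presentation.
import re

# Note that hex, goop, type and tin are each dictionary words: the rule rejects a
# single word (with or without digits bolted on), not a pair of unrelated words.
DICTIONARY = {"password", "secret", "welcome", "letmein", "dragon", "monkey",
              "summer", "hex", "goop", "type", "tin"}
SYSTEM_DEFAULTS = {"admin", "changeme", "default", "guest", "password"}
MIN_LENGTH = 8


def check_password(candidate, personal=()):
    """Return the list of rule violations; an empty list means the password is acceptable.

    `personal` holds data a dictionary attack would try first: names, DOB, phone number.
    """
    problems = []
    low = candidate.lower()
    core = re.sub(r"[^a-z]", "", low)   # letters only, so 'dragon1' is caught as a hybrid
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if low in SYSTEM_DEFAULTS:
        problems.append("system default or 'password'")
    if core in DICTIONARY:
        problems.append("single dictionary word, possibly with digits/symbols added (hybrid attack)")
    for item in personal:
        if item and item.lower() in low:
            problems.append(f"contains personal data {item!r}")
    if re.fullmatch(r"[\d/.-]{6,12}", candidate):
        problems.append("looks like a date or phone number")
    if not re.search(r"[^A-Za-z]", candidate):
        problems.append("no number or special character")
    return problems


class LoginThrottle:
    """Slide 30's 'limit unsuccessful logins': lock an account after `limit`
    consecutive failures until an administrator resets it (constructed policy)."""

    def __init__(self, limit=5):
        self.limit, self.failures = limit, {}

    def record(self, user, success):
        """Record an attempt; return True while the account is still usable."""
        if self.failures.get(user, 0) >= self.limit:
            return False   # already locked; a later correct password must not unlock it
        self.failures[user] = 0 if success else self.failures.get(user, 0) + 1
        return self.failures[user] < self.limit

    def reset(self, user):
        self.failures[user] = 0
```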
  • 32. Biometrics
    - Authenticating a user via human characteristics
    - Using measurable physical characteristics of a person to prove their identification
    - Fingerprint, signature dynamics, iris, retina, voice, face, DNA, blood
  • 33. Advantages of fingerprint-based biometrics
    - Can't be lent like a physical key or token and can't be forgotten like a password
    - Good compromise between ease of use, template size, cost and accuracy
    - Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
    - Basically lasts forever, or at least until amputation or dismemberment
    - Makes network login & authentication effortless
  • 34. Biometric Disadvantages
    - Still relatively expensive per user
    - Companies & products are often new & immature
    - No common API or other standard
    - Some hesitancy for user acceptance
  • 35. Biometric privacy issues
    - Tracking and surveillance: ultimately, the ability to track a person's movement from hour to hour
    - Anonymity: biometric links to databases could dissolve much of our anonymity when we travel and access services
    - Profiling: compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs
  • 36. Practical biometric applications
    - Network access control
    - Staff time and attendance tracking
    - Authorizing financial transactions
    - Government benefits distribution (Social Security, welfare, etc.)
    - Verifying identities at point of sale
    - Using in conjunction with ATM, credit or smart cards
    - Controlling physical access to office buildings or homes
    - Protecting personal property
    - Preventing kidnapping in schools, play areas, etc.
    - Protecting children from fatal gun accidents
    - Voting/passports/visas & immigration
  • 37. Tokens
    - Used to facilitate one-time passwords
    - Physical card
    - SecurID
    - S/Key
    - Smart card
    - Access token
  • 38. Synchronous Token (diagram)
  • 39. Asynchronous Token (diagram)
  • 40. Smart Card (diagram)
  • 41. Single sign-on
    - User has one password for all enterprise systems and applications
    - That way, one strong password can be remembered and used
    - All of a user's accounts can be quickly created on hire, deleted on dismissal
    - Hard to implement and get working
    - Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509
  • 42. Kerberos
    - Part of MIT's Project Athena
    - Kerberos is an authentication protocol used for network-wide authentication
    - All software must be kerberized
    - Tickets, authenticators, key distribution center (KDC)
    - Divided into realms
    - Kerberos is the three-headed dog that guards the entrance to Hades (this won't be on the test)
  • 43. Kerberos Roles
    - KDC divided into Authentication Server & Ticket Granting Server (TGS)
    - Authentication Server: authenticates the identities of entities on the network
    - TGS: generates unique session keys between two parties. Parties then use these session keys for message encryption
  • 44. Kerberos Authentication
    - User must have an account on the KDC
    - KDC must be a trusted server in a secured location
    - Shares a DES key with each user
    - When a user wants to access a host or application, they request a ticket from the KDC via klogin & generate an authenticator that validates the ticket
    - User provides ticket and authenticator to the application, which processes them for validity and will then grant access
  • 45. Problems with Kerberos
    - Each piece of software must be kerberized
    - Requires synchronized time clocks
    - Relies on UDP, which is often blocked by many firewalls
    - Kerberos v4 binds tickets to a single network address for a host. Hosts with multiple NICs will have problems using tickets
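The ticket-and-authenticator flow of slides 43-45 as a toy model, including why clocks must be synchronized and how a service detects a replayed authenticator. This is an added example, not code from the presentation or from MIT Kerberos: real Kerberos encrypts tickets and authenticators under the shared keys, whereas this model seals them with an HMAC so it runs on the standard library alone. The principal names, the 5-minute skew window and the 8-hour ticket lifetime are assumptions.

```python
# Added example, not from the slides or MIT Kerberos: toy KDC/ticket/authenticator
# exchange. Tickets and authenticators are JSON bodies plus an HMAC tag instead of
# being encrypted; SKEW, TICKET_LIFETIME and all names are constructed assumptions.
import hashlib, hmac, json, os

SKEW = 300                 # max clock difference tolerated: why clocks must be synchronized
TICKET_LIFETIME = 8 * 3600


def seal(key, fields):
    """Return (body, tag): the fields authenticated under `key`."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def unseal(key, sealed):
    body, tag = sealed
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).hexdigest(), tag):
        raise PermissionError("seal does not verify")
    return json.loads(body)


class KDC:
    """Authentication Server + Ticket Granting Server; shares a key with every principal."""

    def __init__(self, keys):
        self.keys = keys

    def issue_ticket(self, client, service, now):
        # Ticket is sealed with the service's key: the client can present but not alter it.
        # The session key is returned to the client directly (real Kerberos encrypts it).
        session_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": client, "service": service,
                                           "session_key": session_key.hex(),
                                           "expires": now + TICKET_LIFETIME})
        return session_key, ticket


def make_authenticator(session_key, client, now):
    return seal(session_key, {"client": client, "timestamp": now})   # proves key possession


class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()   # `seen` is the replay cache

    def accept(self, ticket, authenticator, now):
        t = unseal(self.key, ticket)
        if t["service"] != self.name or now > t["expires"]:
            raise PermissionError("ticket not for this service or expired")
        a = unseal(bytes.fromhex(t["session_key"]), authenticator)
        if a["client"] != t["client"]:
            raise PermissionError("authenticator does not match ticket")
        if abs(now - a["timestamp"]) > SKEW:
            raise PermissionError("clock skew too large")
        if authenticator[1] in self.seen:
            raise PermissionError("replayed authenticator")
        self.seen.add(authenticator[1])
        return t["client"]


def try_accept(service, ticket, authenticator, now):
    try:
        return "accepted " + service.accept(ticket, authenticator, now)
    except PermissionError as exc:
        return "rejected: " + str(exc)
```

A ticket captured on the wire (the passive attack of slide 46) is useless without the session key, and a copied authenticator is caught by the replay cache or by the skew window.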
  • 46. Attacks
    - Passive attack: monitor network traffic and then use the data obtained or perform a replay attack. Hard to detect
    - Active attack: attacker is actively trying to break in. Exploit system vulnerabilities, spoofing, crypto attacks
    - Denial of service (DoS): not so much an attempt to gain access, rather to prevent system operation. Smurf, SYN flood, ping of death, mail bombs
  • 47. Vulnerabilities
    - Physical
    - Natural: floods, earthquakes, terrorists, power outage, lightning
    - Hardware/software design weakness
    - Media: corrupt electronic media, stolen disk drives
    - Emanation: EMR, RF
    - Communications: sniffing, wire tapping, radiation
    - Human: social engineering, disgruntled staff
  • 48. Monitoring
    - IDS: network based and host based (signature and anomaly detection)
    - Logs: system logs and audit logs
    - Audit trails
    - Network tools: network monitor (sniffers and SNMP-based tools), Tivoli, Spectrum, OpenView
  • 49. Intrusion Detection Systems
    - IDS monitors system or network for attacks
    - IDS engine has a library and set of signatures that identify an attack
    - Adds defense in depth
    - Should be used in conjunction with a system scanner (CyberCop, ISS S3) for maximum security
  • 50. Object reuse
    - Must ensure that magnetic media do not have any remanence of previous data
    - Also applies to buffers, cache and other memory allocation
    - Required at TCSEC B2/B3/A1 level
    - "Secure Deletion of Data from Magnetic and Solid-State Memory"
    - Documents recently declassified
    - Objects must be declassified
    - Magnetic media must be degaussed or have secure overwrites
  • 51. TEMPEST
    - Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards
    - TEMPEST certified equipment, which encases the hardware in a tight metal construct, shields the electromagnetic emanations
    - WANG Federal is the leading provider of TEMPEST hardware
    - TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
    - Rooms & buildings can be TEMPEST-certified
    - TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents
  • 52. Banners
    - Banners display at login or connection stating that the system is for the exclusive use of authorized users and that their activity may be monitored
    - Not foolproof, but a good start, especially from a legal perspective
    - Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.
  • 53. RAS access control
    - RADIUS (Remote Authentication Dial-In User Service): client/server protocol & software that enables a RAS to communicate with a central server to authenticate dial-in users & authorize their access to requested systems
    - TACACS/TACACS+ (Terminal Access Controller Access Control System): authentication protocol that allows a RAS to forward a user's logon password to an authentication server. TACACS is an unencrypted protocol and therefore less secure than the later TACACS+ and RADIUS protocols. A later version of TACACS is XTACACS (Extended TACACS)
    - May 1997: TACACS and XTACACS are considered Cisco End-of-Maintenance
  • 54. Penetration Testing
    - Basically measuring the security of your network by breaking into it
    - Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
      - Discovery and footprint analysis
      - Exploitation
      - Physical security assessment
      - Social engineering
    - Attempt to identify vulnerabilities and gain access to critical systems within the organization
    - Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
    - Assessments allow the client to demonstrate the need for additional security resources, by translating existing vulnerabilities into real-life business risks
  • 55. Rule of least privilege
    - One of the most fundamental principles of infosec
    - States that any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more
    - An AC system that grants users only those rights necessary for them to perform their work
    - Limits exposure to attacks and the damage an attack can cause
    - Physical security example: car ignition key vs. door key
  • 56. Implementing least privilege
    - Ensure that only a minimal set of users have root access
    - Don't make a program run setuid to root if not needed. Rather, make the file group-writable to some group and make the program run setgid to that group, rather than setuid to root
    - Don't run insecure programs on the firewall or other trusted host
  • 57. ?