Network Management

Chapter 4
Access Control Systems and Methodology
COMP4690, HKBU

Definition

- Access controls are the collection of mechanisms that specify what users can do on the system.
- They are the countermeasures for ensuring that only users with the proper need and authority can access the system, are allowed to execute programs, and can read, edit, add, or delete the appropriate information on the system.
- Access Control Policy: a written policy which defines who can access and what type of access will be given to information contained on the system.

Threats

- Buffer overflows: A program fills up its buffer of memory with more data than its buffer can hold. It can lead to the insertion of malicious code to destroy data or to gain administrative privileges.
- Covert channel: It violates the organization’s security policy through an unintended communications path.
- Eavesdropping: Use software (sniffers) to monitor packets or wiretapping telecommunication links to read transmitted data.
- Emanations: Emanations are electronic signals that radiate from hardware devices (monitors, power cords, transmission media). The analysis on emanations can disclose some information.
- Hackers
- Impersonation: Masquerading as an authorized user to gain unauthorized access.
- Internal intruders: Gain access to data beyond the access limitations, or gain unauthorized physical access to network connections, server equipment, etc.
- Malicious code: The code that can gain access to a system and, in executing, violates security policy.

Threats

- Masquerading/man-in-the-middle: A masquerade takes place when one entity pretends to be a different entity. A man-in-the-middle attack occurs when an unauthorized third party intercepts a transmission and changes it before retransmitting it to the intended recipient.
- Mobile code: It is the software that is transmitted across a network from a remote source to a local system and is then executed on that local system.
- Password crackers: To reveal passwords stored in the password file (usually, passwords for user accounts are one-way hashed and stored in a system file).
- Shoulder surfing: Direct visual observation of monitor displays to obtain access to sensitive information.
- Sniffers: Software that reads or captures packets that travel on the network.
- Social engineering: An unauthorized user tries to con authorized users into providing the information needed to access systems.
- Spoofing: The act of masquerading as a different IP address (IP spoofing) or ARP address (ARP spoofing).
- Trapdoor: An opening that system developers use to bypass the user authentication process in software.

Transmission Threats

- Denial-of-Service (DoS)
  - A common name for attacks on resource availability
  - Attempt to disable a computer or network or deny access to authorized users
- Examples
  - Distributed DoS (DDoS): The attacker controls many compromised hosts which can be used to overload a targeted server.
  - Ping of Death: Send ICMP packets (ping packets) with 65535 bytes to the victim. Some systems may crash or hang (in 1996-1997).
  - Smurfing (ICMP storm, or Ping flooding): The attacker sends a large stream of spoofed ping packets to a broadcast address. The source address is the IP address of the victim. Therefore the victim will receive lots of ICMP echo reply packets.
  - SYN flooding: The attacker keeps on establishing lots of half-open TCP connections to the victim (using IP spoofing) such that the victim has no room to establish legitimate connections.

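The three DoS patterns above each leave a distinct trace on the wire, which is what a monitoring tool looks for. The following is an added detection example written for these notes, not material from the course: it runs three simple heuristics (oversized ICMP, echo requests to a broadcast address, many half-open TCP handshakes to one host) over a small packet trace that is constructed inline. The Packet record, the /24 broadcast convention and the threshold of five half-open sources are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str    # "TCP" or "ICMP"
    kind: str     # TCP: "SYN", "SYN-ACK", "ACK"; ICMP: "echo-request", "echo-reply"
    length: int   # total IP datagram length in bytes


IP_MAX_DATAGRAM = 65535   # largest IP datagram; the slide's ping of death sends packets of this size


def is_broadcast(addr: str) -> bool:
    # Assumption: every network in the constructed trace is a /24, so .255 is its broadcast address.
    return addr.endswith(".255")


def detect_ping_of_death(trace):
    """Flag ICMP packets at the IP size limit, the pattern the slide describes."""
    return [p for p in trace if p.proto == "ICMP" and p.length >= IP_MAX_DATAGRAM]


def detect_smurf(trace):
    """Echo requests sent to a broadcast address: the (spoofed) source is the intended victim.
    Returns {victim_address: number_of_amplified_requests}."""
    victims = defaultdict(int)
    for p in trace:
        if p.proto == "ICMP" and p.kind == "echo-request" and is_broadcast(p.dst):
            victims[p.src] += 1
    return dict(victims)


def detect_syn_flood(trace, threshold=5):
    """Half-open connections per destination: a SYN from a source that never sends the final
    ACK of the handshake. Many distinct half-open sources to one host is the flood signature."""
    pending = defaultdict(set)     # dst -> sources that sent a SYN
    completed = defaultdict(set)   # dst -> sources that finished the handshake
    for p in trace:
        if p.proto != "TCP":
            continue
        if p.kind == "SYN":
            pending[p.dst].add(p.src)
        elif p.kind == "ACK":
            completed[p.dst].add(p.src)
    return {dst: len(srcs - completed[dst])
            for dst, srcs in pending.items()
            if len(srcs - completed[dst]) >= threshold}


# Constructed trace (not captured traffic): one legitimate handshake, six spoofed
# half-open SYNs, one oversized ping, and three smurf requests aimed at 192.0.2.10.
TRACE = [
    Packet("10.0.0.5", "192.0.2.10", "TCP", "SYN", 60),
    Packet("192.0.2.10", "10.0.0.5", "TCP", "SYN-ACK", 60),
    Packet("10.0.0.5", "192.0.2.10", "TCP", "ACK", 52),
] + [
    Packet(f"198.51.100.{i}", "192.0.2.10", "TCP", "SYN", 60) for i in range(1, 7)
] + [
    Packet("203.0.113.9", "192.0.2.10", "ICMP", "echo-request", 65535),
] + [
    Packet("192.0.2.10", "192.0.2.255", "ICMP", "echo-request", 84) for _ in range(3)
]

if __name__ == "__main__":
    print("ping of death:", detect_ping_of_death(TRACE))
    print("smurf victims:", detect_smurf(TRACE))
    print("syn flood:", detect_syn_flood(TRACE))
```

The smurf heuristic reports the spoofed source rather than the sender because, as the slide notes, the source address is the victim's; the SYN-flood heuristic counts distinct sources, since a flood built on IP spoofing spreads its half-open connections across many addresses.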
Malicious Code Threats

- Virus
  - Attaches itself to executable code and is executed when the code begins to run.
  - Can replicate itself and infect other programs.
- Worms
  - Can reproduce by copying themselves through computers on a network. A worm doesn’t copy itself to a program; it remains as an independent program.
- Trojan horse
  - A code fragment that hides inside a program and performs a disguised function. Usually spread by email attachments or web downloads.
- Logic bomb
  - A type of Trojan horse that releases some type of malicious code when a particular event occurs.

Security Technology and Tools

- Technical (Logical) controls
  - Access control software: firewalls, proxy servers
  - Anti-virus software
  - Passwords
  - Smart cards/biometrics/badge systems
  - Encryption
  - Dial-up callback system
  - Audit trails
  - Intrusion detection systems (IDSs)

Security Technology and Tools

- Administrative controls
  - Policies and procedures
  - Security awareness training
  - Separation of duties
  - Security reviews and audits
  - Rotation of duties
  - Procedures for recruiting and terminating employees
  - Security clearances
  - Background checks
  - Alert supervision
  - Performance evaluations
  - Mandatory vacation time

Security Technology and Tools

- Physical controls
  - Badges
  - Mantraps
  - Turnstiles
  - Limiting access to physical resources through the use of bollards, locks, alarms, or guards

I. Access to the System

- Identification
- Authentication
- Centralized access control
- Decentralized access control

Identification

- All system entities must have a unique identifier that differentiates them from other entities.
- User identification can
  - Assert user identity
  - Provide accountability (combined with an audit trail)
- User identification
  - is what users present to the system to say who they are
  - can be a Logon ID, user ID, account number, or user-name
    - It’s important to establish a procedure for establishing the format of a user’s name that is consistent throughout the organization
  - can be a badge or card system
  - Biometric devices

Authentication

- Authentication verifies identification.
  - The user must present identification, and the system must authenticate the identification before the user is allowed access to the system.
- Three methods of authentication
  - Something you know
  - Something you have
  - Something you are

Authentication Factors

Something you know
  Example: Password, personal identification number (PIN)
  Pros: Easy and inexpensive
  Cons: Easy to guess; subject to password sniffers and dictionary attacks; users don’t keep passwords secret

Something you have
  Example: Token, memory card, smart card
  Pros: Difficult to attack
  Cons: Can be lost or stolen; can be expensive

Something you are
  Example: Biometric devices: fingerprint, voice recognition, eye scanners
  Pros: Portable and provides an easy method of authenticating
  Cons: Can be expensive; user acceptance can be difficult; false rejection and false acceptance rates must meet security objectives

Centralized Access Control

- For remote user access (dial-in users, access from the Internet through a firewall or VPN), it is important to provide the AAA service
- Authentication, authorization, and accounting
  - Authentication verifies who the user is and whether the user is allowed access to the network
  - Authorization determines what the user is allowed to do
  - Accounting tracks what the user did and when it was done. It can be used for an audit trail or for billing for connection or resource time

AAA service

- Basic steps of an AAA service
  1. Remote user sends a user ID and password to the NAS (network access server)
  2. The NAS collects the remote user’s user ID and password
  3. The NAS sends an authentication request to the AAA server
  4. The AAA server returns connection parameters, authorization, and protocol information
  5. The NAS confirms connection and writes the audit record
- Centralized authentication protocols
  - RADIUS
  - TACACS
  - DIAMETER

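The five AAA steps above form one round trip between the NAS and the AAA server. The following is an added example written for these notes, not code from the course or from any RADIUS/TACACS implementation: the server stores only salted PBKDF2 password digests, returns a per-user connection profile on success (authorization), and appends every accept, reject and disconnect to an accounting list (the audit record the NAS step 5 refers to). The user, password, profile keys and the session/octet fields are constructed for the example.

```python
import hashlib
import hmac
import os
import time


def hash_password(password: str, salt: bytes) -> bytes:
    # Constructed store format: the server keeps (salt, digest), never the plaintext password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AAAServer:
    """Authentication (who), authorization (what), accounting (what happened, when)."""

    def __init__(self):
        self._creds = {}        # user_id -> (salt, digest)
        self._profiles = {}     # user_id -> connection parameters the NAS should apply
        self.accounting = []    # audit trail / billing records

    def add_user(self, user_id, password, profile):
        salt = os.urandom(16)
        self._creds[user_id] = (salt, hash_password(password, salt))
        self._profiles[user_id] = dict(profile)

    def authenticate(self, user_id, password):
        """Returns the user's connection parameters on success, None on failure."""
        salt, digest = self._creds.get(user_id, (b"\x00" * 16, b"\x00" * 32))
        # Always compute the hash so an unknown user costs the same as a wrong password.
        if not hmac.compare_digest(hash_password(password, salt), digest):
            return None
        return dict(self._profiles[user_id])

    def account(self, record):
        self.accounting.append(dict(record, time=time.time()))


class NAS:
    """Network access server: collects credentials, asks the AAA server, enforces the answer."""

    def __init__(self, name, server):
        self.name, self.server = name, server
        self._next_session = 1

    def connect(self, user_id, password):
        profile = self.server.authenticate(user_id, password)
        if profile is None:
            self.server.account({"nas": self.name, "user": user_id, "event": "reject"})
            return None
        session = {"id": self._next_session, "user": user_id, **profile}
        self._next_session += 1
        self.server.account({"nas": self.name, "user": user_id, "event": "start",
                             "session": session["id"]})
        return session

    def disconnect(self, session, octets):
        self.server.account({"nas": self.name, "user": session["user"], "event": "stop",
                             "session": session["id"], "octets": octets})


def demo():
    """Constructed scenario: one valid login, one bad password, one unknown user."""
    aaa = AAAServer()
    aaa.add_user("alice", "correct horse battery", {"protocol": "PPP", "timeout_s": 3600})
    nas = NAS("nas-01", aaa)
    good = nas.connect("alice", "correct horse battery")
    bad = nas.connect("alice", "wrong")
    unknown = nas.connect("mallory", "anything")
    if good:
        nas.disconnect(good, octets=12_345)
    return good, bad, unknown, [r["event"] for r in aaa.accounting]


if __name__ == "__main__":
    print(demo())
```

Rejected attempts are written to the accounting list as well as successful ones; a run of "reject" records for one user or from one NAS is exactly the evidence the later slides on audit trails and dictionary attacks want available.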
RADIUS

- Remote Authentication Dial-In User Service
  - To assist ISPs with billing information and connection configuration
  - The most popular AAA service in use today
  - Includes a RADIUS client, a RADIUS server, and a UDP/IP based frame protocol
    - The RADIUS client is situated on the NAS, which accepts the login credentials from the user and then submits them to the RADIUS server for authentication.
    - The RADIUS servers are responsible for receiving user connection requests, authenticating the user, and then returning all configuration information necessary for the client to deliver service to the user.

TACACS

- Terminal Access Controller Access Control Systems
  - Original TACACS was used in early ARPANET and was adopted by Cisco
  - Second version: XTACACS (move from UDP to TCP, also with additional functionality)
  - Third version: TACACS+, a proposed IETF Standard
- References:
  - RFC1492
  - http://www.gazi.edu.tr/tacacs/

DIAMETER

- Designed to support roaming applications and to overcome the extension limitations of the RADIUS protocol.
  - RADIUS was designed to function only with SLIP and PPP for standard analog modems. (Remark: it also works for ADSL today.)
  - DIAMETER can handle wireless mobile devices, cellular phones, or VPN
- Reference
  - http://www.diameter.org/

Decentralized/Distributed Access Control

- Single Sign-On (SSO)
  - Addresses the cumbersome situation of logging on multiple times to access different resources
  - In SSO, a user provides one ID and password per work session and is automatically logged on to all the required applications.
- Advantages
  - Can use stronger passwords
  - Easier administration of changing or deleting passwords
  - Requiring less time to access resources
- Disadvantage
  - Once a user obtains access to the system through the initial logon, the user can freely roam the network resources without any restrictions
- Kerberos, SESAME, KryptoKnight, NetSP

Kerberos

- trusted key server system from MIT
- provides centralised private-key third-party authentication in a distributed network
  - allows users access to services distributed through the network
  - without needing to trust all workstations
  - rather all trust a central authentication server
- two versions in use: 4 & 5

Kerberos Requirements

- first published report identified its requirements as:
  - security
  - reliability
  - transparency
  - scalability
- implemented using an authentication protocol based on Needham-Schroeder

Kerberos 4 Overview

- a basic third-party authentication scheme
- have an Authentication Server (AS)
  - users initially negotiate with AS to identify self
  - AS provides a non-corruptible authentication credential (ticket granting ticket TGT)
- have a Ticket Granting Server (TGS)
  - users subsequently request access to other services from TGS on the basis of the user’s TGT

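The AS and TGS exchanges above are easiest to follow as code. The following is an added model written for these notes, not Kerberos itself and not code from the course: one process plays both AS and TGS, the TGT is sealed under a key only the TGS holds (which is what makes it "non-corruptible" for the client), the AS reply can only be opened with the key derived from the user's password, and the TGS issues a service ticket only after checking the TGT and a fresh authenticator. The cipher is a toy encrypt-then-MAC construction standing in for the DES that Kerberos 4 uses, and the principal names, lifetimes and clock-skew window are assumptions of the example.

```python
import hashlib
import hmac
import json
import os


# --- Toy authenticated cipher (assumption: stands in for Kerberos 4's DES) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON object under key and append a MAC, so a forged or altered ticket is rejected."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def key_from_password(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one process."""

    def __init__(self):
        self.keys = {}                  # principal -> long-term key shared with the KDC
        self.tgs_key = os.urandom(32)   # only the TGS can open a TGT

    def register(self, name, key):
        self.keys[name] = key

    def as_exchange(self, client, now, lifetime=8 * 3600):
        """AS: issue a TGT. Only the holder of the client's password key can read the reply."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "session": session, "expires": now + lifetime})
        return seal(self.keys[client], {"session": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service, now, skew=300):
        """TGS: check the TGT and a fresh authenticator, then issue a ticket for the service."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        a = unseal(bytes.fromhex(t["session"]), authenticator)  # proves the client knows the session key
        if a["client"] != t["client"] or abs(now - a["timestamp"]) > skew:
            raise PermissionError("bad authenticator")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": t["client"], "session": svc_session, "expires": now + 3600})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session, "ticket": ticket.hex()})


def client_login(kdc, name, password, service, now):
    """Client side: AS exchange, then TGS exchange; returns (service ticket, service session key)."""
    rep = unseal(key_from_password(password), kdc.as_exchange(name, now))  # wrong password -> ValueError
    sess = bytes.fromhex(rep["session"])
    authenticator = seal(sess, {"client": name, "timestamp": now})
    rep2 = unseal(sess, kdc.tgs_exchange(bytes.fromhex(rep["tgt"]), authenticator, service, now))
    return bytes.fromhex(rep2["ticket"]), bytes.fromhex(rep2["session"])


def service_accept(service_key, ticket, authenticator, now):
    """Application server: open the ticket with its own key, verify the authenticator, return the client."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("ticket expired")
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    if a["client"] != t["client"]:
        raise PermissionError("authenticator does not match ticket")
    return t["client"]


def demo(password="correct horse", now=1_700_000_000):
    """Constructed realm: user alice and service 'fileserver'; returns whom the service accepted."""
    kdc = KDC()
    kdc.register("alice", key_from_password("correct horse"))
    fileserver_key = os.urandom(32)
    kdc.register("fileserver", fileserver_key)
    ticket, sess = client_login(kdc, "alice", password, "fileserver", now)
    return service_accept(fileserver_key, ticket, seal(sess, {"client": "alice", "timestamp": now}), now)


if __name__ == "__main__":
    print(demo())
```

Note where the password is used: only to open the AS reply on the client. It never travels to the KDC, and the workstation never learns the TGS key or the file server's key, which is the sense in which the slide says workstations need not be trusted.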
Kerberos 4 Overview (figure slide: protocol diagram not reproduced in the transcript)

Kerberos Realms

- a Kerberos environment consists of:
  - a Kerberos server
  - a number of clients, all registered with the server
  - application servers, sharing keys with the server
- this is termed a realm
  - typically a single administrative domain
- if there are multiple realms, their Kerberos servers must share keys and trust

Kerberos Version 5

- developed in the mid 1990’s
- provides improvements over v4
  - addresses environmental shortcomings: encryption system dependence, network protocol dependence, byte order, ticket lifetime, authentication forwarding, inter-realm authentication
  - and technical deficiencies: double encryption, non-std mode of DES, session keys, password attacks
- specified as Internet standard RFC 1510

SESAME

- Secure European System for Applications in a Multi-vendor Environment
- To access the network system
  - The user first authenticates to an Authentication Server to get a cryptographically protected token. The token is used to prove the user’s identity.
  - The user then presents the token to a Privileged Attribute Server to obtain a guaranteed set of access rights contained in a Privileged Attribute Certificate (PAC), which is digitally signed to prevent tampering.
  - The user presents the PAC to a requested application/resource whenever access is needed. The requested application makes an access control decision according to the user’s security attributes contained in the PAC and any other access control information that is located on the resource, such as an ACL.

II. Access to Data

- Discretionary Access Controls (DACs)
  - DACs are an access control policy that restricts access to files and other system resources based on the identity and assignment of the user and/or the groups to which the user belongs.
- Mandatory Access Controls (MACs)
  - MACs are an access control policy supported for information systems that process highly sensitive data. The system must assign sensitivity labels to all system subjects (users or programs) and all system objects (files or devices).

DACs

- File structure and DACs
  - A tree-structured file system has directories and files. DACs can be applied to both.
  - It allows users to not only specify who has access, but also what type of access others will have. E.g., none, read, write, execute, delete, change, and full control.
- Resource ownership:
  - An important aspect of DACs. Usually the user who creates the file is considered the owner of the file. This user is granted full control over the file.
- The DACs are based entirely on identities of users and objects, which can be outlined in an access control matrix.

Access Control Lists (ACLs)

- ACLs allow any particular user to be allowed or disallowed access to a particular protected object.
- It works like DACs and access control matrices.
- The ACL implements the access control matrix by representing the columns as lists of users attached to the protected objects.
- Notice: the ACLs should be protected just as other objects are protected.

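The DAC and ACL slides above describe one mechanism from two angles: the matrix, and the per-object column that implements it. The following is an added example written for these notes, not code from the course: each protected object carries its ACL, the creator becomes owner with full control, access is the union of the subject's own entry and its groups' entries, the matrix is rebuilt from the columns, and, as the last bullet requires, editing an ACL is itself a checked operation. The access types are the ones the DACs slide lists; treating "change" as the right to edit the ACL, and the user, group and file names, are assumptions of the example.

```python
from enum import Flag, auto


class Perm(Flag):
    """Access types named on the DACs slide. Assumption: CHANGE is the right to edit the ACL itself."""
    NONE = 0
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()
    DELETE = auto()
    CHANGE = auto()
    FULL = READ | WRITE | EXECUTE | DELETE | CHANGE


class ProtectedObject:
    """One column of the access control matrix, stored as an ACL attached to the object."""

    def __init__(self, name, owner):
        self.name = name
        self.owner = owner
        self.acl = {owner: Perm.FULL}   # the creator becomes owner with full control


def effective(obj, subject, groups=None):
    """Union of the subject's own entry and the entries of the groups it belongs to."""
    have = obj.acl.get(subject, Perm.NONE)
    for g in (groups or {}).get(subject, ()):
        have |= obj.acl.get(g, Perm.NONE)
    return have


def allowed(obj, subject, wanted, groups=None):
    return (effective(obj, subject, groups) & wanted) == wanted


def grant(obj, actor, subject, perms, groups=None):
    """Editing an ACL is a protected operation: only the owner or a CHANGE holder may do it."""
    if actor != obj.owner and not allowed(obj, actor, Perm.CHANGE, groups):
        raise PermissionError(f"{actor} may not change the ACL of {obj.name}")
    obj.acl[subject] = obj.acl.get(subject, Perm.NONE) | perms


def revoke(obj, actor, subject, groups=None):
    if actor != obj.owner and not allowed(obj, actor, Perm.CHANGE, groups):
        raise PermissionError(f"{actor} may not change the ACL of {obj.name}")
    obj.acl.pop(subject, None)


def access_matrix(objects, subjects, groups=None):
    """Rebuild the matrix rows (subjects) from the per-object columns (ACLs)."""
    return {s: {o.name: effective(o, s, groups) for o in objects} for s in subjects}


def demo():
    """Constructed scenario: alice owns two objects; bob tries to widen his own access."""
    groups = {"carol": ["staff"]}
    report = ProtectedObject("report.doc", owner="alice")
    tool = ProtectedObject("tool.exe", owner="alice")
    grant(report, "alice", "bob", Perm.READ)
    grant(tool, "alice", "staff", Perm.READ | Perm.EXECUTE)
    try:
        grant(report, "bob", "bob", Perm.WRITE)
        escalated = True
    except PermissionError:
        escalated = False
    return access_matrix([report, tool], ["alice", "bob", "carol"], groups), escalated


if __name__ == "__main__":
    matrix, escalated = demo()
    for subject, row in matrix.items():
        print(subject, row)
    print("bob escalated:", escalated)
```

The grant check is the whole point of the slide's last bullet: an ACL that any reader of the object could edit would let a READ grant be turned into FULL, so the ACL must be at least as protected as the object it guards.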
Mandatory Access Controls

- Use sensitivity labels to determine who can access what information
- Access decisions are based on the owner’s authorization, the subject’s label, the object’s label, and the security policy
- To limit user access so that a user at a lower level cannot access information labeled at a higher level

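The three MAC bullets above combine into one decision function. The following is an added example written for these notes, not code from the course: a label is a level from an ordered hierarchy plus a set of compartments, a subject may read an object only if its label dominates the object's (the slide's "no reading up"), and the owner's discretionary grant must also be present. It goes one step beyond the slide by adding the companion write rule (no writing down, the Bell-LaPadula *-property). The level names, compartments, file names and grants are constructed for the example.

```python
from dataclasses import dataclass

# Ordered sensitivity levels (constructed hierarchy for the example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories (assumption)

    def dominates(self, other):
        """self is at least as sensitive as other: equal-or-higher level and a superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and other.compartments <= self.compartments)


def mac_permits(op, subject_label, object_label):
    """The slide's rule is 'no read up'. 'No write down' is the Bell-LaPadula *-property,
    added here as the usual companion rule (not stated on the slide)."""
    if op == "read":
        return subject_label.dominates(object_label)
    if op == "write":
        return object_label.dominates(subject_label)
    raise ValueError(f"unknown operation {op!r}")


def decide(subject, subject_label, obj, op):
    """Both the owner's discretionary grant and the label policy must allow the access."""
    if op not in obj["grants"].get(subject, ()):
        return False
    return mac_permits(op, subject_label, obj["label"])


def demo():
    """Constructed scenario: bob is cleared 'secret' for the 'nuclear' compartment."""
    analyst = Label("secret", frozenset({"nuclear"}))
    docs = {
        "brief.txt": {"label": Label("confidential"),
                      "grants": {"bob": {"read", "write"}}},
        "plan.txt": {"label": Label("top secret", frozenset({"nuclear"})),
                     "grants": {"bob": {"read", "write"}}},
        "crypto.txt": {"label": Label("secret", frozenset({"crypto"})),
                       "grants": {"bob": {"read"}}},
        "denied.txt": {"label": Label("unclassified"), "grants": {}},
    }
    return {name: {op: decide("bob", analyst, d, op) for op in ("read", "write")}
            for name, d in docs.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two of the results are worth pausing on: crypto.txt is at bob's own level yet unreadable, because labels compare on compartments as well as level; and denied.txt is unclassified yet unreadable, because the owner never granted access, which is the "owner's authorization" part of the second bullet.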
Assurance, Trust, and Confidence Mechanisms

- It is also important to verify whether or not an intruder has breached the access control.
- It is necessary to audit the network on a regular basis for intrusion attempts.
- Intrusion detection system (IDS)
  - Attempts to identify and isolate computer and network attacks by observing traffic logs or other audit data.
  - Three basic components: a sensor, an analyzer, and a user interface

Network-based IDS (NIDS)

- NIDS monitors network traffic on the transmission links in real-time.
- It examines the details of the packet payloads, looking for DoS attacks or malicious code located in the data payloads.
- Some NIDSs can integrate with a firewall and automatically define new rules to shut out similar types of attacks in the future.
- Problem: when encryption is used, the NIDS may not be capable of interpreting the data packets and thus might allow unauthorized or suspicious packets to enter the network.

Host-based IDS (HIDS)

- HIDS uses an agent that resides on a single host to detect intrusions.
- It will detect an attack on the host and provide the ability to respond more effectively to an attack.

Analysis Engine Methods

- Rule-based Intrusion Detection
- Statistical-based Intrusion Detection
- Signature-based Intrusion Detection

Chapter 5
Operations Security

Introduction

- Two kinds of operations
  - Data center operations
  - Distributed and network operations
- Operations security
  - The central location of all IT processing areas, e.g., data center, server room, or computing center
- Key issue
  - To ensure that operators in a data center and system/network administrators in the distributed environment do not abuse the special privileges they must have to perform their duties

Outline

- Information Protection Requirements
- Information Protection Environment
- Security Technology Tools
- Information Protection and Management Services

Information Protection Requirements

- Basic Security Requirements
  - Availability
  - Integrity
  - Confidentiality
- Operations controls requirements
  - Resource protection
  - Privileged-entity control
  - Hardware control

Information Protection Environment

- The environment for operations security includes all computing resources of an organization
- Various types of threats
  - Disclosure of sensitive information
  - Destruction of resources
  - Interruption of processing
  - Corruption/modification of processes
  - Theft/removal of resources

Hardware Equipment

- Hardware: computers and peripherals
- Threats
  - Operators/system administrators have full access to the computers, and have the ability to load a version of the operating system that bypasses any access control mechanism.
  - Sometimes the equipment provides hardware maintenance functions that allow main storage display and modification, as well as tracing program instructions, while the system is running. These could enable someone to update system control block information, obtain system privileges, and compromise data/information.
  - Unauthorized connection of a device or communications line to a processor that would allow the unauthorized exposure of information.

Software

- Software: operating system components (utilities and libraries, directories, address tables, system logs, audit trails, security services), and applications (application program libraries, source and object code, vendor software, database management system, proprietary packages)
- Must be protected not only from external attacks, but also from internal misuse

Software

- Buffer Overflow: the result of inadequate system testing during the development process
- Pirated software: organizations should strictly enforce the conditions of software licenses
- Backdoors or trapdoors: hidden software mechanisms that enable system access without going through the access control

Operations

- Personnel who run the data centers have the potential to cause harm to the data processing.
  - A user with privileged access modifies a device address
  - Hijack a server’s network address to capture traffic
  - Force the server to reboot from tape or CD to bypass operating system security and thereby enable unauthorized access to the system and files
  - Force a system shutdown from the console or operations area, either accidentally or intentionally but inappropriately
  - Steal the password file or table from the server (this can lead to dictionary attacks)

Data and Media

- Sensitive or critical files and programs
- System logs, audit trails, and violation reports
- Backup files
- Media is the vehicle for storing data: paper documents, hard drives, CDs, tapes, flash memory.
- Media containing sensitive data should be protected
  - Disposal: consider the sensitivity, quantity, and timing of the information; the medium; dumpster diving (intruders may look through the trash to discover useful information!)
  - Object reuse: it’s necessary to remove any sensitive data from the media before it is made available to the next set of users.

Telecommunications Equipment

- Network interface cards
- Routers
- Switches
- Firewalls
- Cables
- Telephone/cellular phones
- More will be covered in “Telecommunications & network security”.

Support Systems

- Part of the computing infrastructure
  - Facility location and construction to house the operation
  - HVAC (heating/ventilation/air conditioning)
  - Refrigeration
  - Electrical power
  - Fire protection
  - Water
- More will be covered in “Physical Security”.

Personnel

- People are a key ingredient in operations security.
- The weakest link from a security of operations viewpoint!
- Personnel security
  - To ensure personnel needed to operate the data processing facilities have a safe and habitable working environment
  - To ensure they can be trusted to conduct secure operations in accordance with organization policies and procedures

Personnel (Cont.)

- Key employees
  - Operators in a data center
  - Network or system administrator in a network or distributed system
  - Security administrator in both
- Separation of responsibilities in a data center
  - Operators run the computers
  - Programmers and analysts create the software
  - Librarians control the media
  - Setup personnel prepare the jobs for the operators to run
  - Security administrators assign privileges to the users

Personnel (Cont.)

- Privileges which can create security issues if abused:
  - Changing computer system privileges or controls
  - Changing protective features or parameters affecting another
  - Allocating resources
  - Halting the computing system
  - Controlling the allocation and sharing of system and data resources (memory, file space, CPU cycles, etc.)

Personnel (Cont.)

- Possible threats
  - Operators (and users as well) can use the system’s computer time or vendor software for personal business or entertainment.
  - Operators have the opportunity and the ability to be involved in unauthorized access to restricted files and obtain information later disclosed to unauthorized persons.
  - Discontinuity of operation caused by failures induced by users, operators, and administrators.
  - Corrupting audit trails or system logs to hide unauthorized activities

Security Technology and Tools

- Five types of controls
  - Directive controls: administrative controls
    - To advise employees of the expected behavior
  - Preventive controls
    - To preclude actions violating policies
    - Guards, mantraps, backups, separation of duties, encryption, access control software, anti-virus software
  - Detective controls
    - To identify and possibly react to security violations
    - Audit trails, intrusion detection software, integrity checks
  - Corrective controls
    - To react to detection of an incident
    - More frequent update of anti-virus software, additional security awareness training, replacement of key locks
  - Recovery controls
    - To restore the system or operation to normal
    - Fault tolerance mechanisms, RAID, virus removal

Hardware Controls

- Physical protection
  - Surge suppressors
  - UPS equipment
- Configuration control
  - Logs of hardware modifications, configuration changes, and maintenance must be maintained, reviewed, and retained for future reference
- Control unauthorized connection to a processor
  - Physically secure individual machines and servers
  - Network cabling should be protected in conduits
  - Anti-sniffer tools to detect unauthorized connections
  - Using encryption, or install switches

Software Controls

- Control buffer overflows
- Enforce the conditions of software licenses and respect software copyright requirements
- Examine all acquired software for malicious code. E.g., use current anti-virus software products from several vendors
- Check software for backdoors and trapdoors
- Integrity control that keeps intruders and unauthorized changes out of production programs
  - Use a program library, maintained by a program librarian
  - The librarian is responsible for ensuring that programs are not added to the production library until they have been properly tested and authorized

Operations Controls

- It’s necessary to establish, document, and enforce operating procedures for all equipment and software: e.g., system start-up, error conditions and how to handle them, system shutdown, system restoration
- System recovery
  - Having current backups of all system-critical files
  - Controls after a system crash ensure that the system is in a secure state before allowing user access.

Data and Media

- Objective: to maintain the highest level of availability to users.
- Backups
  - Image backup vs. file backup
  - Full volume backup vs. differential backup
- Electronic vaulting
  - Online tape vaulting
  - Remote transaction journaling
  - Database shadowing
- Direct access storage devices (DASDs)
  - An effective backup facility
- Fault tolerance
  - To ensure the continuity of operations in the event of equipment failure

Data and Media

- Network data mirroring
  - Disk mirroring: Provide duplicate copies of production disks so that disk failures result in limited or no damage to critical data.
  - Redundant network connections and equipment: To avoid availability problems resulting from the single point of failure issue
- Redundant arrays of independent disks (RAID)
  - Originally coined in a paper by researchers at the University of California in Berkeley in 1988.
  - 7 levels: RAID 0, RAID 1, …, RAID 6
  - Widely used by the industry today (except RAID 2 & RAID 4)

RAID

- RAID 0 (not a true member of the RAID family!)
  - No redundancy
  - Data striped across all disks
  - Round Robin striping
  - Increase speed
    - Multiple data requests probably not on the same disk
    - Disks seek in parallel
    - A set of data is likely to be striped across multiple disks
- RAID 1
  - Mirrored Disks
  - Data is striped across disks
  - 2 copies of each stripe on separate disks
  - Read from either
  - Write to both
  - Recovery is simple
    - Swap faulty disk & re-mirror
    - No down time
  - Expensive

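The RAID 0 and RAID 1 bullets above are easiest to check by simulating them. The following is an added example written for these notes, not code from the course: RAID 0 places chunk k on disk k mod n (round-robin striping), so one failed disk makes the data unrecoverable; RAID 1 writes every chunk to both disks, keeps serving reads when one disk fails, and rebuilds a replacement from the surviving copy with no interruption to reads. The chunk size, disk names and payload are constructed for the example, and the RAID 1 model mirrors two whole disks rather than striping as well.

```python
class Disk:
    """In-memory block device; setting failed=True makes every access raise, like a dead drive."""

    def __init__(self, name):
        self.name, self.blocks, self.failed = name, {}, False

    def write(self, index, chunk):
        if self.failed:
            raise IOError(f"{self.name} failed")
        self.blocks[index] = chunk

    def read(self, index):
        if self.failed:
            raise IOError(f"{self.name} failed")
        return self.blocks[index]


def _chunks(data, size):
    return [data[i:i + size] for i in range(0, len(data), size)]


class Raid0:
    """Striping only: chunk k goes to disk k % n. Reads spread across disks; any failure loses data."""

    def __init__(self, disks, chunk_size=4):
        self.disks, self.chunk_size, self.nchunks = disks, chunk_size, 0

    def write(self, data):
        n = len(self.disks)
        for k, chunk in enumerate(_chunks(data, self.chunk_size)):
            self.disks[k % n].write(k // n, chunk)   # round-robin: stripe k // n on disk k % n
        self.nchunks = -(-len(data) // self.chunk_size)

    def read(self):
        n = len(self.disks)
        return b"".join(self.disks[k % n].read(k // n) for k in range(self.nchunks))


class Raid1:
    """Mirroring: every chunk written to both disks; read from whichever works; re-mirror on replace."""

    def __init__(self, primary, mirror, chunk_size=4):
        self.disks, self.chunk_size, self.nchunks = [primary, mirror], chunk_size, 0

    def write(self, data):
        for k, chunk in enumerate(_chunks(data, self.chunk_size)):
            for d in self.disks:
                d.write(k, chunk)
        self.nchunks = -(-len(data) // self.chunk_size)

    def _read_chunk(self, k):
        for d in self.disks:
            if not d.failed:
                return d.read(k)
        raise IOError("both mirrors failed")

    def read(self):
        return b"".join(self._read_chunk(k) for k in range(self.nchunks))

    def replace(self, failed_index, new_disk):
        """Swap the faulty disk and rebuild it from the surviving copy; reads keep working meanwhile."""
        survivor = self.disks[1 - failed_index]
        for k in range(self.nchunks):
            new_disk.write(k, survivor.read(k))
        self.disks[failed_index] = new_disk


def demo():
    """Constructed payload of 38 bytes -> 10 chunks of 4; exercise a disk failure on each array."""
    data = b"access control matrix rows and columns"
    r0 = Raid0([Disk("d0"), Disk("d1"), Disk("d2")])
    r0.write(data)
    striped_ok = r0.read() == data
    layout = {d.name: sorted(d.blocks) for d in r0.disks}
    r0.disks[1].failed = True
    try:
        r0.read()
        raid0_survives = True
    except IOError:
        raid0_survives = False
    r1 = Raid1(Disk("m0"), Disk("m1"))
    r1.write(data)
    r1.disks[0].failed = True
    raid1_survives = r1.read() == data
    r1.replace(0, Disk("m0-new"))
    r1.disks[1].failed = True           # the old survivor now fails; the rebuilt disk must carry on
    rebuilt_ok = r1.read() == data
    return striped_ok, layout, raid0_survives, raid1_survives, rebuilt_ok


if __name__ == "__main__":
    print(demo())
```

The layout returned by demo() shows the round-robin placement directly: with ten chunks over three disks, d0 holds stripes 0 to 3 and d1 and d2 hold stripes 0 to 2, which is why a read of the whole file seeks on all three disks in parallel and why losing any one of them loses every stripe.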
Telecommunications Equipment

- Communications equipment must be monitored for errors, inconsistencies, etc.
- Penetration tests should be conducted to ensure that communications controls cannot be easily compromised or misused.
- Sensitive data being communicated electronically should be encrypted
- Non-employee personnel performing maintenance should be supervised by a knowledgeable employee
- All communications equipment should be located in secured facilities.

Personnel

- Hiring process
  - Background checks, security clearances
  - Security awareness training
  - Employee transfers or terminations
- For a data center, separation of responsibilities is commonly used to prevent an individual from having control over all steps of an operation and therefore being able to manipulate it for personal benefit
- For networks and distributed systems, a security administrator position can be established to handle all the operational security-related tasks

Information Protection and Management Services

- Some tasks the security and operations management needs to perform to ensure a secure operating environment
  - Security reviews
  - Incident reporting
  - Problem management

Security Review

- By information security staff
- Enables an independent evaluation of how the security policies, procedures, and standards are implemented and how well they are working
- Areas to be reviewed
  - System access and authorization
  - Procedures and controls
  - Security incidents
  - Problem reporting
  - Change control

Incident Reporting

- The local policies and procedures should have detailed information about what types of activity should be reported, as well as the appropriate person to whom you should report.
- Outside organizations
  - CERT coordination center in the U.S.
  - HKCERT: http://www.hkcert.org/

Problem Management

- Report, track, and resolve problems affecting computer services
- Objectives
  - Reducing failures to an acceptable level
  - Preventing recurrences of problems
  - Reducing the problem impact on service
- Problems should be organized according to types
  - Performance and availability
  - Safety
  - Security
  - Operating procedures