Access Control
CT1405 Lecture 7
1
Objectives
• Define access control and list the four access
control models
• Describe logical access control methods
• Explain the different types of physical access
control
• Define authentication services
2
Introduction
• Important foundations in information security
– Verifying approved users
– Controlling their access
• This chapter introduces principles and practices of
controlling access
– Terminology
– Four standard control models
– Best practices
• Authentication services are also covered in this
chapter
3
What Is Access Control?
• Granting or denying approval to use specific
resources
• Information system’s mechanism to allow or restrict
access to data or devices
• Four standard models
• Specific practices used to enforce access control
4
Access Control Terminology
• Identification
– Presenting credentials
– Example: delivery driver presenting employee badge
• Authentication
– Checking the credentials
– Example: examining the delivery driver’s badge
• Authorization
– Granting permission to take action
– Example: allowing delivery driver to pick up package
5
6
Table 9-1 Basic steps in access control
Access Control Terminology (cont’d.)
• Object
– Specific resource
– Example: file or hardware device
• Subject
– User or process functioning on behalf of a user
– Example: computer user
• Operation
– Action taken by the subject over an object
– Example: deleting a file
7
8
Table 9-2 Roles in access control
9
Figure 9-1 Access control process and terminology
© Cengage Learning 2012
Access Control Models
• Standards that provide a predefined framework for
hardware or software developers
• Used to implement access control in a device or
application
• Custodians can configure security based on
owner’s requirements
• Four major access control models
– Mandatory Access Control (MAC)
– Discretionary Access Control (DAC)
10
Access Control Models (cont’d.)
• Four major access control models (cont’d.)
– Role Based Access Control (RBAC)
– Rule Based Access Control (also abbreviated RBAC; written RB-RBAC when the two must be told apart)
• Mandatory Access Control
– Most restrictive access control model
– Typically found in military settings
– Two elements
• Labels
• Levels
11
Access Control Models (cont’d.)
• MAC grants permissions by comparing the object’s label with the subject’s label
– Labels carry a sensitivity level (and, in lattice models, a set of compartments); the subject’s label is its clearance
– Labels are set by the security policy (the administrator), never by the object’s owner
• To determine if a file may be read:
– Compare object and subject labels
– The subject’s label must be equal to or higher than (dominate) the object’s label
• Two major implementations of MAC
– Lattice model
– Bell-LaPadula model
12
Access Control Models (cont’d.)
• Lattice model
– Subjects and objects are assigned a “rung” on the lattice; information may flow only upward, from a lower rung to a higher one
– Multiple lattices can be placed beside each other: two labels at the same level with different compartments are incomparable, so neither side may read the other
• Bell-LaPadula
– Builds on the lattice model to protect confidentiality
– Simple security property: a subject may not read an object above its level (“no read up”)
– *-property: a subject may not write to an object below its level (“no write down”), so it cannot copy higher-level data into a lower-level object
13
Access Control Models (cont’d.)
• Example of MAC implementation
– Windows Vista/7 Mandatory Integrity Control labels processes and objects with one of four integrity levels (Low, Medium, High, System)
– A process at a lower integrity level cannot modify an object labeled higher; actions that need a higher level prompt for administrator approval through User Account Control (UAC)
• Discretionary Access Control (DAC)
– Least restrictive model
– Every object has an owner
– Owners have total control over their objects
– Owners can give permissions to other subjects over
their objects
14
15
Figure 9-2 Windows User Account Control (UAC) dialog box
© Cengage Learning 2012
Access Control Models (cont’d.)
• Discretionary Access Control (cont’d.)
– Used on operating systems such as most types of
UNIX and Microsoft Windows
• DAC weaknesses
– Relies on decisions by end user to set proper
security level
• Incorrect permissions may be granted
– Subject’s permissions will be “inherited” by any programs the subject executes
– Trojans are a particular problem with DAC: a Trojan run by the user holds every permission the user holds and can read, change or share any object the user owns
16
17
Figure 9-3 Discretionary Access Control (DAC)
© Cengage Learning 2012
Access Control Models (cont’d.)
• Role Based Access Control (RBAC)
– Also called Non-discretionary Access Control
– Access permissions are based on user’s job function
• RBAC assigns permissions to particular roles in an
organization
– Users are assigned to those roles
• Rule Based Access Control (RBAC)
– Dynamically assigns roles to subjects based on a set
of rules defined by a custodian
18
Access Control Models (cont’d.)
• Rule Based Access Control (cont’d.)
– Each resource object contains access properties
based on the rules
– When user attempts access, system checks object’s
rules to determine access permission
– Often used for managing user access to one or more
systems
• Business changes may trigger application of the rules
specifying access changes
19
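Role Based and Rule Based Access Control side by side, as an added Python example (not code from the lecture or the textbook). The roles, permissions, users, departments and the rules themselves are constructed for the example. Permissions attach to roles and users to roles, as the RBAC slide says; a static separation-of-duty constraint is enforced at role assignment; the custodian’s rules then grant or withdraw roles dynamically from the request context (time of day, source network), which is the Rule Based part.

```python
from datetime import datetime

# Constructed RBAC data for this example: hypothetical roles, users and permissions.
ROLE_PERMISSIONS = {
    "ap_clerk": {"invoice:create", "invoice:read"},
    "ap_approver": {"invoice:read", "invoice:approve"},
    "auditor": {"invoice:read", "ledger:read"},
    "helpdesk": {"user:reset_password"},
}
USER_ROLES = {
    "alice": {"ap_clerk"},
    "bob": {"ap_approver"},
    "carol": {"auditor"},
    "dave": set(),                 # contractor: no static role, gets one only through a rule
}
USER_ATTRIBUTES = {
    "alice": {"department": "finance"},
    "bob": {"department": "finance"},
    "carol": {"department": "audit"},
    "dave": {"department": "it", "contractor": True},
}
# Static separation of duty: nobody may both create and approve invoices.
MUTUALLY_EXCLUSIVE = [("ap_clerk", "ap_approver")]


def sod_conflict(user, role):
    """Return the role already held by `user` that `role` would conflict with, or None."""
    held = USER_ROLES.get(user, set())
    for a, b in MUTUALLY_EXCLUSIVE:
        if role == a and b in held:
            return b
        if role == b and a in held:
            return a
    return None


def assign_role(user, role):
    # RBAC enforces separation of duties at assignment time, not at every access.
    conflict = sod_conflict(user, role)
    if conflict:
        raise PermissionError(f"{user}: {role} conflicts with {conflict}")
    USER_ROLES.setdefault(user, set()).add(role)


def business_hours(now):
    return now.weekday() < 5 and 8 <= now.hour < 18


# Rule Based Access Control: the custodian's rules grant or withdraw roles from the
# request context. Each rule is (condition(user, attributes, context) -> bool, roles).
GRANT_RULES = [
    # IT contractors act as helpdesk only in business hours and only from the corporate network
    (lambda user, attrs, ctx: bool(attrs.get("contractor")) and attrs.get("department") == "it"
        and business_hours(ctx["now"]) and ctx["source"] == "corp", {"helpdesk"}),
]
WITHDRAW_RULES = [
    # Invoice approvals outside business hours are a fraud indicator, so the role is suspended.
    (lambda user, attrs, ctx: not business_hours(ctx["now"]), {"ap_approver"}),
]


def effective_roles(user, ctx):
    attrs = USER_ATTRIBUTES.get(user, {})
    roles = set(USER_ROLES.get(user, set()))
    for condition, granted in GRANT_RULES:
        if condition(user, attrs, ctx):
            roles |= granted
    for condition, withdrawn in WITHDRAW_RULES:
        if condition(user, attrs, ctx):
            roles -= withdrawn
    return roles


def is_authorized(user, permission, ctx):
    # Implicit deny: a permission reaches a user only through a role; nothing else counts.
    granted = set().union(*(ROLE_PERMISSIONS[r] for r in effective_roles(user, ctx)))
    return permission in granted


if __name__ == "__main__":
    office = {"now": datetime(2024, 3, 12, 10, 0), "source": "corp"}   # a Tuesday morning
    night = {"now": datetime(2024, 3, 12, 23, 0), "source": "corp"}
    print(is_authorized("bob", "invoice:approve", office))        # True
    print(is_authorized("bob", "invoice:approve", night))         # False: role withdrawn after hours
    print(is_authorized("dave", "user:reset_password", office))   # True: granted by a rule
    print(sod_conflict("alice", "ap_approver"))                   # ap_clerk
```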
20
Table 9-3 Access control models
Best Practices for Access Control
• Establishing best practices for limiting access
– Can help secure systems and data
• Examples of best practices
– Separation of duties
– Job rotation
– Least privilege
– Implicit deny
– Mandatory vacations
21
Best Practices for Access Control
(cont’d.)
• Separation of duties
– Fraud can result from single user being trusted with
complete control of a process
– Requiring two or more people responsible for
functions related to handling money
– System is not vulnerable to actions of a single
person
• Job rotation
– Individuals periodically moved between job
responsibilities
22
Best Practices for Access Control
(cont’d.)
• Job rotation (cont’d.)
– Employees can rotate within their department or
across departments
• Advantages of job rotation
– Limits amount of time individuals are in a position to
manipulate security configurations
– Helps expose potential avenues for fraud
• Individuals have different perspectives and may
uncover vulnerabilities
– Reduces employee burnout
23
Best Practices for Access Control
(cont’d.)
• Least privilege
– Limiting access to information based on what is
needed to perform a job function
– Helps reduce attack surface by eliminating
unnecessary privileges
– Should apply to users and processes on the system
– Processes should run at minimum security level
needed to correctly function
– Temptation to assign higher levels of privilege is
great
24
25
Table 9-4 Challenges of least privilege
Best Practices for Access Control
(cont’d.)
• Implicit deny
– If a request matches no rule that explicitly permits it, the request is rejected
– Example: a router access list permits only the traffic its rules describe; a packet that matches no rule is dropped by the unwritten deny at the end of the list
• Mandatory vacations
– Limits fraud, because perpetrator must be present
daily to hide fraudulent actions
– Audit of employee’s activities usually scheduled
during vacation for sensitive positions
26
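Implicit deny in the router example, as an added Python example (not code from the lecture or the textbook): a first-match packet filter whose last, unwritten rule is "deny". The access list, the addresses (RFC 5737 documentation ranges) and the packets are constructed for the example; the audit helper at the end catches the common way implicit deny gets defeated, a trailing permit-anything rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


def _network(cidr):
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "any"
    src: str                        # CIDR or "any"
    dst: str
    dports: Optional[range] = None  # None means any destination port

    def matches(self, pkt):
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in _network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in _network(self.dst):
            return False
        if self.dports is not None and pkt.get("dport") not in self.dports:
            return False
        return True


def evaluate(acl, pkt):
    """First matching rule wins. A packet that matches no rule falls off the end of the
    list and is denied by the implicit deny, which is never written in the ACL itself."""
    for index, rule in enumerate(acl):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


def defeats_implicit_deny(acl):
    """Audit check: a trailing permit-anything rule turns the list into allow-by-default."""
    return bool(acl) and acl[-1] == Rule("permit", "any", "any", "any")


# Constructed ACL in front of a DMZ web server (documentation addresses from RFC 5737).
DMZ_ACL = [
    Rule("permit", "tcp", "any", "203.0.113.10/32", range(443, 444)),        # HTTPS from anywhere
    Rule("permit", "tcp", "10.0.5.0/24", "203.0.113.10/32", range(22, 23)),  # SSH from the admin subnet
    Rule("deny", "tcp", "any", "203.0.113.10/32", range(22, 23)),            # explicit deny, so it can be logged
]

if __name__ == "__main__":
    print(evaluate(DMZ_ACL, {"proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443}))  # ('permit', 0)
    print(evaluate(DMZ_ACL, {"proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 53}))   # ('deny', None)
```

The explicit deny on port 22 is redundant with the implicit deny; it exists so that the blocked SSH attempts are attributable to a rule and can be counted or logged, which the implicit deny does not do on most platforms.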
Access Control Lists
• Set of permissions attached to an object
• Specifies which subjects may access the object
and what operations they can perform
• When subject requests to perform an operation:
– System checks ACL for an approved entry
• ACLs usually viewed in relation to operating
system files
27
28
Figure 9-4 UNIX file permissions
© Cengage Learning 2012
Access Control Lists (cont’d.)
• Each entry in the ACL is called an access control entry (ACE)
• ACE structure (Windows)
– Security identifier for the user or group account or
logon session
– Access mask that specifies access rights controlled
by ACE
– Flag that indicates type of ACE
– Set of flags that determine whether objects can
inherit permissions
29
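The two ACL styles just described, worked through as an added Python example (not code from the lecture or the textbook). The first half parses the permission field from `ls -l` and applies the classic UNIX owner/group/other check; the second half walks a Windows-style DACL of (type, SID, access mask) entries. The SIDs other than the well-known Users group, the file owners and the sample DACL are constructed; inheritance flags, the fourth ACE field from the slide, are left out because they affect how a DACL is built rather than how it is evaluated.

```python
import stat

# ---- UNIX: permission bits carried by the file itself -----------------------------

def parse_mode_string(text):
    """Turn the 10-character field printed by `ls -l` (e.g. '-rwxr-x---') into st_mode bits."""
    if len(text) != 10:
        raise ValueError("expected a 10-character mode string")
    special = {3: stat.S_ISUID, 6: stat.S_ISGID, 9: stat.S_ISVTX}
    bits = 0
    for i, ch in enumerate(text[1:], start=1):
        if ch in "rwx":
            bits |= 1 << (9 - i)
        elif ch in "sStT" and i in special:
            bits |= special[i]
            if ch in "st":                 # lower case: the execute bit is set as well
                bits |= 1 << (9 - i)
        elif ch != "-":
            raise ValueError(f"unexpected character {ch!r}")
    return bits


def unix_permitted(mode, file_uid, file_gid, uid, gids, op):
    """Classic UNIX DAC: exactly one class applies (owner, else group, else other).
    root's CAP_DAC_OVERRIDE is left out on purpose so the class logic stays visible."""
    shift = {"read": 2, "write": 1, "execute": 0}[op]
    if uid == file_uid:
        cls = 6
    elif file_gid in gids:
        cls = 3
    else:
        cls = 0
    return bool(mode & (1 << (cls + shift)))


# ---- Windows: a DACL made of access control entries --------------------------------

ACCESS_ALLOWED, ACCESS_DENIED = "ACCESS_ALLOWED_ACE", "ACCESS_DENIED_ACE"
FILE_READ_DATA, FILE_WRITE_DATA, FILE_EXECUTE, DELETE = 0x1, 0x2, 0x20, 0x10000   # access mask bits


def windows_access_check(dacl, token_sids, desired):
    """Walk the ACEs in order. An allow ACE removes the rights it grants from what is still
    wanted; a deny ACE that covers any still-wanted right ends the check with a denial.
    Windows' canonical order puts explicit deny ACEs first, which is what makes a deny
    reliable. An empty DACL grants nothing (a missing DACL would grant everything)."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == ACCESS_DENIED and mask & remaining:
            return False
        if ace_type == ACCESS_ALLOWED:
            remaining &= ~mask
            if remaining == 0:
                return True
    return remaining == 0


if __name__ == "__main__":
    # alice (uid 1001) owns a file whose mode gives the group everything and the owner nothing.
    mode = parse_mode_string("----rwx---")
    print(oct(mode))                                                          # 0o70
    print(unix_permitted(mode, 1001, 50, uid=1001, gids={50}, op="read"))    # False: owner class applies
    print(unix_permitted(mode, 1001, 50, uid=1002, gids={50}, op="read"))    # True: plain group member

    # Constructed SIDs (S-1-5-32-545 is the well-known Users group; the other is made up).
    users, alice = "S-1-5-32-545", "S-1-5-21-1-2-3-1001"
    dacl = [
        (ACCESS_DENIED, alice, FILE_WRITE_DATA),                                  # canonical: deny first
        (ACCESS_ALLOWED, users, FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE),
    ]
    print(windows_access_check(dacl, {alice, users}, FILE_WRITE_DATA))        # False
    print(windows_access_check(dacl, {alice, users}, FILE_READ_DATA))         # True
    print(windows_access_check(dacl[::-1], {alice, users}, FILE_WRITE_DATA))  # True: wrong order defeats the deny
```

The UNIX case shows the surprise that bites people auditing permissions: the owner is judged only by the owner bits, so a member of the group can read a file that its owner cannot. The Windows case shows why tools warn about a "non-canonical" DACL: the same ACEs in the wrong order silently turn a deny into an allow.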
Group Policies
• Microsoft Windows feature
– Provides centralized management and configuration
of computers and remote users using Active
Directory (AD)
– Usually used in enterprise environments
– Settings stored in Group Policy Objects (GPOs)
• Local Group Policy
– Fewer options than a Group Policy
– Used to configure settings for systems not part of AD
30
Account Restrictions
• Time of day restrictions
– Limits the time of day a user may log onto a system
– Time blocks for permitted access are chosen
– Can be set on individual systems
• Account expiration
– Orphaned accounts: accounts that remain active
after an employee has left the organization
– Dormant accounts: not accessed for a lengthy period
of time
– Both can be security risks
31
32
Figure 9-5 Operating system time of day restrictions
© Cengage Learning 2012
33
Figure 9-6 Wireless access point restrictions
© Cengage Learning 2012
Account Restrictions (cont’d.)
• Recommendations for dealing with orphaned or
dormant accounts
– Establish a formal process
– Terminate access immediately
– Monitor logs
• Orphaned accounts remain a problem in today’s
organizations
• Account expiration
– Sets a user’s account to expire
34
Account Restrictions (cont’d.)
• Password expiration sets a time when user must
create a new password
– Different from account expiration
• Account expiration can be a set date, or a number
of days of inactivity
35
Authentication Services
• Authentication
– Process of verifying credentials
• Authentication services provided on a network
– Dedicated authentication server
• Or AAA server if it also performs authorization and
accounting
• Common types of authentication and AAA servers
– Kerberos, RADIUS, TACACS+, LDAP (LDAP is a directory protocol rather than an AAA protocol; it authenticates a user by checking the credentials supplied in a bind operation against the directory)
36
RADIUS
• Remote Authentication Dial In User Service
– Developed in 1992; standardized by the IETF in RFC 2865 (authentication and authorization) and RFC 2866 (accounting)
– Became an industry standard
– Suitable for high volume service control applications
• Such as dial-in access to a corporate network
– Still in use today, mainly for 802.1X/wireless authentication and VPN access
– Runs over UDP (ports 1812 and 1813); only the User-Password attribute is hidden, using a shared secret between client and server, and the rest of the packet travels in clear text
• RADIUS client
– Typically a device such as a wireless AP
• Responsible for sending user credentials and
connection parameters to the RADIUS server
37
38
Figure 9-7 RADIUS authentication
© Cengage Learning 2012
RADIUS (cont’d.)
• RADIUS user profiles stored in central database
– All remote servers can share
• Advantages of a central service
– Increases security due to a single administered
network point
– Easier to track usage for billing and keeping network
statistics
39
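The RADIUS exchange in Figure 9-7, worked through as an added Python example (not code from the lecture or the textbook): the RADIUS client (the NAS, e.g. the wireless AP) builds an Access-Request, the server recovers the password and answers Access-Accept or Access-Reject, and the client verifies the reply. The packet layout, attribute codes, password hiding (RFC 2865 section 5.2) and Response Authenticator (section 3) follow the RFC; the user database, the shared secret and the NAS address are constructed, and the two sides talk through a function call instead of UDP.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute types, RFC 2865 section 5
HEADER = struct.Struct("!BBH")                          # Code, Identifier, Length; then a 16-byte Authenticator

USERS = {"alice": "correct horse"}                      # constructed user database


def hide_password(password, secret, request_authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    pw = password.encode()
    pw += b"\0" * (-len(pw) % 16 if pw else 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(pw), 16):
        block = bytes(p ^ k for p, k in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(hidden, secret, request_authenticator):
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0").decode(errors="replace")


def encode_attributes(attributes):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attributes)


def parse_attributes(packet):
    attrs, i = [], 20
    while i < len(packet):
        t, length = packet[i], packet[i + 1]
        attrs.append((t, packet[i + 2:i + length]))
        i += length
    return attrs


def build_packet(code, identifier, authenticator, attributes):
    body = encode_attributes(attributes)
    return HEADER.pack(code, identifier, 20 + len(body)) + authenticator + body


def response_authenticator(code, identifier, request_authenticator, attributes, secret):
    # MD5 over Code + ID + Length + RequestAuth + Attributes + Secret (RFC 2865 section 3).
    body = encode_attributes(attributes)
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(body))
                       + request_authenticator + body + secret).digest()


def radius_server(request, secret):
    """Server side: recover the password, look the user up, answer Accept or Reject."""
    code, identifier, _ = HEADER.unpack(request[:4])
    request_auth = request[4:20]
    attrs = dict(parse_attributes(request))
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    ok = code == ACCESS_REQUEST and USERS.get(attrs[USER_NAME].decode()) == password
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, identifier, response_authenticator(reply, identifier, request_auth, [], secret), [])


def verify_reply(reply, identifier, request_auth, secret):
    """Client side: a reply is trusted only if its Response Authenticator matches our request."""
    code, reply_id, _ = HEADER.unpack(reply[:4])
    expected = response_authenticator(code, reply_id, request_auth, parse_attributes(reply), secret)
    return reply_id == identifier and hmac.compare_digest(reply[4:20], expected)


def nas_authenticate(user, password, secret, server=radius_server):
    """NAS (RADIUS client) side: build the Access-Request, send it, check the reply."""
    identifier, request_auth = 0x2A, os.urandom(16)
    attrs = [(USER_NAME, user.encode()),                                  # travels in clear text
             (USER_PASSWORD, hide_password(password, secret, request_auth)),
             (NAS_IP_ADDRESS, bytes([192, 0, 2, 1]))]                     # constructed NAS address
    reply = server(build_packet(ACCESS_REQUEST, identifier, request_auth, attrs), secret)
    if not verify_reply(reply, identifier, request_auth, secret):
        raise ValueError("reply failed the Response Authenticator check: wrong secret or forged reply")
    return HEADER.unpack(reply[:4])[0] == ACCESS_ACCEPT
```

Two things the code makes visible that the slide does not: the shared secret is the only thing protecting the password and authenticating the server's reply (an attacker who sniffs a request and knows or guesses the secret recovers the password offline, which is why RADIUS is normally tunnelled in IPsec or carried inside EAP-TLS), and everything except the password, including the user name, is readable on the wire.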
Kerberos
• Authentication system developed at MIT (Project Athena)
– A trusted third party, the Key Distribution Center (KDC), shares a symmetric key with every user and service and issues tickets encrypted under those keys
• Often used in educational and government settings; also the default authentication protocol in Windows Active Directory domains
• Works like using a driver’s license to cash a check: the check casher trusts the issuer of the license, not the word of the bearer
• Kerberos ticket
– Contains information linking it to the user (client name, a session key, validity period)
– User presents ticket to the network service together with an authenticator encrypted under the session key
– Difficult to copy usefully: the ticket is encrypted with the service’s key, and a stolen ticket is worthless without the session key that goes with it
– Expires after a few hours or a day
40
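The ticket flow described above, worked through as an added Python example (not code from the lecture or the textbook): the AS exchange (password-derived key opens the AS-REP and yields a TGT), the TGS exchange (TGT plus authenticator yields a service ticket) and the final presentation to the service, which checks the ticket with no call back to the KDC. The realm, principal names, password and 10-hour ticket life are assumed; `seal`/`unseal` is a toy authenticated-encryption stand-in for a Kerberos enctype, so the protocol logic rather than the cipher is what this shows.

```python
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.COM"                        # hypothetical realm


def string_to_key(password, principal):
    # Toy string-to-key; real Kerberos enctypes use PBKDF2 with the salt REALM+principal.
    return hashlib.sha256((REALM + principal + password).encode()).digest()


def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))


def seal(key, fields):
    """Toy authenticated encryption: SHA-256 keystream XOR plus HMAC-SHA256 tag (not a Kerberos enctype)."""
    nonce = os.urandom(16)
    pt = json.dumps(fields).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Service (AS) and Ticket-Granting Service (TGS) in one place."""
    def __init__(self):
        self.client_keys = {"alice": string_to_key("correct horse", "alice")}   # constructed principal
        self.tgs_key = os.urandom(32)
        self.service_keys = {"host/files.example.com": os.urandom(32)}
        self.ticket_life = 10 * 3600                                           # 10 hours, the common default

    def as_exchange(self, client, now):
        """AS-REQ -> AS-REP: a TGT sealed for the TGS plus the session key sealed for the user."""
        session = os.urandom(32).hex()
        expires = now + self.ticket_life
        tgt = seal(self.tgs_key, {"client": client, "key": session, "expires": expires})
        return tgt, seal(self.client_keys[client], {"key": session, "expires": expires})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ -> TGS-REP: the authenticator proves the caller holds the TGT's session key."""
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if now > t["expires"] or a["client"] != t["client"] or abs(now - a["time"]) > 300:
            raise PermissionError("expired ticket, client mismatch or stale authenticator")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.service_keys[service], {"client": t["client"], "key": svc_session, "expires": t["expires"]})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session})


def login(kdc, client, password, now):
    tgt, enc_part = kdc.as_exchange(client, now)
    session = unseal(string_to_key(password, client), enc_part)["key"]   # wrong password -> PermissionError
    return tgt, bytes.fromhex(session)


def get_service_ticket(kdc, client, tgt, session_key, service, now):
    authenticator = seal(session_key, {"client": client, "time": now})
    ticket, enc_part = kdc.tgs_exchange(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(unseal(session_key, enc_part)["key"])


def service_accepts(service_key, ticket, authenticator, now):
    """AP-REQ check done by the service itself, using only its own long-term key."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
    except PermissionError:
        return False
    return now <= t["expires"] and a["client"] == t["client"] and abs(now - a["time"]) <= 300
```

The service never contacts the KDC: it trusts the ticket because only the KDC could have sealed it under the service's key, and it trusts the bearer because the authenticator proves possession of the session key inside the ticket. Copying the ticket alone therefore gains nothing; stealing the session key with it (as credential-cache theft does) is what "pass the ticket" attacks rely on.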
Terminal Access Controller Access-Control System (TACACS)
• Authentication service similar to RADIUS; the version in use today is TACACS+
• Developed by Cisco Systems
• Commonly used for administrative logins to network devices (routers, switches, firewalls)
• Communicates by forwarding user authentication information to a centralized server
• TACACS+ differs from RADIUS in running over TCP (port 49), encrypting the whole packet body rather than only the password, and separating authentication, authorization and accounting so that each command an administrator types can be authorized individually
41
42
Table 9-5 Comparison of RADIUS and TACACS+
Lightweight Directory Access Protocol
(LDAP)
• Directory service
– Database stored on a network
– Contains information about users and network
devices
– Keeps track of network resources and user’s
privileges to those resources
– Grants or denies access based on its information
• Standard for directory services
– X.500
43
Lightweight Directory Access Protocol
(cont’d.)
• X.500 defines the Directory Access Protocol (DAP) that a client application uses to query the directory
• LDAP
– A simpler subset of DAP
– Designed to run over TCP/IP (port 389; LDAP over TLS, LDAPS, uses port 636)
– Has simpler functions
– Encodes protocol elements in a simpler way than X.500
– An open protocol
44
Lightweight Directory Access Protocol
(cont’d.)
• Weakness of LDAP
– Can be subject to LDAP injection attacks
• Similar to SQL injection attacks
• Occurs when user input is placed into a search filter without escaping the filter metacharacters ( ) * \ and NUL (RFC 4515), letting the attacker add conditions or turn an exact match into a wildcard
45
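LDAP injection and its fix, as an added Python example (not code from the lecture or the textbook). A login filter and a lookup filter are built first by string concatenation and then with RFC 4515 escaping, and both are run against a small in-memory directory through a filter evaluator written for this example (it handles only the `&`, `|`, `!` and `attr=value` forms, with `*` wildcards). The directory entries, attribute names and payloads are constructed; no real LDAP server is involved.

```python
# Constructed directory entries for this example; no real LDAP server is involved.
DIRECTORY = [
    {"uid": "alice", "userPassword": "s3cret", "ou": "finance"},
    {"uid": "bob", "userPassword": "hunter2", "ou": "it"},
]


def build_login_vulnerable(uid, password):
    # String concatenation: the user controls filter syntax, not just values.
    return "(&(uid=%s)(userPassword=%s))" % (uid, password)


def build_lookup_vulnerable(uid, mail):
    return "(|(uid=%s)(mail=%s))" % (uid, mail)


def escape_filter_value(value):
    """Escape an assertion value as RFC 4515 section 3 requires: \\ * ( ) and NUL become \\XX."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_login_safe(uid, password):
    return "(&(uid=%s)(userPassword=%s))" % (escape_filter_value(uid), escape_filter_value(password))


def build_lookup_safe(uid, mail):
    return "(|(uid=%s)(mail=%s))" % (escape_filter_value(uid), escape_filter_value(mail))


class FilterParser:
    """Parses the subset of RFC 4515 filters used here: (&...), (|...), (!...), (attr=value)."""
    def __init__(self, text):
        self.s, self.i = text, 0

    def parse(self):
        node = self._filter()
        if self.i != len(self.s):
            raise ValueError("trailing characters after filter")
        return node

    def _expect(self, ch):
        if self.s[self.i:self.i + 1] != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.i))
        self.i += 1

    def _filter(self):
        self._expect("(")
        c = self.s[self.i:self.i + 1]
        if c in ("&", "|"):
            self.i += 1
            children = []
            while self.s[self.i:self.i + 1] == "(":
                children.append(self._filter())
            node = (c, children)
        elif c == "!":
            self.i += 1
            node = ("!", [self._filter()])
        else:
            end = self.s.index(")", self.i)           # a literal ')' inside a value arrives escaped as \29
            attr, _, value = self.s[self.i:end].partition("=")
            self.i = end
            node = ("=", attr, value)
        self._expect(")")
        return node


def _pieces(assertion):
    """Split an assertion value on unescaped '*' and decode \\XX escapes in the literal pieces."""
    pieces, cur, i = [], [], 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\":
            cur.append(chr(int(assertion[i + 1:i + 3], 16)))
            i += 3
        elif ch == "*":
            pieces.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(ch)
            i += 1
    pieces.append("".join(cur))
    return pieces


def _match(value, assertion):
    pieces = _pieces(assertion)
    if len(pieces) == 1:                               # no wildcard: exact match
        return value == pieces[0]
    first, *middle, last = pieces
    if not (value.startswith(first) and value.endswith(last)):
        return False
    pos, limit = len(first), len(value) - len(last)
    for piece in middle:
        idx = value.find(piece, pos, limit)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return pos <= limit


def evaluate(node, entry):
    kind = node[0]
    if kind == "&":
        return all(evaluate(child, entry) for child in node[1])
    if kind == "|":
        return any(evaluate(child, entry) for child in node[1])
    if kind == "!":
        return not evaluate(node[1][0], entry)
    _, attr, assertion = node
    return attr in entry and _match(entry[attr], assertion)


def search(filter_text):
    """Return the uid of every entry the filter matches (case-sensitive, a simplification)."""
    node = FilterParser(filter_text).parse()
    return [entry["uid"] for entry in DIRECTORY if evaluate(node, entry)]
```

With the vulnerable login filter, a password of `*` logs in as any user, and `*`/`*` enumerates the directory; with the vulnerable lookup filter, a mail value of `x)(ou=it` appends an OR branch and returns every IT entry. After escaping, the same inputs are literal values that match nothing, while a genuine login still works.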
Summary
• Access control is the process by which resources
or services are denied or granted
• Four major access control models exist
• Best practices for implementing access control
– Separation of duties
– Job rotation
– Least privilege
– Mandatory vacations
46
Summary (cont’d.)
• Access control lists define which subjects are
allowed to access which objects
– Specify which operations they may perform
• Group Policy is a Windows feature that provides
centralized management and configuration
• Authentication services can be provided on a
network by a dedicated AAA or authentication
server
– RADIUS is the industry standard
47
