Access Control Systems & Methodology
CISSP
Topics to be covered
Overview
Tokens/SSO
Access control
Kerberos
implementation
Attacks/Vulnerabilities/Monitoring
Types of access control IDS
Object reuse
MAC & DAC
TEMPEST
Orange Book
RAS access control
Authentication
Penetration Testing
Passwords
Biometrics
What is access control?
Access control is the traditional center of
security
Definitions:
The ability to allow only authorized users, programs or
processes system or resource access
The granting or denying, according to a particular security
model, of certain permissions to access a resource
An entire set of procedures performed by hardware,
software and administrators, to monitor access, identify
users requesting access, record access attempts, and grant
or deny access based on pre-established rules.
Access control nomenclature
Identification - Process through which one ascertains the identity of another person or entity (a claimed identity, e.g. a username)
Authentication - Process through which one proves and verifies certain information (that the claimed identity is genuine)
Confidentiality - Protection of private data from unauthorized viewing
Integrity - Data is not corrupted or modified in any unauthorized manner
Availability - System is usable. Contrast with Denial of Service (DoS)
How can AC be implemented?
Hardware
Software
Application
Protocol (Kerberos, IPSec)
Physical
Logical (policies)
Why does access control not work?
?
?
What does AC hope to protect?
Data - Unauthorized viewing, modification or
copying
System - Unauthorized use, modification or
denial of service
It should be noted that nearly every network operating system assumes a secure physical infrastructure
The easiest way to protect data is not to have it on the system. Make it someone else's problem.
Proactive access control
Awareness training
Background checks
Separation of duties
Split knowledge
Policies
Data classification
Effective user registration
Termination procedures
Change control procedures
Physical access control
Guards
Locks
Mantraps
ID badges
Digital cameras, sensors, alarms
Biometrics
Fences - the higher the voltage the better
Card-key and tokens
Guard dogs
AC & privacy issues
Expectation of privacy
Policies
Monitoring activity, Internet usage, email
Login banners should detail
expectations of privacy and state levels
of monitoring
HIPAA
Varied types of Access Control
Discretionary (DAC)
Mandatory (MAC)
Lattice/Role/Task
Formal models:
Biba
Take/Grant
Clark/Wilson
Bell/LaPadula - used set theory to define the concept of a secure state, the modes of access, and the rules for granting access
Not real useful, but part of the test!
Problems with formal models
Based on a static infrastructure
Defined and succinct policies
These do not work in corporate systems which are
extremely dynamic and constantly changing
None of the previous models deals with:
Viruses/active content
Trojan horses
firewalls
Limited documentation on how to build these systems
Last Generation
MAC vs. DAC
Discretionary Access Control
You decide how you want to protect and share your data
Mandatory Access Control
The system decides how the data will be shared
Mandatory Access Control
Assigns sensitivity levels, e.g., Secret, Confidential (AKA labels)
Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level
Only administrators, not object owners, may change an object's level
Generally more secure than DAC
Orange Book B-level
Used in systems where security is critical, i.e., military
Mandatory Access Control (Continued)
Performance penalty
Relies on the system to control access
Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file (no "write down")
All output, i.e., print jobs, floppies, other magnetic media, must be labeled with its sensitivity level
Discretionary Access Control
Access is restricted based on the authorization granted to the user
Orange Book C-level
Primary use is to separate users and protect them from unauthorized data
Used by Unix and Windows
Relies on the object owner to control access
Access control lists (ACL)
A list kept by the access control system to determine who may access what programs and files, by what method and at what time
Different operating systems have different ACL terms
Types of access:
Read/Write/Create/Execute/Modify/Delete/Rename
Standard UNIX file permissions
Permission    Allowed action if object is a file    Allowed action if object is a directory
R (read)      Read contents of the file             List contents of the directory
W (write)     Change file contents                  Add, rename, create files and subdirectories
X (execute)   Execute file as a program             Search the directory
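The table is easy to misread in one respect: UNIX picks exactly one of the owner, group or other triplets for the requesting user and ignores the rest, so an owner can be locked out of a file that everyone else can read. The following added example (not from the slides; the function names and the uid/gid values are constructed) implements that DAC check on the nine mode bits, with the directory meanings from the table and the common "create a file in a directory" case that needs both W and X on the directory.

```python
# Added example, not from the slides: the classic UNIX DAC check on the
# nine mode bits, including the directory meanings from the table above.
import stat

# Permission bit for each operation, by object type. The bit is the same;
# only its meaning differs for directories.
_OPS_FILE = {"read": 4, "write": 2, "execute": 1}
_OPS_DIR = {"list": 4, "add": 2, "search": 1}


def class_bits(mode: int, owner_uid: int, owner_gid: int, uid: int, gids: set) -> int:
    """Pick the one permission triplet that applies to this subject.

    UNIX does not union the classes: if you are the owner, only the owner
    bits count, even when the group or other bits are more generous.
    """
    if uid == owner_uid:
        return (mode >> 6) & 0o7
    if owner_gid in gids:
        return (mode >> 3) & 0o7
    return mode & 0o7


def unix_allows(mode: int, owner_uid: int, owner_gid: int,
                uid: int, gids: set, op: str) -> bool:
    """Return True if uid (member of gids) may perform op on the object."""
    is_dir = stat.S_ISDIR(mode)
    ops = _OPS_DIR if is_dir else _OPS_FILE
    if op not in ops:
        kind = "directory" if is_dir else "file"
        raise ValueError(f"{op!r} is not a valid operation on a {kind}")
    bit = ops[op]
    if uid == 0:
        # root bypasses DAC, except that executing a file still needs some x bit set
        return bit != 1 or is_dir or (mode & 0o111) != 0
    return bool(class_bits(mode, owner_uid, owner_gid, uid, gids) & bit)


def can_create_file_in(dir_mode: int, owner_uid: int, owner_gid: int,
                       uid: int, gids: set) -> bool:
    """Creating dir/newfile needs both write (add) and execute (search) on dir."""
    return (unix_allows(dir_mode, owner_uid, owner_gid, uid, gids, "add")
            and unix_allows(dir_mode, owner_uid, owner_gid, uid, gids, "search"))


if __name__ == "__main__":
    # Constructed objects: a -rw-r----- file and a drwxr-x--- directory,
    # both owned by uid 1000 / gid 100.
    f = stat.S_IFREG | 0o640
    d = stat.S_IFDIR | 0o750
    print("group member can read file:", unix_allows(f, 1000, 100, 2000, {100}, "read"))
    print("group member can write file:", unix_allows(f, 1000, 100, 2000, {100}, "write"))
    print("group member can create in dir:", can_create_file_in(d, 1000, 100, 2000, {100}))
    # ----rwx---: the owner is denied even though the group is not
    print("owner of 0o070 file can read:", unix_allows(stat.S_IFREG | 0o070, 1000, 100, 1000, {100}, "read"))
```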
Standard Sharing - Changing
Orange Book
DoD Trusted Computer System Evaluation
Criteria, DoD 5200.28-STD, 1983
Provides the information needed to classify
systems (A,B,C,D), defining the degree of
trust that may be placed in them
For stand-alone systems only
Orange Book levels
A - Verified protection
A1: Boeing SNS, Honeywell SCOMP
B - MAC
B1/B2/B3: MVS w/ RACF, ACF2 or TopSecret; Trusted IRIX
C - DAC
C1/C2: DEC VMS, NT, NetWare, Trusted Solaris
D - Minimal security. Systems that have been evaluated, but failed
Problems with the Orange Book
Based on an old model, Bell-LaPadula
Stand-alone systems only (network extensions exist; see the Red Book)
Evaluations take a long time
Certification is expensive
For the most part, not used outside of the government sector
Red Book
Used to extend the Orange Book to networks
Actually two works:
Trusted Network Interpretation of the TCSEC
(NCSC-TG-005)
Trusted Network Interpretation Environments
Guideline: Guidance for Applying the Trusted
Network Interpretation (NCSC-TG-011)
Authentication
3 types (factors) of authentication:
Something you know - Password, PIN, mother's maiden name, passcode, fraternity chant
Something you have - ATM card, smart card, token, key, ID badge, driver license, passport
Something you are - Fingerprint, voice scan, iris scan, retina scan, body odor, DNA
CIA triad: Confidentiality, Integrity, Availability
Multi-factor authentication
2-factor authentication. To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication:
ATM card + PIN (have + know)
Credit card + signature (have + are)
PIN + fingerprint (know + are)
Username + Password (NetWare, Unix, NT default) is only single-factor: the username identifies, and the password is the one "something you know"
3-factor authentication -- for higher security, one factor of each type:
PIN + SecurID token + fingerprint
Username + Passcode + SecurID token and Username + Password + Fingerprint are still two-factor (the SecurID passcode is the PIN plus the token code; the username is not a factor)
Problems with passwords
Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
Easily broken - Programs such as Crack, SmartPass, PWDUMP, NTCrack & L0phtCrack can quickly recover Unix, NetWare & NT passwords from their hashes (nothing is decrypted: candidate passwords are hashed and compared)
Dictionary attacks are only feasible because users choose easily guessed passwords!
Inconvenient - In an attempt to improve security, organizations often issue users computer-generated passwords that are difficult, if not impossible, to remember
Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
Classic password rules
The best passwords are those that are both easy to remember and hard to crack using a dictionary attack.
Don't use:
common names, DOB, spouse, phone #, etc.
words found in dictionaries
"password" as a password
system defaults
Those trying to break passwords have most password rules in their tool kit as mangling rules!
Password management
Configure the system to require strong passwords
Set password age and length limits
Limit unsuccessful logins
Limit concurrent connections
Enable auditing
Have policies for password resets and changes
Show the last login date at login
Password Attacks
See if it is “password”
Brute force
Dictionary
l0phtcrack
Crack
John the Ripper
Trojan horse login program
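The slides' point that crackers carry the "password rules" as mangling rules is easiest to see by running one. The following is an added example, not from the slides or from any of the tools named above: a dictionary attack with a handful of mangling rules against a constructed shadow file. The salted SHA-256 verifier, the fixed salts, the three accounts and the five-word list are all constructed for the demonstration; real crackers apply the same loop with far larger word lists and rule sets against crypt, LM/NTLM or NetWare hashes.

```python
# Added example, not from the slides: a dictionary attack with simple
# mangling rules against a constructed shadow file of salted SHA-256 hashes.
import hashlib


def hash_password(password: str, salt: bytes) -> str:
    """Constructed verifier: salted SHA-256 stands in for crypt/NTLM here."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def mangle(word: str):
    """Yield the predictable variations people apply to a base word:
    case changes, leet substitutions and common suffixes."""
    leet = word.translate(str.maketrans("aeios", "@3105"))
    bases = {word, word.capitalize(), word.upper(), leet, leet.capitalize()}
    for base in sorted(bases):
        yield base
        for suffix in ("1", "12", "123", "!", "2004"):
            yield base + suffix


def dictionary_attack(shadow: dict, wordlist: list) -> dict:
    """Return {user: plaintext} for every hash that falls to the word list.

    shadow maps user -> (salt, hex digest), as a stolen password file would.
    Each candidate is hashed with the victim's salt and compared; the hash
    itself is never reversed.
    """
    cracked = {}
    for user, (salt, digest) in shadow.items():
        for word in wordlist:
            hit = next((c for c in mangle(word) if hash_password(c, salt) == digest), None)
            if hit is not None:
                cracked[user] = hit
                break
    return cracked


# Constructed shadow entries with fixed salts so the run is reproducible.
SHADOW = {
    "alice": (b"\x01\x02\x03\x04", hash_password("fluffy1", b"\x01\x02\x03\x04")),      # pet + digit
    "bob":   (b"\x05\x06\x07\x08", hash_password("Password123", b"\x05\x06\x07\x08")),  # "rules" applied
    "carol": (b"\x09\x0a\x0b\x0c", hash_password("Xq7#pL9vRz", b"\x09\x0a\x0b\x0c")),   # random
}
WORDLIST = ["admin", "fluffy", "password", "rover", "secret"]   # constructed word list


def demo() -> dict:
    return dictionary_attack(SHADOW, WORDLIST)


if __name__ == "__main__":
    for user, plaintext in demo().items():
        print(f"cracked {user}: {plaintext!r}")
    print("not cracked:", sorted(set(SHADOW) - set(demo())))
```

Bob's password satisfies the usual "upper case plus digits" rule and still falls, because the rule is in the mangler; Carol's survives only because it has no base word for the list to find.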
Biometrics
Authenticating a user via human
characteristics
Using measurable physical characteristics of a
person to prove their identification
Fingerprint
signature dynamics
Iris
retina
voice
face
DNA, blood
Advantages of hand / fingerprint-based biometrics
Can't be lent like a physical key or token and can't be forgotten like a password
Good compromise between ease of use, template size, cost and accuracy
Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
Basically lasts forever -- or at least until amputation or dismemberment
Makes network login & authentication effortless
Biometric disadvantages
Still relatively expensive per user
Cost is going down!
Companies & products are often new & immature
Some hesitancy in user acceptance
After 9/11, some interest in use for airport security
Biometric privacy issues
Tracking and surveillance - Ultimately, the ability to
track a person's movement from hour to hour
Anonymity - Biometric links to databases could
dissolve much of our anonymity when we travel and
access services
Profiling - Compilation of transaction data about a
particular person that creates a picture of that
person's travels, preferences, affiliations or beliefs
U.S. Airports Now Fingerprint Foreigners
Foreigners arriving at U.S. airports were photographed and had their fingerprints scanned Monday in the start of a government effort to use some of the latest surveillance technology to keep terrorists out of the country.
Practical biometrics
Network access control
Staff time and attendance tracking
Authorizing financial transactions
Government benefits distribution (Social Security, welfare, etc.)
Verifying identities at point of sale
Use in conjunction with ATM, credit or smart cards
Controlling physical access to office buildings or homes
Protecting personal property
Preventing kidnapping in schools, play areas, etc.
Protecting children from fatal gun accidents
Voting/passports/visas & immigration
Tokens
Used to facilitate one-time passwords
Physical card
SecurID
S/Key
Smart card
Access token
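S/Key is the one entry in the list above that is pure protocol rather than hardware, and it shows why a one-time password defeats the sniffing and replay attacks that plague static passwords. The following is an added example, not code from the slides or from the S/Key implementation: the Lamport hash chain that S/Key is built on, with a server that stores only the current chain value and a client that works down the chain. SHA-256, the seed, the secret and the class names are this example's choices (the original S/Key used MD4/MD5 truncated to 64 bits).

```python
# Added example, not from the slides: the S/Key one-time password scheme
# (a Lamport hash chain). SHA-256 and the names are this example's choices.
import hashlib


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def chain(secret: bytes, seed: bytes, i: int) -> bytes:
    """h^i(secret || seed): the hash applied i times. h^0 is the raw secret+seed."""
    value = secret + seed
    for _ in range(i):
        value = h(value)
    return value


class SKeyServer:
    """Holds only the current verifier h^n; it never learns the secret."""

    def __init__(self, verifier: bytes, n: int):
        self.verifier = verifier
        self.counter = n   # index of the stored verifier; next OTP must be h^(n-1)

    def login(self, otp: bytes) -> bool:
        if self.counter <= 1:
            return False   # chain exhausted: re-enrol with a fresh seed
        if h(otp) != self.verifier:
            return False   # wrong secret, or a replayed/old OTP (h(old) != current)
        self.verifier = otp   # the accepted OTP becomes the next verifier
        self.counter -= 1
        return True


class SKeyClient:
    """Recomputes the chain from the secret each time; nothing is stored but the index."""

    def __init__(self, secret: bytes, seed: bytes, n: int):
        self.secret, self.seed, self.next_index = secret, seed, n - 1

    def next_otp(self) -> bytes:
        otp = chain(self.secret, self.seed, self.next_index)
        self.next_index -= 1
        return otp


def demo() -> list:
    """Enrol, log in twice, and show that a sniffed OTP is useless afterwards."""
    secret, seed, n = b"correct horse battery", b"ex12345", 5   # constructed values
    server = SKeyServer(chain(secret, seed, n), n)   # enrolment: client hands over h^n only
    client = SKeyClient(secret, seed, n)
    first = client.next_otp()                         # h^4
    results = [
        server.login(first),              # True: h(h^4) == h^5
        server.login(first),              # False: replay, server now expects h^3
        server.login(client.next_otp()),  # True: h^3
    ]
    # An eavesdropper who captured h^4 can only compute h^5, h^6, ... (up the
    # chain), never h^2, which is what the server wants next.
    results.append(server.login(h(first)))            # False
    return results


if __name__ == "__main__":
    print(demo())   # [True, False, True, False]
```

The server's state after each login is the OTP it just accepted, so a stolen server database yields nothing that can be played against it; the cost is that the client must count down and the chain must be re-seeded before it runs out.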
Single sign-on
User has one password for all enterprise systems and applications
That way, one strong password can be remembered and used
All of a user's accounts can be quickly created on hire and deleted on dismissal
Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509
Kerberos
Part of MIT's Project Athena
Currently in version 5
Kerberos is an authentication protocol used for network-wide authentication
All participating software must be kerberized
Tickets, authenticators, key distribution center (KDC)
Divided into realms
Kerberos is the three-headed dog that guards the entrance to Hades (this won't be on the test)
Attacks
Passive attack - Monitor network traffic and then use the data obtained, or perform a replay attack. Hard to detect.
Active attack - Attacker is actively trying to break in:
Exploit system vulnerabilities
Spoofing
Crypto attacks
Denial of service (DoS) - Not so much an attempt to gain access, rather to prevent system operation:
Smurf, SYN flood, Ping of death
Mail bombs
Vulnerabilities
Follow the Money!
Physical
Natural - Floods, earthquakes, terrorists, power outage, lightning
Hardware/Software
Media - Corrupt electronic media, stolen disk drives
Emanation
Communications
Human - Social engineering, disgruntled staff
Monitoring
IDS
Logs
Audit trails
Network tools
Tivoli
Spectrum
OpenView
Intrusion Detection Systems
IDS monitors a system or network for attacks
IDS engine has a library and set of signatures that identify an attack
Adds defense in depth
Should be used in conjunction with a system scanner
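The "library of signatures" is only half of what a useful IDS does; the other half is counting, since a single failed login is noise and twenty in a minute is an attack. The following is an added example, not from the slides or from any IDS product: a small detection pass over constructed sshd log lines that applies both a signature match and a sliding-window threshold for password guessing. The log lines, hostnames, addresses, the two signatures and the threshold of 5 failures per 60 seconds are all constructed for the demonstration.

```python
# Added example, not from the slides: a tiny host-based IDS pass over
# constructed sshd log lines. Two detections: signature matches (the kind an
# IDS engine keeps in its library) and a threshold rule for password guessing.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

# Signature library (constructed): name -> pattern matched against the message.
SIGNATURES = {
    "root-password-guess": re.compile(r"Failed password for root from"),
    "invalid-user-probe": re.compile(r"Invalid user \S+ from"),
}


def parse(line: str):
    """Split a syslog line into (timestamp, message); None for lines we do not understand."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["msg"]


def detect(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> list:
    """Return (rule, timestamp, detail) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # source address -> timestamps of recent failures
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue                # malformed input must not crash the sensor
        ts, msg = parsed
        for name, pattern in SIGNATURES.items():
            if pattern.search(msg):
                alerts.append((name, ts, msg))
        fm = FAILED_RE.search(msg)
        if fm:
            recent = failures[fm["src"]]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()    # slide the window forward
            if len(recent) == threshold:   # fire once, when the threshold is crossed
                alerts.append(("password-guessing", ts,
                               f"{threshold} failures from {fm['src']} within {window}"))
    return alerts


# Constructed log lines: one attacker at 203.0.113.7, one legitimate fat-finger.
LOG = [
    "Mar 04 10:00:01 bastion sshd[2211]: Accepted publickey for deploy from 198.51.100.9 port 50122 ssh2",
    "Mar 04 10:00:05 bastion sshd[2214]: Failed password for root from 203.0.113.7 port 40001 ssh2",
    "Mar 04 10:00:07 bastion sshd[2215]: Invalid user oracle from 203.0.113.7 port 40002",
    "Mar 04 10:00:07 bastion sshd[2215]: Failed password for invalid user oracle from 203.0.113.7 port 40002 ssh2",
    "Mar 04 10:00:09 bastion sshd[2216]: Failed password for admin from 203.0.113.7 port 40003 ssh2",
    "Mar 04 10:00:11 bastion sshd[2217]: Failed password for admin from 203.0.113.7 port 40004 ssh2",
    "Mar 04 10:00:13 bastion sshd[2218]: Failed password for guest from 203.0.113.7 port 40005 ssh2",
    "Mar 04 10:00:20 bastion sshd[2219]: Failed password for deploy from 198.51.100.9 port 50123 ssh2",
    "this line is not syslog at all",
]


def demo() -> list:
    return detect(LOG)


if __name__ == "__main__":
    for rule, ts, detail in demo():
        print(f"{ts:%H:%M:%S} {rule}: {detail}")
```

The single failure from 198.51.100.9 never reaches the threshold and produces nothing, which is the point of counting rather than alerting on every "Failed password" line.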
Object reuse
Not much of an issue with write-once compact discs; it matters for tapes, floppies and read/write CDs
Sample rules:
Must ensure that magnetic media has no remanence of previous data
Also applies to buffers, cache and other memory allocation
Recently declassified documents describe how data was recovered even after 10-pass overwrites
Objects must be declassified
Magnetic media must be degaussed or securely overwritten
TEMPEST - DoD
Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriately sophisticated equipment, data can be read from a few hundred yards away.
TEMPEST-certified equipment, which encases the hardware in a tight metal enclosure, shields the electromagnetic emanations
WANG Federal is the leading provider of TEMPEST hardware
TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
Rooms & buildings can be TEMPEST-certified
The TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents
Banners
Mostly to protect the provider; no one reads them
Some reasons:
Banners display at login or connection, stating that the system is for the exclusive use of authorized users and that their activity may be monitored
Not foolproof, but a good start, especially from a legal perspective
Make sure that the banner does not reveal system information, e.g., OS, version, hardware, etc.
Penetration Testing
Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies:
Discovery and footprint analysis
Exploitation
Physical security assessment
Social engineering
Attempts to identify vulnerabilities and gain access to critical systems within the organization
Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
Assessments allow the client to demonstrate the need for additional security resources by translating existing vulnerabilities into real-life business risks
Rule of least privilege
One of the most fundamental principles of infosec
States that: Any subject (user, administrator, program, system) should have only the least privileges it needs to perform its assigned task, and no more.
An AC system that grants users only those rights necessary for them to perform their work
Limits exposure to attacks and the damage an attack can cause
Physical security example: car ignition key vs. door key
Implementing least privilege
Ensure that only a minimal set of users have full system access.
Don't run insecure programs on the firewall or other trusted hosts.
Lots more!