02_AccessControl


  • 7/30/2019 02_AccessControl


    Concept

    Access control covers the security control processes and procedures through which access to objects is granted or denied based on predefined policies or rules.


    Access control object-subject-system


    Goals of access control

    Granting access: identification, authentication, authorization

    Ensuring security: confidentiality, integrity, availability, accountability


    Granting access


    Types of authentication

    Something the user knows: memorized information such as passwords, PINs, special facts

    Something the user physically possesses: smart cards, keys

    Biometric information: fingerprints, signature, voice


    Single sign-on: Kerberos


    Single sign-on: Kerberos


    Remote access authentication

    TACACS: Terminal Access Controller Access Control System

    RADIUS: Remote Authentication Dial-In User Service


    Password administration

    Password selection: length, allowed characters, no basic personal information, no default passwords

    Password management: password reset, password expiry, limit on the number of login retries

    Password auditing: audit logs


    Access control models

    Discretionary access control: based on the object being accessed.

    Mandatory access control: based on the sensitivity level of the resource.

    Non-discretionary access control: access control by role (role-based).


    Discretionary access control

    Each accessed object is assigned a certain set of permissions. The user or application that owns the object can assign permissions at its own discretion.

    The main goal is to prevent unauthorized access.

    Widely used on common operating systems (UNIX, Windows).


    Discretionary access control

    Uses access lists for objects:


    i khi t th i


    Role-based access control


    Standard models

    Bell-LaPadula model:

    Focuses on confidentiality. Based on 2 rules:

    An entity with a lower security level cannot read an entity with a higher security level (no read-up)

    An entity with a higher security level cannot write to an entity with a lower security level (no write-down)
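
The two Bell-LaPadula rules above as a small policy check, added here as an example that is not part of the original slides. It goes one step beyond the slide by chaining permitted reads and writes to show that data cannot reach a lower level when both rules hold, but can when only reads are checked. The level names, users and files are constructed for illustration.

```python
from enum import IntEnum
from itertools import product

class Level(IntEnum):
    # Constructed labels for illustration; the slides name no specific levels.
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2

def blp_allows(subject: Level, obj: Level, action: str) -> bool:
    """Bell-LaPadula decision for one request; anything else is denied."""
    if action == "read":
        return subject >= obj   # no read-up
    if action == "write":
        return subject <= obj   # no write-down
    return False

def no_read_up_only(subject: Level, obj: Level, action: str) -> bool:
    """Weaker policy for contrast: checks reads but lets any subject write anywhere."""
    return action == "write" or (action == "read" and subject >= obj)

def downward_leaks(subjects, objects, allows):
    """Return (src, dst) object pairs where data can end up at a lower level.

    A direct flow src -> dst exists when one subject may read src and write dst;
    flows are then chained through intermediate objects (transitive closure).
    """
    reach = {(a, b) for s, a, b in product(subjects, objects, objects)
             if a != b
             and allows(subjects[s], objects[a], "read")
             and allows(subjects[s], objects[b], "write")}
    while True:
        new = {(a, d) for (a, b) in reach for (c, d) in reach
               if b == c and a != d} - reach
        if not new:
            break
        reach |= new
    return sorted(p for p in reach if objects[p[0]] > objects[p[1]])

# Constructed sample data (hypothetical users and files).
SUBJECTS = {"alice": Level.SECRET, "bob": Level.PUBLIC}
OBJECTS = {"plan.doc": Level.SECRET, "memo.txt": Level.CONFIDENTIAL,
           "notice.txt": Level.PUBLIC}

if __name__ == "__main__":
    print("read checks only:", downward_leaks(SUBJECTS, OBJECTS, no_read_up_only))
    print("Bell-LaPadula:   ", downward_leaks(SUBJECTS, OBJECTS, blp_allows))
```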


    Standard models

    Clark-Wilson model:

    Also focuses on integrity, but uses a different approach. It has 5 components:

    Users

    Transformation procedures: TP

    Constrained Data Items: CDI

    Unconstrained Data Items: UDI

    Integrity Verification Procedures: IVP


    Standard models

    Clark-Wilson model:


    Access control management

    Account management

    Determining access rights

    Managing the objects being accessed

    Data management


    Account management

    Managing user accounts, system accounts and service accounts

    Comprises 3 activities:

    Creation

    Maintenance

    Removal


    Account management


    Object management

    Managing storage devices

    Ensuring data is classified correctly (MAC model)

    Ensuring deleted objects cannot be recovered


    Attacks on access control

    Password dictionary attack -> do not use familiar words

    Brute-force password attack -> use long passwords

    Denial-of-service attack -> block the addresses that send attack packets

    Spoofing attacks: IP spoofing, session hijacking, ARP spoofing


    Attacks on access control

    Man-in-the-middle attack (MITM):


    Attacks on access control

    Eavesdropping attack (sniffer): uses software that captures packets on the network.

    Uses the promiscuous mode of the network interface.

    Uses the technique of altering the switch's MAC table.

    Can also be used for network monitoring