02_AccessControl
Transcript of 02_AccessControl
-
7/30/2019 02_AccessControl
1/33
Concept
Access control: the set of security-control procedures and processes through which access to objects is granted or denied based on predefined policies or rules.
Access control: object, subject and system
Objectives of access control
Granting access: identification, authentication, authorization
Ensuring security: confidentiality, integrity, availability, accountability
Granting access
Types of authentication
Something the user knows: memorized information such as passwords, PINs, special facts
Something the user physically possesses: smart cards, keys
Biometric information: fingerprints, signatures, voice
Single sign-on: Kerberos
Remote access authentication
TACACS: Terminal Access Controller Access Control System
RADIUS: Remote Authentication Dial-In User Service
Password administration
Password selection: length, permitted characters, no basic (easily known) information, no default passwords
Password management: password reset, password expiry, limit on the number of failed login attempts
Password monitoring: audit logs
Access control models
Discretionary access control: based on the objects being accessed.
Mandatory access control: based on the sensitivity level of the resource.
Non-discretionary access control: access control by role (role-based).
Discretionary access control
Each accessed object is assigned a certain set of rights. The user or application that owns the accessed object may assign rights at its own discretion.
The main goal is to prevent unauthorized access. Widely used in common operating systems (UNIX, Windows).
Discretionary access control
Uses access lists (ACLs) for objects:
Role-based access control
Standard models
Bell-LaPadula model:
Focuses on confidentiality. Based on 2 rules:
A subject with a lower security level cannot read an object with a higher security level (no read-up)
A subject with a higher security level cannot write to an object with a lower security level (no write-down)
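The two Bell-LaPadula rules above, as an added example that is not part of the slides: a minimal reference-monitor check that answers read/write requests and gives a reason for the audit log. It goes slightly beyond the slide by labelling data with compartments as well as a level (the lattice form of the model); the level names, compartment names and labels are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed ordering of sensitivity levels (names are assumptions, not from the slides)
LEVELS = {"public": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a sensitivity level plus an optional set of compartments."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other: "Label") -> bool:
        # Lattice order: level at least as high AND every compartment of `other` present
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property (no read-up): the reader's clearance must dominate the object."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property (no write-down): the object's label must dominate the writer's clearance."""
    return obj.dominates(subject)


def decide(subject: Label, obj: Label, op: str) -> tuple[bool, str]:
    """Reference-monitor style decision with a reason suitable for an audit log."""
    if op == "read":
        ok = can_read(subject, obj)
        return ok, "allow" if ok else "deny: no read-up"
    if op == "write":
        ok = can_write(subject, obj)
        return ok, "allow" if ok else "deny: no write-down"
    return False, f"deny: unknown operation {op!r}"


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"crypto"}))       # constructed subject clearance
    memo = Label("confidential")                            # lower level, no compartments
    plan = Label("top-secret", frozenset({"crypto"}))       # higher level, same compartment
    for obj, name in ((memo, "memo"), (plan, "plan")):
        for op in ("read", "write"):
            print(name, op, decide(analyst, obj, op))
```

Note that the *-property lets the secret-cleared subject write into the top-secret plan but not into the confidential memo, which is exactly what keeps confidential data from leaking downward.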
Standard models
Clark-Wilson model:
Also focuses on integrity, but uses a different approach. It has 5 components:
Users
Transformation Procedures (TP)
Constrained Data Items (CDI)
Unconstrained Data Items (UDI)
Integrity Verification Procedures (IVP)
Access control management
Account management
Determining access rights
Managing the accessed objects
Managing data
Account management
Managing user accounts, system accounts and service accounts. Comprises 3 activities:
Setup
Maintenance
Removal
Object management
Managing storage devices
Ensuring correct data classification (MAC model)
Ensuring deleted objects cannot be recovered
Access control attacks
Password dictionary attack -> do not use common words
Password brute-force attack -> use long passwords
Denial-of-service attack -> block the addresses sending attack packets
Spoofing attacks: IP spoofing, session hijacking, ARP spoofing
Access control attacks
Man-in-the-middle (MITM) attack:
Eavesdropping (sniffer) attack: uses packet-capture software on the network.
Uses the promiscuous mode of the network interface.
Uses techniques that alter the switch's MAC table.
Can also be used for network monitoring