CIST 1601 Information Security FundamentalsChapter 5 Access Control and Identity Management

Collected and CompiledBy JD WillardMCSE, MCSA, Network+, Microsoft IT Academy AdministratorComputer Information Systems TechnologyAlbany Technical College

Identification vs. AuthenticationAuthentication is the mechanism by which the unique identity is associated with a security principal (a specific user or service). Before authorization can occur, the identity of the account attempting to access a resource must first be determined. This process is known as authentication.

Authentication can be generally broken into three basic forms, depending on what is required to authorize access:

Something you knowSomething you haveSomething you are

The most well-known form of authentication is the use of a username and password combination to access controlled resources. Access is not possible without both parts required for account authentication, so a level of protection is provided. The shortcoming of any authentication system is that the keys used may be easily falsified and access rights may be granted to an unauthorized access attempt. Null or easily guessed passwords are one of the most widespread examples of the potential for this weakness.

Identification and Authentication (6:32)

Single-Factor Authentication (4:38)

Authentication (Single Factor) and Authorization

• The most basic form of Authentication is Single Factor Authentication• Most often implemented as a username/password combination• The logon process identifies to the operating system and the network that you are who you say you are• Using a login and password is single-factor authentication because it consists of only what you know. • A username and password are unique identifiers for a logon process.• Most operating systems use a user ID and password to accomplish identity during the logon process.• These values can be sent across the connection as plain text or can be encrypted.• The logon process identifies to the operating system, and possibly the network, that you are who you say

you are.• The operating system might establish privileges or permissions based on stored data about that particular ID.• Usernames and passwords can be intercepted and are the least secure.

Mutual AuthenticationWhenever two or more parties authenticate each other, this is known as mutual authentication.Mutual authentication checks the identity of both ends of the connection. It is often referred to as two-way authentication. A client may authenticate to a server, and a server authenticate to a client when there is a need to establish a secure session between the two and employ encryption. Mutual authentication ensures that the client is not unwittingly connecting and giving its credentials to a rogue server; which can then turn around and steal the data from the real server. Commonly, mutual authentication will be implemented when the data to be sent during the session is of a critical nature—such as financial or medical records.

Multifactor AuthenticationMultifactor authentication involves the use of two or more different forms of authentication. Any combination of authentication methods may be used in a multifactor solution. Different forms include:

What you know (logon, password, PIN)What you have (smartcard, keycard, SecureID number generator)What you are (biometrics)

A two-factor method can potentially increase the strength of authentication by combining authentication protocols such as the use of a smart card in conjunction with a password or smart card and biometrics for logon.

Multi-Factor Authentication (3:15)

Two-factor Authentication

Multifactor Authentication

Operational SecurityOperational security encompasses everything not related to design or physical security. Instead of focusing on the physical components where the data is stored, such as the server, the focus is now on the topology and connections. Issues include:

Daily operations of the networkConnections to other networksBackup and recovery plans

Operational security includes:

ComputersNetworks and communications systemsManagement of information

Operational security issues include:

Network access control (NAC)Authentication Security topologies

Network Access Control (NAC) Network Access Control (NAC) is an effective way to protect the network from malicious hosts. NAC secures the environment by examining the user’s machine and, based on the results, grant access accordingly. NAC provides:

Enforcement of security policyContainment of noncompliant usersMitigation of threats

The basic components of NAC products:Access requestor (AR); device that requests accessPolicy decision point (PDP); system that assigns a policy based on the assessmentPolicy enforcement point (PEP); device that enforces the policy.

SwitchFirewallRouter

Four ways NAC systems can be integrated into the network:Inline

out-of-bandswitch basedand host based

An out-of-band intervenes and performs an assessment as hosts come online, and then grants appropriate access. NAC business benefits include:

ComplianceBetter security postureOperational cost management

TokensSecurity tokens are similar to certificates. They contain the rights and access privileges of the token bearer as part of the token.

Many operating systems generate a token that is applied to every action taken on the computer system. If your token doesn’t grant you access to certain information, then either that information won’t be displayed or your access will be denied.

The authentication system creates a token every time a user connects or a session begins.

Authentication is established on each session and is valid only for that session.

At the completion of a session, the token is destroyed.

Security Token Authentication

Tokens

Potential Authentication and Access Problems

Transitive AccessA trusts B, and B trusts C, therefore A trusts C.In early OSs this process was often exploited. In current OSs, (i.e. Windows Server 2008) the problems with transitive access were solved by creating transitive trusts, which are a type of relationship than can exist between domains. When the trust relationship is transitive, the relationship flows through as described above. In Microsoft’s Active Directory, the default is that all domains in a forest trust each other with a two-way transitive trust relationship. This leaves open the possibility of a hacker acquiring more trust than they should by virtue of joining a domain.Client-Side AttacksAn attack that targets vulnerabilities in client applications that interact with a malicious server. A user accesses the trusted site (web, ftp, etc.), and unwittingly downloads the rogue code (thinking they are downloading something else). The rogue code then allows the miscreant to then install or execute programs on the affected machine remotely. The newly installed applications run with the privilege level of the individual who accessed the server.

Authentication Issues to ConsiderSetting authentication security, especially in supporting users, can become a high-maintenance activity for network administrators.

On one hand, you want people to be able to authenticate themselves easilyOn the other hand, you want to establish security that protects your company’s resources.

Be wary of popular names or current trends that make certain passwords predictable. Identity proofing is an organizational process that binds users to authentication methods. Identification proofing is invoked when a person claims they are the user, but cannot be authenticated—such as when they lose their password. They are typically asked to provide another value—such as mother’s maiden name— to prove their identity. Identity proofing gives the organization assurance that the user performing an authentication is the legitimate user.

Under no circumstance should the person proofing be allowed access immediately— instead their access information should be sent to their email account of record.

Identity proofing is the main component of authentication lifecycle management. Authenticators for identity proofing include smart cards, biometrics, and one-time password (OTP) devices.

Understanding Remote Access Using Point-to-Point Protocol

Point-to-Point Protocol PPP offers multiple protocol support including AppleTalk, IPX, and DECnet, and is widely used today as a transport protocol for dial-up connections.

PPP is a protocol for communicating between two points using a serial interface, provides service at layer 2 of the OSI model. PPP can handle both synchronous and asynchronous connections.

PPP provides no security. PPP is primarily intended for dial-up connections and should never be used for VPN connections.

PPP works with POTS, Integrated Services Digital Network (ISDN), and other faster connections such as T1.

PPP does not provide data security, but it does provide authentication using Challenge Handshake Authentication Protocol (CHAP). CHAP can be used to provide on-demand authentication within an ongoing data transmission.

A dial-up connection using PPP works well because it isn’t common for an attacker to tap a phone line. You should make sure all your PPP connections use secure channels, dedicated connections, or dial-up connections.

PPP using a single B channel on an ISDN connection. In the case of ISDN, PPP would normally use one 64Kbps B channel for transmission.

Tunneling protocols add a capability to the network:

The ability to create tunnels between networks that can be more secure, support additional protocols, and provide virtual paths between systems.

The three primary tunneling protocols are PPTP (Point-to-Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol) and L2F (Layer 2 Forwarding protocol).

Understanding Remote Access Working with Tunneling Protocols

Working with Tunneling ProtocolsPoint-to-Point Tunneling ProtocolPoint-to-Point Tunneling Protocol (PPTP) was created by Microsoft to work with the Point-to-Point (PPP) protocol to create a virtual Internet connection so that networks can use the Internet as their WAN link.

PPTP is known as a tunneling protocol because the PPTP protocol dials through the PPP connection, which results in a secure connection between client and server.

This connectivity method creates a virtual private network (VPN), allowing for private network security. In effect PPTP creates a secure WAN connection using dial-up access.

PPTP supports encapsulation in a single point-to-point environment. PPTP encapsulates and encrypts PPP packets. This makes PPTP a favorite low-end protocol for networks.

The negotiation between the two ends of a PPTP connection is done in the clear. Once the negotiation is performed, the channel is encrypted. A packet-capture device, such as a sniffer, that captures the negotiation process can potentially use that information to determine the connection type and information about how the tunnel works.

Layer 2 ForwardingL2F was created by Cisco as a method of creating tunnels primarily for dial-up connections. L2F is similar in capability to PPP and should not be used over WANs. L2F does provide authentication, but it does not provide encryption.

Layer 2 Tunneling ProtocolLayer Two Tunneling Protocol (L2TP) is an enhancement of PPTP that can be used between LANs and can also be used to create a VPN.

L2TP is primarily a point-to-point protocol.

Relatively recently, Microsoft and Cisco agreed to combine their respective tunneling protocols into one protocol: the Layer Two Tunneling Protocol (L2TP). L2TP is a hybrid of PPTP and L2F.

L2TP supports multiple network protocols and can be used in networks besides TCP/IP. L2TP works over IPX, SNA, and IP.

L2TP isn’t secure, and you should use IPSec with it to provide encryption of the data.

L2TP operates at the Data Link layer of the OSI model and uses UDP for sending packets as well as for maintaining the connection. L2TP uses UDP port number 1701.

Working with Tunneling Protocols

Secure ShellSecure Shell (SSH) is a type of tunneling protocol that allows access to remote systems in a secure manner.

SSH was originally designed for UNIX systems. SSH is a program that allows connections to be secured by encrypting the session between the client and the server. SSH also provides security equivalent programs such as Telnet, FTP, and many of the other communications-oriented programs under UNIX.

SSH transmits both authentication information and data securely during terminal connections with UNIX computers. SSH uses port 22. Internet Protocol SecurityIPSec (Internet Protocol Security) is not a tunneling protocol, but it is used in conjunction with tunneling protocols to provide network security. IPSec is oriented primarily toward LAN-to-LAN connections, rather than dial-up connections.

IPSec can be used to digitally sign headers and to encrypt and encapsulate packets. IPSec provides both authentication and encryption, and is regarded as one of the strongest security standards.

When the Authentication Header (AH) protocol is used, IPSec digitally signs packet headers, and when the Encapsulating Security Payload (ESP) is used, IPSec encrypts packets.

Working with Tunneling Protocols

IPSec can be used with many different protocols besides TCP/IP, and it has two modes of security:

Tunneling mode is used for VPNing over an unsecured public network. In Tunneling mode, packets are encapsulated within other packets and both the payload and message headers are encrypted. Two routers that require secure communications should use IPSec in tunnel mode to encrypt packets.Transport mode is used only when the data portion needs to be encrypted over owner-controlled networks like LAN. In Transport mode, only the payload is encrypted. When transport mode is used, packets are not encapsulated.

Working with Tunneling Protocols

Working with RADIUSRemote Authentication Dial-In User Service (RADIUS) is a mechanism that provides centralized remote user authentication, authorization, and accounting.

The centralized authentication, authorization, and accounting features of RADIUS allow central administration of all aspects of remote login. The accounting features allow administrators to track usage and network statistics by maintaining a central database.

A RADIUS server can be managed centrally, and the servers that allow access to a network can verify with a RADIUS server whether or not an incoming caller is authorized. In a large network with many connections, this allows a single server to perform all authentications.

A RADIUS server acts as either the authentication server or a proxy client that forwards client requests to other authentication servers. The initial network access server, which is usually a VPN server or dial-up server, acts as a RADIUS client by forwarding the VPN or dial-up client’s request to the RADIUS server. RADIUS is the protocol that carries the information between the VPN or dial-up client, the RADIUS client, and the RADIUS server.

RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted.

RADIUS uses UDP transport.

A RADIUS server communicating with an ISP to allow access to a remote user. Notice that the remote server is functioning as a client to the RADIUS server. This allows centralized administration of access rights.

RADIUS and TACACS (5:46)

TACACS/+ Terminal Access Controller Access Control System (TACACS) is a client/server-oriented environment, and it operates in a similar manner to RADIUS.

Extended TACACS (XTACACS) replaced the original and combined authentication and authorization with logging to enable auditing.

Although RADIUS performs in much the same manner, TACACS+ is used almost exclusively by Cisco. RADIUS is more of a generic standard used by many different companies. TACACS+ is gaining ground, however.

The most current method or level of TACACS is TACACS/+. TACACS/+ allows credentials to be accepted from multiple methods, including Kerberos.

TACACS+ provides authentication, authorization, and accounting (AAA).

TACACS relies on TCP over port 49.

VLAN ManagementA virtual local area network (VLAN) allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and thereby control access. VLANs enable you to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Networks can coexist on the same wiring and be unaware of each other. VLANs enable administrators to segment one broadcast domain into two or multiple domains, segmenting groups of users that have similar data sensitivity levels together and thereby increasing security. VLAN advantages include:

Reducing the scope of broadcastsImproving performance and manageabilityDecreased dependence on the physical topology

Switches are used to create VLANs.A router or other routing-type device would be needed to connect these VLANs. When a switch is compromised, the attacker could next compromise the VLANs created by the switch.

VLANs (1:55)

A typical segmented VLAN

VLAN Management

Lightweight Directory Access ProtocolLDAP is a standardized directory access protocol that uses TCP/IP and allows queries to be made of directories (specifically, a pared down X.500-based directory). This is the computer equivalent of a phone book.

If a directory service supports LDAP, you can query that directory with an LDAP client.

An LDAP directory is defined as a tree-like structure with entries, each of which consists of named attributes with values.

Services, such as repository and distribution of digital certificates, can be handled by external servers running the LDAP protocol.

LDAP servers are external repositories. Therefore, the primary concern is the availability of systems, and the secondary consideration involves maintaining the confidentiality and integrity of information stored on such systems.

LDAP, by default, uses TCP port 389.

Understanding Authentication ServicesLDAP

Directory structure showing unique identification of a user

LDAP (6:09)

KerberosKerberos uses a Key Distribution Center (KDC) to authenticate a principle.

Principals are the entities to which the KDC provides services. They may be users, applications, systems, or services.Session keys are symmetric keys used to encrypt and decrypt information that passed between the principals and KDC.

The Key Distribution Center (KDC) is the most important component in a Kerberos environment. It is responsible for managing all the secret keys, authenticating all users, and issuing tickets to valid users. The KDC provides a ticket to the network.

A ticket granting ticket (TGT) is the entity issued by the authentication service (AS) on the KDC to a principal.

The TGT proves principal identity throughout the communication process.Once this ticket is issued, it can be used to authenticate against other principles.

This occurs automatically when a request or service is performed by another principal.

Kerberos v5 includes support for a process known as mutual authentication, where both the identity of the client that is requesting authentication and the server that is providing authentication are verified.

Kerberos (9:57)

Kerberos Authentication ProcessKerberos

Single Sign-On InitiativesThe principle of single sign-on (SSO) is based on granting users access to all the systems, applications and resources they need, when they start a computer session. The SSO capability is usually provided by a directory service, with a digital certificate being used to authenticate the user. Once authenticated, the user is granted access to the appropriate systems and resources. To reduce user support and authentication complexity, an SSO capable of granting access to all services is desirable. SSO solutions may employ a central directory service like Microsoft’s Active Directory or Novell’s eDirectory service, or may sequester services behind a series of proxy applications as in the Service-Oriented Architecture approach. Single sign-on provides many advantages:

It is an efficient logon method because users only have to remember one password and only need to log on once. Resources are accessed faster because you do not need to log in for each resource access. It lowers security administration costs because only one account exists for each user. It lowers setup costs because only one account needs to be created for each user. It allows the use of stronger passwords.

Kerberos and Active Directory are two technologies that provide single sign-on authentication. Single sign-on addresses the problem of users having to remember multiple usernames and passwords to access different systems. Other technologies that provide single sign-on authentication are security domains, directory services, and thin clients.

AD validating a user

In this instance, the database application, e mail client, and printers all authenticate with ‑the same logon. Like Kerberos, this process requires all the applications that want to take advantage of AD to accept AD controls and directives. Access can be established through groups, and it can be enforced through group memberships.

Single Sign-on (3:25)

Access Control defines how users and systems communicate and in what manner.Implementation of access management is based on one of two models: centralized or decentralized.

Both the group-based and role-based methods of access control have a centralized database of accounts and roles or groups to which the accounts are assigned.

Decentralized security management is less secure but more scalable. Responsibilities are delegated and employees at different locations are made responsible for managing privileges within their administrative areas.

The three primary methods of access control are Mandatory (MAC), Discretionary (DAC), and Role-Based (RBAC). A fourth method, Rule-Based Access Control is gaining in popularity.

Each of these methods has advantages and disadvantages to the organization from a security perspective.

Understanding Access ControlAuthorization and Access Control (3:59)

Understanding Access ControlMandatory Access Control (MAC) MAC provides the strictest security mechanism. It assigns security labels to both subjects and objects.Labels are comprised of a classification and different categories.

Classification indicates the sensitivity level of the subject or object, such as secret or top-secret. Categories enforce need to know rules. Categories should be determined by the organization based on access control needs, such as human resources or accounting.

Under MAC, a file, printer, or computer would exist as an object. Objects are resources accessed by groups, users, or processes.A user or group would exist as a subject. Subjects access objects.

Access privileges to resources are assigned by administrators, are predefined based on the security policy, and can’t be changed by users. A privilege that is not expressly permitted is forbidden. Users cannot share resources dynamically.

This model is usually implemented in highly secure networks, such as military facilities.

The Discretionary Access Control model (DAC)

The Discretionary Access Control model (DAC) is used in small Microsoft workgroup networks where users commonly share folders with each other.

In the DAC model, the data owner\creator is responsible for granting other users access to resources, and determines the level of access that will be granted to those users, as well as limiting object access to certain days and certain times in the day.

The DAC model uses Access Control Lists (ACLs) to map a user's access permissions to a resource.An ACL is a security mechanism used to designate those users who can gain various types of access, such as read, write, and execute access, to resources on a network. An ACL provides security as granular as the file level.

In DAC, a subject’s rights should be suspended when he is on leave or vacation and should be terminated when he leaves the company.

Understanding Access Control

Role-Based Access Control (RBAC)

Role-Based Access Control (RBAC) allows specific people to be assigned to specific roles with specific privileges. RBAC uses the role to identify the users who have permissions to a resource, and may be implemented system wide. Users may be able to access information from any station in the network, based strictly on their role.

Access rights are first assigned to roles, and accounts are then assigned those roles.This type of access is used with groups for inheritance by group member account.If a person moves from one role to another, the access for the previous role will no longer be available.

Privileges would be limited to the role and wouldn’t be present during the employee’s normal job functions.

For example, a backup operator role would give anyone who occupied that role the ability to perform backups, including the security privileges that went along with it.

These privileges should reflect the organization's structure and responsibilities users have in the organization.

The RBAC mode is common in network administrative roles. Many systems offer a hybrid of DAC and RBAC. In some cases, the operating system might use DAC, whereas applications such as SQL Server use roles to determine access permission to data in tables and the database itself.

TS1

Understanding Access Control

Rule-Based Access Control

Rule-based access control uses the settings in pre-configured security policies to make all decisions. The rules defined usually include connection times and days. Access rights may vary by account, by time of day, or through other forms of conditional testing.

The most common form of rule-based access control involves testing against an access control list (ACL) that details systems and accounts with access rights and the limits of its access for the resource. This type of access control is used by remote access connections.

Understanding Access Control

Implementing Access Control Best PracticesSmart CardsA smart card is a type of badge or card that can be used for access control to multiple resources including buildings, parking lots, and computers. It contains information about your identity and access privileges. Smart Cards increase the security of the authentication process because it must be in your physical possession.

Smart cards are replacing magnetic cards, in many instances because they can store additional personal information and are harder to copy or counterfeit. Smart Cards often also require the use of a small password called a PIN; which further secures the smart card if lost by the true card holder.

Smart cards are difficult to counterfeit, but they’re easy to steal. Once a thief has a smart card, they have all the access the card allows. To prevent this, many organizations don’t put any identifying marks on their smart cards, making it harder for someone to utilize them. A password or PIN is required to activate many modern smart cards, and encryption is employed to protect the contents.

The reader is connected to the workstation and validates against the security system.

A whole system can become useless if the smart card is lost or stolen.

The Smart Card Authentication Process

Smart Cards

Implementing Access Control Best PracticesAccess Control ListsRouters and firewalls are your front line of defense against attacks being launched from outside the company network. Access control list (ACL) mechanisms are implemented in many routers, firewalls, and other network devices.You can configure and apply access control lists to the interfaces of routers to filter out unauthorized traffic. Through ACLs, you can design and change network security to counter specific security threats.ACLs can be configured on router interfaces for inbound and outbound packets. ACLs deployed on a router will improve network security by confining sensitive internal data traffic to computers on a specific subnet.An ACL can also be used to exclude a particular system, IP address, or user. The following can be configured in an ACL:

Source and/or destination IP addressSource and/or destination protocol numberSource and/or destination port number

The most essential operational aspects of network device hardening involve ensuring that your network devices run only necessary protocols, services, and access control lists.

Access Control Lists (1:57)

Implementing Access Control Best Practices

Trusted OS Common Criteria has designed the evaluation criteria into seven EALs:

1. EAL 1 - A user must be assured that the system will operate correctly, but threats to security are not viewed as serious. The other EAL levels promote higher levels of security.2. EAL 2 - Developers use good design practices but security is not a high priority.3. EAL 3 - Developers provide moderate levels of security.4. EAL 4 - Security configuration is based on good commercial development. This level is the common benchmark for commercial systems, including operating systems and products.5. EAL 5 - Security is implemented starting in early design. It provides high levels of security assurance.6. EAL 6 - Specialized security engineering provides high levels of assurance. This level will be highly secure from penetration attackers.7. EAL 7 - Extremely high levels of security are provided. This level requires extensive testing, measurement, and independent testing.

Trusted OS (3:31)

Implementing Access Control Best Practices

Secure Router ConfigurationTo securely configure the router, you must do the following:

Change the Default Password The password for the administrator is set before the router leaves the factory. Assume that every miscreant knows the default router passwords.Walk through the Advanced Settings Vary by router manufacturer but often include settings to block ping requests, perform MAC filtering, etc.Keep the Firmware Upgraded Router manufacturers often issue patches when problems are discovered.

The End