
IAS (Notes)

The document outlines security technologies focusing on access controls, firewalls, and VPNs, detailing various access control models and their functions. It discusses the importance of identification, authentication, authorization, and accountability (IAAA) in managing user access, as well as the role of firewalls in controlling network access and ensuring security. Additionally, it highlights the evolution of remote access solutions, particularly in response to the COVID-19 pandemic, emphasizing the need for a Zero Trust approach to security.

Uploaded by

Anton Vergara
Copyright: © All Rights Reserved

SECURITY TECHNOLOGY: ACCESS CONTROLS, FIREWALLS, AND VPNS

Access Controls - the method by which systems determine whether and how to admit a
user into a trusted area of the organization, that is, information systems, restricted areas
such as computer rooms, and the entire physical location.

Access control is achieved through a combination of policies, programs, and
technologies. To understand access controls, you must first understand that they are
focused on the permissions or privileges that a subject (user or system) has on an
object (resource), including if, when, and from where a subject may access an object
and especially how the subject may use that object.


Types of Access Controls


Discretionary Access Control (DAC)
●​ Users decide who can access their resources.

●​ Access rights are at the discretion of the data owner.

Nondiscretionary Access Control (NDAC)


●​ Access rights are determined by a central authority, not by the user.

●​ Types include:

o​ Lattice-Based Access Control (LBAC)

o​ Role-Based Access Control (RBAC)

o​ Task-Based Access Control (TBAC)

o​ Mandatory Access Control (MAC)

o​ Attribute-Based Access Control (ABAC)

Nondiscretionary Access Control Models


Lattice-Based Access Control (LBAC)
●​ Based on security labels/classifications (e.g., Confidential, Secret).

●​ Uses a lattice structure to define access permissions.

Role-Based Access Control (RBAC)


●​ Access is based on user roles.

●​ Roles are assigned specific permissions.

●​ Users inherit permissions based on assigned roles.

Task-Based Access Control (TBAC)


●​ Access is granted dynamically based on tasks assigned to a user.

●​ Common in workflow systems and project management.

Mandatory Access Control (MAC)


●​ Enforces strict access rules based on clearance and data classification.

●​ Users cannot change access permissions.

●​ Common in government/military systems.

Attribute-Based Access Control (ABAC)


●​ Access is determined by evaluating attributes (e.g., role, department, time).

●​ Flexible and context-aware.

●​ Recommended by NIST for modern environments.

IAAA - Four Core Access Control Functions


1.​ Identification – Declaring your identity (e.g., username).

2.​ Authentication – Proving your identity (e.g., password, biometric).

3.​ Authorization – Determining what you are allowed to access.

4.​ Accountability – Logging user actions for audit and tracking.

Identification
●​ Unique identification of users in a system.

●​ Links actions to individuals.

Authentication
●​ Verifies the identity of a user.

●​ Three types of authentication factors:

o​ Something you know (password)

o​ Something you have (ID card, OTP token)

o​ Something you are (biometric)

Authorization
●​ Determines access privileges after authentication.

●​ Based on Access Control Lists (ACLs), access matrices, or roles.

Accountability
●​ Ensures actions can be traced to users.

●​ Uses logs, audit trails, and monitoring systems.

Biometrics
●​ Uses physical or behavioral traits for authentication.

●​ Common types: fingerprint, retina, iris, facial recognition.

●​ Effectiveness metrics:

o​ False Rejection Rate (FRR)

o​ False Acceptance Rate (FAR)

o​ Crossover Error Rate (CER)

Access Control Models


Trusted Computing Base (TCB)
●​ Hardware and software enforcing system security.
●​ Key component: Reference Monitor

o​ Must be tamper-proof, always invoked, and verifiable.

●​ Covert Channels can leak data (e.g., via timing or storage).

Security Evaluation Models


TCSEC (Orange Book)
●​ U.S. DoD standard for evaluating computer security.

●​ Emphasizes confidentiality.

ITSEC
●​ European standard.

●​ Evaluates overall security and assurance levels (E1–E6).

Common Criteria (CC)


●​ International standard combining TCSEC and ITSEC.

●​ Components:

o​ Target of Evaluation (ToE)

o​ Protection Profile (PP)

o​ Security Target (ST)

o​ Security Functional Requirements (SFR)

o​ Evaluation Assurance Levels (EAL1–EAL7)

Security Models
Bell-LaPadula (Confidentiality)
●​ No Read Up (NRU), No Write Down (NWD)

Biba (Integrity)
●​ No Read Down (NRD), No Write Up (NWU)
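
The Bell-LaPadula and Biba rules above, together with the label lattice from the LBAC section, as an added example that is not part of the original notes. It goes slightly beyond the notes by attaching categories (compartments) to each level so that some labels are incomparable; the level names, categories and sample subjects/objects are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed ordering of labels, lowest to highest (constructed for this example).
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True when this label is at least as high AND covers every category."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def blp_allows(subject, obj, op):
    """Bell-LaPadula (confidentiality): no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)
    if op == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown operation: {op}")

def biba_allows(subject, obj, op):
    """Biba (integrity): no read down, no write up.
    Here the label is interpreted as an integrity level."""
    if op == "read":
        return obj.dominates(subject)
    if op == "write":
        return subject.dominates(obj)
    raise ValueError(f"unknown operation: {op}")

# Constructed sample subject and objects.
analyst = Label("Secret", frozenset({"NATO"}))
report = Label("Confidential", frozenset({"NATO"}))
plan = Label("Top Secret", frozenset({"NATO"}))
memo = Label("Confidential", frozenset({"CRYPTO"}))  # incomparable with analyst

def decision_table():
    """(object, op, BLP decision, Biba decision) for the analyst."""
    objects = (("report", report), ("plan", plan), ("memo", memo))
    return [(name, op, blp_allows(analyst, o, op), biba_allows(analyst, o, op))
            for name, o in objects for op in ("read", "write")]

if __name__ == "__main__":
    for row in decision_table():
        print(row)
```

The `memo` rows are denied under both models in both directions: neither label dominates the other, which is the case a plain "higher or lower" comparison misses.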

Clark-Wilson (Commercial Integrity)


●​ Uses well-formed transactions.

●​ Includes CDIs, TPs, and IVPs.

Graham-Denning Model
●​ Defines 8 primitive operations for managing access rights.

Harrison-Ruzzo-Ullman Model
●​ Builds on Graham-Denning to determine the safety of access rights changes.

Brewer-Nash (Cognitive Model)


●​ Prevents conflicts of interest (e.g., in consulting firms).

●​ Access depends on past data interactions.

Zero Trust Architecture


●​ Default stance: trust no one, verify everything.

●​ Key principles:

o​ Assume breach.

o​ Enforce least privilege.

o​ Continuous authentication and authorization.

Firewall Fundamentals
What is a Firewall?
●​ A system that controls access between networks.

●​ Can be hardware, software, or a combination.

IP Packet Structure
●​ Header: contains routing and control information.

●​ Payload: contains actual data.


●​ Header fields include version, TTL, source/destination IP, protocol, checksum,
etc.

Firewall Processing Modes


1.​ Packet Filtering

o​ Filters traffic based on headers (IP, port, protocol).

o​ Types:

▪​ Static (fixed rules)

▪​ Dynamic (rules change in response to traffic)

▪​ Stateful (tracks session states)

2.​ Application Proxy


o​ Intercepts and inspects traffic at the application level.

o​ Acts as an intermediary between clients and servers.

3.​ MAC Layer Filtering


o​ Filters traffic based on MAC addresses at Layer 2.

4.​ Hybrid Firewalls


o​ Combine multiple filtering techniques (e.g., packet filtering + proxy).

Firewall Architectures
Single Bastion Host
●​ One firewall protecting the internal network.

●​ Simple but a single point of failure.

Screened Host
●​ Packet-filtering router + a bastion host.

●​ Adds a layer of protection for internal systems.

Screened Subnet (DMZ)


●​ Has two routers/firewalls.

●​ Creates a buffer zone (DMZ) between the internet and internal network.

●​ Ideal for hosting public-facing services securely.

Modern Firewall Solutions


Unified Threat Management (UTM)
●​ All-in-one solution: antivirus, firewall, VPN, IDS/IPS.

●​ Easy management but may be performance-limited.

Next-Generation Firewall (NGFW)


●​ Deep packet inspection, intrusion prevention, and application awareness.

●​ More precise and context-aware than traditional firewalls.

PAT (Port Address Translation)


●​ Definition: A type of NAT (Network Address Translation) that allows many internal
devices to share one external IP address.

●​ Method: Assigns unique port numbers to each session to differentiate them.


●​ Advantage: Efficient use of limited public IPs; supports multiple users behind one
IP.

●​ Application: Maintains session tracking via port numbers.
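
The port-mapping method described above, as an added example that is not part of the original notes. The public address, inside addresses and class name are constructed; drawing translated ports from the dynamic/private range (49152–65535) is an assumption of this sketch.

```python
class PatTable:
    """Port Address Translation: many inside hosts share one outside address."""

    def __init__(self, public_ip, first_port=49152, last_port=65535):
        self.public_ip = public_ip
        self._free_ports = iter(range(first_port, last_port + 1))
        self.out = {}   # (inside_ip, inside_port, proto) -> public_port
        self.back = {}  # (public_port, proto) -> (inside_ip, inside_port)

    def outbound(self, inside_ip, inside_port, proto="tcp"):
        """Translate an outgoing session; reuse the mapping if it exists."""
        key = (inside_ip, inside_port, proto)
        if key not in self.out:
            port = next(self._free_ports, None)
            if port is None:
                raise RuntimeError("PAT port pool exhausted")
            self.out[key] = port
            self.back[(port, proto)] = (inside_ip, inside_port)
        return (self.public_ip, self.out[key])

    def inbound(self, public_port, proto="tcp"):
        """Map a reply back to the inside host; None means no session, drop."""
        return self.back.get((public_port, proto))

if __name__ == "__main__":
    pat = PatTable("203.0.113.10")            # constructed public address
    # Two inside hosts that happen to pick the same source port.
    print(pat.outbound("10.10.10.25", 51000))
    print(pat.outbound("10.10.10.26", 51000))
    print(pat.inbound(49153))                 # reply to the second host
    print(pat.inbound(50000))                 # unsolicited: no mapping
```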

DMZ (Demilitarized Zone)


●​ Hosts that offer services (e.g., web, FTP, email) to external users while protecting
the internal network.

●​ Function: Acts as a buffer zone between internal network and the internet.
●​ Security: Provides limited and controlled access to internal systems.

Extranet (Extension of DMZ)


●​ Definition: A restricted-access part of the DMZ requiring authentication.
●​ Use Cases: Shopping carts, catalogs, or other private online services.
●​ Security: Requires login credentials before granting access to services.

Firewall Selection Criteria


1.​ Protection vs. Cost: Evaluate features and overall cost-effectiveness.

2.​ Staff Expertise: Consider the learning curve and training requirements.

3.​ Scalability: Ensure the firewall can grow with the organization.

4.​ Implementation: Flexible architecture, ease of deployment, and performance.

Firewall Configuration Best Practices


●​ Allow outbound access from trusted internal networks.

● Restrict administrative access to the firewall using strong methods (e.g.,
two-factor authentication).

●​ Secure email systems using SMTP gateways with antivirus and anti-spam.
●​ Block ICMP (e.g., ping) from outside to avoid reconnaissance.
●​ Block Telnet, especially for public-facing servers.

Firewall Rule Basics


●​ Rule Principle: "What is not explicitly allowed is denied."

●​ Inspection Criteria:

o​ Source and destination IP addresses

o​ Protocol types (e.g., TCP, UDP, ICMP)

o​ Port numbers

●​ Rule Scope: Inbound, outbound, interface-based


●​ Port Ranges:
o​ 0–1023: Well-known ports

o​ 1024–49151: Registered ports

o​ 49152–65535: Dynamic/private ports

Common Firewall Rule Sets


Rule Set   Description
1          Allow return traffic for internal requests (stateful inspection)
2          Deny access to firewall interfaces
3          Permit outbound traffic from trusted internal users
4          Route all outbound email to a secure SMTP server
5          Allow internal ping; block external ping
6          Allow internal Telnet; deny external Telnet
7a         Allow HTTP access to a public web server in the DMZ
7b         Allow HTTP to a proxy server
7c         Proxy forwards HTTP to internal server only
8&9        Cleanup: Block all other unpermitted traffic
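
How the rule set above behaves under first-match evaluation with a default-deny cleanup, as an added example that is not part of the original notes. It covers rules 1, 2, 3, 5, 6, 7a and 8&9 only (the SMTP and proxy rules are left out); all addresses, the `Firewall` class and the packet representation are assumptions made for the sketch.

```python
import ipaddress

# Assumed, constructed addressing (not from the notes).
INTERNAL = ipaddress.ip_network("10.10.10.0/24")  # trusted internal network
FIREWALL = ipaddress.ip_address("10.10.10.1")     # firewall's own interface
DMZ_WEB = ipaddress.ip_address("10.10.20.5")      # public web server in the DMZ

# (rule id, match predicate, action), evaluated top-down; first match wins.
# Internal ping/Telnet is already allowed by rule 3, so 5 and 6 only ever
# see external sources.
RULES = [
    ("2", lambda p: p["dst"] == FIREWALL, "deny"),
    ("3", lambda p: p["src"] in INTERNAL, "allow"),
    ("5", lambda p: p["proto"] == "icmp", "deny"),
    ("6", lambda p: p["proto"] == "tcp" and p["dport"] == 23, "deny"),
    ("7a", lambda p: p["dst"] == DMZ_WEB and p["proto"] == "tcp"
                     and p["dport"] == 80, "allow"),
]

class Firewall:
    def __init__(self):
        self.sessions = set()  # state table backing rule 1

    def filter(self, src, dst, proto, sport=0, dport=0):
        """Return (rule id, action) for one packet."""
        p = {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
             "proto": proto, "sport": sport, "dport": dport}
        # Rule 1: reply to a session that was opened from inside.
        if (p["dst"], p["src"], proto, dport, sport) in self.sessions:
            return ("1", "allow")
        for rule_id, match, action in RULES:
            if match(p):
                if rule_id == "3":  # remember it so the reply matches rule 1
                    self.sessions.add((p["src"], p["dst"], proto, sport, dport))
                return (rule_id, action)
        return ("8&9", "deny")  # cleanup: what is not explicitly allowed is denied

if __name__ == "__main__":
    fw = Firewall()
    ext, host = "198.51.100.7", "10.10.10.25"       # constructed endpoints
    print(fw.filter(ext, host, "tcp", 80, 40000))   # unsolicited inbound
    print(fw.filter(host, ext, "tcp", 40000, 80))   # outbound request
    print(fw.filter(ext, host, "tcp", 80, 40000))   # same packet, now a reply
```

The first and third packets are identical on the wire; only the state table entry created by the outbound request changes the decision.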

Internet Protocol Standards


●​ RFCs (Request for Comments): Official documents for internet protocol
definitions.

●​ Access: Available at www.rfc-editor.org/rfc/index.html


●​ Key RFCs:
o​ RFC 2663: NAT terminology and concepts

o​ RFC 4193: IPv6 Unique Local Addresses (ULAs)


Content Filtering
●​ Purpose: Block access to harmful or inappropriate content.

●​ Note: Not a firewall but functions similarly for application/content-level control.

●​ Types:

o​ Rating-based: Rules to allow or deny specific websites.

o​ Keyword-based: Blocks content with specific terms (e.g., adult terms).

●​ Modes:

o​ Exclusive filtering: Block only sites on a blacklist.

o​ Inclusive filtering: Only allow sites on a whitelist (stricter).

Data Loss Prevention (DLP)


●​ Works with content filtering to prevent unauthorized sharing of sensitive data.

●​ Uses rules and patterns to monitor and block confidential information.

Remote Access and Authentication


●​ Then: Used dial-up modems; vulnerable to war dialers scanning for open lines.

● Now: Uses secure VPNs, strong authentication (multi-factor), and cloud-based
services.

●​ Impact of COVID-19: Increased demand for secure and scalable remote access
solutions.

Types of Access Control Protocols


1. RADIUS (Remote Authentication Dial-In User Service)
●​ Purpose: Centralized authentication for users connecting remotely.

●​ How It Works:

1.​ Remote user connects to a NAS (Network Access Server) and submits
credentials.

2.​ NAS forwards credentials to the RADIUS server.


3.​ RADIUS server approves or denies access and authorizes services.

4.​ NAS grants or denies access based on server response.

●​ RFCs: 2058, 2059, 2865–2869


●​ Use Case: Common in ISP, enterprise remote access systems.

2. Diameter Protocol
●​ Improved version of RADIUS

●​ Provides: Authentication, Authorization, and Accounting (AAA)

●​ Features:

o​ Supports more commands and attributes.

o​ Uses modern encryption standards.

o​ Considered the emerging standard for AAA services.

3. TACACS (Terminal Access Controller Access Control System)


●​ RFC: 1492

●​ Versions:

o​ Original TACACS

o​ Extended TACACS

o​ TACACS+

●​ Key Features:
o​ Separates authentication, authorization, and accounting.

o​ Supports two-factor authentication and dynamic passwords.

o​ Uses a centralized client/server model.

4. Kerberos
●​ Concept: Named after the three-headed dog from mythology.
●​ Uses: Symmetric-key encryption for authentication.
●​ Key Features:
o​ Single sign-on across network resources.

o​ Generates session keys for secure communications.

o​ Maintains a database of private keys.

●​ Main Components:
o​ Authentication Server (AS): Verifies client identity.

o​ Key Distribution Center (KDC): Issues session keys.

o​ Ticket Granting Service (TGS): Provides access tickets for services.

5. SESAME (Secure European System for Applications in a Multivendor Environment)


●​ Enhancement to Kerberos

●​ Defined in: RFC 1510

●​ Key Differences from Kerberos:

o​ Uses tokens instead of tickets.

o​ Uses Privilege Attribute Certificates (PACs).

o​ Implements public-key encryption for distributing secret keys.

●​ Additional Features:

o​ More scalable encryption.

o​ Improved access control and auditing.

o​ Ability to delegate access responsibilities.

Virtual Private Networks (VPNs)


Definition
A VPN creates secure communication tunnels over public networks (like the internet) to
extend private networks to remote users or sites.
Types of VPNs
Type           Description
Trusted VPNs   Use leased lines with contractual guarantees.
Secure VPNs    Use encryption protocols (e.g., IPsec) for data protection over the internet.
Hybrid VPNs    Combine secure and trusted VPN elements.

VPN Encryption Modes


Mode        Encryption Scope            Use Case                           Security Level   Efficiency
Transport   Encrypts only payload       Host-to-host, remote access        Moderate         High
Tunnel      Encrypts entire IP packet   Site-to-site, network-to-network   High             Moderate

●​ Transport Mode: Encrypts data only, not headers. Good for device-to-device
communication.

●​ Tunnel Mode: Encrypts full packets, concealing original IP addresses. Ideal for
network-to-network links.

Final Thoughts on Remote Access & Access Controls


Deperimeterization
●​ Concept: The network perimeter is fading.

● Reality: Data resides outside traditional firewalls—in the cloud, on mobile
devices, etc.

●​ Implication: Security must follow the data, not stay bound to network boundaries.
●​ Solution: Adopt Zero Trust models—never trust, always verify.

Remote Access During COVID-19


●​ Rapid Shift: Massive adoption of VPNs, remote tools.
●​ Challenges: Security gaps, unprepared IT systems.
●​ Lessons:
o​ Plan for flexibility.

o​ Secure authentication and access.

o​ Train users on cybersecurity best practices.

Key Takeaways
●​ The network perimeter is dynamic, not fixed.

●​ Protect data at all points—not just within firewalls.

● Combine traditional tools (firewalls, VPNs) with modern approaches (cloud
security, ZTNA).

●​ Stay adaptive, proactive, and user-aware in access control strategies.
