The document discusses access control principles and practices, including terms, concepts, authentication methods, biometrics, and single sign-on. It aims to help readers understand and implement major access control techniques to meet security goals like confidentiality and integrity.

Information Security

Principles and Practices, 2nd Edition

by Mark Merkow and Jim Breithaupt

Access Control Systems and Methodology


Objectives
• Apply access control techniques to meet confidentiality and integrity goals
• Understand and implement the major terms and concepts related to access control and tie them to system security
• Apply discretionary access control (DAC) and mandatory access control (MAC) techniques as appropriate
© Pearson Education 2014, Information Security: Principles and Practices, 2nd Edition
Objectives cont.
• Choose effective passwords and avoid password limitations
• Implement password alternatives, including smart cards, password tokens, and other multifactor techniques
• Apply the goals of single sign-on concepts to business and common users
• Use the techniques described to control remote user access

Introduction
• Access controls are a collection of mechanisms that work together to create a security architecture that protects the assets of an information system
• One of the goals of access control is personal accountability: the ability to prove that a specific, authenticated individual performed a given computer activity at a specific point in time. This requires unique identities (no shared accounts) and tamper-resistant logging of who did what, and when

Terms and Concepts
• Access control is the heart of an information technology (IT) security system and is needed to meet the major objectives of InfoSec: confidentiality and integrity (and, through logging of access decisions, accountability)
• Terms
  • Identification
  • Authentication
  • Least privilege
  • Information owner
  • Discretionary access control
  • Access control lists
  • User provisioning
  • Mandatory access control
  • Role-based access control

Terms and Concepts cont.
• Identification
  • Identification credentials uniquely identify the users of an information system
  • Examples: name, initials, email address, a meaningless string of characters, Social Security number, employee IDs, and others
  • An identifier is a claim, not proof: it is often public (an email address) or widely shared (a Social Security number), so it must never double as an authenticator

Terms and Concepts (cont.)
• Authentication
  • Authentication credentials permit the system to verify one's identification credential
  • Example: a password, the secret that only the legitimate holder of the user ID should know
• Least Privilege (Need-to-Know)
  • The predominant strategy to ensure confidentiality
  • The objective is to give people the least amount of access to a system that is needed to perform the job they're doing, and to remove it when the job changes

Terms and Concepts (cont.)
• Information Owner
  • Maintains overall responsibility for the information within an information system
  • The information owner must be the one to make the decisions about who uses the system and how to recover the system in the event of a disaster; administrators implement those decisions but should not be the ones making them

Terms and Concepts (cont.)
• Discretionary Access Control
  • The principle of discretionary access control (DAC) dictates that the information owner is the one who decides who gets to access the system(s) or object(s)
  • Most of the common operating systems on the market today (Windows, Macintosh, UNIX, Novell's NetWare, and so forth) rely on DAC principles for access and operation
  • Because the owner can grant access at will, DAC cannot prevent an authorized user, or malware running with that user's rights, from copying protected data into an object with weaker permissions

Terms and Concepts cont.
• Access Control Lists
  • A list or a file of users who are given the privilege of access to a system or resource (a database, for example)
  • Within the file is a user ID and an associated privilege or set of privileges for that user and that resource
  • Privileges typically include Read, Write, Update, Execute, Delete, or Rename
  • Any user not on the list gets no access (default deny)
• User Provisioning
  • Granting access to new employees, and adjusting or revoking it when they change roles or leave
  • Includes checking management approvals for granting access

Terms and Concepts cont.
• Mandatory Access Control
  • Also called nondiscretionary access control: the system, not the owner, decides who gains access to information, based on the concepts of subjects, objects, and labels
  • Often used in military and government systems
  • Subjects: the people or other systems that are granted a clearance to access an object within the information system
  • Objects: the elements within the information system that are being protected from use or access
  • Labels: the mechanism that ties subjects to objects. Each object carries a classification label and each subject a clearance label; the system compares them and permits access only when the subject's clearance dominates the object's label (a SECRET clearance can read a CONFIDENTIAL file but not a TOP SECRET one), and no user can change that outcome

Terms and Concepts cont.
• Role-Based Access Control
  • Involves assigning users to roles (often implemented as groups) and then assigning rights to the roles rather than to individual users
  • RBAC methods are most appropriate where there is high turnover of employees and/or frequent movements between job roles: a job change is one role assignment, not an audit of every ACL the user appears in
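The three models described above (the DAC access control list, MAC labels, and RBAC roles) side by side, as an added Python example. This code is not from the textbook; the users, labels, roles and resources are constructed for illustration, and the MAC rules follow the Bell-LaPadula "no read up / no write down" pattern.

```python
"""Added example (not from the textbook): DAC, MAC and RBAC decisions side by
side. Users, labels, roles and resources are constructed for illustration."""
from dataclasses import dataclass, field


# ---- DAC: each object carries an ACL that only its owner may edit ------------
@dataclass
class DacObject:
    owner: str
    acl: dict = field(default_factory=dict)   # user -> set of privileges

    def grant(self, by: str, user: str, privileges: set) -> None:
        """Discretionary: the owner decides, nobody else can change the list."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner of this object")
        self.acl.setdefault(user, set()).update(privileges)

    def allows(self, user: str, privilege: str) -> bool:
        """Default deny: a user absent from the ACL gets nothing."""
        return privilege in self.acl.get(user, set())


# ---- MAC: the system compares labels; owners cannot override the outcome -----
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()   # need-to-know categories

    def dominates(self, other: "Label") -> bool:
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_allows(clearance: Label, classification: Label, privilege: str) -> bool:
    """Bell-LaPadula rules: reading requires the subject's clearance to dominate
    the object's label (no read up); writing requires the object's label to
    dominate the clearance (no write down), so a SECRET subject cannot copy
    SECRET data into a CONFIDENTIAL file."""
    if privilege == "read":
        return clearance.dominates(classification)
    if privilege == "write":
        return classification.dominates(clearance)
    return False


# ---- RBAC: users hold roles, roles hold permissions ---------------------------
ROLE_PERMISSIONS = {
    "clerk":   {("ledger", "read")},
    "auditor": {("ledger", "read"), ("audit_log", "read")},
    "manager": {("ledger", "read"), ("ledger", "write")},
}
USER_ROLES = {"alice": {"clerk"}, "bob": {"manager"}, "carol": {"auditor"}}


def rbac_allows(user: str, obj: str, privilege: str) -> bool:
    return any((obj, privilege) in ROLE_PERMISSIONS[role]
               for role in USER_ROLES.get(user, set()))


def change_role(user: str, new_roles: set) -> None:
    """A job move is one edit here, with no per-object ACL cleanup."""
    USER_ROLES[user] = set(new_roles)


if __name__ == "__main__":
    payroll = DacObject(owner="alice")
    payroll.grant("alice", "bob", {"read"})
    print("DAC  bob reads payroll:", payroll.allows("bob", "read"))
    analyst = Label("SECRET", frozenset({"crypto"}))
    report = Label("CONFIDENTIAL")
    print("MAC  SECRET reads CONFIDENTIAL:", mac_allows(analyst, report, "read"))
    print("MAC  SECRET writes CONFIDENTIAL:", mac_allows(analyst, report, "write"))
    print("RBAC alice writes ledger:", rbac_allows("alice", "ledger", "write"))
```

Note what each model refuses: DAC refuses an ACL edit by a non-owner but will happily let the owner grant anything; MAC refuses a write from a higher label to a lower one even though the subject could read the target; RBAC answers from the role table, so moving alice to "manager" changes every decision about her at once.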

Principles of Authentication
• The idea of authentication is that only the legitimate user possesses the secret information needed to prove to a system that she has the right to use a specific user ID
• These secrets are commonly passwords, but history has shown that passwords are problematic:
  • Passwords can be insecure (written down, reused across systems, sent in the clear)
  • Passwords are easily broken (guessed online, or cracked offline when weakly chosen or weakly hashed)
  • Passwords are inconvenient
  • Passwords are repudiable (a user can claim that someone else learned the password and acted under the ID)
• Passwords are an example of single-factor authentication

Principles of Authentication cont.
• Multifactor Authentication
  • Using more than one authentication mechanism, drawn from different categories: something you know (password, PIN), something you have (token, smart card), something you are (biometric). Two passwords are still one factor
  • With two or three factors (multifactor authentication) to authenticate, an information owner can have confidence that users who access their systems are indeed authorized
  • This is accomplished by adding more controls and/or devices to the password authentication process

Principles of Authentication (cont.)
• Two-Factor Authentication
  • With a two-factor authentication system, a user has a physical device (a card, a token, a smart card, and so forth) that contains his credentials, protected by a personal identification number (PIN) or a password that the user keeps secret
  • Stealing the device without the PIN, or the PIN without the device, is not enough
• Three-Factor Authentication
  • In a three-factor system, unique information related to the user is added to the two-factor authentication process
  • This unique information may be a biometric (fingerprint, retinal scan, and so forth) needed for authentication

Biometrics
• Biometric-based identification works by measuring unique human characteristics as a way to confirm identity
• Some common biometric techniques include
  • Fingerprint recognition
  • Signature dynamics
  • Iris scanning
  • Retina scanning
  • Voice prints
  • Face recognition
• The most common biometric in use is fingerprint recognition. Some of the advantages of fingerprints include

Single Sign-On
• In an SSO system, users authenticate once, with one password (or other credential), for all corporate and back-office systems and applications they need to perform their jobs
• One consistent credential can be remembered and used, so users stop writing down or reusing dozens of passwords, which increases the security of the overall system of access controls
• The trade-off: that one credential now opens everything, so it must be the strongest one the organization has (multifactor) and its logins must be monitored
• Single Sign-On mechanisms include
  • Password Safe (strictly a password manager: it stores a separate password per system and fills it in, which gives the user the experience of SSO without the systems sharing an authentication service)
  • Kerberos
  • Proprietary and custom developed solutions
Single Sign-On (cont.)
• Kerberos
  • Kerberos is designed to provide authentication for client/server applications by using symmetric-key cryptography
  • A free implementation is available from MIT
  • Works through a trusted Key Distribution Center (KDC) that shares a long-term key with every user and service. After the user logs in once, the KDC issues a ticket-granting ticket (TGT), encrypted under the KDC's own key so the client cannot read or alter it; the client presents the TGT to obtain a service ticket for each application it wants to use
  • A service ticket is encrypted under the target service's key and carries the user's name and a fresh session key, so the service can verify who is calling without ever seeing the user's password; what that user may then do is up to the permissions each service grants the authenticated name
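The Kerberos exchanges described above, as an added toy example that is not the textbook's or MIT's code. It keeps the structure (AS exchange, TGS exchange, AP exchange, symmetric keys only) but replaces Kerberos's encryption types with a SHA-256 keystream plus HMAC stand-in; the realm, principal names, passwords and lifetimes are constructed.

```python
"""Added example (not from the textbook): a toy Kerberos-style exchange using
symmetric keys only. seal()/unseal() stand in for Kerberos encryption types,
and every principal name, password and lifetime here is constructed."""
import hashlib
import hmac
import json
import secrets


# --- stand-in for Kerberos encryption: SHA-256 keystream plus an HMAC tag ----
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a small JSON object under a symmetric key."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(principal: str, password: str) -> bytes:
    """Kerberos derives each principal's key from its password (string-to-key);
    the key itself never crosses the network."""
    salt = f"EXAMPLE.COM{principal}".encode()     # constructed realm
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def _fresh(authenticator: dict, ticket: dict, now: int) -> None:
    """Authenticator must name the ticket's user and be within 5 minutes of now."""
    if authenticator["user"] != ticket["user"] or abs(authenticator["ts"] - now) > 300:
        raise ValueError("bad authenticator")


class KDC:
    """Key Distribution Center: holds every principal's long-term key."""
    def __init__(self, principals: dict):
        self.keys = dict(principals)
        self.keys["krbtgt"] = secrets.token_bytes(32)   # the ticket-granting service's key

    def as_exchange(self, user: str, now: int) -> tuple:
        """AS-REQ/AS-REP: a TGS session key, once sealed for the user and once
        inside the TGT, which only the KDC itself can open."""
        sk = secrets.token_bytes(32).hex()
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk, "exp": now + 8 * 3600})
        return seal(self.keys[user], {"sk": sk}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> tuple:
        """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        _fresh(unseal(bytes.fromhex(t["sk"]), authenticator), t, now)
        svc_sk = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sk": svc_sk, "exp": now + 3600})
        return seal(bytes.fromhex(t["sk"]), {"sk": svc_sk}), ticket


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """AP-REQ at the application server: it needs only its own key. Returns the
    authenticated user name, or raises."""
    t = unseal(service_key, ticket)
    if now > t["exp"]:
        raise ValueError("service ticket expired")
    _fresh(unseal(bytes.fromhex(t["sk"]), authenticator), t, now)
    return t["user"]


def client_session(kdc: KDC, user: str, password: str, service: str, now: int) -> tuple:
    """Client side: one password entry, then tickets do the rest."""
    reply, tgt = kdc.as_exchange(user, now)
    sk = bytes.fromhex(unseal(long_term_key(user, password), reply)["sk"])  # wrong password fails here
    svc_reply, ticket = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": now}), service, now)
    svc_sk = bytes.fromhex(unseal(sk, svc_reply)["sk"])
    return ticket, seal(svc_sk, {"user": user, "ts": now})
```

Two things to notice: the client never learns the krbtgt key or the service key, so it cannot forge or edit a ticket, and the service never sees the user's password. Real Kerberos adds realms, pre-authentication, renewable tickets and a replay cache at the service; this toy accepts the same authenticator twice within the five-minute window, which a replay cache would refuse.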

Single Sign-On (cont.)
• Federated Identities
  • Facebook
    • Sites have an arrangement with Facebook so users can log in with their Facebook credentials and don't have to create a new unique user name and password
  • Google
  • LinkedIn
  • These "log in with" arrangements are built on the OAuth 2.0 and OpenID Connect standards: the site (relying party) never sees the password, only a signed assertion from the identity provider, so the security of every relying site rests on that one provider account

Remote User Access and Authentication
• Additional access control mechanisms are required because of the use of insecure networks to create a connection to the corporate local area network
• Remote Authentication Dial-In User Service (RADIUS)
  • RADIUS is a client/server protocol and software that enables remote access users to communicate, through a network access server, with a central server that authenticates them and authorizes their access to the requested system or service (and records accounting data)
  • Authenticating to a RADIUS server might require a user ID and password or token or smart card
  • The access server and the RADIUS server share a secret used to authenticate replies and to hide the user's password in transit; that shared secret, and the network path between the two servers, must be protected

Remote User Access and Authentication (cont.)
• Virtual Private Networks
  • With a VPN, a user connects to the Internet via her ISP and initiates a connection to the protected network, creating a private tunnel between the end points that prevents eavesdropping or data modification
  • Uses cryptography both to authenticate sender and receiver and to encrypt the traffic
  • The tunnel protects the path, not the end point: a compromised laptop on a VPN is a compromised host inside the corporate network

ACCESS CONTROLS Tutorial
Hoang Thi Kieu Hoa
Faculty of Information Technology, Hanoi University
Contents
What is an Access Control List?
Why Use An ACL?
Where Can You Place An ACL?
What Are The Components of An ACL?
What Are The Types of ACLs?
How to Implement An ACL on a Router?
What is an Access Control List?
In the computer networking world, an ACL is one of the most fundamental components of security.
Access Control Lists (ACLs) are network traffic filters that can control incoming or outgoing traffic.
ACLs work on a set of rules that define whether to forward or block a packet at the router's interface.
An ACL behaves like a stateless firewall: it permits or blocks each packet on its own header fields (source, destination, protocol, port) with no memory of the connection it belongs to. Return traffic therefore needs its own permitting entry, and an ACL cannot tell a legitimate reply from a spoofed packet that carries the same headers.
Why Use An ACL?
The main idea of using an ACL is to provide security to your network. Without it, all traffic is allowed to enter or exit, leaving the network exposed to unwanted and dangerous traffic.
Why Use An ACL?
In the tutorial's figure (not reproduced here), the routing device has an ACL that denies host C access to the Financial network while at the same time allowing access to host D.
Why Use An ACL?
With an ACL you can filter packets for a single IP address or a group of addresses, or for different protocols, such as TCP or UDP.
So for example, instead of blocking only one host in the engineering team, you can deny access to the entire network and allow only one host. Or you can restrict access just for host C.
If the engineer at host C needs to access a web server located in the Financial network, you can permit only TCP port 80 from host C to that server and block everything else.
Where Can You Place An ACL?
The devices that are facing unknown external networks,
such as the Internet, need to have a way to filter traffic. So,
one of the best places to configure an ACL is on the edge
routers.
What Are The Components of An ACL?
An ACL is a set of rules or entries. You can have an ACL with a single entry or multiple entries, and each entry permits or denies some traffic.
What Are The Components of An ACL?
• Sequence Number: identifies an ACL entry using a number, which also fixes the order in which entries are evaluated.
• ACL Name: identifies an ACL using a name. Instead of a number, some routers allow a combination of letters and numbers (named ACLs).
• Remark: some routers allow you to add comments to an ACL, which helps you record detailed descriptions.
• Statement: deny or permit a specific source based on address and wildcard mask. Some routing devices, such as Cisco IOS, add an implicit deny-all statement at the end of each ACL, so any packet that matches no entry is dropped.
What Are The Components of An ACL?
• Network Protocol: specify whether to deny/permit IP, IPX, ICMP, TCP, UDP, NetBIOS, and more.
• Source or Destination: define the source or destination target as a single IP, an address range (CIDR or wildcard mask), or all addresses.
• Log: some devices are capable of keeping logs when ACL matches are found.
• Other Criteria: advanced ACLs allow you to control traffic by Type of Service (ToS), IP precedence, and Differentiated Services Code Point (DSCP) priority.
What Are The Types of ACLs?
The standard ACL aims to protect a network using only the source address (on Cisco IOS, numbered 1-99 or 1300-1999).
It is the most basic type and can be used for simple deployments, but unfortunately it does not provide strong security, since it cannot distinguish destinations or services. The configuration for a standard ACL on a Cisco router is as follows:
What Are The Types of ACLs?
With the extended ACL (numbered 100-199 or 2000-2699 on Cisco IOS), you can match on both source and destination, for single hosts or entire networks.
You can also use an extended ACL to filter traffic based on protocol information (IP, ICMP, TCP, UDP) and port numbers.
The configuration of an extended ACL in a Cisco router for TCP is as follows:
What Are The Types of ACLs?
Dynamic ACLs rely upon extended ACLs, Telnet, and authentication. This type of ACL is often referred to as "Lock and Key" and can be used for specific timeframes.
These lists permit a user access to a source or destination only after the user authenticates to the device via Telnet; the entry is added temporarily and removed after a timeout. Note that Telnet carries the credentials in cleartext, so the path to the router must itself be trusted.
The following is the configuration of a Dynamic ACL in a Cisco router.
How to Implement An ACL On Your Router?
For an ACL to work, apply it to a router's interface in a direction (inbound or outbound). Applying it inbound drops unwanted packets before the router spends a routing lookup on them, so it is usually the cheaper choice.
When you create an ACL entry, the source address goes first, and the destination goes after. Take the example of the extended ACL configuration for IP on a Cisco router: when you create a deny/permit rule, you must first define the source, and then the destination IP.
"Inbound" and "outbound" are relative to the interface, not to the network: an inbound ACL on the interface facing Engineering sees Engineering hosts as sources, and an outbound ACL on the interface facing Finance sees Finance hosts as destinations.
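An added example (not from the tutorial) that models how a router evaluates the standard and extended ACLs described above: a parser for a subset of the Cisco IOS `access-list N permit|deny ...` syntax, first-match evaluation of a packet, the implicit deny, and a check for entries that are shadowed by earlier ones. The ACL lines and packets are constructed sample input; real IOS accepts far more syntax than this parser handles.

```python
"""Added example (not from the tutorial): evaluator for a subset of Cisco IOS
numbered-ACL syntax. SAMPLE_CONFIG and the packets are constructed input."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = (0, 0xFFFFFFFF)   # 0.0.0.0 with wildcard 255.255.255.255

@dataclass
class Rule:
    text: str
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches everything; else tcp/udp/icmp
    src: tuple                   # (address, wildcard) as 32-bit ints
    dst: tuple
    dport: Optional[int] = None  # destination port from "eq N"
    log: bool = False

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0

def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens: list) -> tuple:
    """Consume one address spec: 'any' | 'host A' | 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ANY
    if tok == "host":
        return (_ip(tokens.pop(0)), 0)
    return (_ip(tok), _ip(tokens.pop(0)))

def _covers(spec: tuple, ip: int) -> bool:
    """Wildcard bits set to 1 are 'don't care' (the inverse of a subnet mask)."""
    addr, wild = spec
    return (ip & ~wild & 0xFFFFFFFF) == (addr & ~wild & 0xFFFFFFFF)

def parse_acl(config: str) -> dict:
    """Parse 'access-list N permit|deny ...' lines into {N: [Rule, ...]} in
    configuration order. Numbers below 100 are standard (source only)."""
    acls: dict = {}
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if number < 100:
            rule = Rule(line.strip(), action, "ip", _take_addr(rest), ANY, log=log)
        else:
            proto = rest.pop(0)
            src, dst = _take_addr(rest), _take_addr(rest)
            dport = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
            rule = Rule(line.strip(), action, proto, src, dst, dport, log)
        acls.setdefault(number, []).append(rule)
    return acls

def evaluate(rules: list, pkt: Packet) -> tuple:
    """First matching entry wins; a packet matching nothing hits the implicit deny."""
    ip_src, ip_dst = _ip(pkt.src), _ip(pkt.dst)
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if not (_covers(r.src, ip_src) and _covers(r.dst, ip_dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action, r.text
    return "deny", "implicit deny"

def shadowed(rules: list) -> list:
    """Entries that can never match because an earlier entry already covers
    every packet they would match; a classic ordering mistake."""
    def addr_subsumes(a: tuple, b: tuple) -> bool:
        return (a[1] | b[1]) == a[1] and _covers(a, b[0])

    def subsumes(a: Rule, b: Rule) -> bool:
        return (a.proto in ("ip", b.proto) and addr_subsumes(a.src, b.src)
                and addr_subsumes(a.dst, b.dst) and a.dport in (None, b.dport))

    return [b.text for i, b in enumerate(rules)
            if any(subsumes(a, b) for a in rules[:i])]

# Constructed: Engineering is 10.10.20.0/24 (host C = .7), Finance is 172.16.5.0/24
# with a web server at .10. Entry 4 is unreachable because entry 1 already permits it.
SAMPLE_CONFIG = """
access-list 101 permit tcp 10.10.20.0 0.0.0.255 host 172.16.5.10 eq 80
access-list 101 deny ip host 10.10.20.7 172.16.5.0 0.0.0.255 log
access-list 101 permit ip 10.10.20.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 101 permit tcp host 10.10.20.7 host 172.16.5.10 eq 80
"""
```

Run `evaluate(parse_acl(SAMPLE_CONFIG)[101], Packet("tcp", "10.10.20.7", "172.16.5.10", 80))` and host C reaches the web server on port 80 because entry 1 matches before the deny in entry 2; the same host to any other Finance address is denied (and logged) by entry 2; a packet from outside Engineering matches nothing and is dropped by the implicit deny. `shadowed()` flags entry 4, which can never fire.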
Summary
• Access control is needed to meet the goals of confidentiality, integrity, and user accountability, which are essential for trust in an information system
• Access control is done using discretionary means, mandatory means, and role-based means
• Identification and authentication techniques sometimes use biometric information to add further confidence that users are legitimate

Summary cont.
• Single sign-on and associated technologies and protocols aim to reduce the proliferation of IDs and passwords to better control the security of access control mechanisms
• Remote access control technology, such as RADIUS and VPN, permits remote users to access corporate networks without the need for expensive dial-up connections or additional hardware costs
