
Network Security Essentials, Fifth Edition
by William Stallings

Chapter 5
Network Access Control and Cloud Security

“No ticket! Dear me, Watson, this is really very singular. According to my experience it is not possible to reach the platform of a Metropolitan train without exhibiting one’s ticket.”

—The Adventure of the Bruce-Partington Plans, Sir Arthur Conan Doyle
Network Access Control (NAC)
• An umbrella term for managing access to a network
• Authenticates users logging into the network and determines what data they can access and actions they can perform
• Also examines the health of the user’s computer or mobile device
Network Access Enforcement Methods
• The actions that are applied to ARs (access requestors) to regulate access to the enterprise network
• Many vendors support multiple enforcement methods simultaneously, allowing the customer to tailor the configuration by using one method or a combination of methods
Authentication Methods
• EAP provides a generic transport service for the exchange of authentication information between a client system and an authentication server
• The basic EAP transport service is extended by using a specific authentication protocol that is installed in both the EAP client and the authentication server
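The separation the slide describes (a generic EAP transport, extended by a method-specific protocol) is visible directly in the packet layout: the EAP header carries only Code, Identifier and Length, and the Type byte selects the method whose data follows. The following parser is an added example, not code from the textbook or slides. It decodes EAPOL frames (IEEE 802.1X header) and the EAP packets inside them (RFC 3748 header), and walks a constructed supplicant/authenticator exchange, enforcing the one rule an authenticator relies on at the transport level: a Response must carry the Identifier of the outstanding Request. The exchange, the account name and the method-type table are constructed for illustration.

```python
"""Parse IEEE 802.1X EAPOL frames and the EAP packets they carry.

Added example (not from the textbook or slides). Field layouts follow
IEEE 802.1X (EAPOL header) and RFC 3748 (EAP header); the sample
exchange below is constructed for illustration.
"""
import struct

# EAPOL packet types (IEEE 802.1X)
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff",
               3: "EAPOL-Key", 4: "EAPOL-Encapsulated-ASF-Alert"}
# EAP codes (RFC 3748): the generic transport layer
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# A few EAP method types: the method is what extends the generic transport
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 21: "EAP-TTLS", 25: "PEAP"}


def parse_eapol(frame: bytes) -> dict:
    """Split an EAPOL frame into header fields and body.

    Header: protocol version (1 byte), packet type (1 byte), body length (2 bytes, big-endian).
    """
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than 4-byte header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length %d exceeds frame" % body_len)
    return {"version": version, "type": EAPOL_TYPES.get(ptype, "Unknown(%d)" % ptype), "body": body}


def parse_eap(packet: bytes) -> dict:
    """Parse the generic EAP header (code, identifier, length) plus the method Type."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP length field %d inconsistent with packet" % length)
    info = {"code": EAP_CODES.get(code, "Unknown(%d)" % code), "id": ident, "length": length}
    if code in (1, 2):  # Request/Response carry a Type byte and method-specific data
        if length < 5:
            raise ValueError("EAP Request/Response missing Type field")
        info["type"] = EAP_TYPES.get(packet[4], "Unknown(%d)" % packet[4])
        info["data"] = packet[5:length]
    return info


def build_eap(code, ident, eap_type=None, data=b""):
    """Encode an EAP packet; Success/Failure carry no Type or data."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload


def build_eapol(ptype, body=b"", version=2):
    """Encode an EAPOL frame (version 2 = IEEE 802.1X-2004)."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


def check_exchange(frames):
    """Decode a sequence of EAPOL frames and return a readable trace.

    Raises if a Response does not match the Identifier of the outstanding Request.
    """
    trace, outstanding = [], None
    for frame in frames:
        eapol = parse_eapol(frame)
        if eapol["type"] != "EAP-Packet":
            trace.append(eapol["type"])
            continue
        eap = parse_eap(eapol["body"])
        if eap["code"] == "Request":
            outstanding = eap["id"]
        elif eap["code"] == "Response":
            if eap["id"] != outstanding:
                raise ValueError("Response id %d does not match Request id %s" % (eap["id"], outstanding))
            outstanding = None
        trace.append(eap["code"] + ("/" + eap["type"] if "type" in eap else ""))
    return trace


# Constructed exchange: EAPOL-Start, Request/Identity, Response/Identity, Success
SAMPLE_EXCHANGE = [
    build_eapol(1),                                # EAPOL-Start from the supplicant
    build_eapol(0, build_eap(1, 7, 1)),            # Request/Identity, identifier 7
    build_eapol(0, build_eap(2, 7, 1, b"alice")),  # Response/Identity, identifier 7
    build_eapol(0, build_eap(3, 7)),               # Success
]

if __name__ == "__main__":
    print(check_exchange(SAMPLE_EXCHANGE))
```

Everything method-specific (the MD5 challenge, the TLS handshake of EAP-TLS, and so on) lives in the bytes after the Type field and is opaque to this parser, which is exactly the point of the transport/method split: the authenticator and supplicant can add a new method without changing how the packets are framed.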
Table 5.1 Terminology Related to IEEE 802.1X

Table 5.2 Common EAPOL Frame Types
Cloud Computing
• NIST defines cloud computing, in NIST SP 800-145 (The NIST Definition of Cloud Computing), as follows:

“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
Cloud Computing Reference Architecture
• NIST SP 500-292 (NIST Cloud Computing Reference Architecture) establishes a reference architecture, described as follows:

“The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.”
Cloud Provider Roles and Responsibilities
Cloud Security Risks and Countermeasures
• The Cloud Security Alliance [CSA10] lists the following as the top cloud-specific security threats, together with suggested countermeasures:

Risks and Countermeasures (continued)
• Account or service hijacking
  • Countermeasures: prohibit the sharing of account credentials between users and services; leverage strong two-factor authentication techniques where possible; employ proactive monitoring to detect unauthorized activity; understand CP security policies and SLAs
• Unknown risk profile
  • Countermeasures: disclosure of applicable logs and data; partial/full disclosure of infrastructure details; monitoring and alerting on necessary information
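Three of the hijacking countermeasures above (no credential sharing between users and services, two-factor authentication, proactive monitoring) can be checked from authentication logs. The script below is an added example, not from the textbook or the CSA document: it parses a small constructed authentication log and reports accounts used from more than one source in a short window (shared or stolen credentials), successful interactive logins without a second factor, and service accounts appearing from sources outside their allowlist. The log format, the `svc-` naming convention, the ten-minute window and the allowlist are assumptions.

```python
"""Proactive monitoring for account/service hijacking indicators.

Added example, not from the textbook or the CSA guidance. The log format,
the events, the service-account naming convention and the thresholds are
all constructed or assumed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events: timestamp, account, source IP, MFA used, outcome
SAMPLE_LOG = """\
2024-03-01T09:00:05Z login account=alice src=203.0.113.10 mfa=yes result=success
2024-03-01T09:02:11Z login account=alice src=203.0.113.10 mfa=yes result=success
2024-03-01T09:03:40Z login account=alice src=198.51.100.77 mfa=no result=success
2024-03-01T09:05:02Z login account=svc-backup src=10.0.0.5 mfa=no result=success
2024-03-01T09:06:30Z login account=svc-backup src=10.0.0.5 mfa=no result=success
2024-03-01T09:07:15Z login account=bob src=192.0.2.44 mfa=no result=failure
2024-03-01T09:07:20Z login account=bob src=192.0.2.44 mfa=no result=failure
2024-03-01T09:07:25Z login account=bob src=192.0.2.44 mfa=yes result=success
2024-03-01T09:08:00Z login account=svc-backup src=203.0.113.10 mfa=no result=success
"""

SHARED_WINDOW = timedelta(minutes=10)       # assumption: distinct sources this close together are suspicious
SERVICE_PREFIX = "svc-"                     # assumption: naming convention for service accounts
SERVICE_ALLOWLIST = {"svc-backup": {"10.0.0.5"}}  # assumption: where each service account may log in from


def parse_log(text):
    """Turn the key=value log lines into event dicts."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(p.split("=", 1) for p in parts[2:])
        events.append({"ts": ts, "account": kv["account"], "src": kv["src"],
                       "mfa": kv["mfa"] == "yes", "success": kv["result"] == "success"})
    return events


def find_shared_credentials(events, window=SHARED_WINDOW):
    """Accounts with successful logins from more than one source within `window`."""
    by_account = defaultdict(list)
    for e in events:
        if e["success"]:
            by_account[e["account"]].append(e)
    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            srcs = {e["src"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(srcs) > 1:
                findings[account] = sorted(srcs)
                break
    return findings


def find_missing_mfa(events):
    """Successful logins by user (non-service) accounts that did not use a second factor."""
    return [(e["account"], e["src"]) for e in events
            if e["success"] and not e["mfa"] and not e["account"].startswith(SERVICE_PREFIX)]


def find_service_account_misuse(events, allowlist=SERVICE_ALLOWLIST):
    """Service accounts seen from sources outside their allowlist (a sign the credential was shared)."""
    return [(e["account"], e["src"]) for e in events
            if e["account"].startswith(SERVICE_PREFIX) and e["src"] not in allowlist.get(e["account"], set())]


def report(text=SAMPLE_LOG):
    events = parse_log(text)
    return {"shared": find_shared_credentials(events),
            "no_mfa": find_missing_mfa(events),
            "service_misuse": find_service_account_misuse(events)}


if __name__ == "__main__":
    for name, finding in report().items():
        print(name, finding)
```

On the constructed log, `alice` is flagged twice (a second source inside the window and a success without MFA) and `svc-backup` is flagged once the service credential shows up on a user workstation. In production these checks would run continuously against the CP's audit logs, which is why the slide pairs the monitoring countermeasure with understanding what logs the CP's policies and SLAs actually make available.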
Table 5.3 NIST Guidelines on Security and Privacy Issues and Recommendations (page 1 of 2)
(Table can be found on pages 154–155 in textbook)

Table 5.3 NIST Guidelines on Security and Privacy Issues and Recommendations (page 2 of 2)
(Table can be found on pages 154–155 in textbook)
Data Protection in the Cloud
• The threat of data compromise increases in the cloud
• Database environments used in cloud computing can vary significantly
Data Protection in the Cloud
• Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
• The client can employ encryption to protect data in transit, though this involves key management responsibilities for the CP
• For data at rest the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the CP having no access to the encryption key
• A straightforward solution to the security problem in this context is to encrypt the entire database and not provide the encryption/decryption keys to the service provider
• The user has little ability to access individual data items based on searches or indexing on key parameters
• The user would have to download entire tables from the database, decrypt the tables, and work with the results
• To provide more flexibility it must be possible to work with the database in its encrypted form
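The trade-off in the last three bullets (the CP holds no key, so the client cannot search by key parameter without downloading everything) can be relaxed with a keyed blind index: the client stores, next to each encrypted row, an HMAC of the searchable column computed under a key the CP never sees, and searches by sending the HMAC of the value it wants. The following is an added example, not code from the textbook; the table layout and sample rows are constructed, and the HMAC-SHA256 counter-mode keystream used for row encryption is a standard-library stand-in for an authenticated cipher such as AES-GCM from a vetted library, chosen only so the example runs without third-party packages.

```python
"""Client-side encrypted table with a searchable blind index.

Added example, not from the textbook. The client keeps the master key; the
cloud provider (CP) stores only ciphertext, integrity tags and keyed hashes.
The HMAC-SHA256 counter-mode keystream is a standard-library stand-in for
an authenticated cipher such as AES-GCM. Table layout and rows are constructed.
"""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(key, nonce || counter) blocks, truncated to `length`."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class Client:
    """Holds the master key and derives separate keys for encryption, integrity and the index."""

    def __init__(self, master_key: bytes):
        self.enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
        self.idx_key = hmac.new(master_key, b"idx", hashlib.sha256).digest()

    def index_token(self, value: str) -> str:
        # Deterministic keyed hash: equal plaintexts give equal tokens, so the CP can
        # match them without learning the value. Which rows share a value is leaked.
        return hmac.new(self.idx_key, value.encode(), hashlib.sha256).hexdigest()

    def encrypt_row(self, row: dict, index_column: str) -> dict:
        plaintext = json.dumps(row, sort_keys=True).encode()
        nonce = os.urandom(16)  # fresh nonce per row so equal rows encrypt differently
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(self.enc_key, nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex(),
                "idx": self.index_token(str(row[index_column]))}

    def decrypt_row(self, rec: dict) -> dict:
        nonce, ct = bytes.fromhex(rec["nonce"]), bytes.fromhex(rec["ct"])
        expected = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            raise ValueError("row failed integrity check: tampered or wrong key")
        pt = bytes(c ^ k for c, k in zip(ct, _keystream(self.enc_key, nonce, len(ct))))
        return json.loads(pt.decode())


class CloudTable:
    """What the CP sees: opaque records plus an index column it can match tokens against."""

    def __init__(self):
        self.records = []

    def insert(self, rec: dict):
        self.records.append(rec)

    def find(self, token: str) -> list:
        """Equality search on the blind index; the CP never learns the queried value."""
        return [r for r in self.records if r["idx"] == token]

    def contains_plaintext(self, needle: str) -> bool:
        return needle in json.dumps(self.records)


# Constructed sample data; customer_id is the searchable key parameter
SAMPLE_ROWS = [
    {"customer_id": "C1001", "name": "Alice Example", "balance": 120.5},
    {"customer_id": "C1002", "name": "Bob Example", "balance": 80.0},
    {"customer_id": "C1001", "name": "Alice Example", "balance": 15.25},
]


def demo():
    client = Client(os.urandom(32))  # the key never leaves the client
    cloud = CloudTable()
    for row in SAMPLE_ROWS:
        cloud.insert(client.encrypt_row(row, "customer_id"))
    # Fetch one customer's rows without downloading and decrypting the whole table
    matches = [client.decrypt_row(r) for r in cloud.find(client.index_token("C1001"))]
    return {"match_count": len(matches),
            "balances": sorted(r["balance"] for r in matches),
            "cloud_sees_name": cloud.contains_plaintext("Alice"),
            "cloud_sees_id": cloud.contains_plaintext("C1001")}


if __name__ == "__main__":
    print(demo())
```

The index gives equality search only; range queries, aggregates and joins over encrypted columns need further techniques (order-preserving or homomorphic schemes, or the proxy-based approaches the textbook discusses), each with its own leakage. The blind index itself leaks which rows share a value, which is the price paid for moving from "download and decrypt the whole table" to "fetch matching rows".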
Cloud Security as a Service (SecaaS)
• The Cloud Security Alliance defines SecaaS as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems
• The Cloud Security Alliance has identified the following SecaaS categories of service:
• Identity and access management
• Data loss prevention
• Web security
• E-mail security
• Security assessments
• Intrusion management
• Security information and event management
• Encryption
• Business continuity and disaster recovery
• Network security
Summary
• Network access control
  • Elements of a network access control system
  • Network access enforcement methods
• Extensible authentication protocol
  • Authentication methods
  • EAP exchanges
• IEEE 802.1X port-based network access control
• Cloud computing
  • Elements
  • Reference architecture
• Cloud security risks and countermeasures
• Data protection in the cloud
• Cloud security as a service
