Summary: Network access control is a security solution that uses protocols to restrict unauthorized access to private networks. It identifies devices connected to networks and enforces security policies. NAC implements restricted access, network boundary protection, pre-admission and post-admission controls. Common uses of NAC include allowing BYOD and controlling IoT devices.

Uploaded by: mohamed faisal

Computer System Security (COS-413)
Lecture Seven
Eng. Mohamed Jaambiir
04/29/2024

What is Network Access Control?

- Network Access Control (NAC) is a security solution that uses a set of protocols to keep unauthorized users and devices out of a private network, or to grant restricted access only to devices that comply with the network security policy.
- In short, network access control is the act of keeping unauthorized users and devices out of a private network.
- It combines network management and security: it implements security policy, compliance checking, and management of access control to the network.
- NAC works on both wired and wireless networks by identifying the different devices that connect to the network.
Components of a Network Access Control Scheme:

A. Restricted Access: Restricts access to the network through user authentication and authorization controls. For example, a user cannot reach a protected network resource without permission to access it.
B. Network Boundary Protection: Monitors and controls the connectivity of the internal network with external networks. It includes tools such as controlled interfaces (firewalls and gateways), intrusion detection, and anti-virus tools. It is also called perimeter defense.

Types of Network Access Control:

A. Pre-admission: Happens before access to the network is granted, when a user or device first requests to join the network. The NAC evaluates the access attempt and allows it only if the user or device is authorized and compliant with the organization's security policies (for example, running anti-virus and fully patched).
B. Post-admission: Happens inside the network, when an already-admitted user or device attempts to reach other parts of the network. It restricts lateral movement by re-evaluating the device and its authorization for each request to access a different network segment, and it can move a device that has fallen out of compliance into a restricted segment.

Steps to Implement NAC Solutions:

A. Gather Data: Perform an exhaustive survey and collect information about every device, user, and server that has to interface with the network resources.
B. Manage Identities: Verify user identities within the organization through authentication and authorization.
C. Determine Permissions: Create permission policies that state the different access levels for the identified user groups.
D. Apply Permissions: Apply the permission policies to the identified user groups and register each user and device in the NAC system so that its access level and activity within the network can be traced.
E. Update: Monitor security operations and adjust the permission policies as the organization's requirements change over time.
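The five implementation steps above and the pre-admission / post-admission checks from the previous slide, as an added worked example written for this page (it is not code from the lecture or from any NAC product). The group policies, VLAN names, posture checks, users and MAC addresses are all constructed here; the 802.1X/RADIUS credential check that precedes admission is assumed to have already succeeded and is not modelled.

```python
"""Toy NAC decision engine (stdlib only). It walks the five implementation steps:
a device inventory (gather data), an identity directory (manage identities),
per-group policies (determine permissions), device registration (apply
permissions) and posture updates (update), then makes the pre-admission and
post-admission decisions. Everything below is constructed for this example."""
from dataclasses import dataclass
from typing import Dict, Optional, Set

QUARANTINE_VLAN = "remediation"

# Step C, determine permissions: one policy per group. "posture" is the set of
# checks a device must pass before admission, "reach" the segments it may use.
GROUP_POLICY = {
    "employee-laptop": {"vlan": "corp",
                        "posture": {"av_running", "os_patched", "disk_encrypted"},
                        "reach": {"corp", "printers", "internet"}},
    "byod":            {"vlan": "guest",
                        "posture": {"os_patched", "screen_lock"},
                        "reach": {"internet"}},
    "iot-camera":      {"vlan": "iot", "posture": set(), "reach": {"video-server"}},
}

# Step B, manage identities: users the directory knows. Credential checking
# (802.1X / RADIUS) is assumed to have happened before pre_admission() is called.
DIRECTORY = {"alice", "bob"}


@dataclass
class Device:
    mac: str
    owner: str          # "" for unattended devices such as cameras
    group: str
    posture: Set[str]   # facts reported by the endpoint agent or profiler


INVENTORY: Dict[str, Device] = {}   # Steps A and D: surveyed and registered devices
SESSIONS: Dict[str, dict] = {}      # admitted MAC -> {"vlan": ..., "group": ...}


def register_device(mac: str, owner: str, group: str, posture: Set[str]) -> None:
    if group not in GROUP_POLICY:
        raise ValueError(f"no policy for group {group!r}")
    INVENTORY[mac] = Device(mac, owner, group, set(posture))


def update_posture(mac: str, add: Set[str] = frozenset(), remove: Set[str] = frozenset()) -> None:
    """Step E: posture facts change over time (agent heartbeat, rescan)."""
    INVENTORY[mac].posture = (INVENTORY[mac].posture | set(add)) - set(remove)


def pre_admission(mac: str, user: Optional[str]) -> dict:
    """Decide allow / quarantine / deny when a device first asks to join."""
    dev = INVENTORY.get(mac)
    if dev is None:
        return {"decision": "deny", "reason": "unregistered device"}
    if dev.owner and (user not in DIRECTORY or user != dev.owner):
        return {"decision": "deny", "reason": "identity does not match device owner"}
    policy = GROUP_POLICY[dev.group]
    missing = policy["posture"] - dev.posture
    if missing:
        # Non-compliant: admit only to the remediation VLAN and report what to fix.
        SESSIONS[mac] = {"vlan": QUARANTINE_VLAN, "group": dev.group}
        return {"decision": "quarantine", "vlan": QUARANTINE_VLAN, "missing": sorted(missing)}
    SESSIONS[mac] = {"vlan": policy["vlan"], "group": dev.group}
    return {"decision": "allow", "vlan": policy["vlan"]}


def post_admission(mac: str, target: str) -> bool:
    """Re-check an admitted device on every attempt to reach another segment."""
    session = SESSIONS.get(mac)
    if session is None or session["vlan"] == QUARANTINE_VLAN:
        return False
    dev = INVENTORY[mac]
    policy = GROUP_POLICY[dev.group]
    if policy["posture"] - dev.posture:
        # Fell out of compliance after admission (e.g. AV stopped): isolate it.
        session["vlan"] = QUARANTINE_VLAN
        return False
    return target in policy["reach"]


if __name__ == "__main__":
    register_device("aa:bb:cc:00:00:01", "alice", "employee-laptop",
                    {"av_running", "os_patched", "disk_encrypted"})
    register_device("aa:bb:cc:00:00:02", "bob", "byod", {"os_patched"})
    print(pre_admission("aa:bb:cc:00:00:01", "alice"))        # allow, vlan corp
    print(pre_admission("aa:bb:cc:00:00:02", "bob"))          # quarantine, missing screen_lock
    print(post_admission("aa:bb:cc:00:00:01", "printers"))    # True
    update_posture("aa:bb:cc:00:00:01", remove={"av_running"})
    print(post_admission("aa:bb:cc:00:00:01", "printers"))    # False, now quarantined
```

The post-admission check deliberately re-reads the device's posture instead of trusting the decision made at join time; that is what turns a one-off gate into a control on lateral movement.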
Responsibilities:

- It allows only compliant, authenticated devices to access network resources and infrastructure.
- It controls and monitors the activity of connected devices on the network.
- It restricts the availability of an organization's network resources to devices that follow its security policy.
- It regulates users' access to network resources.
- It mitigates network threats by enforcing security policies that block, isolate, and remediate non-compliant machines automatically, without waiting for an administrator to act.

Common Use-Cases:

- Organizations that allow employees to use their own devices (BYOD) or to take corporate devices home use NAC to keep the network secure when those devices reconnect.
- Organizations use NAC to grant access to selected network resources to people or devices outside the organization (contractors, guests, partners), who are subject to different security controls.
- NAC protects against threats from IoT devices by placing them in groups with limited permissions and constantly monitoring their activity.

Access Control in Computer Network

- Access control is a method of limiting access to a system or to physical or virtual resources.
- It is the process by which users are identified and granted certain privileges to systems, resources, or information.
- Access control is a security technique that governs who can view or use resources in a computing environment, and what they can view or do.

What Are the Components of Access Control?

1. Authentication
- Authentication is the initial process of establishing the identity of a user. For example, when a user signs in to their email service or online banking account with a username and password combination, their identity has been authenticated. However, authentication alone is not sufficient to protect an organization's data: it says who the user is, not what they may do.


2. Authorization
- Authorization follows authentication. It specifies the access rights and privileges a verified identity has over resources, and determines whether the user should be granted access to particular data or be allowed to make a specific transaction.
- For example, once an online-banking user is authenticated, authorization decides that they may view and transfer from their own accounts but not from anyone else's.
- Note that two-factor authentication (2FA) strengthens the authentication step, not authorization: the user proves identity with a combination of something they know (such as a password), something they possess (such as a hardware token or a code from an authenticator app on their phone), or something they are (such as a thumbprint scan).


3. Access
- Once a user has passed authentication (identity verified) and authorization (permission confirmed), they are granted access to the resource they are attempting to log in to.
4. Manage
- Organizations manage their access control system by adding and removing the authentication credentials and authorizations of their users and systems (onboarding, role changes, offboarding). Managing these systems becomes complex in modern IT environments that combine cloud services and on-premises systems.
5. Audit
- Organizations enforce the principle of least privilege through the access control audit process: gathering data about user activity and access decisions and analyzing it to discover potential access violations and permissions that are no longer needed.
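The five components above, as an added worked example for a toy online-banking login (written for this page; it is not code from the lecture). Authentication combines a password (something you know) with an RFC 4226 HOTP code from a token or phone app (something you have); authorization is a separate role check that runs only for an authenticated identity; every decision is written to an audit log. The user name, password, token secret and role table are constructed here.

```python
"""Authentication (password + HOTP second factor), authorization and audit for
a toy online-banking service, stdlib only. Users, secrets and roles below are
constructed for this example."""
import hashlib
import hmac
import os
import struct
from typing import Dict, List

USERS: Dict[str, dict] = {}      # constructed in-memory user store
AUDIT_LOG: List[dict] = []       # every authn/authz decision, for later review

# Authorization: role -> set of (resource, action) pairs it may perform.
PERMISSIONS = {
    "customer": {("account", "view"), ("account", "transfer")},
    "auditor":  {("account", "view"), ("audit_log", "read")},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen user table cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register(username: str, password: str, otp_secret: bytes, role: str) -> None:
    """Component 4 (manage): onboarding a user with credentials and a role."""
    salt = os.urandom(16)
    USERS[username] = {"salt": salt, "pw_hash": _hash_password(password, salt),
                       "otp_secret": otp_secret, "otp_counter": 0, "role": role}


def _log(event: str, user: str, ok: bool, detail: str) -> None:
    AUDIT_LOG.append({"event": event, "user": user, "ok": ok, "detail": detail})


def authenticate(username: str, password: str, otp_code: str) -> bool:
    """Component 1: both factors must pass. True only for a verified identity."""
    user = USERS.get(username)
    if user is None:
        _log("authn", username, False, "unknown user")
        return False
    if not hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"]):
        _log("authn", username, False, "bad password")
        return False
    # Accept the current counter or a small look-ahead window (token pressed
    # without logging in), then advance past the used value so the same code
    # cannot be replayed.
    for c in range(user["otp_counter"], user["otp_counter"] + 3):
        if hmac.compare_digest(hotp(user["otp_secret"], c), otp_code):
            user["otp_counter"] = c + 1
            _log("authn", username, True, "password + otp")
            return True
    _log("authn", username, False, "bad or replayed otp")
    return False


def authorize(username: str, resource: str, action: str) -> bool:
    """Component 2: what the already-authenticated identity may do."""
    role = USERS[username]["role"]
    ok = (resource, action) in PERMISSIONS.get(role, set())
    _log("authz", username, ok, f"{action} {resource} as {role}")
    return ok


def access_violations() -> List[dict]:
    """Component 5 (audit): denied decisions, the raw material for a least-privilege review."""
    return [e for e in AUDIT_LOG if not e["ok"]]


if __name__ == "__main__":
    register("alice", "correct horse battery staple", b"12345678901234567890", "customer")
    code = hotp(b"12345678901234567890", 0)          # what alice's token shows now
    print(authenticate("alice", "correct horse battery staple", code))   # True
    print(authenticate("alice", "correct horse battery staple", code))   # False: replay
    print(authorize("alice", "account", "view"))        # True
    print(authorize("alice", "audit_log", "read"))      # False
    print(access_violations())
```

The constructed token secret is the RFC 4226 test key, so the codes can be checked against the RFC's own vectors. Two details matter in practice: the counter moves forward on success so a captured code is useless afterwards, and both comparisons use a constant-time compare so a wrong guess does not leak how close it was.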
Physical Access Control

Access control is used to verify the identity of users attempting to log in to digital resources, but it is also used to grant access to physical buildings and physical devices.
Barroom Bouncers
- Bouncers apply an access control list of sorts: they check IDs to ensure that people entering the bar are of legal age.
Subway Turnstiles
- Access control is used at subway turnstiles to allow only verified people to use the subway system. Subway users scan cards that identify them and verify that they have enough credit to use the service.
Keycard or Badge Scanners in Corporate Offices
- Organizations protect their offices with scanners that enforce entry control: employees must scan a keycard or badge to prove their identity before they can enter the building.

Logical/Information Access Control

- Logical access control uses tools and protocols to identify, authenticate, and authorize users in computer systems. The access control system enforces measures for data, processes, programs, and systems.
Signing Into a Laptop Using a Password
- A common form of data loss is through devices being lost or stolen. Users can keep their personal and corporate data secure by protecting the login with a password; on its own, however, a login password does not protect the data on a stolen disk, so it should be combined with full-disk encryption.
Unlocking a Smartphone With a Thumbprint Scan
- Smartphones can also be protected with access controls that allow only the owner to open the device. Users can secure their smartphones with biometrics, such as a thumbprint scan, to prevent unauthorized access to their devices.
Remotely Accessing an Employer's Internal Network Using a VPN
- A VPN authenticates the remote user (and often the device) before tunnelling their traffic into the internal network, so that only authorized users can reach internal resources from outside the office.
Access Control Models

1. Attribute-based Access Control (ABAC): Access is granted or denied by evaluating a set of rules, policies, and relationships over the attributes of the user, the resource, the system, and environmental conditions (such as time, location, or device state).
2. Discretionary Access Control (DAC): The owner of the data determines who can access specific resources, typically through an access control list attached to each object.
3. History-Based Access Control (HBAC): Access is granted or denied by evaluating the history of activities of the requesting party, including its behaviour, the time between requests, and the content of requests.
4. Identity-Based Access Control (IBAC): Access decisions are tied to the individual identity of the requester rather than to a role or group, which lets network administrators manage activity and access according to individual requirements.

5. Mandatory Access Control (MAC): Access rights are regulated by a central authority on the basis of multiple security levels (classifications and clearances); the owner of a resource cannot override the policy. Security-Enhanced Linux (SELinux) implements MAC on the Linux operating system.
6. Organization-Based Access Control (OrBAC): This model allows the policy designer to define a security policy independently of its implementation, in terms of the organization's roles, activities, and views rather than concrete users and objects.
7. Role-Based Access Control (RBAC): Access is granted according to the user's job role. RBAC removes per-owner discretion at scale when providing access to objects. For example, a human resources specialist should not have permission to create network accounts.
8. Rule-Based Access Control (RAC): This method is largely context-based. An example would be allowing students to use the labs only during a certain time of day.
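Five of the models above (DAC, MAC, RBAC, ABAC and rule-based), each as a small decision function over the same kind of request, so that the differences between them show up in code. This is an added example written for this page, not code from the lecture or from SELinux or any other product; the users, objects, security levels, roles and lab hours are constructed here.

```python
"""Five access control models, each as a decision function (stdlib only).
All subjects, objects, levels and rules are constructed for this example."""
from typing import Dict, Set, Tuple

# --- DAC: the object's owner decides, via an access control list per object. ---
DAC_OBJECTS = {
    "report.docx": {"owner": "alice", "acl": {"alice": {"read", "write"}, "bob": {"read"}}},
}


def dac_grant(requester: str, obj: str, user: str, perm: str) -> bool:
    """Only the owner may change the ACL; anyone else is refused."""
    entry = DAC_OBJECTS[obj]
    if requester != entry["owner"]:
        return False
    entry["acl"].setdefault(user, set()).add(perm)
    return True


def dac_allowed(user: str, obj: str, perm: str) -> bool:
    return perm in DAC_OBJECTS[obj]["acl"].get(user, set())


# --- MAC: a central authority labels subjects (clearance) and objects
# (classification); owners cannot override. The rules are Bell-LaPadula:
# no read up, no write down (a secret-cleared user cannot write into public).
LEVELS = {"public": 0, "confidential": 1, "secret": 2}
CLEARANCE = {"alice": "secret", "bob": "confidential"}
CLASSIFICATION = {"budget.xlsx": "secret", "memo.txt": "public"}


def mac_allowed(user: str, obj: str, perm: str) -> bool:
    s, o = LEVELS[CLEARANCE[user]], LEVELS[CLASSIFICATION[obj]]
    if perm == "read":
        return s >= o
    if perm == "write":
        return s <= o
    return False


# --- RBAC: permissions hang off job roles; users are assigned roles. ---
ROLE_PERMS: Dict[str, Set[Tuple[str, str]]] = {
    "hr_specialist": {("payroll", "read"), ("payroll", "update")},
    "sysadmin":      {("network_account", "create"), ("network_account", "disable")},
}
USER_ROLES = {"carol": {"hr_specialist"}, "dave": {"sysadmin"}}


def rbac_allowed(user: str, obj: str, perm: str) -> bool:
    return any((obj, perm) in ROLE_PERMS[r] for r in USER_ROLES.get(user, set()))


# --- ABAC: one rule over subject, object and environment attributes. ---
def abac_allowed(subject: dict, obj: dict, env: dict) -> bool:
    return (subject["department"] == obj["department"]
            and subject["clearance"] >= obj["sensitivity"]
            and env["network"] == "corp"
            and env["mfa"])


# --- Rule-based: context such as the hour of the day decides. ---
LAB_HOURS = (8, 18)   # students may use the lab from 08:00 up to (not including) 18:00


def rule_allowed(role: str, resource: str, hour: int) -> bool:
    if resource == "lab" and role == "student":
        return LAB_HOURS[0] <= hour < LAB_HOURS[1]
    return role == "staff"


if __name__ == "__main__":
    print(dac_allowed("bob", "report.docx", "write"))      # False until alice grants it
    print(mac_allowed("bob", "budget.xlsx", "read"))       # False: no read up
    print(rbac_allowed("carol", "network_account", "create"))   # False: HR is not sysadmin
    print(rule_allowed("student", "lab", 20))              # False: outside lab hours
```

Note where the decision lives in each model: in the object's ACL (DAC), in labels a central authority assigns (MAC), in the role table (RBAC), in a rule over attributes (ABAC), or in the request's context (rule-based). The same user may be allowed by one model and refused by another.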
The Importance of Access Control

- Access control is a cornerstone of a cybersecurity program. Without the ability to limit access to authorized users, an organization cannot protect the confidentiality, integrity, and availability of its assets.
Effective access control helps an organization to:
I. Minimize security risks and incidents.
II. Prevent data breaches and unauthorized access to sensitive data.
III. Meet regulatory requirements and internal security policies.

Access Control Policy

- An access control policy is a set of general requirements defining how the organization will implement access control. Some elements of an access control policy include:
- Purpose: Defines the goals of the access control policy, including the assets being protected and their security requirements.
- Access Control Model: Defines whether the system will use MAC, DAC, RBAC, or ABAC to manage access.
- Security Enforcement: Specifies the tools and methods that will be used to implement and enforce access control policies.
- Implementation Guides: Provides guidance and best practices for implementing the organization's access control policy.
Access Control Best Practices

Access control is essential to effective cybersecurity. Some best practices for implementing robust access control include:
I. Implement Least Privilege: The principle of least privilege (POLP) states that users, applications, service accounts, etc. should have only the permissions needed for their role. Implementing POLP limits the damage from privilege abuse or a compromised user account.
II. No Shared Accounts: Every user should have their own account on corporate systems, applications, etc. This is essential for controlling access to corporate resources, demonstrating regulatory compliance, and investigating after a security incident has occurred, since actions can then be attributed to one person.

III. Strong Authentication: User authentication is essential to managing access to corporate resources. Implementing multi-factor authentication (MFA) and strong password policies reduces the risk of a compromised account.
IV. Zero Trust: A zero trust security policy states that every access request should be evaluated individually, regardless of where on the network it originates. This enables organizations to implement granular access control for all applications and to monitor and manage every access request.
The End