Cybersecurity Essentials 3.0 - Module 13
Access Control
Module Objectives
Module Title: Access Control
Module Objective: Configure local and server-based access control.
Topic Title: Topic Objective
Access Control Concepts: Explain how access control protects network data.
Account Management: Explain the need for account management and access control strategies.
AAA Usage and Operation: Configure server-based authentication with TACACS+ and RADIUS.
© 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
13.1 Access Controls
Access Controls
Physical Access Controls
• Physical access controls are actual barriers deployed to prevent direct physical contact with
systems.
• The goal is to prevent unauthorized users from gaining physical access to facilities, equipment,
and other organizational assets.
• Logical access controls are technology-based solutions that include tools and protocols that computer systems use for identification, authentication, authorization, and accountability.
Access Controls
Administrative Access Controls in Detail
• The concept of administrative access controls involves three security services: authentication,
authorization, and accounting (AAA).
• These services provide the primary framework to control access, preventing unauthorized access
to a computer, network, database, or other data resource.
• Authentication:
• It verifies the identity of each user, to prevent unauthorized access.
• Users prove their identity with a username or ID.
• In addition, users need to verify their identity by providing one of the following:
• Something they know (such as a password)
• Something they have (such as a token or card)
• Something they are (such as a fingerprint)
• In the case of two-factor authentication, which is increasingly becoming the norm, the system requires a combination of two of the above rather than just one to verify someone’s identity.
Access Controls
Administrative Access Controls in Detail (Cont.)
• Authorization:
• It determines which resources users can access, along with the operations that users can
perform.
• Some systems accomplish this by using an access control list, or an ACL.
• An ACL determines whether a user has certain access privileges once the user
authenticates.
• It can also control when a user has access to a specific resource.
• Accounting:
• It keeps track of what users do — including what they access, the amount of time they
access resources, and any changes they make.
• Cybersecurity accounting services track each data transaction and provide auditing results.
• System administrators can set up computer policies to enable system auditing.
• Cybersecurity accounting tracks and monitors in real time.
• The concept of AAA is like using a credit card that identifies who can use it, how much that user
can spend, and accounts for items or services the user purchased.
Access Controls
What Is Identification?
• Identification enforces the rules established by the authorization policy.
• Every time access to a resource is requested, the access controls determine whether to grant or
deny access.
• A unique identifier ensures the proper association between allowed activities and subjects.
• A unique identifier ensures that a system can identify each user individually, therefore allowing an
authorized user to perform the appropriate actions on a particular resource.
Access Controls
Federated Identity Management
• Federated identity management refers to multiple enterprises that let their users use the same identification credentials to gain access to the networks of all enterprises in the group.
• Unfortunately, this broadens the scope and increases the probability of a cascading effect should
an attack occur.
• A federated identity links a subject’s electronic identity across separate identity management
systems, such as being able to access several websites using the same social login credentials.
• The goal of federated identity management is to share identity information automatically across
castle boundaries.
• From the individual user’s perspective, this means a single sign-on to the web.
• It is imperative that organizations scrutinize the identifying information shared with partners, even
within the same corporate group, for example.
• The sharing of social security numbers, names, and addresses may allow identity thieves the
opportunity to steal this information from a partner to perpetrate fraud.
• The most common way to protect federated identity is to tie login ability to an authorized device.
Access Controls
Authentication Methods
• Users prove their identity with a username or ID and need to verify their identity by providing one of the following.
What you know:
• The terms passphrase, passcode, passkey, and PIN are all generically referred to as password — a string of characters used to prove a user’s identity.
• A password should be at least eight characters and contain a combination of upper and lowercase letters, numbers, and special characters.
• Users need to use different passwords for different systems because if a criminal cracks the user’s password once, the criminal will have access to all the user’s accounts.
Access Controls
Authentication Methods (Cont.)
What you have:
• A smart card is a small plastic card, about the size of a credit card, with a small chip embedded in it that is capable of processing, storing, and safeguarding data.
• In most cases, security key fobs are used for two-factor authentication (2FA), which is much more secure than a username and password combination.
Access Controls
Authentication Methods (Cont.)
Who you are:
• Biometric security compares unique physical characteristics against stored profiles to
authenticate users.
• Implementing biometrics involves a reader or scanning device, software that converts the
scanned information into digital form and a database that has biometric data stored for
comparison.
Access Controls
Multi-Factor Authentication
• Multi-factor authentication uses at least two methods of verification, such as a password plus something you have, for example a security key fob.
• This can be taken a step further by adding something you are, such as a fingerprint scan.
• Multi-factor authentication can reduce the incidence of online identity theft because it means
knowing a password will not give cybercriminals access to a user’s account.
• Note that two-factor authentication (2FA) is a method of multi-factor authentication that entails two
factors, but the two terms are often used interchangeably.
Access Controls
Authorization
Authorization controls what a user can and cannot do on the network after successful authentication.
• After a user proves their identity, the system checks to see what network resources the user
can access and what they can do with the resources.
• The system compares these attributes to the information contained within the authentication
database, determines a set of restrictions for that user, and delivers it to the local device where the
user is connected.
• Authorization is automatic and does not require users to perform additional steps after
authentication.
• System administrators have set the network up to implement authorization immediately after the
user authenticates.
Access Controls
Authorization (Cont.)
Using authorization
• Defining authorization rules is the first step in controlling access.
• A group membership policy defines authorization based on users’ membership in a specific group.
• All employees of an organization may have a swipe card, for example, which provides access to
the premises, but it might not allow access to a server room.
• An authority-level policy defines access permissions based on an employee’s position within the
organization.
Access Controls
Packet Tracer - Configure Access Control
In the following Packet Tracer activity, you will complete the following objectives:
Access Controls
Implementing Accountability
• What is accountability?
• Accountability traces an action back to a person or process making this change to a
system.
• The organization can use this data for such purposes as auditing or billing.
• Implementing accountability
• Implementing accountability consists of technologies, policies, procedures, and
education.
• The organization’s policies and procedures spell out what actions should be recorded
and how the log files are generated, reviewed, and stored.
Access Controls
Implementing Accountability (Cont.)
• Providing accountability
• Data retention, media disposal, and compliance requirements all provide accountability.
• Many laws require the implementation of measures to secure different data types.
• These laws guide an organization on the right way to handle, store, and dispose of data.
Access Controls
Lab - Configure Authentication and Authorization in Linux
In the following Lab, you will complete the following objectives:
13.2 Access Control Concepts
Access Control Concepts
Zero Trust Security
• Zero trust is a comprehensive approach to securing all access across networks, applications,
and environments.
• This approach helps secure access from users, end-user devices, APIs, IoT, microservices,
containers, and more.
• A zero trust security framework helps to prevent unauthorized access, contain breaches, and
reduce the risk of an attacker's lateral movement through a network.
• Traditionally, the network perimeter (edge) was the boundary between inside and outside, or
trusted and untrusted.
• In a zero trust approach, any place at which an access control decision is required should be
considered a perimeter.
• This means that although a user or other entity may have successfully passed access control
previously, they are not trusted to access another area or resource until they are authenticated.
Access Control Concepts
Zero Trust Security (Cont.)
The three pillars of zero trust are workforce, workloads, and workplace.
Access Control Concepts
Access Control Models
• A security analyst should understand the different basic access control models to have a better understanding of how attackers can break the access controls.
• One access control model is the principle of least privilege, which specifies a limited, as-needed approach to granting user and process access rights to specific information and tools.
Access Control Concepts
Access Control Models (Cont.)
Access Control Model: Description
Discretionary access control (DAC): This is the least restrictive model and allows users to control access to their data as owners of that data. DAC may use ACLs or other methods to specify which users or groups of users have access to the information.
Mandatory access control (MAC): This applies the strictest access control and is typically used in military or mission critical applications. It assigns security level labels to information and enables users with access based on their security level clearance.
Role-based access control (RBAC): Access decisions are based on an individual’s roles and responsibilities within the organization. Different roles are assigned security privileges, and individuals are assigned to the RBAC profile for the role. Roles may include different positions, job classifications, or groups of job classifications. Also known as a type of non-discretionary access control.
Attribute-based access control (ABAC): ABAC allows access based on attributes of the object (resource) to be accessed, the subject (user) accessing the resource, and environmental factors regarding how the object is to be accessed, such as time of day.
Rule-based access control (RBAC): Network security staff specify sets of rules or conditions that are associated with access to data or systems. These rules may specify permitted or denied IP addresses, or certain protocols and other conditions. Also known as Rule-Based RBAC.
Time-based access control (TAC): Allows access to network resources based on time and day.
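The following is an added example, not part of the Cisco module: a small policy engine that evaluates one access request against the models in the table above (MAC labels versus clearance, RBAC role permissions, ABAC with time of day as the environmental attribute, and rule-based checks on source IP and protocol). All subjects, labels, roles and rules are constructed sample data.

```python
"""Evaluate an access request against MAC, RBAC, ABAC and rule-based models.
Added illustration with constructed data; not the module's own code."""
from dataclasses import dataclass, field
from datetime import time
from ipaddress import ip_address, ip_network

# MAC: ordered security levels. A subject may read an object only when its
# clearance is at or above the object's label ("no read up").
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# RBAC: each role maps to the operations it is allowed to perform.
ROLE_PERMS = {
    "analyst": {"read"},
    "admin": {"read", "write", "delete"},
}

# Rule-based: rules written by network staff, keyed on source network and
# protocol. First match wins; no match means deny.
RULES = [
    {"net": ip_network("10.0.0.0/8"), "protocols": {"ssh", "https"}, "permit": True},
    {"net": ip_network("0.0.0.0/0"), "protocols": {"telnet"}, "permit": False},
]


@dataclass
class Subject:
    user: str
    clearance: str
    roles: set = field(default_factory=set)


@dataclass
class Request:
    subject: Subject
    object_label: str   # security label on the resource (MAC)
    operation: str      # read / write / delete (RBAC)
    src_ip: str         # where the request comes from (rule-based)
    protocol: str       # how the resource is reached (rule-based)
    at: time            # time of day, an environmental attribute (ABAC)


def mac_allows(req: Request) -> bool:
    # Subject clearance must dominate the object's label.
    return LEVELS[req.subject.clearance] >= LEVELS[req.object_label]


def rbac_allows(req: Request) -> bool:
    # Union of the permissions granted by every role the subject holds.
    allowed = set().union(*(ROLE_PERMS.get(r, set()) for r in req.subject.roles))
    return req.operation in allowed


def rule_allows(req: Request) -> bool:
    src = ip_address(req.src_ip)
    for rule in RULES:
        if src in rule["net"] and req.protocol in rule["protocols"]:
            return rule["permit"]
    return False  # default deny when no rule matches


def abac_allows(req: Request, start: time = time(8, 0), end: time = time(18, 0)) -> bool:
    # Environmental attribute: only during business hours (constructed window).
    return start <= req.at <= end


def decide(req: Request) -> dict:
    """Run every model and grant only if all of them consent."""
    results = {
        "mac": mac_allows(req),
        "rbac": rbac_allows(req),
        "rule": rule_allows(req),
        "abac": abac_allows(req),
    }
    results["allowed"] = all(results.values())
    return results
```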
Access Control Concepts
Network Access Control (NAC) Systems
• NAC systems support access management by enforcing organizational policies regarding the people and devices that are attempting to access the network.
• NAC systems allow cybersecurity professionals to monitor the users and devices that are
attached to the network, and manually control access as required.
Access Control Concepts
Network Access Control (NAC) Systems (Cont.)
• Because BYOD and IoT networking greatly expand the network attack surface,
NAC system automation features make focused control of network access by such devices practical.
• The relevant policies are enacted to permit or deny network access according to a wide range of
factors that the NAC system detects on the devices that are attempting access.
• Without NAC systems it would be impossible for cybersecurity personnel to evaluate the thousands of
devices that could attempt to access the network.
• NAC is an important component of a zero-trust security architecture that enforces security policy
compliance with all devices and users that attempt to access the network.
13.3 Account Management
Account Management
Account Types
• An organization should not share accounts for privileged users, administrators, or
applications.
• The administrator account should only be used to administer a system.
• If a user accesses a malware-infected website or opens a malicious email while using the
administrator account, this would put the organization at risk.
• Administrators must be aware of the default group and user accounts that might be installed
by an operating system.
• Knowing about these accounts will help an administrator decide which should be permitted
and which of these accounts should be disabled.
• Default accounts such as the guest or administrator accounts can be a security risk in older
systems as attackers are familiar with the default settings used.
• To improve security, always replace any default accounts and make sure that all account
types require a password.
Account Management
Account Types (Cont.)
It’s important to properly manage accounts to maintain security.
• On hiring a new employee, create an identity profile, register the employee’s computer and
mobile devices, and enable access to the organization’s network. As the Identity Provider
(IdP), the organization is responsible for authenticating their identity.
• Disable or deactivate any accounts that are no longer needed and retrieve any
organizational data or applications from the user’s devices.
• Grant a user no more access than is necessary to perform assigned tasks (least privilege).
• Review user access to identify any access control adjustments that need to be made.
• Use time of day restrictions to control when a user can log in.
• Use location restrictions to control where a device or user can log in from.
• Geofencing is used to trigger an action when a user enters or exits a geographic
boundary.
• Geolocation identifies a device based on its geographic location.
• Geotagging adds an identifier to something based on the location (like a photo taken
on a smartphone tagged with the coordinates of where the photo was taken).
Account Management
Privileged Accounts
• Cybercriminals target privileged accounts because these are the most powerful accounts in
the organization with elevated, unrestricted access to systems.
• Administrators use these accounts to deploy and manage operating systems, applications, and
network devices.
Account Management
Privileged Accounts (Cont.)
Organizations should adopt robust practices for securing privileged accounts.
• Identify and reduce the number of privileged accounts.
• Enforce the principle of least privilege. The principle means that users, systems,
and processes only have access to resources (networks, systems, and files) that are
necessary to perform their assigned function.
• Revoke access rights when employees leave or change jobs.
• Eliminate shared accounts with passwords that do not expire.
• Secure password storage.
• Eliminate shared credentials for multiple administrators.
• Automatically change privileged account passwords every 30 or 60 days.
• Record privileged sessions.
• Implement a process to change embedded passwords for scripts and service
accounts.
• Log all user activity.
• Generate alerts for unusual behavior.
• Disable inactive privileged accounts.
• Use multi-factor authentication for all administrative access.
• Implement a gateway between the end user and sensitive assets to limit network exposure to malware.
Account Management
File Access Control
• Permissions are rules configured to limit folder or file access for an individual or a group and can
help secure data.
• Users should be limited to only the resources they need on a computer system or network.
• It may be easier to provide access to the entire drive, but it is more secure to limit access to only
the folder they need.
• This is the principle of least privilege and closely connected to the concept of ‘need to know’
access.
• Limiting access to resources also prevents cybercriminals from accessing those resources if the
user’s computer becomes infected.
Account Management
File Access Control (Cont.)
Permission levels available for files and folders
Modify: Users can change and delete existing files and folders but cannot create new ones.
Read and execute: Users can see the contents of existing files and folders and can run
programs in a folder.
Write: Users can create new files and folders and make changes to existing files and folders.
Read: Users can see the contents of a folder and open files and folders.
Account Management
File Access Control (Cont.)
• If an administrator denies an individual or group permissions to a network share, this will override
any other permission settings.
• The user cannot access that share, even if the user is the administrator or part of the
administrator group.
• The local security policy must outline the resources and the type of access allowed for each user
and group.
• After parent folder permissions have been set, folders and files created inside the parent folder
inherit its permissions.
• The location of data and the action performed on it also determine the permission propagation:
• Data moved to the same volume will keep the original permissions.
• Data copied to the same volume will inherit new permissions.
• Data moved to a different volume will inherit new permissions.
• Data copied to a different volume will inherit new permission.
Account Management
Account Policies in Windows
• In most networks that use Windows computers, an administrator configures Active Directory with
domains on a Windows server.
• Windows computers that join the domain become domain members.
• The administrator configures a domain security policy that applies to all domain members.
• When a computer is not part of an Active Directory domain, the user configures policies through
Windows Local Security Policy.
• In all versions of Windows except Home edition, enter ‘secpol.msc’ at the Run command to open
the Local Security Policy tool.
• Audit Policies
• More security settings are available by selecting the ‘local policies’ folder in Windows.
• An audit policy creates a security log file used to track the following events:
• Account logon events
• Audit account management
• Directory service access
• Object access
• Policy changes
• Privilege use
• Process tracking
• System events
Account Management
Authentication Management
• Authentication and authorization issues include unencrypted credentials, incorrect permissions,
and access violations.
• Authentication management aims to ensure secure sign in while still providing ease of use:
• A Single Sign On (SSO) solution allows the user to use one set of login credentials to
authenticate across multiple applications. This way, the user only needs to remember one
strong password.
• OAuth is a standard that enables a user’s account information to be used by third-party
services such as Facebook or Google.
• A password vault can protect and store the user’s credentials with a single strong
password required to access them.
• Many organizations implement Knowledge-Based Authentication (KBA) to provide a
password reset should a user forget their password. KBA is based on personal information
known by the user or a series of questions.
Account Management
Hash-Based Message Authentication Code (HMAC)
• HMAC uses an encryption key with a hash function to authenticate a web user.
• Using HMAC, the user sends a private key identifier and an HMAC.
• The server looks up the user’s private key and creates an HMAC.
• The user’s HMAC must match the one calculated by the server.
• Many web services use basic authentication, which does not encrypt the username and
password during transmission.
• VPNs using IPsec rely on HMAC functions to authenticate the origin of every packet and provide
data integrity checking.
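The exchange described above, as an added example that is not part of the Cisco module: the client sends a key identifier and an HMAC over the request, the server looks up the shared secret for that identifier, recomputes the HMAC and compares it in constant time. The key store, header names, canonical string layout and timestamp window are all constructed for this example.

```python
"""HMAC request authentication: client signs, server verifies.
Added illustration with constructed key store; not the module's own code."""
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Server-side key store: key identifier -> shared secret (constructed sample).
KEY_STORE: Dict[str, bytes] = {"user-42": b"constructed-shared-secret-do-not-reuse"}
MAX_SKEW = 300  # seconds; limits how long a captured signature stays valid


def canonical_string(method: str, path: str, ts: int, body: bytes) -> bytes:
    # Everything the server must trust is bound into the signed string, so a
    # change to the method, path, timestamp or body invalidates the HMAC.
    body_digest = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{ts}\n{body_digest}".encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str,
                 body: bytes, ts: Optional[int] = None) -> Dict[str, str]:
    """Client side: build the headers carrying key id, timestamp and HMAC."""
    ts = int(time.time()) if ts is None else ts
    mac = hmac.new(secret, canonical_string(method, path, ts, body), hashlib.sha256)
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": mac.hexdigest()}


def verify_request(headers: Dict[str, str], method: str, path: str, body: bytes,
                   now: Optional[int] = None) -> Tuple[bool, str]:
    """Server side: look up the secret, recompute the HMAC, compare safely."""
    now = int(time.time()) if now is None else now
    secret = KEY_STORE.get(headers.get("X-Key-Id", ""))
    if secret is None:
        return False, "unknown key id"
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_SKEW:
        return False, "timestamp outside allowed window"
    expected = hmac.new(secret, canonical_string(method, path, ts, body),
                        hashlib.sha256).hexdigest()
    # compare_digest does not short-circuit, so timing does not reveal how
    # many leading characters of a guessed signature were correct.
    if not hmac.compare_digest(expected, headers.get("X-Signature", "")):
        return False, "signature mismatch"
    return True, "ok"
```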
Account Management
Authentication Protocols and Technologies
• The word ‘entity’ can refer to any device or system within an organization.
• A protocol outlines the type of information that needs to be shared to authenticate and
connect.
Account Management
Authentication Protocols and Technologies (Cont.)
Extensible Authentication Protocol (EAP): A password from the client is sent using a hash to the authentication server. The authentication server has a certificate (the client does not need a certificate).
Password Authentication Protocol (PAP): A username and password are sent to a remote access server in plaintext. Most network operating system remote servers support PAP.
Challenge Handshake Authentication Protocol (CHAP): It validates the identity of remote clients using a one-way hashing function created by the client. The service also calculates the expected hash value. The server (the authenticator) compares the two values. If the values match, transmission continues.
802.1X: An organization authenticates your identity and authorizes access to the network. Your identity is determined based on credentials or a certificate which is confirmed by a RADIUS server.
Kerberos: It uses strong encryption, requesting a client to prove its identity to a server, with the server in turn authenticating itself to the client.
Account Management
Applications of Cryptographic Hash Functions
• Cryptographic hash functions help us to ensure data integrity and verify authentication.
• When choosing a hashing algorithm, use SHA-256 or higher, as they are currently the most
secure. Avoid SHA-1 and MD5 due to security flaws that have been discovered.
Account Management
Access Control Strategies
Mandatory access control: It restricts the actions that a user can perform on an object (a file, a port or a device). An authorization rule enforces whether a user can access the object. Organizations use it where different levels of security classifications exist. Every object has a label, and every user has a clearance. Its system restricts a user based on the security classification of the object and the label attached to the user.
Discretionary access control: In systems that employ them, the owner of an object can decide which users can access that object and what specific access they may have. Permissions and access control lists can be used to implement it. The owner of a file can specify what permissions (read, write, or execute) other users may have. An ACL uses rules to determine what traffic can enter or exit a network.
Role-based access control: It depends on the role or job function of the user. It can work in combination with discretionary access controls or mandatory access controls by enforcing the policies of either one. It helps to implement security administration in large organizations with hundreds of users and thousands of possible permissions.
Rule-based access control: It uses ACLs to help determine whether to grant access. A series of rules is contained in the ACL and the decision to grant access depends on these rules. As with mandatory access control, users cannot change the access rules. Organizations can combine rule-based access control with other strategies for implementing access restrictions.
13.4 AAA usage and operation
AAA usage and operation
AAA Operation
• A network must be designed to control who is allowed to connect to it and what they are
allowed to do when they are connected.
• These design requirements are identified in the network security policy.
• The policy specifies how network administrators, corporate users, remote users, business
partners, and clients access network resources.
• The network security policy can also mandate the implementation of an accounting system that
tracks who logged in, when, and what they did while logged in.
• The Authentication, Authorization, and Accounting (AAA) protocol provides the necessary
framework to enable scalable access security.
• The three independent security functions provided by the AAA architectural framework
are authentication, authorization, and accounting.
• This concept is like the use of a credit card.
• The credit card identifies who can use it, how much that user can spend, and keeps
account of what items the user spent money on.
AAA usage and operation
AAA Operation (Cont.)
The three independent security functions provided by the AAA architectural framework:
AAA Component: Description
Authentication: Users and administrators must prove that they are who they say they are. Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods. AAA authentication provides a centralized way to control access to the network.
Authorization: After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform. An example is “User ‘student’ can access host server XYZ using SSH only.”
Accounting: Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made. Accounting keeps track of how network resources are used. An example is "User ‘student’ accessed host server XYZ using SSH for 15 minutes."
AAA usage and operation
AAA Authentication
• AAA Authentication can be used to authenticate users for administrative access or remote network
access.
• Centralized AAA is more scalable and manageable than local AAA authentication and it is the preferred
AAA implementation.
• A centralized AAA system may independently maintain databases for authentication, authorization, and accounting.
• It can leverage Active Directory or LDAP for user authentication and group membership, while maintaining its own authorization and accounting databases.
• Devices communicate with the centralized AAA server using either the RADIUS or TACACS+ protocols.
AAA usage and operation
AAA Authentication (Cont.)
The table lists the differences between the two protocols.
Functionality
TACACS+: It separates authentication, authorization, and accounting functions according to the AAA architecture, allowing modularity of the security server implementation.
RADIUS: It combines authentication and authorization but separates accounting, allowing less flexibility in implementation than TACACS+.
AAA usage and operation
AAA Accounting Logs (Cont.)
The table displays the various types of accounting information that can be collected:
Type of Accounting Information: Description
Network Accounting: It captures information for all PPP sessions, including packet and byte counts.
Connection Accounting: It captures information about all outbound connections made from the AAA client, such as by SSH.
EXEC Accounting: It captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address.
System Accounting: It captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off).
Command Accounting: It captures information about the EXEC shell commands for a specified privilege level, as well as the date and time each command was executed, and the user who executed it.
Resource Accounting: The Cisco implementation of AAA accounting captures “start” and “stop” record support for connections that have passed user authentication. The additional feature of generating “stop” records for connections that fail to authenticate as part of user authentication is also supported.
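As an added example (not from the Cisco module), the following reconciles "start" and "stop" accounting records like those described above into per-session summaries of the form used earlier in this module ("User 'student' accessed host server XYZ using SSH for 15 minutes"), and flags sessions that never produced a "stop" as well as "stop" records with no matching "start" (for example, connections that failed authentication). The key=value record layout and the sample records are constructed for this example; real TACACS+ and RADIUS servers write logs in their own formats.

```python
"""Reconcile AAA accounting start/stop records into session summaries.
Added illustration with constructed records; not the module's own code."""
from datetime import datetime
from typing import Dict, List

# Constructed accounting records (not taken from any real server).
SAMPLE_RECORDS = """\
2024-03-01T09:00:00 type=start task_id=17 user=student service=shell host=XYZ protocol=ssh
2024-03-01T09:15:00 type=stop  task_id=17 user=student service=shell host=XYZ protocol=ssh
2024-03-01T09:20:00 type=start task_id=18 user=admin service=shell host=XYZ protocol=ssh
2024-03-01T09:21:00 type=stop  task_id=19 user=guest service=shell host=XYZ protocol=ssh reason=auth_fail
"""


def parse_record(line: str) -> Dict[str, object]:
    """Split one record into a timestamp plus key=value fields."""
    ts, *fields = line.split()
    rec: Dict[str, object] = {"timestamp": datetime.fromisoformat(ts)}
    for f in fields:
        k, _, v = f.partition("=")
        rec[k] = v
    return rec


def reconcile(text: str) -> Dict[str, List[dict]]:
    """Pair start and stop records by task_id.

    Returns completed sessions with their duration, starts that are still open
    (no stop seen), and stops that had no start (failed-authentication stops).
    """
    starts: Dict[str, dict] = {}
    sessions: List[dict] = []
    failed: List[dict] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        key = str(rec["task_id"])
        if rec["type"] == "start":
            starts[key] = rec
        elif rec["type"] == "stop":
            start = starts.pop(key, None)
            if start is None:
                # Stop without a start: the connection never passed authentication.
                failed.append(rec)
                continue
            minutes = (rec["timestamp"] - start["timestamp"]).total_seconds() / 60
            sessions.append({
                "user": start["user"],
                "host": start["host"],
                "protocol": start["protocol"],
                "minutes": minutes,
            })
    return {"sessions": sessions, "open": list(starts.values()), "failed": failed}


def describe(session: dict) -> str:
    """Render a session in the wording used by the module's accounting example."""
    return (f"User '{session['user']}' accessed host server {session['host']} "
            f"using {session['protocol'].upper()} for {session['minutes']:.0f} minutes.")
```

Open sessions and unmatched stops are the records worth reviewing first, since they indicate a session that is still live or a login that never succeeded.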
AAA usage and operation
Packet Tracer - Configure Server-Based Authentication with TACACS+
and RADIUS
In this Packet Tracer activity, you will complete the following objectives:
13.5 Access Control Summary
Access Control Summary
What Did I Learn in this Module?
• Physical access controls are actual barriers deployed to prevent direct physical contact with systems.
• Logical access controls are hardware and software solutions used to manage access resources and systems.
• Administrative access controls involve three security services: authentication, authorization, and accounting.
• Identification enforces the rules established by the authorization process.
• Authorization controls what a user can and cannot do on the network after successful authentication.
• Accountability traces an action back to a person or process making the change to the system.
• The CIA triad consists of confidentiality, integrity, and availability.
• Zero trust is a comprehensive approach to securing all access across networks, applications, and environments.
• Access control methods include DAC, MAC, RBAC (role-based), ABAC, RBAC (rule-based), and TAC.
• Privilege escalation is a common exploit where vulnerabilities in servers or access control systems are exploited to grant
access to an unauthorized user or software process.
• Account types can include administrator accounts, user accounts, service accounts, and guest accounts.
• Permission levels can be assigned to files and folders to include full control, modify, read and execute, write, and read.
• Robust practices for securing privileged accounts must be taken because they are often the target of cybercriminals.
Access Control Summary
What Did I Learn in this Module?
• Authentication management aims to ensure secure sign in while still providing ease of use.
• HMAC uses an encryption key with a hash function to authenticate a web user.
• An authentication protocol authenticates data between two entities to prevent unauthorized access.
• A network must be designed to control who is allowed to connect to it and what they are allowed to do when they are
connected.
• AAA systems provide the necessary framework to enable scalable security.
• AAA authentication can be used to authenticate users for local access, or it can be used to authenticate users for remote
network access.
• Cisco provides two common methods of implementing AAA services: Local AAA Authentication and Server-based AAA
Authentication.
• Centralized AAA is more scalable and manageable than local AAA and is the preferred AAA implementation.
• A centralized AAA system can leverage Active Directory or LDAP for user authentication and group membership, while
maintaining its own authorization and accounting databases.
• Devices communicate with the centralized AAA server using the RADIUS or TACACS+ protocols.
• Centralized AAA also enables the use of the accounting method that reports usage data in AAA logs.
• Various types of accounting information that can be collected are network accounting, connection accounting, EXEC accounting, system accounting, command accounting, and resource accounting.