Chapter 5

Network Access Control


and Cloud Security

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.


Network Access Control (NAC)
• An umbrella term for managing access to a network
• Authenticates users logging into the network and determines what data they can access and actions they can perform
• Also examines the health of the user's computer or mobile device

NAC systems deal with three categories of components:

Access requester (AR)
• Node that is attempting to access the network and may be any device that is managed by the NAC system, including workstations, servers, printers, cameras, and other IP-enabled devices
• Also referred to as supplicants, or clients

Policy server
• Determines what access should be granted
• Often relies on backend systems

Network access server (NAS)
• Functions as an access control point for users in remote locations connecting to an enterprise's internal network
• Also called a media gateway, remote access server (RAS), or policy server
• May include its own authentication services or rely on a separate authentication service from the policy server
Network Access Enforcement Methods
• The actions that are applied to ARs to regulate access to the enterprise network
• Many vendors support multiple enforcement methods simultaneously, allowing the customer to tailor the configuration by using one or a combination of methods

Common NAC enforcement methods:
• IEEE 802.1X
• Virtual local area networks (VLANs)
• Firewall
• DHCP management
Network Access Enforcement Methods
IEEE 802.1X: This is a link layer protocol that enforces authorization before a port is assigned an IP address. Until authentication succeeds, the switch or access-point port forwards only EAPOL frames, so an unauthenticated AR cannot even reach a DHCP server. IEEE 802.1X makes use of the Extensible Authentication Protocol for the authentication process.

Virtual local area networks (VLANs): In this approach, the enterprise network, consisting of an interconnected set of LANs, is segmented logically into several virtual LANs. The NAC system decides to which of the network's VLANs it will direct an AR, based on whether the device needs security remediation, Internet access only, or some level of network access to enterprise resources.

Network Access Enforcement Methods
Firewall: A firewall provides a form of NAC by allowing or denying network traffic between an enterprise host and an external user. Firewalls are discussed in Chapter 12.

DHCP management: The Dynamic Host Configuration Protocol (DHCP) is an Internet protocol that enables dynamic allocation of IP addresses to hosts. A NAC-controlled DHCP server intercepts DHCP requests and assigns IP addresses instead, typically placing a host that has not passed policy checks in a restricted subnet. NAC enforcement thus occurs at the IP layer based on subnet and IP assignment. A DHCP server is easy to install and configure, but is subject to various forms of IP spoofing (a host that configures a static address simply bypasses the DHCP-assigned placement), so it provides only limited security.
Extensible Authentication Protocol
• The Extensible Authentication Protocol (EAP), defined in RFC 3748
• EAP provides a set of protocol messages that can encapsulate various authentication methods to be used between a client and an authentication server.
• EAP can operate over network and link level facilities, including point-to-point links, LANs, and other networks
Authentication Methods Cont.
• EAP provides a generic transport service
for the exchange of authentication
information between a client system and
an authentication server
• The basic EAP transport service is
extended by using a specific
authentication protocol that is installed in
both the EAP client and the authentication
server
EAP as extensible: Supports multiple
authentication methods
Authentication Methods Cont.
EAP-TLS (EAP Transport Layer Security): EAP-TLS (RFC 5216) defines how the TLS protocol (described in Chapter 6) can be encapsulated in EAP messages. EAP-TLS uses the handshake protocol in TLS, not its encryption method.

• Client and server authenticate each other using digital certificates.
• Client generates a pre-master secret key by encrypting a random number with the server's public key and sends it to the server. (This describes the RSA key-exchange variant of TLS 1.2; with (EC)DHE cipher suites, and in TLS 1.3, the shared secret comes from an ephemeral Diffie-Hellman exchange instead of RSA encryption.)
• Both client and server use the pre-master to generate the same secret key. EAP-TLS then derives its exported keying material (the MSK and EMSK) from that TLS master secret, and the authentication server hands the MSK to the authenticator so that the authenticator can protect the link without having taken part in the TLS handshake.
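The key derivation summarised above, worked through in code. This is an added example, not code from the textbook or from any EAP-TLS implementation: it implements the TLS 1.2 PRF (RFC 5246, P_SHA256) and the RFC 5216 rule that Key_Material = TLS-PRF-128(master_secret, "client EAP encryption", client.random || server.random), with the MSK as the first 64 octets and the EMSK as the next 64. The pre-master secret and the two randoms are constructed test values; a real exchange takes them from the TLS handshake carried inside the EAP-TLS messages.

```python
"""EAP-TLS key derivation (RFC 5216 section 2.3) on top of the TLS 1.2 PRF
(RFC 5246 section 5, P_SHA256).  Added example, not textbook code.
"""
import hashlib
import hmac


def p_hash(secret, seed, length):
    """P_SHA256: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) || seed) || HMAC(secret, A(2) || seed) || ..."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label || seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random || ServerHello.random)[0..47]"""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def eap_tls_keys(master, client_random, server_random):
    """RFC 5216: Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
    client.random || server.random); MSK = octets 0..63, EMSK = octets 64..127."""
    key_material = tls12_prf(master, b"client EAP encryption",
                             client_random + server_random, 128)
    return key_material[:64], key_material[64:128]


def derive_side(pre_master, client_random, server_random):
    """What each side computes once the TLS handshake completes: (master_secret, MSK, EMSK)."""
    master = master_secret(pre_master, client_random, server_random)
    msk, emsk = eap_tls_keys(master, client_random, server_random)
    return master, msk, emsk


# Constructed handshake values (fixed so the run is reproducible; not from any real session)
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(46)      # 48-octet RSA-style pre-master: version || random


def demo():
    """Peer and server derive identical keys; a different ServerHello.random changes them."""
    peer = derive_side(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    server = derive_side(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    other = derive_side(PRE_MASTER, CLIENT_RANDOM, bytes(32))
    return {"same_msk": peer[1] == server[1], "msk_len": len(peer[1]),
            "emsk_len": len(peer[2]), "differs_with_other_random": peer[1] != other[1]}


if __name__ == "__main__":
    master, msk, emsk = derive_side(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master_secret:", master.hex())
    print("MSK          :", msk.hex())
    print("EMSK         :", emsk.hex())
```

The point to take from the run is that only the two TLS endpoints (peer and authentication server) can compute the MSK; the authenticator receives it from the server over the AAA channel (in RADIUS deployments, in the MS-MPPE key attributes) and never sees the TLS secrets themselves.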
Authentication Methods Cont.
EAP-TTLS (EAP Tunneled TLS): EAP-TTLS is like EAP-TLS, except only the server has a certificate to authenticate itself to the client first. As in EAP-TLS, a secure connection (the "tunnel") is established with secret keys, but that connection is used to continue the authentication process by authenticating the client and possibly the server again using any EAP method or legacy method such as PAP (Password Authentication Protocol) and CHAP (Challenge-Handshake Authentication Protocol).

EAP-TTLS is defined in RFC 5281.
Authentication Methods Cont.
• EAP-GPSK (EAP Generalized Pre-Shared Key): EAP-GPSK, defined in RFC 5433, is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). EAP-GPSK specifies an EAP method based on pre-shared keys and employs secret key-based cryptographic algorithms.
• The set up of these pairwise secret keys is part of the peer registration and must satisfy the system preconditions.
• It provides a protected communication channel when mutual authentication is successful for both parties to communicate over and is designed for authentication over insecure networks such as IEEE 802.11.
Authentication Methods Cont.

EAP-IKEv2: It is based on the Internet Key Exchange protocol version 2 (IKEv2), which is described in Chapter 9. It supports mutual authentication and session key establishment using a variety of methods.

EAP-IKEv2 is defined in RFC 5106.
Authentication Methods Cont.

EAP Exchanges
Whatever method is used for authentication, the authentication
information and authentication protocol information are carried in EAP
messages.

In the context of RFC 3748, successful authentication is an exchange of


EAP messages, as a result of which the authenticator decides to allow
access by the peer, and the peer decides to use this access.

The authenticator’s decision typically involves both authentication and


authorization aspects; the peer may successfully authenticate to the
authenticator, but access may be denied by the authenticator due to
policy reasons.
EAP Exchanges

The following components are involved:

■■ EAP peer: Client computer that is attempting to access a network.
■■ EAP authenticator: An access point or NAS that requires EAP authentication prior to granting access to a network.
■■ Authentication server: A server computer that negotiates the use of a specific EAP method with an EAP peer, validates the EAP peer's credentials, and authorizes access to the network. Typically, the authentication server is a Remote Authentication Dial-In User Service (RADIUS) server.

EAP Exchanges

EAP messages containing the appropriate information for a chosen EAP method are then exchanged between the EAP peer and the authentication server.

EAP messages may include the following fields:

■■ Code: Identifies the type of EAP message. The codes are Request (1), Response (2), Success (3), and Failure (4).
■■ Identifier: Used to match Responses with Requests.
■■ Length: Indicates the length, in octets, of the EAP message, including the Code, Identifier, Length, and Data fields.
■■ Data: Contains information related to authentication. Typically, the Data field consists of a Type subfield, indicating the type of data carried, and a Type-Data field.

The authentication server functions as a backend server that can authenticate peers as a service to a number of EAP authenticators. The EAP authenticator then makes the decision of whether to grant access. This is referred to as the EAP pass-through mode.
Table 5.1 Terminology Related to IEEE 802.1X

IEEE 802.1X Port-Based Network Access Control was designed to provide access control functions for LANs. Table 5.1 briefly defines key terms used in the IEEE 802.1X standard. The terms supplicant, network access point, and authentication server correspond to the EAP terms peer, authenticator, and authentication server.
The EAP Authentication Exchange
The EAP authentication exchange proceeds as follows.

• After a lower-level exchange that established the need for an EAP exchange, the
authenticator sends a Request to the peer to request an identity, and the peer
sends a Response with the identity information.

• This is followed by a sequence of Requests by the authenticator and Responses by


the peer for the exchange of authentication information.

• The information exchanged and the number of Request–response exchanges


needed depend on the authentication method.

• The conversation continues until either (1) the authenticator determines that it
cannot authenticate the peer and transmits an EAP Failure or (2) the authenticator
determines that successful authentication has occurred and transmits an EAP
Success.
EAPOL packet
• The EAPOL (EAP over LAN) packet format includes the following fields:
• Protocol version: version of EAPOL.
• Packet type: indicates start, EAP, key, logoff, etc.
• Packet body length: If the packet includes a body, this field indicates the body length.
• Packet body: The payload for this EAPOL packet. An example is an EAP packet.
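The EAP message format, the EAPOL framing and the Request/Response conversation described in the preceding slides, as one runnable example. This is an added example, not code from the textbook or from any 802.1X implementation. It encodes and parses EAP messages (Code, Identifier, Length, Type, Type-Data) and EAPOL frames (version, packet type, body length, body), then simulates the exchange: EAPOL-Start, Identity Request/Response, a few method rounds, and a final Success or Failure. The method rounds are a constructed stand-in (SHA-256 over secret and challenge) rather than a real EAP method, and the Type number used for them is only a placeholder.

```python
"""EAPOL framing, EAP message encoding/parsing and a simulated 802.1X exchange.
Added example, not textbook code; the method rounds are a constructed stand-in."""
import hashlib
import struct

# EAP Codes (RFC 3748)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_METHOD = 4                  # placeholder Type for the constructed method rounds

# EAPOL header (IEEE 802.1X): Protocol version | Packet type | Packet body length
EAPOL_VERSION = 2
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Code | Identifier | Length | [Type | Type-Data]; Length covers the whole message."""
    data = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eap(packet):
    """Decode an EAP message; a Length that does not fit the received bytes is rejected."""
    if len(packet) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field invalid")
    body = packet[4:length]
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return {"code": code, "identifier": identifier, "type": None, "type_data": b""}
    if not body:
        raise ValueError("Request/Response without Type")
    return {"code": code, "identifier": identifier, "type": body[0], "type_data": body[1:]}


def build_eapol(packet_type, body=b""):
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body


def parse_eapol(frame):
    """Return (version, packet_type, body); for an EAP-Packet frame the body is an EAP message."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if body_len > len(frame) - 4:
        raise ValueError("EAPOL body length exceeds frame")
    return version, packet_type, frame[4:4 + body_len]


def method_answer(secret, challenge):
    # Constructed stand-in for a real EAP method's response computation.
    return hashlib.sha256(secret + challenge).digest()


def run_exchange(peer_identity, peer_secret, server_secret, rounds=2):
    """Simulate the conversation; returns (final EAP Code, [(sender, EAPOL frame), ...]).
    The authenticator is in pass-through mode: the method rounds are checked against
    server_secret, which only the authentication server holds."""
    log = []
    ident = 0

    def send(who, packet_type, eap=b""):
        frame = build_eapol(packet_type, eap)
        log.append((who, frame))
        return parse_eapol(frame)[2]          # receiver re-parses the wire bytes

    send("peer", EAPOL_START)                 # lower-level trigger for the EAP exchange
    req = parse_eap(send("authenticator", EAPOL_EAP_PACKET,
                         build_eap(EAP_REQUEST, ident, EAP_TYPE_IDENTITY)))
    resp = parse_eap(send("peer", EAPOL_EAP_PACKET,
                          build_eap(EAP_RESPONSE, req["identifier"], EAP_TYPE_IDENTITY,
                                    peer_identity.encode())))
    identity = resp["type_data"].decode()
    for _ in range(rounds):                   # each Response must echo its Request's Identifier
        ident = (ident + 1) & 0xFF
        challenge = hashlib.sha256(identity.encode() + bytes([ident])).digest()[:16]
        req = parse_eap(send("authenticator", EAPOL_EAP_PACKET,
                             build_eap(EAP_REQUEST, ident, EAP_TYPE_METHOD, challenge)))
        resp = parse_eap(send("peer", EAPOL_EAP_PACKET,
                              build_eap(EAP_RESPONSE, req["identifier"], EAP_TYPE_METHOD,
                                        method_answer(peer_secret, req["type_data"]))))
        if resp["identifier"] != ident or resp["type_data"] != method_answer(server_secret, challenge):
            send("authenticator", EAPOL_EAP_PACKET, build_eap(EAP_FAILURE, ident))
            return EAP_FAILURE, log
    send("authenticator", EAPOL_EAP_PACKET, build_eap(EAP_SUCCESS, ident))
    return EAP_SUCCESS, log


if __name__ == "__main__":
    outcome, frames = run_exchange("alice@example.test", b"peer-pw", b"peer-pw")
    print("outcome:", "Success" if outcome == EAP_SUCCESS else "Failure")
    for who, frame in frames:
        print(f"{who:>13}: {frame.hex()}")
```

Printing the frames makes the layering visible: every EAP message sits inside a 4-byte EAPOL header, the Identity Response carries the identity in clear (which is why tunnelled methods such as EAP-TTLS send an anonymous outer identity), and the Identifier in each Response must match the outstanding Request or the authenticator treats the round as failed.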
Cloud Computing
• NIST defines cloud computing, in NIST SP-800-145 (The
NIST Definition of Cloud Computing ), as follows:
“A model for enabling ubiquitous, convenient, on-
demand network access to a shared pool of
configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal
management effort or service provider interaction. This
cloud model promotes availability and is composed of
five essential characteristics, three service
models, and four deployment models.”
The cloud computing elements (shown in the slide's figure, which is not reproduced here) can be broken down into three categories: service models, deployment models, and essential characteristics.
•Service models define the type of service a cloud provider offers. The
three main service models are:
• Infrastructure as a Service (IaaS): IaaS provides the basic
building blocks of cloud computing, like storage, servers and
networking. Users have control over the operating system and
everything above it.
• Platform as a Service (PaaS): PaaS provides a platform for
developing, deploying, and managing applications. Users have
control over the deployed applications and configurations, but not
the underlying infrastructure.
• Software as a Service (SaaS): SaaS is a complete software
solution delivered over the internet. Users access the software
application through a web browser or API.
•Deployment models define the location of the cloud service. The four
main deployment models are:
• Public cloud: A public cloud is owned and operated by a cloud
service provider and delivers services to the general public over
the internet.
• Private cloud: A private cloud is for the exclusive use of a single
organization. It can be located on-premises or hosted by a third-
party service provider.
• Community cloud: A community cloud is shared by a group of
organizations that have a shared interest.
• Hybrid cloud: A hybrid cloud combines two or more deployment
models, such as a public cloud and a private cloud.
•Essential characteristics are the five key properties that define cloud
computing:
• On-demand self-service: Users can provision and configure
cloud computing resources without needing to interact with a cloud
provider’s sales team.
• Broad network access: Cloud computing services are available
Cloud Computing Reference
Architecture
• NIST SP 500-292 (NIST Cloud Computing Reference Architecture )
establishes a reference architecture, described as follows:

“The NIST cloud computing reference architecture focuses on the


requirements of “what” cloud services provide, not a “how to”
design solution and implementation. The reference architecture
is intended to facilitate the understanding of the operational
intricacies in cloud computing. It does not represent the system
architecture of a specific cloud computing system; instead it is a
tool for describing, discussing, and developing a system-specific
architecture using a common framework of reference.”
Cloud provider (CP)
• Can provide one or more of the cloud services to meet IT and business requirements of cloud consumers
• For each of the three service models (SaaS, PaaS, IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers
• For SaaS, the CP deploys, configures, maintains, and updates the operation of the software applications on a cloud infrastructure so that the services are provisioned at the expected service levels to cloud consumers
• For PaaS, the CP manages the computing infrastructure for the platform and runs the cloud software that provides the components of the platform, such as runtime software execution stack, databases, and other middleware components
• For IaaS, the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure
Roles and Responsibilities

Cloud carrier
• A networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs

Cloud auditor
• An independent entity that can assure that the CP conforms to a set of standards

Cloud broker
• Useful when cloud services are too complex for a cloud consumer to easily manage
• Three areas of support can be offered by a cloud broker:
• Service intermediation: value-added services such as identity management, performance reporting, and enhanced security
• Service aggregation: the broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost
• Service arbitrage: a broker has the flexibility to choose services from multiple agencies


Cloud Security Risks and
Countermeasures
• The Cloud Security Alliance [CSA10]
lists the following as the top cloud
specific security threats, together with
suggested countermeasures:
Abuse and nefarious use of cloud
computing
• Countermeasures: stricter initial registration and validation
processes; enhanced credit card fraud monitoring and
coordination; comprehensive introspection of customer network
traffic; monitoring public blacklists for one’s own network blocks

Malicious insiders
• Countermeasures: enforce strict supply chain management and
conduct a comprehensive supplier assessment; specify human
resource requirements as part of legal contract; require
transparency into overall information security and management
practices, as well as compliance reporting; determine security
breach notification processes
Risks and Countermeasures (continued)

Insecure interfaces and APIs
• Countermeasures: analyzing the security model of CP (cloud provider) interfaces; ensuring that strong authentication and access controls are implemented in concert with encrypted transmission; understanding the dependency chain associated with the API

Shared technology issues
• Countermeasures: implement security best practices for installation/configuration; monitor environment for unauthorized changes/activity; promote strong authentication and access control for administrative access and operations; enforce SLAs for patching and vulnerability remediation; conduct vulnerability scanning and configuration audits

Data loss or leakage
• Countermeasures: implement strong API access control; encrypt and protect integrity of data in transit; analyze data protection at both design and run time; implement strong key generation, storage and management, and destruction practices
Risks and
Countermeasures
(continued)
• Account or service hijacking
• Countermeasures: prohibit the sharing of
account credentials between users and
services; leverage strong two-factor
authentication techniques where
possible; employ proactive monitoring to
detect unauthorized activity; understand
CP security policies and SLAs
• Unknown risk profile
• Countermeasures: disclosure of
applicable logs and data; partial/full
disclosure of infrastructure details;
monitoring and alerting on necessary
information
Table 5.3

NIST Guidelines on
Security and
Privacy Issues
and
Recommendations
(page 1 of 2)

(Table can be found on


Pages 163-164 in textbook)
1.Governance
Extend organizational practices pertaining to the policies, procedures, and
standards used for application development and service provisioning in the
cloud, as well as the design, implementation, testing, use, and monitoring of
deployed or engaged services.
Put in place audit mechanisms and tools to ensure organizational practices
are followed throughout the system lifecycle.
2.Compliance
Understand the various types of laws and regulations that impose security
and privacy obligations on the organization and potentially impact cloud
computing initiatives, particularly those involving data location, privacy and
security controls, records management, and electronic discovery
requirements.
Review and assess the cloud provider's offerings with respect to the
organizational requirements to be met and ensure that the contract terms
adequately meet the requirements. Ensure that the cloud provider's
electronic discovery capabilities and processes do not compromise the
privacy or security of data and applications.
3.Trust
Ensure that service arrangements have sufficient means to allow visibility
into the security and privacy controls and processes employed by the cloud
provider, and their performance over time.
Establish clear, exclusive ownership rights over data.
Institute a risk management program that is flexible enough to adapt to the
constantly evolving and shifting risk landscape for the lifecycle of the
system.
Continuously monitor the security state of the information system to support
ongoing risk management decisions.
4.Architecture
Understand the underlying technologies that the cloud provider uses to
provision services, including the implications that the technical controls
involved have on the security and privacy of the system, over the full system
lifecycle and across all system components.
5.Identity and access management
Ensure that adequate safeguards are in place to secure authentication,
authorization, and other identity and access management functions, and are
Data Protection in the Cloud
• The threat of data compromise increases in
the cloud
• Database environments used in cloud
computing can vary significantly
Multi-instance model
• Provides a unique DBMS running on a virtual machine instance
for each cloud subscriber
• This gives the subscriber complete control over role definition,
user authorization, and other administrative tasks related to
security
Multi-tenant model
• Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
• Tagging gives the appearance of exclusive use of the instance, but relies on the CP to establish and maintain a sound secure database environment
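What "tagging data with a subscriber identifier" looks like in a shared database, and where it breaks. This is an added example, not code from the textbook: the schema, tenant names and rows are constructed, and the two access paths contrast a query that trusts every caller to remember the tenant filter with a session object that binds the subscriber identifier once and applies it to every statement.

```python
"""Multi-tenant database model: rows tagged with a subscriber identifier.
Added example, not textbook code; schema and rows are constructed."""
import sqlite3


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
               " title TEXT NOT NULL, body TEXT NOT NULL)")
    db.executemany("INSERT INTO records (tenant_id, title, body) VALUES (?, ?, ?)", [
        ("acme", "payroll Q3", "acme salaries"),
        ("acme", "roadmap", "acme product plan"),
        ("globex", "payroll Q3", "globex salaries"),
    ])
    return db


def search_unscoped(db, title_fragment):
    """The defect: nothing forces the tenant filter, so one tenant's search returns
    rows tagged for every subscriber that shares the instance."""
    cur = db.execute("SELECT tenant_id, title FROM records WHERE title LIKE ?",
                     (f"%{title_fragment}%",))
    return cur.fetchall()


class TenantSession:
    """All data access for one subscriber goes through here.  tenant_id is fixed at
    construction and is part of every statement, so it cannot be left out."""

    def __init__(self, db, tenant_id):
        self.db = db
        self.tenant_id = tenant_id

    def search(self, title_fragment):
        cur = self.db.execute(
            "SELECT id, title FROM records WHERE tenant_id = ? AND title LIKE ?",
            (self.tenant_id, f"%{title_fragment}%"))
        return cur.fetchall()

    def get(self, record_id):
        # A foreign row and a missing row look the same to the caller: both raise,
        # so record ids cannot be used to probe what other tenants hold.
        row = self.db.execute(
            "SELECT id, title, body FROM records WHERE tenant_id = ? AND id = ?",
            (self.tenant_id, record_id)).fetchone()
        if row is None:
            raise PermissionError(f"record {record_id} not visible to {self.tenant_id}")
        return row

    def can_read(self, record_id):
        try:
            self.get(record_id)
            return True
        except PermissionError:
            return False

    def update_body(self, record_id, body):
        cur = self.db.execute(
            "UPDATE records SET body = ? WHERE tenant_id = ? AND id = ?",
            (body, self.tenant_id, record_id))
        return cur.rowcount          # 0: no row of ours matched, nothing was changed


if __name__ == "__main__":
    db = build_db()
    print("unscoped:", search_unscoped(db, "payroll"))        # leaks globex's row to acme
    acme = TenantSession(db, "acme")
    print("scoped  :", acme.search("payroll"))
    print("id 3 readable by acme:", acme.can_read(3))         # globex's row by guessed id
```

The session object is the application-side half of the arrangement; the slide's point stands that the other half (keeping tenants' rows apart in storage, backups and query plans) rests entirely on the CP, which is what the multi-instance model avoids at the cost of running one DBMS per subscriber.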
Data Protection in the Cloud
• Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
• The client can employ encryption to protect data in transit, though this involves key management responsibilities for the CP
• For data at rest the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the CP having no access to the encryption key
• A straightforward solution to the security problem in this context is to encrypt the entire database and not provide the encryption/decryption keys to the service provider. The price is usability:
• The user has little ability to access individual data items based on searches or indexing on key parameters
• The user would have to download entire tables from the database, decrypt the tables, and work with the results
• To provide more flexibility it must be possible to work with the database in its encrypted form
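One way to "work with the database in its encrypted form" for the common case of equality lookups: the client keeps the keys, stores only ciphertext, and stores alongside each record a keyed hash of the searchable column (a blind index), so the provider can match lookups by token without ever decrypting. This is an added example, not from the textbook. To stay dependency-free, the record cipher is a toy authenticated construction built from HMAC-SHA256 (a counter-mode keystream plus a MAC); in practice use AES-GCM or ChaCha20-Poly1305. Keys and records are constructed sample values.

```python
"""Client-side encryption with a blind index for equality search.
Added example, not textbook code; the cipher is a toy stand-in for an AEAD."""
import hashlib
import hmac
import os
import struct


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack("!Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key, mac_key, plaintext):
    """nonce || ciphertext || tag  (encrypt-then-MAC over nonce and ciphertext)."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(enc_key, mac_key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record tampered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def blind_index(index_key, value):
    """Deterministic token for equality search; the provider sees only this, never the value."""
    return hmac.new(index_key, value.strip().lower().encode(), hashlib.sha256).digest()[:16]


class ProviderStore:
    """What runs at the cloud provider: (token, ciphertext) pairs and no keys."""

    def __init__(self):
        self.rows = []

    def insert(self, token, blob):
        self.rows.append((token, blob))

    def find(self, token):
        return [blob for t, blob in self.rows if t == token]


class Client:
    """Holds the master key; derives separate sub-keys for encryption, MAC and index."""

    def __init__(self, master_key):
        self.enc_key = hashlib.sha256(b"enc|" + master_key).digest()
        self.mac_key = hashlib.sha256(b"mac|" + master_key).digest()
        self.idx_key = hashlib.sha256(b"idx|" + master_key).digest()

    def put(self, store, email, record):
        store.insert(blind_index(self.idx_key, email), seal(self.enc_key, self.mac_key, record))

    def lookup(self, store, email):
        return [unseal(self.enc_key, self.mac_key, blob)
                for blob in store.find(blind_index(self.idx_key, email))]

    def is_intact(self, blob):
        try:
            unseal(self.enc_key, self.mac_key, blob)
            return True
        except ValueError:
            return False


if __name__ == "__main__":
    store, client = ProviderStore(), Client(b"client-held master key")
    client.put(store, "Alice@Example.com", b"acct:1234;balance:500")
    client.put(store, "bob@example.com", b"acct:9876;balance:20")
    print("provider sees:", [(t.hex(), b.hex()[:24] + "...") for t, b in store.rows])
    print("client lookup:", client.lookup(store, "alice@example.com"))
```

The trade-off to state plainly: a deterministic blind index supports equality only (no ranges or substrings), and because equal values produce equal tokens the provider learns which rows share an email even though it cannot learn the email. Per-column index keys and truncated tokens limit, but do not remove, that leakage.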
Cloud Security as a Service
(SecaaS)
• The Cloud Security Alliance defines SecaaS as the
provision of security applications and services via the
cloud either to cloud-based infrastructure and software
or from the cloud to the customers’ on-premise systems
• The Cloud Security Alliance has identified the following
SecaaS categories of service:
• Identity and access management
• Data loss prevention
• Web security
• E-mail security
• Security assessments
• Intrusion management
• Security information and event management
• Encryption
• Business continuity and disaster recovery
• Network security
Table 5.4
Control Functions
and Classes
Summary
• Network access control
• Elements of a network access control system
• Network access enforcement methods
• Extensible authentication protocol
• Authentication methods
• EAP exchanges
• IEEE 802.1X port-based network access control
• Cloud computing
• Elements
• Reference architecture
• Cloud security risks and countermeasures
• Data protection in the cloud
• Addressing cloud computing security concerns
• Cloud security as a service
Review Questions

What is EAP?
The Extensible Authentication Protocol (EAP) acts as a
framework for network access and authentication protocols.
EAP provides a set of protocol messages that can encapsulate
various authentication methods to be used between a client
and an authentication server.
EAP can operate over a variety of network and link-level
facilities, including point-to-point links, LANs, and other
networks, and can accommodate the authentication needs of
the various links and networks.
5.4 What is DHCP? How useful is it to help achieve security of IP addresses?

The Dynamic Host Configuration Protocol (DHCP) is an internet protocol that enables a dynamic allocation of IP addresses to hosts. A NAC-controlled DHCP server intercepts DHCP requests and assigns IP addresses instead. Thus, NAC enforcement occurs at the IP layer based on subnet and IP assignment. A DHCP server is easy to install and configure, but is subject to various forms of IP spoofing, providing limited security.
5.5 Why is EAPOL an essential element of IEEE 802.1X?

IEEE 802.1X provides only access control functions for LANs and keeps the data channel closed until authentication between the AS and the supplicant is established. EAPOL enables communication between the AS and the supplicant for authentication by enabling the exchange of EAP messages over the LAN while the port is still closed to all other traffic.
5.6 What are the essential characteristics of cloud
computing?

The essential characteristics of cloud computing are: broad network


access, rapid elasticity, measured service, on-demand self-service and
resource pooling.
5.7 List and briefly define the deployment models of cloud
computing.
There are mainly four deployment models of cloud computing:
a. Public cloud: The cloud infrastructure is made available to the general public or a
large industry group and is owned by an organization selling cloud services.

b. Private cloud: The cloud infrastructure is operated solely for an organization. It


may be managed by the organization or a third party and may exist on premise or off
premise.
c. Community cloud: The cloud infrastructure is shared by several organizations and
supports a specific community that has shared concerns (e.g., mission, security
requirements, etc).

d. Hybrid cloud: The cloud infrastructure is a composition of two or more clouds


(private, community, or public) that remain unique entities but are bound together by
standardized or proprietary technology that enables data and application portability.