Module - 1 - Information Security Devices
A. Avinash, Ph.D.
School of Computer Science and Engineering
Vellore Institute of Technology (VIT), Chennai
Identity & Access Management (IAM) [1]
What is Identity & Access Management (IAM)?
A set of tools & services used to manage access to systems or resources used by personnel as
well as our customers
Why is Managing Access Important?
Controlling access = Controlling risk
How Do We Manage Applications?
Centrally-Managed applications
Use one or more centrally-managed IAM services
Business-Managed applications
Applications the business manages locally. The business owns and creates the access to the application. The owner is responsible for granting that access and for its timely removal when someone terminates or transfers jobs.
Who Is Responsible for Managing Access?
Everyone who manages employees or contractors in the organization
Reference: 1. Identity & Access Management: Business Performance Through Connected Intelligence by
Ertem Osmanoglu
Identity and Access Management
Identity Management (IdM)
IdM manages an identity’s lifecycle through a combination of processes, organizational
structure, and enabling technologies.
[Figure: Identity Management. Users, the Organization (organizational structure and processes) and Technology surround Identity Lifecycle Management, which covers identity attributes, privileges, passwords, workflow and reporting across the Onboarding, Propagation, Maintenance and Termination phases.]
Access Management (AM)
AM primarily focuses on Authentication and Authorization
Authentication
Any combination of the following 3 factors will be considered as Strong Authentication:
• What you know: Password, Passphrase
• What you are: Iris, Fingerprint
• What you have: Token, Smartcard
Authorization
2 primary forms of Authorization:
• Coarse-Grain: High-level and overarching entitlements (Create, Read, Update, Modify)
• Fine-Grain: Detailed and explicit entitlements based on factors such as time, dept, role and location
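The two forms of authorization above are easiest to see as two layers of one decision: a coarse-grain layer that asks whether the role carries a CRUD entitlement at all, and a fine-grain layer that adds explicit constraints on department, request location and time of day. The following is an added example written for these notes, not code from the referenced book; the roles, departments, locations and rules are constructed sample policy.

```python
from dataclasses import dataclass, field
from datetime import time

# Coarse-grain entitlements: high-level CRUD rights per role.
# Constructed sample policy for illustration, not taken from any product.
COARSE_GRAIN = {
    "analyst": {"read"},
    "editor": {"create", "read", "update"},
    "admin": {"create", "read", "update", "modify", "delete"},
}


@dataclass
class Subject:
    user: str
    role: str
    dept: str


@dataclass
class Context:
    """Attributes of the request itself: time of day and originating location."""
    now: time
    location: str


@dataclass
class FineGrainRule:
    """Detailed, explicit constraint layered on top of a coarse entitlement."""
    action: str
    depts: set = field(default_factory=set)      # allowed departments (empty = any)
    locations: set = field(default_factory=set)  # allowed request locations (empty = any)
    start: time = time(0, 0)                     # allowed time window, inclusive
    end: time = time(23, 59)


# Constructed fine-grain rules: updates only by finance staff, from HQ, in office hours;
# deletes only by IT staff, from HQ, at any time.
FINE_GRAIN = [
    FineGrainRule("update", depts={"finance"}, locations={"hq"},
                  start=time(8, 0), end=time(18, 0)),
    FineGrainRule("delete", depts={"it"}, locations={"hq"}),
]


def coarse_allows(subject, action):
    """Coarse-grain check: does the subject's role carry this entitlement at all?"""
    return action in COARSE_GRAIN.get(subject.role, set())


def fine_allows(subject, action, ctx):
    """Fine-grain check: at least one rule for this action must match dept, location
    and time. If no rule exists for the action, the coarse decision stands."""
    rules = [r for r in FINE_GRAIN if r.action == action]
    if not rules:
        return True
    for r in rules:
        if r.depts and subject.dept not in r.depts:
            continue
        if r.locations and ctx.location not in r.locations:
            continue
        if not (r.start <= ctx.now <= r.end):
            continue
        return True
    return False


def authorize(subject, action, ctx):
    """Deny unless both the coarse and the fine-grain layer allow the action."""
    return coarse_allows(subject, action) and fine_allows(subject, action, ctx)


def request_at(hour, minute, location):
    """Convenience builder for a request context."""
    return Context(time(hour, minute), location)


if __name__ == "__main__":
    alice = Subject("alice", "editor", "finance")
    print(authorize(alice, "update", request_at(10, 0, "hq")))   # True
    print(authorize(alice, "update", request_at(20, 0, "hq")))   # False: outside hours
    print(authorize(Subject("bob", "analyst", "finance"), "update",
                    request_at(10, 0, "hq")))                     # False: no coarse right
```

The order of the two checks matters for least privilege: a fine-grain rule can only narrow an entitlement the role already has, never grant one the coarse layer withheld.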
Uniting Identity and Access Management [2]
Identity and Access Management are tightly coupled by the governance and
consumption of identity data.
[Figure: identity data before and after unification.]
Before:
• Multiple Identity Stores (5)
• Multiple Administration Points (4)
• Redundant data synchronization and replication
• Users must authenticate to each application
After:
• Ability to present multiple data views
• Single Administration Point
• Reduced replication and synchronization
• Single Sign-On
Asynchronous Transmission
• No clocking devices
• Commonly used in telephone networks
• Data is transmitted in a serial stream. Each character is turned into a string of 8 bits
• Each of these characters is separated by one start bit and one or two stop bits
Synchronous Transmission
• Need clocking devices
• Data are transmitted in blocks
• Used in digital networks
Infrastructure Devices
Relationship between End devices and Networking devices
• A person uses an end device to communicate with another person's end device via the network formed by the networking devices.
• Servers and clients are end devices
Network Attached Storage (NAS) [4]
NAS is shared storage on a network infrastructure.
[Figure: a NAS device (NAS head plus storage) shared over the network by an application server and a print server.]
References: 4. Network Attached Storage: A Complete Guide - 2020 by Gerardus Blokdyk
Storage device: Network Attached Storage (NAS)
Evolution
Stand Alone PC → Portable Media for File Sharing → Networked PCs → Networked File Sharing (General Purpose Server, NT or Unix Server) → Single Function Device (NAS Server)
Network Attached Storage (NAS)
• Supports global information access
• Improves efficiency
• Provides flexibility
• Centralizes storage
• Simplifies management
• Scalability
• High availability — through native clustering
TYPES OF SERVER
Application Server
FTP Server
Name Server
Database Server
Provides access to a database. It is a server which uses a database application that provides database services to other computer programs or to computers.
Game Server
The server is the authoritative source of events in a multiplayer video game. It transmits enough data about its internal state to allow its connected clients to maintain their own accurate version of the game world for display to players.
Media Server
Delivers media such as streaming
video or audio.
Proxy Server
Acts as an intermediary between clients and
servers to implement functions such as security,
monitoring or anonymization.
List Server
Offers a way to better manage mailing lists, whether they be interactive discussions open to the public or one-way lists that deliver announcements, newsletters or advertising.
Computer Assets: Identifying Unauthorized Devices
• Asset Management
• Asset management tools work for assets known and permitted within the environment, but offer little visibility or control over rogue machines that may be connecting to the network.
[Figure: a client on the trusted internal network opens a TCP connection through the firewall to a server on port 80: SYN (Seq = x), SYN-ACK (Seq = y, Ack = x + 1), ACK (Seq = x + 1, Ack = y + 1). An unsolicited SYN (Seq = y) from an attacker to the client's port 80 is blocked.]
• Using these tables, stateful firewalls can allow only inbound TCP packets that are in response to a connection initiated from within the internal network.
Stateful Firewall
• Allow only requested TCP connections
[Figure: the same handshake between the client (76.120.54.101) and the server (128.34.78.55, port 80) is allowed; a SYN-ACK (Seq = y) sent by an attacker to the client is blocked because no matching SYN was recorded in the connection table.]
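The two figures describe the same mechanism: the firewall records each SYN leaving the trusted network, lets the matching SYN-ACK and ACK through, and drops any inbound SYN or SYN-ACK for which no entry exists. The simulation below is an added example written for these notes, not code from the source. It reuses the client and server addresses from the figure; the attacker address, ports and initial sequence numbers are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str            # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: Optional[int] = None


class StatefulFirewall:
    """Keeps a connection table of TCP sessions opened from the trusted internal
    network and admits inbound packets only when they belong to one of them."""

    def __init__(self, internal_prefix):
        self.internal_prefix = internal_prefix
        # key: (internal ip, internal port, external ip, external port)
        self.table = {}

    def _internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def filter(self, p):
        outbound = self._internal(p.src) and not self._internal(p.dst)
        inbound = self._internal(p.dst) and not self._internal(p.src)

        if outbound:
            key = (p.src, p.sport, p.dst, p.dport)
            entry = self.table.get(key)
            if entry is None:
                if p.flags != "SYN":
                    return "BLOCK"          # a new outbound session must start with a SYN
                self.table[key] = {"state": "SYN_SENT", "seq": p.seq}
                return "ALLOW"
            # Third step of the handshake completes the entry.
            if (p.flags == "ACK" and entry["state"] == "SYN_RECEIVED"
                    and p.ack == entry["peer_seq"] + 1):
                entry["state"] = "ESTABLISHED"
            return "ALLOW"

        if inbound:
            key = (p.dst, p.dport, p.src, p.sport)
            entry = self.table.get(key)
            if entry is None:
                return "BLOCK"              # unsolicited: no internal host asked for this
            if (p.flags == "SYN-ACK" and entry["state"] == "SYN_SENT"
                    and p.ack == entry["seq"] + 1):
                entry["state"] = "SYN_RECEIVED"
                entry["peer_seq"] = p.seq
                return "ALLOW"
            if entry["state"] == "ESTABLISHED":
                return "ALLOW"
            return "BLOCK"                  # wrong handshake step or wrong sequence number

        return "ALLOW"  # traffic that does not cross the boundary is not this firewall's concern


# Client and server addresses as in the figure; the attacker address is constructed
# from the documentation range 203.0.113.0/24.
CLIENT, SERVER, ATTACKER = "76.120.54.101", "128.34.78.55", "203.0.113.7"


def handshake_demo():
    """Replay the figure's exchange; return the per-packet decisions and final state."""
    fw = StatefulFirewall("76.120.54.")
    x, y = 1000, 5000       # constructed initial sequence numbers
    packets = [
        Packet(CLIENT, 40000, SERVER, 80, "SYN", seq=x),
        Packet(SERVER, 80, CLIENT, 40000, "SYN-ACK", seq=y, ack=x + 1),
        Packet(CLIENT, 40000, SERVER, 80, "ACK", seq=x + 1, ack=y + 1),
        # Forged SYN-ACK to the client: no SYN_SENT entry matches, so it is dropped.
        Packet(ATTACKER, 80, CLIENT, 40000, "SYN-ACK", seq=y, ack=x + 1),
        # Inbound SYN to the client's port 80: no internal host requested it, dropped.
        Packet(ATTACKER, 4444, CLIENT, 80, "SYN", seq=y),
    ]
    decisions = [fw.filter(p) for p in packets]
    state = fw.table[(CLIENT, 40000, SERVER, 80)]["state"]
    return decisions, state


if __name__ == "__main__":
    print(handshake_demo())   # (['ALLOW', 'ALLOW', 'ALLOW', 'BLOCK', 'BLOCK'], 'ESTABLISHED')
```

Checking the acknowledgement number against the recorded sequence number is what distinguishes a stateful filter from a rule that merely "allows established traffic": a SYN-ACK with the right addresses and ports but the wrong Ack is still rejected.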
• There are two primary types of VPNs, remote access VPN and site-to-site VPN.
• Remote access VPNs allow authorized clients to access a private network that is
referred to as an intranet.
• E.g., UCF VPN. Computer has internal IP when connected.
• Set up a VPN endpoint, network access server (NAS)
• Clients install VPN client software on their machines.
• Site-to-site VPN solutions are designed to provide a secure bridge between two or
more physically distant networks.
• Before VPN, organizations wishing to safely bridge their private networks
purchased expensive leased lines to directly connect their intranets with cabling.
Solutions combining traffic filtering with other Technologies
[Figure: an IDS Manager monitoring routers that connect the internal network to the untrusted Internet.]
Possible Alarm Outcomes
• Alarms can be sounded (positive) or not (negative)
[Table: columns "Intrusion Attack" and "No Intrusion Attack" against whether the alarm is sounded; the only cell that survived extraction is "Alarm Sounded" under "No Intrusion Attack": "Bad (reject norm" (truncated).]
Advantages of DAS:
• Simpler to setup and configure over NAS / SAN
• Cheaper than NAS / SAN in terms of raw storage
• Networks not necessary, doesn’t use IP addresses
• Faster, with better latency, than SAN / NAS
• Easier to deal with overall, all things considered
Disadvantages of DAS:
• Dedicated resource to a single computer
• No economies of scale in sharing the storage
• Can’t manage DAS via a network
• Requires a special hardware connection
Reference: 6. Storage Security: Protecting SANs, NAS and DAS by John Chirillo
and Scott Blaul
SERVER STORAGE
• NAS ( Network Attached Storage) is a filesystem delivered
over the network. It is ready to mount and use. Technologies to
do this include NFS, CIFS, AFS, etc.
Advantages of NAS:
• Economical way to provide large storage to many persons or
computers
• Several times easier to setup and configure versus SAN
• Easy way to provide RAID redundancy to mass amount of
users
• Allows users permissions, folder privileges, restricted access
to documents, etc
• Higher utilization of storage resources
Disadvantages of NAS:
• Requires IP Address(es) and takes up network space
• Higher latency and potential maximum data-transfer rate issues
• Performance can be affected by network status
SERVER STORAGE
• SAN (Storage Area Network) is a block device which is delivered over the network. Technologies to do this include Fibre Channel, iSCSI, FCoE, etc.
• Combines the best of DAS and NAS.
DAS is good at? Speed. Speed. SPEED.
NAS is good at? Sharing. High Utilization. Flexibility.
Advantages of SAN:
• Higher hardware utilization, similar to that of NAS
• Speed similar or comparable to DAS
• Allows virtual environments, cloud computing, etc.
Disadvantages of SAN:
• Performance limited by network if configured incorrectly
• Requires multiple static IP Addresses
• Generally consumes more IP addresses than NAS devices
• Complex networking planning is necessary
• Physical network wiring may affect performance
• Generally more expensive than NAS or DAS
Content Management System [7, 8]
CMS features
● Web-based publishing,
● Format management,
● Revision control,
● Indexing, search, and retrieval.
References:
7. Barker, D. (2016). Web content management: Systems, features, and best practices. Boston: O'Reilly.
8. Boiko, B. (2001). Understanding content management. Bulletin of the American Society for Information Science and Technology, 28(1).
Content and Presentation
The content management system (CMS) has two elements:
● Content management application (CMA) is the front-end user interface that
allows a user, even with limited expertise, to add, modify and remove content
from a Web site without the intervention of a Webmaster.
● Content delivery application (CDA) compiles that information and updates
the Web site.
Web CMS
● A software system that provides website authoring, collaboration, and
administration tools.
● Designed to allow users with little knowledge of web programming to create and
manage website content with relative ease.
● Uses a content repository or a database to store page content, metadata, and other
information assets.
● Has a presentation layer (template engine) to display the content to website
visitors based on a set of templates.
● Uses server side caching to improve performance.
Capabilities of CMS
● Automated templates
● Access control
● Scalable expansion
● Easily editable content
● Scalable feature sets
● Web standards upgrades
● Collaboration
● Document management
● Workflow management
● Content virtualization
Advantages and Disadvantages
Advantages
● Low cost
● Easy customization
● Easy to use
● Workflow management
● Search Engine Optimization
Disadvantages
● Cost of implementations
● Cost of maintenance
● Latency issues
● Tool mixing
● Security
Popular CMS
● WordPress was the most popular content management system before 2014.
● Textpattern is one of the first open source CMSs.
● Joomla! is a popular content management system.
● Drupal is the third most used CMS and originated before WordPress and
Joomla.
● ExpressionEngine is in the top 5 most used CMSs. It is a commercial CMS.
● MediaWiki powers Wikipedia and related projects.
● Magnolia CMS.
● Cascade Server is popular among universities and enterprise scale
organizations.
● eXo Platform Open Source Social CMS.
● Liferay Open Source Portal WCMS.
Secure Content Management
• Organizations are increasingly moving toward collaboration
• They encourage use of the internet for knowledge access and productivity enhancement, advocate widespread adoption of email as a communication means, and promote instant messaging for better coordination.
Unrestricted Access
The use of the internet is on the rise, as are the risks of uncontrolled access.
When employees deliberately access sites containing inappropriate, illegal or dangerous content, businesses suffer losses of productivity, expose themselves to legal liabilities and can experience degraded network performance that negatively affects mission-critical tasks.
Liability Exposure
Visits to racist/hate sites represent a major legal liability concern. Businesses need to shield themselves from potential legal liability that can arise if an employee is repeatedly exposed to offensive material on a co-worker's computer or anywhere in the workplace.
Solution Architectures
• Standalone Solutions
Standalone solutions consist of a dedicated database server for defining policies and a separate gateway or firewall that enforces the content management policies. These solutions are more manageable than client-based solutions because an administrator can create a policy once on the gateway and then apply it across all desktops.
However, most standalone solutions require organizations to purchase and manage two separate hardware devices in addition to content management software.
They also require additional storage to be purchased as needed, when the policy database grows to exceed the storage available.
Key vendors of standalone solutions include SonicWALL, Websense and SurfControl.
• Integrated Solutions
• Integrated solutions consolidate management and processing in a single
gateway or firewall, thereby reducing capital and operational expenses.
• However, when the gateway or firewall is also used for services like anti-virus
and intrusion prevention, performance can suffer.
• Key vendors of integrated content filtering solutions include SonicWALL,
Symantec and Watch Guard.