Chapter 5

Security Mechanism and Access Control
1/29/2023 1
5.1 Access Control

- A protection system describes the conditions under which a system is secure
- Access control is used to identify a user to a system
- Associated with each user, there can be a profile that specifies permissible operations and accesses (authorization)
- The operating system can enforce rules based on the user profile
- Access Control - Generalized View
  - Access control: Verifying access rights to prevent misuse of resources
  - Authorization: Granting access rights
Access Control Matrix (ACM)
- The access control matrix arose both in operating systems research and in database research
- It describes allowed accesses using a matrix
- Basic elements of the ACM
  - Subject: An entity capable of accessing objects, such as processes/software and users; subjects are given a security clearance
  - Object: Anything to which access is controlled (files, programs, memory segments, ...); objects have a security classification
  - Access right: The way in which an object is accessed by a subject (read, write, execute, ...)
    - The exact meaning of the operation depends on the nature of the object; "reading from" a file is obvious, but what is "reading from" a process?
    - It could mean that the reader accepts messages from the process being read
Access Control Matrix
Fig: Access control matrix (rows labelled by subject, columns labelled by object)
- In the ACM, each subject is represented by a row and each object as a column
- ACM[s, o] lists precisely which operations subject s can request to be carried out on object o
- Problems of the ACM
  - The number of subjects and objects will be large, so that the matrix will use a significant amount of storage
  - Most entries in the matrix will be either blank (indicating no access) or the same (because implementations often provide a default setting)
  - The creation and deletion of subjects and objects will require the matrix to manage its storage carefully, adding to the complexity of the code
- Optimizations (variants based on the access control matrix that eliminate many of the problems mentioned) are used
  - Access Control Lists, in which each object maintains a list of the access rights of subjects
  - Capability Lists, where each subject is given access rights to objects
- Access Control List
  - Decomposition of the ACM by columns (store each column with the object it represents)
  - An access control list of an object lists users and their permitted access rights on the object
  - The list may contain a default or public entry
- Capability List
  - Decomposition of the ACM by rows (store each row with the subject it represents)
  - Each subject has associated with it a set of pairs, with each pair containing an object and a set of rights. The subject associated with this list can access the named object in any of the ways indicated by the named rights
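The matrix, its column decomposition (ACLs) and its row decomposition (capability lists) from the slides above, as an added Python example that is not part of the original deck. The subjects, objects and rights are constructed sample data; the functions show that both decompositions answer every access query exactly as the matrix does, how blank the matrix typically is, and why deleting an object is a column-wide operation on the matrix.

```python
import copy

# Constructed sample matrix (not from the slides): ACM[subject][object] = set of rights.
# A missing cell is blank, meaning "no access".
ACM = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob":   {"report.txt": {"read", "write"}, "backup.sh": {"read", "execute"}},
    "carol": {},                                 # a subject whose whole row is blank
}
OBJECTS = ["payroll.db", "report.txt", "backup.sh"]


def acm_check(acm, subject, obj, right):
    """Direct lookup of ACM[s, o]."""
    return right in acm.get(subject, {}).get(obj, set())


def to_acls(acm, objects):
    """Column decomposition: each object keeps (subject -> rights), blanks dropped."""
    acls = {o: {} for o in objects}
    for s, row in acm.items():
        for o, rights in row.items():
            if rights:
                acls[o][s] = set(rights)
    return acls


def to_capabilities(acm):
    """Row decomposition: each subject keeps (object -> rights), blanks dropped."""
    return {s: {o: set(r) for o, r in row.items() if r} for s, row in acm.items()}


def acl_check(acls, subject, obj, right, default=frozenset()):
    """ACL lookup; `default` plays the role of the list's public/default entry."""
    entry = acls.get(obj, {}).get(subject)
    return right in (entry if entry is not None else default)


def cap_check(caps, subject, obj, right):
    """Capability lookup: does the subject hold (obj, right) in its list?"""
    return right in caps.get(subject, {}).get(obj, set())


def decompositions_agree(acm, objects, rights=("read", "write", "execute")):
    """Both decompositions must answer every (s, o, right) query exactly like the matrix."""
    acls, caps = to_acls(acm, objects), to_capabilities(acm)
    return all(acm_check(acm, s, o, r) == acl_check(acls, s, o, r) == cap_check(caps, s, o, r)
               for s in acm for o in objects for r in rights)


def blank_fraction(acm, objects):
    """Share of blank cells: the storage problem the slides mention."""
    cells = len(acm) * len(objects)
    filled = sum(1 for row in acm.values() for r in row.values() if r)
    return (cells - filled) / cells


def delete_object(acm, objects, obj):
    """Deleting an object touches every subject's row (one matrix column); returns updated
    copies. With ACLs the same operation would simply drop that object's list."""
    acm2, objects2 = copy.deepcopy(acm), [o for o in objects if o != obj]
    for row in acm2.values():
        row.pop(obj, None)
    return acm2, objects2
```

Note that the public/default entry only exists in the ACL form: `acl_check` falls back to `default` when a subject has no entry, which is how a list can grant "everyone may read" without a row for every subject.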
- Access Control Policies and Models
  - A security policy governs a set of rules and objectives needed by an organization
  - A security model can be used by an organization to help express the policy or business rules to be used in a computer system
  - Access control policies are high-level requirements that specify how access is managed and who may access information under what circumstances
  - For instance, policies may pertain to resource usage within or across organizational units or may be based on need-to-know, competence, authority, or obligation
- There are two types of access control models
  - Discretionary Access Control Model and
  - Non-Discretionary Access Control Model
- Discretionary Access Control (DAC) is an access policy determined by the owner of an object. The owner decides who is allowed to access the object and with what privileges
  - They are called discretionary as users can be given the ability to pass on their privileges over any of the objects under them to other users, without the intervention of the system administrator
- Non-Discretionary Access Controls (NDACs) are controls that cannot be changed by users, but only through administrative action.
  - Users cannot pass access permissions on to other users at their discretion.
  - NDAC has three popular forms of access control policies
    1. Mandatory Access Control (MAC),
    2. Role-Based Access Control (RBAC), and
    3. Temporal Authorization (TA)
1. Mandatory Access Control (MAC) is a means of restricting access to objects based on the sensitivity of the information contained in the objects and the formal authorization of subjects to access information of such sensitivity
  - In MAC, decisions are made by a central authority, not by the individual owner of an object, and the owner cannot change access rights
  - An example of MAC occurs in military security, where an individual data owner does not decide who has a Top Secret clearance, nor can the owner change the classification of an object from Top Secret to Secret
2. Role-Based Access Control (RBAC) bases access control decisions on the functions/roles that a user is allowed to perform within an organization
  - This includes the specification of duties, responsibilities, and qualifications.
  - For example, the role "individual associated with a hospital" can include doctor, nurse and patient
3. Temporal Authorizations (TA) are formal statements of access policies that involve time-based access restrictions
Trusted System: Reference Monitor (Implementing Policies)
- Reference Monitor
  - A controlling element in the hardware and operating system that regulates the access of subjects to objects on the basis of security parameters
  - It enforces the security policies
  - It has access to a security kernel database
- Properties of the Reference Monitor
  - Complete mediation: Security rules are enforced on every access
  - Isolation: The reference monitor and its database themselves are protected from unauthorized modification
  - Verifiability: The reference monitor's correctness must be provable
  - A system that can provide such verifications is referred to as a trusted system
- Multilevel Security Models
  - Multilevel Security
    - Military-style classifications
    - Subjects and objects are partitioned into different security levels
    - Protection is based on levels of security
    - A subject can only access objects at certain levels, determined by its security level and the model in use
  - There are two Multilevel Security Models
    - Bell-LaPadula (BLP) Model
    - Biba Integrity Model
5.1.1 Bell-LaPadula Model
- The Bell-LaPadula (BLP) model is one of the first multilevel security models that was created to control access to data
- The two basic properties of the Bell-LaPadula model are
  - "no read up": A subject can only read an object of less or equal security level (Simple Security Property)
  - "no write down": A subject can only write into an object of greater or equal security level (*-Property or Star Property); this prevents an illegal information flow
- For instance, if we have two levels of security, namely unclassified and top secret
  - Unclassified personnel cannot read data at top secret level (no read up) and
  - Top secret data cannot be written into files at unclassified level (no write down)
Examples of security classification
- The Security Levels and Security Categories (of the Subjects)
  - Levels = {Top Secret, Secret, Confidential, Unclassified}
  - Categories = {Registrar, Instructor, Student, Everyone}
Fig: Hierarchy of Sensitivity
- The Bell-LaPadula model supports mandatory access control by determining the access rights from the security levels associated with subjects and objects
- It also supports discretionary access control by checking access rights from an access control matrix
- With respect to specification, we can consider the multilevel model as adding higher-level mechanisms to the access control matrix model
- In addition to supporting arbitrary access specifications in the access control matrix, the model groups protected objects according to different security levels and decides user privileges by their authorized security clearance levels
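The two BLP properties and the combined mandatory-plus-discretionary decision described above, as an added Python example that is not part of the original slides. It uses the levels and categories listed on the classification slide; the numeric ranking of the levels, the label and subject names, and the small access control matrix are constructed for the example. It goes one step beyond the two-level illustration in the text: a label is a level plus a set of categories, so "dominates" is a lattice order and two labels can be incomparable.

```python
from dataclasses import dataclass

# Levels from the slides, ranked low to high (the ranking numbers are constructed)
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
CATEGORIES = {"Registrar", "Instructor", "Student", "Everyone"}


@dataclass(frozen=True)
class Label:
    """A BLP security label: a sensitivity level plus a set of categories."""
    level: str
    categories: frozenset = frozenset()

    def __post_init__(self):
        if self.level not in LEVELS or not self.categories <= CATEGORIES:
            raise ValueError(f"unknown level or category in {self}")


def dominates(a: Label, b: Label) -> bool:
    """a dominates b iff level(a) >= level(b) and categories(a) is a superset of
    categories(b). This is a partial order: some pairs of labels are incomparable."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def can_read(subject: Label, obj: Label) -> bool:
    """Simple security property: read only what the subject dominates (no read up)."""
    return dominates(subject, obj)


def can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only to objects that dominate the subject (no write down)."""
    return dominates(obj, subject)


def blp_decide(acm, s_name, s_label, o_name, o_label, right):
    """Full decision: the mandatory label check AND the discretionary check against an
    access control matrix of the form acm[subject][object] = set of rights."""
    if right == "read":
        mandatory = can_read(s_label, o_label)
    elif right == "write":
        mandatory = can_write(s_label, o_label)
    else:
        raise ValueError(f"unsupported right {right!r}")
    discretionary = right in acm.get(s_name, {}).get(o_name, set())
    return mandatory and discretionary
```

A write is permitted by the *-property even when the subject cannot read the target (an Unclassified subject may write into a Secret object), which is exactly the integrity gap the Biba section below addresses.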
5.1.2 Biba Integrity Model
- Kenneth Biba (1975) proposed three different integrity access control policies
  1. The Low Water Mark Integrity Policy
  2. The Ring Policy
  3. The Strict Integrity Policy
- One difference among them is the amount of trust invested in subjects.
- Biba's Low Water Mark Policy has the following two rules:
  - If s reads o, then i′(s) = min(i(s), i(o)), where i′(s) is the subject's new integrity level after the read.
  - Subject s can write to object o only if i(o) ≤ i(s)
- A potential problem with the LWM Integrity policy is that it monotonically decreases the integrity level of a subject, possibly unnecessarily
- The Ring policy focuses on direct modification and solves some problems of the LWM Policy.
  - Any subject can read any object, regardless of integrity levels.
  - Subject s can write to object o only if i(o) ≤ i(s).
  - Trustworthiness of subject (problem)
Cont…
- All assume that we associate integrity levels with subjects and objects, analogous to clearance levels in BLP
- Only the Strict Integrity Policy had much continuing influence; it is the one typically referred to as the "Biba Model" or "Biba Integrity"
- It was published in 1977 at the Mitre Corporation, one year after the Bell-LaPadula model was published
- It is designed so that subjects may not corrupt objects in a level ranked higher than the subject, or be corrupted by objects from a lower level than the subject
- A problem with the BLP model is that it does not deal with the integrity of data, as the *-property makes it possible for a lower-level subject to write to a higher-classified object
- The inability of the Bell-LaPadula model to deal with integrity of data motivated the creation of the Biba model
- BLP is for Confidentiality while Biba is for Integrity of data, and they can be used together
*Integrity
- Integrity refers to the trustworthiness of data or resources
- Integrity is usually defined in terms of preventing improper or unauthorized change to data
- There are three main goals of integrity
  - Preventing unauthorized users from making modifications to data or programs
  - Preventing authorized users from making improper or unauthorized modifications
  - Maintaining internal and external consistency of data and programs
Biba Integrity Model – Access Modes
- The Biba model consists of the following access modes
  - Modify: the modify right allows a subject to write to an object. This mode is similar to the write mode in other models
  - Observe: the observe right allows a subject to read an object. This is synonymous with the read mode of most other models
  - Invoke: the invoke right allows a subject to communicate with another subject
  - Execute: the execute right allows a subject to execute an object. It essentially allows a subject to execute a program, which is the object
Biba Integrity Model – Policies
- The Biba model is a family of different policies
- The goal of the model is to prevent the contamination of "clean" high-level entities by "dirty" low-level entities
- The model supports both mandatory and discretionary policies
- Let S be the set of subjects, O the set of objects, I the set of integrity levels, s a subject, o an object, and i(x) the integrity level of x (subject or object)
- Then the Biba Strict Integrity Policy consists of
  1. Simple Integrity Property: s ∈ S can observe o ∈ O if and only if i(s) ≤ i(o) ("no read-down")
  2. Integrity *-Property: s ∈ S can modify o ∈ O if and only if i(o) ≤ i(s) ("no write-up")
  3. Invocation Property: s₁ ∈ S can invoke s₂ ∈ S if and only if i(s₂) ≤ i(s₁) ("no upward invocation")
- This can be expressed in terms of
  - Users can only create content at or below their own integrity level
  - Conversely, users can only view content at or above their own integrity level
- The "no write-up" rule limits the damage that can be done by malicious programs in the system.
  - For instance, "no write-up" limits the amount of damage that can be done by a Trojan Horse in the system. The Trojan horse would only be able to write to objects at its integrity level or lower. This is important because it limits the damage that can be done to the operating system
- The "no read-down" rule prevents a trusted subject from being "contaminated" by a less trusted object
Fig: Biba Strict Integrity Policy (circle = subject, square = object): No Read-Down, No Write-Up, No Upward Invocation
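The three Biba policies from the slides above (Strict Integrity, Ring, and Low Water Mark), written out as an added Python example that is not part of the original deck. Integrity levels are integers where a higher number means more trustworthy, matching the i(s) ≤ i(o) notation used on the slides; the subject and object names and their levels are constructed. The `trojan_damage` helper illustrates the Trojan horse point: a low-integrity program can only modify objects at or below its own level, whichever of the three modify rules is in force.

```python
class BibaSystem:
    """Subjects and objects carry integrity levels i(x); higher = more trustworthy
    (constructed numeric scale)."""

    def __init__(self, subjects, objects):
        self.i_subj = dict(subjects)   # subject name -> integrity level
        self.i_obj = dict(objects)     # object name  -> integrity level

    # --- Strict Integrity Policy (what is usually called "the Biba model") ---
    def strict_observe(self, s, o):
        """Simple integrity property: observe only if i(s) <= i(o)  (no read-down)."""
        return self.i_subj[s] <= self.i_obj[o]

    def strict_modify(self, s, o):
        """Integrity *-property: modify only if i(o) <= i(s)  (no write-up)."""
        return self.i_obj[o] <= self.i_subj[s]

    def strict_invoke(self, s1, s2):
        """Invocation property: invoke only if i(s2) <= i(s1)  (no upward invocation)."""
        return self.i_subj[s2] <= self.i_subj[s1]

    # --- Ring Policy: reads unrestricted, writes still follow the *-property ---
    def ring_observe(self, s, o):
        return True

    def ring_modify(self, s, o):
        return self.i_obj[o] <= self.i_subj[s]

    # --- Low Water Mark Policy: reads allowed but drag the subject's level down ---
    def lwm_observe(self, s, o):
        """After reading o, i'(s) = min(i(s), i(o)); the drop is permanent for s,
        which is the monotonic-decrease problem noted on the slides."""
        self.i_subj[s] = min(self.i_subj[s], self.i_obj[o])
        return True

    def lwm_modify(self, s, o):
        return self.i_obj[o] <= self.i_subj[s]


def trojan_damage(modify_rule, system, program, objects):
    """Objects a given program may modify under a given modify rule (e.g.
    BibaSystem.strict_modify); a low-integrity program cannot reach high ones."""
    return sorted(o for o in objects if modify_rule(system, program, o))
```

Under all three policies the modify rule is the same; they differ only in what reading does to the subject. Strict forbids the read-down, Ring permits it without consequence (so the subject's later writes are trusted at full level), and LWM permits it but demotes the subject, after which its writes to high-integrity objects are refused.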
5.2 Authentication - Kerberos
- Kerberos: In Greek mythology, a many-headed dog, the guardian of the entrance of Hades (an otherworld where souls went after death; the Greek idea of the afterlife)
- Users wish to access services on servers
- Three threats exist (a workstation cannot be trusted to identify its users correctly to network services)
  - A user pretends to be another user
  - A user alters the network address of a workstation
  - A user eavesdrops on exchanges and uses a replay attack
- Authentication is the basis for most types of access control and accountability
- Two steps
  - Identification
  - Verification

Means of Authentication
- Traditionally listed as three factors
  - Something you know
    - Password, PIN
  - Something you have
    - Card, RFID badge
  - Something you are
    - Biometrics
- Kerberos provides a centralized authentication server whose function is to authenticate users to servers and servers to users; it is a trusted system from MIT
- Relies on symmetric encryption, making no use of public-key encryption
- Provides centralized symmetric third-party authentication in a distributed network
  - allows users to access services distributed through networks
  - without needing to trust all workstations
  - rather, all trust a central authentication server
- Currently there are two Kerberos versions
  - V4: restricted to a single realm (a Kerberos realm is a set of managed nodes that share the same Kerberos database)
  - V5: allows inter-realm authentication
  - V5 is an Internet standard: specified in RFC 1510, and used by many utilities
- To use Kerberos, you
  - need to have a KDC on your network
  - need to have Kerberised applications running on all participating systems
- Major problem - US export restrictions
  - Kerberos cannot be directly distributed outside the US in source format (crypto libraries must be re-implemented locally)
5.3 Firewall
- The term firewall has been around for quite some time and originally was used to define a barrier constructed to prevent the spread of fire from one part of a building or structure to another
- A network firewall provides a barrier between networks that prevents or denies unwanted or unauthorized traffic
- A Network Firewall is a system or group of systems used to control access between two networks: a trusted network and an untrusted network, using pre-configured rules or filters
- A device that provides secure connectivity between networks (internal/external; varying levels of trust)
- Used to implement and enforce a security policy for communication between networks
- Firewalls can be either hardware (stand-alone device) and/or software (installed on hosts) based
- Firewalls can be composed of a single router, multiple routers, a single host system or multiple hosts running firewall software, hardware appliances specifically designed to provide firewall services, or any combination
- They vary greatly in design, functionality, architecture, and cost
- A firewall is also called a Border Protection Device (BPD) in certain military contexts, where a firewall separates networks by creating perimeter networks in a DMZ ("Demilitarized Zone")
- A DMZ is a sub-network that contains an organization's external-facing services like Web services, Mail services, FTP services, etc.
- Firewall technology emerged in the late 1980s when the Internet was a fairly new technology in terms of its global use and connectivity.
- The original idea was formed in response to a number of major Internet security breaches which occurred in the late 1980s
Firewall Overview
- It is more feasible to secure a community of users by putting some control at the entrance rather than trying to secure every host
- This is done in the real world
  - Countries protect themselves at their borders
  - Neighborhoods are protected as a whole
- A firewall provides secured access between two networks
- When information moves from the Internet to the internal network, confidentiality is not an issue. However, integrity is.
  - The firewall must not accept messages that will cause servers to work incorrectly or to crash
- When information moves from the internal network to the Internet, confidentiality and integrity are both concerns.
  - The firewall must ensure that no confidential information goes to the Internet and that the information that reaches the Internet is correct
Firewall – Design Goals
- All traffic from outside to inside must pass through the firewall (physically blocking all access to the local network except via the firewall)
- Only authorized traffic (defined by the local security policy) will be allowed to pass
- The firewall itself is immune to penetration (use of a trusted system with a secure operating system)
Firewall - Features
- Port Control: allow some ports (e.g., 80 for a Web server, 25 for a mail server, 21 and 20 for an FTP server) and deny others
- Network Address Translation: translates the IP addresses of internal hosts to hide them from outside monitoring
- Application Monitoring
- Packet Filtering: rejects TCP/IP packets from unauthorized hosts and rejects connection attempts to unauthorized services
- Data encryption: confidentiality of outgoing packets
- Content Filtering: to block internal users from accessing certain types of content by category, such as hate group propaganda, pornography, etc.
- Virus Scanning
- Popup advertisement blocking/Spam protection
- Spyware protection
Types of Firewalls
- Firewall types can be categorized depending on
  1. The firewall methodology
  2. Whether the communication is being done between a single node and the network, or between two or more networks
  3. Whether the communication state is being tracked at the firewall or not
1. By the Firewall Methodology
  - Packet Filtering Firewall
  - Stateful Packet Inspection Firewall
  - Application Gateways/Proxies
  - Adaptive Proxies
  - Circuit Level Gateway
i. Packet Filtering Firewall
- A packet filtering firewall does exactly what its name implies - it filters packets.
- As each packet passes through the firewall (in both directions), it is examined and the information contained in the header is compared to a pre-configured set of rules or filters
- An allow or deny decision is made based on the results of the comparison
- A packet filtering firewall is often called a network layer firewall because the filtering is primarily done at the network layer or transport layer of the TCP/IP reference model
ii. Stateful Packet Inspection Firewall :- Stateful packet inspection uses the same fundamental packet screening technique that packet filtering does.
- In addition, it examines the packet header information from the network layer to the application layer to verify that the packet is part of a legitimate connection and the protocols are behaving as expected.
- This method can make decisions based on one or more of the following
  - Source IP address
  - Destination IP address
  - Protocol type (TCP/UDP)
  - Source port
  - Destination port
  - Connection state (derived from information gathered in previous packets)
- Stateful packet inspection compares the packets against the rules or filters and then checks the dynamic state table to verify that the packets are part of a valid, established connection
iii. Application Gateways/Proxies :- Acts as a relay of application-level traffic. This type of firewall operates at the application layer.
- The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints
iv. Adaptive Proxies :- Also known as dynamic proxies; developed as an enhanced form of application gateways/proxies, combining the merits of both application gateways/proxies and packet filtering.
v. Circuit Level Gateway :- It sets up two TCP connections; one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host
- The gateway typically relays TCP segments from one connection to the other without examining the contents
- The security function consists of determining which connections will be allowed
- Unlike a packet filtering firewall, a circuit-level gateway does not examine individual packets. Instead, circuit-level gateways monitor TCP or UDP sessions
- Once a session has been established, it leaves the port open to allow all other packets belonging to that session to pass. The port is closed when the session is terminated.
- It operates at the transport layer
2. With regard to the scope of filtered communications
- Done between a single node and the network, or between two or more networks
  - Personal Firewall, a software application which normally filters traffic entering or leaving a single computer
  - Network Firewall, normally running on a dedicated network device or computer positioned on the boundary of two or more networks
3. Whether the firewall keeps track of the state of network connections or treats each packet in isolation
  - Stateful firewall
  - Stateless firewall
a. Stateful firewall
- Keeps track of the state of network connections (such as TCP streams) travelling across it
- A stateful firewall is able to hold in memory significant attributes of each connection, from start to finish
- These attributes, which are collectively known as the state of the connection, may include such details as the IP addresses and ports involved in the connection and the sequence numbers of the packets traversing the connection
b. Stateless firewall
- Treats each network packet in isolation. Such a firewall has no way of knowing if any given packet is part of an existing connection or is trying to establish a new connection
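The difference between the packet filtering firewall (section i), the stateful packet inspection firewall (section ii) and the stateful/stateless distinction just above, as an added Python model that is not part of the original slides and does not represent any real firewall product. The rule set, addresses, ports and packets are constructed. The stateless filter decides on header fields alone; the stateful firewall applies the same rules to connection starts but then consults a dynamic state table keyed by the 5-tuple, so the reply to an allowed outbound connection passes without a broad inbound rule, while an unsolicited inbound packet that merely looks like a reply is dropped.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str                        # "TCP" or "UDP"
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()    # TCP flags present, e.g. {"SYN"}, {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    """One filter rule; '*' matches anything, IP fields may be CIDR networks."""
    action: str                       # "allow" or "deny"
    proto: str = "*"
    src_ip: str = "*"
    dst_ip: str = "*"
    src_port: object = "*"
    dst_port: object = "*"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("*", p.proto)
                and _ip_match(self.src_ip, p.src_ip)
                and _ip_match(self.dst_ip, p.dst_ip)
                and self.src_port in ("*", p.src_port)
                and self.dst_port in ("*", p.dst_port))


def _ip_match(spec: str, ip: str) -> bool:
    return spec == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def stateless_filter(rules, p: Packet, default="deny") -> str:
    """Packet filtering: header fields only, first matching rule wins, no memory."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default


class StatefulFirewall:
    """Stateful inspection: same rules for new connections, plus a dynamic state table."""

    def __init__(self, rules, default="deny"):
        self.rules = rules
        self.default = default
        self.table = set()            # 5-tuples of connections that were allowed to start

    @staticmethod
    def _key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def process(self, p: Packet) -> str:
        fwd, rev = self._key(p), self._reverse(p)
        if fwd in self.table or rev in self.table:
            # belongs to a tracked connection; FIN/RST tears the entry down
            if p.flags & {"FIN", "RST"}:
                self.table.discard(fwd)
                self.table.discard(rev)
            return "allow"
        if p.proto == "TCP" and p.flags != {"SYN"}:
            # not a connection start and not tracked: unsolicited, so it is dropped
            return self.default
        action = stateless_filter(self.rules, p, self.default)
        if action == "allow":
            self.table.add(fwd)
        return action
```

To let the same reply through, a purely stateless ruleset would need something like "allow TCP from any source port 80 inbound", which also admits any unsolicited packet that sets its source port to 80; that is the gap the state table closes.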
Firewall Location and Configuration
- A firewall can be internal or external
- An external firewall is placed at the edge of a local or enterprise network, just inside the boundary router that connects to the Internet
- One or more internal firewalls protect the bulk of the enterprise network
- Between these two types of firewalls are one or more networked devices in a region referred to as a DMZ (demilitarized zone) network
- Systems that are externally accessible but need some protection are usually located on DMZ networks. Typically, the systems in the DMZ require external connectivity, such as a corporate Web site, an e-mail server, or a DNS (domain name system) server
- The external firewall provides a measure of access control and protection for the DMZ systems consistent with their need for external connectivity
- The external firewall also provides a basic level of protection for the remainder of the enterprise network
- Internal firewalls serve three purposes
  1. The internal firewall adds more stringent filtering capability, compared to the external firewall, in order to protect enterprise servers and workstations from external attack
  2. The internal firewall provides two-way protection with respect to the DMZ. First, the internal firewall protects the remainder of the network from attacks launched from DMZ systems. Such attacks might originate from worms, bots, or other malware lodged in a DMZ system. Second, an internal firewall can protect the DMZ systems from attack from the internal protected network
  3. Multiple internal firewalls can be used to protect portions of the internal network from each other. For example, firewalls can be configured so that internal servers are protected from internal workstations and vice versa
- Distributed Firewalls
  - A distributed firewall configuration involves stand-alone firewall devices plus host-based firewalls working together under a central administrative control
- Virtual Private Networks
  - A VPN consists of a set of computers that are interconnected by means of a relatively unsecured network and that make use of encryption and special protocols to provide security
  - At each corporate site, workstations, servers, and databases are linked by one
  - There are three different protocols that are used to create VPNs: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security (IPsec)
5.4 Intrusion Detection/Prevention
- Firewalls generally don't detect internal attacks or attacks once the system is compromised
- An Intrusion Detection System gathers and analyzes information from various areas within a computer or a network to identify possible security breaches
- An intrusion detection system, therefore, is a tool that monitors network traffic for potential intrusions that may indicate malicious activity or a breach of policies.
- It detects both intrusions and misuse
- Intrusion detection functions include
  - Monitoring and analyzing both user and system activities
  - Analyzing system configurations and vulnerabilities
  - Assessing system and file integrity
  - Ability to recognize patterns typical of attacks
  - Analysis of abnormal activity patterns
  - Tracking user policy violations
- IDS Categorization
  - There are a number of ways in which Intrusion Detection Systems can be categorized
    - Misuse detection versus anomaly detection
    - Passive systems versus reactive systems
    - Network-based systems versus host-based systems
- Misuse Detection vs. Anomaly Detection
  - An IDS that uses misuse detection analyzes the information it gathers and compares it to large databases of attack signatures (IDS signatures); similar to a virus-detection system
  - Anomaly detection tries to detect intrusion attempts and notify the administrator
    - The system looks for any anomalous behavior; any activity that does not match the pattern of normal user access is noted and logged
  - With an anomaly-based IDS, it can take some time to create what is considered "normal" activity patterns. While these activity patterns are being established, a high rate of false alarms may be experienced.
  - Note also that, if the network already contains malicious code, then the activity of this code would be considered normal
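Misuse (signature) detection and anomaly detection side by side, as an added Python example that is not part of the original slides. The log format, the two signatures, the users, addresses and paths, and the training and test periods are all constructed for the example. The baseline learns each user's usual resources and per-minute request rate; the anomaly detector then flags a never-seen path and a rate spike, while the signature matcher flags a directory-traversal string regardless of any baseline. The test also reproduces the caveat on the slide: if the malicious activity is present during the training period, the anomaly detector treats it as normal and only the signature catches it.

```python
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Constructed log line format (not any real product's):
#   m=<minute> user=<name> src=<ip> path=<requested resource>
LINE_RE = re.compile(r"m=(\d+) user=(\w+) src=(\S+) path=(\S+)")

# Misuse detection: a tiny constructed signature database
SIGNATURES = {
    "dir_traversal": re.compile(r"\.\./"),
    "sqli_probe": re.compile(r"(?i)union\s+select|'\s*or\s*'?1'?\s*=\s*'?1"),
}


def parse(line):
    """Return (minute, user, src, path) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    minute, user, src, path = m.groups()
    return int(minute), user, src, path


def misuse_detect(lines):
    """Compare every record against the signature database."""
    return [(name, line) for line in lines
            for name, pat in SIGNATURES.items() if pat.search(line)]


def build_baseline(training_lines):
    """Learn 'normal': the paths each user touches and their per-minute request rate."""
    paths = defaultdict(set)
    per_minute = defaultdict(Counter)
    for rec in map(parse, training_lines):
        if rec is None:
            continue
        minute, user, _src, path = rec
        paths[user].add(path)
        per_minute[user][minute] += 1
    rates = {u: (mean(c.values()), pstdev(c.values())) for u, c in per_minute.items()}
    return {"paths": dict(paths), "rates": rates}


def anomaly_detect(baseline, lines, k=3.0):
    """Flag activity that departs from the learned baseline."""
    alerts = []
    per_minute = defaultdict(Counter)
    for rec in map(parse, lines):
        if rec is None:
            continue
        minute, user, _src, path = rec
        if path not in baseline["paths"].get(user, set()):
            alerts.append(("novel_path", user, path))
        per_minute[user][minute] += 1
    for user, counts in per_minute.items():
        mu, sigma = baseline["rates"].get(user, (0.0, 0.0))
        threshold = mu + k * max(sigma, 1.0)   # floor so a zero-variance baseline still works
        for minute, n in counts.items():
            if n > threshold:
                alerts.append(("rate_spike", user, f"m={minute} n={n}"))
    return alerts


# Constructed training period: ten quiet minutes of routine access
TRAINING = []
for _m in range(10):
    TRAINING += [f"m={_m} user=alice src=10.0.0.7 path=/reports",
                 f"m={_m} user=alice src=10.0.0.7 path=/home",
                 f"m={_m} user=alice src=10.0.0.7 path=/reports",
                 f"m={_m} user=bob src=10.0.0.8 path=/wiki",
                 f"m={_m} user=bob src=10.0.0.8 path=/wiki"]

# Constructed test period: one signature hit, two novel paths and one rate spike
TEST = [
    "m=10 user=alice src=10.0.0.7 path=/reports",
    "m=10 user=alice src=10.0.0.7 path=/admin/config",
    "m=10 user=bob src=10.0.0.8 path=/wiki",
    "m=10 user=bob src=10.0.0.8 path=/wiki/../../etc/passwd",
] + ["m=11 user=bob src=10.0.0.8 path=/wiki" for _ in range(20)]
```

The threshold floor of one request per minute is a design choice: a baseline learned from perfectly regular traffic has zero variance, and without the floor any change at all would be a "spike", which is the high false-alarm rate the slide warns about during the learning phase.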
- Passive Systems vs. Reactive Systems
  - In a passive system, the IDS detects a potential security breach, logs the information, and signals an alert.
  - In a reactive system, the IDS responds to the suspicious activity by logging off a user or reprogramming the firewall to block network traffic from the suspected malicious source
- Network-Based System vs. Host-Based System
  - In a network-based system, the individual packets flowing through a network are analyzed
    - This system can detect malicious packets that are designed to be overlooked by a firewall's simplistic filtering rules
  - In a host-based system, the activity of each individual computer or host is examined
IDS Approaches
- Preemptive Blocking
  - This approach seeks to prevent intrusions before they occur
  - This is done by noting any danger signs of impending threats and then blocking the user or IP address from which these signs originate.
  - For example, if a particular IP address is the source of frequent port scans and other scans of a system, then block that IP address at the firewall
- Intrusion Deflection
  - An attempt is made to attract the intruder to a subsystem set up for the purpose of observing her/him.
  - This is done by tricking the intruder into believing that s/he has succeeded in accessing system resources when, in fact, s/he has been directed to a specially designed environment
  - This is often done by using what is commonly referred to as a honey pot
  - A honey pot assumes that an attacker is able to breach the network security
  - A honey pot achieves two goals. First, it will take the attacker's attention away from the data to be protected.
  - Second, it will provide interesting and valuable data, thus leading the attacker to stay connected to the fake server, giving time to try and track the
