0% found this document useful (0 votes)
19 views38 pages

Chapter 3 - 2 2018

The document discusses security techniques focusing on access control and firewalls. Access control involves authentication, authorization, and auditing to prevent unauthorized resource use, while firewalls protect networks from external threats by controlling traffic based on predefined security policies. Various types of firewalls and access control models, such as Discretionary Access Control (DAC) and Role-based Access Control (RBAC), are also detailed.

Uploaded by

shemse
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
19 views38 pages

Chapter 3 - 2 2018

The document discusses security techniques focusing on access control and firewalls. Access control involves authentication, authorization, and auditing to prevent unauthorized resource use, while firewalls protect networks from external threats by controlling traffic based on predefined security policies. Various types of firewalls and access control models, such as Discretionary Access Control (DAC) and Role-based Access Control (RBAC), are also detailed.

Uploaded by

shemse
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 38

Security Techniques

Chapter 3.2

Prepared by: Dr. Oliver 1


Topics
1. Access Control
2. Firewall

Prepared by: Dr. Oliver 2


Access Control
• The prevention of unauthorized use of a
resource, including the prevention of use of a
resource in an unauthorized manner.
• It implements a security policy that specifies
who or what may have access to each specific
system resource and the type of access that is
permitted in each instance.

Prepared by: Dr. Oliver 3


Prepared by: Dr. Oliver 4
Access Control principles
• Authentication – verification that the
credentials of a user or other system entity are
valid.
• Authorization – the granting of a right or
permission to a system entity to access a
system resource.
• Audit – an independent review or examination
of system records and activities in order to
test for adequacy of system controls.
Prepared by: Dr. Oliver 5
Elements
• Subject – an entity capable of accessing
objects.
– Owner, Group, World
• Objects – a resource to which access is
controlled.
– Records, files, directories, messages and programs
• Access rights – the way in which a subject may
access an object.
– Read, write, execute, delete, create, search

Prepared by: Dr. Oliver 6


Access Control Policies

Prepared by: Dr. Oliver 7


a. Discretionary Access Control (DAC)
• A general approach to DAC, as exercised by an
OS, is that of an access matrix.
• One dimension of the matrix consists of
identified subjects that may attempt data
access to the resource.
• The other dimension lists the objects that may
be accessed.

Prepared by: Dr. Oliver 8


Prepared by: Dr. Oliver 9
Example: UNIX file access control

Prepared by: Dr. Oliver 10


b. Role-based Accessed Control (RBAC)
• RBAC is based on the roles that users assume
in a system rather than the user’s identity.
• RBAC models defines a role as a job function
within an organization.
• RBAC systems assign access rights to roles
instead of individual users.

Prepared by: Dr. Oliver 11


Prepared by: Dr. Oliver 12
Prepared by: Dr. Oliver 13
Prepared by: Dr. Oliver 14
Example
Role Application Access Right
President Payroll System *
Vice-President *
Finance Manager *
Payroll Head r, w, x
Clerk r, x

Prepared by: Dr. Oliver 15


Firewall
Aim is to protect the network premises from
Internet-based attacks and provide a single
choke point where security and auditing can
be imposed.
• All traffic from inside to outside, and vice
versa, must pass through the firewall.
• Only authorized traffic, as defined by the local
security policy, will be allowed to pass.
• The firewall itself is immune to penetration.
Prepared by: Dr. Oliver 16
Firewall techniques to control access
• Service control – determines the types of
internet services that can be accessed, inbound
or outbound.
• Direction control – determines the direction in
which particular service requests may be initiated
and allowed to flow through the firewall.
• User control – controls access to a service
according to which user is attempting to access it.
• Behavior control – controls how particular service
are used.
Prepared by: Dr. Oliver 17
Types of Firewalls
• Packet filtering
• Stateful inspection
• Application proxy
• Circuit-level proxy

Prepared by: Dr. Oliver 18


Prepared by: Dr. Oliver 19
a. Packet filtering firewall
- Applies a set of rules to each incoming and
outgoing IP packet and then forwards/ discard

Prepared by: Dr. Oliver 20


Prepared by: Dr. Oliver 21
Prepared by: Dr. Oliver 22
b. Stateful Inspection firewall
• Creates a directory of outbound TCP
connections.
• There is an entry for each established
connection.
• Packet filter will now allow incoming traffic to
high-numbered ports only for those packets
that fit the profile of one of the entries in this
directory.

Prepared by: Dr. Oliver 23


Prepared by: Dr. Oliver 24
c. Application-Level gateway
• Also called application proxy, acts as a relay of
application-level traffic.
• User contacts the gateway using a TCP/IP
application (Telnet, FTP). Gateway asks the user
for the name of the remote host to be accessed.
• User provides a valid user ID and authentication
information. Gateway contacts the application on
the remote host and relays TCP segments

Prepared by: Dr. Oliver 25


d. Circuit-Level Gateway
• Also called circuit-level proxy.
• It does not permit an end-to-end TCP connection.
• Gateway setups two connections: one between
itself and a TCP user on an inner host. And one
between itself and a TCP user in an outside host.
• Once the two connections were established, the
gateway typically relays TCP segments without
examining the contents.
• The security is to determine which connections
should be allowed.
Prepared by: Dr. Oliver 26
Firewall basing
• It is common to base firewall on a stand-alone
machine running a common operating system,
such as UNIX or Linux.
• Firewall functionality can also be implemented
as a software module in a router or LAN
switch.

Prepared by: Dr. Oliver 27


a. Bastion Host
• A bastion host is a system identified by the
firewall administrator as a critical strong point
in the network’s security.
• Typically, the bastion serves as a platform for
an application-level or circuit-level gateway.
• Only the services that the network
administrator considers essential are installed
on the bastion host. This could include proxy
applications for DNS, FTP, HTTP and SMTP.
Prepared by: Dr. Oliver 28
b. Host-based Firewalls
• It is a software module used to secure an
individual host.
• Such module are available in many OS or can be
provided as an add-on package.
• Like conventional stand-alone firewalls, host-
resident firewalls filter and restrict the flow of
packets.
• A common location of such firewalls is a server.

Prepared by: Dr. Oliver 29


c. Personal firewall
• It is a software module that controls the traffic
between a personal computer on one side and
the Internet/ network on the other side.
• In a home environment with multiple
computers connected to the Internet, firewall
can be housed in a router that connects all
computers.
• Its primary role is to deny unauthorized
remote access to the computer.
Prepared by: Dr. Oliver 30
Firewall location and configurations
• A firewall is positioned to provide a protective
barrier between an external (potentially
untrusted) source of traffic and an internal
network.
• A security administrator must decide on the
location and on the number of firewalls
needed.

Prepared by: Dr. Oliver 31


a. DMZ network
• An external firewall is placed at the edge of the
LAN and one or more internal firewalls protect
the bulk of the enterprise network.
• Between these two types of firewalls are one or
more network devices in a region referred to as
DMZ (demilitarized zone) network.
• Systems that are externally accessible but need
some protections are usually located at DMZ
networks (Web site, e-mail server or DNS server).
Prepared by: Dr. Oliver 32
Prepared by: Dr. Oliver 33
b. Virtual Private Networks (VPN)
• A VPN consists of a set of computers that
interconnect by unsecure network and make use of
encryption and special protocols for security.
• The encryption may be performed by the firewall
software or routers.
• Most common protocol mechanism used by VPN is
IPSec (operate in network devices).
• IPSec encrypt and compress all traffic going into the
WAN and do the reverse for the traffic coming from
the WAN.
Prepared by: Dr. Oliver 34
Prepared by: Dr. Oliver 35
c. Distributed firewalls
• Involves stand-alone firewall devices plus host-
based firewalls working together under a
central administrative control.
• Administrators can configure host-resident
firewalls on hundreds of servers and
workstations as well as personal firewall on
remote users.

Prepared by: Dr. Oliver 36


Prepared by: Dr. Oliver 37
END

Prepared by: Dr. Oliver 38

You might also like