The document discusses security techniques focusing on access control and firewalls. Access control involves authentication, authorization, and auditing to prevent unauthorized resource use, while firewalls protect networks from external threats by controlling traffic based on predefined security policies. Various types of firewalls and access control models, such as Discretionary Access Control (DAC) and Role-based Access Control (RBAC), are also detailed.
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0 ratings0% found this document useful (0 votes)
19 views38 pages
Chapter 3 - 2 2018
The document discusses security techniques focusing on access control and firewalls. Access control involves authentication, authorization, and auditing to prevent unauthorized resource use, while firewalls protect networks from external threats by controlling traffic based on predefined security policies. Various types of firewalls and access control models, such as Discretionary Access Control (DAC) and Role-based Access Control (RBAC), are also detailed.
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 38
Security Techniques
Chapter 3.2
Prepared by: Dr. Oliver 1
Topics 1. Access Control 2. Firewall
Prepared by: Dr. Oliver 2
Access Control • The prevention of unauthorized use of a resource, including the prevention of use of a resource in an unauthorized manner. • It implements a security policy that specifies who or what may have access to each specific system resource and the type of access that is permitted in each instance.
Prepared by: Dr. Oliver 3
Prepared by: Dr. Oliver 4 Access Control principles • Authentication – verification that the credentials of a user or other system entity are valid. • Authorization – the granting of a right or permission to a system entity to access a system resource. • Audit – an independent review or examination of system records and activities in order to test for adequacy of system controls. Prepared by: Dr. Oliver 5 Elements • Subject – an entity capable of accessing objects. – Owner, Group, World • Objects – a resource to which access is controlled. – Records, files, directories, messages and programs • Access rights – the way in which a subject may access an object. – Read, write, execute, delete, create, search
Prepared by: Dr. Oliver 6
Access Control Policies
Prepared by: Dr. Oliver 7
a. Discretionary Access Control (DAC) • A general approach to DAC, as exercised by an OS, is that of an access matrix. • One dimension of the matrix consists of identified subjects that may attempt data access to the resource. • The other dimension lists the objects that may be accessed.
Prepared by: Dr. Oliver 8
Prepared by: Dr. Oliver 9 Example: UNIX file access control
Prepared by: Dr. Oliver 10
b. Role-based Accessed Control (RBAC) • RBAC is based on the roles that users assume in a system rather than the user’s identity. • RBAC models defines a role as a job function within an organization. • RBAC systems assign access rights to roles instead of individual users.
Prepared by: Dr. Oliver 11
Prepared by: Dr. Oliver 12 Prepared by: Dr. Oliver 13 Prepared by: Dr. Oliver 14 Example Role Application Access Right President Payroll System * Vice-President * Finance Manager * Payroll Head r, w, x Clerk r, x
Prepared by: Dr. Oliver 15
Firewall Aim is to protect the network premises from Internet-based attacks and provide a single choke point where security and auditing can be imposed. • All traffic from inside to outside, and vice versa, must pass through the firewall. • Only authorized traffic, as defined by the local security policy, will be allowed to pass. • The firewall itself is immune to penetration. Prepared by: Dr. Oliver 16 Firewall techniques to control access • Service control – determines the types of internet services that can be accessed, inbound or outbound. • Direction control – determines the direction in which particular service requests may be initiated and allowed to flow through the firewall. • User control – controls access to a service according to which user is attempting to access it. • Behavior control – controls how particular service are used. Prepared by: Dr. Oliver 17 Types of Firewalls • Packet filtering • Stateful inspection • Application proxy • Circuit-level proxy
Prepared by: Dr. Oliver 18
Prepared by: Dr. Oliver 19 a. Packet filtering firewall - Applies a set of rules to each incoming and outgoing IP packet and then forwards/ discard
Prepared by: Dr. Oliver 20
Prepared by: Dr. Oliver 21 Prepared by: Dr. Oliver 22 b. Stateful Inspection firewall • Creates a directory of outbound TCP connections. • There is an entry for each established connection. • Packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
Prepared by: Dr. Oliver 23
Prepared by: Dr. Oliver 24 c. Application-Level gateway • Also called application proxy, acts as a relay of application-level traffic. • User contacts the gateway using a TCP/IP application (Telnet, FTP). Gateway asks the user for the name of the remote host to be accessed. • User provides a valid user ID and authentication information. Gateway contacts the application on the remote host and relays TCP segments
Prepared by: Dr. Oliver 25
d. Circuit-Level Gateway • Also called circuit-level proxy. • It does not permit an end-to-end TCP connection. • Gateway setups two connections: one between itself and a TCP user on an inner host. And one between itself and a TCP user in an outside host. • Once the two connections were established, the gateway typically relays TCP segments without examining the contents. • The security is to determine which connections should be allowed. Prepared by: Dr. Oliver 26 Firewall basing • It is common to base firewall on a stand-alone machine running a common operating system, such as UNIX or Linux. • Firewall functionality can also be implemented as a software module in a router or LAN switch.
Prepared by: Dr. Oliver 27
a. Bastion Host • A bastion host is a system identified by the firewall administrator as a critical strong point in the network’s security. • Typically, the bastion serves as a platform for an application-level or circuit-level gateway. • Only the services that the network administrator considers essential are installed on the bastion host. This could include proxy applications for DNS, FTP, HTTP and SMTP. Prepared by: Dr. Oliver 28 b. Host-based Firewalls • It is a software module used to secure an individual host. • Such module are available in many OS or can be provided as an add-on package. • Like conventional stand-alone firewalls, host- resident firewalls filter and restrict the flow of packets. • A common location of such firewalls is a server.
Prepared by: Dr. Oliver 29
c. Personal firewall • It is a software module that controls the traffic between a personal computer on one side and the Internet/ network on the other side. • In a home environment with multiple computers connected to the Internet, firewall can be housed in a router that connects all computers. • Its primary role is to deny unauthorized remote access to the computer. Prepared by: Dr. Oliver 30 Firewall location and configurations • A firewall is positioned to provide a protective barrier between an external (potentially untrusted) source of traffic and an internal network. • A security administrator must decide on the location and on the number of firewalls needed.
Prepared by: Dr. Oliver 31
a. DMZ network • An external firewall is placed at the edge of the LAN and one or more internal firewalls protect the bulk of the enterprise network. • Between these two types of firewalls are one or more network devices in a region referred to as DMZ (demilitarized zone) network. • Systems that are externally accessible but need some protections are usually located at DMZ networks (Web site, e-mail server or DNS server). Prepared by: Dr. Oliver 32 Prepared by: Dr. Oliver 33 b. Virtual Private Networks (VPN) • A VPN consists of a set of computers that interconnect by unsecure network and make use of encryption and special protocols for security. • The encryption may be performed by the firewall software or routers. • Most common protocol mechanism used by VPN is IPSec (operate in network devices). • IPSec encrypt and compress all traffic going into the WAN and do the reverse for the traffic coming from the WAN. Prepared by: Dr. Oliver 34 Prepared by: Dr. Oliver 35 c. Distributed firewalls • Involves stand-alone firewall devices plus host- based firewalls working together under a central administrative control. • Administrators can configure host-resident firewalls on hundreds of servers and workstations as well as personal firewall on remote users.