Security Techniques
Chapter 3.2
Prepared by: Dr. Oliver 1
Topics
1. Access Control
2. Firewall
Access Control
• The prevention of unauthorized use of a
resource, including the prevention of use of a
resource in an unauthorized manner.
• It implements a security policy that specifies
who or what may have access to each specific
system resource and the type of access that is
permitted in each instance.
Access Control principles
• Authentication – verification that the
credentials of a user or other system entity are
valid.
• Authorization – the granting of a right or
permission to a system entity to access a
system resource.
• Audit – an independent review or examination
of system records and activities in order to
test for adequacy of system controls.
Elements
• Subject – an entity capable of accessing
objects.
– Owner, Group, World
• Object – a resource to which access is
controlled.
– Records, files, directories, messages and programs
• Access rights – the way in which a subject may
access an object.
– Read, write, execute, delete, create, search
Access Control Policies
a. Discretionary Access Control (DAC)
• A general approach to DAC, as exercised by an
OS, is that of an access matrix.
• One dimension of the matrix consists of
identified subjects that may attempt data
access to the resource.
• The other dimension lists the objects that may
be accessed.
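The access matrix described above, as an added example that is not part of the original slides. It goes one step further and reads the matrix by column (an access control list per object) and by row (a capability list per subject). The subjects, the objects and the "own" right are assumptions made for illustration.

```python
from collections import defaultdict

class AccessMatrix:
    def __init__(self):
        # matrix[subject][object] -> set of access rights
        self._m = defaultdict(lambda: defaultdict(set))

    def set_owner(self, subject, obj):
        # "own" is an assumed right that marks who may grant access.
        self._m[subject][obj].add("own")

    def check(self, subject, obj, right):
        # .get() keeps a lookup from creating empty cells in the matrix.
        return right in self._m.get(subject, {}).get(obj, set())

    def grant(self, grantor, subject, obj, right):
        # Discretionary: only a subject holding "own" on the object may grant.
        if not self.check(grantor, obj, "own"):
            raise PermissionError(f"{grantor} does not own {obj}")
        self._m[subject][obj].add(right)

    def acl(self, obj):
        # Column view: every subject with at least one right on this object.
        return {s: set(row[obj]) for s, row in self._m.items() if row.get(obj)}

    def capabilities(self, subject):
        # Row view: every object this subject holds at least one right on.
        return {o: set(r) for o, r in self._m.get(subject, {}).items() if r}

def build_example():
    # Constructed subjects and objects.
    m = AccessMatrix()
    m.set_owner("alice", "payroll.db")
    m.grant("alice", "alice", "payroll.db", "read")
    m.grant("alice", "alice", "payroll.db", "write")
    m.grant("alice", "bob", "payroll.db", "read")
    m.set_owner("bob", "notes.txt")
    m.grant("bob", "bob", "notes.txt", "read")
    return m
```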
Example: UNIX file access control
b. Role-based Access Control (RBAC)
• RBAC is based on the roles that users assume
in a system rather than the user’s identity.
• RBAC models define a role as a job function
within an organization.
• RBAC systems assign access rights to roles
instead of individual users.
Example
Role            | Application    | Access Right
President       | Payroll System | *
Vice-President  |                | *
Finance Manager |                | *
Payroll Head    |                | r, w, x
Clerk           |                | r, x
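An RBAC check built from the role table above, as an added example that is not part of the original slides. It assumes that the "Payroll System" cell applies to every row and that "*" is a wildcard for every access right; the user names are constructed.

```python
# Role -> application -> rights, transcribed from the table above.
# Assumptions: the "Payroll System" cell applies to every row, and "*"
# is a wildcard meaning every access right.
ROLE_RIGHTS = {
    "President":       {"Payroll System": {"*"}},
    "Vice-President":  {"Payroll System": {"*"}},
    "Finance Manager": {"Payroll System": {"*"}},
    "Payroll Head":    {"Payroll System": {"r", "w", "x"}},
    "Clerk":           {"Payroll System": {"r", "x"}},
}

# User -> roles. These users are constructed for the example.
USER_ROLES = {
    "maria": {"Payroll Head"},
    "jun":   {"Clerk"},
    "ana":   {"Finance Manager"},
}

def rights_for(user, application, user_roles=USER_ROLES):
    """Union of the rights of every role the user holds; empty if none."""
    rights = set()
    for role in user_roles.get(user, ()):
        rights |= ROLE_RIGHTS.get(role, {}).get(application, set())
    return rights

def is_allowed(user, application, right, user_roles=USER_ROLES):
    """Default deny: unknown users, roles and applications get nothing."""
    rights = rights_for(user, application, user_roles)
    return "*" in rights or right in rights

def reassign(user, roles, user_roles=USER_ROLES):
    """Return a new user->roles map; access follows the role, not the user."""
    updated = dict(user_roles)
    updated[user] = set(roles)
    return updated
```

Moving a user to another role changes what they can do without editing any per-user permission, which is the point of assigning rights to roles.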
Firewall
The aim is to protect the network premises from
Internet-based attacks and to provide a single
choke point where security and auditing can
be imposed.
• All traffic from inside to outside, and vice
versa, must pass through the firewall.
• Only authorized traffic, as defined by the local
security policy, will be allowed to pass.
• The firewall itself is immune to penetration.
Firewall techniques to control access
• Service control – determines the types of
internet services that can be accessed, inbound
or outbound.
• Direction control – determines the direction in
which particular service requests may be initiated
and allowed to flow through the firewall.
• User control – controls access to a service
according to which user is attempting to access it.
• Behavior control – controls how particular services
are used.
Types of Firewalls
• Packet filtering
• Stateful inspection
• Application proxy
• Circuit-level proxy
a. Packet filtering firewall
• Applies a set of rules to each incoming and
outgoing IP packet and then forwards or discards it.
b. Stateful Inspection firewall
• Creates a directory of outbound TCP
connections.
• There is an entry for each established
connection.
• The packet filter will now allow incoming traffic to
high-numbered ports only for those packets
that fit the profile of one of the entries in this
directory.
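The connection directory described above, next to the rule a plain packet filter would need, as an added example that is not part of the original slides. The addresses, the protected network and the allow-all outbound policy are assumptions; creating the entry on the outbound SYN is a simplification of "established".

```python
import ipaddress
from typing import NamedTuple

INSIDE = ipaddress.ip_network("192.0.2.0/24")  # assumption: protected network
HIGH_PORT = 1024                               # ports >= 1024 count as high-numbered

class Packet(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset = frozenset()             # TCP flags, e.g. {"SYN", "ACK"}

def stateless_allows_inbound(pkt):
    # A plain packet filter cannot tell replies from unsolicited traffic, so it
    # has to admit every inbound segment addressed to a high-numbered port.
    return pkt.dst_port >= HIGH_PORT

class StatefulFirewall:
    def __init__(self):
        # Directory of outbound connections: (in_ip, in_port, out_ip, out_port)
        self.connections = set()

    def outbound(self, pkt):
        # Simplification: the entry is created on the outbound SYN instead of
        # after the full three-way handshake.
        if ipaddress.ip_address(pkt.src_ip) in INSIDE and "SYN" in pkt.flags:
            self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
        return True                            # assumption: outbound is allowed

    def inbound(self, pkt):
        if pkt.dst_port < HIGH_PORT:
            return False                       # no inbound services in this sketch
        entry = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if entry not in self.connections:
            return False                       # fits no entry in the directory
        if pkt.flags & {"FIN", "RST"}:
            self.connections.discard(entry)    # connection closing: drop the entry
        return True

def demo():
    # Constructed packets (RFC 5737 documentation addresses).
    fw = StatefulFirewall()
    fw.outbound(Packet("192.0.2.10", 50123, "198.51.100.7", 443, frozenset({"SYN"})))
    reply = Packet("198.51.100.7", 443, "192.0.2.10", 50123, frozenset({"SYN", "ACK"}))
    other = Packet("203.0.113.9", 443, "192.0.2.10", 50124, frozenset({"ACK"}))
    stateless = (stateless_allows_inbound(reply), stateless_allows_inbound(other))
    stateful = (fw.inbound(reply), fw.inbound(other))
    return stateless, stateful
```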
c. Application-Level gateway
• Also called application proxy, acts as a relay of
application-level traffic.
• User contacts the gateway using a TCP/IP
application (Telnet, FTP). Gateway asks the user
for the name of the remote host to be accessed.
• User provides a valid user ID and authentication
information. Gateway contacts the application on
the remote host and relays TCP segments
d. Circuit-Level Gateway
• Also called circuit-level proxy.
• It does not permit an end-to-end TCP connection.
• The gateway sets up two connections: one between
itself and a TCP user on an inner host, and one
between itself and a TCP user on an outside host.
• Once the two connections are established, the
gateway typically relays TCP segments without
examining the contents.
• The security function is to determine which connections
should be allowed.
Firewall basing
• It is common to base a firewall on a stand-alone
machine running a common operating system,
such as UNIX or Linux.
• Firewall functionality can also be implemented
as a software module in a router or LAN
switch.
a. Bastion Host
• A bastion host is a system identified by the
firewall administrator as a critical strong point
in the network’s security.
• Typically, the bastion serves as a platform for
an application-level or circuit-level gateway.
• Only the services that the network
administrator considers essential are installed
on the bastion host. This could include proxy
applications for DNS, FTP, HTTP and SMTP.
b. Host-based Firewalls
• It is a software module used to secure an
individual host.
• Such modules are available in many OSs or can be
provided as an add-on package.
• Like conventional stand-alone firewalls, host-
resident firewalls filter and restrict the flow of
packets.
• A common location of such firewalls is a server.
c. Personal firewall
• It is a software module that controls the traffic
between a personal computer on one side and
the Internet/network on the other side.
• In a home environment with multiple
computers connected to the Internet, the firewall
can be housed in a router that connects all
computers.
• Its primary role is to deny unauthorized
remote access to the computer.
Firewall location and configurations
• A firewall is positioned to provide a protective
barrier between an external (potentially
untrusted) source of traffic and an internal
network.
• A security administrator must decide on the
location and on the number of firewalls
needed.
a. DMZ network
• An external firewall is placed at the edge of the
LAN and one or more internal firewalls protect
the bulk of the enterprise network.
• Between these two types of firewalls are one or
more network devices in a region referred to as
DMZ (demilitarized zone) network.
• Systems that are externally accessible but need
some protection are usually located in DMZ
networks (Web site, e-mail server or DNS server).
b. Virtual Private Networks (VPN)
• A VPN consists of a set of computers that
interconnect by means of an unsecure network and make use of
encryption and special protocols for security.
• The encryption may be performed by the firewall
software or routers.
• The most common protocol mechanism used by VPNs is
IPSec (which operates in network devices).
• IPSec encrypts and compresses all traffic going into the
WAN and does the reverse for the traffic coming from
the WAN.
c. Distributed firewalls
• Involves stand-alone firewall devices plus host-
based firewalls working together under a
central administrative control.
• Administrators can configure host-resident
firewalls on hundreds of servers and
workstations as well as personal firewalls for
remote users.