2. Topics to be covered
Overview
Access control implementation
Types of access control
MAC & DAC
Orange Book
Authentication
Passwords
Biometrics
Tokens/SSO
Kerberos
Attacks/Vulnerabilities/Monitoring
IDS
Object reuse
TEMPEST
RAS access control
Penetration Testing
3. What is access control?
Access control is the heart of security
Definitions:
The ability to allow only authorized users, programs or processes access to a system or resource
The granting or denying, according to a particular security model, of certain permissions to access a resource
An entire set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules
4. Access control nomenclature
Authentication - Process through which one proves and verifies certain information
Identification - Process through which one ascertains the identity of another person or entity
Confidentiality - Protection of private data from unauthorized viewing
Integrity - Data is not corrupted or modified in any unauthorized manner
Availability - System is usable. Contrast with DoS.
5. How can AC be implemented?
Hardware
Software
Application
Protocol (Kerberos, IPSec)
Physical
Logical (policies)
6. What does AC hope to protect?
Data - Unauthorized viewing, modification or copying
System - Unauthorized use, modification or denial of service
It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) depends on a secure physical infrastructure
7. Proactive access control
Awareness training
Background checks
Separation of duties
Split knowledge
Policies
Data classification
Effective user registration
Termination procedures
Change control procedures
8. Physical access control
Guards
Locks
Mantraps
ID badges
CCTV, sensors, alarms
Biometrics
Fences
Card-key and tokens
Guard dogs
9. AC & privacy issues
Expectation of privacy
Policies
Monitoring activity, Internet usage, e-mail
Login banners should detail expectations of privacy and state levels of monitoring
10. Varied types of Access Control
Discretionary (DAC)
Mandatory (MAC)
Lattice/Role/Task
Formal models:
Biba
Clark/Wilson
Bell/LaPadula
Used set theory to define the concept of a secure state, the modes of access, and the rules for granting access.
11. Problems with formal models
Based on a static infrastructure
Defined and succinct policies
These do not work in corporate systems, which are extremely dynamic and constantly changing
None of the previous models deals with:
Viruses/active content
Trojan horses
Firewalls
Limited documentation on how to build these systems
12. MAC vs. DAC
Discretionary Access Control - You decide how you want to protect and share your data
Mandatory Access Control - The system decides how the data will be shared
13. Mandatory Access Control
Assigns sensitivity levels, labels
Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level
Only administrators, not object owners, may change an object's level
Generally more secure than DAC
Orange book B-level
Used in systems where security is critical, e.g., military
Hard to program for, configure & implement
14. Mandatory Access Control (Continued)
Performance penalty
Relies on the system to control access
Example: If a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file.
All output, i.e., print jobs, floppies, other magnetic media, must be labeled as to the sensitivity level
15. Discretionary Access Control
Access is restricted based on the authorization granted to the user
Orange book C-level
Prime use is to separate and protect users from unauthorized data
Used by Unix, NT, NetWare, Linux, Vines, etc.
Relies on the object owner to control access
16. Access control lists (ACL)
A file used by the access control system to determine who may access what programs and files, by what method and at what time
Different operating systems have different ACL terms
Types of access: Read/Write/Create/Execute/Modify/Delete/Rename
17. Orange Book
DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
For stand-alone systems only
18. Orange book levels
A - Verified protection
A1
Boeing SNS, Honeywell SCOMP
B - MAC
B1/B2/B3
C - DAC
C1/C2
D - Minimal security. Systems that have been evaluated, but failed
19. Bell-LaPadula
Formal description of allowable paths of information flow in a secure system
Used to define security requirements for systems handling data at different sensitivity levels
*-property - prevents write-down by preventing subjects with access to high-level data from writing that information to objects at a lower level
20. Bell-LaPadula
Model defines secure state
Access between subjects, objects in accordance with specific security policy
Model central to TCSEC (TCSEC is an implementation of the Bell-LaPadula model)
Bell-LaPadula model only applies to secrecy of information
Identifies paths that could lead to inappropriate disclosure
The next model covers more . . .
21. Biba Integrity Model
Biba model covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadula
Integrity levels cover inappropriate modification of data
Prevents unauthorized users from making modifications (1st goal of integrity)
Read Up, Write Down model - Subjects cannot read objects of lesser integrity, subjects cannot write to objects of higher integrity
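The secrecy rules of slides 14 and 19 (no read up, no write down) and the Biba integrity rules of slide 21 as one runnable reference check. This is an added example, not code from the original deck; the level names, the Subject/Obj types and the combined mac_allows() function are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# Linear lattices assumed for the example: the deck's sensitivity levels for
# Bell-LaPadula and three constructed integrity levels for Biba.
SENSITIVITY = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
INTEGRITY = {"low": 0, "medium": 1, "high": 2}

@dataclass(frozen=True)
class Subject:
    name: str
    clearance: str   # highest sensitivity the subject may read
    integrity: str   # how trustworthy the subject's input is

@dataclass(frozen=True)
class Obj:
    name: str
    sensitivity: str # label assigned by administrators, never by the owner (slide 13)
    integrity: str

def blp_allows(s: Subject, o: Obj, mode: str) -> bool:
    """Bell-LaPadula: no read up (simple security) and no write down (*-property)."""
    subj, obj = SENSITIVITY[s.clearance], SENSITIVITY[o.sensitivity]
    if mode == "read":
        return subj >= obj
    if mode == "write":
        return subj <= obj   # a 'secret' subject may not write into a 'confidential' file
    raise ValueError(f"unknown mode {mode!r}")

def biba_allows(s: Subject, o: Obj, mode: str) -> bool:
    """Biba: no read down, no write up; the mirror image of Bell-LaPadula."""
    subj, obj = INTEGRITY[s.integrity], INTEGRITY[o.integrity]
    if mode == "read":
        return subj <= obj   # reading less-trusted data would contaminate the subject
    if mode == "write":
        return subj >= obj   # a less-trusted subject may not modify trusted data
    raise ValueError(f"unknown mode {mode!r}")

def mac_allows(s: Subject, o: Obj, mode: str) -> bool:
    """A system labeled for both secrecy and integrity grants access only when both agree."""
    return blp_allows(s, o, mode) and biba_allows(s, o, mode)
```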
22. Clark & Wilson Model
An Integrity Model, like Biba
Addresses all 3 integrity goals
Prevents unauthorized users from making modifications
Maintains internal and external consistency
Prevents authorized users from making improper modifications
T - cannot be Tampered with while being changed
L - all changes must be Logged
C - Integrity of data is Consistent
23. Clark & Wilson Model
Proposes “Well Formed Transactions”
perform steps in order
perform exactly the steps listed
authenticate the individuals who perform the steps
Calls for separation of duty
24. Problems with the Orange Book
Based on an old model, Bell-LaPadula
Stand-alone, no way to network systems
Systems take a long time (1-2 years) to certify
Any changes (hot fixes, service packs, patches) break the certification
Has not adapted to changes in client-server and corporate computing
Certification is expensive
For the most part, not used outside of the government sector
25. Red Book
Used to extend the Orange Book to networks
Actually two works:
Trusted Network Interpretation of the TCSEC (NCSC-TG-005)
Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)
26. Authentication
3 types of authentication:
Something you know - Password, PIN, mother’s maiden name, passcode, fraternity chant
Something you have - ATM card, smart card, token, key, ID Badge, driver license, passport
Something you are - Fingerprint, voice scan, iris scan, retina scan, DNA
27. Multi-factor authentication
2-factor authentication - To increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication.
ATM card + PIN
Credit card + signature
PIN + fingerprint
Username + Password (NetWare, Unix, NT default)
3-factor authentication - For highest security
Username + Password + Fingerprint
Username + Passcode + SecurID token
28. Problems with passwords
Insecure - Given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
Easily broken - Programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily crack Unix, NetWare & NT passwords.
Dictionary attacks are only feasible because users choose easily guessed passwords!
Inconvenient - In an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember
Repudiable - Unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
29. Classic password rules
The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin
Don’t use:
common names, DOB, spouse, phone #, etc.
words found in dictionaries
“password” as a password
system defaults
30. Password management
Configure system to use strong passwords
Set password age and length limits
Limit unsuccessful logins
Limit concurrent connections
Enable auditing
Have policies for password resets and changes
Use last login dates in banners
31. Password Attacks
Brute force
l0phtcrack
Dictionary
Crack
John the Ripper
Trojan horse login program
32. Biometrics
Authenticating a user via human characteristics
Using measurable physical characteristics of a person to prove their identity
Fingerprint
Signature dynamics
Iris
Retina
Voice
Face
DNA, blood
33. Advantages of fingerprint-based biometrics
Can’t be lent like a physical key or token and can’t be forgotten like a password
Good compromise between ease of use, template size, cost and accuracy
Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
Basically lasts forever
Makes network login & authentication effortless
34. Biometric Disadvantages
Still relatively expensive per user
Companies & products are often new & immature
No common API or other standard
Some hesitancy for user acceptance
35. Biometric privacy issues
Tracking and surveillance - Ultimately, the ability to track a person's movement from hour to hour
Anonymity - Biometric links to databases could dissolve much of our anonymity when we travel and access services
Profiling - Compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs
36. Practical biometric applications
Network access control
Staff time and attendance tracking
Authorizing financial transactions
Government benefits distribution (Social Security, welfare, etc.)
Verifying identities at point of sale
Using in conjunction with ATM, credit or smart cards
Controlling physical access to office buildings or homes
Protecting personal property
Preventing kidnapping in schools, play areas, etc.
Protecting children from fatal gun accidents
38. Single sign-on
User has one password for all enterprise systems and applications
That way, one strong password can be remembered and used
All of a user’s accounts can be quickly created on hire, deleted on dismissal
Hard to implement and get working
Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509
39. Kerberos
Part of MIT’s Project Athena
Kerberos is an authentication protocol used for network-wide authentication
All software must be kerberized
Tickets, authenticators, key distribution center (KDC)
40. Kerberos roles
KDC divided into Authentication Server & Ticket Granting Server (TGS)
Authentication Server - authenticates the identities of entities on the network
TGS - Generates unique session keys between two parties. Parties then use these session keys for message encryption
41. Kerberos authentication
User must have an account on the KDC
KDC must be a trusted server in a secured location
The KDC shares a DES key with each user
When a user wants to access a host or application, they request a ticket from the KDC via klogin & generate an authenticator that validates the ticket
User provides ticket and authenticator to the application, which processes them for validity and will then grant access.
42. Problems with Kerberos
Each piece of software must be kerberized
Requires synchronized time clocks
Relies on UDP, which is often blocked by firewalls
Kerberos v4 binds tickets to a single network address for a host. Hosts with multiple NICs will have problems using tickets
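The ticket-and-authenticator exchange of slide 41, with the clock-skew check that is why slide 42 says Kerberos needs synchronized clocks, simulated end to end. This is an added example, not MIT's Kerberos code; the toy seal()/unseal() stands in for the DES encryption the deck mentions, and the key sizes, lifetimes and principal names are constructed assumptions.

```python
import hashlib, hmac, json, os
USER_KEY = os.urandom(32)    # shared KDC <-> user (derived from the password in Kerberos)
SVC_KEY = os.urandom(32)     # shared KDC <-> application server; the user never sees it
MAX_SKEW, TICKET_LIFE = 300, 8 * 3600   # seconds; constructed values
SEEN = set()                 # service-side replay cache of (user, authenticator time)

# Toy sealing (HMAC-SHA256 keystream + MAC tag); an assumption, not a real cipher.
def seal(key: bytes, msg: dict) -> bytes:
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ticket or authenticator was altered")
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def kdc_issue(user: str, service: str, now: int) -> bytes:
    """KDC: mint a session key, wrap it in a ticket only the service can open, reply under the user's key."""
    session = os.urandom(32).hex()
    ticket = seal(SVC_KEY, {"user": user, "service": service,
                            "session": session, "expires": now + TICKET_LIFE})
    return seal(USER_KEY, {"user": user, "session": session, "ticket": ticket.hex()})

def client_request(kdc_reply: bytes, now: int):
    """User: recover the session key and build a fresh authenticator for the ticket."""
    r = unseal(USER_KEY, kdc_reply)
    auth = seal(bytes.fromhex(r["session"]), {"user": r["user"], "time": now})
    return bytes.fromhex(r["ticket"]), auth

def service_accept(ticket: bytes, authenticator: bytes, now: int) -> bool:
    """Application server: validate the ticket, then check the presenter holds the session key."""
    try:
        t = unseal(SVC_KEY, ticket)
        a = unseal(bytes.fromhex(t["session"]), authenticator)
    except ValueError:
        return False
    if now > t["expires"] or a["user"] != t["user"]:
        return False
    if abs(now - a["time"]) > MAX_SKEW:      # why the clocks must be synchronized
        return False
    if (a["user"], a["time"]) in SEEN:       # a captured authenticator being replayed
        return False
    SEEN.add((a["user"], a["time"]))
    return True
```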
43. Attacks
Passive attack - Monitor network traffic and then use data obtained or perform a replay attack.
Hard to detect
Active attack - Attacker is actively trying to break in.
Exploit system vulnerabilities
Spoofing
Crypto attacks
Denial of service (DoS) - Not so much an attempt to gain access, rather to prevent system operation
Smurf, SYN Flood, Ping of death
Mail bombs
44. Vulnerabilities
Physical
Natural
Floods, earthquakes, terrorists, power outage, lightning
Hardware/Software
Media
Corrupt electronic media, stolen disk drives
Emanation
Communications
Human
Social engineering, disgruntled staff
46. Intrusion Detection Systems
IDS monitors system or network for attacks
IDS engine has a library and set of signatures that identify an attack
Adds defense in depth
Should be used in conjunction with a system scanner (CyberCop, ISS) for maximum security
47. Object reuse
Must ensure that magnetic media retain no remnants of previous data
Also applies to buffers, cache and other memory allocation
Required at TCSEC B2/B3/A1 level
Secure Deletion of Data from Magnetic and Solid-State Memory
Objects must be declassified
Magnetic media must be degaussed or have secure overwrites
48. TEMPEST
Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards.
TEMPEST certified equipment, which encases the hardware in a tight metal construct, shields the electromagnetic emanations
WANG Federal is the leading provider of TEMPEST hardware
TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
Rooms & buildings can be TEMPEST-certified
TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents
49. Banners
Banners display at login or connection stating that the system is for the exclusive use of authorized users and that their activity may be monitored
Not foolproof, but a good start, especially from a legal perspective
Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.
50. RAS access control
RADIUS (Remote Authentication Dial-In User Service) - client/server protocol & software that enables a RAS to communicate with a central server to authenticate dial-in users & authorize their access to requested systems
TACACS/TACACS+ (Terminal Access Controller Access Control System) - Authentication protocol that allows a RAS to forward a user’s logon password to an authentication server. TACACS is an unencrypted protocol and therefore less secure than the later TACACS+ and RADIUS protocols. A later version of TACACS is XTACACS (Extended TACACS).
51. Penetration Testing
Basically Improving the Security of Your Site by Breaking Into It, by Dan Farmer/Wietse Venema
http://www.fish.com/security/admin-guide-to-cracking.html
Identifies weaknesses in Internet, Intranet, Extranet, and RAS technologies
Discovery and footprint analysis
Exploitation
Physical Security Assessment
Social Engineering
52. Penetration Testing
Attempt to identify vulnerabilities and gain access to critical systems within the organization
Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
Assessments allow the client to demonstrate the need for additional security resources by translating existing vulnerabilities into real-life business risks
53. Rule of least privilege
One of the most fundamental principles of infosec
States that: Any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more.
An AC system that grants users only those rights necessary for them to perform their work
Limits exposure to attacks and the damage an attack can cause
Physical security example: car ignition key vs. door key
54. Implementing least privilege
Ensure that only a minimal set of users have root access
Don’t make a program run setuid to root if not needed. Rather, make the file group-writable to some group and make the program run setgid to that group instead of setuid to root
Don’t run insecure programs on the firewall or other trusted hosts
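The setuid-root versus setgid-group advice of slide 54 applied and then audited, as an added example that is not the deck's own code. It builds a constructed program and data file in a temporary directory, applies the group pattern with the caller's own group, and walks the tree for privileged bits; the file names and the 0o2755/0o664 modes are choices made for the illustration, and a POSIX system is assumed.

```python
import os, stat, tempfile

def apply_setgid_pattern(program: str, datafile: str, gid: int) -> None:
    """Let a program update a shared file through a dedicated group instead of setuid root:
    the data file becomes group-writable and the program runs setgid to that group."""
    os.chown(datafile, -1, gid)      # keep the owner, change only the group
    os.chmod(datafile, 0o664)        # rw-rw-r--: the group, not root, may write
    os.chown(program, -1, gid)
    os.chmod(program, 0o2755)        # rwxr-sr-x: setgid to the group, setuid bit cleared

def audit_privileged(root: str) -> list:
    """Report regular files under root carrying setuid or setgid bits; setuid-root is the
    case slide 54 says to avoid, so it gets its own flag."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            setuid = bool(st.st_mode & stat.S_ISUID)
            findings.append({"path": path, "setuid": setuid,
                             "setgid": bool(st.st_mode & stat.S_ISGID),
                             "setuid_root": setuid and st.st_uid == 0})
    return findings

def demo() -> dict:
    """Constructed sandbox: a 'report' program that starts out setuid, then gets the setgid pattern."""
    d = tempfile.mkdtemp()
    prog, data = os.path.join(d, "report"), os.path.join(d, "counters.db")
    with open(prog, "w") as fh:
        fh.write("#!/bin/sh\necho 'constructed program'\n")
    open(data, "w").close()
    os.chmod(prog, 0o4755)           # the anti-pattern: setuid bit on the program
    before = audit_privileged(d)
    apply_setgid_pattern(prog, data, os.getgid())
    after = audit_privileged(d)
    return {"before": before, "after": after,
            "data_mode": stat.S_IMODE(os.stat(data).st_mode)}
```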
55. Access Control Systems & Methodology
Any questions?
Files graciously shared by Ben Rothke.
Reformatted and edited for Slide presentation