Access Control Systems - PowerPoint PPT Presentation

1
Access Control Systems Methodology

2
Topics to be covered
  • Overview
  • Access control implementation
  • Types of access control
  • MAC vs. DAC
  • Orange Book
  • Authentication
  • Passwords
  • Biometrics
  • Tokens/SSO
  • Kerberos
  • Attacks/Vulnerabilities/Monitoring
  • IDS
  • Object reuse
  • TEMPEST
  • RAS access control
  • Penetration Testing

3
What is access control?
  • Access control is the heart of security
  • Definitions
  • The ability to allow only authorized users,
    programs or processes system or resource access
  • The granting or denying, according to a
    particular security model, of certain permissions
    to access a resource
  • An entire set of procedures performed by
    hardware, software and administrators, to monitor
    access, identify users requesting access, record
    access attempts, and grant or deny access based
    on pre-established rules.

4
Access control nomenclature
  • Authentication
  • Process through which one proves and verifies
    certain information
  • Identification
  • Process through which one ascertains the identity
    of another person or entity
  • Confidentiality
  • Protection of private data from unauthorized
    viewing
  • Integrity
  • Data is not corrupted or modified in any
    unauthorized manner
  • Availability
  • System is usable. Contrast with DoS.

5
How can AC be implemented?
  • Hardware
  • Software
  • Application
  • Protocol (Kerberos, IPSec)
  • Physical
  • Logical (policies)

6
What does AC hope to protect?
  • Data - Unauthorized viewing, modification or
    copying
  • System - Unauthorized use, modification or denial
    of service
  • It should be noted that nearly every network
    operating system (NT, Unix, Vines, NetWare) is
    based on a secure physical infrastructure

7
Proactive access control
  • Awareness training
  • Background checks
  • Separation of duties
  • Split knowledge
  • Policies
  • Data classification
  • Effective user registration
  • Termination procedures
  • Change control procedures

8
Physical access control
  • Guards
  • Locks
  • Mantraps
  • ID badges
  • CCTV, sensors, alarms
  • Biometrics
  • Fences
  • Card-key and tokens
  • Guard dogs

9
AC privacy issues
  • Expectation of privacy
  • Policies
  • Monitoring activity, Internet usage, e-mail
  • Login banners should detail expectations of
    privacy and state levels of monitoring

10
Varied types of Access Control
  • Discretionary (DAC)
  • Mandatory (MAC)
  • Lattice/Role/Task
  • Formal models
  • Biba
  • Clark/Wilson
  • Bell/LaPadula
  • Used set theory to define the concept of a secure
    state, the modes of access, and the rules for
    granting access.

11
Problems with formal models
  • Based on a static infrastructure
  • Defined and succinct policies
  • These do not work in corporate systems which are
    extremely dynamic and constantly changing
  • None of the previous models deals with
  • Viruses/active content
  • Trojan horses
  • firewalls
  • Limited documentation on how to build these
    systems

12
MAC vs. DAC
  • Discretionary Access Control
  • You decide how you want to protect and share
    your data
  • Mandatory Access Control
  • The system decides how the data will be shared

13
Mandatory Access Control
  • Assigns sensitivity levels, labels
  • Every object is given a sensitivity label and is
    accessible only to users who are cleared up to
    that particular level.
  • Only administrators, not object owners, may
    change the object's level
  • Generally more secure than DAC
  • Orange book B-level
  • Used in systems where security is critical, i.e.,
    military
  • Hard to program for, configure and implement

14
Mandatory Access Control (Continued)
  • Downgrade in performance
  • Relies on the system to control access
  • Example: If a file is classified as confidential,
    MAC will prevent anyone from writing secret or
    top secret information into that file.
  • All output, i.e., print jobs, floppies, other
    magnetic media, must be labeled as to the
    sensitivity level

15
Discretionary Access Control
  • Access is restricted based on the authorization
    granted to the user
  • Orange book C-level
  • Prime use is to separate and protect users from
    unauthorized data
  • Used by Unix, NT, NetWare, Linux, Vines, etc.
  • Relies on the object owner to control access

16
Access control lists (ACL)
  • A file used by the access control system to
    determine who may access what programs and files,
    in what method and at what time
  • Different operating systems have different ACL
    terms
  • Types of access
  • Read/Write/Create/Execute/Modify/Delete/Rename

17
Orange Book
  • DoD Trusted Computer System Evaluation Criteria,
    DoD 5200.28-STD, 1983
  • Provides the information needed to classify
    systems (A,B,C,D), defining the degree of trust
    that may be placed in them
  • For stand-alone systems only

18
Orange book levels
  • A - Verified protection
  • A1
  • Boeing SNS, Honeywell SCOMP
  • B - MAC
  • B1/B2/B3
  • C - DAC
  • C1/C2
  • D - Minimal security. Systems that have been
    evaluated, but failed

19
Bell-LaPadula
  • Formal description of allowable paths of
    information flow in a secure system
  • Used to define security requirements for systems
    handling data at different sensitivity levels
  • *-property - prevents write-down, by preventing
    subjects with access to high level data from
    writing the information to objects of lower
    access

20
Bell-LaPadula
  • Model defines secure state
  • Access between subjects, objects in accordance
    with specific security policy
  • Model central to TCSEC (TCSEC is an
    implementation of the Bell-LaPadula model)
  • Bell-LaPadula model only applies to secrecy of
    information
  • identifies paths that could lead to inappropriate
    disclosure
  • the next model covers more . . .

21
Biba Integrity Model
  • Biba model covers integrity levels, which are
    analogous to sensitivity levels in Bell-LaPadula
  • Integrity levels cover inappropriate modification
    of data
  • Prevents unauthorized users from making
    modifications (1st goal of integrity)
  • Read Up, Write Down model - Subjects cannot read
    objects of lesser integrity, subjects cannot
    write to objects of higher integrity
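
The Bell-LaPadula rules (slides 19 and 20), the Biba rules (slide 21) and the MAC write-down example on slide 14, as a small Python checker. This is an added example, not code from the slides; the label orderings and the subject and object names are constructed for illustration.

```python
# Added example, not from the slides: a checker for the Bell-LaPadula
# confidentiality rules (slides 19-20) and the Biba integrity rules
# (slide 21) over two linear lattices. Label orderings, subjects and
# objects are constructed for illustration.

# Lowest to highest. A linear ordering stands in for the general lattice.
SENSITIVITY = ["unclassified", "confidential", "secret", "top secret"]
INTEGRITY = ["untrusted", "user", "system"]

def _rank(scale, label):
    if label not in scale:
        raise ValueError(f"unknown label {label!r}")
    return scale.index(label)

def blp_allows(subject_clearance, object_label, mode):
    """Bell-LaPadula covers secrecy only.
    read:  simple security property, no read up   (subject >= object)
    write: *-property, no write down              (subject <= object)
    """
    s = _rank(SENSITIVITY, subject_clearance)
    o = _rank(SENSITIVITY, object_label)
    if mode == "read":
        return s >= o
    if mode == "write":
        return s <= o
    raise ValueError("mode must be 'read' or 'write'")

def biba_allows(subject_level, object_level, mode):
    """Biba covers integrity only; the rules are the duals of BLP's.
    read:  no read down  (object integrity >= subject integrity)
    write: no write up   (subject integrity >= object integrity)
    """
    s = _rank(INTEGRITY, subject_level)
    o = _rank(INTEGRITY, object_level)
    if mode == "read":
        return o >= s
    if mode == "write":
        return s >= o
    raise ValueError("mode must be 'read' or 'write'")

def mac_decision(subject, obj, mode):
    """MAC: the system decides from labels alone; both models must agree."""
    return (blp_allows(subject["clearance"], obj["sensitivity"], mode)
            and biba_allows(subject["integrity"], obj["integrity"], mode))

if __name__ == "__main__":
    # Slide 14: a secret-cleared user may read a confidential file, but the
    # *-property stops them writing secret information into it.
    analyst = {"clearance": "secret", "integrity": "user"}
    memo = {"sensitivity": "confidential", "integrity": "user"}
    print("read:", mac_decision(analyst, memo, "read"))    # True
    print("write:", mac_decision(analyst, memo, "write"))  # False
```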

22
Clark Wilson Model
  • An Integrity Model, like Biba
  • Addresses all 3 integrity goals
  • Prevents unauthorized users from making
    modifications
  • Maintains internal and external consistency
  • Prevents authorized users from making improper
    modifications
  • T - cannot be Tampered with while being changed
  • L - all changes must be Logged
  • C - Integrity of data is Consistent

23
Clark Wilson Model
  • Proposes Well Formed Transactions
  • perform steps in order
  • perform exactly the steps listed
  • authenticate the individuals who perform the
    steps
  • Calls for separation of duty

24
Problems with the Orange Book
  • Based on an old model, Bell-LaPadula
  • Stand alone, no way to network systems
  • Systems take a long time (1-2 years) to certify
  • Any changes (hot fixes, service packs, patches)
    break the certification
  • Has not adapted to changes in client-server and
    corporate computing
  • Certification is expensive
  • For the most part, not used outside of the
    government sector

25
Red Book
  • Used to extend the Orange Book to networks
  • Actually two works
  • Trusted Network Interpretation of the TCSEC
    (NCSC-TG-005)
  • Trusted Network Interpretation Environments
    Guideline Guidance for Applying the Trusted
    Network Interpretation (NCSC-TG-011)

26
Authentication
  • 3 types of authentication
  • Something you know - Password, PIN, mother's
    maiden name, passcode, fraternity chant
  • Something you have - ATM card, smart card, token,
    key, ID Badge, driver license, passport
  • Something you are - Fingerprint, voice scan, iris
    scan, retina scan, DNA

27
Multi-factor authentication
  • 2-factor authentication. To increase the level
    of security, many systems will require a user to
    provide 2 of the 3 types of authentication.
  • ATM card + PIN
  • Credit card + signature
  • PIN + fingerprint
  • Username + Password (NetWare, Unix, NT default)
  • 3-factor authentication -- For highest security
  • Username + Password + Fingerprint
  • Username + Passcode + SecurID token

28
Problems with passwords
  • Insecure - Given the choice, people will choose
    easily remembered and hence easily guessed
    passwords such as names of relatives, pets, phone
    numbers, birthdays, hobbies, etc.
  • Easily broken - Programs such as crack,
    SmartPass, PWDUMP, NTCrack and l0phtcrack can
    easily decrypt Unix, NetWare and NT passwords.
  • Dictionary attacks are only feasible because
    users choose easily guessed passwords!
  • Inconvenient - In an attempt to improve security,
    organizations often issue users with
    computer-generated passwords that are difficult,
    if not impossible to remember
  • Repudiable - Unlike a written signature, when a
    transaction is signed with only a password, there
    is no real proof as to the identity of the
    individual that made the transaction

29
Classic password rules
  • The best passwords are those that are both easy
    to remember and hard to crack using a dictionary
    attack. The best way to create passwords that
    fulfill both criteria is to use two small
    unrelated words or phonemes, ideally with a
    special character or number. Good examples would
    be hex7goop or -typetin
  • Don't use
  • common names, DOB, spouse, phone, etc.
  • word found in dictionaries
  • password as a password
  • systems defaults

30
Password management
  • Configure system to use strong passwords
  • Set password age and length limits
  • Limit unsuccessful logins
  • Limit concurrent connections
  • Enable auditing
  • Have policies for password resets and changes
  • Use last login dates in banners

31
Password Attacks
  • Brute force
  • l0phtcrack
  • Dictionary
  • Crack
  • John the Ripper
  • Trojan horse login program

32
Biometrics
  • Authenticating a user via human characteristics
  • Using measurable physical characteristics of a
    person to prove their identification
  • Fingerprint
  • signature dynamics
  • Iris
  • retina
  • voice
  • face
  • DNA, blood

33
Advantages of fingerprint-based biometrics
  • Can't be lent like a physical key or token and
    can't be forgotten like a password
  • Good compromise between ease of use, template
    size, cost and accuracy
  • Fingerprint contains enough inherent variability
    to enable unique identification even in very
    large (millions of records) databases
  • Basically lasts forever
  • Makes network login authentication effortless

34
Biometric Disadvantages
  • Still relatively expensive per user
  • Companies' products are often new and immature
  • No common API or other standard
  • Some hesitancy for user acceptance

35
Biometric privacy issues
  • Tracking and surveillance - Ultimately, the
    ability to track a person's movement from hour to
    hour
  • Anonymity - Biometric links to databases could
    dissolve much of our anonymity when we travel and
    access services
  • Profiling - Compilation of transaction data about
    a particular person that creates a picture of
    that person's travels, preferences, affiliations
    or beliefs

36
Practical biometric applications
  • Network access control
  • Staff time and attendance tracking
  • Authorizing financial transactions
  • Government benefits distribution (Social
    Security, welfare, etc.)
  • Verifying identities at point of sale
  • Using in conjunction with ATM, credit or smart
    cards
  • Controlling physical access to office buildings
    or homes
  • Protecting personal property
  • Preventing kidnapping in schools, play
    areas, etc.
  • Protecting children from fatal gun accidents

37
Tokens
  • Used to facilitate one-time passwords
  • Physical card
  • SecurID
  • S/Key
  • Smart card
  • Access token

38
Single sign-on
  • User has one password for all enterprise systems
    and applications
  • That way, one strong password can be remembered
    and used
  • All of a user's accounts can be quickly created on
    hire, deleted on dismissal
  • Hard to implement and get working
  • Kerberos, CA-Unicenter, Memco Proxima,
    IntelliSoft SnareWorks, Tivoli Global Sign-On,
    X.509

39
Kerberos
  • Part of MIT's Project Athena
  • Kerberos is an authentication protocol used for
    network wide authentication
  • All software must be kerberized
  • Tickets, authenticators, key distribution center
    (KDC)

40
Kerberos roles
  • KDC is divided into an Authentication Server (AS)
    and a Ticket Granting Server (TGS)
  • Authentication Server - authenticates the
    identities of entities on the network
  • TGS - Generates unique session keys between two
    parties. Parties then use these session keys for
    message encryption

41
Kerberos authentication
  • User must have an account on the KDC
  • KDC must be a trusted server in a secured
    location
  • Shares a DES key with each user
  • When a user wants to access a host or application,
    they request a ticket from the KDC (via klogin)
    and generate an authenticator that validates the
    ticket
  • User provides ticket and authenticator to the
    application, which processes them for validity
    and will then grant access.

42
Problems with Kerberos
  • Each piece of software must be kerberized
  • Requires synchronized time clocks
  • Relies on UDP which is often blocked by many
    firewalls
  • Kerberos v4 binds tickets to a single network
    address for a host. Hosts with multiple NICs
    will have problems using tickets
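
The ticket-and-authenticator check of slide 41, with the clock-synchronization requirement of slide 42 made explicit, as an added example that is not from the slides or from any Kerberos implementation. Real Kerberos encrypts tickets with DES (v4) or stronger ciphers; here sealing is modelled with an HMAC, which is enough to show the lifetime, clock-skew and replay checks, and the keys, names and times are constructed.

```python
# Added example, not from the slides or any Kerberos implementation: a
# stripped-down model of what an application server checks when it receives
# a ticket and an authenticator. Sealing is modelled with an HMAC instead of
# encryption; keys, principal names and times below are constructed.

import hashlib
import hmac
import json

CLOCK_SKEW = 300            # seconds; why slide 42 needs synchronized clocks
TICKET_LIFETIME = 8 * 3600  # seconds

def seal(key, fields):
    """Serialize fields and attach a MAC (stand-in for encryption)."""
    body = json.dumps(fields, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def open_sealed(key, blob):
    """Return the fields if the MAC verifies, otherwise None."""
    expected = hmac.new(key, blob["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return json.loads(blob["body"])

def kdc_issue(service_key, user, service, session_key, now):
    """TGS role: ticket for `service`, sealed with the service's own key."""
    return seal(service_key, {"user": user, "service": service,
                              "session_key": session_key,
                              "issued": now, "expires": now + TICKET_LIFETIME})

def client_authenticator(session_key, user, now):
    """Client proves it holds the session key by sealing a fresh timestamp."""
    return seal(session_key.encode(), {"user": user, "timestamp": now})

class ApplicationServer:
    def __init__(self, service_key, name):
        self.key, self.name = service_key, name
        self.replay_cache = set()   # (user, timestamp) already accepted; never pruned here

    def validate(self, ticket, authenticator, now):
        """Return (ok, reason) for one ticket/authenticator pair."""
        t = open_sealed(self.key, ticket)
        if t is None or t["service"] != self.name:
            return False, "ticket not sealed by KDC for this service"
        if not t["issued"] <= now <= t["expires"]:
            return False, "ticket expired or not yet valid"
        a = open_sealed(t["session_key"].encode(), authenticator)
        if a is None or a["user"] != t["user"]:
            return False, "authenticator does not match ticket"
        if abs(a["timestamp"] - now) > CLOCK_SKEW:
            return False, "authenticator timestamp outside clock skew"
        if (a["user"], a["timestamp"]) in self.replay_cache:
            return False, "replayed authenticator"
        self.replay_cache.add((a["user"], a["timestamp"]))
        return True, "access granted"
```

A client whose clock drifts more than CLOCK_SKEW from the server's is rejected even with a valid ticket, which is the practical reason behind the synchronized-clock requirement.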

43
Attacks
  • Passive attack - Monitor network traffic and then
    use data obtained or perform a replay attack.
  • Hard to detect
  • Active attack - Attacker is actively trying to
    break in.
  • Exploit system vulnerabilities
  • Spoofing
  • Crypto attacks
  • Denial of service (DoS) - Not so much an attempt
    to gain access, rather to prevent system
    operation
  • Smurf, SYN Flood, Ping of death
  • Mail bombs

44
Vulnerabilities
  • Physical
  • Natural
  • Floods, earthquakes, terrorists, power outage,
    lightning
  • Hardware/Software
  • Media
  • Corrupt electronic media, stolen disk drives
  • Emanation
  • Communications
  • Human
  • Social engineering, disgruntled staff

45
Monitoring
  • IDS
  • Logs
  • Audit trails
  • Network tools
  • Tivoli
  • OpenView

46
Intrusion Detection Systems
  • IDS monitors system or network for attacks
  • IDS engine has a library and set of signatures
    that identify an attack
  • Adds defense in depth
  • Should be used in conjunction with a system
    scanner (CyberCop, ISS) for maximum security

47
Object reuse
  • Must ensure that magnetic media does not retain
    any remnants of previous data
  • Also applies to buffers, cache and other memory
    allocation
  • Required at TCSEC B2/B3/A1 level
  • See "Secure Deletion of Data from Magnetic and
    Solid-State Memory"
  • Objects must be declassified
  • Magnetic media must be degaussed or have secure
    overwrites

48
TEMPEST
  • Electromagnetic emanations from keyboards,
    cables, printers, modems, monitors and all
    electronic equipment. With appropriate and
    sophisticated enough equipment, data can be
    readable at a few hundred yards.
  • TEMPEST certified equipment, which encases the
    hardware into a tight, metal construct, shields
    the electromagnetic emanations
  • WANG Federal is the leading provider of TEMPEST
    hardware
  • TEMPEST hardware is extremely expensive and can
    only be serviced by certified technicians
  • Rooms and buildings can be TEMPEST-certified
  • TEMPEST standards NACSEM 5100A and NACSI 5004 are
    classified documents

49
Banners
  • Banners display at login or connection stating
    that the system is for the exclusive use of
    authorized users and that their activity may be
    monitored
  • Not foolproof, but a good start, especially from
    a legal perspective
  • Make sure that the banner does not reveal system
    information, i.e., OS, version, hardware, etc.

50
RAS access control
  • RADIUS (Remote Authentication Dial-In User
    Service) - client/server protocol and software that
    enables a RAS to communicate with a central server
    to authenticate dial-in users and authorize their
    access to requested systems
  • TACACS/TACACS+ (Terminal Access Controller Access
    Control System) - Authentication protocol that
    allows a RAS to forward a user's logon password to
    an authentication server. TACACS is an
    unencrypted protocol and therefore less secure
    than the later TACACS+ and RADIUS protocols. A
    later version of TACACS is XTACACS (Extended
    TACACS).

51
Penetration Testing
  • Basically "Improving the Security of Your Site by
    Breaking Into It", by Dan Farmer and Wietse Venema
  • http://www.fish.com/security/admin-guide-to-cracking.html
  • Identifies weaknesses in Internet, Intranet,
    Extranet, and RAS technologies
  • Discovery and footprint analysis
  • Exploitation
  • Physical Security Assessment
  • Social Engineering

52
Penetration Testing
  • Attempt to identify vulnerabilities and gain
    access to critical systems within organization
  • Identifies and recommends corrective action for
    the systemic problems which may help propagate
    these vulnerabilities throughout an organization
  • Assessments allow client to demonstrate the need
    for additional security resources, by translating
    existing vulnerabilities into real life business
    risks

53
Rule of least privilege
  • One of the most fundamental principles of infosec
  • States that any object (user, administrator,
    program, system) should have only the least
    privileges the object needs to perform its
    assigned task, and no more.
  • An AC system that grants users only those rights
    necessary for them to perform their work
  • Limits exposure to attacks and the damage an
    attack can cause
  • Physical security example: car ignition key vs.
    door key

54
Implementing least privilege
  • Ensure that only a minimal set of users have root
    access
  • Don't make a program run setuid to root if not
    needed. Rather, make the file group-writable to
    some group and make the program run setgid to
    that group, rather than setuid to root
  • Don't run insecure programs on the firewall or
    other trusted host
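
A check that goes with slide 54: an added example, not from the slides, that scans a directory tree and reports setuid and setgid executables, so the setuid-root programs the slide says to avoid can be reviewed and, where possible, converted to setgid to a group. The labels, the classify()/audit_tree() names and the sample files built in demo() are assumptions made here.

```python
# Added example, not from the slides: scan a directory tree for setuid and
# setgid executables so the setuid-root ones slide 54 warns about can be
# reviewed. Labels and the sample files in demo() are constructed.

import os
import stat
import tempfile

def classify(mode, uid, root_uid=0):
    """Label one file from its st_mode and owner uid; None if unremarkable."""
    if not stat.S_ISREG(mode) or not mode & 0o111:   # only regular executables
        return None
    if mode & stat.S_ISUID:
        return "setuid-root" if uid == root_uid else "setuid"
    if mode & stat.S_ISGID:
        return "setgid"                               # the form slide 54 prefers
    return None

def audit_tree(top):
    """Return sorted (path, label) pairs for every flagged file under top."""
    findings = []
    for dirpath, _, names in os.walk(top):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)                    # lstat: do not follow symlinks
            except OSError:
                continue
            label = classify(st.st_mode, st.st_uid)
            if label:
                findings.append((path, label))
    return sorted(findings)

def demo():
    """Constructed sample tree: one plain and one setuid executable."""
    top = tempfile.mkdtemp()
    for name, mode in (("plain", 0o755), ("suid", 0o4755)):
        path = os.path.join(top, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return {os.path.basename(p): label for p, label in audit_tree(top)}

if __name__ == "__main__":
    for path, label in audit_tree("/usr/bin"):
        print(label, path)
```

The same inventory can be taken with `find / -type f -perm -4000`; the function form is handy when the result feeds a periodic check that alerts on new setuid-root files.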

55
Any questions?
Access Control Systems Methodology
Files graciously shared by Ben Rothke. Reformatted
and edited for Slide presentation