Post on 08-Jun-2015
Access Control Systems & Methodology

Topics to be covered
- Overview
- Access control implementation
- Types of access control: MAC & DAC
- Orange Book
- Authentication: passwords, biometrics, tokens/SSO, Kerberos
- Attacks/vulnerabilities
- Monitoring: IDS
- Object reuse
- TEMPEST
- RAS access control
- Penetration testing
What is access control?
Access control is the heart of security. Definitions:
- The ability to allow only authorized users, programs or processes access to a system or resource
- The granting or denying, according to a particular security model, of certain permissions to access a resource
- An entire set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules

Access control nomenclature
- Authentication: the process through which one proves and verifies certain information
- Identification: the process through which one ascertains the identity of another person or entity
- Confidentiality: protection of private data from unauthorized viewing
- Integrity: data is not corrupted or modified in any unauthorized manner
- Availability: the system is usable; contrast with DoS
How can AC be implemented?
- Hardware
- Software
- Application
- Protocol (Kerberos, IPSec)
- Physical
- Logical (policies)

What does AC hope to protect?
- Data: unauthorized viewing, modification or copying
- System: unauthorized use, modification or denial of service
- It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) is based on a secure physical infrastructure

Proactive access control
- Awareness training
- Background checks
- Separation of duties
- Split knowledge
- Policies
- Data classification
- Effective user registration
- Termination procedures
- Change control procedures
Physical access control
- Guards
- Locks
- Mantraps
- ID badges
- CCTV, sensors, alarms
- Biometrics
- Fences
- Card-keys and tokens
- Guard dogs

AC & privacy issues
- Expectation of privacy
- Policies
- Monitoring of activity, Internet usage, e-mail
- Login banners should detail expectations of privacy and state levels of monitoring

Varied types of access control
- Discretionary (DAC)
- Mandatory (MAC)
- Lattice/Role/Task
- Formal models: Biba, Clark/Wilson, Bell/LaPadula. These used set theory to define the concept of a secure state, the modes of access, and the rules for granting access.
Problems with formal models
- Based on a static infrastructure
- Defined and succinct policies
- These do not work in corporate systems, which are extremely dynamic and constantly changing
- None of the previous models deals with viruses/active content, Trojan horses, or firewalls
- Limited documentation on how to build these systems

MAC vs. DAC
- Discretionary Access Control: you decide how you want to protect and share your data
- Mandatory Access Control: the system decides how the data will be shared
Mandatory Access Control
- Assigns sensitivity levels (labels)
- Every object is given a sensitivity label & is accessible only to users who are cleared up to that particular level
- Only the administrators, not object owners, can change the object's level
- Generally more secure than DAC
- Orange Book B-level
- Used in systems where security is critical, i.e., military
- Hard to program for, configure & implement

Mandatory Access Control (continued)
- Downgrade in performance
- Relies on the system to control access
- Example: if a file is classified as confidential, MAC will prevent anyone from writing secret or top secret information into that file
- All output, i.e., print jobs, floppies and other magnetic media, must be labeled as to the sensitivity level
Discretionary Access Control
- Access is restricted based on the authorization granted to the user
- Orange Book C-level
- Prime use is to separate and protect users from unauthorized data
- Used by Unix, NT, NetWare, Linux, Vines, etc.
- Relies on the object owner to control access

Access control lists (ACL)
- A file used by the access control system to determine who may access what programs and files, by what method and at what time
- Different operating systems have different ACL terms
- Types of access: read/write/create/execute/modify/delete/rename
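As an added illustration (not part of the original slides), a default-deny lookup over a constructed ACL of the kind described above, keyed on who, what, access mode and time of day, and recording every attempt as the earlier definition of access control requires:

```python
# Constructed ACL (not from the slides): who, what, which access modes, and the
# hours of the day ("HH:MM", inclusive) during which those modes apply.
ACL = [
    {"who": "alice", "what": "/payroll/run.exe", "modes": {"read", "execute"},
     "hours": ("08:00", "18:00")},
    {"who": "alice", "what": "/payroll/data.db", "modes": {"read", "write", "modify"},
     "hours": ("08:00", "18:00")},
    {"who": "bob", "what": "/payroll/run.exe", "modes": {"read"},
     "hours": ("00:00", "23:59")},
]

AUDIT = []  # every attempt is recorded, whether granted or denied


def check_access(acl, who, what, mode, now):
    """Grant only if some entry matches subject, object, mode and time; otherwise deny.

    `now` is a zero-padded "HH:MM" string, so plain string comparison orders it."""
    granted = any(
        e["who"] == who and e["what"] == what and mode in e["modes"]
        and e["hours"][0] <= now <= e["hours"][1]
        for e in acl
    )
    AUDIT.append({"who": who, "what": what, "mode": mode, "at": now, "granted": granted})
    return granted
```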
Orange Book
- DoD Trusted Computer System Evaluation Criteria, DoD 5200.28-STD, 1983
- Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
- For stand-alone systems only

Orange Book levels
- A: verified protection. A1: Boeing SNS, Honeywell SCOMP
- B: MAC. B1/B2/B3
- C: DAC. C1/C2
- D: minimal security. Systems that have been evaluated, but failed

Bell-LaPadula
- Formal description of allowable paths of information flow in a secure system
- Used to define security requirements for systems handling data at different sensitivity levels
- *-property: prevents write-down, by preventing subjects with access to high-level data from writing the information to objects of lower access
Bell-LaPadula
- Model defines a secure state
- Access between subjects and objects in accordance with a specific security policy
- Model central to TCSEC (TCSEC is an implementation of the Bell-LaPadula model)
- Bell-LaPadula only applies to secrecy of information: it identifies paths that could lead to inappropriate disclosure. The next model covers more...
Biba Integrity Model
- Biba model covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadula
- Integrity levels cover inappropriate modification of data
- Prevents unauthorized users from making modifications (1st goal of integrity)
- "Read up, write down" model: subjects cannot read objects of lesser integrity, and subjects cannot write to objects of higher integrity
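An added example (not from the slides) that encodes the Bell-LaPadula rules from the two preceding slides and the Biba rules from this one over constructed level lists; mac_decide combines them the way a system-enforced (MAC) check would, with no owner override. The level names are assumptions for illustration.

```python
# Constructed ordered lattices for the two models (higher index = higher level).
SENSITIVITY = ["unclassified", "confidential", "secret", "top_secret"]  # Bell-LaPadula
INTEGRITY = ["untrusted", "user", "system"]                             # Biba


def dominates(levels, a, b):
    """True if level a is at or above level b in the ordered list `levels`."""
    return levels.index(a) >= levels.index(b)


def blp_allowed(clearance, label, mode):
    """Bell-LaPadula (secrecy): simple security = no read up; *-property = no write down."""
    if mode == "read":
        return dominates(SENSITIVITY, clearance, label)
    if mode == "write":
        return dominates(SENSITIVITY, label, clearance)
    raise ValueError("unknown mode: " + mode)


def biba_allowed(subj_integrity, obj_integrity, mode):
    """Biba (integrity): a subject may not read below its level nor write above it."""
    if mode == "read":
        return dominates(INTEGRITY, obj_integrity, subj_integrity)
    if mode == "write":
        return dominates(INTEGRITY, subj_integrity, obj_integrity)
    raise ValueError("unknown mode: " + mode)


def mac_decide(subject, obj, mode):
    """Reference-monitor style decision: the labels alone decide, not the object's owner."""
    return (blp_allowed(subject["clearance"], obj["label"], mode)
            and biba_allowed(subject["integrity"], obj["integrity"], mode))
```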
Clark & Wilson Model
- An integrity model, like Biba
- Addresses all 3 integrity goals: prevents unauthorized users from making modifications; maintains internal and external consistency; prevents authorized users from making improper modifications
- T: cannot be Tampered with while being changed
- L: all changes must be Logged
- C: integrity of data is Consistent

Clark & Wilson Model
- Proposes "well-formed transactions": perform steps in order, perform exactly the steps listed, authenticate the individuals who perform the steps
- Calls for separation of duty

Problems with the Orange Book
- Based on an old model, Bell-LaPadula
- Stand-alone; no way to network systems
- Systems take a long time (1-2 years) to certify
- Any changes (hot fixes, service packs, patches) break the certification
- Has not adapted to changes in client-server and corporate computing
- Certification is expensive
- For the most part, not used outside of the government sector
Red Book
- Used to extend the Orange Book to networks
- Actually two works: Trusted Network Interpretation of the TCSEC (NCSC-TG-005), and Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)

Authentication
3 types of authentication:
- Something you know: password, PIN, mother's maiden name, passcode, fraternity chant
- Something you have: ATM card, smart card, token, key, ID badge, driver license, passport
- Something you are: fingerprint, voice scan, iris scan, retina scan, DNA

Multi-factor authentication
- 2-factor authentication: to increase the level of security, many systems will require a user to provide 2 of the 3 types of authentication. Examples: ATM card + PIN; credit card + signature; PIN + fingerprint; username + password (NetWare, Unix, NT default)
- 3-factor authentication, for highest security: username + password + fingerprint; username + passcode + SecurID token
Problems with passwords
- Insecure: given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
- Easily broken: programs such as crack, SmartPass, PWDUMP, NTCrack & l0phtcrack can easily decrypt Unix, NetWare & NT passwords. Dictionary attacks are only feasible because users choose easily guessed passwords!
- Inconvenient: in an attempt to improve security, organizations often issue users with computer-generated passwords that are difficult, if not impossible, to remember
- Repudiable: unlike a written signature, when a transaction is signed with only a password, there is no real proof as to the identity of the individual that made the transaction
Classic password rules
- The best passwords are those that are both easy to remember and hard to crack using a dictionary attack. The best way to create passwords that fulfill both criteria is to use two small unrelated words or phonemes, ideally with a special character or number. Good examples would be hex7goop or -typetin
- Don't use: common names, DOB, spouse, phone #, etc.; words found in dictionaries; "password" as a password; system defaults
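An added example, not from the slides, that turns the rules above into a checker. The dictionary, the defaults list and the personal-data fields are constructed stand-ins for a real wordlist and a user record:

```python
import re

# Constructed stand-ins for a real dictionary and a site's default account passwords.
DICTIONARY = {"password", "letmein", "welcome", "summer", "dragon", "monkey"}
DEFAULTS = {"admin", "guest", "changeme", "supervisor"}


def _digit_windows(value, n=4):
    """Every run of n consecutive digits in value (a DOB of 1980-05-12 yields 1980, 9800, ...)."""
    digits = re.sub(r"\D", "", value)
    return {digits[i:i + n] for i in range(len(digits) - n + 1)}


def password_problems(candidate, user_info):
    """Return the classic-rule violations for candidate; an empty list means it passes.

    user_info maps field names (name, spouse, dob, phone, ...) to personal data the
    password must not contain, either as a word or as a run of its digits."""
    problems, low = [], candidate.lower()
    if low in DICTIONARY or low in DEFAULTS:
        problems.append("dictionary word or system default")
    for field, value in user_info.items():
        if (len(value) >= 3 and value.lower() in low) or any(
                w in candidate for w in _digit_windows(value)):
            problems.append("contains personal data: " + field)
    if not re.search(r"[0-9]|[^A-Za-z0-9]", candidate):
        problems.append("no digit or special character")
    return problems
```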
Password management
- Configure the system to use strong passwords
- Set password age and length limits
- Limit unsuccessful logins
- Limit concurrent connections
- Enable auditing
- Have policies for password resets and changes
- Use last login dates in banners

Password attacks
- Brute force: l0phtcrack
- Dictionary: Crack, John the Ripper
- Trojan horse login program

Biometrics
- Authenticating a user via human characteristics
- Using measurable physical characteristics of a person to prove their identification
- Fingerprint, signature dynamics, iris, retina, voice, face, DNA, blood
Advantages of fingerprint-based biometrics
- Can't be lent like a physical key or token and can't be forgotten like a password
- Good compromise between ease of use, template size, cost and accuracy
- Fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
- Basically lasts forever
- Makes network login & authentication effortless

Biometric disadvantages
- Still relatively expensive per user
- Companies & products are often new & immature
- No common API or other standard
- Some hesitancy in user acceptance

Biometric privacy issues
- Tracking and surveillance: ultimately, the ability to track a person's movement from hour to hour
- Anonymity: biometric links to databases could dissolve much of our anonymity when we travel and access services
- Profiling: compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

Practical biometric applications
- Network access control
- Staff time and attendance tracking
- Authorizing financial transactions
- Government benefits distribution (Social Security, welfare, etc.)
- Verifying identities at point of sale
- Use in conjunction with ATM, credit or smart cards
- Controlling physical access to office buildings or homes
- Protecting personal property
- Preventing kidnapping in schools, play areas, etc.
- Protecting children from fatal gun accidents
Tokens
- Used to facilitate one-time passwords
- Physical card, SecurID, S/Key, smart card, access token

Single sign-on
- User has one password for all enterprise systems and applications
- That way, one strong password can be remembered and used
- All of a user's accounts can be quickly created on hire and deleted on dismissal
- Hard to implement and get working
- Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509

Kerberos
- Part of MIT's Project Athena
- Kerberos is an authentication protocol used for network-wide authentication
- All software must be kerberized
- Tickets, authenticators, key distribution center (KDC)
Kerberos roles
- KDC divided into Authentication Server & Ticket Granting Server (TGS)
- Authentication Server: authenticates the identities of entities on the network
- TGS: generates unique session keys between two parties. Parties then use these session keys for message encryption
Kerberos authentication
- User must have an account on the KDC
- KDC must be a trusted server in a secured location
- Shares a DES key with each user
- When a user wants to access a host or application, they request a ticket from the KDC via klogin & generate an authenticator that validates the ticket
- User provides ticket and authenticator to the application, which processes them for validity and will then grant access
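An added simulation (not the slides' or MIT's code) of the ticket/authenticator exchange just described, with the AS/TGS split collapsed into one KDC call. seal/unseal are a toy stand-in for the DES encryption Kerberos used; the service side shows why the checks on the next slide matter by rejecting expired tickets, out-of-skew or replayed authenticators, and tampered blobs. All names and keys are constructed.

```python
import hashlib, hmac, json, os

SKEW = 300  # seconds of clock drift tolerated; this is why Kerberos needs synchronized clocks


def _xor(key, nonce, data):
    """Keystream XOR: a toy stand-in for the DES encryption Kerberos actually used."""
    return bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))


def seal(key, obj):
    """Encrypt-then-MAC a JSON object under `key`; illustration only, not for real use."""
    nonce = os.urandom(8)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad tag")               # wrong key, or a tampered ticket/authenticator
    return json.loads(_xor(key, nonce, ct))


class KDC:
    # Shares a long-term key with every principal; AS and TGS are collapsed into one exchange.
    def __init__(self, keys):
        self.keys = keys
    def issue_ticket(self, client, service, now):
        skey = os.urandom(16).hex()               # fresh session key for this client/service pair
        ticket = seal(self.keys[service], {"client": client, "skey": skey, "exp": now + 3600})
        return seal(self.keys[client], {"skey": skey, "ticket": ticket.hex()})


class Service:
    def __init__(self, key):
        self.key, self.seen = key, set()          # seen: authenticators already accepted
    def verify(self, ticket, authenticator, now):
        try:
            t = unseal(self.key, ticket)          # only the service's KDC key opens the ticket
            a = unseal(bytes.fromhex(t["skey"]), authenticator)
        except ValueError:
            return False
        if now > t["exp"] or a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
            return False
        if (a["client"], a["ts"]) in self.seen:   # the same authenticator again is a replay
            return False
        self.seen.add((a["client"], a["ts"]))
        return True


def client_login(kdc, user, user_key, service, now):
    """klogin analogue: obtain a ticket, then build an authenticator under the session key."""
    reply = unseal(user_key, kdc.issue_ticket(user, service, now))
    auth = seal(bytes.fromhex(reply["skey"]), {"client": user, "ts": now})
    return bytes.fromhex(reply["ticket"]), auth
```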
Problems with Kerberos
- Each piece of software must be kerberized
- Requires synchronized time clocks
- Relies on UDP, which is often blocked by many firewalls
- Kerberos v4 binds tickets to a single network address for a host. Hosts with multiple NICs will have problems using tickets

Attacks
- Passive attack: monitor network traffic and then use the data obtained or perform a replay attack. Hard to detect
- Active attack: the attacker is actively trying to break in. Exploit system vulnerabilities, spoofing, crypto attacks
- Denial of service (DoS): not so much an attempt to gain access, rather to prevent system operation. Smurf, SYN flood, Ping of Death, mail bombs

Vulnerabilities
- Physical
- Natural: floods, earthquakes, terrorists, power outage, lightning
- Hardware/software
- Media: corrupt electronic media, stolen disk drives
- Emanation
- Communications
- Human: social engineering, disgruntled staff
Monitoring
- IDS
- Logs
- Audit trails
- Network tools: Tivoli, OpenView

Intrusion Detection Systems
- IDS monitors a system or network for attacks
- IDS engine has a library and set of signatures that identify an attack
- Adds defense in depth
- Should be used in conjunction with a system scanner (CyberCop, ISS) for maximum security

Object reuse
- Must ensure that magnetic media does not have any remanence of previous data
- Also applies to buffers, cache and other memory allocation
- Required at TCSEC B2/B3/A1 level
- See "Secure Deletion of Data from Magnetic and Solid-State Memory"
- Objects must be declassified
- Magnetic media must be degaussed or have secure overwrites
TEMPEST
- Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be readable at a few hundred yards.
- TEMPEST-certified equipment, which encases the hardware in a tight metal construct, shields the electromagnetic emanations
- WANG Federal is the leading provider of TEMPEST hardware
- TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
- Rooms & buildings can be TEMPEST-certified
- TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents

Banners
- Banners display at login or connection, stating that the system is for the exclusive use of authorized users and that their activity may be monitored
- Not foolproof, but a good start, especially from a legal perspective
- Make sure that the banner does not reveal system information, i.e., OS, version, hardware, etc.

RAS access control
- RADIUS (Remote Authentication Dial-In User Service): client/server protocol & software that enables a RAS to communicate with a central server to authenticate dial-in users & authorize their access to requested systems
- TACACS/TACACS+ (Terminal Access Controller Access Control System): authentication protocol that allows a RAS to forward a user's logon password to an authentication server. TACACS is an unencrypted protocol and therefore less secure than the later TACACS+ and RADIUS protocols. A later version of TACACS is XTACACS (Extended TACACS).
Penetration Testing
- Basically, "Improving the Security of Your Site by Breaking Into It", by Dan Farmer / Wietse Venema: http://www.fish.com/security/admin-guide-to-cracking.html
- Identifies weaknesses in Internet, intranet, extranet, and RAS technologies
- Discovery and footprint analysis
- Exploitation
- Physical security assessment
- Social engineering

Penetration Testing
- Attempt to identify vulnerabilities and gain access to critical systems within an organization
- Identifies and recommends corrective action for the systemic problems which may help propagate these vulnerabilities throughout an organization
- Assessments allow the client to demonstrate the need for additional security resources, by translating existing vulnerabilities into real-life business risks

Rule of least privilege
- One of the most fundamental principles of infosec
- States that any object (user, administrator, program, system) should have only the least privileges the object needs to perform its assigned task, and no more
- An AC system that grants users only those rights necessary for them to perform their work
- Limits exposure to attacks and the damage an attack can cause
- Physical security example: car ignition key vs. door key
Implementing least privilege
- Ensure that only a minimal set of users have root access
- Don't make a program run setuid to root if not needed. Rather, make the file group-writable to some group and make the program run setgid to that group, rather than setuid to root
- Don't run insecure programs on the firewall or other trusted hosts

Any questions?
Access Control Systems & Methodology
Files graciously shared by Ben Rothke. Reformatted and edited for slide presentation.