Access control3

Access Control Systems & Methodology (55 slides)

Transcript of Access control3

Page 1: Access control3

Access Control Systems & Methodology

Page 2: Access control3

Topics to be covered
- Overview
- Access control implementation
- Types of access control: MAC and DAC
- Orange Book
- Authentication: passwords, biometrics, tokens/SSO, Kerberos
- Attacks, vulnerabilities and monitoring
- IDS
- Object reuse
- TEMPEST
- RAS access control
- Penetration testing

Page 3: Access control3

What is access control?
Access control is the heart of security. Definitions:
- The ability to allow only authorized users, programs or processes access to a system or resource
- The granting or denying, according to a particular security model, of certain permissions to access a resource
- The entire set of procedures performed by hardware, software and administrators to monitor access, identify users requesting access, record access attempts, and grant or deny access based on pre-established rules

Page 4: Access control3

Access control nomenclature
- Identification: the process through which a subject claims an identity (a user name, an account, a badge number)
- Authentication: the process through which that claim is proved and verified (the subject presents something it knows, has or is)
- Confidentiality: protection of private data from unauthorized viewing
- Integrity: data is not corrupted or modified in any unauthorized manner
- Availability: the system is usable. Contrast with DoS.

Page 5: Access control3

How can AC be implemented?
- Hardware
- Software
- Application
- Protocol (Kerberos, IPSec)
- Physical
- Logical (policies)

Page 6: Access control3

What does AC hope to protect?
- Data: unauthorized viewing, modification or copying
- System: unauthorized use, modification or denial of service

It should be noted that nearly every network operating system (NT, Unix, Vines, NetWare) assumes a secure physical infrastructure: its logical access controls can be bypassed by anyone with physical access to the machine or its disks.

Page 7: Access control3

Proactive access control
- Awareness training
- Background checks
- Separation of duties
- Split knowledge
- Policies
- Data classification
- Effective user registration
- Termination procedures
- Change control procedures

Page 8: Access control3

Physical access control
- Guards
- Locks
- Mantraps
- ID badges
- CCTV, sensors, alarms
- Biometrics
- Fences
- Card keys and tokens
- Guard dogs

Page 9: Access control3

AC & privacy issues
- Expectation of privacy
- Policies
- Monitoring of activity, Internet usage and e-mail
- Login banners should detail expectations of privacy and state the level of monitoring

Page 10: Access control3

Varied types of access control
- Discretionary (DAC)
- Mandatory (MAC)
- Lattice-, role- or task-based

Formal models: Biba, Clark-Wilson, Bell-LaPadula. Bell-LaPadula used set theory (a state machine over subjects, objects and access modes) to define the concept of a secure state, the modes of access, and the rules for granting access.

Page 11: Access control3

Problems with formal models
- Based on a static infrastructure and on defined, succinct policies
- These fit poorly in corporate systems, which are extremely dynamic and constantly changing
- None of the previous models deals with viruses/active content, Trojan horses or firewalls
- Limited documentation on how to build these systems

Page 12: Access control3

MAC vs. DAC
- Discretionary Access Control: the owner of the data decides how to protect and share it
- Mandatory Access Control: the system decides how the data will be shared, from labels and clearances that the owner cannot change

Page 13: Access control3

Mandatory Access Control
- Assigns sensitivity levels (labels)
- Every object is given a sensitivity label and is accessible only to users who are cleared up to that particular level
- Only administrators, not object owners, can change an object's label
- Generally more secure than DAC
- Orange Book B-level
- Used in systems where security is critical, e.g. military
- Hard to program for, configure and implement

Page 14: Access control3

Mandatory Access Control (continued)
- Degrades performance
- Relies on the system, not the user, to control access
- Example: if a file is labeled confidential, MAC will prevent anyone from writing secret or top secret information into that file (no "write down" from a higher level to a lower one)
- All output (print jobs, floppies, other magnetic media) must be labeled with its sensitivity level

Page 15: Access control3

Discretionary Access Control
- Access is restricted based on the authorization granted to the user
- Orange Book C-level
- Prime use is to separate users from data they are not authorized to see
- Used by Unix, NT, NetWare, Linux, Vines, etc.
- Relies on the object owner to control access

Page 16: Access control3

Access control lists (ACL)
- A list, attached to an object or kept by the access control system, that determines who may access which programs and files, in what manner, and at what time
- Different operating systems use different ACL terms
- Types of access: read, write, create, execute, modify, delete, rename
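The evaluation an ACL-based, discretionary system performs, as an added example that is not part of the original slides: a deny-by-default ACL checker in Python with user and group entries, an explicit deny entry, a time-of-day window (the slide's "at what time") and the DAC property that only the object's owner may extend its ACL. The users, groups, object name, and the rule that an explicit deny overrides any allow are assumptions for the illustration, not the semantics of any particular operating system.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample data for the illustration: two groups, one owned object.
GROUPS = {"payroll": {"alice", "bob"}, "admins": {"carol"}}
OWNERS = {"/data/salaries.xls": "alice"}


@dataclass(frozen=True)
class Ace:
    """One access control entry: who, which operations, allow or deny,
    and the daily window during which the entry applies."""
    principal: str                 # a user name, or "group:<name>"
    ops: frozenset                 # subset of {"read", "write", "execute", "delete"}
    allow: bool = True             # False makes this an explicit deny entry
    start: time = time(0, 0)
    end: time = time(23, 59, 59)


ACLS = {
    "/data/salaries.xls": [
        Ace("group:payroll", frozenset({"read"}), start=time(8), end=time(18)),
        Ace("alice", frozenset({"read", "write", "delete"})),
        Ace("bob", frozenset({"write"}), allow=False),   # explicit deny
    ],
}


def matches(ace, user):
    if ace.principal.startswith("group:"):
        return user in GROUPS.get(ace.principal[len("group:"):], set())
    return ace.principal == user


def check(user, obj, op, now):
    """Deny by default. An explicit deny beats every allow (assumed rule);
    any matching allow entry inside its time window grants the operation."""
    granted = False
    for ace in ACLS.get(obj, []):
        if not matches(ace, user) or op not in ace.ops:
            continue
        if not ace.start <= now <= ace.end:
            continue
        if not ace.allow:
            return False
        granted = True
    return granted


def grant(actor, obj, ace):
    """The discretionary part: only the object's owner may extend its ACL."""
    if OWNERS.get(obj) != actor:
        raise PermissionError(f"{actor} does not own {obj}")
    ACLS.setdefault(obj, []).append(ace)
    return ACLS[obj]
```

Note that the time window only applies to the entry that carries it: bob can read during office hours through the payroll group, but his explicit deny on write holds at any hour, and carol gets nothing until the owner adds an entry for her.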

Page 17: Access control3

Orange Book
- DoD Trusted Computer System Evaluation Criteria, first issued 1983 and reissued as DoD 5200.28-STD in 1985
- Provides the information needed to classify systems (A, B, C, D), defining the degree of trust that may be placed in them
- Applies to stand-alone systems only

Page 18: Access control3

Orange Book levels
- A: Verified protection. A1 (Boeing SNS, Honeywell SCOMP)
- B: Mandatory protection (MAC). B1/B2/B3
- C: Discretionary protection (DAC). C1/C2
- D: Minimal protection. Systems that have been evaluated but failed to meet the requirements of a higher class

Page 19: Access control3

Bell-LaPadula
- Formal description of allowable paths of information flow in a secure system
- Used to define security requirements for systems handling data at different sensitivity levels
- Simple security property: no read up; a subject may not read an object labeled above its clearance
- *-property: no write down; a subject with access to high-level data may not write it to objects of lower classification

Page 20: Access control3

Bell-LaPadula
- The model defines a secure state: access between subjects and objects in accordance with a specific security policy
- Model central to TCSEC (the B-level mandatory protection requirements of TCSEC are built on Bell-LaPadula)
- Bell-LaPadula applies only to secrecy of information: it identifies paths that could lead to inappropriate disclosure and says nothing about integrity. The next model covers more.

Page 21: Access control3

Biba Integrity Model
- Biba covers integrity levels, which are analogous to sensitivity levels in Bell-LaPadula
- Integrity levels address inappropriate modification of data
- Prevents unauthorized users from making modifications (1st goal of integrity)
- "Read up, write down" model (no read down, no write up): subjects cannot read objects of lower integrity (simple integrity property) and cannot write to objects of higher integrity (*-integrity property)
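The Bell-LaPadula rules of slides 13-14 and 19-20 and the Biba rules of slide 21, written as one small reference monitor in Python so that the mirror-image relationship between the two models is visible. This is an added example, not material from the slides; the label names, the two lattices, the subject and object records, and the rule that only a subject with the role "admin" may relabel an object are assumptions for the illustration.

```python
# Constructed lattices: a confidentiality ordering for Bell-LaPadula and an
# integrity ordering for Biba. Higher number = higher level.
CONFIDENTIALITY = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


def dominates(lattice, a, b):
    """True when level a is at least as high as level b in the lattice."""
    return lattice[a] >= lattice[b]


def blp_allows(clearance, label, op):
    """Bell-LaPadula (confidentiality). Only read and write are modelled."""
    if op == "read":    # simple security property: no read up
        return dominates(CONFIDENTIALITY, clearance, label)
    if op == "write":   # *-property: no write down
        return dominates(CONFIDENTIALITY, label, clearance)
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level, object_level, op):
    """Biba (integrity): the same two rules with the direction reversed."""
    if op == "read":    # simple integrity property: no read down
        return dominates(INTEGRITY, object_level, subject_level)
    if op == "write":   # *-integrity property: no write up
        return dominates(INTEGRITY, subject_level, object_level)
    raise ValueError(f"unknown operation {op!r}")


def mac_check(subject, obj, op):
    """A mandatory check consults the labels only: the subject's identity and
    the object's owner play no part in the decision."""
    return (blp_allows(subject["clearance"], obj["classification"], op)
            and biba_allows(subject["integrity"], obj["integrity"], op))


def relabel(obj, actor, **new_labels):
    """Under MAC only an administrator, never the owner, changes labels
    (slide 13). The 'admin' role name is an assumption of this example."""
    if actor.get("role") != "admin":
        raise PermissionError("only administrators may change labels")
    obj.update(new_labels)
    return obj


# Constructed subject and object for the slide 14 scenario: a secret-cleared
# analyst and a memo labeled confidential that the analyst happens to own.
ANALYST = {"name": "analyst", "clearance": "secret", "integrity": "user"}
MEMO = {"name": "memo.txt", "classification": "confidential",
        "integrity": "user", "owner": "analyst"}
```

The analyst can read the confidential memo but cannot write into it, exactly the slide 14 case: anything the analyst writes might carry secret information down to a confidential container. Owning the memo does not help; only an administrator relabelling it to secret makes the write legal.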

Page 22: Access control3

Clark-Wilson Model
- An integrity model, like Biba, addressing all three integrity goals:
  - Prevents unauthorized users from making modifications
  - Prevents authorized users from making improper modifications
  - Maintains internal and external consistency
- T: data cannot be Tampered with while being changed
- L: all changes must be Logged
- C: integrity of data is Consistent

Page 23: Access control3

Clark-Wilson Model
- Proposes "well-formed transactions": perform the steps in order, perform exactly the steps listed, and authenticate the individuals who perform the steps
- Calls for separation of duty
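The well-formed transaction idea of slides 22-23 in code, as an added example that is not taken from the slides: constrained data items (CDIs) that can be changed only through certified transformation procedures (TPs), (user, TP, CDI) access triples, separation of duty (whoever certified a TP may not run it), an integrity verification procedure (IVP) re-run after every change, and a log of every attempt. The ledger domain, the consistency rule, and the names are assumptions for the illustration.

```python
import copy
from dataclasses import dataclass, field


# Constructed CDI and its consistency rule: a ledger whose entries move a
# positive amount between two different accounts. The domain is an assumption.
def ledger_ok(ledger) -> bool:
    return all(e["amount"] > 0 and e["src"] != e["dst"] for e in ledger)


IVP_RULES = {"ledger": ledger_ok}   # one integrity verification rule per CDI


def ivp(cdis) -> bool:
    """Integrity verification procedure: every CDI satisfies its rule."""
    return all(IVP_RULES[name](value) for name, value in cdis.items())


def post_entry(ledger, src, dst, amount):
    """A transformation procedure (TP): the only sanctioned way to change the ledger."""
    ledger.append({"src": src, "dst": dst, "amount": amount})


@dataclass
class ClarkWilson:
    cdis: dict = field(default_factory=lambda: {"ledger": []})
    tps: dict = field(default_factory=dict)      # tp name -> (certifier, function)
    triples: set = field(default_factory=set)    # allowed (user, tp, cdi)
    log: list = field(default_factory=list)

    def certify_tp(self, certifier, name, func):
        """Certification: a TP is admitted once someone vouches that it keeps
        the IVP true. Who certified it is recorded for separation of duty."""
        self.tps[name] = (certifier, func)

    def authorize(self, user, tp, cdi):
        self.triples.add((user, tp, cdi))

    def run(self, user, tp, cdi, **args):
        """Enforcement: access only through a certified TP named in a triple,
        never by the TP's own certifier; the IVP is rechecked afterwards and
        every attempt is logged (the slide's T, L and C)."""
        if tp not in self.tps:
            raise PermissionError(f"{tp!r} is not a certified TP")
        certifier, func = self.tps[tp]
        if (user, tp, cdi) not in self.triples:
            self._refuse(user, tp, cdi, "no access triple")
        if certifier == user:
            self._refuse(user, tp, cdi, "separation of duty: certifier may not execute")
        before = copy.deepcopy(self.cdis[cdi])
        func(self.cdis[cdi], **args)
        if not ivp(self.cdis):
            self.cdis[cdi] = before          # roll back the improper modification
            self.log.append((user, tp, cdi, "rolled back: IVP failed"))
            raise ValueError("transaction would leave the CDI inconsistent")
        self.log.append((user, tp, cdi, f"ok {args}"))
        return self.cdis[cdi]

    def _refuse(self, user, tp, cdi, why):
        self.log.append((user, tp, cdi, "denied: " + why))
        raise PermissionError(why)
```

The second integrity goal (authorized users making improper modifications) is the one Biba does not address: the clerk is fully authorized, yet a negative-amount posting is rolled back because the IVP fails afterwards, and the refusal is still logged.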

Page 24: Access control3

Problems with the Orange Book
- Based on an old model, Bell-LaPadula
- Stand-alone: no way to evaluate networked systems
- Systems take a long time (1-2 years) to certify
- Any change (hot fixes, service packs, patches) breaks the certification
- Has not adapted to changes in client-server and corporate computing
- Certification is expensive
- For the most part, not used outside the government sector

Page 25: Access control3

Red Book
- Used to extend the Orange Book to networks
- Actually two works:
  - Trusted Network Interpretation of the TCSEC (NCSC-TG-005)
  - Trusted Network Interpretation Environments Guideline: Guidance for Applying the Trusted Network Interpretation (NCSC-TG-011)

Page 26: Access control3

Authentication
3 types (factors) of authentication:
- Something you know: password, PIN, mother's maiden name, passcode, fraternity chant
- Something you have: ATM card, smart card, token, key, ID badge, driver's license, passport
- Something you are: fingerprint, voice scan, iris scan, retina scan, DNA

Page 27: Access control3

Multi-factor authentication
- 2-factor authentication: to increase the level of security, many systems require a user to provide 2 of the 3 types. ATM card + PIN; credit card + signature; PIN + fingerprint; passcode + SecurID token
- Username + password (the NetWare, Unix and NT default) is single-factor: the username is an identifier, not a factor, and the password is the only thing being proved
- 3-factor authentication, for the highest security: one of each type, e.g. password + smart card or SecurID token + fingerprint

Page 28: Access control3

Problems with passwords
- Insecure: given the choice, people will choose easily remembered and hence easily guessed passwords such as names of relatives, pets, phone numbers, birthdays, hobbies, etc.
- Easily broken: programs such as crack, SmartPass, PWDUMP, NTCrack and l0phtcrack can quickly extract Unix, NetWare and NT password hashes and recover the passwords. The hashes are not "decrypted"; the tools hash candidate passwords and compare.
- Dictionary attacks are only feasible because users choose easily guessed passwords!
- Inconvenient: in an attempt to improve security, organizations often issue users computer-generated passwords that are difficult, if not impossible, to remember
- Repudiable: unlike a written signature, when a transaction is signed with only a password there is no real proof of the identity of the individual who made the transaction

Page 29: Access control3

Classic password rules
- The best passwords are both easy to remember and hard to crack with a dictionary attack. The classic advice is to join two short unrelated words or phonemes, ideally with a special character or number, e.g. hex7goop or -typetin.
- Caveat: eight-character examples like these were adequate against the crackers of the time; against offline attacks on current hardware length matters more than character mix, and any example password that has ever been published should be assumed to be in every wordlist.
- Don't use: common names, DOB, spouse, phone number, etc.; words found in dictionaries; "password" as a password; system defaults

Page 30: Access control3

Password management
- Configure the system to require strong passwords
- Set password age and length limits
- Limit unsuccessful logins
- Limit concurrent connections
- Enable auditing
- Have policies for password resets and changes
- Show the last login date in banners

Page 31: Access control3

Password attacks
- Brute force: l0phtcrack
- Dictionary: Crack, John the Ripper
- Trojan horse login program
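Why the dictionary attack of slides 28 and 31 works, and what the rules of slides 29-30 look like when enforced, as an added Python example that is not part of the slides. SHA-256 stands in for the crypt() and LM/NT hashes the named tools attack; the user names, their passwords, the wordlist, the vendor-default list and the 12-character minimum are all constructed assumptions for the illustration.

```python
import hashlib

# Constructed sample: a 1990s-style password file holding unsalted hashes.
WORDLIST = ["password", "letmein", "fluffy", "19751204", "qwerty", "hex7goop"]
DEFAULTS = {"password", "admin", "changeme"}   # assumed vendor defaults


def unsalted(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


SHADOW = {
    "alice": unsalted("fluffy"),       # the pet's name
    "bob": unsalted("19751204"),       # a date of birth
    "carol": unsalted("hex7goop"),     # the slide's example, now in wordlists
    "dave": unsalted("correct horse battery staple rides at 7am"),
}


def dictionary_attack(shadow, wordlist):
    """Hash every word once and look all users up in the table: with unsalted
    hashes the attacker's cost is per word, not per word per user."""
    table = {unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in shadow.items() if h in table}


def salted_slow(pw: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """The defence: a per-user salt removes the shared lookup table and the
    iteration count multiplies the cost of every guess."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def check_policy(pw: str, wordlist=WORDLIST, min_len: int = 12):
    """Slides 29-30 as a registration-time check. min_len is an assumption."""
    problems = []
    low = pw.lower()
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if low in wordlist:
        problems.append("appears in the wordlist")
    if low in DEFAULTS:
        problems.append("is a system default")
    if pw.isdigit():
        problems.append("digits only (phone number, date of birth)")
    return problems
```

Three of the four accounts fall to a six-word list, including the one using the slide's "good" example; the long passphrase survives because it is in no list, not because of any special character. Storing `salted_slow` output instead of `unsalted` output would not stop guessing a weak password, but it would force the attacker to pay the iteration cost separately for every user.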

Page 32: Access control3

Biometrics
- Authenticating a user via human characteristics
- Using measurable physical or behavioral characteristics of a person to prove their identity
- Fingerprint, signature dynamics, iris, retina, voice, face, DNA, blood

Page 33: Access control3

Advantages of fingerprint-based biometrics
- Can't be lent like a physical key or token and can't be forgotten like a password
- Good compromise between ease of use, template size, cost and accuracy
- A fingerprint contains enough inherent variability to enable unique identification even in very large (millions of records) databases
- Basically lasts forever
- Makes network login and authentication effortless

Page 34: Access control3

Biometric disadvantages
- Still relatively expensive per user
- Companies and products are often new and immature
- No common API or other standard
- Some hesitancy in user acceptance
- A compromised biometric cannot be revoked or changed the way a password or token can

Page 35: Access control3

Biometric privacy issues
- Tracking and surveillance: ultimately, the ability to track a person's movement from hour to hour
- Anonymity: biometric links to databases could dissolve much of our anonymity when we travel and access services
- Profiling: compilation of transaction data about a particular person that creates a picture of that person's travels, preferences, affiliations or beliefs

Page 36: Access control3

Practical biometric applications
- Network access control
- Staff time and attendance tracking
- Authorizing financial transactions
- Government benefits distribution (Social Security, welfare, etc.)
- Verifying identities at point of sale
- Use in conjunction with ATM, credit or smart cards
- Controlling physical access to office buildings or homes
- Protecting personal property
- Preventing kidnapping in schools, play areas, etc.
- Protecting children from fatal gun accidents

Page 37: Access control3

Tokens
- Used to facilitate one-time passwords
- Physical card, SecurID, S/Key, smart card, access token
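How an S/Key style one-time password works, as an added Python example that is not part of the slides: a Lamport hash chain in which the server stores only the current top of the chain and each login presents the link below it, so a captured password is worthless afterwards. The hash function (SHA-256 truncated to 8 bytes), the chain length and the names are assumptions for the illustration; real S/Key folded MD4 or MD5 output to 64 bits.

```python
import hashlib
import hmac


def h(x: bytes) -> bytes:
    """One chain step. S/Key folded MD4 to 64 bits; truncated SHA-256 is
    used here as an assumption for the illustration."""
    return hashlib.sha256(x).digest()[:8]


def make_chain(secret: str, seed: str, n: int) -> list:
    """Client side: otp[i] = h^i(secret || seed). otp[n] is given to the server."""
    x = (secret + seed).encode()
    chain = [x]
    for _ in range(n):
        x = h(x)
        chain.append(x)
    return chain


class OtpServer:
    """Stores (remaining count, last accepted value) per user; never sees the secret."""

    def __init__(self):
        self.users = {}

    def enrol(self, user: str, seed: str, n: int, top: bytes):
        self.users[user] = {"seed": seed, "n": n, "last": top}

    def challenge(self, user: str):
        u = self.users[user]
        return u["n"] - 1, u["seed"]      # "send otp number n-1 for this seed"

    def login(self, user: str, otp: bytes) -> bool:
        u = self.users[user]
        if u["n"] == 0:
            return False                  # chain exhausted; the user must re-enrol
        if not hmac.compare_digest(h(otp), u["last"]):
            return False                  # hashing the offered value must give the stored one
        u["n"] -= 1                       # accept and move the stored value down the chain
        u["last"] = otp
        return True


def client_respond(secret: str, seed: str, index: int) -> bytes:
    """Recomputes otp[index] from the secret; the client keeps no state."""
    return make_chain(secret, seed, index)[index]
```

The server can verify a link but cannot produce the next one (that needs inverting h), which is what makes the stored value safe to keep in plain view and a sniffed password useless for a second login. Note that the protocol protects only the password; it does not authenticate the server, so a man in the middle can relay a fresh response in real time.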

Page 38: Access control3

Single sign-on
- User has one password for all enterprise systems and applications
- That way, one strong password can be remembered and used
- All of a user's accounts can be quickly created on hire and deleted on dismissal
- Trade-off: that one credential, and the SSO server itself, become a single point of compromise and need correspondingly stronger authentication and monitoring
- Hard to implement and get working
- Products and technologies: Kerberos, CA-Unicenter, Memco Proxima, IntelliSoft SnareWorks, Tivoli Global Sign-On, X.509 certificates

Page 39: Access control3

Kerberos
- Part of MIT's Project Athena
- Kerberos is an authentication protocol used for network-wide authentication
- All software must be kerberized
- Components: tickets, authenticators, key distribution center (KDC)

Page 40: Access control3

Kerberos roles
- KDC divided into Authentication Server (AS) and Ticket Granting Server (TGS)
- Authentication Server: authenticates the identities of entities on the network and issues the ticket-granting ticket
- TGS: generates unique session keys between two parties and issues service tickets carrying them. The parties then use these session keys for message encryption

Page 41: Access control3

Kerberos authentication
- User must have an account on the KDC
- KDC must be a trusted server in a secured location
- KDC shares a DES key (derived from the password) with each user
- When a user wants to access a host or application, they request a ticket from the KDC via klogin and generate an authenticator that validates the ticket
- User presents ticket and authenticator to the application, which checks them for validity and then grants access

Page 42: Access control3

Problems with Kerberos
- Each piece of software must be kerberized
- Requires synchronized clocks: authenticators carry timestamps and are rejected outside a small skew window
- Relies on UDP, which is often blocked by many firewalls (Kerberos v5 can also use TCP)
- Kerberos v4 binds tickets to a single network address for a host. A host with multiple NICs will have problems using tickets
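The exchange described in slides 39-42 as an added Python simulation, not code from the slides or from MIT Kerberos: the AS exchange, the TGS exchange, and the authenticator check every kerberized service performs, including the clock-skew rule that makes synchronized clocks mandatory and the replay cache. A toy SHA-256/HMAC "seal" stands in for the DES encryption of the real protocol, and the principal names, secrets, 8-hour ticket lifetime and 300-second skew are assumptions for the illustration.

```python
import hashlib
import hmac
import json
import os

SKEW = 300  # seconds of clock difference tolerated: why clocks must be synchronised

def kdf(secret: str) -> bytes:
    """Long-term key from a password or service secret (stand-in for DES string-to-key)."""
    return hashlib.sha256(secret.encode()).digest()

def _keystream(key: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, obj) -> bytes:
    """Toy authenticated encryption (SHA-256 keystream + HMAC tag) standing in
    for Kerberos' DES; it has no nonce and exists for this illustration only."""
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))))

def verify(ticket: dict, authenticator: bytes, now: float, seen: set) -> bytes:
    """Checks made by the TGS and by every kerberized service: the authenticator
    must open under the ticket's session key, name the same client, be fresh
    (clock skew) and not a replay, and the ticket must not have expired."""
    sk = bytes.fromhex(ticket["key"])
    auth = unseal(sk, authenticator)
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > SKEW:
        raise PermissionError("clock skew too great")
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")
    if (auth["client"], auth["ts"]) in seen:
        raise PermissionError("replayed authenticator")
    seen.add((auth["client"], auth["ts"]))
    return sk

class KDC:
    """Authentication Server and Ticket Granting Server in one process."""

    def __init__(self, principals: dict):
        self.keys = {p: kdf(s) for p, s in principals.items()}  # one key per principal
        self.seen = set()  # replay cache for TGS authenticators

    def as_exchange(self, client: str, now: float) -> bytes:
        """AS-REQ/AS-REP: a TGT sealed for the TGS plus a client/TGS session key,
        the whole reply sealed under the client's password-derived key."""
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(),
                                         "expires": now + 8 * 3600})
        return seal(self.keys[client], {"key": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob, authenticator, service, now) -> bytes:
        """TGS-REQ/TGS-REP: verify TGT + authenticator, then issue a service
        ticket and a fresh client/service session key."""
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        sk = verify(tgt, authenticator, now, self.seen)
        svc_key = os.urandom(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "key": svc_key.hex(),
                                           "expires": tgt["expires"]})
        return seal(sk, {"key": svc_key.hex(), "ticket": ticket.hex()})

class Service:
    """A kerberized application server; it holds only its own long-term key."""

    def __init__(self, name: str, secret: str):
        self.name, self.key, self.seen = name, kdf(secret), set()

    def accept(self, ticket_blob, authenticator, now) -> str:
        ticket = unseal(self.key, ticket_blob)  # only the named service can open it
        verify(ticket, authenticator, now, self.seen)
        return ticket["client"]

def make_authenticator(session_key: bytes, client: str, now: float) -> bytes:
    return seal(session_key, {"client": client, "ts": now})

def kerberos_login(kdc, client, password, service, now):
    """The client's side of the whole flow. A wrong password fails at the first
    unseal (ValueError): decrypting the AS-REP is what proves the password."""
    rep = unseal(kdf(password), kdc.as_exchange(client, now))
    tgs_key, tgt = bytes.fromhex(rep["key"]), bytes.fromhex(rep["tgt"])
    rep = unseal(tgs_key, kdc.tgs_exchange(tgt, make_authenticator(tgs_key, client, now),
                                           service, now))
    svc_key, ticket = bytes.fromhex(rep["key"]), bytes.fromhex(rep["ticket"])
    return ticket, make_authenticator(svc_key, client, now)
```

Two things the slides state follow directly from the code: the service never talks to the KDC, so each service needs only its own key and the KDC must be protected as the one holder of everything; and because the AS-REP is handed out before the password is checked, anyone can request one for a known user and attack the password-derived key offline, which is why Kerberos v5 added pre-authentication.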

Page 43: Access control3

Attacks
- Passive attack: monitor network traffic, then use the data obtained or perform a replay attack. Hard to detect
- Active attack: the attacker is actively trying to break in. Exploiting system vulnerabilities; spoofing; crypto attacks
- Denial of service (DoS): not so much an attempt to gain access as to prevent system operation. Smurf, SYN flood, Ping of Death, mail bombs

Page 44: Access control3

Vulnerabilities
- Physical
- Natural: floods, earthquakes, terrorists, power outage, lightning
- Hardware/software
- Media: corrupt electronic media, stolen disk drives
- Emanation
- Communications
- Human: social engineering, disgruntled staff

Page 45: Access control3

Monitoring
- IDS
- Logs
- Audit trails
- Network tools: Tivoli, OpenView

Page 46: Access control3

Intrusion Detection Systems
- An IDS monitors a system or network for attacks
- The IDS engine has a library and set of signatures that identify an attack
- Adds defense in depth
- Should be used in conjunction with a system scanner (CyberCop, ISS) for maximum security

Page 47: Access control3

Object reuse
- Must ensure that magnetic media retain no remnants of previous data
- Also applies to buffers, cache and other memory allocations
- Required at TCSEC B2/B3/A1 levels
- See "Secure Deletion of Data from Magnetic and Solid-State Memory" (Gutmann, 1996)
- Objects must be declassified; magnetic media must be degaussed or securely overwritten
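Secure overwriting of a file and scrubbing of an in-memory buffer, as an added Python example that is not part of the slides. The three-pass schedule (zeros, ones, random), the file contents and the temp-directory demo are assumptions for the illustration, not a reproduction of any standard's schedule.

```python
import os
import tempfile

# Constructed pass schedule: zeros, ones, then random. The number and order of
# passes are an assumption for the illustration.
PASSES = (b"\x00", b"\xff", None)     # None means random bytes


def overwrite_file(path: str, passes=PASSES, chunk: int = 1 << 16) -> int:
    """Overwrite every byte of the file in place, once per pass, forcing each
    pass to the device with fsync so it does not just sit in the page cache."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            left = size
            while left:
                n = min(chunk, left)
                f.write(os.urandom(n) if pattern is None else pattern * n)
                left -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def secure_delete(path: str) -> int:
    """Overwrite, then rename to a random name before unlinking so the original
    file name is also gone from the directory entry."""
    size = overwrite_file(path)
    anon = os.path.join(os.path.dirname(path) or ".", os.urandom(8).hex())
    os.rename(path, anon)
    os.unlink(anon)
    return size


def scrub(buf: bytearray) -> None:
    """The in-memory counterpart for buffers and caches: a bytearray can be
    zeroed in place before it is released; an immutable bytes object cannot."""
    buf[:] = bytes(len(buf))


def demo() -> dict:
    """Creates a constructed secret file in a temp dir, wipes it, and reports
    what could still be observed afterwards."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "payroll.txt")
        with open(path, "wb") as f:
            f.write(b"SECRET-SALARY-DATA\n" * 500)
        size = overwrite_file(path)
        with open(path, "rb") as f:
            after = f.read()
        deleted = secure_delete(path)
        buf = bytearray(b"session-key-material")
        scrub(buf)
        return {"size": size, "deleted": deleted, "same_length": len(after) == size,
                "secret_visible": b"SECRET" in after, "file_exists": os.path.exists(path),
                "buffer_zeroed": not any(buf)}
```

Overwriting in place only works where the new bytes land on the same physical blocks as the old ones, which is the magnetic-disk assumption the slide makes. On SSDs (wear levelling, spare blocks), on journaling or copy-on-write filesystems, and wherever snapshots or backups exist, copies of the old data can survive the overwrite; there, the practical answers are encrypting the volume from the start and destroying the key, or the device's own sanitize command, with degaussing or physical destruction for magnetic media that must leave the building.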

Page 48: Access control3

TEMPEST
- Electromagnetic emanations from keyboards, cables, printers, modems, monitors and all electronic equipment. With appropriate and sophisticated enough equipment, data can be read at a few hundred yards.
- TEMPEST-certified equipment encases the hardware in a tight metal enclosure that shields the electromagnetic emanations
- WANG Federal was, at the time of these slides, the leading provider of TEMPEST hardware
- TEMPEST hardware is extremely expensive and can only be serviced by certified technicians
- Rooms and buildings can be TEMPEST-certified
- The TEMPEST standards NACSEM 5100A and NACSI 5004 are classified documents

Page 49: Access control3

Banners
- Banners display at login or connection, stating that the system is for the exclusive use of authorized users and that their activity may be monitored
- Not foolproof, but a good start, especially from a legal perspective
- Make sure that the banner does not reveal system information, e.g. OS, version, hardware

Page 50: Access control3

RAS access control
- RADIUS (Remote Authentication Dial-In User Service): client/server protocol and software that enables a RAS to communicate with a central server to authenticate dial-in users and authorize their access to requested systems. Only the User-Password attribute is hidden (XORed with MD5 of the shared secret and the request authenticator); everything else in the packet travels in the clear over UDP.
- TACACS/TACACS+ (Terminal Access Controller Access Control System): authentication protocol that allows a RAS to forward a user's logon password to an authentication server. The original TACACS is an unencrypted protocol and therefore less secure than the later TACACS+ and RADIUS protocols. XTACACS (Extended TACACS) was the intermediate version between TACACS and TACACS+.

Page 51: Access control3

Penetration Testing
- Basically "Improving the Security of Your Site by Breaking Into It", by Dan Farmer and Wietse Venema, http://www.fish.com/security/admin-guide-to-cracking.html
- Identifies weaknesses in Internet, intranet, extranet and RAS technologies
- Phases: discovery and footprint analysis, exploitation, physical security assessment, social engineering

Page 52: Access control3

Penetration Testing
- Attempts to identify vulnerabilities and gain access to critical systems within the organization
- Identifies and recommends corrective action for the systemic problems that may propagate these vulnerabilities throughout an organization
- Assessments allow the client to demonstrate the need for additional security resources by translating existing vulnerabilities into real-life business risks

Page 53: Access control3

Rule of least privilege
- One of the most fundamental principles of infosec
- States that any subject (user, administrator, program, system) should have only the least privileges it needs to perform its assigned task, and no more
- An AC system that grants users only those rights necessary for them to perform their work
- Limits exposure to attacks and the damage an attack can cause
- Physical security example: car ignition key vs. door key

Page 54: Access control3

Implementing least privilege
- Ensure that only a minimal set of users have root access
- Don't make a program run setuid to root if not needed. Instead, make the file it must write group-writable by some dedicated group and make the program run setgid to that group, rather than setuid to root
- Don't run insecure programs on the firewall or other trusted hosts
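The first step in applying the slide's setuid advice is finding what currently runs with a borrowed identity. As an added Python example that is not part of the slides, this scanner classifies every regular file in a tree as setuid-root, setuid to another user, or setgid to a group, and flags the combination that is an immediate escalation (a privileged executable that group or world can write). The temp-directory demo and its file names are constructed for the illustration.

```python
import os
import stat
import tempfile


def classify(mode: int, uid: int) -> str:
    """What a file's mode bits hand to whoever executes it."""
    if mode & stat.S_ISUID and uid == 0:
        return "setuid-root"
    if mode & stat.S_ISUID:
        return "setuid-user"
    if mode & stat.S_ISGID:
        return "setgid-group"
    return "none"


def risky(mode: int, uid: int) -> bool:
    """A setuid/setgid executable that others can write is a direct privilege
    escalation: anyone can replace its code and run it with the elevated id."""
    return classify(mode, uid) != "none" and bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def scan(root: str) -> dict:
    """Walk a tree and list every regular file that runs with a borrowed id."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)        # lstat: do not follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            kind = classify(st.st_mode, st.st_uid)
            if kind != "none":
                findings[path] = (kind, risky(st.st_mode, st.st_uid))
    return findings


def demo() -> dict:
    """Constructed tree: one plain script and one the example marks setuid.
    Some filesystems drop the bit for non-root owners; the result reports what
    the kernel actually kept."""
    with tempfile.TemporaryDirectory() as d:
        plain, marked = os.path.join(d, "plain"), os.path.join(d, "helper")
        for p in (plain, marked):
            with open(p, "wb") as f:
                f.write(b"#!/bin/sh\necho hi\n")
        os.chmod(plain, 0o755)
        os.chmod(marked, 0o4755)
        return {os.path.basename(p): v for p, v in scan(d).items()}


if __name__ == "__main__":
    for path, (kind, bad) in sorted(scan("/usr/bin").items()):
        print(f"{'RISKY ' if bad else ''}{kind:12} {path}")
```

Each setuid-root finding is a candidate for the slide's conversion: give the data the program must write to a dedicated group (chgrp and chmod g+w on the file) and make the program setgid to that group (chmod g+s), so a bug in it yields group membership rather than root.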

Page 55: Access control3

Any questions?

Access Control Systems & Methodology

Files graciously shared by Ben Rothke. Reformatted and edited for slide presentation.