Chapter 6: Access Control


Overview

Perhaps the most important element of your information security system is controlling how people access the network resources. The goal of access control is typically described by the abbreviation AAA or "Triple A," short for authentication, authorization, and accounting.

Authentication, the first goal of access control, is to ensure that users are who they claim to be. Authentication of users can be established in one of three ways:

  • Something the user knows. This is normally an intangible that only the authorized user should know. Common examples include a password or a personal identification number. Other examples, while not unique to the individual user, can also be used, such as mother's maiden name or other mnemonic trick. The primary advantage of using password-type authentication is that it is well-established in both the psyche of users and the design of network components. It is easy to implement and easy to manage. The primary disadvantage is that users tend to pick something easy to remember. "Easy to remember" is often shorthand for insecure. The problem is compounded when an organization relies on different passwords for multiple systems.

  • Something the user has. The second most common method of access control is by assuming that only the authorized user will be in possession of a physical object that will prove his or her identity. A common object is a token or magnetically striped card. The primary problem with this solution alone is that the physical object itself can be lost or stolen. Consider the example of a common object that utilizes something you have as the authentication method — automobiles. The key to the automobile serves as the physical token with the assumption that only the authorized driver of the car will be in possession of the key itself. This, of course, is not always true.

  • Something the user is. This third category of authentication relies on some individually unique personal characteristic of a person to establish identity. Arguably, this is the same as something the user has; but because in this case we are referring to a biological identifier, a separate authentication category is typically assigned to it. From our DNA to our fingerprints, humans have a number of unique characteristics that can be used to establish identity with a very high degree of probability. While biological identifiers are generally considered the last word in authentication, they suffer from several implementation problems. Most notably, accuracy, user acceptance, and cost are issues that limit the widespread adoption of this form of authentication.

Any system of authentication that employs only one of the above listed methods of authentication is known as single-factor authentication. Systems that employ two of the above methods of authentication are similarly known as two-factor authentication systems and are generally preferable to single-factor authentication systems. Two-factor authentication is also fairly simple to implement, assuming that the network infrastructure has been created to support it. Consider the two-factor authentication that we use every day with automatic teller machine (ATM) cards. First, we must be in possession of the ATM card itself — something we have. In conjunction with the card, however, we must also know the PIN (personal identification number) assigned to that account — something we know.

Two-factor authentication significantly improves the confidence we have in our authentication systems. Consider the ATM and PIN example. From a security point of view, the use of a four-digit PIN as access control would be unacceptable. With only 10,000 available values in a PIN, a PIN is less secure than even a password selected right from the dictionary. Combined with the requirement for a physical token, however, the level of security the PIN provides becomes adequate for the application.

Three-factor authentication is not unheard of, just less widely deployed. While a biometric (something you are) is commonly applied with something you have or know, the increase in security versus the increase in cost and complexity for three-factor authentication must be carefully evaluated.

Once user identity has been authenticated, authorization is the next step. The access rights that a user has on the network must then be established. This is typically done via associating a username with an access control list that applies rules dictating what a user can access and what a user is specifically prohibited from accessing.

From a network management perspective, methods of authorization can be divided into three primary models: discretionary, mandatory, and non-discretionary access control.

Discretionary access control (DAC) allows the owner of a resource to create access rules defining access to the resource. If I create a spreadsheet on the network, then as the owner of the spreadsheet, I am allowed to define who has access to that spreadsheet. Using the discretionary model, users are able to define the access rights for the resources they create. Thus, you, being part of the project, may have full read access to the spreadsheet, but Jim down the hall is not allowed to read our important information.

Discretionary access control is ideal in a decentralized environment, but can be difficult to manage. Because network administrators are not involved in assigning rights to resources created by the users, it can be difficult to ensure that all resources have the appropriate level of rights assigned to them. For example, as the average user, I may have inadvertently provided more access to the spreadsheet I had created than is allowed considering the sensitive nature of information on the spreadsheet. If this were the case, a network security officer would be unlikely to know about my intentional or unintentional security configuration until it was too late.

The response to a discretionary access control model is mandatory access control (MAC). Using the MAC model, users and objects are assigned security labels. When a user attempts to access an object, the security labels for the user and the object are compared. If the user's security level is equal to or higher than that of the object, access is allowed. Any fan of spy thrillers will recognize this model. An agent with "top secret" clearance can access files of a "confidential" nature because "top secret" is a security label assigned to a user that has a security value higher than the value of "confidential."

For mandatory access control to operate properly, each object or resource in a system must be assigned a security label. These labels follow a strict hierarchy, with each label on the hierarchy more trusted than those below it. The security label hierarchy can be repeated among different categories in the organization. Thus, a company may have a research and development (R&D) category and an accounting category. Both R&D and accounting may have several security labels, such as confidential, proprietary, corporate, and sensitive. To access an object in the accounting department that has a security label of corporate, a user would have to be classified as part of the accounting category and have a clearance of corporate or sensitive to be able to access that object.
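The label comparison described above, as an added example that is not code from the book: a minimal MAC read check in Python. A label carries a category and a level, the level hierarchy is passed in as an ordered list (so the business and military hierarchies the chapter lists both work), and access is allowed only when the category matches and the clearance level is at least the object's level. The hierarchies, labels and user names are constructed for the example; the rule that a user holds one clearance per category is an assumption.

```python
# Added example, not from the book: a minimal mandatory access control (MAC)
# read check. Labels carry a category and a level; the level hierarchy is
# supplied as an ordered list, so the same check works for the business
# labels and the military ones described in the chapter.
from dataclasses import dataclass
from typing import Iterable, Sequence

# Constructed hierarchies, lowest to highest, taken from the chapter's text.
BUSINESS_LEVELS = ["confidential", "proprietary", "corporate", "sensitive"]
MILITARY_LEVELS = ["unclassified", "sensitive but unclassified",
                   "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    category: str   # e.g. "accounting" or "R&D"
    level: str      # must be a member of the hierarchy in use


def dominates(clearance: Label, obj: Label, levels: Sequence[str]) -> bool:
    """True when a subject with `clearance` may read `obj`:
    same category, and a level at least as high as the object's."""
    rank = {name: i for i, name in enumerate(levels)}
    if clearance.level not in rank or obj.level not in rank:
        raise ValueError(f"unknown security level in {clearance} or {obj}")
    return (clearance.category == obj.category
            and rank[clearance.level] >= rank[obj.level])


def mac_read_allowed(clearances: Iterable[Label], obj: Label,
                     levels: Sequence[str] = BUSINESS_LEVELS) -> bool:
    """A user may hold one clearance per category (assumption); reading is
    allowed if any held clearance dominates the object's label. The owner
    of the object does not appear anywhere in this decision: that is what
    makes the control mandatory rather than discretionary."""
    return any(dominates(c, obj, levels) for c in clearances)


if __name__ == "__main__":
    # Constructed scenario: a "corporate" spreadsheet in accounting.
    spreadsheet = Label("accounting", "corporate")
    users = {
        "alice": [Label("accounting", "sensitive")],   # allowed
        "bob": [Label("accounting", "proprietary")],   # too low
        "carol": [Label("R&D", "sensitive")],          # wrong category
    }
    for name, clearances in users.items():
        print(name, mac_read_allowed(clearances, spreadsheet))
```

The check is read-only on purpose; write rules in labelled systems are usually stricter and are not discussed in this chapter.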

Mandatory access controls are beneficial for large organizations with centralized management. The creator of the file can still determine what level of security his document requires, but it is the operating system itself that determines which users have access to the file and who can override the owner of the file regarding security permissions. If you were to assign a security label of "proprietary" to a spreadsheet, anyone in the same category in your organization (e.g., accounting) with a security clearance of confidential or higher would be able to access your document and possibly change or reassign the security label to a higher level.

The most common implementation of mandatory access controls is found in the military. There, the security levels from lowest to highest are unclassified, sensitive but unclassified, confidential, secret, and top secret. In a business environment, when strictly implemented, mandatory access control security labels from lowest to highest are public, sensitive, private, and confidential.

Purely discretionary and mandatory access controls suffer from a management problem in that users are assigned permissions on an individual basis. For large organizations, this becomes a cumbersome chore, making sure that each user has the appropriate rights for any given network resource. Imagine a small company of even 500 employees with 10 network servers, 25 printers, and hundreds of files and folders, each requiring different levels of access permissions to utilize them. Network administrators for this company would spend much of their time assigning rights to new employees and troubleshooting rights that they have already assigned ("I can't use the printer down the hall for some reason, but I can use the one on the third floor. Can you fix this for me, please?"). Such complexity also puts the information security policies of the organization at risk because misconfiguration or excessive privileges may go unnoticed until it is too late.

When implementing any security policy, a hallmark of a good implementation is to provide rights to users that are exactly appropriate to their job function, a philosophy known as "least privilege." Least privilege means that as a user on the second floor of the engineering department, I have access to network printers on the second floor of the engineering department but not those printers in the executive suite. I have network access that allows me to share resources on the engineering department file servers but have no access whatsoever to the accounting department file servers. These permissions protect the company from me should I decide to initiate malicious actions against it, and they also protect both the company and me should someone illegitimately gain access to my accounts.

A common risk associated with privileges is something known as "privilege creep." Privilege creep is the slow accumulation of rights that an individual acquires as they change roles in the company. A person may be transferred from one department to another or promoted from one position to another yet retain the permissions associated with their previous position along with acquiring the permissions of their new position. Of course, this is the exact opposite of least required privilege in that the user now has network permissions that exceed his required job function.

To address the issues of management and privilege creep, the nondiscretionary access control model, also known as role-based access control (RBAC), is often implemented. Users are assigned roles within a company, and the roles are then assigned the proper permissions. As an example, John is a new hire in the engineering department working on the secret project to power fuel cells by methane, in the hope of greatly increasing the fuel efficiency of 18-wheelers by harnessing the until-now untapped power of the truck drivers themselves. The role name of this project is "Buy Beans." The network administrator has taken the time to set up the permissions for the "Buy Beans" role to access only those resources critical to the success of the project and no others. That means that members of the Buy Beans group cannot even access other ongoing engineering projects. As can be imagined, in this company, the complexity of this task could have taken the network administrators a couple of hours to ensure that permissions were correctly assigned. When John signs on, instead of duplicating the work for John in assigning permissions, John is simply assigned the role of "Buy Beans." His permissions then take on exactly those of the Buy Beans role.

Should John transfer to another project, one more appealing to his sense of smell, the network administrator could simply assign John a new role. When assigned to the new role, John then has permissions only to objects defined by the new role. The benefit of nondiscretionary access controls then includes both ease of management and improved security. By assigning users to roles, management is eased because users do not need to be individually assigned rights to network objects. Security is increased through the use of roles by ensuring that rights assigned to roles are exactly those required by the role. When changing roles, the rights of the users are then changed, helping to prevent privilege creep.

For those familiar with network administration, a number of popular operating systems where users are put into groups and then groups assigned rights will immediately spring to mind. This is very similar to role-based access control with only one minor difference. In role-based access control, users have only those rights assigned to the roles. In systems that employ groups, the user is generally allowed to assign privileges on an individual basis as well. Furthermore, users may be generally placed in multiple groups. Thus, most popular operating systems allow the flexibility of discretionary access controls with the management capabilities of nondiscretionary access controls.

While flexible, this combination of access control authorization models does have its drawbacks. The most significant is that it is difficult to determine a user's effective permission to any given object. If users are allowed only read access to a network object in one group but are allowed read and write access in another group, what permission do they have when actually accessing the objects? Most operating systems default to the most restrictive rule in this regard. This overlap of rules can make administration of the system confusing, and confusion is always poor security. The best way to avoid this is to create your groups as if you were creating roles for your users. That is, create your permissions and groups based on defined roles in your organization. Done properly, you will be able to assign users to a role-based group to accomplish their required tasks, instead of assigning users to a number of groups to be able to accomplish their daily functions.
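The two models contrasted in the last few paragraphs (John's transfer between roles, and the effective-permission question when a user sits in several groups), as an added example that is not code from the book. The role model attaches rights to roles and gives each user exactly one role, so a transfer drops the old rights and privilege creep cannot occur; the group model lets a user belong to many groups and resolves conflicts with the most-restrictive rule the text describes. Role names, object names and the right ordering ("none" < "read" < "write") are constructed for the example.

```python
# Added example, not from the book: a role-based model next to a group-based
# one. In the role model a user holds exactly one role, so reassigning the
# role drops the old rights; in the group model a user may be in several
# groups, and the effective right is resolved with the most-restrictive rule.
from typing import Dict, Set

# Constructed right ordering, lowest to highest; "write" implies "read" here.
RIGHTS = ["none", "read", "write"]


class RoleBasedAccess:
    """Permissions are attached to roles; each user is attached to one role."""

    def __init__(self) -> None:
        self.role_perms: Dict[str, Dict[str, str]] = {}
        self.user_role: Dict[str, str] = {}

    def define_role(self, role: str, perms: Dict[str, str]) -> None:
        self.role_perms[role] = dict(perms)

    def assign_role(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(role)
        self.user_role[user] = role      # replaces any previous role

    def right(self, user: str, obj: str) -> str:
        role = self.user_role.get(user)
        if role is None:
            return "none"
        return self.role_perms[role].get(obj, "none")


class GroupBasedAccess:
    """Permissions are attached to groups; a user may be in many groups."""

    def __init__(self) -> None:
        self.group_perms: Dict[str, Dict[str, str]] = {}
        self.user_groups: Dict[str, Set[str]] = {}

    def define_group(self, group: str, perms: Dict[str, str]) -> None:
        self.group_perms[group] = dict(perms)

    def add_to_group(self, user: str, group: str) -> None:
        self.user_groups.setdefault(user, set()).add(group)

    def right(self, user: str, obj: str) -> str:
        """Most-restrictive rule: among the user's groups that mention the
        object, the lowest right wins; an object no group mentions is "none"."""
        mentioned = [self.group_perms[g].get(obj)
                     for g in self.user_groups.get(user, set())]
        mentioned = [r for r in mentioned if r is not None]
        if not mentioned:
            return "none"
        return min(mentioned, key=RIGHTS.index)


def transfer_demo() -> Dict[str, str]:
    """John joins "Buy Beans", then transfers; returns his rights at each step."""
    rbac = RoleBasedAccess()
    rbac.define_role("Buy Beans", {"beans_share": "write", "eng_printer_2": "read"})
    rbac.define_role("Methane Free", {"mf_share": "write", "eng_printer_2": "read"})
    rbac.assign_role("john", "Buy Beans")
    before = rbac.right("john", "beans_share")
    rbac.assign_role("john", "Methane Free")          # the transfer
    return {"before": before,
            "old_project_after": rbac.right("john", "beans_share"),
            "new_project_after": rbac.right("john", "mf_share")}


if __name__ == "__main__":
    print(transfer_demo())
    groups = GroupBasedAccess()
    groups.define_group("readers", {"doc": "read"})
    groups.define_group("editors", {"doc": "write"})
    groups.add_to_group("pat", "readers")
    groups.add_to_group("pat", "editors")
    print("pat on doc:", groups.right("pat", "doc"))   # most restrictive wins
```

Because the role model's `assign_role` replaces rather than adds, the old project's share simply disappears from John's effective rights; with the group model an administrator would have to remember to remove him from the old group, which is exactly where privilege creep starts.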

The third and final component of access control is accounting. No information security system can be considered complete until proper accounting is configured (and reviewed on a regular basis, but that is a different story altogether). It is unlikely that all computer attacks are going to be discovered in real-time. Even if the effect of an attack is noticed, by the time a human decides to intervene, most of the time the damage has already been done. The best we can do, short of using computers themselves to respond to attacks in a reactive manner, is to review the evidence of an attack and make an assessment as to whether or not the attack was successful. One of the most important elements in this regard is thorough accounting.

As the name suggests, accounting is the ability to associate a user account with a series of actions and the time they occurred. It is the ability to know who did what and when they did it. The ability to accurately and completely log user information leads to a number of questions that must be considered when comparing countermeasures.

The first element for consideration is the ability to do logging at all. Most access control applications allow some sort of logging, but this may be little more than knowing that user jdoe logged in at 8:45 Monday, December 16, 2002, and stayed logged in to the network for eight hours. More advanced reporting will also be able to inventory what jdoe did while logged in.

It may be natural to assume that the more information that can be gathered, the better; this is not necessarily the case. The auditing of information is only important if someone is going to actually review the logged information. Even in a small network, assuming that this function takes place on a regular basis, the amount of information that can be collected about users can quickly become overwhelming. Too much information is just as bad as not enough information. This is for two reasons. The first is that information overload will discourage the review of the accounting information in the first place. The second is that actual misuse can be lost in the mountains of accumulated data.

Instead of simply looking for the amount of information to be collected, a more accurate comparison of access control countermeasures would be to examine what information they collect and how configurable the accounting rules can be. For example, you may not wish to audit every single failed log-on attempt. Instead, you would want to only record log-on attempts that fail a certain number of times. Most users will, from time to time, mistype their passwords. If they mistype it more than three times, however, that may be an indication of a problem. Or you may wish to only log network log-ons that occur outside normal working hours so that you can concentrate your efforts on specific events. If you have reason to suspect misuse of network resources by a particular user, it would be helpful to be able to audit everything that this particular user does, yet leave the rest of the network users at the default logging level.

The process of being able to specify logging only after a certain number of events occur, such as failed network log-ons, is known as being able to establish a clipping level. Clipping levels are essential in reducing the amount of accounting information that a reviewer is presented with: they suppress events that are insignificant in isolation and report them only when they cluster, where they may be very significant. Note, however, that clipping levels normally have a decay period associated with the clipping level. That means that three failed log-ons in ten minutes may be recorded, but three failed log-ons in 30 minutes may have caused the clipping level timers to reset and thus not be logged. Good attackers are very patient.
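The clipping level with a decay window, as an added example that is not code from the book: a filter over a few constructed failed-log-on records that reports a user only once a threshold of failures falls inside a sliding window. The sample lines, the user names and the default of three failures in ten minutes are constructed; the block also shows the page's point that the same three failures spread over 30 minutes go unreported unless the window is widened.

```python
# Added example, not from the book: a clipping-level filter over constructed
# failed-logon events. A record is produced only when a user accumulates
# `threshold` failures within `window_seconds`; older failures age out of the
# window, which is the decay behaviour the chapter describes.
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterator, List, Tuple

# Constructed sample log: "<ISO timestamp> <user> <result>".
# jdoe fails three times in two minutes; asmith fails three times in 30.
SAMPLE_LOG = """\
2002-12-16T08:45:00 jdoe FAIL
2002-12-16T08:46:00 jdoe FAIL
2002-12-16T08:47:00 jdoe FAIL
2002-12-16T09:00:00 asmith FAIL
2002-12-16T09:15:00 asmith FAIL
2002-12-16T09:30:00 asmith FAIL
2002-12-16T09:31:00 asmith OK
"""


def parse(lines: str) -> Iterator[Tuple[datetime, str, str]]:
    """Yield (timestamp, user, result) for each non-empty line."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        yield datetime.fromisoformat(ts), user, result


def clipping_alerts(lines: str, threshold: int = 3,
                    window_seconds: int = 600) -> List[Tuple[str, datetime]]:
    """Return (user, time) pairs at which the clipping level was reached."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)          # user -> timestamps of recent failures
    alerts: List[Tuple[str, datetime]] = []
    for ts, user, result in parse(lines):
        if result != "FAIL":
            continue
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:  # decay: drop failures outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append((user, ts))
            q.clear()                    # one burst yields one record
    return alerts


if __name__ == "__main__":
    print("10-minute window:", clipping_alerts(SAMPLE_LOG))
    print("30-minute window:", clipping_alerts(SAMPLE_LOG, window_seconds=1800))
```

With the default window only jdoe is reported; asmith's failures never overlap inside ten minutes, which is the blind spot the last sentence of the paragraph warns about. Widening the window to 30 minutes catches asmith as well, at the cost of more records for the reviewer.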

The ability to manipulate accounting data is also very important. While a single, long text file is technically an accounting log, woe to the person that needs to peer through that log to decipher usage patterns. Instead, the ability to manipulate data is important. While I would rather manage my servers using a command-line interface, I cannot dispute the advantage of humans using graphical interfaces to be able to interpret aggregate data.

Mechanisms used to store information in access control accounting are very important. If the accounting of a network of any size is being performed, then a good deal of data is going to be recorded. This logged data is going to be important if anyone on the network is suspected of misuse or an actual attack has occurred through a user account. It may be important enough to have to serve as legal evidence. To ensure the longevity, integrity, and even admissibility of the accounting data in court, be sure to examine backup mechanisms, timestamping, and the cryptographic signing of data through the use of either the access control accounting software itself or a third-party solution. Speaking of timestamping, it may also be a good time to note that most networks do not adequately ensure the consistency of time settings between their systems. Even having a 60-second difference between the settings of multiple hosts will make conclusive reconstruction of events from the accounting log impossible. Ensure that your network time protocol server is functioning properly and hosts are configured to synchronize their system clocks on a regular basis.

Common methods of securing accounting data include rather straightforward methods of recording data to a removable disk or writeable CD-ROM. Once full, the removable media can be replaced and stored in a safe location. In either case, cryptographically secure timestamping and hashing of the information should be performed as soon as possible; in some cases, each entry is timestamped and hashed as it occurs. This provides reasonable assurance that the information has not been tampered with after the fact. In certain instances where the integrity of data must be ensured, network administrators have even gone through the effort of printing out hard copies of accounting information as they occur. This procedure tends to generate quite a bit of paper, but ensures that any information logged cannot be easily altered or deleted from a network-based attack.
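The per-entry timestamping and hashing just described, as an added example that is not code from the book: each record carries its timestamp, the message, and the tag of the previous record, and is authenticated with an HMAC over those fields, so that editing or removing a record breaks verification of everything after it. The key, the sample entries and the timestamps are constructed; that the key is held on the collector rather than on the logged host is an assumption.

```python
# Added example, not from the book: append-only log entries that are
# timestamped and chained through an HMAC over the previous entry's tag,
# so altering or deleting a record after the fact breaks verification.
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

GENESIS = "0" * 64   # tag assumed for the entry before the first one


def _body(ts: str, msg: str, prev: str) -> bytes:
    """Canonical bytes that the HMAC covers (sorted keys, no ambiguity)."""
    return json.dumps({"ts": ts, "msg": msg, "prev": prev}, sort_keys=True).encode()


def append_entry(log: List[Dict[str, str]], msg: str, key: bytes,
                 ts: Optional[str] = None) -> List[Dict[str, str]]:
    """Append one authenticated record; the timestamp defaults to now (UTC)."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    prev = log[-1]["tag"] if log else GENESIS
    tag = hmac.new(key, _body(ts, msg, prev), hashlib.sha256).hexdigest()
    log.append({"ts": ts, "msg": msg, "prev": prev, "tag": tag})
    return log


def verify(log: List[Dict[str, str]], key: bytes) -> int:
    """Return the index of the first entry that fails, or -1 if the chain holds."""
    prev = GENESIS
    for i, e in enumerate(log):
        expected = hmac.new(key, _body(e["ts"], e["msg"], e["prev"]),
                            hashlib.sha256).hexdigest()
        if e["prev"] != prev or not hmac.compare_digest(expected, e["tag"]):
            return i
        prev = e["tag"]
    return -1


def build_sample_log(key: bytes) -> List[Dict[str, str]]:
    """Constructed accounting records for the user from the chapter's text."""
    log: List[Dict[str, str]] = []
    append_entry(log, "jdoe logon ok", key, "2002-12-16T08:45:00Z")
    append_entry(log, "jdoe opened accounting share", key, "2002-12-16T09:10:00Z")
    append_entry(log, "jdoe logoff", key, "2002-12-16T16:45:00Z")
    return log


if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed; a real key lives on the collector
    log = build_sample_log(key)
    print("intact chain verifies at index", verify(log, key))
    log[1]["msg"] = "jdoe opened nothing"
    print("after editing entry 1, first failure at index", verify(log, key))
```

One caveat the chain alone does not cover: silently dropping the newest entries leaves a shorter but still valid chain. Keeping the latest tag somewhere the logged host cannot reach, such as the central collector or the removable media the chapter mentions, closes that gap.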

In medium to large networks, there may be multiple systems that perform the access control function. This can make the examination of accounting data troublesome if the logging information is likewise distributed among a number of authentication and authorization services. No matter the diversity of access control systems in use, make it a point to ensure that the logging can be collected from a central location.

An experienced attacker will make the accounting system one of his first targets once the network has been compromised. To make the attacker's work more difficult, it is imperative that the server hosting the log files be especially secure by configuring it as a bastion host as all network devices should be and protecting the logging file with a firewall. Disabling remote management of the accounting information server altogether would not be a bad idea either.

For most attackers, circumventing access controls is the goal of the intelligence-gathering phase of their attacks. Once allowed access to network resources in any form, an attacker will then attempt to use clues available within the network infrastructure itself to elevate their privileges and eventually obtain the information they are seeking or gain control of the network itself. The most significant step that can be taken to prevent this is to make it difficult for attackers to access your network.

As previously discussed, access control is more than simply ensuring that users pick a good password for logging in to the network. The bulk of our security controls implemented by our firewalls, VPN devices, and intrusion detection systems are an effort to ensure that access is only granted at points where it is appropriate. This logical control of the network can be extended to physical access controls as well. While there are any number of risks associated with network access attempts, these pale in comparison to the damage that someone with physical access to your information infrastructure could cause. Most host computers can be compromised with a simple floppy disk at a user workstation. A denial-of-service attack that comprises the simple step of physically removing (stealing) your servers would clearly be hard to recover from.


Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
Year: 2004
Pages: 119
Authors: Cliff Riggs