Wednesday, September 10, 2014

Chapter 3

3.1 Access Control: the security control between users and the system.
Access: information exchange between an object and a subject. Subjects use objects.
Security Principles: availability (useful, can be used), integrity (not fragmented), confidentiality (security).

3.2 Identification (who you are) → Authentication (proving who you are) → Authorization (telling you what resources you can use) → Resources → Accountability (monitoring the user)
Organizing all of this stuff (rules): 1. Family tree structure; 2. Unique name with specific attributes; 3. Attributes are decided by a defined schema; 4. Distinguished names.

Web management:

Password management: 1. Password Synchronization (Complexity); 2. Self-Service Password Reset (customers reset their passwords by themselves); 3. Assisted Password Reset (using ID, email, phone number, question, and fingerprint to reset the password).

Single sign-on technology: Kerberos, SESAME, Security domains, Directory, and Thin clients.

3.3 Access control models:
a. Discretionary access control (which resources you can have depends on who you are and what you are allowed)
b. Mandatory access control (depending on what security level you are)
c. Role-based access control (limited hierarchies and general hierarchies; depending on who you are and what your job is)

3.4 Access control techniques:
Access control matrix: relationship between subjects and objects
Access control list: which subjects can access an object
Capability table: which objects can be used by a subject
Content-based access: bases access decisions on the sensitivity of the data
Context-based access: bases access decisions on the state of the situation
Restricted interface: user’s environment limits
Rule-based access: control subjects’ access
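
The access control matrix, the access control list and the capability table in 3.4 are three views of the same data: an ACL is one column of the matrix and a capability table is one row. The Python below is an added example, not part of the original notes; the subjects, objects, rights and function names are constructed for illustration.

```python
# Added example: subjects, objects and rights below are constructed sample data.
MATRIX = {  # access control matrix: row = subject, column = object
    "admin": {"audit.log": {"read", "delete"}, "payroll.db": {"read"}},
    "alice": {"audit.log": {"read"}, "payroll.db": {"read", "write"}},
    "bob":   {"audit.log": {"read", "delete"}, "payroll.db": {"read"}},
}


def acl(matrix, obj):
    """Column view: the ACL attached to one object (subject -> rights)."""
    return {s: set(row[obj]) for s, row in matrix.items() if row.get(obj)}


def capabilities(matrix, subject):
    """Row view: the capability table held by one subject (object -> rights)."""
    return {o: set(r) for o, r in matrix.get(subject, {}).items() if r}


def is_allowed(matrix, subject, obj, right):
    """Default deny: a subject, object or right missing from the matrix is refused."""
    return right in matrix.get(subject, {}).get(obj, set())


def unapproved_holders(matrix, obj, right, approved):
    """Access review: subjects holding `right` on `obj` outside the approved set."""
    return sorted(s for s, rights in acl(matrix, obj).items()
                  if right in rights and s not in approved)


if __name__ == "__main__":
    print("ACL for audit.log:", acl(MATRIX, "audit.log"))
    print("alice's capabilities:", capabilities(MATRIX, "alice"))
    print("bob may write payroll.db:", is_allowed(MATRIX, "bob", "payroll.db", "write"))
    print("unapproved log deleters:", unapproved_holders(MATRIX, "audit.log", "delete", {"admin"}))
```

The last helper applies the rule from 3.7 that only administrators can delete logs: any subject it returns holds a delete right on the log that the review did not approve.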

3.5 Access control administration (centralized access control administration, RADIUS, TACACS, and Diameter):
AAA: Authentication (PAP, CHAP, EAP; End-to-end protection; Replay attack protection)
         Authorization (Redirects, secure proxies, relays, and brokers; state reconciliation; unsolicited disconnect; reauthorization on demand)
         Accounting (reporting, roaming operations accounting, event monitoring)

3.6 Access control layers:
a. Administrative controls: policy and procedures; personnel controls; supervisory structure; security-awareness training, testing
b. Physical controls: network segregation; perimeter security; computer controls; work area separation; data backups; cabling; control zone
c. Technical controls: system access; network architecture; network access; encryption and protocols; auditing

3.7 Accountability
Remember:
Store audit data securely; control the size of logs; protect logs; train people to check logs in the right ways; only administrators can delete logs; logs have high-level security

3.8 IDS types:
Signature-based: pattern matching; continuously updated; can’t identify new attacks; (two types) Pattern matching and Stateful matching
Anomaly-based: it knows what the “normal environment” is; detects new attacks; behavior or heuristic; (three types) Statistical anomaly-based, Protocol anomaly-based, and Traffic anomaly-based
Rule-based: IF/THEN rule; artificial intelligence; high requirement of software and hardware; can’t detect new attacks
