46. SINGLE SIGN ON
As environments get larger and more complex it becomes harder and harder to manage user accounts securely.
• Multiple user accounts to create/disable
• Many passwords to remember, which leads to password security issues
• SSO reduces user frustration as well as IT frustration!
• Managing disparate accounts wastes your IT budget.
48. SSO SINGLE SIGN-ON PROS AND CONS
• Pros
  • Ease of use for end users
  • Centralized control
  • Ease of administration
• Cons
  • Single point of failure
  • Standards necessary
  • Keys to the kingdom
50. KERBEROS
• A network authentication protocol that came out of MIT's Project Athena. Kerberos tries to ensure authentication security in an insecure environment
• Used in Windows 2000 and later and in some Unix systems
• Allows for single sign-on
• Never transfers passwords
• Uses symmetric encryption to verify identities
• Avoids replay attacks
51. KERBEROS COMPONENTS
• Essential components:
  • AS (Authentication Server): authenticates the user and issues a TGT (Ticket Granting Ticket)
  • TGS (Ticket Granting Service): after receiving the TGT from the user, issues a ticket for a particular user to access a particular service
  • KDC (Key Distribution Center): the system that runs both the TGS (Ticket Granting Service) and the AS (Authentication Service)
  • Ticket: the means of distributing a session key
  • Principals (users, applications, services)
  • Kerberos software (integrated into most operating systems; MS Windows 2000 and up support Kerberos)
• Main goal: the user needs to authenticate without sending the password across the network, that is, prove knowledge of the password without actually sending it across the wire.
52. Welcome to the Kerberos Carnival
[Diagram: a Kerberos realm containing the Authentication Service, the Ticket Granting Service, a File Server, Print Server A and a Database Server; the client presents (1) its username to the Authentication Service and (2) the TGT to the Ticket Granting Service.]
54. KERBEROS CONCERNS
• Computers must have clocks synchronized within 5 minutes of each other
• Tickets are stored on the workstation. If the workstation is compromised your identity can be forged.
• If your KDC is hacked, security is lost
• A single KDC is a single point of failure and a performance bottleneck
• Still vulnerable to password guessing attacks
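The AS/TGS/service flow from slides 50 to 54, as an added example that is not part of the original deck: a Python simulation in which the password is turned into a key locally on both sides and never travels, every ticket carries a session key, and both the TGS and the application server enforce ticket expiry, the 5-minute clock-skew rule and a replay cache for authenticators. Everything here is constructed: the principal names, the passwords, the message layouts, and the "seal"/"unseal" toy cipher (an encrypt-then-MAC built from SHA-256 and HMAC standing in for Kerberos' real encryption types). It is a teaching model of the exchange, not a Kerberos implementation.

```python
import hashlib
import hmac
import json
import os

SKEW = 5 * 60  # accepted clock skew in seconds (the slide's 5-minute rule)
TAG = 32       # HMAC-SHA256 tag length


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256: a constructed toy, not a Kerberos enctype."""
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def seal(key: bytes, msg: dict) -> bytes:
    """Symmetric encrypt-then-MAC of a small JSON message (toy cipher, constructed here)."""
    pt = json.dumps(msg).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag, then decrypt. A wrong key (e.g. a wrong password) fails here."""
    nonce, ct, tag = blob[:16], blob[16:-TAG], blob[-TAG:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(principal: str, password: str) -> bytes:
    """String-to-key: client and KDC each derive this locally, so the password never moves."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _check(ticket: dict, auth: dict, now: int) -> None:
    """Checks shared by the TGS and the application server."""
    if now > ticket["exp"]:
        raise PermissionError("ticket expired")
    if auth["user"] != ticket["user"]:
        raise PermissionError("authenticator does not match ticket principal")
    if abs(auth["ts"] - now) > SKEW:
        raise PermissionError("clock skew exceeds 5 minutes")


class KDC:
    """Runs both the AS and the TGS over one principal database (`keys`)."""

    def __init__(self):
        self.keys = {}                 # principal -> long-term key
        self.tgs_key = os.urandom(32)  # the TGS's own key; TGTs are sealed under it

    def register(self, principal: str, password: str) -> None:
        self.keys[principal] = long_term_key(principal, password)

    def as_exchange(self, user: str, now: int):
        """AS: issue a TGT and the user/TGS session key, readable only with the user's key."""
        session = os.urandom(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "key": session, "exp": now + 8 * 3600})
        return seal(self.keys[user], {"key": session}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS: validate TGT and authenticator, then issue a service ticket and session key."""
        t = unseal(self.tgs_key, tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        _check(t, a, now)
        svc = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "key": svc, "exp": now + 3600})
        return seal(bytes.fromhex(t["key"]), {"key": svc}), ticket


class Service:
    """An application server (e.g. the file server); it knows only its own long-term key."""

    def __init__(self, key: bytes):
        self.key = key
        self.replay_cache = set()  # (user, authenticator timestamp) pairs already accepted

    def accept(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        t = unseal(self.key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        _check(t, a, now)
        if (a["user"], a["ts"]) in self.replay_cache:
            raise PermissionError("replayed authenticator")
        self.replay_cache.add((a["user"], a["ts"]))
        return t["user"]


def client_get_ticket(kdc: KDC, user: str, password: str, service: str, now: int):
    """Client side of the AS and TGS exchanges; returns (service ticket, service session key)."""
    k_user = long_term_key(user, password)  # derived locally, never sent
    as_reply, tgt = kdc.as_exchange(user, now)
    tgs_session = bytes.fromhex(unseal(k_user, as_reply)["key"])  # wrong password -> ValueError
    authenticator = seal(tgs_session, {"user": user, "ts": now})
    tgs_reply, ticket = kdc.tgs_exchange(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(unseal(tgs_session, tgs_reply)["key"])


def client_present(ticket: bytes, svc_session: bytes, user: str, now: int):
    """What the client sends to the service: the ticket plus a fresh authenticator."""
    return ticket, seal(svc_session, {"user": user, "ts": now})
```

Run it by registering a user and a service on a `KDC`, building a `Service` with the service's key, and calling `client_get_ticket` followed by `Service.accept`. Presenting the same authenticator twice trips the replay cache, and presenting one whose timestamp is more than 300 seconds from the server's clock is refused, which is the concrete reason behind the clock-synchronisation concern. Note that in this model (as in Kerberos without pre-authentication) the AS answers before the client has proved anything; the reply is useless without the right key, but that is also where the slide's password-guessing concern comes from.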
55. SESAME
European technology, developed to extend Kerberos and improve on its weaknesses
• SESAME uses both symmetric and asymmetric cryptography.
• Uses “Privileged Attribute Certificates” (PACs) rather than tickets. Privileged Attribute Certificates are digitally signed and contain the subject's identity, access capabilities for the object, access time period and lifetime of the PAC.
58. ACCESS CONTROL MODELS
A framework that dictates how subjects access objects. It uses access control technologies and security mechanisms to enforce the rules.
Supported by access control technologies.
The business goals and culture of the organization will prescribe which model is used.
Every OS has a security kernel/reference monitor (discussed in another chapter) that enforces the access control model.
59. ACCESS CONTROL MODELS
The models we are about to discuss are from the TCSEC (Trusted Computer System Evaluation Criteria, the “Orange Book”):
• DAC (Discretionary Access Control)
• MAC (Mandatory Access Control)
Established later:
• RBAC (Role Based Access Control)
60. Discretionary Access Control
• Security of an object is at the owner's discretion
• Access is granted through an ACL (Access Control List)
• Commonly implemented in commercial products and all client-based systems
• Identity based
62. Mandatory Access Control
• Data owners cannot grant access!
• The OS makes the decision based on a security label system
• The subject's label must dominate the object's label
• Users and data are given a clearance level (confidential, secret, top secret, etc.)
• Rules for access are configured by the security officer and enforced by the OS.
63. MAC is used where classification and confidentiality are of utmost importance… the military.
• Generally you have to buy a specific MAC system; DAC systems don't do MAC
• SELinux
• Trusted Solaris (now called Solaris with Trusted Extensions)
64. MAC SENSITIVITY LABELS
• All objects in a MAC system have a security label
• Security labels can be defined by the organization.
• Labels also have categories to support “need to know” at a certain level.
• Categories can be defined by the organization
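The label dominance rule from slides 62 and 64 (level plus need-to-know categories), as an added example that is not part of the original deck. The level names and category names are constructed for illustration; the check itself is the standard one: a subject may read an object only if its level is at least as high and its category set contains every category on the object. There is deliberately no "owner grants access" path, which is the point of MAC.

```python
from dataclasses import dataclass

# Sensitivity levels, lowest to highest (constructed example set; an
# organization defines its own, as the slide says)
LEVELS = ["unclassified", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    """A MAC sensitivity label: a level plus a set of need-to-know categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Dominance: at least as high a level AND a superset of the categories
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.categories <= self.categories)


def mac_can_read(subject: Label, obj: Label) -> bool:
    """Read is allowed only if the subject's label dominates the object's label.
    The decision is made here by the system; there is no owner override."""
    return subject.dominates(obj)


def explain(subject: Label, obj: Label) -> str:
    """Reason string for an audit log (constructed helper, not part of any OS)."""
    if LEVELS.index(subject.level) < LEVELS.index(obj.level):
        return f"denied: clearance {subject.level} is below {obj.level}"
    missing = obj.categories - subject.categories
    if missing:
        return "denied: no need-to-know for " + ", ".join(sorted(missing))
    return "allowed"
```

The second and third assertions in a quick run of this show why categories matter: a SECRET-cleared analyst with the NUCLEAR category cannot read a SECRET document tagged NUCLEAR and CRYPTO, and a TOP SECRET subject with no categories cannot read a CONFIDENTIAL document tagged NUCLEAR, even though the level would allow it.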
67. ROLE BASED ACCESS CONTROL
• Uses a set of controls to determine how subjects and objects interact.
• Don't give rights to users directly. Instead create “roles” which are given rights, and assign users to roles rather than providing users directly with privileges.
• Advantages:
  • Scales better than DAC methods
  • Fights “authorization creep”
68. ROLE BASED ACCESS CONTROL
When to use:
• If you need centralized access control
• If you DON'T need MAC
• If you have high turnover
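The role indirection from slides 67 and 68, as an added example that is not part of the original deck. Users only ever hold roles; permissions hang off roles, and there is no per-user grant at all. The role names, permission strings and users are constructed. The `transfer` method is the high-turnover case: a job change drops every old role before the new one is assigned, which is what stops authorization creep, and tightening a role's permissions changes every holder at once.

```python
class Rbac:
    """Minimal RBAC store: permissions belong to roles, users only get roles."""

    def __init__(self):
        self.role_perms = {}   # role -> set of permission strings
        self.user_roles = {}   # user -> set of role names

    def define_role(self, role: str, perms) -> None:
        """Create or replace a role. Changing it affects every user holding it."""
        self.role_perms[role] = set(perms)

    def assign(self, user: str, role: str) -> None:
        if role not in self.role_perms:
            raise KeyError(f"unknown role {role!r}")  # no ad-hoc, per-user grants
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user: str, role: str) -> None:
        self.user_roles.get(user, set()).discard(role)

    def transfer(self, user: str, new_role: str) -> None:
        """Job change: drop all old roles first, then assign the new one."""
        self.user_roles[user] = set()
        self.assign(user, new_role)

    def permissions(self, user: str) -> set:
        """Effective permissions = union of the permissions of the user's roles."""
        return set().union(*(self.role_perms[r] for r in self.user_roles.get(user, ())))

    def check(self, user: str, perm: str) -> bool:
        return perm in self.permissions(user)
```

Compare the `transfer` step with a DAC-style approach where each user's ACL entries would have to be hunted down one object at a time; here the old access disappears in a single call.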
69. RULE BASED ACCESS CONTROL
• Uses specific rules that indicate what can and cannot transpire between subject and object.
• Also called non-discretionary.
• Before a subject can access an object it must meet a set of predefined rules.
  Ex. If a user has proper clearance, and it's between 9AM and 5PM, then allow access (context based access control)
• However, it does NOT have to deal specifically with identity/authorization.
  Ex. May only accept email attachments of 5 MB or less
70. RULE BASED ACCESS CONTROL
Is considered a “compulsory control” because the rules are strictly enforced and not modifiable by users.
Routers and firewalls use rule based access control.
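Both rule examples from slides 69 and 70 in one small policy engine, as an added example that is not part of the original deck: a context-based rule (proper clearance and a 9AM to 5PM window) and a rule that never looks at identity at all (attachments of 5 MB or less). The request fields (`action`, `clearance_ok`, `at`, `attachment_bytes`) and the rule names are constructed; the rule set is a fixed tuple that requesters have no way to modify, which is what makes it a compulsory control.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable

MAX_ATTACHMENT = 5 * 1024 * 1024  # the slide's "5 MB or less" attachment rule


@dataclass(frozen=True)
class Rule:
    name: str
    applies_to: Callable[[dict], bool]  # which requests this rule governs
    permits: Callable[[dict], bool]     # whether such a request satisfies it


def in_business_hours(iso_timestamp: str) -> bool:
    """True between 9AM and 5PM inclusive; the request carries its own clock reading."""
    return time(9, 0) <= datetime.fromisoformat(iso_timestamp).time() <= time(17, 0)


# Fixed by the administrator; requesters cannot add to or alter it.
RULES = (
    # Context-based rule from slide 69: proper clearance AND a 9AM-5PM time window
    Rule("clearance-and-business-hours",
         lambda r: r["action"] == "read_document",
         lambda r: r["clearance_ok"] and in_business_hours(r["at"])),
    # A rule that ignores identity entirely: only the attachment size matters
    Rule("attachment-size",
         lambda r: r["action"] == "receive_mail",
         lambda r: r["attachment_bytes"] <= MAX_ATTACHMENT),
)


def evaluate(request: dict, rules=RULES) -> tuple:
    """Every rule that applies must permit the request (compulsory control).
    Returns (allowed, names of the rules that denied it) for the audit trail."""
    denied_by = [r.name for r in rules if r.applies_to(request) and not r.permits(request)]
    return (not denied_by, denied_by)
```

Returning the list of denying rules rather than a bare boolean is a small design choice worth copying: a firewall or proxy log line that names the rule is far easier to troubleshoot than "denied".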
71. CONSTRAINED USER INTERFACES
Restrict user access by not allowing users to see certain data or have certain functionality (see slides).
Views – only allow access to certain data (canned interfaces)
Restricted shell – like a real shell but only with certain commands (like Cisco's non-enable mode)
Menu – similar but more “GUI”
Physically constrained interface – show only certain keys on a keypad/touch screen, like an ATM (a modern type of menu). The difference is that you are physically constrained from accessing them.
73. CONTENT DEPENDENT ACCESS CONTROLS
Access is determined by the type of data.
• Example: email filters that look for specific things like “confidential”, “SSN”, or images.
• Web proxy servers may be content based.
74. CONTEXT DEPENDENT ACCESS CONTROL
The system reviews a situation, then makes a decision on access.
• A firewall is a great example of this: if a session is established, then allow traffic to proceed.
• In a web proxy, allow access to certain body imagery if previous web sessions were referencing medical data; otherwise deny access.
77. CENTRALIZED ACCESS CONTROL ADMINISTRATION
• A centralized place for configuring and managing access control
• All the ones we will talk about (next) are “AAA” protocols:
  • Authentication
  • Authorization
  • Auditing
#2:This is an important subject—students need to be able to distinguish between types of security controls. They will also often have to work within the compliance requirements of legislation, regulation, and frameworks.
#3:Explain that a control category describes how it is implemented. For example, a document access policy is managerial, checking that permissions are applied according to the policy is operational, and the file system permissions are technical in nature. As with all classification systems, there is some degree of overlap, but the classification process is designed to help assess capabilities compared to frameworks and best practice guides.
#4:Where the category describes the implementation type, a functional type describes what the control is deployed to do.
Get the students to nominate examples of different types of controls:
Preventive—permissions policy, encryption, firewall, barriers, locks
Detective—alarms, monitoring, file verification
Corrective—incident response policies, data backup, patch management
#6:Businesses might be framework-oriented or they might need to use a framework because of a legal or regulatory requirement.
Note that we have already looked at the five functions of the CSF. Risk management is covered later in the course.
#7:There is a lot of detail to take in here. Try not to spend too long in class, but students will need to be able to match the organizations and frameworks to typical industries and uses.
#8:Explain the difference between a framework and benchmark. Note the use of benchmarks for both host/network appliance deployment (operations) and coding projects (development).
#9:The syllabus does not list specific examples of legislation, so these are illustrative rather than comprehensive. Students should focus on the fact that there can be many different sources of compliance requirements. Note the difference between vertical (sector-specific) and horizontal (consumer-specific, cross-sector) legislation.
#10:Most of the basic concepts in this topic are covered in Security+. Focus on scenarios where procedures or tools must be updated, following a breach or new compliance requirement, for instance. Note that cost is a factor when considering implementing a new technology.
#12:The NIST advice was published in 2017 and may not have been adopted as best practice by all companies. Students should consider that in some scenarios, the "old" policies might still be enforced.