Uploaded by Sérgio Santos

Information Technology Security

MSI
2017/2018
T4 – Network Access Control and Cloud Security
Network Access Control (NAC)

• An umbrella term for managing access to a network
• Authenticates users logging into the network and determines what data they can access and what actions they can perform
• Also examines the health (posture) of the user's computer or mobile device before granting access

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.


Elements of a Network Access Control System

NAC systems deal with three categories of components:

• Access requester (AR): the node that is attempting to access the network. It may be any device managed by the NAC system, including workstations, servers, printers, cameras and other IP-enabled devices. Also referred to as a supplicant or client.
• Policy server: determines what access should be granted, based on the AR's posture and the enterprise's defined policy. Often relies on backend systems (e.g. antivirus, patch management, a user directory) to evaluate the host's condition.
• Network access server (NAS): functions as an access control point for users in remote locations connecting to an enterprise's internal network. Also called a media gateway, remote access server (RAS) or policy server. May include its own authentication services or rely on a separate authentication service from the policy server.
Network Access Control Context

Network Access Enforcement Methods

• The actions that are applied to ARs to regulate access to the enterprise network
• Many vendors support multiple enforcement methods simultaneously, allowing the customer to tailor the configuration by using one or a combination of methods

Common NAC enforcement methods:

• IEEE 802.1X: port-based control; the switch or access point passes only EAPOL frames on the port until the supplicant has authenticated
• Virtual local area networks (VLANs): the AR is placed in a VLAN (e.g. a quarantine VLAN with remediation servers only) according to the access decision
• Firewall: a filtering point allows or denies the AR's traffic according to the policy
• DHCP management: the DHCP server hands the AR an address and routing configuration that limits it to the permitted part of the network

EAP Layered Context

• EAP is an authentication framework that provides the transport and usage of keying material and parameters generated by EAP methods
• Can be used in wired and wireless networks
• It only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.

Authentication Methods

• EAP provides a generic transport service for the exchange of authentication information between a client system and an authentication server
• The basic EAP transport service is extended by using a specific authentication protocol (an EAP method) that is installed in both the EAP client and the authentication server

Commonly supported EAP methods:

• EAP Transport Layer Security (EAP-TLS)
• EAP Tunneled TLS (EAP-TTLS)
• EAP Generalized Pre-Shared Key (EAP-GPSK)
• EAP-IKEv2

EAP Methods

• EAP-TLS (EAP Transport Layer Security, RFC 5216): encapsulates the TLS handshake in EAP messages and uses it for mutual authentication between client and server, with digital certificates on both sides
• EAP-TTLS (EAP Tunneled TLS, RFC 5281): as EAP-TLS, but only the server authenticates with its own certificate; the resulting TLS tunnel is then used to authenticate the client with another EAP method or a legacy protocol such as PAP, which would otherwise expose the password on the wire
• EAP-GPSK (EAP Generalized Pre-Shared Key, RFC 5433): mutual authentication and session key derivation using a pre-shared key (PSK), with no public-key operations
• EAP-IKEv2 (RFC 5106): based on the IKE (Internet Key Exchange) protocol version 2; supports certificates, passwords or pre-shared keys
• …

EAP and encapsulation
• EAP is in wide use. For example, in IEEE 802.11 (Wi-Fi) the WPA and WPA2 standards have adopted IEEE 802.1X with various EAP types as the official authentication mechanism (the "Enterprise" modes).
• Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages:
  • IEEE 802.1X: IEEE standard for port-based network access control (PNAC); carries EAP in EAPOL frames between supplicant and authenticator
  • PEAP: encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel
  • RADIUS and Diameter: often used by Network Access Server (NAS) devices to forward EAP packets between IEEE 802.1X endpoints and AAA servers
  • PANA: IP-based protocol that allows a device to authenticate itself with a network to be granted access
  • PPP: PPP has supported EAP since EAP was created as an alternative to the Challenge-Handshake Authentication Protocol (CHAP) and the Password Authentication Protocol (PAP)
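The RADIUS leg of the exchange above, as an added example (not code from the slides or from Stallings): the policy server builds the Access-Accept that ends a successful 802.1X authentication, carrying EAP-Success in an EAP-Message attribute and the RFC 2868/3580 Tunnel-* attributes that tell the switch which VLAN to put the port in (the VLAN enforcement method from the earlier slide). The NAS-side check verifies both the Response Authenticator (RFC 2865) and the Message-Authenticator (RFC 3579) before acting on the VLAN. The shared secret, identifiers and VLAN number are constructed values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, EAP_SUCCESS = 2, 3
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE = 64, 65        # RFC 2868 tagged integers
ATTR_EAP_MESSAGE, ATTR_MESSAGE_AUTHENTICATOR = 79, 80     # RFC 3579
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81                         # VLAN ID carried as a string
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6          # RFC 3580 section 3.31

def attr(atype, value):
    """One attribute: Type, Length (including this 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value

def tagged_int(value, tag=0):
    """RFC 2868 tagged integer: one tag byte followed by a 3-byte value."""
    return bytes([tag]) + value.to_bytes(3, "big")

def parse_attrs(data):
    """Return [(type, offset, value)], rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length out of range")
        out.append((atype, i, data[i + 2:i + alen]))
        i += alen
    return out

def build_access_accept(identifier, request_auth, secret, eap_id, vlan_id):
    """Policy-server side: EAP-Success plus the dynamic-VLAN attributes."""
    attrs = (
        attr(ATTR_EAP_MESSAGE, struct.pack("!BBH", EAP_SUCCESS, eap_id, 4))
        + attr(ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN))
        + attr(ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802))
        + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"\x00" + str(vlan_id).encode())
        + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))   # zero while computing the HMAC
    )
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 3579 3.2: HMAC-MD5 over Code+ID+Length, the *Request* Authenticator
    # and the attributes, with the Message-Authenticator value zeroed.
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # RFC 2865 3: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs

def verify_access_accept(packet, request_auth, secret):
    """NAS side. Returns (eap_payload, vlan_id) or None if the packet must be dropped."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    response_auth, attrs = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, response_auth):
        return None
    try:
        parsed = parse_attrs(attrs)
    except ValueError:
        return None
    mas = [(off, val) for t, off, val in parsed if t == ATTR_MESSAGE_AUTHENTICATOR]
    if len(mas) != 1 or len(mas[0][1]) != 16:
        return None                      # RFC 3579: mandatory alongside EAP-Message
    off, mac = mas[0]
    zeroed = attrs[:off + 2] + bytes(16) + attrs[off + 18:]
    calc = hmac.new(secret, packet[:4] + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(calc, mac):
        return None
    eap = b"".join(val for t, _, val in parsed if t == ATTR_EAP_MESSAGE)
    by_type = {t: val for t, _, val in parsed}
    vlan = None
    if (by_type.get(ATTR_TUNNEL_TYPE, b"")[1:] == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            and by_type.get(ATTR_TUNNEL_MEDIUM_TYPE, b"")[1:]
            == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")):
        group = by_type.get(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"")
        if group and group[0] <= 0x1F:   # RFC 2868: a leading byte <= 0x1F is a tag
            group = group[1:]
        if group.isdigit():
            vlan = int(group)
    return eap, vlan

def demo():
    secret = b"constructed-shared-secret"
    request_auth = os.urandom(16)        # would be copied from the NAS's Access-Request
    pkt = build_access_accept(7, request_auth, secret, eap_id=5, vlan_id=20)
    good = verify_access_accept(pkt, request_auth, secret)
    # Flip one bit of the VLAN string in transit: the NAS must not act on it.
    off = next(20 + o for t, o, _ in parse_attrs(pkt[20:]) if t == ATTR_TUNNEL_PRIVATE_GROUP_ID)
    tampered = bytearray(pkt)
    tampered[off + 3] ^= 0x01
    bad = verify_access_accept(bytes(tampered), request_auth, secret)
    wrong_secret = verify_access_accept(pkt, request_auth, b"other-secret")
    return good, bad, wrong_secret
```

The MD5-based Response Authenticator and the HMAC-MD5 Message-Authenticator only protect against a party that does not know the shared secret; on an untrusted network the NAS-to-server leg should itself be protected (RADIUS over TLS, RFC 6614, or IPsec), and the NAS must apply the VLAN only after both checks pass, as `verify_access_accept` does.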

EAP Protocol Exchanges

EAP Message Flow

802.1X (Access Control)

802.1X (Terminology)

EAPOL (EAP over LAN)

• The encapsulation defined by IEEE 802.1X: EAP packets are carried directly in IEEE 802 LAN frames (Ethernet, Wi-Fi) at the link layer, with Ethertype 0x888E, so the supplicant needs no IP address before it has authenticated
• Enables a supplicant to communicate with an authenticator and supports the exchange of EAP packets for authentication; EAPOL-Start, EAPOL-Logoff and EAPOL-Key frame types complement the EAP-Packet type
• Also relevant in the context of IEEE 802.11 Wireless LAN security, where EAPOL-Key frames carry the 4-way handshake that derives the session keys
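The EAPOL-encapsulated EAP exchange described on these slides, written out as bytes. This is an added example, not code from the slides or from Stallings: a supplicant and an authenticator go through EAPOL-Start, the Identity exchange and method negotiation with an RFC 3748 Nak, and both parsers reject frames whose Length fields do not fit the buffer. The identity string and the method lists are constructed, and the authenticator decides the method locally instead of relaying to a RADIUS server (a simplification).

```python
import struct

EAPOL_VERSION, EAPOL_EAP_PACKET, EAPOL_START = 2, 0, 1   # 802.1X-2004 framing
EAP_REQUEST, EAP_RESPONSE, EAP_FAILURE = 1, 2, 4         # RFC 3748 codes
EAP_TYPE_IDENTITY, EAP_TYPE_NAK = 1, 3
EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP, EAP_TYPE_GPSK = 13, 21, 25, 51

def eap_packet(code, identifier, eap_type=None, data=b""):
    """Code | Identifier | Length (whole packet) | Type | Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def eapol_frame(packet_type, body=b""):
    # Version | Packet Type | Body Length, following the 0x888E Ethernet header
    return struct.pack("!BBH", EAPOL_VERSION, packet_type, len(body)) + body

def parse_eapol(frame):
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, packet_type, length = struct.unpack("!BBH", frame[:4])
    if version not in (1, 2, 3):
        raise ValueError("unknown EAPOL version")
    body = frame[4:4 + length]           # octets past Packet Body Length are padding
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    return packet_type, body

def parse_eap(pkt):
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length exceeds the buffer")
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        return code, identifier, pkt[4], pkt[5:length]
    return code, identifier, None, b""   # Success/Failure carry no Type

class Authenticator:
    """Switch/AP port. A real one relays EAP to a RADIUS server (simplified here)."""
    def __init__(self, offered_methods):
        self.offered = list(offered_methods)  # preference order
        self.ident, self.peer_identity = 0, None
    def _request(self, eap_type):
        self.ident = (self.ident + 1) & 0xFF  # fresh Identifier per Request
        return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_REQUEST, self.ident, eap_type))
    def on_frame(self, frame):
        packet_type, body = parse_eapol(frame)
        if packet_type == EAPOL_START:
            return self._request(EAP_TYPE_IDENTITY)
        if packet_type != EAPOL_EAP_PACKET:
            return None
        code, ident, eap_type, data = parse_eap(body)
        if code != EAP_RESPONSE or ident != self.ident:
            return None                       # not a reply to the outstanding Request
        if eap_type == EAP_TYPE_IDENTITY:
            self.peer_identity = data.decode("utf-8", "replace")
            return self._request(self.offered[0])
        if eap_type == EAP_TYPE_NAK:          # data lists the types the peer accepts
            acceptable = [m for m in self.offered if m in data]
            if not acceptable:
                return eapol_frame(EAPOL_EAP_PACKET, eap_packet(EAP_FAILURE, ident))
            return self._request(acceptable[0])
        return None

class Supplicant:
    def __init__(self, identity, supported_methods):
        self.identity, self.supported = identity, list(supported_methods)
        self.negotiated = None
    def start(self):
        return eapol_frame(EAPOL_START)
    def on_frame(self, frame):
        packet_type, body = parse_eapol(frame)
        if packet_type != EAPOL_EAP_PACKET:
            return None
        code, ident, eap_type, _ = parse_eap(body)
        if code != EAP_REQUEST:
            return None                       # Success/Failure end the conversation
        if eap_type == EAP_TYPE_IDENTITY:      # goes out in the clear
            return eapol_frame(EAPOL_EAP_PACKET, eap_packet(
                EAP_RESPONSE, ident, EAP_TYPE_IDENTITY, self.identity.encode()))
        if eap_type in self.supported:
            self.negotiated = eap_type        # the method itself (e.g. TLS) starts here
            return None
        return eapol_frame(EAPOL_EAP_PACKET, eap_packet(   # RFC 3748 5.3 Nak
            EAP_RESPONSE, ident, EAP_TYPE_NAK, bytes(self.supported)))

def run_exchange(supplicant, authenticator, max_rounds=8):
    # Alternate the two sides; return the frames in order as (direction, bytes).
    sides = [("supplicant->authenticator", authenticator.on_frame),
             ("authenticator->supplicant", supplicant.on_frame)]
    transcript, frame = [], supplicant.start()
    for i in range(2 * max_rounds):
        direction, handler = sides[i % 2]
        transcript.append((direction, frame))
        frame = handler(frame)
        if frame is None:
            break
    return transcript
```

The Response/Identity is the one message an eavesdropper on the port always sees in the clear, which is why tunneled methods such as EAP-TTLS and PEAP send an anonymous outer identity here and the real user name only inside the TLS tunnel.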

EAPOL with 802.1X (Timing Diagram)

Cloud Computing

• NIST defines cloud computing, in NIST SP 800-145 (The NIST Definition of Cloud Computing), as follows:

"A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models."

Cloud Computing Elements

Cloud Computing essential characteristics

• Broad network access: capabilities are available over the network and accessed through standard mechanisms that promote use by heterogeneous thin or thick client platforms
• Rapid elasticity: resources can be expanded and reduced quickly, often automatically, according to the service requirements; to the consumer they appear to be unlimited
• Measured service: resource usage can be monitored, controlled and reported, providing transparency for both the provider and the consumer
• On-demand self-service: a consumer can unilaterally provision computing capabilities (e.g. server time, network storage) as needed, automatically, without human interaction with the provider; the resources are therefore not permanent parts of the consumer's IT infrastructure
• Resource pooling: the provider's computing resources are pooled to serve multiple consumers in a multi-tenant model, with location independence (the consumer generally has no control over the exact location of the resources)

Cloud Computing service models

• Software as a service (SaaS): the consumer uses the provider's applications running on a cloud infrastructure, e.g. Google Apps, Salesforce
• Platform as a service (PaaS): the consumer deploys created or acquired applications using languages and tools supported by the provider, e.g. Microsoft Azure, Apache Stratos
• Infrastructure as a service (IaaS): the provider supplies processing, storage and communication resources on which the consumer deploys and runs arbitrary software, including operating systems and applications, e.g. DigitalOcean, AWS Elastic Compute Cloud (EC2)

Cloud Computing deployment models

• Public cloud: cloud infrastructure is made available to the general public and owned by an organization selling cloud services
• Private cloud: cloud infrastructure operated solely for an organization (on or off premises)
• Community cloud: cloud infrastructure shared by several organizations with shared concerns (on or off premises)
• Hybrid cloud: cloud infrastructure is a composition of two or more clouds (private, community, or public)

Cloud Computing Context

Cloud Computing Reference Architecture

• NIST SP 500-292 (NIST Cloud Computing Reference Architecture) establishes a reference architecture, described as follows:

"The NIST cloud computing reference architecture focuses on the requirements of 'what' cloud services provide, not a 'how to' design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference."

Cloud Computing Reference Architecture

Cloud Provider

Cloud provider (CP)
• Can provide one or more of the cloud services to meet IT and business requirements of cloud consumers
• For each of the three service models (SaaS, PaaS, IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers
• For SaaS, the CP deploys, configures, maintains, and updates the operation of the software applications on a cloud infrastructure so that the services are provisioned at the expected service levels to cloud consumers
• For PaaS, the CP manages the computing infrastructure for the platform and runs the cloud software that provides the components of the platform, such as the runtime software execution stack, databases, and other middleware components
• For IaaS, the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure

Roles and Responsibilities

Cloud carrier
• A networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs

Cloud auditor
• An independent entity that can assure that the CP conforms to a set of standards

Cloud broker
• Useful when cloud services are too complex for a cloud consumer to easily manage
• Three areas of support can be offered by a cloud broker:
  • Service intermediation: value-added services such as identity management, performance reporting, and enhanced security
  • Service aggregation: the broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost
  • Service arbitrage: as aggregation, except that the services being combined are not fixed; the broker has the flexibility to choose services from multiple agencies (providers)

Risks and Countermeasures

• Insecure interfaces and APIs
  • Countermeasures: analyzing the security model of CP interfaces; ensuring that strong authentication and access controls are implemented in concert with encrypted transmission; understanding the dependency chain associated with the API
• Shared technology issues
  • Countermeasures: implement security best practices for installation/configuration; monitor the environment for unauthorized changes/activity; promote strong authentication and access control for administrative access and operations; enforce SLAs for patching and vulnerability remediation; conduct vulnerability scanning and configuration audits
• Data loss or leakage
  • Countermeasures: implement strong API access control; encrypt and protect the integrity of data in transit; analyze data protection at both design and run time; implement strong key generation, storage and management, and destruction practices

Risks and Countermeasures (continued)

• Account or service hijacking (stolen credentials or session tokens let an attacker act as the tenant):
  • Countermeasures: prohibit the sharing of account credentials between users and services; leverage strong two-factor authentication techniques where possible; employ proactive monitoring to detect unauthorized activity; understand CP security policies and SLAs
• Unknown risk profile (the client cedes control to the CP on a number of issues that may affect security):
  • Countermeasures: disclosure of applicable logs and data; partial/full disclosure of infrastructure details; monitoring and alerting on necessary information

Risks and Countermeasures (continued)

• Abuse and nefarious use of cloud computing:
  • It is easy for attackers to get inside the cloud (e.g. free trials, stolen payment cards) and use its capacity to conduct attacks
  • Countermeasures: stricter initial registration and validation processes, enhanced credit card fraud monitoring, introspection of customer network traffic
• Malicious insiders (the level of trust placed in the CP, e.g. CP system administrators, managed security service providers):
  • Countermeasures: comprehensive supplier assessment, monitor the environment for unauthorized activities, strong authentication and access control for administrative access, SLAs for patching and vulnerability remediation, vulnerability scanning and audits

Data Protection in the Cloud

• The threat of data compromise increases in the cloud
• Database environments used in cloud computing can vary significantly
  • Multi-instance model
    • Provides a unique DBMS running on a virtual machine instance for each cloud subscriber
    • This gives the subscriber complete control over role definition, user authorization, and other administrative tasks related to security
  • Multi-tenant model
    • Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
    • Tagging gives the appearance of exclusive use of the instance, but relies on the CP to establish and maintain a sound, secure database environment

Data Protection in the Cloud

• Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
• The client can employ encryption to protect data in transit, though this involves key management responsibilities for the CP
• For data at rest the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the CP having no access to the encryption key
• A straightforward solution to the security problem in this context is to encrypt the entire database and not provide the encryption/decryption keys to the service provider
  • The user then has little ability to access individual data items based on searches or indexing on key parameters
  • The user would have to download entire tables from the database, decrypt the tables, and work with the results
  • To provide more flexibility it must be possible to work with the database in its encrypted form (e.g. matching queries against deterministically encrypted attribute values)

Encryption Scheme for a Cloud-Based Database

• Data owner: an organization that produces data to be made available for controlled release
• User: a human entity that presents requests (queries) to the system
• Client: a frontend that transforms user queries into queries on the encrypted data
• Server: an organization that receives the encrypted data and makes it available for distribution to clients
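The scheme's client-side query rewriting, as an added example (not from the slides or from Stallings): the data owner encrypts each row before upload and stores next to it a deterministic HMAC token of the searchable attribute; the client turns a user's equality query into a lookup on that token, so the server (an in-memory SQLite database standing in for the cloud-hosted one) answers it without ever holding a key. The key derivation, the HMAC-SHA256 counter-mode keystream used in place of AES-GCM to stay within the standard library, and the employee rows are the example's own assumptions.

```python
import hashlib
import hmac
import os
import sqlite3
import struct

def _keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: an illustrative stand-in for AES-CTR."""
    blocks, ctr = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + struct.pack("!Q", ctr), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]

def _subkeys(key):
    return (hmac.new(key, b"stream", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def encrypt(key, plaintext):
    """nonce || ciphertext || tag (encrypt-then-MAC with separate subkeys)."""
    stream_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, blob):
    stream_key, mac_key = _subkeys(key)
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: ciphertext was modified")
    return bytes(a ^ b for a, b in zip(ct, _keystream(stream_key, nonce, len(ct))))

class Client:
    """The frontend of the scheme: holds the keys and rewrites user queries."""
    def __init__(self, master_key):
        self.enc_key = hmac.new(master_key, b"record-encryption", hashlib.sha256).digest()
        self.tok_key = hmac.new(master_key, b"search-token", hashlib.sha256).digest()

    def token(self, column, value):
        # Deterministic on purpose: equal plaintexts give equal tokens, which is
        # what lets the server match an equality query, and also what it leaks.
        msg = column.encode() + b"\x00" + value.encode()
        return hmac.new(self.tok_key, msg, hashlib.sha256).hexdigest()

    def insert(self, server, emp_id, name, dept):
        record = f"{emp_id}|{name}|{dept}".encode()
        server.execute("INSERT INTO emp (dept_tok, blob) VALUES (?, ?)",
                       (self.token("dept", dept), encrypt(self.enc_key, record)))

    def find_by_dept(self, server, dept):
        """The user's 'WHERE dept = ?' becomes 'WHERE dept_tok = ?' at the server."""
        rows = server.execute("SELECT blob FROM emp WHERE dept_tok = ? ORDER BY rowid",
                              (self.token("dept", dept),)).fetchall()
        return [decrypt(self.enc_key, blob).decode().split("|") for (blob,) in rows]

def demo():
    server = sqlite3.connect(":memory:")   # stands in for the provider-hosted database
    server.execute("CREATE TABLE emp (dept_tok TEXT, blob BLOB)")
    client = Client(os.urandom(32))        # the key never leaves the client
    for row in [(1, "Ana", "finance"), (2, "Bruno", "ops"), (3, "Carla", "finance")]:  # constructed
        client.insert(server, *row)
    finance = client.find_by_dept(server, "finance")
    # The provider's view: tokens and ciphertext only, but token frequencies are visible.
    groups = server.execute("SELECT COUNT(*) FROM emp GROUP BY dept_tok ORDER BY 1 DESC").fetchall()
    plaintext_visible = any(b"|Ana|" in blob for (blob,) in server.execute("SELECT blob FROM emp"))
    return finance, [c for (c,) in groups], plaintext_visible
```

The `groups` result is the caveat the slides' "work with the database in its encrypted form" glosses over: the provider cannot read the rows, but it can count how many share a token, and with outside knowledge of the distribution of a column it can often label the tokens. Range queries and ordering need different constructions (order-preserving or searchable encryption), each with its own leakage.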

Cloud Security as a Service (SecaaS)

• The Cloud Security Alliance defines SecaaS as the provision of security applications and services via the cloud, either to cloud-based infrastructure and software or from the cloud to the customers' on-premise systems
• The Cloud Security Alliance has identified the following SecaaS categories of service:
  • Identity and access management
  • Data loss prevention
  • Web security
  • E-mail security
  • Security assessments
  • Intrusion management
  • Security information and event management
  • Encryption
  • Business continuity and disaster recovery
  • Network security

Elements of Cloud Security as a Service

Summary

• Network access control
• Elements of a network access control system
• Network access enforcement methods
• Extensible authentication protocol
• Authentication methods
• EAP exchanges
• Cloud security as a service
• IEEE 802.1X port-based network access control
• Cloud computing
• Elements
• Reference architecture
• Cloud security risks and countermeasures
• Data protection in the cloud
• Addressing cloud computing security concerns

Bibliography

Stallings, W. Cryptography and Network Security: Principles and Practice, 7th ed., Pearson, 2017, Chapter 16: Network Access Control and Cloud Security