Access Control and IDS Student

This document provides a comprehensive overview of access control systems, detailing their importance in protecting information resources from unauthorized access. It explains various types of access control, models, roles, and the AAA framework, which includes Authentication, Authorization, and Accounting. Additionally, it discusses intrusion detection and prevention systems, highlighting their functions, categorizations, and the significance of implementing robust security measures to mitigate risks.

Uploaded by

kelechimere8

ACCESS CONTROL

This unit gives a full and comprehensive understanding of access control systems: how they
work, access control lists and the AAA framework.
At the end of this class, you will be able to explain the concept of access control and how to
manage access control.
Definition 1. Access control is the protection of information resources or services from
access or use by unauthorized entities (organizations, people, machines, processes). That is
to say, access control refers to the prevention of unauthorized use of a resource.
Definition 2. Access control is a security technique that regulates who or what can view or
use resources in a computing environment. It is a fundamental concept in security that
minimizes risk to the business or organization.
There are two types of access control: physical and logical access control.
Physical access control limits access to campuses, buildings, rooms and physical IT assets.
Logical access control limits connections to computer networks, system files and data.

To secure a facility, organizations use electronic access control systems that rely on user
credentials, access card readers, auditing and reports to track employee access to restricted
business locations and proprietary areas, such as data centres. Some of these systems
incorporate access control panels to restrict entry to rooms and buildings, as well as alarms
and lockdown capabilities, to prevent unauthorized access or operations.
Access control systems perform identification, authentication and authorization of users and
entities by evaluating required login credentials, which can include passwords, personal
identification numbers (PINs), biometric scans, security tokens or other authentication
factors. Multifactor authentication (MFA), which requires two or more authentication
factors, is often an important part of a layered defence protecting access control systems.

Why is access control important?


The goal of access control is to minimize the security risk of unauthorized access to physical
and logical systems. Access control is a fundamental component of security compliance
programs that ensures security technology and access control policies are in place to protect
confidential information, such as customer data. Most organizations have infrastructure and
procedures that limit access to networks, computer systems, applications, files and sensitive
data, such as personally identifiable information (PII) and intellectual property.
Access control systems are complex and can be challenging to manage in dynamic IT
environments that involve on-premises systems and cloud services. After some high-profile
breaches, technology vendors have shifted away from single sign-on (SSO) systems to unified
access management, which offers access controls for on-premises and cloud environments.

How access control works:


These security controls work by identifying an individual or entity, verifying that the person
or application is who or what it claims to be, and authorizing the access level and set of
actions associated with the username or Internet Protocol (IP) address. Directory services
and protocols, including Lightweight Directory Access Protocol (LDAP) and Security Assertion
Markup Language (SAML), provide access controls for authenticating and authorizing users
and entities and enabling them to connect to computer resources, such as distributed
applications and web servers.
Organizations use different access control models depending on their compliance
requirements and the security levels of information technology (IT) they are trying to
protect.

Types of Access control

Access control can be split into two groups designed to improve physical security:
• Physical access control: limits access to campuses, buildings and other physical assets, e.g.,
a proximity card to unlock a door.
• Logical access control: limits access to computers, networks, files and other sensitive data,
e.g., a username and password.

Access control Models


The main models of access control are:
• Attribute-based Access Control (ABAC): In this model, access is granted or declined by
evaluating a set of rules, policies, and relationships using the attributes of users, systems and
environmental conditions.
• Discretionary Access Control (DAC): In DAC, the owner of data determines who can access
specific resources.
• History-Based Access Control (HBAC): Access is granted or declined by evaluating the
history of activities of the inquiring party that includes behaviour, the time between
requests and content of requests.
• Identity-Based Access Control (IBAC): By using this model network administrators can more
effectively manage activity and access based on individual requirements.
• Mandatory Access Control (MAC): A control model in which access rights are regulated by
a central authority based on multiple levels of security. Security Enhanced Linux is
implemented using MAC on the Linux operating system.
• Organization-Based Access control (OrBAC): This model allows the policy designer to
define a security policy independently of the implementation.
• Role-Based Access Control (RBAC): RBAC grants access based on job title. RBAC
eliminates discretion on a large scale when providing access to objects. For example, a
human resources specialist should not have permission to create network accounts.
• Rule-Based Access Control (RAC): The RAC method is largely context-based. An example
would be allowing students to use the labs only during a certain time of day.

Access control roles


Access control roles (ACRs) are sets of privileges that are defined following organization-
defined policies. These roles are assigned to different users based on their access rights
according to their job role in the organization. Some people use the words group and role
interchangeably, and in many systems they are; but the more careful definition is that a
group is a list of principals, while a role is a fixed set of access permissions that one or more
principals may assume for a period of time using some defined procedure.
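As an added example (not part of the original handout), the following Python sketch puts the RBAC and rule-based models listed above together with the role-versus-group distinction from this section: permissions hang off roles, a principal must explicitly assume an assigned role before it counts, and a context rule restricts lab use to certain hours. All role names, permissions and hours are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy for illustration only; not a real product's configuration.
# RBAC: permissions attach to roles, never directly to people. Note that the
# HR role deliberately carries no account-creation permission.
ROLE_PERMISSIONS = {
    "hr_specialist": {"read_payroll", "update_employee_record"},
    "network_admin": {"create_network_account", "disable_network_account"},
    "student": {"use_lab"},
}

# Rule-based (RAC) constraint: lab use is only permitted between these hours
# (inclusive start hour, exclusive end hour, 24-hour clock).
LAB_HOURS = (8, 18)


@dataclass
class Principal:
    name: str
    assigned_roles: set                              # roles policy lets this principal hold
    active_roles: set = field(default_factory=set)   # roles assumed right now

    def assume(self, role):
        """Activate an assigned role; a plain group membership has no such step."""
        if role not in self.assigned_roles:
            raise PermissionError(f"{self.name} is not assigned the role {role!r}")
        self.active_roles.add(role)

    def drop(self, role):
        """Give the role up again when the task that needed it is finished."""
        self.active_roles.discard(role)


def rbac_allows(principal, permission):
    """Grant only if some currently active role carries the permission."""
    return any(permission in ROLE_PERMISSIONS.get(r, set())
               for r in principal.active_roles)


def rac_allows(permission, hour):
    """Context check: in this policy only lab use is time-restricted."""
    if permission != "use_lab":
        return True
    start, end = LAB_HOURS
    return start <= hour < end


def decide(principal, permission, hour):
    """Default deny: every applicable model must allow the request."""
    if not rbac_allows(principal, permission):
        return f"deny: no active role of {principal.name} grants {permission}"
    if not rac_allows(permission, hour):
        return f"deny: {permission} is not permitted at {hour:02d}:00"
    return "allow"


if __name__ == "__main__":
    hr = Principal("alice", {"hr_specialist"})
    hr.assume("hr_specialist")
    print(decide(hr, "read_payroll", 10))            # allow
    print(decide(hr, "create_network_account", 10))  # deny: no active role ...
    student = Principal("bob", {"student"})
    student.assume("student")
    print(decide(student, "use_lab", 22))            # deny: use_lab is not permitted at 22:00
```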

AAA Framework
AAA is a standards-based framework used to control who is permitted to use network
resources (through Authentication), what they are authorized to do (through
Authorization), and to capture the actions performed while accessing the network (through
Accounting). An administrator can access a router or other device through its console, but
this is very inconvenient when the administrator is far from the device, so eventually remote
access to the device is needed. Because remote access is reached through an IP address, an
unauthorized user could attempt to gain access through that same address; as a security
measure, authentication must therefore be required. The packets exchanged with the device
should also be encrypted so that no other person is able to capture that sensitive
information. The framework called Authentication, Authorization and Accounting,
abbreviated AAA, is used to provide that extra level of security.

Authentication
Authentication is the process of determining whether a user who wants to access network
resources is valid or not, by asking for credentials such as a username and password. As
network administrators, we can control how a user is authenticated when they want to
access the network.
Authorization
It provides the capability to enforce policies on network resources after the user has gained
access to them through authentication. After authentication succeeds, authorization
determines which resources the user is allowed to access and which operations can be
performed.
Accounting
It provides a means of monitoring and capturing the events performed by the user while
accessing network resources. It even records how long the user has access to the network.
The administrator can create an accounting method list to specify what should be accounted
for and to whom the accounting records should be sent.
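The three AAA steps as one small remote-access flow, added here as an example and not taken from the handout or any vendor's AAA implementation: authentication checks a salted password hash in constant time, authorization checks the command against a per-user list, and an accounting method list decides which record kinds go to which destinations (a local log and a syslog server are assumed, as are all user names and commands).

```python
import hashlib
import hmac
import os


def _make_record(password, salt=None):
    """Salted PBKDF2 hash of a password; a fresh random salt if none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: the device never keeps plaintext passwords.
USERS = {"ops": _make_record("correct-horse-battery"), "helpdesk": _make_record("staple")}

# Authorization: commands each user may run once authenticated.
AUTHORIZED = {"ops": {"show running-config", "reload"}, "helpdesk": {"show interfaces"}}

# Accounting method list: what to account for, and where each record kind is sent.
ACCOUNTING = {"session": ["local_log", "syslog_server"], "command": ["syslog_server"]}
SINKS = {"local_log": [], "syslog_server": []}


def authenticate(username, password):
    """Verify the credential in constant time; unknown users fail the same way."""
    salt, stored = USERS.get(username, (b"\0" * 16, b"\0" * 32))
    _, candidate = _make_record(password, salt)
    return hmac.compare_digest(candidate, stored) and username in USERS


def authorize(username, command):
    return command in AUTHORIZED.get(username, set())


def account(kind, record):
    """Deliver the record to every sink named in the method list for this kind."""
    for sink in ACCOUNTING.get(kind, []):
        SINKS[sink].append(record)


class Session:
    """A remote-access session; accounting captures start, stop and duration."""

    def __init__(self, username, password, started_at):
        if not authenticate(username, password):
            account("session", {"user": username, "event": "auth_failed", "at": started_at})
            raise PermissionError("authentication failed")
        self.user, self.started_at, self.ended_at = username, started_at, None
        account("session", {"user": username, "event": "start", "at": started_at})

    def run(self, command, at):
        """Every command attempt is accounted, whether or not it was allowed."""
        allowed = authorize(self.user, command)
        account("command", {"user": self.user, "command": command, "allowed": allowed, "at": at})
        return allowed

    def stop(self, at):
        """Close the session and record how long the user held access (seconds)."""
        self.ended_at = at
        account("session", {"user": self.user, "event": "stop", "at": at,
                            "duration_s": at - self.started_at})
        return at - self.started_at
```

Timestamps are plain seconds so the flow runs without a clock; a real device would use its own time source.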

Who is a system administrator?


ANSWER: The SysAdmin, or Systems Administrator, is the person responsible for configuring
and managing a company's entire infrastructure, including all of the hardware, software, and
operating systems that are necessary to support the running of the business. The SysAdmin
is responsible for configuring and managing company infrastructure, managing user access
and permissions to all systems and data, performing daily security backups and restores,
managing all monitoring and alerting throughout company applications and infrastructure,
and solving and troubleshooting problems.

What happens to organizations that do not implement access control?
ANSWER: Everyone in the organization, no matter what their title, would have access to all
the company's information on all of their systems and applications. Employees would be
able to make changes to secure data, such as the payroll and customer information. The
scary part is that many organizations often have minimal access management structures in
place, or they believe they are managing their access rights correctly when they may actually
not be. Without proper access management, security risks are high, and it is easy to lose
track of who has access to what, easily leading to a security breach.

CONCLUSION: It is also important for an enterprise to develop a security system that
secures the information system against external threats. A very important stage in building
data protection into an information system is the creation of a high-level model, independent
of the software, that satisfies the protection and security needs of the system.

SUMMARY: One of the basic concepts of protection models is access control. The purpose
of access control to data in an information system is to limit the actions or operations that
the system's users can execute. Access control based on the role concept represents an
interesting alternative to traditional systems of the DAC (Discretionary Access Control) or
MAC (Mandatory Access Control) type. The RBAC (Role-Based Access Control) model,
based on the role concept, defines the user's access to information based on the activities
that the user can perform in the system.

INTRUSION DETECTION SYSTEMS
What is an intrusion detection system (IDS)?
An IDS is either a hardware device or a software application that uses known intrusion
signatures to detect and analyse both inbound and outbound network traffic for abnormal
activities.
Safeguarding security is becoming increasingly difficult, because the available attack
technologies are becoming ever more sophisticated; at the same time, less technical ability
is required of the novice attacker, as proven past methods are easily accessed through the
Web. Intrusion detection systems (IDS) are therefore being developed in response to the
increasing number of attacks on major sites and networks.
Intrusion detection systems monitor network traffic, work with signature databases and,
using heuristic analysis, reveal suspicious patterns in seemingly unrelated connection
attempts (e.g. address range scanning, port range scanning, signatures of known attacks
encapsulated within allowed connections, etc.). The aim of an IDS is to detect unusual
activities that can lead to security violations in an operating system or a computer network,
and possibly to counter them.
An IDS uses vulnerability assessment (sometimes referred to as scanning), which is a
technology developed to assess the security of a computer system or network.

Intrusion detection functions include:


• monitoring and analysing both user and system activities,
• analysing system configurations and vulnerabilities,
• assessing system and file integrity,
• ability to recognize patterns typical of attacks,
• analysis of abnormal activity patterns,
• tracking user policy violations.

An intrusion detection system (IDS) inspects all inbound and outbound network activity and
identifies suspicious patterns that may indicate a network or system attack from someone
attempting to break into or compromise a system.

There are several ways to categorize an IDS:


Misuse detection vs. Anomaly detection
• Misuse detection: the IDS analyses the information it gathers and compares it to large
databases of attack signatures. Essentially, the IDS looks for a specific attack that has already
been documented. The intrusion detection technique based on attack signature consists in
looking for “signatures” (a typical character sequence of an attack) in all communications
going through the network. It can detect application-level attacks, even if they conform to
inter-application protocol standards; as such, it complements inter-application protocol
decoding. Like a virus detection system, misuse detection software is only as good as the
database of attack signatures that it uses to compare packets against, so it implies the
maintaining and updating of the attack signatures database; the frequent update of this
database on equipment using this technology is of utmost importance for the relevance of
this technique.
• Anomaly detection: the system administrator defines the baseline or normal state of the
network’s traffic load, breakdown, protocol, and typical packet size. The anomaly detector
monitors network segments to compare their state to the normal baseline and look for
anomalies.

Network-based vs. Host-based systems
• Network-based system, or NIDS: the individual packets flowing through a network are
analysed. The NIDS can detect malicious packets that are designed to be overlooked by a
firewall’s simplistic filtering rules.
• Host-based system, or HIDS: the IDS examines all the activity on each individual computer
or host.

Passive system vs. Reactive system


• Passive system: the IDS detects a potential security breach, logs the information and
signals an alert. The advantage is that the device is not located inline; instead, the network
traffic is copied (mirrored) towards it. In case of suspicion, it only issues a corresponding
notification (an e-mail, an SNMP trap message, etc.).
• Reactive system: the IDS responds to the suspicious activity by logging off a user or by
reprogramming the firewall to block network traffic from the suspected malicious source.
An active IDS, usually called an Intrusion Prevention System (IPS), responds to suspicious
activity proactively, in addition to the notification that a passive IDS also produces: for
instance, by logging a user out of a system or reprogramming a corresponding network
device (typically a firewall) to block the network traffic from a suspicious (and potentially
harmful) source. The IPS device is always located inline with the data traffic so that it can
actively prevent malicious packets from spreading throughout the network. However, this
brings a potential risk in terms of data throughput (a bottleneck) and adds to the total
transmission delay of the messages. On the other hand, modern IPSs are designed to
minimize the processing delay of packets under inspection (approximately units or tens of
microseconds).
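The categories above side by side, as an added example that is not from the handout or any IDS product: misuse detection matches payloads against a small signature database, anomaly detection compares packet sizes with an administrator-supplied baseline, a port-range scan detector covers the "port range" case mentioned earlier, and a response step behaves either as a passive IDS (notify only) or as a reactive IPS (also emit a block rule per offending source). The signatures, thresholds and traffic records are all constructed for the demonstration.

```python
import re
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

Packet = namedtuple("Packet", "src dport size payload")

# Misuse detection: constructed stand-in for a vendor signature database,
# which must be kept up to date for this technique to stay relevant.
SIGNATURES = {
    "sql_injection": re.compile(rb"union\s+select", re.I),
    "path_traversal": re.compile(rb"\.\./\.\./"),
}


def misuse_detect(packets):
    """Compare every payload against each signature; return (src, name) hits."""
    return [(p.src, name) for p in packets
            for name, sig in SIGNATURES.items() if sig.search(p.payload)]


def build_baseline(normal_packets):
    """Anomaly detection: the administrator defines normal traffic; derive mean and stdev."""
    sizes = [p.size for p in normal_packets]
    return mean(sizes), pstdev(sizes)


def anomaly_detect(packets, baseline, k=3.0):
    """Flag packets whose size deviates more than k standard deviations from normal."""
    mu, sigma = baseline
    return [(p.src, "size_anomaly") for p in packets if abs(p.size - mu) > k * sigma]


def port_scan_detect(packets, threshold=10):
    """Flag a source that touches an unusual number of distinct destination ports."""
    ports = defaultdict(set)
    for p in packets:
        ports[p.src].add(p.dport)
    return [(src, "port_scan") for src, s in ports.items() if len(s) >= threshold]


def respond(alerts, reactive=False):
    """Passive IDS: notify only. Reactive (IPS): additionally block each source once."""
    actions = [("notify", src, reason) for src, reason in alerts]
    if reactive:
        actions += [("block", src) for src in sorted({src for src, _ in alerts})]
    return actions


# Constructed traffic: a normal sample for the baseline and a live capture to inspect.
NORMAL = [Packet("10.0.0.5", 443, s, b"") for s in (64, 128, 256, 512, 1024, 1500, 800, 400)]
LIVE = (
    [Packet("10.0.0.5", 443, 512, b"GET /index.html HTTP/1.1"),
     Packet("203.0.113.4", 80, 600, b"GET /?id=1 UNION SELECT password FROM users"),
     Packet("203.0.113.4", 80, 580, b"GET /../../etc/passwd HTTP/1.1"),
     Packet("10.0.0.7", 443, 9000, b"POST /upload HTTP/1.1")]
    + [Packet("198.51.100.9", port, 60, b"") for port in range(20, 36)]
)


def analyse(packets, normal=NORMAL, reactive=False):
    """Run all three detectors and return (alerts, actions)."""
    alerts = (misuse_detect(packets)
              + anomaly_detect(packets, build_baseline(normal))
              + port_scan_detect(packets))
    return alerts, respond(alerts, reactive)


if __name__ == "__main__":
    for action in analyse(LIVE, reactive=True)[1]:
        print(action)
```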

Intrusion detection and prevention are two broad terms describing application security
practices used to mitigate attacks and block new threats.
The first is a reactive measure that identifies and mitigates ongoing attacks using an
intrusion detection system. It’s able to weed out existing malware (e.g., Trojans, backdoors,
rootkits) and detect social engineering (e.g., man in the middle, phishing) assaults that
manipulate users into revealing sensitive information.
The second is a proactive security measure that uses an intrusion prevention system to pre-
emptively block application attacks. This includes remote file inclusions that facilitate
malware injections, and SQL injections used to access an enterprise’s databases.
This is done through:
• System file comparisons against malware signatures.
• Scanning processes that detect signs of harmful patterns.
• Monitoring user behaviour to detect malicious intent.
• Monitoring system settings and configurations.
Upon detecting a security policy violation, virus or configuration error, an IDS is able to kick
an offending user off the network and send an alert to security personnel.
Despite its benefits, including in-depth network traffic analysis and attack detection, an IDS
has inherent drawbacks. Because it uses previously known intrusion signatures to locate
attacks, newly discovered (i.e., zero-day) threats can remain undetected.
Furthermore, an IDS only detects ongoing attacks, not incoming assaults. To block these,
an intrusion prevention system is required.
WHAT IS AN INTRUSION PREVENTION SYSTEM (IPS)?
An IPS complements an IDS configuration by proactively inspecting a system’s incoming
traffic to weed out malicious requests. A typical IPS configuration uses web application
firewalls and traffic filtering solutions to secure applications.

An IPS prevents attacks by dropping malicious packets, blocking offending IPs and alerting
security personnel to potential threats. Such a system usually uses a pre-existing database
for signature recognition and can be programmed to recognize attacks based on traffic and
behavioural anomalies.
While being effective at blocking known attack vectors, some IPS systems come with
limitations. These are commonly caused by an overreliance on predefined rules, making
them susceptible to false positives.
Using Imperva to bolster your IPS configurations
Imperva cloud WAF intrusion prevention solutions are fully customizable tools that block
zero-day and existing web application security threats while reducing false positives.
Imperva cloud WAF IPS features include:
Web Application Firewall (WAF) – The Imperva cloud WAF is a cloud-based firewall
deployed on your network’s edge. It bolsters your existing IPS through signature,
reputational and behavioural heuristics that filter malicious incoming requests and
application attacks—including remote file inclusions and SQL injections.
Advanced features, such as access control, dynamic profiling and application-aware
technologies help minimize false positives. Meanwhile, global crowdsourcing provides a
continually updated database of new threats, thereby ensuring protection from zero-day
threats.
Custom rules – IncapRules expands Imperva cloud WAF capabilities by enabling you to
implement your own security and access control policies. This high degree of customization
helps minimize false positives while rooting out hidden threats specific to your organization.
Two-factor authentication (2FA) – 2FA is a security process requiring users to provide two
means of verification when logging into an account, such as a password and one-time
passcode (OTP) sent to a mobile device. It bolsters intrusion prevention by adding an extra
layer of protection to your application’s sensitive data.
Imperva cloud WAF allows you to deploy two-factor authentication gateways for any URL in
your web application. This solution is fully customizable, letting you choose your verification
method and easily manage a database of approved users. It can also be configured in
seconds and requires no code changes or additional integration.

Summary
In this chapter, we have discussed the typical solutions adopted to provide perimeter
security. Perimeter security is a set of hardware, software and programmatic security
policies that provide levels of protection against remote malicious activity. In addition, we
have described the main features of firewalls and intrusion detection systems, and classified
these systems according to different criteria.
