Practical_assignment-531

Colin Horn

Week6Slides2.pptx

Home >Information Systems homework help >Practical_assignment-531

Access Control, Authentication, and Public Key Infrastructure

Lesson 6

Access Control System Implementations

Access Control Solutions for Remote Workers

www.jblearning.com

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Transform Policy Definitions into Implementation Tasks

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Policy

Standard

Guideline

Procedure

Follow Standards Where Applicable

IEEE

National Institute of Standards and Technology (NIST)

Federal Information Security Management Act (FISMA)

ISO

Internet Engineering Task Force (IETF)

PCI Security Standards Council

Center for Internet Security (CIS)

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Identity Management and Access Control

A way to identify all associates within an organization

Reviewing identities and ensuring they are categorized correctly will limit mistakes

Every organization has its own standards for acceptable identity depending on the risk

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

User Behavior, Application, and Network Analysis

By understanding normal behavior, you are able to detect activities that are unusual

User behavior and application analysis provides the data needed to ensure systems are available

Network analysis provides details on both users and applications as well as network traffic

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Size and Distribution of Staff and Assets

Creating a complete inventory of IT assets is one of the first steps in implementing access controls

The access control system should be based on the risk against the data and network access

Have the tools available so administrator can manage any size staff and assets

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Multilayer Access Control

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

User Access Control Profiles

Systems Access

Applications Access

File and Folder Access

Data Access

Access Controls for Employees, Remote Employees, Customers, and Business Partners

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Virtual private network (VPN)

Intranets

Extranets

Secure e-commerce sites with encryption

Access Controls for Employees, Remote Employees, Customers, and Business Partners (Cont.)

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Secure online banking access control implementations

Logon/password access

Identification imaging and authorization

Best Practices for Access Control Implementations

Understand the roles within the organizations

Understand the data that resides on the network

Establish a baseline

Monitor activities on a continuous basis

Create guidelines and policies that are easy to understand and implement

Manage user accounts appropriately

Manage remote access capabilities

Provide strong security

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

Remote Access Methods

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

RADIUS

RAS

TACACS+

VPN

Identification, Authentication, and Authorization (IAA)

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

USB Tokens:

Password required(second authentication factor) to gain access to the computer system

Hard to duplicate and tamper resistant

Ability to store digital certificates that can be used in a public key infrastructure (PKI) environment

Key Questions to Discuss:

Does second authentication factor assure complete security?

Even though USB devices are hard to duplicate and tamper resistant, what factors still allow sensitive information stored in USBs vulnerable?

Can you come up with more weaknesses or strengths of USBs???

Smart Cards—Advantages

Contains a microprocessor–enables storage and processing of data and use of more robust authentication schemes:

Valid recognition of smart card (first authentication factor)

Requirement of password (second authentication factor)

Smart Cards—Disadvantage Requires installation of a hardware reader and associated software drivers on the consumer’s home computer

Why is it a disadvantage? Let’s discuss!!!!

Password Generating Tokens

Unique pass-code, also known as a one-time password (OTP)—ensures that the same OTP is not used consecutively

User name and regular password (first authentication factor)

OTP generated by the token (second authentication factor)

What makes password generating tokens so secure ???

Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The randomness, unpredictability, and uniqueness of the OTPs substantially increase the difficulty of a cyber thief capturing and using OTPs gained from keyboard logging.

Biometric Techniques and Identifiers

Fingerprint Recognition

Face Recognition

Voice Recognition

Keystroke Recognition

Handwriting Recognition

Finger and Hand Geometry

Retinal Scan

Iris Scan

Key Questions to Discuss for Biometrics

How can biometrics help financial institutions in replacing the use of Automated Teller Machine (ATM) cards?

Currently, some financial institutions, domestic and foreign, that use fingerprint recognition and other biometric technologies to authenticate ATM users, are eliminating the need for an ATM card and the expense of replacing lost or stolen cards.

Once enrolled, customers interact with the live-scan process of the biometrics technology. The live scan is used to identify and authenticate the customer.

Web Browsers

Today, Web browsers such as Internet Explorer, Mozilla Firefox, and Apple Safari (to name a few), are installed on almost all computers. Because Web browsers are used so frequently, it is vital to configure them securely.

Often, the Web browser that comes with an operating system is not set up in a secure default configuration.

Not securing your Web browser can lead quickly to a variety of computer problems caused by anything from spyware being installed without your knowledge to intruders taking control of your computer.

Vulnerabilities

Ideally, computer users should evaluate the risks from the software they use. Many computers are sold with software already loaded. Unfortunately, it is not practical for most people to perform this level of analysis.

There is an increasing threat from software attacks that take advantage of vulnerable Web browsers.

We have observed a trend whereby new software vulnerabilities are exploited and directed at Web browsers through use of compromised or malicious Web sites.

This problem is made worse by a number of factors, including the following:

Many users have a tendency to click on links without considering the risks of their actions.

Web page addresses can be disguised or take you to an unexpected site.

Many Web browsers are configured to provide increased functionality at the cost of decreased security.

http://www.cert.org/tech_tips/securing_browser

Key Questions to Discuss

Are Web browsers secure?

What are the vulnerabilities of Web browsers?

Why do we need to secure the Web browsers?

How can Web browsers be made secure?

Reducing Risks in Web Browsers Force authentication(strong authentication preferred)

Configure browser for safe operation

Use remote access server (RAS) to validate access

Use secure protocols

Use host and network firewalls

Use antivirus (update it frequently)

Guard against malware

3/27/17

Identification

The process of uniquely distinguishing an individual

Authentication

The process of verifying that users are who they say they are

Authorization

Determining which actions are allowed or not allowed by a user or system

Access Protocols to Minimize Risk

Authentication, Authorization, and Accounting (AAA)

Remote Authentication Dial In User Service (RADIUS)

Remote Access Server (RAS)

Terminal Access Controller Access Control System Plus (TACACS+), XTACACS, and TACACS+

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

Authentication, Authorization, and Accounting (AAA)

Network services that provide security through:

A framework of access controls and policies

Enforcement of policies

Information needed for billing purposes

Framework that multiple protocols are based on

Example: RADIUS protocol uses the AAA framework to provide the three AAA components, but supports authentication and authorization separately from accounting

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

Remote Authentication Dial In User Service (RADIUS)

A client/server protocol that provides authentication and authorization for remote users

Also provides accounting capabilities

A network protocol providing communication between a network access server (NAS) and an authentication server

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

RADIUS Infrastructure

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

Remote Access Server (RAS)

Provides authentication for remote access in an Internet and dial-up scenario

Process:

User connects to the RAS

Credentials are compared against database

If credentials match, authentication has occurred, and user is granted access to the network

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

TACACS+

A Cisco-proprietary protocol developed to provide access control for routers, network access servers, and other network devices via one or more centralized servers

Utilizes TCP, ensuring message delivery

Is an extension of TACACS but differs by:

Separating authentication, authorization, and accounting architecture

Encrypts the communication

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

RADIUS vs. TACACS+

Attributes	RADIUS	TACACS+
Transport Protocol	User Datagram Protocol (UDP)	Transmission Control Protocol/Internet Protocol (TCP/IP)
Encryption	Encrypts only password	Encrypts the entire body of the packet
Authentication, authorization, and accounting (AAA)	Not considered a pure AAA architecture	Pure AAA

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

Remote Authentication Protocols

Point-to-Point Protocol (PPP)

Challenge Handshake Authentication Protocol (CHAP)

Extensible Authentication Protocol (EAP)

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

Virtual Private Networks (VPNs)

A secure connection over an unsecure network—the Internet

Security over VPN is provided through encryption

Tunneling protocols

Point-to-Point Tunneling Protocol (PPTP)

Layer 2 Tunneling Protocol (L2TP)

Internet Protocol Security (IPSec)

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

Web Authentication

Ensuring users are who they say they are through a Web application

User ID and password is the basic form of authentication

Other forms of authentication:

One-time password authentication

Digital certificates

Knowledge-based authentication (KBA)

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

Best Practices for Remote Access Controls to Support Remote Workers

Determine the security risk associated with remote access

Select a remote access option that addresses security needs

Determine the appropriate level of authentication based on the security risk

Ensure the systems that are accessing the network meet the security policies of the organization

Ensure protection of the systems that remote workers access

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17

Week 6 Homework Assignments

Read Chapters 11 and 12

Lecture Quiz

20 multiple choice questions

30 minutes to complete

Only ONE attempt

Page ‹#›

Access Control, Authentication, and PKI

www.jblearning.com

3/27/17