Friday, February 10, 2012

Chapter 9

This chapter dealt with access control. The first section of the chapter went over the ideas and terminology behind access control, then launched into a discussion about the various models and methods of controlling access to a computer system. The first, mandatory access control (MAC) is considered the most restrictive, and is used by the US military on their networks. It operates in the same way as the security clearance regimen that government agencies use, allowing only those who have access to a certain level of information to gain access to that information on the network. Discretionary access control (DAC) was next, and is considered to be the least restrictive model. Administrators of an object in the system can give access to those they choose and create and administer objects at will. Role-based access control was next, and assigns access based on the job function of those who are on the network. Last was rule-based access control (RBAC) which assigns access levels based on a set of per-determined rules set by the administrator. Unlike role-based, rule based access can't be changed by users. The third part of the chapter dealt with some ground rules for access control, including separation of duties (keeping custodial and owner duties separate) job rotation (changing the duties of an administrator periodically), least privilege (only granting necessary levels of access for a job), implicit denial (only granting access if necessary conditions are met) and mandatory vacations (rotating administration duties to prevent buildups of power and access). Next, the implementation of access control was discussed. Access control lists are permissions attached to an object. Group policy is a feature in windows that allows administration of access levels using active directory. Account restrictions are used to allow employees to only be able to use the network at certain times of the day, week, etc so as to cut down on potential attacks. Account expiration is used to keep former employees from hacking or accessing a system after termination. Lastly, authentication services are often used to make certain only authorized users can get into a system. RADIUS is a dial-in service that is used for remote clients. Radius clients are often devices attached to a network that allow for remote users to connect, such as access points, etc. Kerberos authenticates network users using tickets that identify and authenticate a user as having access to a network. Terminal access control/access control is similar to radius used on many unix-based systems. LDAP is a service that authenticates users by keeping a copy of their access credentials, and keeps track of the resources on a network and the user's level of access to them.

No comments:

Post a Comment