SophiaPretty
$14/per page/Negotiable
Access Control, Digital Signature and Virtual Private Networks
Access Control
Access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization—that is, information systems, restricted areas such as computer rooms, and the entire physical location. Access control is achieved by means of a combination of policies, programs, and technologies. Access controls can be mandatory, non- discretionary, or discretionary.
Mandatory access controls (MACs) use data classification schemes; they give users and data owners limited control over access to information resources. In a data classification scheme, each collection of information is rated, and each user is rated to specify the level of information that user may access. These ratings are often referred to as sensitivity levels, and they indicate the level of confidentiality the information requires. A variation of this form of access control is called lattice-based access control, in which users are assigned a matrix of authorizations for particular areas of access. The level of authorization may vary between levels, depending on the classification authorizations individuals possess for each group of information or resources. The lattice structure contains subjects and objects, and the boundaries associated with each pair are demarcated. Lattice-based control specifies the level of access each subject has to each object. With this type of control, the column of attributes associated with a particular object (such as a printer) is referred to as an access control list (ACL). The row of attributes associated with a particular subject (such as a user) is referred to as a capabilities table.
Nondiscretionary controls are a strictly-enforced version of MACs that are managed by a central authority in the organization and can be based on an individual’s role—role-based controls—or a specified set of tasks (subject- or object-based)—task-based controls. Role-based controls are tied to the role a user performs in an organization, and task-based controls are tied to a particular assignment or responsibility. The role and task controls make it easier to maintain the controls and restrictions associated with a particular role or task, especially if the individual performing the role or task changes often. Instead of constantly assigning and revoking the privileges of individuals who come and go, the administrator simply assigns the associated access rights to the role or task, and then whenever individuals are associated with that role or task, they automatically receive the corresponding access. When their turns are over, they are removed from the role or task and the access is revoked.
Discretionary access controls (DACs) are implemented at the discretion or option of the data user. The ability to share resources in a peer-to-peer configuration allows users to control and possibly provide access to information or resources at their disposal. The users can allow general, unrestricted access, or they can allow specific individuals or sets of individuals to access these resources. For example, a user has a hard drive containing information to be shared with office coworkers. This user can elect to allow access to specific individuals by providing access, by name, in the share control function.
In general, all access control approaches rely on the following mechanisms:
Identification
Identification is a mechanism whereby an unverified entity—called a supplicant—that seeks access to a resource, proposes a label by which they are known to the system. The label applied to the supplicant (or supplied by the supplicant) is called an identifier (ID), and must be mapped to one and only one entity within the security domain. Some organizations use composite identifiers, concatenating elements—department codes, random numbers, or special characters—to make unique identifiers within the security domain. Other organizations generate random IDs to protect the resources from potential attackers. Most organizations use a single piece of unique information, such as a complete name or the user’s first initial and surname.
Authentication
Authentication is the process of validating a supplicant’s purported identity. There are three widely used authentication mechanisms, or authentication factors:
Something a Supplicant Knows This factor of authentication relies upon what the supplicant knows and can recall—for example, a password, passphrase, or other unique authentication code, such as a personal identification number (PIN). A password is a private word or combination of characters that only the user should know. One of the biggest debates in the information security industry concerns the complexity of passwords. On the one hand, a password should be difficult to guess, which means it cannot be a series of letters or a word that is easily associated with the user, such as the name of the user’s spouse, child, or pet. Nor should a password be a series of numbers easily associated with the user, such as a phone number, Social Security number, or birth date. On the other hand, the password must be something the user can easily remember, which means it should be short or easily associated with something the user can remember.
A passphrase is a series of characters, typically longer than a password, from which a virtual password is derived. For example, while a typical password might be “23skedoo,” a typical passphrase might be “MayTheForceBeWithYouAlways,” represented as “MTFBWYA.”
Something a Supplicant Has This authentication factor relies upon something a supplicant has and can produce when necessary. One example is dumb cards, such as ID cards or ATM cards with magnetic stripes containing the digital (and often encrypted) user PIN, against which the number a user input is compared. The smart card contains a computer chip that can verify and validate a number of pieces of information instead of just a PIN. Another common device is the token, a card or key fob with a computer chip and a liquid crystal display that shows a computer-generated number used to support remote login authentication. Tokens are synchronous or asynchronous. Once synchronous tokens are synchronized with a server, both devices (server and token) use the same time or a time-based database to generate a number that must be entered during the user login phase. Asynchronous tokens, which don’t require that the server and tokens all maintain the same time setting, use a challenge/response system, in which the server challenges the supplicant during login with a numerical sequence. The supplicant places this sequence into the token and receives a response. The prospective user then enters the response into the system to gain access.
Something a Supplicant Is or Can Produce This authentication factor relies upon individual characteristics, such as fingerprints, palm prints, hand topography, hand geometry, or retina and iris scans, or something a supplicant can produce on demand, such as voice patterns, signatures, or keyboard kinetic measurements. Some of these characteristics are known collectively as biometrics.
Authorization
Authorization is the matching of an authenticated entity to a list of information assets and corresponding access levels. This list is usually an ACL or access control matrix. In general, authorization can be handled in one of three ways:
Authorization credentials (sometimes called authorization tickets) are issued by an authenticator and are honored by many or all systems within the authentication domain. Sometimes called single sign-on (SSO) or reduced sign-on, authorization credentials are becoming more common and are frequently enabled using a shared directory structure such as the Light-weight Directory Access Protocol (LDAP).
Accountability
Accountability, also known as auditability, ensures that all actions on a system—authorized or unauthorized—can be attributed to an authenticated identity. Accountability is most often accomplished by means of system logs and database journals, and the auditing of these records.
Systems logs record specific information, such as failed access attempts and systems modifications. Logs have many uses, such as intrusion detection, determining the root cause of a system failure, or simply tracking the use of a particular resource.
Firewalls
A firewall in an information security program is similar to a building’s firewall in that it prevents specific types of information from moving between the outside world, known as the untrusted network (for example, the Internet), and the inside world, known as the trusted network. The firewall may be a separate computer system, a software service running on an existing router or server, or a separate network containing a number of supporting devices. Firewalls can be categorized by processing mode, development era, or structure.
Firewall Processing Modes
Firewalls fall into five major processing-mode categories: packet-filtering firewalls, application gateways, circuit gateways, MAC layer firewalls, and hybrids. Hybrid firewalls use a combination of the other four modes, and in practice, most firewalls fall into this category, since most firewall implementations use multiple approaches.
The packet-filtering firewall, also simply called a filtering firewall, examines the header information of data packets that come into a network. A packet-filtering firewall installed on a TCP/IP-based network typically functions at the IP level and determines whether to drop a packet (deny) or forward it to the next network connection (allow) based on the rules programmed into the firewall. Packet-filtering firewalls examine every incoming packet header and can selectively filter packets based on header information such as destination address, source address, packet type, and other key information.
Packet-filtering firewalls scan network data packets looking for compliance with or violation of the rules of the firewall’s database. Filtering firewalls inspect packets at the network layer. If the device finds a packet that matches a restriction, it stops the packet from traveling from one network to another.
Application Gateways The application gateway, also known as an application-level firewall or application firewall, is frequently installed on a dedicated computer, separate from the filtering router, but is commonly used in conjunction with a filtering router. The application firewall is also known as a proxy server since it runs special software that acts as a proxy for a service request. For example, an organization that runs a Web server can avoid exposing the server to direct user traffic by installing a proxy server configured with the registered domain’s URL. This proxy server receives requests for Web pages, accesses the Web server on behalf of the external client, and returns the requested pages to the users. These servers can store the most recently accessed pages in their internal cache, and are thus also called cache servers. The benefits from this type of implementation are significant. For one, the proxy server is placed in an unsecured area of the network or in the demilitarized zone (DMZ)—an intermediate area between a trusted network and an untrusted network—so that it, rather than the Web server, is exposed to the higher levels of risk from the less-trusted networks. Additional filtering routers can be implemented behind the proxy server, limiting access to the more secure internal system, and thereby further protecting internal systems.
One common example of an application-level firewall (or proxy server) is a firewall that blocks all requests for and responses to requests for Web pages and services from the internal computers of an organization, and instead makes all such requests and responses go to intermediate computers (or proxies) in the less-protected areas of the organization’s network. This technique is still widely used to implement electronic commerce functions.
The primary disadvantage of application-level firewalls is that they are designed for one or a few specific protocols and cannot easily be reconfigured to protect against attacks on other protocols. Since application firewalls work at the application layer (hence the name), they are typically restricted to a single application (e.g., FTP, Telnet, HTTP, SMTP, and SNMP). The processing time and resources necessary to read each packet down to the application layer diminishes the ability of these firewalls to handle multiple types of applications.
Circuit Gateways The circuit gateway firewall operates at the transport layer. Again, connections are authorized based on addresses. Like filtering firewalls, circuit gateway firewalls do not usually look at traffic flowing between one network and another, but they do prevent direct connections between one network and another. They accomplish this by creating tunnels connecting specific processes or systems on each side of the firewall, and then allowing only authorized traffic, such as a specific type of TCP connection for authorized users, in these tunnels. A circuit gateway is a firewall component often included in the category of application gateway, but it is in fact a separate type of firewall.
MAC Layer Firewalls While not as well known or widely referenced as the firewall approaches above, MAC layer firewalls are designed to operate at the media access control sublayer of the data link layer (Layer 2) of the OSI network model. This enables these firewalls to consider the specific host computer’s identity, as represented by its MAC or network interface card (NIC) address in its filtering decisions. Thus, MAC layer firewalls link the addresses of specific host computers to ACL entries that identify the specific types of packets that can be sent to each host, and block all other traffic.
Hybrid Firewalls Hybrid firewalls combine the elements of other types of firewalls—that is, the elements of packet filtering and proxy services, or of packet filtering and circuit gateways. A hybrid firewall system may actually consist of two separate firewall devices; each is a separate firewall system, but they are connected so that they work in tandem. For example, a hybrid firewall system might include a packet-filtering firewall that is set up to screen all acceptable requests, then pass the requests to a proxy server, which in turn requests services from a Web server deep inside the organization’s networks. An added advantage to the hybrid firewall approach is that it enables an organization to make a security improvement without completely replacing its existing firewalls.
Digital signatures
Message authentication protects two parties who exchange messages from any third party. However, it does not protect the two parties against each other. Several forms of dispute between the two are possible. For example, suppose that John sends an authenticated message to Mary, consider the following disputes that could arise.
Both scenarios are of legitimate concern. Here is an example of the first scenario: An electronic funds transfer takes place, and the receiver increases the amount of funds transferred and claims that the larger amount had arrived from the sender. An example of the second scenario is that an electronic mail message contains instructions to a stockbroker for a transaction that subsequently turns out badly. The sender pretends that the message was never sent.
In situations where there is not complete trust between sender and receiver, something more than authentication is needed. The most attractive solution to this problem is the digital signature. The digital signature must have the following properties:
Thus, the digital signature function includes the authentication function.
Digital Signature Requirements
Here are the requirements for a digital signature:
Direct Digital Signature
The term direct digital signature refers to a digital signature scheme that involves only the communicating parties (source, destination). It is assumed that the destination knows the public key of the source.
Confidentiality can be provided by encrypting the entire message plus signature with a shared secret key (symmetric encryption). Note that it is important to perform the signature function first and then an outer confidentiality function. In case of dispute, some third party must view the message and its signature. If the signature is calculated on an encrypted message, then the third party also needs access to the decryption key to read the original message. However, if the signature is the inner operation, then the recipient can store the plaintext message and its signature for later use in dispute resolution.
The validity of the scheme just described depends on the security of the sender’s private key. If a sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged his or her signature. Administrative controls relating to the security of private keys can be employed to thwart or at least weaken this ploy, but the threat is still there, at least to some degree. One example is to require every signed message to include a timestamp (date and time) and to require prompt reporting of compromised keys to a central authority.
Another threat is that some private key might actually be stolen from X at time T. The opponent can then send a message signed with X’s signature and stamped with a time before or equal to T.
Digital signatures were created in response to the rising need to verify information transferred via electronic systems. Asymmetric encryption processes are used to create digital signatures. When an asymmetric cryptographic process uses the sender’s private key to encrypt a message, the sender’s public key must be used to decrypt the message. When the decryption is successful, the process verifies that the message was sent by the sender and thus cannot be refuted. This process is known as nonrepudiation and is the principle of cryptography that underpins the authentication mechanism collectively known as a digital signature. Digital signatures are, therefore, encrypted messages that can be mathematically proven authentic.
The management of digital signatures is built into most Web browsers. In general, digital signatures should be created using processes and products that are based on the Digital Signature Standard (DSS). When processes and products are certified as DSS compliant, they have been approved and endorsed by U.S. federal and state governments, as well as by many foreign governments, as a means of authenticating the author of an electronic document. NIST has approved a number of algorithms that can be used to generate and verify digital signatures. These algorithms can be used in conjunction with the sender’s public and private keys, the receiver’s public key, and the Secure Hash Standard (SHS) to quickly create messages that are both encrypted and nonrepudiable. This process first creates a message digest using the hash algorithm, which is then input into the digital signature algorithm along with a random number to generate the digital signature. The digital signature function also depends upon the sender’s private key. The resulting encrypted message contains the digital signature, which can be verified by the recipient using the sender’s public key.
Digital Certificates
A digital certificate is an electronic document or container file that contains a key value and identifying information about the entity that controls the key. The certificate is often issued and certified by a third party, usually a certificate authority. A digital signature attached to the certificate’s container file certifies the file’s origin and integrity. This verification process often occurs when you download or update software via the Internet.
Unlike digital signatures, which help authenticate the origin of a message, digital certificates authenticate the cryptographic key that is embedded in the certificate. When used properly these certificates enable diligent users to verify the authenticity of any organization’s certificates. This is much like what happens when the Federal Deposit Insurance Corporation issues its FDIC logo to banks to assure customers that their bank is authentic.
Virtual Private Networks (VPNs)
Virtual private networks are implementations of cryptographic technology. A virtual private network (VPN) is a private and secure network connection between systems that uses the data communication capability of an unsecured and public network. The Virtual Private Network Consortium (VPNC) (www.vpnc.org) defines a VPN as “a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures.” VPNs are commonly used to securely extend an organization’s internal network connections to remote locations. The VPNC defines three VPN technologies: trusted VPNs, secure VPNs, and hybrid VPNs. A trusted VPN, also known as a legacy VPN, uses leased circuits from a service provider and conducts packet switching over these leased circuits. The organization must trust the service provider, who provides contractual assurance that no one else is allowed to use these circuits and that the circuits are properly maintained and protected—hence the name trusted VPN. Secure VPNs use security protocols and encrypt traffic transmitted across unsecured public networks like the Internet. A hybrid VPN combines the two, providing encrypted transmissions (as in secure VPN) over some or all of a trusted VPN network.
A VPN that proposes to offer a secure and reliable capability while relying on public networks must accomplish the following, regardless of the specific technologies and protocols being used:
In the most common implementation, a VPN allows a user to turn the Internet into a private network. As you know, the Internet is anything but private. However, an individual or organization can set up tunneling points across the Internet and send encrypted data back and forth, using the IP-packet-within-an-IP-packet method to transmit data safely and securely. VPNs are simple to set up and maintain and usually require only that the tunneling points be dual-homed—that is, connecting a private network to the Internet or to another outside connection point.
Transport Mode In transport mode, the data within an IP packet is encrypted, but the header information is not. This allows the user to establish a secure link directly with the remote host, encrypting only the data contents of the packet. The downside to this implementation is that packet eavesdroppers can still identify the destination system. Once an attacker knows the destination, he or she may be able to compromise one of the end nodes and acquire the packet information from it. On the other hand, transport mode eliminates the need for special servers and tunneling software, and allows the end users to transmit traffic from anywhere. This is especially useful for traveling or telecommuting employees.
Figure 1. Transport Mode VPN
Figure 1 illustrates the transport mode methods of implementing VPNs. There are two popular uses for transport mode VPNs. The first is the end-to-end transport of encrypted data. In this model, two end users can communicate directly, encrypting and decrypting their communications as needed. Each machine acts as the end node VPN server and client. In the second, a remote access worker or tele-worker connects to an office network over the Internet by connecting to a VPN server on the perimeter. This allows the tele-worker’s system to work as if it were part of the local area network. The VPN server in this example acts as an intermediate node, encrypting traffic from the secure intranet and transmitting it to the remote client, and decrypting traffic from the remote client and transmitting it to its final destination. This model frequently allows the remote system to act as its own VPN server, which is a weakness, since most work-at-home employees do not have the same level of physical and logical security they would have if they worked in the office.
Tunnel Mode Tunnel mode establishes two perimeter tunnel servers that encrypt all traffic that will traverse an unsecured network. In tunnel mode, the entire client packet is encrypted and added as the data portion of a packet addressed from one tunneling server to another. The receiving server decrypts the packet and sends it to the final address. The primary benefit to this model is that an intercepted packet reveals nothing about the true destination system.
One example of a tunnel mode VPN is provided with Microsoft’s Internet Security and Acceleration (ISA) Server. Figure 2 shows an example of tunnel mode VPN implementation. On the client end, a user can establish a VPN by configuring his or her system to connect to a VPN server. The process is straightforward. First, connect to the Internet through an ISP or direct network connection. Second, establish the link with the remote VPN server.
Figure 2. Tunnel Mode VPN
To learn more about access control and firewalls, check the following sites:
Authentication
http://www.cypherpunks.to/~peter/T3_Authentication.pdf
Types of Firewalls
http://searchnetworking.techtarget.com/tutorial/Introduction-to-firewalls-Types-of-firewalls
Firewall Basics and Network Security
https://www.youtube.com/watch?v=0UXdEGAhPj4
Digital Signatures
http://www.cs.ucsb.edu/~ckrintz/papers/security/crypto-tutorial.html
Digital Signature
http://www.tutorialspoint.com/internet_technologies/digital_signature.htm
Virtual Private Networking Basics
http://documentation.netgear.com/reference/nld/vpn/pdfs/FullManual.pdf
After reading the Module 4 Case, write a 2- to 3-page paper (excluding the title page and reference page), and do the following:
Use information from the modular background readings as well as the given resources. Also, you could use any good quality resource you can find. Please cite all sources and provide a reference list at the end of your paper.
Length: 2-3 pages (excluding the title page and reference pages) and double-spaced.
The following items will be assessed in particular:
Attachments: