Access Control
Notes for the first module. Try on. Ganbatte Kudasai. Hikaru is light. I am Hikaru. And Hikaru uses Kent. Kendy means candy, but in this case it is a katana.
First!
A. Access Control and Methodology
Access Control Basic:
Access Control:
Protection against unauthorized access.
Two entities:
Subject: active entity that requests access to an object, e.g. a user, a computer...
Object: passive entity that contains data and information, e.g. a computer, data, a file...
Security principle: CIA: Confidentiality - Integrity - Availability
3 steps: Identification, Authentication, Authorization -> resource
Logical access: tools for IAAA (the 3 steps + Accountability)
2-step authentication: present public information (username, user number), then enter private information (password, PIN)
Strong authentication: two-factor authentication
Identification components: unique, follows a naming schema, nondescriptive user ID, not shared.
Authentication methods: biometrics, passwords (PW management, PW checker, PW hashing and encryption, PW aging, limited login attempts, cognitive PW, one-time PW, cards...)
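Added example (my own code, not part of the original notes): a small in-memory authenticator that combines three of the password controls listed above: salted PBKDF2 hashing, password aging, and limited login attempts. The user store, the account names and the thresholds (lock after 3 failures, 90-day maximum age) are constructed for illustration.

```python
# Added example, not from the original notes: minimal password authenticator
# showing PW hashing, PW aging and limited login attempts together.
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 200_000          # slow hash: raises the cost of guessing
MAX_FAILED_LOGINS = 3            # limited login: lock after 3 consecutive failures
MAX_PASSWORD_AGE = 90 * 86400    # PW aging: 90 days, in seconds


class UserStore:
    """Constructed in-memory user database (username -> record)."""

    def __init__(self):
        self.users = {}

    def add_user(self, username, password, now=None):
        now = time.time() if now is None else now
        salt = os.urandom(16)    # per-user salt: equal passwords give different hashes
        self.users[username] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "changed_at": now,   # when the password was last set, for aging
            "failed": 0,         # consecutive failed attempts
            "locked": False,
        }

    def authenticate(self, username, password, now=None):
        """Return (ok, reason). 'now' is injectable so aging can be tested."""
        now = time.time() if now is None else now
        rec = self.users.get(username)
        if rec is None:
            # Do the same work for unknown users so timing does not reveal valid names.
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
            return False, "bad credentials"
        if rec["locked"]:
            return False, "account locked"
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, rec["hash"]):   # constant-time compare
            rec["failed"] += 1
            if rec["failed"] >= MAX_FAILED_LOGINS:
                rec["locked"] = True
                return False, "account locked"
            return False, "bad credentials"
        rec["failed"] = 0
        if now - rec["changed_at"] > MAX_PASSWORD_AGE:
            return False, "password expired"
        return True, "ok"


if __name__ == "__main__":
    store = UserStore()
    store.add_user("alice", "correct horse battery")
    print(store.authenticate("alice", "correct horse battery"))   # (True, 'ok')
    for _ in range(3):
        print(store.authenticate("alice", "guess"))               # locks on the 3rd failure
```

The lockout counter only resets on a successful login, and an expired password is reported only after the password itself verified, so an attacker cannot use the "expired" message to confirm a guess.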
Authorization:
Access Criteria: role, group, physical or logical location, time of day
=> Authorization creep; controls: default no access, least privilege (need to know), single sign-on.
Kerberos: single sign-on system for distributed environments.
Physical Access:
Controls: measures that protect the object from threats
Cable protection: use the material that best shields against electromagnetic emanation
use fiber optic cable
Separation: of duties and work areas. Each person has their own area, to prevent eavesdropping and abuse of authority (shoulder surfing)
supervise staff who perform sensitive processes
Admin access: administrators' access is itself controlled
Policies and procedures:
Security awareness training: short training courses for employees
Monitoring: supervision
Logical access: assigning permissions
object access restriction: only authorized users may access
encryption:
network architecture:
Access Control Techniques:
Control types: each type of threat has its own way of being handled
preventive: threats that can be prevented -> avoid
detective -> identify: recognize and detect
corrective: when information has been modified (while recovering from an incident) -> fix: restore normal access
recovery -> backup: ensure continued operation
Control categories:
Physical preventive control: restrict users (smart card)
user awareness
Technical preventive control: restrict what users can do and track their activity
encryption + antivirus
Security labels:
top secret, secret, confidential, sensitive (unclassified)
used to mark the classification level of information
a subject must be granted clearance matching the access level, e.g. which level an employee is placed in (not top secret)
Discretionary: DAC: discretionary access.
access decisions are made at the owner's discretion
the owner has the right to grant access rights
Mandatory: MAC: rule-based access: the rules are predefined. Each resource and user is assigned a label and gets the corresponding access
a subject's access right corresponds to the label assigned to the object
Non-discretionary: role-based access control: based on the user's role, on the user's job description
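Added example (my own code, not part of the original notes): toy decision functions for the three models above, DAC, MAC and RBAC, run over constructed subjects, objects and labels. The MAC function uses the security labels listed above and goes slightly beyond the notes by applying the Bell-LaPadula rule (read only at or below your clearance, write only at or above it); the ACL, roles and file names are assumptions for illustration.

```python
# Added example, not from the original notes: DAC, MAC and RBAC access decisions.

# Security labels from the notes, ordered from least to most sensitive.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def dac_allows(acl, subject, action):
    """DAC: the owner maintains the object's ACL; access is granted only if the
    subject's ACL entry lists the requested action."""
    return action in acl.get(subject, set())


def mac_allows(subject_clearance, object_label, action):
    """MAC: labels are fixed by policy, not by the owner. Bell-LaPadula rule:
    read requires clearance >= label (no read up),
    write requires clearance <= label (no write down)."""
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if action == "read":
        return s >= o
    if action == "write":
        return s <= o
    return False


def rbac_allows(user_roles, role_permissions, obj, action):
    """RBAC: permissions attach to roles; a user holds the union of their roles' permissions."""
    return any((obj, action) in role_permissions.get(role, set()) for role in user_roles)


def demo():
    """Constructed scenario: one file, three users, all three models side by side."""
    acl = {"alice": {"read", "write"}, "bob": {"read"}}            # DAC: set by the file's owner
    clearances = {"alice": "secret", "bob": "confidential"}          # MAC: assigned by policy
    roles = {"alice": {"hr", "admin"}, "bob": {"hr"}}
    role_permissions = {"hr": {("payroll.xlsx", "read")},
                        "admin": {("payroll.xlsx", "write")}}
    results = {}
    for user in ("alice", "bob", "carol"):
        results[user] = {
            "dac_write": dac_allows(acl, user, "write"),
            "mac_read_secret": mac_allows(clearances.get(user, "unclassified"), "secret", "read"),
            "rbac_write": rbac_allows(roles.get(user, set()), role_permissions, "payroll.xlsx", "write"),
        }
    return results


if __name__ == "__main__":
    for user, decisions in demo().items():
        print(user, decisions)
```

Note how the same request (write payroll.xlsx) is answered by three different authorities: the owner's ACL under DAC, the label comparison under MAC, and the role assignment under RBAC. An unknown subject ("carol") is denied by all three, which is the "default no access" principle from the authorization notes.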
Access Control List:
Access control implementation:
Centralized authentication: authentication at one central point -> ensures security, but is slow
Single point of failure: if that one point fails the whole system fails, or if one person gets past the system they have full rights
RADIUS: dial-up connections
TACACS:
single factor: requires only one condition
two-factor authentication: 2 conditions to gain access
Decentralized: remote
administrative overhead
Security domain:
Hybrid model: combination of the 2 models
Authentication: 3 types: what you know, what you have, what you are
Type 1: password, PIN, passphrase (virtual password)
strong password: complexity, length.
Type 2: token, ticket, one-time password
time-based password
ticket: message containing the ticket and the subject allowed to access
token: automatically generates a password synchronized with the system
Type 3: biometrics
CER (Crossover Error Rate): the system's value at the intersection of FRR (False Rejection Rate) and FAR (False Acceptance Rate). A device's error rate is measured at the point where the two errors are equal.
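Added example (my own code, not part of the original notes): computing FRR and FAR at a range of acceptance thresholds and locating the crossover point. The match scores (0-100, higher = closer match) for genuine users and impostors are constructed, not measurements from any real device.

```python
# Added example, not from the original notes: FRR, FAR and the crossover error rate.
# Scores are constructed: legitimate users should score high, impostors low.
GENUINE_SCORES = [90, 85, 80, 75, 70, 65, 60, 55, 50, 45]
IMPOSTOR_SCORES = [10, 20, 30, 35, 40, 45, 50, 55, 60, 70]


def frr_far(genuine, impostor, threshold):
    """A sample is accepted when score >= threshold.
    FRR = share of genuine samples rejected; FAR = share of impostor samples accepted."""
    frr = sum(1 for s in genuine if s < threshold) / len(genuine)
    far = sum(1 for s in impostor if s >= threshold) / len(impostor)
    return frr, far


def error_table(genuine, impostor, thresholds):
    """(threshold, FRR, FAR) for every candidate threshold."""
    return [(t, *frr_far(genuine, impostor, t)) for t in thresholds]


def crossover_error_rate(genuine, impostor, thresholds):
    """Threshold at which FRR and FAR are closest, and the error rate there
    (mean of the two). Lower CER = more accurate device."""
    best = None
    for t in thresholds:
        frr, far = frr_far(genuine, impostor, t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, (frr + far) / 2)
    return best[1], best[2]


if __name__ == "__main__":
    thresholds = range(5, 100, 5)
    for t, frr, far in error_table(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds):
        print(f"threshold {t:3d}: FRR={frr:.2f}  FAR={far:.2f}")
    t, cer = crossover_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES, thresholds)
    print(f"CER = {cer:.2f} at threshold {t}")
```

Raising the threshold pushes FRR up and FAR down, lowering it does the opposite; the CER is the single number used to compare devices, but a deployment may deliberately sit on one side of it (for example, accept a higher FRR on a data-centre door to keep FAR low).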
Single sign-on:
Kerberos: uses symmetric keys, provides end-to-end protection
KDC: key distribution center, holds all the secret keys.
Ticket granting server: provided by the KDC
AS: authentication service.
Process: the subject sends a request to the server, the KDC authenticates it and replies to the subject, the subject sends this ticket to the object, e.g. a file server, the object verifies the ticket, then grants the subject access
SESAME: uses public-key methods
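Added example (my own code, not part of the original notes): a simplified Kerberos-style exchange with both sides' messages, covering the KDC, AS, ticket granting server and the subject-to-file-server step described above. The symmetric "encryption" is a toy (SHA-256 keystream plus HMAC) so that the script runs on the standard library alone; it is not a real cipher, and the key derivation, principal names and lifetimes are constructed for illustration.

```python
# Added example, not from the original notes: simplified Kerberos flow
# (AS exchange -> TGS exchange -> service ticket presented to the object).
import hashlib
import hmac
import json
import os
import time


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, obj):
    """Toy encrypt-then-MAC of a JSON object under a 32-byte symmetric key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Verify the MAC, then decrypt. Wrong key or tampering -> ValueError."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad ticket: MAC check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def derive_key(password):
    return hashlib.sha256(password.encode()).digest()   # toy; real Kerberos uses a salted KDF


class KDC:
    """Holds every principal's long-term key; plays both AS and ticket granting server."""

    def __init__(self, principals):
        self.keys = dict(principals)            # name -> long-term key
        self.keys["krbtgt"] = os.urandom(32)    # TGS key: never leaves the KDC

    def as_exchange(self, user):
        """AS-REQ/AS-REP: the reply is only readable with the user's key (that is the
        authentication); it carries a session key and a TGT sealed under the TGS key."""
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk.hex(), "exp": time.time() + 600})
        return seal(self.keys[user], {"sk": sk.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ/TGS-REP: check the TGT and authenticator, issue a service ticket."""
        t = open_sealed(self.keys["krbtgt"], tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        sk = bytes.fromhex(t["sk"])
        if open_sealed(sk, authenticator)["user"] != t["user"]:
            raise ValueError("authenticator mismatch")
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"user": t["user"], "ssk": ssk.hex(), "exp": time.time() + 600})
        return seal(sk, {"ssk": ssk.hex(), "ticket": ticket.hex()})


class Service:
    """The object, e.g. a file server; shares one long-term key with the KDC."""

    def __init__(self, name, key):
        self.name, self.key = name, key

    def accept(self, ticket, authenticator):
        """AP-REQ: the service never talks to the KDC; the ticket is self-verifying."""
        t = open_sealed(self.key, ticket)
        if t["exp"] < time.time():
            raise ValueError("ticket expired")
        if open_sealed(bytes.fromhex(t["ssk"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator mismatch")
        return t["user"]


def login_and_access(kdc, service, user, password):
    """Client side of the whole flow; returns the identity the service accepted."""
    rep = open_sealed(derive_key(password), kdc.as_exchange(user))   # wrong password fails here
    sk, tgt = bytes.fromhex(rep["sk"]), bytes.fromhex(rep["tgt"])
    rep2 = open_sealed(sk, kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": time.time()}), service.name))
    ssk, ticket = bytes.fromhex(rep2["ssk"]), bytes.fromhex(rep2["ticket"])
    return service.accept(ticket, seal(ssk, {"user": user, "ts": time.time()}))


if __name__ == "__main__":
    fs_key = derive_key("fileserver-long-term-key")          # constructed
    kdc = KDC({"alice": derive_key("s3cret"), "fileserver": fs_key})
    print(login_and_access(kdc, Service("fileserver", fs_key), "alice", "s3cret"))   # alice
```

The point the notes make, "the object verifies it, then grants the subject access", is visible in `Service.accept`: the file server checks the ticket with its own key and never needs to contact the KDC at request time, which is what makes Kerberos work as single sign-on across a distributed environment. The KDC holding every key is also the single point of failure mentioned under centralized authentication.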
Attacks:
brute force: password guessing
dictionary:
denial of service
spoofing
man in the middle
monitoring
Security Model and Architecture
Organization:
CPU
ALU
Registers
Clock
RAM
Dynamic RAM
Static RAM: flip-flop
ROM
Erasable ROM
Memory Addressing
Cache Memory
Virtual Memory
------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
All my Lab:
Linux Lab -- Windows and Cisco Lab
to be continued - I will update more.
Nam Habach