3. Access Control
Firewall [1]
- A firewall is a concept rather than a particular product: it is implemented in software, or in a combination of hardware and software, to interconnect networks securely by regulating all traffic that passes through it according to a previously established policy.
- Traffic that complies with the policy and shows no sign of a threat is allowed to continue; traffic that violates the policy is blocked.
- It is generally placed in a topology between public networks (internet) and private networks (internal network segments).
- It started in the 80s with the rise of TCP/IP and the internet, and the need to isolate internal networks from the internet.
- The first firewall proposal, a packet filter, came in 1989 from Jeff Mogul of Digital Equipment Corp (DEC), marking the first generation.
- At AT&T Bell Labs, Steve Bellovin and Bill Cheswick developed in 1991 the first concept of what would later be consolidated as stateful packet filtering, or simply the stateful firewall. This stage marks the second generation of firewalls.
- Features such as VPN, URL filters, QoS, integration or incorporation of antivirus, WAF and other solutions have allowed for greater robustness in the construction of secure environments for companies.
- In 2006, Web Application Firewalls (WAF) appeared, both as standalone products and as a feature of Unified Threat Management (UTM) appliances.
- In 2008, Palo Alto Networks brought to the market the concept of next-generation firewalls (NGFW), solving the performance problem presented by UTMs, and adding an important feature: visibility and application-based controls.
Introduction of Firewall in Computer Network [2]
- A Firewall is a device based on software or hardware that monitors the traffic and decides to:
- Allow: If it is safe.
- Reject: block the traffic and tell the sender (e.g. with an ICMP unreachable message or a TCP RST), which also reveals that a filter exists.
- Drop: block the traffic, but do not respond.
- Before firewalls, network security relied on Access Control Lists (ACLs) on routers, but:
- An ACL only matches on header fields (addresses, protocol, ports); it does not see the actual content of the packets.
- An ACL on its own cannot keep threats out of the network.
- Most traffic that reaches the firewall is TCP or UDP (transport layer) or ICMP (a network-layer control protocol carried directly inside IP).
- Generations of Firewall:
- First Generation: Packet Filtering Firewalls.
- Allow or block packets based on their source and destination IP addresses, ports, and protocols.
- Work at the network layer of the OSI model (layers 1 to 3), plus the port numbers taken from the transport header.
- Treat each packet in isolation, with no memory of the packets that came before it.
- Maintain a rule table (for example a list of trusted IP addresses) against which every packet is matched.
- Second Generation: Stateful Firewalls.
- Keep track of the state of network connections (such as TCP streams, or UDP communication) traveling across it.
- Treat each packet in the context of its connection and its history.
- Third Generation: Application Layer Firewalls.
- Work on any OSI layer, up to the application layer.
- Block specific content, such as certain websites, viruses, and some types of attacks.
- Detect when protocols (such as HTTP, FTP, or DNS) are being abused.
- Are hosts that run a proxy server.
- They prevent direct connections between external hosts and internal hosts, as they act as a proxy which all traffic must pass through.
- They can also perform Network Address Translation (NAT).
- Next Generation: Next Generation Firewalls.
- Use deep packet inspection to detect malware and application-specific attacks.
- Application inspection and control.
- SSL and SSH inspection.
- Magic Firewall: Cloudflare's cloud-delivered network firewall, managed as a service and pre-configured with a rule set that protects against a wide range of attacks. It is a deployment model (filtering at the provider's edge rather than on your own hardware), not a further generation.
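The difference between the first two generations is easiest to see in code. The following is an added illustration, not code from any of the cited sources: a stateless filter that judges every packet by its headers alone, next to a stateful filter that keeps a connection table. The stateless filter uses the classic trick of admitting inbound TCP packets that carry the ACK flag (assumed to be replies to connections opened from inside), which is exactly the hole a stateful filter closes. The addresses, the "inside" prefix and the sample packets are constructed for the demo.

```python
from collections import namedtuple

# Constructed sample packet: 5-tuple plus TCP flags (not from the page).
Packet = namedtuple("Packet", "proto src sport dst dport flags")

INSIDE = "10.0.0."          # prefix of the protected network (assumption)
WEB_SERVER = "10.0.0.5"     # the one inside host that is published (assumption)

def _inbound(pkt):
    return not pkt.src.startswith(INSIDE) and pkt.dst.startswith(INSIDE)

def stateless_filter(pkt):
    """First generation: each packet judged alone by header fields.
    Returns ACCEPT, REJECT (block and answer with an error) or DROP (block silently)."""
    if not _inbound(pkt):
        return "ACCEPT"                                  # outbound traffic is let out
    if pkt.proto == "tcp" and pkt.dst == WEB_SERVER and pkt.dport == 443:
        return "ACCEPT"                                  # published service
    if pkt.proto == "tcp" and "ACK" in pkt.flags:
        # Replies to inside-initiated connections carry ACK. Without state the
        # filter has to trust the flag, so a forged ACK packet is admitted too.
        return "ACCEPT"
    if pkt.proto == "icmp":
        return "REJECT"                                  # block, but answer unreachable
    return "DROP"                                        # block silently

class StatefulFilter:
    """Second generation: remembers flows the inside opened and only admits
    inbound packets that are the reverse direction of a tracked flow."""
    def __init__(self):
        self.conntrack = set()   # (proto, inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, pkt):
        if not _inbound(pkt):
            if pkt.proto in ("tcp", "udp"):
                self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.proto == "tcp" and pkt.dst == WEB_SERVER and pkt.dport == 443:
            return "ACCEPT"
        if (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "ACCEPT"                              # reply to a tracked flow
        return "REJECT" if pkt.proto == "icmp" else "DROP"

def run_demo():
    """Feed the same constructed packets through both filters."""
    fw = StatefulFilter()
    outbound = Packet("tcp", "10.0.0.7", 51000, "203.0.113.9", 443, {"SYN"})
    reply    = Packet("tcp", "203.0.113.9", 443, "10.0.0.7", 51000, {"SYN", "ACK"})
    forged   = Packet("tcp", "203.0.113.9", 443, "10.0.0.7", 3389, {"ACK"})  # unsolicited
    ping     = Packet("icmp", "203.0.113.9", 0, "10.0.0.7", 0, set())
    results = {}
    for name, pkt in [("outbound", outbound), ("reply", reply),
                      ("forged_ack", forged), ("ping", ping)]:
        results[name] = (stateless_filter(pkt), fw.decide(pkt))
    return results
```

The forged packet is the point of the exercise: the stateless filter accepts it because the ACK bit is set, while the stateful filter drops it because no inside host ever opened a connection to 203.0.113.9:443 from port 3389.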
- Types of Firewalls:
- Host-based Firewalls:
- Software firewall installed on a single host (node in the network, machine).
- Needed because a network firewall only sees traffic that crosses it; it cannot protect a host from attacks originating inside the same segment or from unauthorized local access.
- Network-based Firewalls:
- Work at the network layer, thus controlling the traffic for all hosts behind them.
- Have two or more Network Interface Cards (NICs).
- Advantages of Firewalls:
- Prevention from Unauthorized Access.
- Prevention from malware and other threats.
- Control over the network access.
- Monitoring network traffic.
- Regulation compliance.
- Network segmentation.
- Disadvantages of Firewalls:
- Complexity: complex to configure and maintain.
- Limited protection: not all threats can be blocked.
- False sense of security: users may think that they are completely protected.
- Limited adaptability: cannot adapt to new threats easily.
- Performance impact: may slow down the network.
- Limited scalability: may not be able to handle large networks.
- Limited VPN support: may not support all VPN protocols and features.
- Cost: may be expensive to purchase and maintain.
Access Control Models [3]
- Access control is the combination of policies and technologies that decide which authenticated users may access which resources. The source groups it into four models (PAM is, strictly, a practice layered on RBAC rather than a model of its own):
- Mandatory Access Control (MAC).
- Discretionary Access Control (DAC).
- Role-Based Access Control (RBAC).
- Privileged Access Management (PAM).
Mandatory Access Control (MAC)
- Centralized security management: the policy is set by a security administrator, not by the resource owner.
- Provides the strictest access control of the four models, at the cost of flexibility.
- Works by applying labels to users and resources:
- Classification and clearance:
- Resources are classified (restricted, secret, top secret, etc.).
- Users have clearance levels that control what they can access.
- Compartment:
- Resources also carry compartments (finance, HR, etc.) that encode need-to-know: a user must be a member of every compartment on the resource in addition to holding a sufficient clearance; clearance alone is not enough.
- Users can be in multiple compartments.
- MAC originated in the military and intelligence community.
- Advantages: Security enforced from higher up, and clear separation of duties between groups.
- Disadvantages: Limits collaboration, and requires dedicated security staff.
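An added illustration of the label check described above (not code from the cited source): a multilevel MAC decision in the Bell-LaPadula style, where reading requires the subject's label to dominate the object's (clearance at least the classification and membership of every compartment), and writing is only allowed "upwards" so that labelled data cannot leak into lower-labelled objects. The level names and the sample subjects and objects are constructed.

```python
# Ordered sensitivity levels (constructed; real systems define their own lattice).
LEVELS = {"unclassified": 0, "restricted": 1, "secret": 2, "top secret": 3}

def dominates(subject, obj):
    """Subject label dominates object label: clearance >= classification AND
    the subject holds every compartment the object is tagged with."""
    level_ok = LEVELS[subject["clearance"]] >= LEVELS[obj["classification"]]
    compartments_ok = set(obj["compartments"]) <= set(subject["compartments"])
    return level_ok and compartments_ok

def can_read(subject, obj):
    """Simple security property ('no read up')."""
    return dominates(subject, obj)

def can_write(subject, obj):
    """*-property ('no write down'): the object's label must dominate the
    subject's, otherwise a cleared subject could copy secrets downwards."""
    level_ok = LEVELS[obj["classification"]] >= LEVELS[subject["clearance"]]
    compartments_ok = set(subject["compartments"]) <= set(obj["compartments"])
    return level_ok and compartments_ok

def run_demo():
    """A top-secret finance analyst against three constructed resources."""
    analyst = {"clearance": "top secret", "compartments": {"finance"}}
    hr_file = {"classification": "secret", "compartments": {"hr"}}
    budget  = {"classification": "secret", "compartments": {"finance"}}
    public  = {"classification": "unclassified", "compartments": set()}
    return {
        # clearance is high enough, but the analyst is not in the HR compartment
        "read_hr_despite_clearance": can_read(analyst, hr_file),
        "read_budget": can_read(analyst, budget),
        "read_public": can_read(analyst, public),
        # writing top-secret knowledge into a public object would leak it
        "write_down_to_public": can_write(analyst, public),
    }
```

Note that the decision is made entirely from labels that the subject cannot change; that is what makes the control "mandatory".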
Discretionary Access Control (DAC)
- Decentralized security management.
- Resource owners decide who can access their resources.
- Owners can be the creator of the resource or an administrator.
- Uses Access Control Lists (ACLs) to control access.
- The Share function in most operating systems is a form of DAC.
- The resource's ACL can be modified at any time by the owner, or by anyone the owner has given permission to do so.
- The owner can grant access to individual users or groups.
- Advantages: Simple, Flexible with business needs.
- Disadvantages: Conflicting permissions, security administrators having little control; and inconsistent security policies.
Role-Based Access Control (RBAC)
- Centralized security management.
- RBAC decides what users can do based on their role in the organization.
- It supports the principle of least privilege: each role carries only the permissions its duties require.
- Advantages: Simple, Flexible, Maintainable, Secure, and Centralized, non-discretionary policies.
- Disadvantages: Complex to deploy (role engineering), and difficult to audit as users can have multiple roles.
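To make the DAC and RBAC sections above concrete, here is an added example (not code from the cited source) that protects the same report both ways: under DAC the owner holds an ACL and hands out entries at her discretion, under RBAC users only receive roles and the permissions attached to each role are defined centrally. The users, roles and permission names are constructed for the illustration.

```python
class DacResource:
    """DAC: the owner holds the ACL and may change it at any time; anyone the
    owner delegates 'share' to may change it as well, which is where the
    'conflicting permissions' and 'little central control' problems come from."""
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "share"}}

    def grant(self, by, principal, perms):
        if "share" not in self.acl.get(by, set()):
            raise PermissionError(f"{by} may not modify this ACL")
        self.acl.setdefault(principal, set()).update(perms)

    def allowed(self, principal, perm):
        return perm in self.acl.get(principal, set())


ROLE_PERMISSIONS = {            # defined centrally, not by resource owners
    "viewer": {"read"},
    "editor": {"read", "write"},
    "admin":  {"read", "write", "share"},
}

class RbacAuthorizer:
    """RBAC: users never hold permissions directly, only role memberships."""
    def __init__(self):
        self.user_roles = {}

    def assign(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def allowed(self, user, perm):
        return any(perm in ROLE_PERMISSIONS[r] for r in self.user_roles.get(user, ()))


def run_demo():
    results = {}
    # DAC: alice owns the report and shares it as she sees fit
    report = DacResource("alice")
    report.grant("alice", "bob", {"read"})
    results["dac_bob_read"] = report.allowed("bob", "read")
    results["dac_bob_write"] = report.allowed("bob", "write")
    try:                                   # bob holds 'read' only, not 'share'
        report.grant("bob", "carol", {"read"})
        results["dac_bob_can_delegate"] = True
    except PermissionError:
        results["dac_bob_can_delegate"] = False
    # RBAC: dave gets a role; what the role may do is not his to extend
    rbac = RbacAuthorizer()
    rbac.assign("dave", "editor")
    results["rbac_dave_write"] = rbac.allowed("dave", "write")
    results["rbac_dave_share"] = rbac.allowed("dave", "share")
    results["rbac_unknown_user"] = rbac.allowed("erin", "read")
    return results
```

The auditing difference follows directly: to know what bob can do under DAC you must read every resource's ACL, whereas under RBAC you read dave's roles and the central role table.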
Privileged Access Management (PAM)
- Centralized security management.
- It builds on RBAC and focuses on privileged (administrative) users.
- PAM gives administrators limited, ephemeral access privileges on an as-needed basis.
- These systems enforce network security best practices such as eliminating shared passwords and manual processes.
- Advantages:
- Reduced threat surface: fewer privileged accounts, and no shared passwords.
- Minimizing permission creep: users only have access to what they need as it prevents collecting privileges.
- Auditable logging: all privileged access is logged.
- Disadvantages: Complexity and internal resistance.
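The "limited, ephemeral access on an as-needed basis" idea can be shown with a small just-in-time privilege broker. This is an added example, not code from the cited source or from any PAM product: a grant carries a justification and a time-to-live, every grant and check is written to an append-only audit log, and a check after expiry fails and purges the grant. The user, privilege name, ticket reference and the fake clock are constructed for the demo.

```python
import time

class PrivilegeBroker:
    """Minimal PAM-style broker: nobody holds standing privileges; they are
    requested, time-boxed, logged and expire on their own."""
    def __init__(self, clock=time.time):
        self.clock = clock
        self.active = {}    # (user, privilege) -> expiry timestamp
        self.audit = []     # append-only log of every grant and check

    def request(self, user, privilege, ttl_seconds, justification):
        """Grant an ephemeral privilege and record why it was asked for."""
        expiry = self.clock() + ttl_seconds
        self.active[(user, privilege)] = expiry
        self.audit.append(("GRANT", user, privilege, justification, expiry))
        return expiry

    def check(self, user, privilege):
        """Enforcement-time check: valid only while the grant is unexpired."""
        expiry = self.active.get((user, privilege))
        ok = expiry is not None and self.clock() < expiry
        if not ok:
            self.active.pop((user, privilege), None)   # expired grants are purged
        self.audit.append(("CHECK", user, privilege, ok, self.clock()))
        return ok

    def standing_privileges(self):
        """What is still granted right now; in a healthy setup this trends to zero."""
        now = self.clock()
        return sorted(k for k, exp in self.active.items() if now < exp)

def run_demo():
    now = [1_700_000_000.0]                       # fake clock so the demo is deterministic
    pam = PrivilegeBroker(clock=lambda: now[0])
    pam.request("alice", "sudo:db01", ttl_seconds=15 * 60,
                justification="INC-1234 restore backup")   # constructed ticket reference
    during = pam.check("alice", "sudo:db01")      # inside the 15-minute window
    now[0] += 16 * 60
    after = pam.check("alice", "sudo:db01")       # window has passed
    return during, after, pam.standing_privileges(), len(pam.audit)
```

A real deployment would also rotate or vault the underlying credential so that the privilege cannot be used outside the broker, which is the "no shared passwords" point above.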
What is access control? [4]
- Once a user is authenticated, access control authorizes the level of access and the actions permitted for that user, taking into account the user's credentials and context such as the source IP address.
- Attribute-based access control (ABAC) is a method of access control that evaluates attributes associated with a user, system, or resource to determine if a given action should be permitted or denied. E.g. only allow access to the file before the end of the month. Only allow access to the file if the user is located in Berlin.
Identity & access management [5]
- IAM: Identity & Access Management.
- Identity:
- Identity is created when signing up for a website or service, or when you join an organization.
- It includes name, address, and email; it defines role and access rights.
- Usually stored in a centralized database managed by IT professionals.
- Authentication: proves the identity (analogous to a national ID card); called AuthN.
- Authorization: grants access to resources (analogous to a driver's licence or a boarding pass); called AuthZ.
- Four factors of authentication (systems validate identity based on 4 factors):
- Something you know (password, PIN, etc.).
- Something you have (ID card, phone, Authenticator app, etc.).
- Requires the user to have a physical device in their possession.
- The device may be lost or stolen.
- Something you are (biometrics, like fingerprint, face, etc.).
- Common biometrics: Facial scan, fingerprint, hand geometry, iris scan, retina scan, voice print, keyboard dynamics, and signature.
- Privacy concerns: in case of a data breach, biometrics can not be changed, unlike passwords.
- Somewhere you are (location, IP address, etc.).
- Location or IP can be spoofed, thus it is a weak factor.
- Building successful password management:
- Set a minimum password length; length contributes far more to strength than composition rules.
- Don't force symbols and numbers in passwords: composition rules push users toward predictable patterns without adding much entropy.
- Limit unsuccessful login attempts, e.g. lock the account after 3-5 failed attempts for 30 minutes (an attacker can abuse lockouts to deny service to legitimate users, so pair them with per-source throttling).
- Enforce periodic password rotation (the source's recommendation; current NIST SP 800-63B guidance is instead to require a change only on evidence of compromise, because forced rotation produces predictable variations).
- Always hash passwords, and do NOT encrypt them.
- Hashes can not be reversed, but encryption can (with the key).
- Hashes are always the same length regardless of the input, but encryption is not.
- A cryptographic hash is collision-resistant: finding two different inputs with the same hash is computationally infeasible, whereas encryption is simply a reversible mapping.
- In case of a data breach the encryption keys are usually stolen too, making the encryption useless, while properly hashed passwords remain protected.
- Verification is hash-and-compare; for passwords use a deliberately slow, salted hash (Argon2, bcrypt, scrypt or PBKDF2) so that offline guessing is expensive, and compare digests in constant time.
- Use CAPTCHA to prevent brute force or password-guessing attacks.
- CAPTCHA: Completely Automated Public Turing test to tell Computers and Humans Apart.
- No single factor is strong on its own; combining factors from different categories raises the bar considerably, hence the term multi-factor authentication (MFA).
- Most common MFA:
- One-time password (OTP) sent to the user’s phone or email.
- Dedicated 2FA apps like Google Authenticator, Authy, etc.
- Text message-based 2FA is the weakest form, as it is vulnerable to SIM swapping (SIM port) attacks.
- SIM port attack: the attacker convinces the mobile carrier to transfer the victim’s phone number to a SIM card in the attacker’s possession.
- Step-up authentication:
- When a user tries to access a resource, they are prompted for additional authentication factors.
- E.g. when accessing the settings you have to re-enter your password.
- Prevents Account Takeover (ATO).
- Can be activated when a suspicious activity is detected.
- User Access Review (UAR):
- Periodically review user access rights.
- Remove access rights that are no longer needed.
- Prevents Permission Creep.
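The password-management bullets above (salted slow hashing instead of encryption, constant-time comparison, lockout after a handful of failures) fit in one small login service. This is an added example, not code from the lecture slides: PBKDF2-HMAC-SHA256 with a random per-user salt, `hmac.compare_digest` for the comparison, a dummy verification for unknown usernames so that timing does not reveal which accounts exist, and a 5-failures / 30-minute lockout. The work factor, lockout numbers, user and fake clock are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000          # PBKDF2-HMAC-SHA256 work factor (OWASP's current figure)
MAX_FAILURES = 5              # lock after 5 failed attempts ...
LOCKOUT_SECONDS = 30 * 60     # ... for 30 minutes

def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means identical
    passwords produce different digests and precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password, salt, digest):
    """Recompute and compare in constant time (no early-exit byte comparison)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

_DUMMY = hash_password("dummy-password")   # used for unknown users, keeps timing uniform

class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.users = {}        # username -> (salt, digest); the plaintext is never stored
        self.failures = {}     # username -> (failure count, locked_until)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        count, locked_until = self.failures.get(username, (0, 0.0))
        if self.clock() < locked_until:
            return "locked"                       # refuse without even hashing
        record = self.users.get(username)
        salt, digest = record if record else _DUMMY
        if verify_password(password, salt, digest) and record is not None:
            self.failures.pop(username, None)     # success resets the counter
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            locked_until = self.clock() + LOCKOUT_SECONDS
        self.failures[username] = (count, locked_until)
        return "locked" if count >= MAX_FAILURES else "denied"

def run_demo():
    """Five wrong guesses lock the account; even the right password is refused
    until the lockout expires."""
    now = [1_700_000_000.0]                       # fake clock for a deterministic demo
    svc = LoginService(clock=lambda: now[0])
    svc.register("alice", "correct horse battery staple")
    outcomes = [svc.login("alice", "wrong-guess") for _ in range(MAX_FAILURES)]
    outcomes.append(svc.login("alice", "correct horse battery staple"))  # still locked
    now[0] += LOCKOUT_SECONDS + 1
    outcomes.append(svc.login("alice", "correct horse battery staple"))  # lockout expired
    return outcomes
```

Two details worth noticing: the lockout branch returns before any hashing, so a locked account costs the server nothing, and `hash_password("same")` called twice yields two different digests because of the salt.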
Access control models [6]
- Identification: the user claims an identity.
- Authentication: the user proves their identity.
- Authorization: the user is granted access to resources and right permissions.
- Subject: Active entity, like a user or a process.
- Object: Passive entity, like a file or a printer.
- MAC is the highest level of security, but it is not flexible, and it is difficult to implement.
- SELinux: Security-Enhanced Linux, is an example of MAC, it is a built-in security mechanism in the Linux kernel.
- DAC is the lowest level of security, but it is flexible, and it is easy to implement.
- NTFS: New Technology File System, the default file system in Windows, is an example of DAC: each file's owner manages its ACL.
- Role-based access control (RBAC) sits in the middle: more secure than DAC, but less secure than MAC.
- It is balanced between flexibility and control.
- It is the most common access control model.
- Windows OS / a Windows-based domain (Active Directory groups) is an example of RBAC.
- Rule-based access control (also abbreviated RBAC, which is why some sources write RuBAC, or RABAC for the role-based model, to keep the two apart):
- Access is granted based on a set of rules.
- Works well alongside role-based access control and access control lists (ACLs).
- Firewalls are an example of rule-based access control.
Basics of access control [7] [8] [11]
- The best place for access control is on the resource itself, or in the database or data lake [7].
- This gives the most granular control in today's world [7].
- The chipped access card [8]:
- The card contains an antenna and a chip.
- The chip is passive: it is powered through the antenna by the reader's electromagnetic field.
- The field only reaches the antenna when the card is close to, or touching, the reader.
- Once powered, the chip transmits the data stored on it as a stream of 0/1 bits by modulating the reader's field. Whether that data is encrypted depends on the card technology: older low-frequency proximity cards that emit a fixed identifier in the clear can be copied, so the card technology and the reader-to-controller link both matter.
- Policy Decision Point (PDP): the brain of the access control system, the component that makes the decision [11].
- Policy Enforcement Point (PEP): the component that enforces the decision made by the PDP [11].
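The PDP/PEP split above and the attribute-based rules quoted under "What is access control?" (access only before the end of the month, and only from Berlin) combine into one small authorizer. This is an added example, not code from the cited videos: the PDP holds the rules and evaluates them against subject, resource and environment attributes with default-deny; the PEP is the only component that touches the resource and simply obeys the PDP's answer. The file store, subjects and timestamps are constructed.

```python
from datetime import datetime, timezone

class PolicyDecisionPoint:
    """Evaluates every rule against the request's attributes. Default-deny:
    a PERMIT needs all rules to hold, and the failing rules are reported."""
    def __init__(self, rules):
        self.rules = rules                      # list of (name, predicate)

    def decide(self, request):
        failed = [name for name, rule in self.rules if not rule(request)]
        return ("PERMIT" if not failed else "DENY"), failed

class PolicyEnforcementPoint:
    """Fronts the resource. It never interprets policy itself; it builds the
    request, asks the PDP and either serves the content or refuses."""
    def __init__(self, pdp, store):
        self.pdp, self.store = pdp, store

    def read(self, subject, resource_id, environment):
        request = {"subject": subject,
                   "resource": self.store[resource_id]["attrs"],
                   "environment": environment}
        decision, failed = self.pdp.decide(request)
        if decision != "PERMIT":
            raise PermissionError(f"denied by rules: {failed}")
        return self.store[resource_id]["content"]

RULES = [
    # "only allow access to the file before the end of the month"
    ("before_deadline",
     lambda r: r["environment"]["now"] <= r["resource"]["available_until"]),
    # "only allow access to the file if the user is located in Berlin"
    ("located_in_berlin",
     lambda r: r["subject"]["location"] == "Berlin"),
]

def run_demo():
    store = {"report.pdf": {                    # constructed resource
        "attrs": {"available_until": datetime(2024, 1, 31, 23, 59, tzinfo=timezone.utc)},
        "content": b"%PDF-1.4 constructed sample",
    }}
    pep = PolicyEnforcementPoint(PolicyDecisionPoint(RULES), store)
    attempts = [
        ("alice-berlin-jan", {"location": "Berlin"}, datetime(2024, 1, 15, tzinfo=timezone.utc)),
        ("bob-munich-jan",   {"location": "Munich"}, datetime(2024, 1, 15, tzinfo=timezone.utc)),
        ("alice-berlin-feb", {"location": "Berlin"}, datetime(2024, 2, 1, tzinfo=timezone.utc)),
    ]
    results = {}
    for label, subject, now in attempts:
        try:
            pep.read(subject, "report.pdf", {"now": now})
            results[label] = "PERMIT"
        except PermissionError as err:
            results[label] = str(err)
    return results
```

Keeping the rules in the PDP means a policy change (say, adding a clearance attribute) touches one place and every PEP in front of every resource picks it up.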
Introduction to Firewalls [9] [10]
- A firewall is typically placed between the internal network's switch and the router facing the outside [9].
- Firewalls can rate-limit or block a single source IP that sends a spike of requests, which mitigates simple denial-of-service floods; a distributed attack (DDoS) arrives from many sources at once and also needs upstream or provider-side mitigation [9].
- Security zones are used by firewalls to group devices with similar security requirements [9].
- Many antivirus suites include a host-based firewall [10].
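The "block a spike of requests from a single IP" bullet is a per-source rate limit. Here it is as an added example (not code from the cited video): a sliding-window counter per source address that cuts a source off once it exceeds the limit, run over a constructed traffic sample in which one host floods and ten ordinary clients do not. The limit, window and addresses (documentation ranges) are constructed; note that the same logic does nothing against a distributed flood, where each source stays under the limit.

```python
from collections import Counter, defaultdict, deque

class SourceRateLimiter:
    """Per-source sliding window: more than max_requests inside any
    window_seconds-long interval gets the source blocked."""
    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.recent = defaultdict(deque)     # src -> timestamps still inside the window
        self.blocked = set()

    def allow(self, src_ip, ts):
        if src_ip in self.blocked:
            return False
        q = self.recent[src_ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:  # expire timestamps that left the window
            q.popleft()
        if len(q) > self.max_requests:
            self.blocked.add(src_ip)
            return False
        return True

def run_demo():
    """Returns how many requests were dropped per source; only the flooding
    host should appear."""
    limiter = SourceRateLimiter(max_requests=20, window_seconds=1.0)
    # constructed traffic: one host sends 50 requests in half a second ...
    events = [(0.01 * i, "198.51.100.7") for i in range(50)]
    # ... while ten ordinary clients send two requests each over a second
    events += [(0.1 * i + 0.05 * k, f"192.0.2.{i}") for i in range(1, 11) for k in range(2)]
    events.sort()
    dropped = Counter()
    for ts, src in events:
        if not limiter.allow(src, ts):
            dropped[src] += 1
    return dict(dropped)
```

The flooding host gets its first 20 requests through and loses the remaining 30; none of the ordinary clients are touched.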
References
1. Firewall: history. (2015, July 21). OSTEC. https://ostec.blog/en/perimeter/firewall/
2. Introduction of firewall in computer network. (2019, November 21). GeeksforGeeks. Retrieved January 1, 2022, from https://www.geeksforgeeks.org/introduction-of-firewall-in-computer-network/
3. Risk, E. (2021, July 30). Access control models: MAC, DAC, RBAC, & PAM explained. Twingate. https://www.twingate.com/blog/access-control-models/
4. Secure access: What is access control? (n.d.). Citrix. https://www.citrix.com/en-in/solutions/secure-access/what-is-access-control.html
5. Whiteman, M. (2020). Cybersecurity (CS 3550): Lecture 11: Identity & access management [PowerPoint slides]. Baruch College Open Educational Resources. https://academicworks.cuny.edu/bb_oers/12/
6. Everything security. (2019, May 5). Access control models [Video]. YouTube. https://www.youtube.com/watch?v=TXCim0E8W8M
7. Intricity101. (2021, January 12). What is access control? [Video]. YouTube. https://www.youtube.com/watch?v=GgquXOl4_t0
8. Kantech Support. (2017, July 5). Basics of access control [Video]. YouTube. https://www.youtube.com/watch?v=2QTFiQVdrgg
9. Networklessons.com. (2017, September 26). Introduction to Firewalls [Video]. YouTube. https://www.youtube.com/watch?v=JtKq39I7z6k
10. PowerCert Animated Videos. (2019, June 17). What is a firewall? [Video]. YouTube. https://www.youtube.com/watch?v=kDEX1HXybrU
11. Study Notes and Theory. (2020, August 28). Attribute-based access control [Video]. YouTube. https://www.youtube.com/watch?v=KU-yyj2e7lg