CSC 526-Chapter 5 - 2023

This document discusses network access control and cloud security. It begins by defining network access control (NAC) as managing access to a network by authenticating users and determining what resources they can access. It then describes the key components of NAC systems including access requesters, network access servers, and policy servers. The document also discusses common NAC enforcement methods like 802.1X, VLANs, firewalls, and DHCP management. It concludes by discussing cloud computing reference architectures and security risks in cloud computing like abuse/nefarious use and malicious insiders.

Uploaded by Sami Ullah Saqib

CSC/EE 526: Computer and Network Security
Lecture 5
Dr. Hang Liu

Chapter 5: Network Access Control and Cloud Security
“No ticket! Dear me, Watson, this is really very singular. According to my experience it is not possible to reach the platform of a Metropolitan train without exhibiting one’s ticket.”

—The Adventure of the Bruce-Partington Plans, Sir Arthur Conan Doyle
Network Access Control (NAC)
• An umbrella term for managing access to a network
• Authenticates users logging into the network and determines what data they can access and actions they can perform
• Also examines the health of the user’s computer or mobile device
NAC systems deal with three categories of components:

Access requester (AR)
• Node that is attempting to access the network and may be any device that is managed by the NAC system, including workstations, servers, printers, cameras, and other IP-enabled devices
• Also referred to as supplicants, or clients

Network access server (NAS)
• Functions as an access control point for users in remote locations connecting to an enterprise’s internal network
• Also called a media gateway, remote access server (RAS)
• May include its own authentication services or rely on a separate authentication service from the policy server

Policy server
• Determines what access should be granted
• Often relies on backend systems
Abbreviations: EAP: Extensible Authentication Protocol; RADIUS: Remote Authentication Dial In User Service; AAA: Authentication, Authorization, and Accounting
IEEE 802.1X Access Control Approach
• Port-Based Network Access Control
• The authentication protocol that is used, the Extensible Authentication Protocol (EAP), is defined in the IEEE 802.1X standard

802.1X uses:
• Controlled ports: allow the exchange of PDUs between a supplicant and other systems on the LAN only if the current state of the supplicant authorizes such an exchange
• Uncontrolled ports: allow the exchange of PDUs between the supplicant and the AS, regardless of the authentication state of the supplicant
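As an added illustration (not from the slides or the textbook), the following Python model shows the controlled/uncontrolled port split: EAPOL frames reach the AS through the uncontrolled port in any state, while all other frames are dropped until the AS authorizes the supplicant. The challenge-response inside is a simplified HMAC stand-in for a real EAP method such as EAP-TLS, the authenticator calls the AS directly instead of relaying over RADIUS, and the identities and secrets are constructed sample values.

```python
import hmac, hashlib, os

EAPOL = "EAPOL"  # tag for 802.1X (EAP over LAN) frames; any other type is ordinary traffic

class Supplicant:
    """The access requester; holds a shared secret (constructed sample credential)."""
    def __init__(self, identity, secret):
        self.identity, self.secret = identity, secret

    def respond(self, nonce):
        # Simplified HMAC challenge-response standing in for a real EAP method.
        return hmac.new(self.secret, nonce, hashlib.sha256).digest()

class AuthServer:
    """The authentication server (AS) that the authenticator consults."""
    def __init__(self, creds):
        self.creds = creds  # identity -> shared secret

    def challenge(self):
        return os.urandom(16)

    def verify(self, identity, nonce, response):
        secret = self.creds.get(identity)
        if secret is None:
            return False
        expected = hmac.new(secret, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

class Authenticator:
    """A switch port in the 802.1X model: one uncontrolled and one controlled port."""
    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.authorized = False  # state of the controlled port

    def forward(self, frame_type):
        # Uncontrolled port: EAPOL PDUs between supplicant and AS pass in any state.
        if frame_type == EAPOL:
            return "uncontrolled"
        # Controlled port: other PDUs pass only once the supplicant is authorized.
        return "controlled" if self.authorized else "dropped"

    def authenticate(self, supplicant):
        # EAP exchange carried over the uncontrolled port; success opens the controlled port.
        nonce = self.auth_server.challenge()
        response = supplicant.respond(nonce)
        self.authorized = self.auth_server.verify(supplicant.identity, nonce, response)
        return self.authorized
```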
Network Access Enforcement Methods
• The actions that are applied to access requesters (ARs) to regulate access to the enterprise network
• Many vendors support multiple enforcement methods simultaneously, allowing the customer to tailor the configuration by using one or a combination of methods

Common NAC enforcement methods:
• IEEE 802.1X: makes use of the Extensible Authentication Protocol for the authentication process
• Virtual local area networks (VLANs): the NAC system decides to which of the network’s VLANs it will direct a client
• Firewall: allowing or denying network traffic between an enterprise host and an external user
• DHCP management: NAC enforcement occurs at the IP layer based on subnet and IP assignment, which provides only limited security
Abbreviations: RADIUS: Remote Authentication Dial In User Service; AAA: Authentication, Authorization, and Accounting
Extensible Authentication Protocol (EAP) Authentication Methods
• EAP provides a generic transport service for the exchange of authentication information between a client system and an authentication server
• The basic EAP transport service is extended by using a specific authentication protocol that is installed in both the EAP client and the authentication server

Commonly supported EAP methods:
• EAP Transport Layer Security
• EAP Tunneled TLS
• EAP Generalized Pre-Shared Key
• EAP-IKEv2
Table 5.2: Common EAPOL Frame Types

Table 5.1: Terminology Related to IEEE 802.1X
Cloud Computing
• NIST defines cloud computing, in NIST SP 800-145 (The NIST Definition of Cloud Computing), as follows:
“A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”
Cloud Computing Reference Architecture
• NIST SP 500-292 (NIST Cloud Computing Reference Architecture) establishes a reference architecture, described as follows:
“The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.”
Cloud Provider (CP)
• Can provide one or more of the cloud services to meet IT and business requirements of cloud consumers
• For each of the three service models (SaaS, PaaS, IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers
• For SaaS, the CP deploys, configures, maintains, and updates the operation of the software applications on a cloud infrastructure so that the services are provisioned at the expected service levels to cloud consumers
• For PaaS, the CP manages the computing infrastructure for the platform and runs the cloud software that provides the components of the platform, such as runtime software execution stack, databases, and other middleware components
• For IaaS, the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure
Roles and Responsibilities

Cloud carrier
• A networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs

Cloud auditor
• An independent entity that can assure that the CP conforms to a set of standards

Cloud broker
• Useful when cloud services are too complex for a cloud consumer to easily manage
• Three areas of support can be offered by a cloud broker:
  • Service intermediation: value-added services such as identity management, performance reporting, and enhanced security
  • Service aggregation: the broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost
  • Service arbitrage: a broker has the flexibility to choose services from multiple agencies
• e.g. Appirio
Cloud Security Risks and Countermeasures
• The Cloud Security Alliance [CSA10] lists the following as the top cloud-specific security threats, together with suggested countermeasures:

Abuse and nefarious use of cloud computing
• Countermeasures: stricter initial registration and validation processes; enhanced credit card fraud monitoring and coordination; comprehensive introspection of customer network traffic; monitoring public blacklists for one’s own network blocks

Malicious insiders
• Countermeasures: enforce strict supply chain management and conduct a comprehensive supplier assessment; specify human resource requirements as part of the legal contract; require transparency into overall information security and management practices, as well as compliance reporting; determine security breach notification processes
Risks and Countermeasures (continued)

Insecure interfaces and APIs
• Countermeasures: analyzing the security model of CP interfaces; ensuring that strong authentication and access controls are implemented in concert with encryption machines; understanding the dependency chain associated with the API

Shared technology issues
• Countermeasures: implement security best practices for installation/configuration; monitor environment for unauthorized changes/activity; promote strong authentication and access control for administrative access and operations; enforce SLAs for patching and vulnerability remediation; conduct vulnerability scanning and configuration audits

Data loss or leakage
• Countermeasures: implement strong API access control; encrypt and protect integrity of data in transit; analyze data protection at both design and run time; implement strong key generation, storage and management, and destruction practices
Risks and Countermeasures (continued)

• Account or service hijacking
  • Countermeasures: prohibit the sharing of account credentials between users and services; leverage strong two-factor authentication techniques where possible; employ proactive monitoring to detect unauthorized activity; understand CP security policies and SLAs

• Unknown risk profile
  • Countermeasures: disclosure of applicable logs and data; partial/full disclosure of infrastructure details; monitoring and alerting on necessary information
Table 5.3: NIST Guidelines on Security and Privacy Issues and Recommendations (pages 1 and 2 of 2; the table can be found on pages 154–155 in the textbook)
Data Protection in the Cloud
• The threat of data compromise increases in the cloud
• Database environments used in cloud computing can vary significantly

Multi-instance model
• Provides a unique database management system (DBMS) running on a virtual machine instance for each cloud subscriber
• This gives the subscriber complete control over role definition, user authorization, and other administrative tasks related to security

Multi-tenant model
• Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
• Tagging gives the appearance of exclusive use of the instance, but relies on the CP to establish and maintain a sound secure database environment
Data Protection in the Cloud
• Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
• The client can employ encryption to protect data in transit, though this involves key management responsibilities for the CP
• For data at rest the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the CP having no access to the encryption key
• A straightforward solution to the security problem in this context is to encrypt the entire database and not provide the encryption/decryption keys to the service provider
  • The user has little ability to access individual data items based on searches or indexing on key parameters
  • The user would have to download entire tables from the database, decrypt the tables, and work with the results
  • To provide more flexibility it must be possible to work with the database in its encrypted form
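To make the last three bullets concrete, here is an added Python sketch (not from the slides or the textbook) of the “encrypt everything and withhold the key from the CP” approach: the CP stores opaque rows and cannot evaluate a search, so the client must download the whole table, decrypt it and filter locally. The stream cipher is an HMAC-SHA256 counter-mode construction with an encrypt-then-MAC tag, chosen so the demo runs on the standard library rather than as a recommended cipher; the rows and the key are constructed sample values.

```python
import hmac, hashlib, os, json

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, used as a stand-in stream cipher for the demo.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_row(key, row):
    # Client side: fresh nonce per row, XOR with keystream, then an encrypt-then-MAC tag.
    nonce = os.urandom(16)
    plaintext = json.dumps(row).encode()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt_row(key, blob):
    # Client side: verify the tag before decrypting so tampered rows are rejected.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("row failed integrity check")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode())

class CloudDB:
    """The CP's side: it stores opaque blobs and never holds the key."""
    def __init__(self):
        self.rows = []

    def store(self, blob):
        self.rows.append(blob)

    def search(self, field, value):
        # Holding only ciphertext, the CP has nothing it can compare a query against.
        raise NotImplementedError("CP cannot evaluate queries over encrypted rows")

    def dump(self):
        return list(self.rows)

def client_query(key, db, field, value):
    # The flexibility cost named on the slide: fetch the entire table, decrypt, then filter.
    return [r for r in (decrypt_row(key, b) for b in db.dump()) if r.get(field) == value]
```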
Cloud Security as a Service (SecaaS)
• The Cloud Security Alliance defines SecaaS as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems
• The Cloud Security Alliance has identified the following SecaaS categories of service:
  • Identity and access management
  • Data loss prevention
  • Web security
  • E-mail security
  • Security assessments
  • Intrusion management
  • Security information and event management
  • Encryption
  • Business continuity and disaster recovery
  • Network security
Summary
• Network access control
  • Elements of a network access control system
  • Network access enforcement methods
• Extensible authentication protocol
  • Authentication methods
  • EAP exchanges
• IEEE 802.1X port-based network access control
• Cloud computing
  • Elements
  • Reference architecture
• Cloud security risks and countermeasures
• Data protection in the cloud
• Cloud security as a service
Homework
• Chapter 5: Problem 5.3 (5th or 6th edition)
• Due: Wednesday, Nov. 1
• Midterm Nov. 1
  • Chapters 1-5
