IT404 Module 10

The document discusses network access control, highlighting various models such as Discretionary, Mandatory, and Non-discretionary Access Control. It emphasizes the importance of identification, authentication, authorization, and accountability (AAA) in securing network access, detailing protocols like RADIUS and TACACS+. Additionally, it covers the significance of combining administrative, technical, and physical controls to mitigate vulnerabilities and protect network resources.

IT404

Network Security
Module 10
Network Access Control

MAIN REFERENCE
• Network Security Bible, 2nd Edition, Eric Cole, Wiley, 2009.
Learning Outcomes

1. To describe various access control models
2. To evaluate various access control types
3. To define identification, authentication, authorization and accountability
4. To evaluate remote access security controls
Basic Terminologies
Access control is designed to control information access and to mitigate access-related vulnerabilities exploited by threats to a network.
Threats?
• An event or activity that has the potential to cause harm to the network
Vulnerability?
• A weakness exploited by a threat
Risk?
• The probability that a threat materialises

"Subject" and "Object" are terms often used when discussing access control.


10.1 Access Control Model
Access control models can be classified based on who can control and change the access that is allowed:

a) Discretionary Access Control (DAC)
– The owners of objects decide, at their discretion (following policy and procedures), what objects a given subject can access.
b) Mandatory Access Control (MAC)
– Means must be found to formally match the authorizations allocated to the subject to the sensitivity of the objects that are the target of the access request.
c) Non-discretionary Access Control
– Access privileges might be based on the individual's role in the organization (role-based) or on the subject's responsibilities and duties (task-based).
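The three decision rules above, as an added example that is not part of the module: a DAC object whose owner edits its ACL, a MAC check that matches a subject's clearance against the object's label (the "no read up" rule is assumed as the concrete matching rule), and a role-based check. All names, labels and roles are constructed.

```python
from dataclasses import dataclass, field

# Assumed sensitivity lattice for the MAC rule, least to most sensitive
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass
class Obj:
    name: str
    owner: str
    label: str                                   # MAC sensitivity label of the object
    acl: dict = field(default_factory=dict)      # DAC: subject -> set of permissions

# a) DAC: only the owner may change who else can access the object
def dac_grant(obj: Obj, actor: str, subject: str, perm: str) -> bool:
    if actor != obj.owner:
        return False                             # non-owners cannot edit the ACL
    obj.acl.setdefault(subject, set()).add(perm)
    return True

def dac_allowed(obj: Obj, subject: str, perm: str) -> bool:
    return subject == obj.owner or perm in obj.acl.get(subject, set())

# b) MAC: clearance must dominate the object's label to read; the owner's
#    discretionary grant cannot override this (assumed "no read up" rule)
def mac_allowed(clearance: str, obj: Obj) -> bool:
    return LEVELS[clearance] >= LEVELS[obj.label]

# c) Non-discretionary (role-based): permissions attach to roles, subjects hold roles
ROLE_PERMS = {"auditor": {"read"}, "admin": {"read", "write"}}       # constructed
SUBJECT_ROLES = {"alice": {"admin"}, "bob": {"auditor"}, "carol": set()}

def rbac_allowed(subject: str, perm: str) -> bool:
    return any(perm in ROLE_PERMS[r] for r in SUBJECT_ROLES.get(subject, ()))

def demo() -> dict:
    """Constructed scenario: alice owns a 'secret' report; bob holds 'internal' clearance."""
    report = Obj("q3-report", owner="alice", label="secret")
    dac_grant(report, "alice", "bob", "read")             # owner shares at her discretion
    return {
        "dac_bob_read": dac_allowed(report, "bob", "read"),          # owner granted it
        "dac_bob_grant": dac_grant(report, "bob", "carol", "read"),  # bob is not the owner
        "mac_bob_read": mac_allowed("internal", report),             # label beats the grant
        "rbac_bob_write": rbac_allowed("bob", "write"),              # auditor role lacks write
        "rbac_alice_write": rbac_allowed("alice", "write"),          # via admin role
    }
```

The point of the MAC line is that even though alice granted bob read access under DAC, the mandatory label check still denies it.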

10.2 Means and Types of Control
• The means of control are administrative, technical (logical), and physical
• The three common control types are Preventive, Detective, and Corrective
• To implement effective controls, means and types of control must be combined, such as:
– Preventive in Administrative
– Preventive in Technical
– Preventive in Physical
– Detective in Administrative
– Detective in Technical
– Detective in Physical
– Centralized or Decentralized Access Controls
10.3 Identification vs. Authentication

Identification
– is the act of a user professing an identity to a system
– usually in the form of a logon ID
– establishes user accountability for his or her actions on the system

Authentication
– is verification that the user's claimed identity is valid
– usually implemented through a user password at logon time
– is provided through a variety of means, from secret passwords to biometric characteristics
– accomplished by testing one or more of the following items:
◦ Something you know, e.g. password
◦ Something you have, e.g. smart card
◦ Something you are (physically), e.g. fingerprint
10.4 Authentication, Authorization, Accountability (AAA)

Identification and authentication are part of AAA.

• Authorization: after authentication, a user is granted permissions to access certain computer resources and information. Key: GRANT ACCESS
• Accountability: once users are given access, all their actions should be logged, to hold them accountable for what they do on the system. Key: LOG
10.5 Authentication, Authorization, Accountability (AAA)
PASSWORD
– One-time password provides a high level of security
– Dynamic vs static password
– Use of passphrase
– Type 2
BIOMETRICS
– Automated means to identify identity based on physiological characteristics
– Applied as a one-to-many search or one-to-one
– Mostly used for access control
– Type 3
– Example: retina scans, fingerprints, facial recognition, voice
SINGLE SIGN-ON
– ID and password
– Example: Kerberos system
10.6 Kerberos

• Based on symmetric key cryptography
• Developed under Project Athena at MIT
• Third-party authentication protocol
10.7 Remote Access

• AAA is an important requirement during a remote access session.

• Services and protocols used to provide AAA capabilities:
– Remote Authentication and Dial-In User Service (RADIUS)
– Terminal Access Controller Access Control System (TACACS) and TACACS+
– Password Authentication Protocol (PAP)
– Challenge Handshake Authentication Protocol (CHAP)
10.8 RADIUS characteristics

• Is a central authentication service for dial-up users
• Described in RFC 2865
• It incorporates an authentication server and dynamic passwords
• The RADIUS protocol is an open, lightweight, UDP-based protocol that can be modified to work with a variety of security systems
• It provides authentication, authorization, and accounting services to routers, modem servers, and wireless applications
Authentication Protocols: RADIUS
• Figure: a RADIUS server providing centralized authentication
10.9 Principal Components of RADIUS
• A network access server (NAS)
– Processes connection requests and initiates an access exchange with the user through protocols such as the Point-to-Point Protocol (PPP) or the Serial Line Internet Protocol (SLIP)
– Produces the username, password and NAS device identifier
– The NAS sends this information to the RADIUS server for authentication
• Access Client
– A device (router) or individual dialing into an ISP network to connect to the Internet
• The RADIUS server
– Compares the NAS information with data in a trusted database to provide authentication and authorization services
– The NAS also provides accounting information to the RADIUS server for documentation purposes

10.10 TACACS and TACACS+
• TACACS is an authentication protocol that provides remote access authentication and related services such as event logging

• In a TACACS system, user passwords are administered in a central database rather than in individual routers, which provides an easily scalable network security solution.

– A TACACS-enabled network device prompts the remote user for a username and static password
– The TACACS-enabled device queries a TACACS server to verify that password
– TACACS does not support prompting for a password change or for the use of dynamic password tokens

• TACACS has been superseded by TACACS+, which provides for dynamic passwords, two-factor authentication, and improved audit functions.
10.11 Elements of TACACS+
• Access Client
– A person or device, such as a router, that dials in to an ISP
• A network access server (NAS)
– A server that processes requests for connections.
– The NAS conducts access control exchanges with the client, obtaining information such as password, username and NAS port number
– This data is transmitted to the TACACS+ server for authentication
• The TACACS+ server
– A server that authenticates the access request and authorizes services
– Receives accounting and documentation information from the NAS
10.12 Password Authentication Protocol
• One of the authentication mechanisms
• In PAP, a user provides an unencrypted username and password, which are compared with the corresponding information in a database of authorized users.
• However, this method is not secure and is vulnerable to an attacker who intercepts this information, because the username and password are usually sent in the clear

Figure: Two-step authentication used in PAP
10.13 Challenge Handshake Authentication Protocol (CHAP)

• Described in RFC 1994
• It provides authentication after the establishment of the initial communication link between the user and CHAP.
• CHAP is a more secure procedure for connecting to a system than the Password Authentication Procedure (PAP)
• CHAP operation comprises a three-way handshaking procedure
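The PAP weakness of section 10.12 and the CHAP three-way handshake above, as an added example that is not part of the module: the CHAP response is computed as RFC 1994 specifies, MD5 over the Identifier, the secret and the Challenge, so the secret itself never crosses the link, while the PAP request carries it verbatim. The PAP byte layout, usernames and secrets are constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

# PAP: the Authenticate-Request carries the username and password as-is
def pap_authenticate_request(user: str, password: str) -> bytes:
    return user.encode() + b"\x00" + password.encode()   # constructed layout, not the PPP framing

# CHAP three-way handshake (RFC 1994): Response = MD5(Identifier || secret || Challenge)
def chap_challenge() -> tuple:
    """Step 1: the authenticator sends a fresh Identifier and a random Challenge."""
    return secrets.randbelow(256), os.urandom(16)

def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """Step 2: the peer proves knowledge of the secret without transmitting it."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()

def chap_verify(ident: int, challenge: bytes, response: bytes, stored_secret: str) -> bool:
    """Step 3: the authenticator recomputes the hash and answers Success or Failure."""
    expected = hashlib.md5(bytes([ident]) + stored_secret.encode() + challenge).digest()
    return hmac.compare_digest(expected, response)   # constant-time comparison

def run_chap(peer_secret: str, stored_secret: str) -> bool:
    """Whole handshake between a peer holding peer_secret and an authenticator holding stored_secret."""
    ident, challenge = chap_challenge()
    response = chap_response(ident, peer_secret, challenge)
    return chap_verify(ident, challenge, response, stored_secret)

def secret_on_wire(user: str, secret: str) -> dict:
    """What a passive observer of the link sees: is the secret itself in the transmitted bytes?"""
    ident, challenge = chap_challenge()
    return {"pap": secret.encode() in pap_authenticate_request(user, secret),
            "chap": secret.encode() in chap_response(ident, secret, challenge)}
```

A fresh random Challenge each time also means a captured Response cannot be reused against a later challenge; the trade-off is that the authenticator must hold the secret in recoverable form to recompute the hash.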

Summary
• Access controls are crucial in protecting the network and its associated resources.
• Databases are another important tool in providing access controls and implementing the concept of least privilege through database Views.