NIS UNIT 3

UNIT-3

PART-1
 Network attack
 Need for Intrusion Detection Systems
 IDS Types
 Characteristics of ID
 ID Methodology
Network Attack
1. Malware
2. Virus
3. Worm
4. Botnet
5. DoS (Denial of Service)
6. DDoS (Distributed DoS)
7. Packet sniffer
8. IP Spoofing
9. Man-in-the-Middle Attack
10. Compromised-Key Attack
11. Phishing
12. DNS spoofing
MALWARE
 Malware, short for malicious software, refers to any intrusive software developed by cyber criminals (often called hackers) to steal data and damage or destroy computers and computer systems.
Malware
 Malicious software which is specifically designed to disrupt, damage, or gain unauthorized access to a computer system.
 Much of the malware out there today is self-replicating: once it infects one host, from that host it seeks entry into other hosts over the Internet, and from the newly infected hosts, it seeks entry into yet more hosts.
 In this manner, self-replicating malware can spread exponentially fast.
Virus
 A malware which requires some form of user interaction to infect the user's device.
 The classic example is an e-mail attachment containing malicious executable code.
 If a user receives and opens such an attachment, the user inadvertently runs the malware on the device.
WORMS
 Can replicate themselves
 Can infect multiple computers
 Network worms spread through computer networks
 Outdated OS
 No antivirus software
VIRUS vs WORMS
Worm
 A malware which can enter a device
without any explicit user interaction.
 For example, a user may be running a
vulnerable network application to which an
attacker can send malware.
 In some cases, without any user
intervention, the application may accept
the malware from the Internet and run it,
creating a worm.
Botnet
 A network of private computers infected with malicious software and controlled as a group without the owners' knowledge, e.g. to send spam.
 Used to bring down a server
 Used to shut down a website
DoS (Denial of Service)
 A Denial-of-Service (DoS) attack is an attack meant to shut down a machine or network, making it inaccessible to its intended users.
DDoS (Distributed DoS)
 DDoS is a type of DoS attack where multiple compromised systems are used to target a single system, causing a Denial of Service (DoS) attack.
 DDoS attacks leveraging botnets with thousands of compromised hosts are a common occurrence today.
 DDoS attacks are much harder to detect and defend against than a DoS attack from a single host.
DoS vs DDoS
PACKET SNIFFER
 A passive receiver that records a copy of every packet that flies by is called a packet sniffer.
 These packets can contain all kinds of sensitive information, including passwords, social security numbers, trade secrets, and private personal messages.
 Some of the best defenses against packet sniffing involve cryptography.
IP Spoofing
 The ability to inject packets into the Internet with a false source address is known as IP spoofing, and is but one of many ways in which one user can masquerade as another user.
 To solve this problem, we will need end-point authentication, that is, a mechanism that will allow us to determine with certainty if a message originates from where we think it does.
Concealing Identity: Hackers may use IP spoofing to hide their true IP address while launching attacks, making it difficult for defenders to trace the origin of malicious activities.
Bypassing Access Controls: By spoofing a trusted IP address, attackers can potentially bypass access controls that rely on IP-based authentication.
Distributed Denial of Service (DDoS) Attacks: In DDoS attacks, spoofed IP addresses are often used to flood a target server or network with an overwhelming amount of traffic, making it unavailable to legitimate users.
Man-in-the-Middle Attack
 A man-in-the-middle attack occurs when someone between you and the person with whom you are communicating is actively monitoring, capturing, and controlling your communication transparently.
 For example, the attacker can re-route a data exchange.
Compromised-Key Attack
 A key is a secret code or number necessary to interpret secured information.
 Although obtaining a key is a difficult and resource-intensive process for an attacker, it is possible.
 After an attacker obtains a key, that key is referred to as a compromised key.
 An attacker uses the compromised key to gain access to a secured communication without the sender or receiver being aware of the attack.
PHISHING
 Phishing – The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.
DNS Spoofing
 Domain Name Server (DNS) spoofing, or DNS cache poisoning, is an attack involving manipulating DNS records to redirect users toward a fraudulent, malicious website that may resemble the user's intended destination.
The need for Intrusion Detection Systems
 A computer system should provide confidentiality, integrity and assurance against denial of service. However, due to increased connectivity (especially on the Internet), and the vast spectrum of financial possibilities that are opening up, more and more systems are subject to attack by intruders.
 These subversion attempts try to exploit flaws in the operating system as well as in application programs and have resulted in spectacular incidents like the Internet Worm incident of 1988 [12] (Eugene H. Spafford. The Internet Worm Program: An Analysis. ACM Computer Communication Review, 19(1), pages 17-57, Jan 1989).
 There are two ways to handle subversion attempts. One way is to prevent subversion itself by building a completely secure system. We could, for example, require all users to identify and authenticate themselves; we could protect data by various cryptographic methods and very tight access control mechanisms.
 However, this is not really feasible because:
1. Designing and implementing a totally secure system is an extremely difficult task.
2. The vast installed base of systems worldwide guarantees that any transition to a secure system (if it is ever developed) will be long in coming.
3. Cryptographic methods have their own problems. Passwords can be cracked, users can lose their passwords, and entire crypto-systems can be broken.
4. Even a truly secure system is vulnerable to insiders who abuse their privileges.
5. It has been seen that the relationship between the level of access control and user efficiency is an inverse one, which means that the stricter the mechanisms, the lower the efficiency becomes.
 We thus see that we are stuck with systems that have vulnerabilities for a while to come.
 If there are attacks on a system, we would like to detect them as soon as possible (preferably in real time) and take appropriate action. This is essentially what an Intrusion Detection System (IDS) does.
 An IDS does not usually take preventive measures when an attack is detected; it is a reactive rather than proactive agent.
 It plays the role of an informant rather than a police officer.
IDS types
 IDS in general has three basic types
based on its location:
1. Host IDS
2. Network IDS
3. Hybrid IDS, as shown in Fig. 1
Host Intrusion Detection System (HIDS)
 Runs on independent hosts or devices on the network.
 A HIDS monitors the incoming and outgoing packets from the device only and will alert the administrator if suspicious or malicious activity is detected.
 It takes a snapshot of existing system files and compares it with the previous snapshot.
 If monitored system files have been edited or deleted, an alert is sent to the administrator to investigate.
 An example of HIDS usage can be seen on mission-critical machines, which are not expected to change their layout.
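The snapshot-and-compare step described above, as an added example that is not part of the slides: every file under a directory is hashed into a snapshot, and a later snapshot is diffed against the earlier one to report added, removed and modified files. The directory, file names and contents are constructed inside demo().

```python
"""File-integrity snapshot check in the style of a HIDS (added example).

snapshot() hashes every regular file under a directory; compare() reports the
differences between two snapshots. demo() builds a small constructed tree in a
temporary directory, takes a baseline, makes three changes and returns the diff.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    snap = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            # Normalise separators so keys look the same on every platform.
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            snap[rel] = digest.hexdigest()
    return snap


def compare(old, new):
    """Diff two snapshots; lists are sorted so the result is deterministic."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Run one HIDS cycle on a constructed directory tree and return the diff."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        # Constructed sample files representing the trusted state of the host.
        files = {
            "hosts": b"127.0.0.1 localhost\n",
            "motd": b"Welcome\n",
            "services": b"ssh 22/tcp\n",
        }
        for name, data in files.items():
            with open(os.path.join(etc, name), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)           # first snapshot

        # Constructed changes between the two snapshots: one edit, one
        # deletion, one new file.
        with open(os.path.join(etc, "hosts"), "ab") as fh:
            fh.write(b"10.0.0.5 intranet\n")
        os.remove(os.path.join(etc, "motd"))
        with open(os.path.join(etc, "newfile.conf"), "wb") as fh:
            fh.write(b"option=1\n")

        current = snapshot(root)            # second snapshot
        return compare(baseline, current)   # what the HIDS would alert on


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {paths}")
```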
Network Intrusion Detection
System (NIDS)
 Set up at a planned point within the network to
examine traffic from all devices on the network.
 It performs an observation of passing traffic on the
entire subnet and matches the traffic that is passed
on the subnets to the collection of known attacks.
 Once an attack is identified or abnormal behavior is
observed, the alert can be sent to the administrator.
 An example of a NIDS is installing it on the subnet
where firewalls are located in order to see if someone
is trying to crack the firewall.
Hybrid Intrusion Detection
System
 Hybrid intrusion detection system is made by the
combination of two or more approaches to the
intrusion detection system.
 In the hybrid intrusion detection system, the host
agent or system data is combined with network
information to develop a complete view of the
network system.
 The hybrid intrusion detection system is more effective in comparison to the other intrusion detection systems.
 Prelude is an example of Hybrid IDS.
Characteristics of ID
 ID monitors a whole system or just a part of it.
 ID occurs either during an intrusion or after it.
 ID can be stealthy or openly advertised.
 If suspicious activity occurs it produces an alarm and keeps logs that can be used for reports on long-term development.
 A human (administrator) is needed for alarm processing.
 ID systems can produce an alarm and/or produce an automated response.
IDS methodology
 Signature-Based Detection
 Anomaly-Based Detection
 Stateful Protocol Analysis
Signature-Based Detection
 A signature is a pattern: the pattern we are searching for in a data packet.
 Attackers target data packets and add malicious code into them; this recognizable code is the attack pattern or signature.
 A database is created that stores all known attack signatures.
 If a signature/pattern matches, an intrusion is detected.
 Cannot identify unknown attacks.
 Signature Creation: Security experts or organizations create signatures by analyzing known attacks and identifying unique characteristics or patterns associated with them.
 Signature Database: The signatures are stored in a database. This database is regularly updated to include new signatures as new threats emerge and known attack patterns evolve.
 Packet Inspection: When network traffic or system logs pass through the IDS, the system inspects each packet or log entry for matches against the signatures in its database.
 Alert Generation: If a packet or log entry matches a signature in the database, the IDS generates an alert.
 Response: Depending on the configuration of the IDS, it may take automated actions in response to detected threats, such as blocking the source IP address, or triggering other security measures.
Anomaly-Based Detection
 Based on deviation from normal (abnormal behaviour).
 Example: a system administrator's job is to provide logins and access to other employees; a software developer's job is to develop and debug software, etc.
 If a developer starts doing the administrator's job alongside his own, that deviation is an anomaly.
 Anomaly-based IDSes typically work by taking a baseline of the normal traffic and activity taking place on the network.
 Baselining is the process of analyzing and recording typical patterns of activity within a network, over a period of time when it is operating under normal conditions.
 They can then measure the present state of traffic on the network against this baseline.
 Baseline Establishment: The IDS first establishes a baseline of normal behavior by analyzing network traffic, system logs, user behavior, or other relevant data over a period of time.
 Behavior Monitoring: The IDS continuously monitors network traffic, system logs, or other data sources for deviations from the baseline.
 Anomaly Detection: When the IDS identifies deviations or anomalies that exceed predefined thresholds or criteria, it generates alerts.
 Alert Analysis: Security analysts or administrators review the alerts generated by the anomaly-based IDS.
 Response and Mitigation: Organizations can take appropriate response actions to mitigate the potential threat.
SIGNATURE-BASED / ANOMALY-BASED
Signature-based                     Anomaly-based
Based on pattern                    Based on behaviour
Patterns database                   Alarm generated if behaviour differs from the predefined behaviour
Detects only known attacks          Predefining rules is difficult
Unable to identify new attacks      Detects unusual behaviour that may not be malicious
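The two methodologies and the comparison above, as an added example that is not part of the slides: a signature engine matches a small database of known patterns against request lines, while an anomaly engine learns a per-client request volume from a baseline window and flags clients that exceed it. The log entries, addresses and the (deliberately simplified) signature patterns are constructed; the monitored window contains a known pattern, a sudden burst, a benign bulk job and a stand-in for an attack with no signature yet.

```python
"""Signature-based vs anomaly-based detection over constructed request logs (added example)."""
import re
from statistics import mean, pstdev

# Signature database: name -> pattern over the request line (known attacks only).
SIGNATURES = {
    "sql-injection": re.compile(r"(?i)\bunion\s+select\b"),
    "path-traversal": re.compile(r"\.\./"),
}

# Constructed "normal" window used to learn the baseline: (client_ip, request).
BASELINE = (
    [("10.0.0.1", "GET /index.html")] * 5
    + [("10.0.0.2", "GET /about.html")] * 4
    + [("10.0.0.3", "GET /products?id=1")] * 6
    + [("10.0.0.4", "GET /contact.html")] * 5
    + [("10.0.0.5", "GET /index.html")] * 5
)

# Constructed monitoring window with four different situations.
MONITORED = (
    [("10.0.0.1", "GET /index.html")] * 5                     # normal client
    + [("10.0.0.9", "GET /index.html")] * 40                  # sudden high volume
    + [("10.0.0.7", "GET /downloads/image.iso")] * 12         # legitimate bulk job (benign)
    + [("10.0.0.3", "GET /products?id=1 UNION SELECT 1,2")]   # known pattern, low volume
    + [("10.0.0.4", "GET /export?q=__NEW_ATTACK_PATTERN__")]  # stand-in for an unknown attack
)


def signature_detect(requests):
    """Return [(client, signature_name)] for each request matching a known signature."""
    return [(client, name)
            for client, req in requests
            for name, pattern in SIGNATURES.items()
            if pattern.search(req)]


def requests_per_client(requests):
    """Count requests per client address."""
    counts = {}
    for client, _req in requests:
        counts[client] = counts.get(client, 0) + 1
    return counts


def build_baseline(requests, k=3.0):
    """Learn the normal per-client volume; threshold = mean + k * population stdev."""
    counts = list(requests_per_client(requests).values())
    return mean(counts) + k * pstdev(counts)


def anomaly_detect(requests, threshold):
    """Return [(client, count)] for clients whose volume exceeds the baseline threshold."""
    counts = requests_per_client(requests)
    return [(client, n) for client, n in sorted(counts.items()) if n > threshold]


if __name__ == "__main__":
    threshold = build_baseline(BASELINE)
    print("signature alerts:", signature_detect(MONITORED))   # only the known SQLi pattern
    print("anomaly alerts:  ", anomaly_detect(MONITORED, threshold))
    # The burst and the benign bulk job are both flagged (one is a false
    # positive); the unknown-pattern request is missed by both engines.
```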
Stateful Protocol Analysis
Inspects and detects suspicious or malicious activity within network traffic.
 Session Tracking: The IDS tracks the state of network sessions by maintaining information about active connections, including source and destination IP addresses, protocol types, and other relevant data.
 Packet Inspection: As packets traverse the network, the IDS inspects them using stateful protocol analysis techniques.
 Protocol Parsing: The IDS parses the payload of network packets to understand the structure and semantics of the protocols being used (e.g., HTTP, FTP, SMTP). This allows the IDS to extract relevant information from the network traffic, such as URLs, file transfers, email content, and other application-specific data.
Stateful Protocol Analysis
 Keeping Track of Conversations: Imagine your network is like a busy party with lots of people
talking (devices communicating). The IDS listens in on these conversations. But instead of just
hearing individual words (packets), it pays attention to the whole chat (session).

 Understanding the Chatter: The IDS isn't just eavesdropping, it's also understanding what's
being said. It knows the different "languages" (protocols) people use to talk. For example, it
understands when someone's speaking "HTTP" (web browsing) or "SMTP" (email).

 Spotting Strange Talk: Now, if someone starts saying weird things, like talking about breaking
into the house (malicious activity), the IDS notices. It's because it's paying attention to the whole
conversation, not just individual words.

 Remembering Who's Who: The IDS doesn't just forget who's talking. It remembers who started
the conversation, who they're talking to, and what they're talking about. This helps it make sense
of what's normal and what's not.

 Raising the Alarm: When the IDS hears something suspicious, like someone talking about breaking in, it doesn't just ignore it. It raises the alarm (generates an alert) so that you, the homeowner (network administrator), know something fishy might be going on.
 Taking Action: Finally, it's up to you, the homeowner, to decide what to do. Maybe you check it out yourself (investigate) or call the police (take action to block or stop the suspicious activity).
 Stateful Analysis: By maintaining state information about network sessions, the IDS can perform stateful analysis to detect anomalies, deviations from expected behavior, and known attack patterns.
 Alert Generation: When the IDS detects suspicious or malicious activity through stateful protocol analysis, it generates alerts.
 Response and Mitigation: Based on the alerts generated by the IDS, security administrators can take appropriate response actions.
Stateful Protocol Analysis
 Stateful protocol analysis approaches:
 Traffic rate monitoring: If the IDPS detects a sudden increase in traffic it can stop and reset all traffic.
 Protocol state tracking: The IDPS maintains a record of a connection's state and allows packets to pass through if they belong to an established connection.
 Dynamic application layer protocol analysis: Can identify applications not using standard ports (HTTP/SMTP/FTP).
 IP packet reassembly: Can reassemble fragmented packets to prevent fragments from passing through to the internal network.
INTRUSION PREVENTION SYSTEM - IPS
 It's a security technology that monitors network and system activities for malicious or unwanted behavior and can react in real time to block or prevent those activities.
 It can take actions such as:
 blocking the offending traffic,
 alerting system administrators,
 terminating connections to prevent further damage.
How Does an IPS Work?
 An IPS works by scanning all network traffic.
 It deeply inspects every packet that travels across the network.
 If any malicious or suspicious packets are detected, it can:
 Block the offending source IP address or user account from accessing any application.
 Reprogram or reconfigure the firewall to prevent a similar attack occurring in the future.
 Remove or replace any malicious content that remains on the network following an attack.
Types of IPS
 Network-Based IPS: A Network-Based IPS is installed at the network perimeter and monitors all traffic that enters and exits the network.
 Host-Based IPS: A Host-Based IPS is installed on individual hosts and monitors the traffic that goes in and out of that host.
Why Do You Need an IPS?
 Protection Against Known and Unknown Threats
 An IPS can detect and block malicious traffic in real-time,
preventing attacks from doing any damage.
 Many industries have regulations that require the use of
an IPS to protect sensitive information and prevent data
breaches.
 An IPS is a cost-effective way to protect your network compared to the cost of dealing with the aftermath of a security breach.
 An IPS provides increased network visibility, allowing you
to see what’s happening on your network and identify
potential security risks.
Detection Method of Intrusion Prevention System

 Signature-based detection
 Statistical anomaly-based detection
 Stateful protocol analysis detection
IPS System Configuration
 Decide what to watch for
 Create rules
 Keep it updated
 Keep records
 Adjust as needed
IPS System Configuration
 Define security policies: Identify security goals, threat types, acceptable network behavior, and compliance needs.
 Choose deployment mode: Decide if the IPS will actively monitor in-line or passively analyze out-of-band network traffic.
 Inline: Inspects each packet of data passing through the network in real time. If it detects anything suspicious, it can take immediate action, such as blocking the traffic.
 Out-of-band analysis: It's like having a security camera that records everything happening, and then security personnel review the footage later to identify any suspicious activity.
 Configure network interfaces: Set up IPS network connections with proper IP addresses, subnet masks, and gateway settings.
 Update signature database: Regularly refresh the IPS signature database for the latest threat intelligence.
 Define signature policies: Specify the types of threats to detect, sensitivity levels, and blocking actions.
 Set up alerting and logging: Configure mechanisms to alert administrators.
 Configure blocking actions: Define actions for the IPS to take upon detecting threats, such as blocking traffic or sending alerts.
 Test and validate configuration: Thoroughly test the IPS in a controlled environment to ensure effective threat detection without disrupting normal traffic.
 Monitor and fine-tune: Continuously monitor IPS performance, adjusting settings and updating policies to adapt to changing threats and network conditions.
IDS: Intrusion Detection Systems focus on detecting and alerting administrators about potential security threats.
IPS: Not only detect but also actively prevent or block detected threats.
IDS provides valuable insights into network activity. This visibility allows administrators to investigate and respond to security events promptly, even if the IPS may not have been able to prevent them.
IPS complements this by offering proactive protection against known threats and attacks in real time, reducing the reliance on manual intervention and response.
While an IPS can effectively prevent intrusions in real time, IDS plays a crucial role in early threat detection and provides valuable visibility into network activity.
Role of Router in IDS
A router is a device that connects two or more packet-switched networks or subnetworks.
It serves two primary functions: managing traffic between these networks by forwarding data packets to their intended IP addresses, and allowing multiple devices to use the same Internet connection.
Packet Filtering and Traffic Shaping: By filtering out potentially malicious traffic before it reaches the internal network, routers can help reduce the workload on the IDS.
Logging and Monitoring: Routers often have logging capabilities that record information about network traffic passing through them. IDS can utilize these router logs as a data source for detecting and analyzing potential security threats.
Intrusion Detection at the Network Perimeter: Routers are typically positioned at the network perimeter. By detecting and alerting on potential threats at the perimeter, routers contribute to the overall security posture of the network.
Traffic Redirection for Analysis: Routers can be configured to redirect copies of network traffic to a monitoring device for analysis. This allows the IDS to inspect network traffic without disrupting the flow of data to its intended destination.
Threat Intelligence Exchange: Threat intelligence refers to information collected, analyzed, and used to understand cyber threats and the actors behind them. Routers can exchange threat intelligence data with security platforms.
Firewalls
A Firewall is a network security device that monitors and filters incoming and outgoing network traffic based on security policies.
It acts as a barrier between a trusted internal network and untrusted external networks such as the internet. Firewalls can be hardware, software, or a combination of both.
The Need For Firewalls
Network Security: With the proliferation of cyber threats such as malware, ransomware, and hacking attempts, a firewall provides a critical layer of defense to safeguard networks from unauthorized access and malicious activities.
Protection of Sensitive Data: Firewalls help prevent unauthorized access to sensitive data, such as personal information and financial records, by controlling the flow of traffic in and out of a network.
Compliance Requirements: Many industries and regulatory bodies have established compliance standards that mandate the use of firewalls as part of a comprehensive security strategy.
Secure Remote Access: As remote work becomes increasingly prevalent, firewalls play a crucial role in securing remote access connections, ensuring that employees can access corporate resources securely from anywhere without compromising network security.
Protection from Cyber Attacks: Firewalls act as a barrier against various cyber attacks, including denial-of-service (DoS) attacks, phishing attempts, and intrusions, by analyzing network traffic and blocking malicious activities before they can reach their intended targets.
Control and Monitoring: Firewalls enable organizations to monitor and control network traffic, allowing them to enforce security policies, detect suspicious activities, and investigate security incidents effectively.
Types Of Firewall
Packet Filtering Firewall: A packet filtering firewall applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet.
The firewall is typically configured to filter packets going in both directions (from and to the internal network).
It has a set of rules based on source address, destination address, port number and protocol (the source and destination transport-level addresses):
If a rule matches, the packet is forwarded or discarded as that rule specifies.
Default action: Forward/Discard, applied when no rule matches.
The packet payload is not checked, so it is not fully secure.
LIMITATIONS OF PACKET FILTERING
• Limited Protection: Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks carried in that upper-layer (application) data.
• Restricted Logging Capability: Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited.
• Limited Support for Advanced Authentication: Most packet filter firewalls lack support for advanced user authentication methods, primarily because of their inability to handle upper-layer functionalities.
Application-Level Firewall / Proxy firewall
 A packet filtering firewall, even with the added functionality of stateful packet inspection, is still severely limited.
 An application-level firewall can examine the application payload and scan packets for worms, viruses, spam mail, and inappropriate content.
 More secure: there is no direct connection between the client and server.
 The firewall is built using proxy agents. Such a “proxy firewall” acts as an intermediary between the client and server.
[Figure: INTERNET -> PROXY FIREWALL -> INTERNAL HOST]
Circuit-Level Gateway
• Uses 2 TCP connections:
• between the external host and the gateway,
• between the internal host and the gateway.
• Does not check the packet contents.
• Works at the session layer of OSI.
Stateful Inspection Firewalls (SPI)
 Connection oriented.
 Keeps track of each network connection: where a request is coming from and where a response is going.
 Records the state of active connections and uses this information to determine which network packets to allow through the firewall.
 State table.
 For an incoming packet that it cannot match in its state table, it refers to its Access Control List (ACL) to determine whether to allow the packet to pass.
SCENARIO
• Alice is browsing the web.
• Alice opens her web browser and requests to visit a website.
• The firewall examines the packet and sees that it's the beginning of a new outgoing connection.
• The firewall adds an entry to its state table, recording Alice's computer's IP address, the destination website's IP address, the source and destination port numbers, and the protocol being used (usually TCP for web browsing).
• Since the packet is part of a new outgoing connection and complies with the firewall's security policies, it's allowed to pass through the firewall.
• Her computer sends and receives packets back and forth. The firewall inspects each packet, checking them against the state table to ensure they belong to the established connection.
• The stateful firewall dynamically updates its state table, keeping track of the connection's status.
• If Alice closes her browser or finishes her session, the firewall removes the corresponding entry from the state table.
• If an attacker were to attempt to initiate a malicious connection to Alice's computer, the stateful firewall would block it.
Disadvantages: the additional processing required to manage and verify packets against the state table.
If an incoming packet does not match in its state table, it refers to its Access Control List (ACL) to determine whether to allow the packet to pass.
If the system receives a large number of external packets, this slows the firewall because it attempts to compare all of the incoming packets first to the state table and then to the ACL.
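The scenario above, together with the packet-filtering rule evaluation and the connection-state tracking described earlier, as an added example that is not part of the slides: packets that belong to a tracked connection are allowed from the state table; everything else is checked against an ordered ACL whose default action is deny, and a permitted connection-opening packet creates a new state entry. Alice's address, the website, the external host, the ports and the two ACL rules are all constructed.

```python
"""Stateful inspection firewall with an ACL fallback (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # "SYN" opens a TCP connection, "FIN" closes it
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    src_net: str
    dst_net: str
    dport: Optional[int] = None   # None means any destination port

    def matches(self, p):
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst_net)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, acl, default="deny"):
        self.acl = list(acl)
        self.default = default
        self.state = set()   # tracked connections: (proto, src, sport, dst, dport)

    @staticmethod
    def key(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p):
        # The reply direction of the same connection.
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def acl_action(self, p):
        """Plain packet filtering: the first matching rule wins, else the default action."""
        for rule in self.acl:
            if rule.matches(p):
                return rule.action
        return self.default

    def process(self, p):
        """Decide 'allow' or 'drop' for one packet and keep the state table current."""
        fwd, rev = self.key(p), self.reverse_key(p)
        if fwd in self.state or rev in self.state:
            if p.flags == "FIN":          # connection finished: forget it
                self.state.discard(fwd)
                self.state.discard(rev)
            return "allow"                # tracked connection: no ACL lookup needed
        if self.acl_action(p) == "permit":
            if p.flags == "SYN":          # new permitted connection: start tracking it
                self.state.add(fwd)
            return "allow"
        return "drop"


def alice_scenario():
    """Replay the slide's scenario; returns the per-packet decisions and the final state table."""
    fw = StatefulFirewall([
        Rule("permit", "10.0.0.0/24", "0.0.0.0/0"),        # internal hosts may open outbound connections
        Rule("permit", "0.0.0.0/0", "10.0.0.80/32", 80),   # anyone may reach the internal web server
    ])
    alice, site, external = "10.0.0.5", "203.0.113.10", "198.51.100.7"   # constructed
    trace = [
        ("alice opens a web connection", fw.process(Packet(alice, 51000, site, 443, "SYN"))),
        ("site replies (matches state)", fw.process(Packet(site, 443, alice, 51000, "ACK"))),
        ("unsolicited inbound to alice", fw.process(Packet(external, 4444, alice, 22, "SYN"))),
        ("inbound to web server (ACL)",  fw.process(Packet(external, 4445, "10.0.0.80", 80, "SYN"))),
        ("alice closes the connection",  fw.process(Packet(alice, 51000, site, 443, "FIN"))),
        ("late reply after close",       fw.process(Packet(site, 443, alice, 51000, "ACK"))),
    ]
    return trace, sorted(fw.state)


if __name__ == "__main__":
    decisions, state = alice_scenario()
    for what, decision in decisions:
        print(f"{decision:5s} {what}")
    print("state table:", state)
```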
BASTION HOST
A bastion host is a specialized computer or server
that is configured and deployed with specific
security measures to serve as a secure entry point
into a network from an untrusted network, such as
the internet.
Characteristics of bastion
Secure Entry Point: protects against unauthorized access and potential security threats.
Single Point of Access: a single point of entry for remote users or systems.
Controlled Authentication: strong authentication methods such as VPN credentials or multi-factor authentication.
Minimal Services: Bastions are configured to run only the essential services and applications necessary for their function as secure entry points.
Logging and Monitoring: Bastions typically feature extensive logging and monitoring capabilities to record access attempts and activities.
Configuring and Setting Up Firewalls
1. Screened host firewall, single-homed bastion configuration
2. Screened host firewall, dual-homed bastion configuration
3. Screened subnet firewall configuration
Screened host firewall, single-homed bastion configuration
Screened Host Firewall: two firewall components.
External Firewall (also known as the screening router): This firewall sits between the internal network and the internet. It filters incoming traffic from the internet, allowing only authorized traffic to enter the internal network.
Internal Firewall (also known as the bastion host): This firewall sits between the external firewall and the internal network. It acts as an additional layer of defense, providing further filtering and security for traffic entering the internal network.
Single-Homed Bastion Configuration:
This bastion host acts as a single point of entry for external users who need to access internal resources, such as remote employees.
• 1 network interface – external to internal.
External users connect to the bastion host using secure protocols like SSH (Secure Shell) or VPN (Virtual Private Network). Once authenticated, they can then access specific internal resources or services via the bastion host.
Screened host firewall, Dual-homed bastion configuration
• 2 network interfaces, each connected to a different network segment.
• The bastion host acts as an intermediary or gateway between the external and internal networks.
It controls and monitors traffic flowing between the two networks, enforcing security policies and providing access to internal resources for authorized users or systems.
3. Screened subnet firewall configuration
Two packet filtering routers are used: one between the bastion host and the internet, and one between the bastion host and the internal network.
This configuration creates an isolated subnetwork.
Alert Correlation
“Correlating alarms”: Combining the fragmented information contained in the alert sequences and interpreting the whole flow of alerts to identify patterns, relationships, or sequences that indicate a larger, more significant threat.
ACCESS CONTROL
Access control is the method by which systems determine whether and how to admit a user into a trusted area of the organization.
Access control mechanisms/Functions
1. Identification: I am a user of the system.
2. Authentication: I can prove I’m a user of the system.
3. Authorization: Here’s what I can do with the system.
4. Accountability: You can verify my use of the system.
Identification
• Uniquely identifying individuals or entities seeking access to resources, systems, or facilities within an organization.
• Users provide a label by which they are known to the system.
• This label is called an identifier (ID), and it must be mapped within the security domain.
• Composite identifiers are built by concatenating elements (department codes, random numbers, or special characters) to make unique identifiers.
Authentication:
• Authentication is the process of validating a user’s purported identity.
• The user presents an identity, such as a username, an email address or a digital certificate, along with authentication factors to prove that identity.
Authorization:
Authorization is the matching of an authenticated entity to a list of information assets and corresponding access levels.
Accountability:
Accountability, also known as auditability, ensures that all actions on a system, authorized or unauthorized, can be attributed to an authenticated identity.
Network access control (NAC)
Network access control (NAC) is a security technology term for managing access to a network.
NAC authenticates users logging into the network and determines what data they can access and actions they can perform.
NAC also examines the health of the user’s computer or mobile device.
Elements Of NAC:
1. Access requestor
2. Policy server
3. Network access server (NAS)
Access requestor:
• Typically refers to an entity or system that requests access to resources, data, or services within a network or system environment.
• Includes workstations, servers, printers and cameras.
Policy server:
Based on the AR’s request and an enterprise’s defined policy, the policy server determines what access should be granted.
The policy server often relies on backend systems, including antivirus, patch management, or a user directory, to help determine the host’s condition.
Network access server (NAS):
• The NAS functions as an access control point for users in remote locations connecting to an enterprise’s internal network.
• Provides access.
• The NAS may include its own authentication services or rely on a separate authentication service from the policy server.
TYPES OF ACCESS CONTROL
Discretionary access controls (DACs):
• Allow users to control and possibly provide access to information or resources of their own.
• The users can allow general, unrestricted access, or they can allow specific people or groups of people to access these resources.
• For example, a user might have a hard drive that contains information to be shared with office coworkers.
Non-discretionary access controls (NDACs):
• Are managed by a central authority in the organization.
• Access is determined by policies and rules established by system administrators or security policies.
• Lattice-based access control (LBAC) is a model for controlling access to resources in computer systems, particularly in multi-level security environments.
• Lattice-based control specifies the level of access each subject has to each object.
Role based control:
• RBAC assigns permissions to users based on their roles within an organization.
• Users are grouped into roles, and permissions are associated with each role.
• This simplifies administration and enhances security by ensuring that users only have access to resources necessary for their roles.
Mandatory access controls (MACs)
• In MAC, access control is determined by the system based on security labels assigned to each resource and each user.
• Users and resources are assigned sensitivity labels, and access is granted or denied based on predefined rules or policies.
• MAC is commonly used in high-security environments such as military or government systems.
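The lattice-based and mandatory access control described above, as an added example that is not part of the slides: a label is a sensitivity level plus a set of compartments, one label dominates another when its level is at least as high and its compartments include the other's, and the system (not the resource owner) decides access from the two labels alone. The users, files, levels and compartments are constructed.

```python
"""Lattice-based mandatory access control (added example).

Reading requires the subject's label to dominate the object's (no read up);
writing requires the object's label to dominate the subject's (no write down),
so information can only flow upward in the lattice. Labels that are
incomparable (same level, different compartments) permit neither.
"""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset

    def dominates(self, other):
        """Partial order of the lattice: higher-or-equal level and superset of compartments."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def mac_decision(subject, obj, mode):
    """System-enforced decision from the two labels; the object's owner cannot override it."""
    if mode == "read":
        return subject.dominates(obj)
    if mode == "write":
        return obj.dominates(subject)
    raise ValueError(f"unknown access mode: {mode!r}")


# Constructed subjects (users) and objects (files) with their sensitivity labels.
USERS = {
    "analyst": Label("secret", frozenset({"finance"})),
    "clerk":   Label("confidential", frozenset()),
    "auditor": Label("secret", frozenset({"hr"})),
}
FILES = {
    "budget.xlsx":  Label("secret", frozenset({"finance"})),
    "payroll.csv":  Label("secret", frozenset({"finance", "hr"})),
    "hr_notes.txt": Label("secret", frozenset({"hr"})),
    "memo.txt":     Label("confidential", frozenset()),
    "public.txt":   Label("unclassified", frozenset()),
}


def access_matrix(mode):
    """Evaluate every (user, file) pair for one access mode."""
    return {(u, f): mac_decision(USERS[u], FILES[f], mode)
            for u in sorted(USERS) for f in sorted(FILES)}


def permitted(user, mode):
    """Files the given user may access in the given mode."""
    return sorted(f for (u, f), ok in access_matrix(mode).items() if u == user and ok)


if __name__ == "__main__":
    for user in USERS:
        print(f"{user:8s} read : {permitted(user, 'read')}")
        print(f"{user:8s} write: {permitted(user, 'write')}")
```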
