Access controls enable the protection of security assets by restricting access to systems and data by users, applications and other systems. Without a doubt, access controls are the cornerstone of any enterprise information security program.
In this CISSP Essentials Security School lesson, Domain 2, Access Control, expert CISSP exam trainer Shon Harris offers a video presentation detailing how access controls support the core security principles of confidentiality, integrity and availability by inducing subjects to positively identify themselves, verify they possess appropriate credentials and the necessary rights and privileges to obtain access to the target resource and its information. Key focus areas include access control principles; administration and practices; models and technologies; types, methods and techniques; and threat monitoring.
Prepare for the video by reading the Domain 2 spotlight article, which provides an in-depth look at the challenges and principles behind access controls, their diverse variety, what threats they can mitigate and the challenges of selecting, implementing and administering them.
After watching the video, test your comprehension of this material with our Domain 2, Access Control quiz. Upon completion, return to the CISSP Essentials Security School table of contents to select your next lesson.
About the instructor:
Shon Harris is a CISSP, MCSE and President of Logical Security, a firm specializing in security educational and training tools. Logical Security offers curriculum, virtual labs, instructor slides and tools for lease by training companies, security companies, military organizations, government sectors and corporations.
Shon is also a security consultant, an engineer in the Air Force's Information Warfare unit, an entrepreneur and an author. She has authored two best-selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is currently finishing her newest book, Gray Hat Hacking: The Ethical Hacker's Handbook.
CISSP is a registered certification mark of the International Information Systems Security Certification Consortium, Inc., also known as (ISC)2.
Read the full transcript from this video below:
CISSP Essentials training: Domain 2, Access Control
Host: Welcome to Search Security CISSP Essentials, Mastering the Common Body of Knowledge.
This is the second in a series of ten classes, exploring the fundamental concepts, technologies, and practices of information systems security corresponding to the CISSP's Common Body of Knowledge.
In our last class, we explored security management practices. Today's class will examine topics covered in the second domain of the CBK, access control. The cornerstone of information security is controlling how resources are accessed, so they can be protected from unauthorized modification or disclosure. The controls that enforce access control can be hardware or software tools, which are technical, physical, or administrative in nature.
In this class, lecturer Shon Harris will cover identification methods and technologies, biometrics, authentication models and tools, and more. Shon Harris is a CISSP, MCSE, and president of Logical Security, a firm specializing in security education and training. Logical Security provides training for corporations, individuals, government agencies, and many organizations. You can visit Logical Security at www.logicalsecurity.com.
Shon is also a security consultant, a former engineer in the Air Force's Information Warfare unit, and an established author. She has authored two best-selling CISSP books, including CISSP All-in-One Exam Guide, and was a contributing author to the book Hacker's Challenge. Shon is currently finishing her newest book, Gray Hat Hacking: The Ethical Hacker's Handbook. Thank you for joining us today, Shon.
Shon Harris: Thank you for having me.
Host: Before we get started, I'd like to point out several resources that supplement today's presentation. On your screen, the first link points to a library of our CISSP Essentials classes, where you can attend previous classes, and register to attend future classes as they become available. The second link on your screen allows you to test what you've learned with a helpful practice quiz on today's material. And finally, you'll find a link to the Class 2 Spotlight, more detailed information on this domain. And now, we're ready to get started. It's all yours, Shon.
Shon Harris: Thank you. Thank you for joining us today, we are going to go over the Access Control domain. This is a very large domain for the CISSP exam. It's not as difficult; students don't usually find it as difficult as the other domains, but it does have a lot of material in it. In this domain we talk about different access control types, technologies and methods for authentication and authorization, we'll look quickly at some of the models that are integrated into applications and operating systems that control access, and how subjects and objects communicate within the software itself. We also need to understand how to properly administer access to the company's assets. And then we'll quickly look at intrusion detection systems.
Now, in the last class that we had, I talked about different types of controls, and I said that this is a theme throughout all of the domains within the Common Body of Knowledge, and it's important for you to not only understand the different types of controls, physical, technical and administrative, but you'll need to know examples of each kind, and how they apply within the individual domain. Since we're talking about access control right now, we have listed some of the controls that a company can put in place, to control either physical or logical access.
Physical controls, of course, can be that you actually have locks, you have security guards, you have fences, you have sensitive areas that are blocked off that maybe need some type of swipe-card access to it. Technical controls would be what you would think of; it's access control, logical controls that are built into applications, operating systems, biometrics, encryption. And administrative controls also come into the play of access control, although most, a lot of people don't think about it. You need to have a security program that outlines how, the role of security within your environment, but also who is allowed to access what assets, and the ramifications for these, if these expectations are not met.
Now even though we have three categories of controls, we also have different characteristics that individual controls can provide. The individual controls -- and when we say controls, it's the same thing as a countermeasure or a safeguard, it's a mechanism that is put in place to provide some type of security service -- these different controls can provide different types of services.
The control can be preventative, meaning that you're trying to make sure something bad does not take place. Preventative controls could be developing and implementing a security program, encrypting data, you encrypt data to try to prevent anybody from reviewing your confidential information.
Something that provides detective service is something that you would look at after something bad happened. So maybe a system goes down, you're going to look at the log to try to piece back together what took place, and try to figure out how to fix the problem. Intrusion detection systems are detective controls, because they're looking after the fact, maybe after an attack took place.
Corrective means that something bad has already happened, and you have controls that can fix the problem and get the environment or the computer back to a state of working. An example of a corrective control could be, you have antivirus software. Once a file actually gets infected, your antivirus software, if it's configured to do this, will try to strip that, the virus, out of the infected file; it's going to try to correct the situation.
There's other types of corrective controls within your operating systems and software. These entities will save state information. State information is really how the variables are populated at a certain snapshot in time. Applications and operating systems will save state information, so if there's some type of a glitch, maybe a power glitch, or maybe there's an operating system glitch, it will try to correct the situation, and bring you back to the state, and save your data.
Now, deterrent. Some people have a problem, or don't really understand the difference between deterrent and preventative. Deterrent is that you're trying to tell the bad guy, "We're protecting ourselves, we're serious about security, so you need to move on to an easier target." Preventative means you're trying to prevent something bad from taking place. Deterrent means that you have something that's actually visible in some way, to tell the possible intruder that they're going to have to go through some work to actually carry out the damage they want to. And an example is when people actually put "Beware of Dog" signs up. Some people may not even have a dog, but they're just trying to tell the bad guy, "Go away, because we have some type of security mechanism."
And if you have an access control that provides recovery, and there's different kinds of mechanisms that can provide different types of recovery; for example, if your data actually got corrupted, you need to recover the data from some kind of backup. And compensation just means there's alternate controls that provide similar types of service that you can choose from.
Now you need to be familiar with a combination, like administrative detective, you need to understand physical detective, technical detective, you also need to know administrative preventative, technical preventative, physical preventative. And what I mean by this is that you need to understand, if something is detective and administrative, that it's trying to accomplish certain types of tasks, and you need to know examples of each kind.
Here we have some examples of detective administrative. In job rotation, a lot of people don't understand how it's detective in nature, but it is, a very powerful control that companies can put in place. The security purpose of using job rotation is that if you have one person in a position, and they are the only ones that carry out that job, they're the only ones who really know how that job is supposed to be carried out and what they're doing, they could be carrying out fraudulent activity and nobody else would know. So the company should rotate individuals in and out of different positions, to possibly uncover fraudulent activity taking place. And this is definitely a control that's used in financial institutions.
Now, this is different than separation of duties. Separation of duties would be an administrative preventative control. Separation of duties means that you want to make sure that one entity cannot carry out a critical task by themselves, so you split that task up, so that these two entities would have to carry out their piece of the task before the task can be completed, and that's preventative because you're trying to prevent fraudulent activity from taking place. Job rotation is detective, because you rotate somebody into a new position, and since they may uncover some of the fraudulent activity that could've been happening.
So we have examples of detective technical -- again that's after the fact, intrusion detection systems, reviewing logs, forensics and detective physical, physical controls that can be used to understand what took place, and possibly... now you need to go after the bad guy, now you need to try to get the environment back up to a working state, or you need to start collecting evidence for prosecution.
Now, there's different authentication mechanisms that we use today, and they all have one or more of these characteristics: it's something that you know, something that you have, or something that you are. And something that you know would be like a PIN number, a password, a passphrase. Something that you have would be a memory card, a smart card, a swipe card. And something that you are is a physical attribute, so something that you are is talking about biometric systems, and we're going to look at different types of biometric systems in a minute.
Now, most of our authentication systems today just use one of these, and combine it with a username or a user account number, and that's considered one-factor. Two-factor means that you have two steps necessary to actually carry out the authentication piece. Two-factor authentication provides more protection. It's also referred to as strong authentication. So there's different types of mechanisms to authenticate individuals or subjects before they can actually access subjects or objects within your environment. These are the ones that you need to know for the CISSP exam.
Biometrics is a type of technology that will review some type of physical attribute, and in biometrics, what happens is that an account is set up for an individual, and there's an enrollment period that goes through. So for example, let's say the administrator set up an account for me, and the biometrics system that we're using is fingerprint, so I will put my finger into a reader. Now this reader is going to read specific vectors on my finger, and extract that information. That information from my finger is held into a profile or reference file, and then it's put into a back-end database, just as our passwords and such would be kept in a back-end database. When I need to authenticate, I will put in some type of username or user account number, and then I will put my finger into the reader. The reader will pull the information, will read the same vectors on my finger and compare it to the profile that is kept in the database. If there's a match, then I'm authenticated.
Token devices, there's several different types of token devices. Within the CISSP exam, you need to understand the difference between synchronous and asynchronous token devices. And these devices actually create one-time passwords, and one-time passwords provide more protection than a static password, because you only use it once. If the bad guy sniffs your traffic and uncovers that password, it's only good for a short window of time. So the token devices, synchronous is time or event-based, and asynchronous is based on challenge-response. And for the exam, you need to understand the differences between them, and how they work, and the security aspects of both of them.
The other authentication mechanisms are memory cards and smart cards, and cryptographic keys. And cryptographic keys means that you're actually using your private key to prove you are who you say you are. It's not a public key, and when you go into cryptography you truly understand the difference between a private key and a public key, and the different security characteristics each of them provide. But today we use cryptography for a lot of different reasons. If you're using cryptography for authentication, you're providing your private key. Now, within biometrics, we have different types of errors that we need to be aware of.
A type one error means that somebody who should be authenticated and authorized to access assets within the environment, did not happen. So if we experience a type one error, that means that someone who should've been authenticated, did not. So the scenario I went through, I went through an enrollment period, the system has a profile on me, I've authenticated, I've gone through the steps of being authenticated, and it shuts me out, it doesn't let me in. And this can happen with biometrics, especially if it's a finger reader, if it's a fingerprint reader, then of course if you have a cut, or you have dirt; voiceprint, if you have a cold, or if there's some type of problem with your voice. So because biometrics looks at such sensitive information, there is a chance for more type one errors.
Now type two errors is actually more dangerous than type one errors, it means you're allowing the imposter, you're allowing somebody to authenticate who should not be able to authenticate. So let's say Bob, has never gone through an enrollment period, and should not be allowed to access our company assets, but he goes through the process of authentication, the biometric system lets him in, and that's a type two error.
Now there's a metric, that's Crossover Error Rate, and this is used, the CER value is used, to determine the accuracy of different biometric systems. And the definition of the CER value is when type one equals type two errors. That means you have just as many type one errors as you have type two errors. And the reason that we use this metric is because when you get a biometric system, you calibrate it to meet your needs and your environment. The more sensitive that you actually make your biometric system, you will have a reduction in type two errors, so you're trying to keep that bad guy out, but you're going to have an increase in type one errors, meaning that the people who are supposed to be authenticated are going to be kept out.
So, companies have to do a balance between type one errors and type two errors, because if you have too many type one errors, people who are supposed to be authenticated are not getting in. So you will calibrate this device to meet the necessary sensitivity level for your environment. And, let's say you and I are customers, we're looking at different biometric devices. Well how do we know that one is more accurate than the other? We don't know that, we as customers don't know that. We can go by the vendor's hype on how great their product is, but what's better is to have biometric systems that are tested by a third party, that come up with an actual rating, which is a CER rating. So a CER rating indicates how accurate the biometric system is, so the lower the CER rating, the more accurate a biometric system is.
Now, there's several different types of biometric systems used today, some of them of course we use more often than others. Biometrics has been around for a long time, and it really hasn't been that popular until after 9/11, mainly because the society has kind of a push back to biometrics, because it seems to get too much into our space, it's too intrusive. We're used to having to provide a PIN number or password.
So for the CISSP exam, you need to know the difference between all of the biometric system types. For example, the retina scan will look at the blood vessel patterns behind the eye, iris scan will look at the color patterns around the pupil, signature dynamics is something that's different than you actually just signing a check. Signature dynamics is collecting a lot of electrical information on how you sign your name, how you hold the pen, the pressure that you use, how fast you sign your name, and the static result, your actual signature. So it's easy to forge somebody's signature, but it's very difficult to write their name exactly as they write it.
You also need to know the difference between hand topology and geometry. Hand topology is a side view of the hand, where geometry is the top view of the hand. So in topology, if you had a topology reader, you would put your hand in, and then there's a camera or a reader off to the side that will look at the thickness of your hand, you know your knuckles and such, and then geometry as the reader on top that looks at the whole view of your hand.
Now I said that memory cards and smart cards are used for authentication, and memory cards are very simplistic, it just means that they have a strip on the back of the card that holds data, that's all it does, it just holds data. Memory card doesn't have any intelligence, it can't do anything with the data. A smart card is different, it actually has a microprocessor, it has integrated circuits, and you have to authenticate to your smart card to actually unlock it, because your smart card is like a little tiny computer; it can actually do stuff, it can process data. And, when you look at a smart card, you see that there's a gold seal. That gold seal is the input output channels that your card will communicate to the reader.
So you put your card into a reader, and not only is it going to communicate to the reader through that gold seal, the input-output, but it's also going to get its power from the reader. So you put your card through, you put in your PIN number. If you put it in correctly, you unlock this smart card. And the smart card could do a lot of things, it depends on how it's coded. It could hold your private key, if you're working within a PKI so you need to authenticate, it could respond to a challenge-response, it can create a one-time password, it could hold a lot of your work history information.
And smart cards are really catching on more today. They've been popular in many different countries outside of the United States, United States is now kind of catching up, where the military has changed over for their ID all to smart cards, a lot of credit cards are using smart cards, and they provide more protection because you have to authenticate to them, and also it's harder to compromise a smart card.
In fact, some smart cards, if I try to authenticate, like I put my PIN number in incorrectly, let's say four times, it can actually lock itself, where I have to call the vendor to get an access code to override that. Some smart cards will actually physically just burn out their own integrated circuits, so if I maybe do like a brute force attack, I try to authenticate, authenticate, authenticate, and after I reach a certain threshold, it will just go ahead and burn its own circuits, so that the physical card cannot be used anymore.
Now in this domain, we also look at single sign-on technologies. And the goal of single sign-on is that users only have to type in one credential set, and they'll be able to access all of the resources within the environment they need to carry out their task. This is kind of a big thing in some markets today, there's a lot of companies that's trying to accomplish single sign-on through their products. And that helps the user because today, in most environments, users have to have several different username and passwords, or whatever credential sets, to be able to access different types of servers, different types of resources.
That also adds to the burden of administration, when we've got all of these different types of systems and have to keep all of these various user credential sets. So single sign-on, you just log in once, and you access the resources you need, but it's kind of a utopia that a lot of companies are going after right now. The difficulty is because you're trying to get a lot of diverse technologies to be able to understand and treat one credential set the same, and let's say you have five different flavors of UNIX in your environment, you have different Windows versions, you have legacy systems, it's not easy to accomplish. So even though there's a lot of different technologies for single sign-on, these are the ones that will be covered in the CISSP exam that you need to know about.
Now Kerberos is an authentication protocol that's been around for quite some time. It's been integrated and used in UNIX environments, and it's catching on more and more today, mainly because Microsoft has integrated it into its Windows 2000 family. And in fact, Windows 2000 will try to authenticate you through Kerberos first, and if your system is not configured to be able to do that, then it'll drop down to another authentication method. Now Kerberos is based on symmetric key cryptography, which is important. And there's different components within Kerberos, we have the KDC, Key Distribution Center, and principals and the realms.
Now, a quick overview, is that within an environment, a network that is using Kerberos, what can't happen is that users and services cannot communicate directly. I cannot communicate directly to a print server; I have to go through steps to properly authenticate myself. Services cannot communicate, remote services cannot communicate directly to each other. They have to be authenticated. So the KDC holds all of the symmetric keys for all of the principals. And just like with the different technologies, each technology can come up with their own terms.
If you're not familiar with principals or realms, a KDC is responsible for all the services and users within an environment. All those services and users are referred to as principals. An environment is referred to as a realm. If you're familiar with the term of domain, within Microsoft, a domain controller is responsible for one domain. [It's] the same type of thing, a KDC is responsible for one realm, and a realm is made up of principals.
Now the KDC is made up of two main services, the authentication server, and the ticket granting service. And I'll just quickly walk through the steps that happen within Kerberos. Let's say I come in to work, and I need to authenticate. So I'm going to send over my username over the KDC, actually to the authentication service on the KDC. I send over my username, but I do not send over my password, and that's a good thing, because since the password is not going over the network, somebody can't grab it and try to use it. So I send over my username, the KDC will look up to see if it knows Shon Harris, it does know Shon Harris, it's going to send over an initial ticket that's encrypted. Initial ticket gets to my computer, and my password is converted into a secret key.
Now, the key, my password and the secret key, is used to decrypt the initial ticket. If I've typed in the correct password, I can decrypt this initial ticket. If that takes place properly, I am now authenticated to my local system. If I need to communicate to something outside of myself, here we have a file server, I have to send an initial ticket over the ticket granting service. And basically that initial ticket says to the ticket granting service, "Look, I've authenticated, I need to talk to the file server, create another ticket for me." Ticket granting service will create a second ticket, called Ticket Granting Ticket, and it'll have two session keys. It comes over to me, I pull out one of the session keys, and I send it over to the file server, and we both have session keys now. And I just did a really quick overview, these steps actually get a little bit deeper, a little bit more complex, and you actually need to understand them for the exam, along with some of the downfalls of Kerberos itself.
Now a large portion of this domain goes into different models, different access control models. And these models -- most people I find, aren't really familiar with where these models come into play -- they are the core of an application or an operating system. When a vendor actually builds an operating system, they have to make a decision, before they even write a piece of code, what type of access control is going to be used within their product. The discretionary access control means that data owners can choose who can access their files and their data. And this is the model and environment that we're most used to, because all of Windows, Macintosh, most flavors of UNIX and Linux work on DAC. And it just means that you can determine who can access what files and directories within your system.
And you know if you're working on a DAC system, if you're in Windows, you do a right-click, you look at Security Properties, and you can see who has read access, who has full control, and you can choose who has these levels of access. In a Linux environment, if you can do the CHMOD command, and change the actual attributes on files, you're working in a DAC model because it allows you to make those decisions. Now, that's different than a MAC model. Mandatory Access Control makes its decisions, the system will make the decisions, the data owners and the user will not make decisions.
In the MAC model, the operating system will make decisions based on the clearance of the user, and the classification of the object. So if I'm trying to access, let's say I have top-secret clearance, I'm trying to access a file that has secrets, my clearance dominates the classification, and the operating system will allow me to access that. So, Mandatory Access Control is much more strict, it doesn't allow users to do anything, it doesn't allow users to make any decision or configuration changes. And MAC systems are used in more of like government environments, military environments, where secrets really have to be kept secret.
Role-based just means that you're setting up roles or groups, you assign rights or permissions to those roles or groups, and then you put users in them, and they inherit those rights.
And even though I'm going very quickly over these, you need to know a lot of this stuff to much more of a depth than I'm actually covering for the exam. When do you use these type of models, in what environment, the characteristics of the different models, the mechanisms used in the models, the restrictions, all of that. Most of us are not familiar with Mandatory Access Control systems unless we work in that type of environment. The most recent operating system that came out that's MAC, Mandatory Access Control, is SE Linux, Security Enhanced Linux, that was developed by the NSA and Secure Computing.
Now, we also need to be concerned about how we're controlling access. So far we've looked at some controls that we could put in place, the different types of controls, what characteristics those controls will provide, preventative, corrective, deterrent, and we looked at authentication mechanisms that will provide either something that you know, something that you have, something that you are. And we looked at single sign-on technologies. Now we need to look at, how do we properly administer the control, especially remotely? In today's environment, we have a lot of remote users that need to access our corporate assets, so how do we deal with that?
And the three main protocols we need to know about are RADIUS, TACACS, and Diameter. Now, RADIUS has been around for a long time. It's an open protocol. And anytime anything is referred to as open, it means it's available to vendors to manipulate the code to work in their product. So different vendors have taken the RADIUS protocol and manipulated it enough to work seamlessly in their product. So we have different flavors of RADIUS.
Each one of these protocols that we're talking about is referred to as a triple A protocol, which means it carries out authorization, authentication, and auditing. And auditing also includes something that most people don't think about, but auditing is the way for ISPs to keep track of the amount of bandwidth that's being used, so it could charge the corporation properly. So it's not just auditing on keeping track of what happened, but also used in
So in RADIUS, just to walk through a quick scenario, let's say I want to access the Internet. I will connect to my ISP, and my ISP will go through a handshake of how authentication will take place, but what I'm communicating to is an access server. This access server is actually the RADIUS client. I am not a RADIUS client, the access server is a RADIUS client. The RADIUS client communicates to a RADIUS server. The RADIUS server is the component that has all of the username and passwords and the different connection parameters.
So I will send my credentials over to the RADIUS client, which is the access server. The RADIUS client will send that information over to the RADIUS server, the RADIUS server will determine if I've entered the right credentials or not, and send an accept or decline back to the RADIUS client. Now the RADIUS server will also send not just an accept or decline, but it could indicate the type of connection that needs to be set up, how much bandwidth I'm allowed, if I need a VPN setup, etc. And that's just to get on the Internet. A lot of times when you need to communicate with your corporate environment, you're going to have to go through a second set of authentication, and a lot of companies do use RADIUS in that mode also.
Now, TACACS is not an open protocol, TACACS is a proprietary protocol, it's been developed and owned by Cisco. So, they're not going to allow you to have the code for free, and manipulate it as you see fit. It works with their products. Now, TACACS has gone through generations, as TACACS, extended TACACS, and now we're at TACACS+. Even though TACACS and RADIUS basically do the same thing, there are some differences. The authentication, authorization, and auditing pieces of TACACS+ are separate. In RADIUS they're all clumped together; you get them all, you don't have a choice.
In TACACS+, the administrator, who is configuring and setting this up, can choose what services he or she actually wants. TACACS also allows the administrator to come up with more detail-oriented profiles than RADIUS, meaning that if you have Sally authenticating remotely into the corporate world, then she can have her own profile on what she can and can't access, which can be different than Mark's. That's something different. Also, TACACS+ communicates over TCP, which is a reliable transport protocol, where RADIUS goes over UDP. And, RADIUS does not protect the RADIUS client to the RADIUS server communication as well as TACACS+ does. Between the RADIUS client and the RADIUS server, just the user password is encrypted. Between TACACS+, the client and the password, all of this communication going back and forth, is encrypted.
Now, Diameter is a new protocol that a lot of people don't know about. The goal is that it's supposed to possibly replace RADIUS. The reason that Diameter was created is that we have a lot of devices today that need to be able to authenticate differently than the traditional methods. The traditional methods of remote authentication, at one time happened over SLIP connections, now it's happening over PPP connections, and uses traditional ways of authenticating, PAP, CHAP, or EAP. But we have wireless devices, we have smartphones, we have a lot of devices that can't, or don't, communicate over these types of connections, also don't have the resources to have a full TCP/IP stack, and maybe need to authenticate different ways.
So Diameter allows for different types of authentication, it really opens the door to the types of devices that can authenticate to your environment, and how that authentication can take place. Now I didn't come up with this, they came up with this. Whoever created Diameter, they said "Diameter is twice of RADIUS." If you get it, "radius and diameter," they're saying, "Diameter is twice of RADIUS." So I guess if you come up with a new protocol, you can come up with your own goofy name.
Now in this domain also, we go through intrusion detection systems. Two basic approaches to IDS are network-based versus host-based. And network-based means that you have sensors that are in different locations within your environment, and you have to be aware that whatever type of traffic you're trying to monitor, that's where you need to have a sensor, and a sensor is either a dedicated device, or it's a computer running IDS software, and the network interface card is put in promiscuous mode. Promiscuous mode just means it can look at all the traffic going back and forth.
So another thing is, where do you actually place that sensor? Do you want it in your DMZ? A lot of companies put an IDS sensor in their DMZ. Companies have to make a decision on if they're going to put a sensor in front of their firewall, that is facing an untrusted environment. If you put a sensor outside of your environment, in front of your firewall, you're going to get an amazing amount of traffic, so a lot of companies don't do that, because there's so much junk, there's so much traffic. Some companies who require a higher level of protection will put a sensor outside the firewall to find out who's knocking, and start to gather statistics on trying to be able to predict the type of attacks that may take place. Because there's certain things, certain pings, sweeps, and probes, and activities that you can determine, "Okay, this is what the person's after, this is the type of attack we need to be prepared for."
So a network-based is different than a host-based; a host-based just means that you've got some type of software that's on an individual system, and that's its world, it doesn't understand network traffic, it doesn't care about network traffic. It just cares about what's going on within that single computer. And a host-based IDS would be looking at user activity, what's trying to access system and configuration files, what types of access are coming in from the outside, and trying to determine any type of malicious activity.
We can also split the IDSes up into signature and behavioral-based. Now, signature-based is basically the same type of idea as antivirus software. Antivirus software has signatures that are just patterns to try to map to an actual virus. In IDS, we have signatures which are patterns that the IDS uses to be able to determine if there's a certain attack going on. For example, there's an attack called the LAND attack; in the LAND attack, the source and destination IP address and port are the same, because in a packet, the source and destination IP addresses have to be different. I send you a packet, my source IP address, and your destination IP address. Well, if I'm a bad guy, I can manipulate that header, and have the source and destination address to be yours, and if your system is vulnerable to a LAND attack, that just means your TCP/IP stack has no idea how to interpret that. And that's an example of a signature.
So if an IDS actually has that signature, and it finds a packet that has the same source and destination address, it will then alert that there's this type of attack going on.
There's other types of attacks that could be identified this way; Xmas, which means all the flags within headers are turned on, a lot of different types of fragment attacks is where the offsets within the headers are incorrect. And signature is different than behavioral-based. A behavioral-based system will learn about what is considered normal in your environment. And really how IDSes started was behavioral-based, behavioral host-based systems. They were developed and used within the military, the military was not as concerned about attacks, but concerned about users misusing their resources. But we've extended behavioral-based to look for attacks in network-based systems.
So behavioral-based, what'll happen is, you'll install this IDS in your environment, and it goes through a learning mode, it learns on what are the normal activities for your environment, the user activities, the types of protocols that are used, how much UDP traffic is used compared to TCP traffic. And after this learning mode, which is usually a couple of weeks, then you have a profile. The profile is used to compare the rest of your traffic, compared to this profile. Anything that does not match the profile is considered an attack. Now, one benefit of a behavioral-based is that it can detect new attacks, because it's just something out of the normal, out of norm. So behavioral can detect new attacks, where signature-based can only detect attacks that have been identified, and signatures were written about them.
Now, two types of behavioral-based IDS are statistical and anomaly-based. And statistical means that you have a certain threshold set, and you as a network administrator would do this configuration. Because in our example here, you may have 10 FTP requests over a ten minute period, and that's fine; there could be that many requests within your whole environment, that's not a problem. But if you have 50 FTP requests within 10 minutes, that is out of the norm. That means that something actually is going on, somebody's trying to break into some type of FTP servers that you have. So this is just one example, you've several different statistical-based thresholds to be able to determine if an attack's going on.
And an anomaly based just means that again, something does not match the historical values that were set before your IDSes learned what's normal, and if something is out of the norm, it's considered an anomaly. Now what's important is that when you put your IDS in this learning mode, that you make sure that your environment is pristine, because companies have put their IDS in learning mode and have been under attack. If that's true, then the IDS thinks that's normal, and will incorporate that into the profile.
Now, this is pretty quick, I'm going through a very large domain. There's a lot of things that I didn't actually cover, that's covered in the Access Control domain. But the crux of this domain is understanding the difference between identification, authorization, authentication, the technologies and methods for each one of those, how they interact, the mechanisms that can provide these; mainly authentication is looked at. And we looked at the cryptographic keys, the memory cards, the smart cards.
We didn't go into passwords and passphrases, virtual passwords, but those are components you use for authentication. Single sign-on, you actually need to know specific characteristics about SESAME, and thin clients, and a lot more about Kerberos than I covered. The different models are hit pretty hard, DAC, MAC, role-based, rule-based, and again, into intrusion detection systems, we also go into this domain. We look at different types of attacks that can happen against the different methods and technologies that are addressed in this domain. So, this is just a quick one-hour look at this domain, it's a very large domain, and very important for corporations to understand how to properly control access to the assets that they're needing to protect.
Host: Thank you, Shon. This concludes class two of CISSP Essentials, Mastering the Common Body of Knowledge: Access Control. Be sure to visit www.searchsecurity.com/CISSPEssentials, for additional class materials based on today's lesson, and to register for our next class, on cryptography. Thanks again to our sponsor, and thank you for joining us, have a great rest of the day.
This was first published in July 2008
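
The following Python example is added here and is not part of the lecture transcript. It applies the lecture's two signature checks (LAND, all flags set) and its statistical threshold of 50 FTP requests within 10 minutes to constructed packet records; the `Packet` record, the alert names and the sample addresses are assumptions made for illustration, and packets are assumed to arrive in time order.

```python
from collections import deque
from dataclasses import dataclass

# The six classic TCP flags; models the lecture's "all flags turned on" signature.
ALL_FLAGS = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})

@dataclass(frozen=True)
class Packet:  # simplified header record (assumption, not a capture format)
    ts: float  # seconds since start of monitoring
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset({"SYN"})

def signature_alerts(pkt):
    """Signature-based: match fixed header patterns of known attacks."""
    alerts = []
    if pkt.src == pkt.dst and pkt.sport == pkt.dport:
        alerts.append("LAND")
    if pkt.flags >= ALL_FLAGS:
        alerts.append("ALL_FLAGS_SET")
    return alerts

class FtpRateDetector:
    """Statistical: alert when FTP requests in a sliding window reach a limit."""
    def __init__(self, limit=50, window=600.0, port=21):
        self.limit, self.window, self.port = limit, window, port
        self.seen = deque()

    def observe(self, pkt):
        if pkt.dport != self.port or pkt.flags != frozenset({"SYN"}):
            return False  # count only new connection requests to the FTP port
        self.seen.append(pkt.ts)
        while self.seen[0] <= pkt.ts - self.window:
            self.seen.popleft()  # drop requests older than the window
        if len(self.seen) < self.limit:
            return False
        self.seen.clear()  # one alert per burst, then start counting again
        return True

def run_ids(packets):
    rate, alerts = FtpRateDetector(), []
    for pkt in packets:
        alerts += [(pkt.ts, name) for name in signature_alerts(pkt)]
        if rate.observe(pkt):
            alerts.append((pkt.ts, "FTP_RATE"))
    return alerts

# Constructed sample traffic (documentation addresses, not real captures).
NORMAL = [Packet(60.0 * i, "198.51.100.7", 40000 + i, "192.0.2.10", 21) for i in range(10)]
ODD = [Packet(700.0, "192.0.2.10", 139, "192.0.2.10", 139),
       Packet(710.0, "198.51.100.9", 40100, "192.0.2.10", 80, ALL_FLAGS)]
BURST = [Packet(2000.0 + 2 * i, "203.0.113.5", 41000 + i, "192.0.2.10", 21) for i in range(50)]
```

Calling `run_ids(NORMAL + ODD + BURST)` returns the alert list in arrival order; the ten evenly spaced FTP requests in `NORMAL` stay under the threshold and raise nothing.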