CISSP CBK #2 Access Control
Access Control This chapter presents the following material: –Identification methods and technologies –Authentication methods –DAC, MAC and role-based (non-DAC) models –Accountability, monitoring and auditing –Unauthorized disclosure of information –Intrusion detection systems –Threats to access control practices and technologies
Access Controls Access controls are security features that control how people can interact with systems and resources. The goal is to protect against unauthorized access.
Access Access is the flow of information between a subject and an object. A subject is an active entity (a person, process or program) that requests access; an object is a passive resource (a file, printer etc.)
Access Control (157) Access control should support the CIA triad! Let’s quickly go over the CIA triad again
Components of Access Control (158) Quick overview, details on each coming up: Identification – who am I? (userid etc.) Authentication – prove that I am who I say I am Authorization – now what am I allowed to access? Auditing – Big Brother can see what I accessed.
CISSP BUZZWORD Logical (technical) access controls are used for these 4 items.* –Things like smart cards, biometrics, passwords, audit systems and SELinux are all examples of logical controls.
Identification (159 & 162) Identifies a user uniquely (hopefully): SSN, UID, SID, username. Should uniquely identify a user for accountability (don’t share). A standard naming scheme should be used. The identifier should not indicate extra information about the user (like position). DO NOT SHARE (NO group accounts)
Authentication (160) Proving who you say you are, usually one of these 3 –Something you know (password) –Something you have (smart card) –Something you are (biometrics) What is wrong with just using one of these methods?
Strong Authentication (161) Strong Authentication is the combination of 2 or more of these (also called multi-factor authentication) and is encouraged! –Strong Authentication provides a higher level of assurance*
Authorization What does this mean? What are some types of authorization mechanisms? (ACLs, permissions) We will go more in depth on this later. Authorization is a preventative “control”* (we will talk about controls later)
Auditing What is the purpose of auditing? Auditing is a “detective” control* (we will talk about this later)
Recap Identification – what is it? Authentication – how is this different from identification Authorization – what does this mean? Auditing – what’s the point?
Identity Management (162) Identity management products are used to identify, authenticate and authorize users in an automated manner. It’s a broad term. These products may (or may not) include –User account management –Access controls –Password management –Single sign-on –Permissions
ID Management and the CISSP (164) Know for the exam that ID management solutions include –Directories –Web Access Management –Password Management –Single Sign On –Account Management –Profile update
Profile updates What is a profile? (not a Windows profile) A profile is the collection of data about a user: –Home address –Phone –Start date –Certifications –etc.
Profile updates (117) IdM systems may have centralized tools to manage profiles, may have “self service” portals where users can update their own info. Profiles are similar to ‘digital Identity’
Directories (165) Information about the users and resources –LDAP (based on X.500) Key concepts are namespaces (like branches of a tree) and DNs (distinguished names). Can anyone explain namespaces and DNs? A DN is built from relative DNs such as CN (common name), OU (organizational unit) and one or more DC (domain component) entries, e.g. CN=Jane Doe,OU=Engineering,DC=example,DC=com –Active Directory (a directory service that speaks LDAP) –Legacy NT (flat directory structure) –Novell NetWare (???)
Directories’ Role in ID management A specialized database optimized for read and search operations. Important because all resource info, user attributes, authorization info, roles, policies etc. can be stored in this single place. Directories allow for centralized management! However these can be broken up and delegated (trees in a forest).
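As an added example (not from the slides or the book), here is a small DN parser that shows what “namespace” and “distinguished name” mean in practice: it splits a DN into its RDNs, handles an escaped comma inside a value, and checks whether an entry sits inside a given branch of the tree. The DN values and the base DNs are constructed sample data.

```python
import re

# Split on commas that are not preceded by a backslash (RFC 4514 escaping).
_RDN_SPLIT = re.compile(r'(?<!\\),')


def parse_dn(dn):
    """Break a DN into (attribute, value) pairs, most specific RDN first.

    'CN=Jane Doe,OU=Engineering,DC=example,DC=com' ->
    [('CN', 'Jane Doe'), ('OU', 'Engineering'), ('DC', 'example'), ('DC', 'com')]
    """
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.strip().partition('=')
        if not sep or not attr.strip():
            raise ValueError('malformed RDN: %r' % rdn)
        # un-escape a literal comma inside a value, e.g. CN=Doe\, Jane
        rdns.append((attr.strip().upper(), value.strip().replace('\\,', ',')))
    return rdns


def namespace_of(dn):
    """The container (everything after the leaf RDN), rendered as a DN string."""
    return ','.join('%s=%s' % (a, v.replace(',', '\\,')) for a, v in parse_dn(dn)[1:])


def in_namespace(dn, base_dn):
    """True when dn sits at or below base_dn in the tree.

    LDAP matches DN attribute values case-insensitively, so compare lowered.
    """
    entry, base = parse_dn(dn), parse_dn(base_dn)
    if len(base) > len(entry):
        return False
    norm = lambda rdns: [(a, v.lower()) for a, v in rdns]
    return norm(entry[-len(base):]) == norm(base)


if __name__ == '__main__':
    user = 'CN=Jane Doe,OU=Engineering,DC=example,DC=com'   # constructed sample DN
    print(parse_dn(user))
    print(namespace_of(user))                                      # OU=Engineering,DC=example,DC=com
    print(in_namespace(user, 'ou=engineering,dc=example,dc=com'))   # True
    print(in_namespace(user, 'OU=Sales,DC=example,DC=com'))         # False
```

The namespace check is what a delegated-administration model (“trees in a forest”) relies on: an admin for OU=Engineering is allowed to touch only entries whose DN ends in that base.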
Meta and Virtual Directories (167) Meta-directories allow for a centralized directory when user information is spread across multiple different directories (the meta-directory synchronizes its data against the other databases). Virtual directories are like meta-directories, but instead of storing a copy of the data they just provide links or pointers to the data in the other directories. Advantages and disadvantages?
Web Access Management (168) Uses a web server (or servers) to deliver resources. Users authenticate against the web server using whatever auth scheme is implemented. Once authenticated, the user requests an object, the web server verifies authorization and, if allowed, returns the object. Mainly used for external users/access. Very Web 2.0, you probably see a lot of this nowadays.
Password Management (171) Allows users to change their passwords. May allow users to retrieve/reset passwords automatically using special information (challenge questions) or processes. Helpdesk-assisted resets/retrievals (same as above, but helpdesk people ask the questions instead of an automated system). May handle password synchronization.
Single Sign On Log in one time, and access resources in many places. Not the same as password synchronization. SSO software handles the authentication to multiple systems. What is a security problem with this? What are the advantages?
Account Management Software The idea is to centrally manage user accounts rather than manually create/update them on multiple systems. Often includes workflow processes that allow distributed authorization, i.e. a manager can put in a user request or authorize a request, tickets might be generated for a key card system for their locations, permissions might be created for their specific needs etc. Automates processes. Can include record keeping/auditing functions. Can ensure all accesses/accounts are cleaned up when users leave.
Federation (I hate this word) (178) A federation is multiple computing and/or network providers agreeing upon standards of operation in a collective fashion (self-governing entities that agree on common ground to ease access between them). A federated identity is an identity and entitlements that can be used across business boundaries. (MS Passport, Google Checkout)
Identity Management Overview Idea is to manage, identify and authorize users in an automated fashion Know for the exam that ID management solutions include –Directories –Web Access Management –Password Management –Single Sign On –Account Management –Profile update
Who needs ID management(178) Really everyone! (at least anyone that you will probably deal with) See table on Page 178
Biometrics (179) Bio – life, metrics – measure. Biometrics verifies (authenticates) an individual’s identity by analyzing a unique personal attribute (something they ARE). Requires enrollment before being used* (what is enrollment? Any ideas?) EXPENSIVE, COMPLEX
Biometrics (179) Can be based on –behavior (signature dynamics) – might change over time –physical attributes (fingerprints, iris, retina scans) –We will talk about the different types of biometrics later. Can give incorrect results: False negative (valid user rejected) – Type I error* (annoying) False positive (impostor accepted) – Type II error* (very bad)
CER (179) Crossover Error Rate (CER)* is an important metric, stated as a percentage, that represents the point at which the false rejection rate (Type I) equals the false acceptance rate (Type II). A lower CER is better/more accurate* (3 is better than 4). Also called Equal Error Rate (EER). Use CER to compare vendors’ products objectively.
Biometrics (180) Systems can be calibrated: for example, if you adjust the sensitivity to decrease false positives, you will probably INCREASE false negatives; this trade-off is where the CER comes in. Draw diagram on board. Some areas (like the military) are more concerned with one error than the other (ex. would rather deny a valid user than accept an invalid user). Can you think of situations for each case?
Biometric problems? Expensive Unwieldy Intrusive Can be slow (should not take more than a few seconds)* Complex (enrollment)
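To make the CER/calibration slide concrete, here is an added example (not from the slides or the book) that sweeps the acceptance threshold over constructed match scores, reports FAR (Type II) and FRR (Type I) at each threshold, finds the crossover point, and also shows the “military” calibration where you cap FAR and pay for it with a higher FRR. The score lists are made up for illustration, not real biometric data.

```python
def error_rates(genuine, impostor, threshold):
    """(FAR, FRR) when a match score >= threshold is accepted.

    genuine  - scores from legitimate users matched against their own template
    impostor - scores from other people matched against that template
    """
    far = sum(s >= threshold for s in impostor) / len(impostor)   # Type II: impostor accepted
    frr = sum(s < threshold for s in genuine) / len(genuine)      # Type I: valid user rejected
    return far, frr


def crossover(genuine, impostor):
    """Threshold where FAR and FRR are closest, and the CER/EER at that point."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, t, cer = best
    return t, cer


def threshold_for_max_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR is within budget, plus the FRR you pay for it.

    This is the calibration a military site would pick: cap false acceptance and
    accept that more valid users get rejected. Returns None if no threshold fits.
    """
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, frr
    return None


# Constructed sample scores (similarity in [0, 1]); not from any real system.
GENUINE = [0.9, 0.8, 0.7, 0.6]
IMPOSTOR = [0.4, 0.5, 0.6, 0.7]


if __name__ == '__main__':
    for t in sorted(set(GENUINE) | set(IMPOSTOR)):
        far, frr = error_rates(GENUINE, IMPOSTOR, t)
        print('threshold %.1f  FAR %.2f  FRR %.2f' % (t, far, frr))
    print('crossover:', crossover(GENUINE, IMPOSTOR))                  # (0.7, 0.25)
    print('FAR capped at 0:', threshold_for_max_far(GENUINE, IMPOSTOR, 0.0))  # (0.8, 0.5)
```

Raising the threshold drives FAR down and FRR up; the sweep printed by the block is the curve you would draw on the board, and the crossover is the single number vendors quote as CER.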
Biometric Types Overview* (182) We will talk in more depth of each in the next couple slides Fingerprint Palm Scan Hand Geometry Retina Scan Iris Scan Keyboard Dynamics Voice Print Facial Scan Hand Topography
Fingerprint (182) Measures ridge endings and bifurcations (points where a ridge splits) and other details called “minutiae”. The full fingerprint image is normally NOT stored: the scanner extracts the specific features and values and sends those for verification against the enrolled template.
Palm Scan Creases, ridges, grooves Can include fingerprints
Hand Geometry Overall shape of hand Length and width of fingers This is significantly different between individuals
Retina Scan Reads the blood vessel patterns on the back of the eye. Patterns are highly distinctive.
Iris Scan Measures colors, rifts, rings and furrows (wrinkles, ruts or grooves). Most accurate of all biometric systems. The iris remains constant through adulthood. Place the scanner so the sun does NOT shine through the aperture*
Signature Dynamics Most people sign in the same manner (really???) Monitors the motions and the pressure while signing (as opposed to a static signature image). Type I error (what is Type I again?) is high; Type II error (what is Type II again?) is low.
Keyboard Dynamics Measures the speed and motion as you type a given phrase, including the timing differences between characters typed. This is more effective than a password, believe it or not, as it is hard to reproduce someone’s typing style, whereas it’s easy to get someone’s password.
Voice Print At enrollment you say several different phrases; for authentication the words are presented in jumbled order. Measures speech patterns, inflection and intonation (i.e. pitch and tone).
Facial Scan Geometric measurements of Bone structure Nose ridges Eye width Chin shape Forehead size
Hand Topography Peaks and valleys of the hand along with overall shape and curvature, as opposed to the size and width of the fingers (hand geometry). A camera on the side at an angle snaps a picture. Not unique enough to stand on its own, but can be used with hand geometry to add assurance.
Biometrics wrap up We covered a bunch of different biometrics Understand some are behavioral* based –Voice print –Keyboard dynamics –Can change over time Some are physically based –Fingerprint –Iris scan
Biometrics wrap Up Fingerprints are probably the most commonly used and cheapest Iris scanning provides the most “assurance” Some methods are intrusive Understand Type I and Type II errors Be able to define CER, is a lower CER value better or worse?
Passwords (184) What is a password? (someone tell me because I forgot…) Works on what you KNOW Simplest form of authentication* Cheapest form of authentication* Oldest form of authentication Most commonly used form of authentication* WEAKEST form of authentication*
Problems with Passwords (184) People write down passwords (bad) People use weak passwords (bad) People re-use passwords (bad) If you make passwords too hard to remember people often write them down. If you make them too easy… they are easily cracked.
How to make a good password Don’t use common words Don’t use names or birthdates Use at least 8 characters Combine numbers, symbols and case Use a phrase and take attributes of a phrase, transpose characters
Attacks on Passwords (185) Sniffing (electronic monitoring) Brute force attacks Dictionary attacks Social engineering (what is social engineering?) Rainbow tables – precomputed tables of password hashes (stored as hash chains) that let an attacker look up a password from its unsalted hash instead of hashing guesses one by one.
Passwords and the OS (184) The OS should enforce password requirements –Aging –when a password expires –Reuse of old passwords –Minimum number of characters –Limit login attempts – disable logins after a certain number of failed attempts
System password protection The system should NOT store passwords in plaintext. Use a hash (what is a hash?). Hashes can additionally be encrypted. Password salts – random per-account values added to the hashing process so that the same password hashes to different results on different accounts; this defeats precomputed (rainbow) tables and forces an attacker to brute force each account separately.
Cognitive passwords (187) Not really passwords, but facts that only a user would know. Can be used to verify who you are talking to without giving out a password, or for password reset challenges. Not really secure, I’m not a big fan.
One Time Password The password is good only once, then no longer valid. Used in high security environments. VERY secure. Not vulnerable to electronic eavesdropping (a captured value cannot be replayed), but vulnerable to loss of the token (though the user must also have a PIN). Requires a token device to generate passwords (RSA SecurID is an example).
One Time Password Token Types One of 2 types. Synchronous – uses time to synchronize between token and authentication server –Clocks must be synchronized! –Can also use counter synchronization, where a button is pushed that increments a counter on the token, and the server increments its copy in lockstep.
OTP Token Types (189) Asynchronous –Challenge/response: the authentication server sends a challenge (a random value called a nonce)*. The user enters the nonce into the token along with a PIN. The token encrypts the nonce and returns a value. The user inputs that value into the workstation. If the server can decrypt it (and it matches the nonce it sent) then you are good.
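Both token types from the last two slides, as an added example that is not from the slides or the book: a time-synchronous code (TOTP, RFC 6238, with a small tolerated clock skew), a counter-synchronous code (HOTP, RFC 4226, with a look-ahead window so the server resyncs when the button was pressed without logging in), and an asynchronous challenge/response. The challenge/response side uses a keyed hash (HMAC) rather than the encrypt/decrypt wording of the slide; that substitution is mine. The key is the published RFC test-vector key, not a real seed, and the nonce and PIN are constructed.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack('>Q', counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack('>I', mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return '%0*d' % (digits, code % 10 ** digits)


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP where the counter is the number of `step`-second intervals."""
    now = time.time() if now is None else now
    return hotp(secret, int(now // step), digits)


def verify_totp(secret, code, now, step=30, skew=1):
    """Time-synchronous check; `skew` steps of clock drift are tolerated on each side."""
    t = int(now // step)
    return any(hmac.compare_digest(hotp(secret, t + d), code)
               for d in range(-skew, skew + 1))


def verify_hotp(secret, code, server_counter, look_ahead=5):
    """Counter-synchronous check.

    The token may be ahead of the server (button pressed without logging in), so
    search a window; on success return the next counter the server should expect.
    """
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True, c + 1
    return False, server_counter


def token_response(secret, nonce, pin):
    """Asynchronous token side: bind the server's nonce, the user's PIN and the secret."""
    return hmac.new(secret, nonce + pin.encode('utf-8'), hashlib.sha256).hexdigest()[:8]


def server_check(secret, nonce, pin, response):
    """Server side: recompute for the nonce it issued and compare in constant time."""
    return hmac.compare_digest(token_response(secret, nonce, pin), response)


SECRET = b'12345678901234567890'   # RFC 4226 / RFC 6238 test-vector key, not a real seed

if __name__ == '__main__':
    print([hotp(SECRET, c) for c in range(3)])   # ['755224', '287082', '359152']
    print(totp(SECRET, now=59))                   # '287082' (RFC 6238 vector, 6 digits)
    print(verify_hotp(SECRET, hotp(SECRET, 5), 3))   # (True, 6): resynced past counters 3 and 4
    nonce = b'\x13\x37\x42\x99'                   # constructed challenge
    print(server_check(SECRET, nonce, '1234', token_response(SECRET, nonce, '1234')))   # True
```

The skew window is why the slide says clocks must be synchronized: a server one or two steps off still accepts the code, a server minutes off rejects every valid user.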
Other Types of Authentication (190) Digital Signature (talked about in more depth in chapter 8). –Take a hash value of a message and sign it by encrypting the hash with your private key. –Anyone with your public key can decrypt the hash, recompute it over the message and verify the message is from you.
Passphrase (190) Simply a phrase; the application will probably derive a “virtual password” from the passphrase (e.g. a hash). Generally more secure than a password –Longer –Yet easier to remember
Memory Cards (191) NOT a smart card. Holds information, does NOT process it. A memory card holds authentication info; usually you’ll want to pair this with a PIN… WHY? You tell me. A credit card or ATM card (magnetic stripe) is a type of memory card, so is a key/swipe card. Usually insecure, easily copied.*
Smart Card (193) Much more secure than memory cards. Can actually process information. Includes a microprocessor and ICs. Can provide two-factor authentication, as the card can store authentication data protected by a PIN (so you need the card, and you need to know something). Two types –Contact –Contactless
Smart Card Attacks (193) There are attacks against smart cards. Fault generation – manipulate environmental conditions (voltage, clock, temperature) and measure the resulting errors in order to reverse engineer the logic etc.
Smart Card Attacks Side channel attacks – measure the card while it works –Differential power analysis – measure power consumption –Electromagnetic analysis – e.g. frequencies emitted
Smart Card Attacks Microprobing* – using needles and ultrasonic vibration to remove the outer protection on the card’s circuits, then tap into the ROMs if possible, or “dye” the ROMs to read the data (use chemicals to stain the ROM and determine the values). (This is actually done… someone just reverse engineered the Game Boy BIOS using this method.)
OK enough authentication already
Authorization Now that I am who I say I am, what can I do? –Both OSes and applications can provide this functionality. –Authorization can be based on user, group, role, rules, physical location, time of day (temporal isolation)* or transaction type (example: a teller may be able to withdraw small amounts, but a manager is required for large withdrawals)
Authorization principles (pg 197) Default NO access (implicit deny)* Need to know
Authorization Creep* (197) What is authorization creep*? (permissions accumulate over time as people change jobs, even if they don’t need them anymore) Auditing authorization can help mitigate this. SOX requires yearly auditing.
Single Sign On (200) Why is this section here? It’s poorly located, but anyway let’s follow the flow of the book.
SSO Idea One identification/authentication instance for all networks/systems/resources. Eases management. Makes things more secure (hopefully no written-down passwords). Can focus budgets and time on securing one method rather than many! Makes things integrated.
SSO downsides Centralized point of failure* Can cause bottlenecks* All vendors have to play nicely (good luck) Often very difficult to accomplish* (golden ring of network authentication) One ring to bind them all! (wait...no…) If you can access once, you can access ALL!
SSO technologies Kerberos (yeay!) SESAME
Kerberos (201) From MIT’s Athena project. Designed to eliminate transmitting passwords over the network. Scalable, reliable, secure, flexible. Uses symmetric key cryptography*
Kerberos Components* (201) Key Distribution Center (you CAN/SHOULD have backup KDCs, though the exam states that this is a central point of failure for Kerberos*) Principals (users, applications and services) – each principal gets an account!* Tickets, generated by the TGS (ticket granting service) on the KDC. The important ticket is the Ticket Granting Ticket* A realm is the domain of all principals that a Kerberos server provides tickets for.
Kerberos Process (202) Go over process on page 202* Understand the different between a session key and a secret key* (pg 203) Note* Kerberos systems MUST be time synchronized
Kerberos Problems* Single point of failure* (though this can be made redundant) KDC must be scalable. Secret keys are stored on the workstation; if you can get these keys, you can break things. Same with session keys. Vulnerable to password guessing. Traffic is not encrypted unless that is enabled.
SESAME European technology, developed to extend Kerberos and improve on its weaknesses. SESAME uses both symmetric and asymmetric cryptography. Uses Privileged Attribute Certificates (PACs) rather than tickets; PACs are digitally signed and contain the subject’s identity, access capabilities for the object, access time period and lifetime of the PAC. PACs come from the Privileged Attribute Server.
SESAME procedure (205) See page 206, note that SESAME uses public/private keys for initial authentication. (send an authenticator message, and a timestamp or random number, sign this message)
Access Control Models (211) A framework that dictates how subjects access objects. Uses access control technologies and security mechanisms to enforce the rules Business goals and culture of the organization will prescribe which model it uses Every OS has a security kernel/reference monitor (talk about in another chapter) that enforces the access control model.
Access Control Models DAC MAC Roles based Each will be discussed in upcoming slides
DAC Discretionary Access Control* Owner or creator of resource specifies which subjects have which access to a resource. Based on the Discretion of the data owner* Common example is an ACL (what is an ACL?) Commonly implemented in commercial products (Windows, Linux, MacOS)
MAC Mandatory Access Control* Data owners cannot grant access!* The OS makes the decision based on a security label system*. Users are given a clearance level and data is given a classification (confidential, secret, top secret etc.)* Rules for access are configured by the security officer and enforced by the OS.
MAC (212) MAC is used where classification and confidentiality is of utmost importance… military. Generally you have to buy a specific MAC system, DAC systems don’t do MAC –SELinux –Trusted Solaris
MAC sensitivity labels Again, all objects in a MAC system have a security label*. Security labels (classification levels) can be defined by the organization. Labels also carry categories (compartments) to support need-to-know within a clearance level. Categories can be defined by the organization. If I have “top secret” clearance can I see all projects at the “secret” level???
Role Based Access Control (214) Also called non-discretionary. Uses a set of controls to determine how subjects and objects interact. You are assigned a role, and your role dictates your access to resources, rather than your individual user account. This scales better than DAC methods: you don’t have to continually change ACLs or permissions per user, nor do you have to remember what perms to set on a new user, just give them a certain role. You can simulate this with “groups” in Windows and Linux, especially with LDAP/AD.
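An added example (not from the slides or the book) that answers the question on this slide in code. A label is a level plus a set of categories; a subject may read an object only when its clearance dominates the object’s label, meaning the level is at least as high AND the subject holds every category the object carries. The level ordering and the sample objects are constructed for illustration.

```python
from dataclasses import dataclass

# Classification / clearance levels in dominance order. Assumption: a typical
# government scheme; an organization defines its own levels and categories.
LEVELS = {'unclassified': 0, 'confidential': 1, 'secret': 2, 'top secret': 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # need-to-know compartments


def dominates(a, b):
    """a dominates b: a's level is at least b's AND a holds every category b has."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def can_read(subject_clearance, object_label):
    """No read up: read is allowed only if the clearance dominates the object's label."""
    return dominates(subject_clearance, object_label)


def readable(subject_clearance, objects):
    """Names from a dict of name -> Label that the subject may read, sorted."""
    return sorted(n for n, lbl in objects.items() if can_read(subject_clearance, lbl))


# Constructed sample objects, not from the slides.
OBJECTS = {
    'budget.xls':    Label('confidential'),
    'project-alpha': Label('secret', frozenset({'ALPHA'})),
    'project-beta':  Label('secret', frozenset({'BETA'})),
    'war-plan':      Label('top secret', frozenset({'ALPHA', 'BETA'})),
}

if __name__ == '__main__':
    # Top secret clearance with only the ALPHA category: project-beta stays hidden
    # even though it is 'only' secret, because the subject lacks the BETA category.
    ts_alpha = Label('top secret', frozenset({'ALPHA'}))
    print(readable(ts_alpha, OBJECTS))   # ['budget.xls', 'project-alpha']
```

So the answer to the slide’s question is no: clearance level alone never grants access in a MAC system; the category set has to match too, which is how need-to-know is enforced inside one level.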
Role based Access control When to use If you need centralized access If you DON’T need MAC ;) If you have high turnover*
Software and Hardware Guards Allow the exchange of data between trusted and less trusted systems. We will talk about this in another chapter, let’s not worry about it now.
Access Control technologies that support access control models (217) We will talk more in depth about each in the next few slides. Rule-based Access Control Constrained User Interfaces Access Control Matrix Access Control Lists Content-Dependent Access Control Context-Dependent Access Control
Rule Based Access Control (217) Uses specific rules that indicate what can and cannot transpire between subject and object. “if x then y” logic. Before a subject can access an object it must meet a set of predefined rules. –ex. If a user has proper clearance, and it’s between 9AM and 5PM, then allow access. However it does NOT have to deal specifically with identity/authorization –Ex. may only accept attachments of 5 MB or less
Rule Based Access Control Is considered a “compulsory control” because the rules are strictly enforced and not modifiable by users. Routers and firewalls use rule based access control heavily.
Constrained User Interfaces (218) Restrict user access by not allowing them to see certain data or have certain functionality. Views – only allow access to certain data (canned interfaces) Restricted shell – like a real shell but only with certain commands (like Cisco’s non-enable mode) Menu – similar but more “GUI” Physically constrained interface – show only certain keys on a keypad/touch screen, like an ATM (a modern type of menu). The difference is you are physically constrained from accessing them.
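Here is the previous slide’s “if x then y” logic as an added example (not from the slides or the book): an ordered rule set evaluated firewall-style, first match wins, with a rule that ignores identity entirely (attachment size) ahead of the clearance-plus-business-hours rule, and implicit deny when nothing matches. The rule names, request fields and times are constructed.

```python
from datetime import datetime, time


def business_hours(start=time(9), end=time(17)):
    """Condition: request time falls inside [start, end)."""
    return lambda req: start <= req['when'].time() < end


def attachment_over(limit_bytes):
    """Condition that never looks at who the subject is, only at the request."""
    return lambda req: req.get('attachment_bytes', 0) > limit_bytes


def has_clearance(req):
    return req['clearance'] >= req['required_clearance']


# Ordered rule set: (name, condition, decision). Evaluated top down, first
# match wins; anything that matches no rule falls through to implicit deny.
RULES = [
    ('drop attachments over 5 MB', attachment_over(5 * 1024 * 1024), 'deny'),
    ('cleared users during business hours',
     lambda r: has_clearance(r) and business_hours()(r), 'allow'),
]


def decide(rules, request):
    """Return (decision, matching rule name); users cannot alter `rules`."""
    for name, condition, decision in rules:
        if condition(request):
            return decision, name
    return 'deny', 'implicit deny'


def sample_request(hour, clearance=2, required=2, attachment=0):
    """Constructed request at the given hour on a fixed date (example data)."""
    return {'when': datetime(2024, 1, 15, hour, 0), 'clearance': clearance,
            'required_clearance': required, 'attachment_bytes': attachment}


if __name__ == '__main__':
    print(decide(RULES, sample_request(10)))                                  # allow
    print(decide(RULES, sample_request(18)))                                  # implicit deny
    print(decide(RULES, sample_request(10, attachment=6 * 1024 * 1024)))      # deny, size rule
```

Rule order matters exactly as it does in a firewall: put the size rule after the allow rule and an oversized attachment from a cleared user at 10 AM would be allowed.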
Access Control Matrix* (220) Table of subjects and objects indicating what actions individuals subjects can take on individual objects* –See page 220 (top)
Capability Table* Bound to subjects, lists what permissions a subject has to each object This is a row in the access matrix (see 220 bottom) NOT an ACL.. In fact the opposite
ACL* Lists what (and how) subjects may access a certain object. It’s a column of an access matrix –See page 220
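The three slides above in one added example (not from the slides or the book): a sparse access control matrix, the capability table as one row of it, the ACL as one column of it, and a check that treats a missing cell as implicit deny. Subjects, objects and permissions are constructed sample data.

```python
# Sparse access control matrix: (subject, object) -> set of permitted actions.
# Absent cells mean "no access" (default deny). Constructed sample data.
MATRIX = {
    ('alice', 'payroll.xlsx'): {'read', 'write'},
    ('alice', 'printer'):      {'use'},
    ('bob',   'payroll.xlsx'): {'read'},
    ('bob',   'printer'):      {'use'},
    ('carol', 'printer'):      {'use', 'admin'},
}


def subjects(matrix):
    return sorted({s for s, _ in matrix})


def objects(matrix):
    return sorted({o for _, o in matrix})


def capability_table(matrix, subject):
    """One ROW of the matrix: what this subject may do to each object (bound to the subject)."""
    return {o: perms for (s, o), perms in matrix.items() if s == subject}


def acl(matrix, obj):
    """One COLUMN of the matrix: which subjects may do what to this object (bound to the object)."""
    return {s: perms for (s, o), perms in matrix.items() if o == obj}


def allowed(matrix, subject, obj, action):
    """Reference-monitor style check; a missing cell is an implicit deny."""
    return action in matrix.get((subject, obj), set())


def render(matrix):
    """Text rendering of the full matrix: rows are subjects, columns are objects."""
    objs = objects(matrix)
    lines = ['subject'.ljust(8) + ''.join(o.ljust(16) for o in objs)]
    for s in subjects(matrix):
        cells = [','.join(sorted(matrix.get((s, o), set()))) or '-' for o in objs]
        lines.append(s.ljust(8) + ''.join(c.ljust(16) for c in cells))
    return '\n'.join(lines)


if __name__ == '__main__':
    print(render(MATRIX))
    print('capability table for bob:', capability_table(MATRIX, 'bob'))
    print('ACL on payroll.xlsx:', acl(MATRIX, 'payroll.xlsx'))
    print(allowed(MATRIX, 'carol', 'payroll.xlsx', 'read'))   # False: no cell, implicit deny
```

Real operating systems store the column form (ACLs on files) because the matrix is huge and mostly empty; capability-based systems store the row form with the subject instead.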
Content Dependent Access Controls (221) Access is determined by the content of the data. –Example: filters that look for specific things like “confidential”, SSNs, images. –Web proxy servers may be content based.
Context Dependent Access Control (221) The system reviews the situation (the state or history of the request) and then makes a decision on access. –A stateful firewall is a great example of this: if the session is established, then allow. –Another example: allow access to certain body imagery if previous web sessions were referencing medical data.
Review of Access Control Technology / Techniques Constrained User Interfaces* –view, shell, menu, physical Access Control Matrix* Capability Tables* ACL* Content Dependent Access Control Context Dependent Access Control You should really know ALL of these and be able to differentiate between similar types!
Centralized Access Control Administration (223) What is it? A centralized place for configuring and managing access control. All the ones we will talk about (next) are “AAA” protocols* –Authentication –Authorization –Accounting (the book calls this auditing)
Centralized Access Control Technologies We will talk about each of these in the upcoming slides Radius TACACS, TACACS+ Diameter
Radius* (223) Initially developed by Livingston to authenticate modem users. The access server (NAS) sends credentials to the Radius server, which sends back authorization and connection parameters (IP address etc.) (see diagram on 224). Can use multiple authentication types (PAP, CHAP, EAP). Uses UDP port 1812 for authentication and 1813 for accounting*. Sends attribute value pairs (Ex. IP= ). The access server notifies the Radius server on disconnect (for accounting).
What is radius used for Network access –Dial up –VLAN provisioning –IP address assignment
Radius benefits It’s been around, a lot of vendor support
Radius issues Radius shares a secret between the NAS and the Radius server, but uses it only to obfuscate the user password attribute; the other attribute value pairs are sent in the clear. This could provide info to people doing reconnaissance. PAP passwords go clear text from the dial-up user to the NAS.
TACACS(+) (225) TACACS uses fixed passwords. TACACS uses TCP or UDP port 49. TACACS is old (1990); TACACS+ replaces it. TACACS+ can support one time passwords. Provides the same functionality as Radius. TACACS+ uses TCP port 49.
TACACS+ benefits TCP? Is this a benefit? Discuss… Encrypts the ENTIRE packet body (Radius only hides the password). TACACS+ separates each AAA function. –For example can use AD for authentication (Radius can actually do this too.. but you have to write plug-ins) Has more AVPs than Radius, more flexible.
Diameter (229) Builds upon Radius. Similar functionality to Radius and TACACS+. NOT backwards compatible with Radius (book is wrong) but is similar and an upgrade path. Uses TCP or SCTP (Stream Control Transmission Protocol).
Diameter benefits With Diameter the server can initiate messages to the NAS (i.e. could say kick user off now); Radius servers only respond to client requests. Has a lot more AVPs (32-bit attribute codes, 2^32, rather than 8-bit, 2^8).
Centralized Access Controls overview Idea centralize access control Radius, TACACS, diameter Is Active Directory a type of Centralized Access Control? Decentralized is simply maintaining access control on all nodes separately.
Controls and Control Types* STOP Before we move on you need to understand the definitions/terms that we are about to cover for the exam. (controls and control types) They are used ambiguously on the exam, so you need to think about them. We will give an overview now, but we’ll keep seeing them again and again.
Controls and Control Types* Not directly in the book. There are controls and control types, need to understand these. Controls –Administrative –Physical –Technical Now we’ll talk about control types
Control types (241 skip ahead) Types (can occur in each “control” category) –Deterrent – intended to discourage attacks –Preventative – intended to prevent incidents –Detective – intended to detect incidents –Corrective – intended to correct incidents –Recovery – intended to bring controls back up to normal operation –Compensative – provides alternative controls to other controls
Administrative Controls (back to 231) Personnel – HR practices Supervisory – Management practices (supervisor, corrective actions) Training – that’s pretty obvious Testing – not technical, and managements* responsibility to ensure it happens
Physical Controls (223) Physical Network Segregation (not logical) – ensure certain networks segments are physically restricted Perimeter Security – CCTV, fences, security guards, badges Computer Controls – physical locks on computer equipment, restrict USB access etc.
Physical Controls continued Work Area Separation – keep accountants out of R&D areas Cabling – shielding, Fiber Control Zone – break up office into logical areas (lobby – public, R&D- Top Secret, Offices – secret)
Technical or Logical controls (235) Using technology to protect System Access – Kerberos, PKI, radius (specifically access to a system) Network Architecture – IP subnets, VLANS, DMZ Network Access – Routers, Switches and Firewalls that control access Encryption – protect confidentiality, integrity Auditing – logging and notification systems.
Ok we went out of order.. Skip to 247 This is WAY out of order, but for the exam you should know the table on 247 (Access control practices); let’s read it together.
Unauthorized Disclosure of Information Sometimes things are disclosed unintentionally. In the next couple of slides we will talk about Object reuse Emanation security
Object reuse (248) Media may be reused without cleaning off the old data! Fix this –Destroy or wipe (overwrite) the old data –Why destroy? –What is degaussing?*
Emanation Security (249) All devices give off electrical/magnetic signals. This can be used against you (we’ve all seen Alias and 24?). Hard/expensive to do, often but not always. A non-obvious example is reading info from a CRT bouncing off something (we’ve seen CSI, right?). TEMPEST* is a standard for developing countermeasures to protect against this. Let’s talk about emanation countermeasures.
Emanation Countermeasures Faraday cage – a metal mesh cage around an object, it blocks a lot of electrical/magnetic fields. White noise – a device that emits a uniform spectrum of random electronic signals to mask the real emanations. You can buy audio-frequency white noise machines (call centers, doctors). Control zones – protect sensitive devices in special areas with special walls etc.
Intrusion detection (250) IDS allow you to detect intrusion and unauthorized access. Different types (we will discuss), but usually consist of Sensors Storage Analysis engine Management Console (see diagram on 260)
NIDS Network based –Monitor network traffic ONLY –Can be of multiple types (discussed later) –Watch out for switches (use port mirroring) and subnets (use multiple sensors)
HIDS Host based – installed on computers –Monitor logs –Monitor system activity –Monitor configuration files –Could monitor network traffic to and from the computer installed on only. –Multiple types – discussed later
IDS types (251) Signature based – like a virus scanner, looks for known attack signatures. MUST be updated with new signatures. Will not catch unknown attacks (0-day). Relatively low false positive rate (high assurance when it fires). Commonly used.
Statistical Anomaly Based IDS / heuristic Based on what is “normal” behavior (builds a profile). Detects when things are not normal. Very subjective – very high rate of false positives, which may lead to alerts being ignored. – Requires a high degree of knowledge and maintenance to run. + Can possibly detect zero days.
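The two IDS types above, run over constructed log lines as an added example (not from the slides or the book): a signature scanner that matches known attack patterns in requested URLs, and a statistical anomaly check that flags a source whose request rate is far outside a learned baseline. The log lines, signatures, baseline counts and thresholds are all made up for illustration.

```python
import re
from statistics import mean, pstdev

# Constructed web-server log lines (not real traffic).
LOG = """\
10.0.0.5 - - [15/Jan/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200
10.0.0.5 - - [15/Jan/2024:10:00:02 +0000] "GET /login?user=admin' OR '1'='1 HTTP/1.1" 200
10.0.0.9 - - [15/Jan/2024:10:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404
10.0.0.7 - - [15/Jan/2024:10:00:04 +0000] "GET /images/logo.png HTTP/1.1" 200
"""

LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<request>.*) HTTP/\d\.\d"')

# Signature rules: (name, pattern) looked for in the requested URL. Constructed examples.
SIGNATURES = [
    ('sql injection tautology', re.compile(r"(?i)'\s*or\s+'?1'?\s*=\s*'?1")),
    ('path traversal', re.compile(r'\.\./')),
]


def parse_line(line):
    m = LINE.match(line)
    return m.groupdict() if m else None


def signature_scan(log_text):
    """Signature-based detection: (line number, source ip, signature name) per hit."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if not rec:
            continue
        for name, pat in SIGNATURES:
            if pat.search(rec['request']):
                hits.append((n, rec['ip'], name))
    return hits


def requests_per_source(log_text):
    counts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[rec['ip']] = counts.get(rec['ip'], 0) + 1
    return counts


def anomalous_sources(baseline_counts, window_counts, k=3.0):
    """Statistical anomaly detection on requests-per-source.

    baseline_counts: {ip: requests} observed during a 'normal' training period
    window_counts:   {ip: requests} in the interval being judged
    A source whose count exceeds mean + k * stdev of the baseline is flagged.
    """
    values = list(baseline_counts.values())
    limit = mean(values) + k * pstdev(values)
    return {ip for ip, c in window_counts.items() if c > limit}


# Constructed profile: per-source request counts from a quiet period, and one window to judge.
BASELINE = {'10.0.0.5': 10, '10.0.0.7': 12, '10.0.0.9': 11, '10.0.0.11': 9}
WINDOW = {'10.0.0.5': 11, '10.0.0.77': 40, '10.0.0.7': 12}

if __name__ == '__main__':
    print(signature_scan(LOG))            # lines 2 and 3 hit the two signatures
    print(requests_per_source(LOG))
    print(anomalous_sources(BASELINE, WINDOW))   # {'10.0.0.77'}
```

The signature scanner misses anything not in SIGNATURES (the 0-day problem), while the anomaly check would just as happily flag a legitimately busy proxy or a new batch job, which is the false positive problem the slide warns about.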
Protocol* based IDS What is a protocol? Anyone? Understands the protocols it’s watching (like HTTP, SMTP). Looks for deviations from the normal protocol traffic. Good to combine with other IDS types (signature based, or statistical based). A lot of protocols are open to interpretation, which can confuse protocol based IDS*
Rules Based (255) Uses expert systems/knowledge based systems. These use a database of knowledge and an “inference engine” to try to mimic human reasoning. It’s as if a person was watching the data in real time and had knowledge of how attacks work.
IDS review Signature based Anomaly based Rule based When studying review the table on page 257
IPS Like an IDS, but actively takes steps to neutralize attacks in real time (it still needs the IDS detection functionality to decide what to block). Might reset TCP connections, might update firewall rules to block traffic. Cool right? May create problems when troubleshooting network behavior/issues.
Honey Pots/Honey Nets (263) A computer or network set up to “distract” attackers to this machine/net rather than the real machines. Can be restricted and monitored so you can see who’s trying to do what, and stop them. Be wary of enticement vs. entrapment. Can anyone explain the difference?
Threats to Access Control We will talk about these later.. but let’s review them now. Dictionary attacks – what is this? Sniffers – what is this? Brute force attacks – how is this different from a dictionary attack? Spoofing login/trusted path Phishing Identity theft
Wow that was a lot, let’s review. Read the quick tips on pg 269. Let’s review the questions from the book.