Presentation transcript:


A system can protect itself in two ways:
- It can limit who can access the system. This requires the system to implement a two-step process of identification (asking you who you are) and authentication (asking you to prove it).
- It can limit what users can do after they have accessed the system. This requires the system to implement access control mechanisms.


- The primary purpose of security mechanisms in a system is to control access to resources.
- Resources: files, memory areas, processor time, devices, database records.

Some history...
- Early systems had no internal access control.
- Any user could access any file simply by knowing its name.
- Access control became a more serious issue with the emergence of disk storage, on which files of many users could be stored (before the days of network and interactive computing).

- An access control policy dictates:
  - what types of access are permitted,
  - under what circumstances, and
  - by whom.
- Vital for security in operating systems.

- Identification (e.g. username, account number…)
- Authorization (e.g. passwords, PIN numbers, tokens…)
- Authentication (digital signature, fingerprint…)

- Discretionary access control (DAC)
- Mandatory access control (MAC)
- Role-based access control (RBAC)

- Controls access based on:
  - the identity of the requestor, and
  - access rules (authorizations) stating what requestors are (or are not) allowed to do.
- This policy is termed "discretionary" because an entity might have access rights that permit the entity, by its own volition, to enable another entity to access some resource.

- What is DAC?
- Why is DAC needed?
- Where is it used?
- How is DAC implemented?
- Advantages of DAC?
- Disadvantages of DAC?

- Discretionary access control (DAC) is a policy determined by the owner of an object.
- The owner decides who is allowed to access the object, and what privileges they have.

- File and data ownership: Every object in the system has an owner. In most DAC systems, each object's initial owner is the subject that caused it to be created. The access policy for an object is determined by its owner.
- Access rights and permissions: These are the controls that an owner can assign to other subjects for specific resources.

In computer security, discretionary access control (DAC) is a type of access control defined by the Trusted Computer System Evaluation Criteria (TCSEC) as: "a means of restricting access to objects based on the identity of subjects and/or groups to which they belong. The controls are discretionary in the sense that a subject with a certain access permission is capable of passing that permission (perhaps indirectly) on to any other subject (unless restrained by mandatory access control)".

- Usually implemented through access control lists (ACLs).
- Each resource object on a DAC-based system has an access control list (ACL) associated with it.
- An ACL contains a list of users and groups to which the user has permitted access, together with the level of access for each user or group.

- DAC is typically the default access control mechanism for most desktop operating systems.
- Widely used in commercial and government sectors.
- Operating systems must be built differently depending upon whether they are going to provide DAC or any other access functionality.
- For example, Windows-based platforms provide a DAC access structure.

- Flexibility
- Simplicity
- Ease of implementation

- Increases the risk that data will be made accessible to users that should not necessarily be given access.
- DAC mechanisms fail to recognize a fundamental difference between human users and computer programs.
- However, DAC is known to be inherently weak for two reasons.

- First, granting read access is transitive. Information can be copied from one object to another; therefore, there is no real assurance on the flow of information in a system. No restrictions apply to the usage of information when the user has received it.
- Second, DAC policy is vulnerable to Trojan horse attacks, because programs inherit the identity of the invoking user.

- Controls access based on comparing security labels (which indicate how sensitive or critical system resources are) with security clearances (which indicate system entities are eligible to access certain resources).
- This policy is termed "mandatory" because an entity that has clearance to access a resource may not, just by its own volition, enable another entity to access that resource.

WHAT IS MAC?
- In computer security, mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject to access or generally perform some sort of operation on an object or target.
- MAC takes a hierarchical approach to controlling access to resources.
- The term mandatory in MAC has acquired a special meaning derived from its use with military systems. MAC means access controls that are mandated by order of a government and so enforcement is supposed to be more imperative than for commercial applications.

IDEA OF MAC:
- A system mechanism (e.g., the operating system) controls access to an object and an individual user cannot alter that access. Neither the subject nor the owner of the object can determine whether access is granted.
- The system mechanism will check information associated with both the subject and the object to determine whether the subject should access the object.
- Rules describe the conditions under which access is allowed. Mandatory policies are also called rule-based policies.
- Under a MAC-enforced environment, access to all resource objects (such as data files) is controlled by settings defined by the system administrator. As such, all access to resource objects is strictly controlled by the operating system based on system administrator configured settings.

GOALS OF MAC:
- Preserve confidentiality and integrity of information.
- Prevent some types of Trojan horse attacks.
- Prevent users from changing security attributes.

WHERE IS IT USED?
- Systems that implement MAC models are used in highly secured environments, such as military or government organizations and in Defence departments.
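The two DAC weaknesses listed earlier (transitive read access, and programs inheriting the invoking user's identity) next to the MAC label check, as an added example that is not part of the original slides. The users, file names and two-level label ordering are constructed, and the label rule (read at or below your clearance, write at or above it) is the Bell-LaPadula confidentiality rule, chosen here as an assumption because the slides do not name a specific model.

```python
LEVELS = {"unclassified": 0, "secret": 1}  # constructed two-level ordering

class Dac:
    """Discretionary: each file's owner edits its ACL at will."""
    def __init__(self):
        self.acl, self.data = {}, {}

    def create(self, owner, name, data=""):
        self.acl[name] = {owner: {"own", "r", "w"}}
        self.data[name] = data

    def grant(self, granter, name, user, rights):
        if "own" not in self.acl[name].get(granter, set()):
            raise PermissionError("only the owner may change the ACL")
        self.acl[name].setdefault(user, set()).update(rights)

    def allowed(self, user, name, right):
        return right in self.acl[name].get(user, set())

class Mac(Dac):
    """Mandatory: administrator-set labels are checked on top of the ACL."""
    def __init__(self, clearance, label):
        super().__init__()
        self.clearance, self.label = clearance, label

    def allowed(self, user, name, right):
        subj, obj = LEVELS[self.clearance[user]], LEVELS[self.label[name]]
        # Read only at or below your clearance; write only at or above it.
        label_ok = subj >= obj if right == "r" else subj <= obj
        return label_ok and super().allowed(user, name, right)

def copy_as(system, user, src, dst):
    """A program inherits the invoking user's identity, so it can do this copy
    whenever that user may read src and write dst."""
    if system.allowed(user, src, "r") and system.allowed(user, dst, "w"):
        system.data[dst] = system.data[src]
        return True
    return False

def scenario(system):
    system.create("alice", "plan.txt", "merger terms")
    system.create("mallory", "drop.txt")
    system.grant("mallory", "drop.txt", "alice", {"w"})  # mallory's discretion
    direct = system.allowed("mallory", "plan.txt", "r")  # ACL blocks direct read
    copied = copy_as(system, "alice", "plan.txt", "drop.txt")  # untrusted program run by alice
    return direct, copied, system.data["drop.txt"]

def mac_system():
    return Mac({"alice": "secret", "mallory": "unclassified"},
               {"plan.txt": "secret", "drop.txt": "unclassified"})
```

Under `Dac()` the scenario returns a denied direct read but a successful copy, so the content ends up in a file mallory owns; under `mac_system()` the same copy is refused because a secret-cleared subject may not write to an unclassified object.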

- Controls access based on:
  - the roles that users have within the system, and
  - rules stating what accesses are allowed to users in given roles.

- Role-based access control (RBAC) models make access decisions based on the rights and permissions assigned to a role or group, not an individual user.
- In role-based systems, users get assigned roles based on their functions in that system. These systems are centrally administered; they are nondiscretionary. An example is a hospital.
- It is an access policy determined by the system, not the owner.

USE AND AVAILABILITY…
- RBAC is a flexible access control technology whose flexibility allows it to implement DAC or MAC.
- Used to manage user privileges (computer permissions) within a single system or application. Access under RBAC is based on a user's job function within the organization to which the computer system belongs.
- Used in commercial applications and also in military systems, where multi-level security requirements may also exist.
- This kind of model is effective in large companies that have high turnover rates because it allows the administrator to simply place new employees into roles instead of creating new permissions for each and every person who joins the company.

- SECURITY INTRUSION: A security event, or a combination of multiple security events, that constitutes a security incident in which an intruder gains, or attempts to gain, access to a system (or system resource) without having authorization to do so.
- INTRUSION DETECTION: A security service that monitors and analyzes system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.

- Host-based IDS: Monitors the characteristics of a single host and the events occurring within that host for suspicious activity.
- Network-based IDS: Monitors network traffic for particular network segments or devices and analyzes network, transport, and application protocols to identify suspicious activity.

- SENSORS:
  - Responsible for collecting data.
  - The input may be any part of a system that could contain evidence of an intrusion. Types of input include network packets, log files, and system call traces. Sensors collect and forward this information to the analyzer.
- ANALYZERS:
  - Receive input from one or more sensors or from other analyzers.
  - Responsible for determining if an intrusion has occurred. The output of this component indicates that an intrusion has occurred. The output may include evidence supporting the conclusion.

- USER INTERFACE: The user interface to an IDS enables a user to view output from the system or control the behavior of the system. In some systems, the user interface may equate to a manager, director, or console component.
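The sensor, analyzer and user-interface split described above, as an added example that is not part of the original slides: a host-based sensor reads log lines, the analyzer decides whether an intrusion attempt occurred and attaches the supporting evidence, and a small function renders the result. The log lines are constructed in OpenSSH auth-log style, and the rule (three failed logins from one source within 60 seconds) is an assumed detection policy.

```python
import re
from collections import defaultdict, deque

# Constructed sample input (documentation IP ranges, made-up users and PIDs).
SAMPLE_LOG = """\
Mar  4 10:00:01 host sshd[811]: Failed password for root from 203.0.113.7 port 4242 ssh2
Mar  4 10:00:05 host sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 4243 ssh2
Mar  4 10:00:09 host sshd[815]: Accepted password for bob from 198.51.100.5 port 50022 ssh2
Mar  4 10:00:12 host sshd[816]: Failed password for root from 203.0.113.7 port 4244 ssh2
Mar  4 10:07:30 host sshd[901]: Failed password for carol from 198.51.100.9 port 51000 ssh2
"""

LINE = re.compile(r"(\d\d):(\d\d):(\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                  r"(?:invalid user )?(\S+) from (\S+) port \d+")

def sensor(log_text):
    """Sensor: collect raw log lines and forward them as normalized events."""
    for line in log_text.splitlines():
        m = LINE.search(line)
        if m:
            h, mi, s, outcome, user, src = m.groups()
            yield {"t": int(h) * 3600 + int(mi) * 60 + int(s),  # same-day logs assumed
                   "ok": outcome == "Accepted", "user": user, "src": src, "raw": line}

def analyzer(events, threshold=3, window=60):
    """Analyzer: alert when one source fails `threshold` logins within `window` seconds."""
    recent, alerts = defaultdict(deque), []
    for ev in events:
        if ev["ok"]:
            continue
        q = recent[ev["src"]]
        q.append(ev)
        while ev["t"] - q[0]["t"] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({"src": ev["src"], "failures": len(q),
                           "evidence": [e["raw"] for e in q]})
            q.clear()                         # start counting afresh after alerting
    return alerts

def render(alerts):
    """User interface: one readable line per alert."""
    return [f"ALERT {a['src']}: {a['failures']} failed logins" for a in alerts]
```

Calling `render(analyzer(sensor(SAMPLE_LOG)))` on the sample yields a single alert for 203.0.113.7; the isolated failure from 198.51.100.9 stays below the threshold.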
