Security controls
pertain to different mechanisms that act as safeguards or countermeasures prescribed for an information system to protect the C-I-A of the system and its information.
Physical Controls
Typically provide ways of controlling, directing or preventing the movement of people and equipment throughout a specific physical location, such as an office suite, factory or other facility.
Technical Controls
Also called logical controls, these are security controls that computer systems and networks directly implement. They provide automated protection from unauthorized access or misuse, facilitate detection of security violations and support security requirements for applications and data.
Administrative Controls
Also known as managerial controls, these are directives, guidelines or advisories aimed at the people within the organization. They provide frameworks, constraints and standards for human behavior, and should cover the entire scope of the organization’s activities and its interactions with external parties and stakeholders.
Authentication
This process of verifying or proving the user’s identification is known as
Something you know
Passwords or passphrases
Something you have
Tokens, memory cards, smart cards
Something you are
Biometrics, measurable characteristics
Single-factor Authentication
SFA
Multi-factor Authentication
MFA
SFA, MFA
Methods of Authentication
Knowledge-based, Token-based, Characteristic-based
three common techniques for authentication
Knowledge-based authentication
uses a passphrase or secret code to differentiate between an authorized and unauthorized user. If you have selected a personal identification number (PIN), created a password or some other secret value that only you know, then you have experienced knowledge-based authentication.
Token or Characteristics
For better security, a second or third form of authentication that is based on a ____ or ____ would be required prior to resetting the password.
Authorization
determines which resources users can access, along with the operations that users can perform. Some systems accomplish this by using an access control list, or ACL.
ACL
determines whether a user has certain access privileges once the user authenticates
Authorization
can also control when a user has access to a specific resource. For example, employees may have access to a sales database during work hours, but the system locks them out after hours.
Accountability or Non-repudiation
This is a legal term and is defined as the protection against an individual falsely denying having performed a particular action.
Accountability or Non-repudiation
It provides the capability to determine whether a given individual took a particular action, such as created information, approved information or sent or received a message.
Logical Controls
Discretionary Access Control (DAC), Mandatory Access Control (MAC), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC)
Discretionary Access Control (DAC)
a user who has access to a file is usually able to share that file with or pass it to someone else. This grants the user almost the same level of access as the original owner of the file.
Mandatory Access Control (MAC)
Means that only properly designated security administrators, as trusted subjects, can modify any of the security rules that are established for subjects and objects within the system. It is mandatory for security administrators to assign access rights or permissions; with Discretionary Access Control, it is up to the object owner’s discretion.
Role Based Access Control (RBAC)
provides each worker privileges based on what role they have in the organization. Only Human Resources staff have access to personnel files, for example; only Finance has access to bank accounts; each manager has access to their own direct reports and their own department.
Attribute-Based Access Control (ABAC)
Allows access based on attributes of the object (resource) to be accessed, the subject (user) accessing the resource, and environmental factors regarding how the object is to be accessed, such as time of day.
Privileged access management concept
To preserve the confidentiality of information and ensure that it is only available to personnel who are authorized to see it, we use
Privileged access management concept
It means each user is granted access only to the items they need and nothing further. The more critical the information a person has access to, the greater the security should be around that access.
firewall
is a system, or group of systems, that enforces an access control policy between networks.
Common properties of firewalls
are resistant to network attacks, are the only transit point between internal corporate networks and external networks because all traffic flows through the firewall, and enforce the access control policy.
Types of firewall
Packet Filtering (Stateless) Firewall, Stateful firewall, application gateway firewall (proxy firewall), Next-generation firewalls (NGFW), Host-based (server and personal) firewall, Transparent firewall, Hybrid firewall
Packet Filtering (Stateless) Firewall
It is typically a router firewall, which permits or denies traffic based on Layer 3 and Layer 4 information. These are stateless firewalls that use a simple policy table lookup to filter traffic based on specific criteria.
Stateful firewalls
provide stateful packet filtering by using connection information maintained in a state table.
Stateful filtering
is a firewall architecture that is classified at the network layer.
application gateway firewall (proxy firewall)
as shown in the figure, filters information at Layers 3, 4, 5, and 7 of the OSI reference model. Most of the firewall control and filtering is done in software. When a client needs to access a remote server, it connects to a proxy server. The proxy server connects to the remote server on behalf of the client. Therefore, the server only sees a connection from the proxy server.
Next-generation firewalls (NGFW)
go beyond stateful firewalls by providing integrated intrusion prevention, application awareness and control to see and block risky apps, upgrade paths to include future information feeds, and techniques to address evolving security threats.
Host-based (server and personal) firewall
A PC or server with firewall software running on it.
Transparent firewall
Filters IP traffic between a pair of bridged interfaces.
Hybrid firewall
A combination of the various firewall types. For example, an application inspection firewall combines a stateful firewall with an application gateway.
Zone-based policy firewalls (ZPFs)
use the concept of zones to provide additional flexibility.
zone
is a group of one or more interfaces that have similar functions or features.
Zones
help you specify where a Cisco IOS firewall rule or policy should be applied. In the figure, security policies for LAN 1 and LAN 2 are similar and can be grouped into a zone for firewall configurations.