CSCE 813 Internet Security Network Access Control

Transcription

1 CSCE 813 Internet Security Network Access Control Professor Lisa Luo Fall 2017

2 Question What is Access Control? Methods for restricting the operations that may perform on a computer system aka Authorization 2

3 Access Control Why do you need access control? Protection Prevent errors oops, I overwrote your files Security Prevent unauthorized access under all conditions 3

4 Security Policy A security policy specifies the rules of security Some statement of secure procedure or configuration that parameterizes the operation of a system Example: Airport Policy Take off your shoes No bottles that could contain > 3 ozs Laptops by themselves Coat off Go through the metal detector Goal: prevent on-airplane (metal) weapon, flammable liquid, dangerous objects... 4

5 Access Control Policy What is access control policy? Check whether a process is authorized to perform operations on an object Authorize Subject: Process Object: Resource that is security-sensitive Operations: Actions taken using that resource An object+operations is called a permission Sets of permissions for subjects in a system is called an access control policy 5

6 Access Control Policy Access control policy determines what operations a particular subject can perform for a set of objects It answers the questions E.g., do you have the permission to read /etc/passwd Does Alice have the permission to view the CSE website? Do students have the permission to share project data? Does Dr. Luo have the permission to change your grades? An Access Control Policy answers these questions 6

7 Simplified Access Control Subjects are the active entities that do things E.g., you, Alice, students, Dr.Luo Objects are passive things that operations are done to E.g., /etc/passwd, CSE website, project data, grades Operations are actions that are taken E.g., read, view, share, change 7

8 The Access Matrix An access matrix is one way to represent access control policy. Columns are objects, subjects are rows To determine if S3 has right to read object O2, find the appropriate entry Often entries list the set of operations permitted for that subject-object pair The access matrix represents O( S * O ) rules O1 O2 O3 S1 R R R S3 -- R -- S3 -- R R 8

9 Question: The Access Matrix Suppose the private key file for S1 is object O1 Only S1 can read Suppose the public key file for S1 is object O2 All can read, only S1 can write Suppose all can read and write from object O3 O1 O2 O3 S1??? S3??? What s the access matrix? S3??? 9

10 Network access control context 10

11 Network Access Control Security goal: AAA Authentication: Is user legit? Accountability: Keep trace of usage Authorization: What is the user allowed to do? Components: Supplicant: User/Client Authenticator: Network edge device Authentication Server: Remote access server or policy server 11

12 Network Access Enforcement Methods IEEE 802.1X used in Ethernet, WiFi Extensible authentication protocol Port-based network access control Firewall DHCP Management VLANs 12

13 Extensible Authentication Protocol (EAP) EAP supports multiple authentication methods. That is why EAP is referred as extensible. EAP provides a generic transport service for the exchange of authentication information between a client and an authentication server. 13

14 EAP Layered Context 14

15 EAP Terminology Supplicant: Entity to be authenticated Authenticator: Authenticating entity at network boundary Authentication Server: Has authentication database 15

16 EAP Message Code Identifier Length Data 1. Code: type of EAP message, e.g., Request (1), Response (2), Success (3), and Failure (4) 2. Identifier: Used to match Response with Request 3. Length: length of the EAP message 4. Data: information related to authentication 16

17 EAP Message Flow EAP-Request/Identity EAP-Response/Identity EAP-Request/Auth Server selects an EAP method Client accepts the EAP method? EAP-Response/Auth... EAP-Success 17

18 Port-based Network Access Control 1. Before a supplicant is authenticated: it cannot send data to network or internet 2. After a supplicant is authenticated: it can send data to network or internet 18

19 EAPOL Frame Types 19

20 EAPOL-Start EAPOL-EAP (EAP-Request/Identity) EAPOL-EAP (EAP-Response/Identity) EAPOL-EAP (EAP-Request/Auth) Server selects an EAP method Client accepts the EAP method? EAPOL-EAP (EAP-Response/Auth)... EAPOL-EAP (EAP-Success) EAPOL-Logoff 20

21 Firewall

22 What is a Firewall? A choke point of control and monitoring Interconnects networks with differing trust Imposes restrictions on network services only authorized traffic is allowed Provides perimeter defence 22

23 General Model of Firewall 23

24 Types of Firewall Characterized by protocol level it controls in Packet filtering firewalls Stateful inspection firewalls Application-level gateways Circuit-level gateways 24

25 Packet Filtering Firewall

26 Firewalls - Packet Filters Filtering rules are based on: Source IP address Destination IP address Protocol (TCP, UDP, ICMP, etc.) Source port number Destination port number Goal: 1. Filtering with incoming or outgoing interfaces 2. Permits or denies certain services 26

27 Packet-Filtering Example Ø A ruleset for SMTP traffic. The goal is to allow inbound and outbound traffic but to block all other traffic. A. Inbound mail from an external source is allowed (port 25 is for SMTP incoming). B. This rule is intended to allow a response to an inbound SMTP connection. C. Outbound mail to an external source is allowed. D. This rule is intended to allow a response to an outbound SMTP connection. E. This is an explicit statement of the default policy. 27

28 Packet-Filtering Example C: outbound A: inbound 25 Resp. B: outbound > D: inbound Resp. Internal network External network 28

29 Problem? Rule D allows external traffic to any destination port above Exploit: An attacker can open a connection with port 5150 to an internal Web proxy server on port This is supposed to be forbidden and could allow an attack on the server. ü Solution: Add a source port field for each row. For rules B and D, the source port is set to 25; for rules A and C, the source port is set to >

30 Updated Rules Source port > > Any C: outbound A: inbound 25 B: outbound > D: inbound Resp. 10 Resp. Source port = Source port = 25 Internal network External network 30

31 Problem? The use of port 25 for SMTP is only a default; an outside machine could be configured to have some other application linked to port 25. Exploit: An attacker could gain access to internal machines by sending packets with a TCP source port of 25. ü Solution: Add an ACK flag field to each row. 31

32 Updated Rules Source port > > Any Flag Ant Any Any ACK Any 32

33 Limitations Packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities. E.g., it cannot block specific application commands; if it allows a given application, all functions available within that application will be permitted. It does not support user authentication schemes Vulnerable to network layer address spoofing 33

34 Stateful Inspection Firewall

35 Stateful Inspection Firewall Firewall creates a directory of outbound TCP connections, containing an entry for each established connection. Firewall allows inbound traffic to high-numbered ports only for those packets that fit one of the entries in this directory. 35

36 Application-Level Gateway

37 Application-Level Gateway Acts as a relay of application-level traffic 37

38 Process 1. User contacts the gateway 2. Gateway asks the user for the name of the remote host to be accessed. 3. User responds and provides a valid user ID and authentication information 4. Gateway contacts the application on the remote host and relays TCP segments between the two end-points. 38

39 Pros and Cons Pros: Gateway can be configured to support only specific features of an application while denying all other features. It is easy to log and audit all incoming traffic at the application level. Cons: Additional processing overhead 39

40 Circuit-Level Gataway

41 Circuit-Level Gateway 1. The gateway sets up two TCP connections, One between itself and a TCP user on an inner host Another one between itself and a TCP user on an outside host. 2. Once the two connections are established, the gateway relays TCP segments from one connection to the other The gateway determines which connections will be allowed. 41

42 Summary Access control Access control policy Subject, operations, objects Access matrix Network access control IEEE 802.1X used in Ethernet Extensible authentication protocol (EAP) Port-based network access control Firewall Packet filtering firewall Stateful inspection firewall Application-level gateway Circuit-level gatewall 42