Module 3 Access Control

The document outlines various types of access controls, including physical, logical, and administrative controls, which are essential for preventing unauthorized access to organizational assets. It details the processes of authentication, authorization, and accountability, emphasizing the importance of multi-factor authentication and zero trust security principles. Additionally, it describes different access control models such as discretionary, mandatory, and role-based access control to manage user permissions effectively.


3.1.2 Physical Access Controls

Physical access controls are actual barriers deployed to prevent direct
physical contact with systems. The goal is to prevent unauthorized users
from gaining physical access to facilities, equipment and other organizational
assets.

For example, physical access control determines who can enter (or exit),
where they can enter (or exit) and when they can enter (or exit).

Here are some examples of physical access controls:

- Guards to monitor the facility
- Fences to protect the perimeter
- Motion detectors to detect moving objects
- Laptop locks to safeguard portable equipment
- Locked doors to prevent unauthorized access
- Swipe cards to allow access to restricted areas
- Guard dogs to protect the facility
- Video cameras to monitor a facility by collecting and recording images
- Mantrap-style entry systems to stagger the flow of people into the secured area and trap any unwanted visitors
- Alarms to detect intrusion

3.1.3 Logical Access Controls


Logical access controls are the hardware and software solutions used to
manage access to resources and systems. These technology-based solutions
include tools and protocols that computer systems use for identification,
authentication, authorization and accountability.

Logical access control examples include:

- Encryption is the process of taking plaintext and creating ciphertext.
- Smart cards have an embedded microchip.
- Passwords are protected strings of characters.
- Biometrics are users’ physical characteristics.
- Access control lists (ACLs) define the type of traffic allowed on a network.
- Protocols are sets of rules that govern the exchange of data between devices.
- Firewalls prevent unwanted network traffic.
- Routers connect at least two networks.
- Intrusion detection systems monitor a network for suspicious activities.
- Clipping levels are certain allowed thresholds for errors before triggering a red flag.

3.1.4 Administrative Access Controls

Administrative access controls are the policies and procedures defined by
organizations to implement and enforce all aspects of controlling
unauthorized access.

Administrative controls focus on personnel and business practices.

- Policies are statements of intent.
- Procedures are the detailed steps required to perform an activity.
- Hiring practices define the steps an organization takes to find qualified employees.
- Background checks are a type of employee screening that includes information such as past employment verification, credit history and criminal history.
- Data classification categorizes data based on its sensitivity.
- Security training educates employees about the security policies at an organization.
- Reviews evaluate an employee's job performance.

3.1.5 Administrative Access Controls in Detail

Let’s look into administrative access controls in more detail.

The concept of administrative access controls involves three security
services: authentication, authorization and accounting (AAA).

These services provide the primary framework to control access, preventing
unauthorized access to a computer, network, database or other data
resource.

Authentication

The first A in AAA represents authentication. Authentication verifies the
identity of each user, to prevent unauthorized access. Users prove their
identity with a username or ID. In addition, users need to verify their identity
by providing one of the following:

- Something they know (such as a password)
- Something they have (such as a token or card)
- Something they are (such as a fingerprint)

In the case of two-factor authentication, which is increasingly becoming the
norm, the system requires a combination of two of the above rather than just
one to verify someone’s identity.

Authorization

Authorization services determine which resources users can access, along
with the operations that users can perform.

Some systems accomplish this by using an access control list, or an ACL. An
ACL determines whether a user has certain access privileges once the user
authenticates. Just because you can log onto the corporate network does not
mean that you have permission to use the high-speed color printer, for
example.

Authorization can also control when a user has access to a specific resource.
For example, employees may have access to a sales database during work
hours, but the system locks them out afterhours.

Accounting

Not related to financial accounting, accounting in AAA keeps track of what
users do — including what they access, the amount of time they access
resources, and any changes they make.
For example, a bank keeps track of each customer account. An audit of that
system can reveal the time and amount of all transactions and the employee
or system that executed the transactions. Cybersecurity accounting services
work the same way. The system tracks each data transaction and provides
auditing results. System administrators can set up computer policies to
enable system auditing.

The concept of AAA is like using a credit card. The credit card identifies who
can use it, how much that user can spend and accounts for items or services
the user purchased. Cybersecurity accounting tracks and monitors in real
time.

3.1.6 What Is Identification?

Identification enforces the rules established by the authorization
policy. Every time access to a resource is requested, the access
controls determine whether to grant or deny access.

A unique identifier ensures the proper association between allowed
activities and subjects. A username is the most common method
used to identify a user. A username can be an alphanumeric
combination, a personal identification number (PIN), a smart card or
biometric — such as a fingerprint, retina scan or voice recognition.

A unique identifier ensures that a system can identify each user
individually, therefore allowing an authorized user to perform the
appropriate actions on a particular resource.

3.1.8 Federated Identity Management

Federated identity management refers to multiple enterprises that let their
users use the same identification credentials to gain access to the networks
of all enterprises in the group. Unfortunately, this broadens the scope and
increases the probability of a cascading effect should an attack occur.

Generally speaking, a federated identity links a subject’s electronic identity
across separate identity management systems, such as being able to access
several websites using the same social login credentials.

The goal of federated identity management is to share identity information
automatically across castle boundaries. From the individual user’s
perspective, this means a single sign-on to the web.

It is imperative that organizations scrutinize the identifying information
shared with partners, even within the same corporate group, for example.
The sharing of social security numbers, names and addresses may allow
identity thieves the opportunity to steal this information from a partner to
perpetrate fraud. The most common way to protect federated identity is to
tie login ability to an authorized device.

3.1.9 Authentication Methods

As we mentioned earlier, users prove their identity with a username or ID. In
addition, users need to verify their identity by providing one of the following.

What you know

Passwords, passphrases or PINs are all examples of something that the
user knows. Passwords are the most popular method used for authentication.

The terms passphrase, passcode, passkey and PIN are all generically referred
to as password. A password is a string of characters used to prove a user’s
identity. If this string of characters relates back to a user (for instance, if it is
their name, birthdate or address), it will be easier for cybercriminals to guess
this user’s password.

Several publications recommend that a password be at least eight
characters. Users should not create a password that is so long that it is
difficult to memorize, or conversely, so short that it becomes vulnerable to
password cracking. Passwords should contain a combination of upper and
lowercase letters, numbers, and special characters.

Users need to use different passwords for different systems because if a
criminal cracks the user’s password once, the criminal will have access to all
of the user’s accounts. A password manager can help you create and use
strong passwords — and means that you do not have to remember each of
these passwords, either.

What you have

Smart cards and security key fobs are both examples of something that
users have in their possession that can be used for authentication purposes.
A smart card is a small plastic card, about the size of a credit card, with a
small chip embedded in it. The chip is an intelligent data carrier, capable of
processing, storing and safeguarding data. Smart cards contain private
information, such as bank account numbers, personal identification, medical
records and digital signatures, using encryption to keep data safe while
providing a means to authenticate.

A security key fob is a device that is small enough to attach to a keyring. In
most cases, security key fobs are used for two-factor authentication (2FA),
which is much more secure than a username and password combination.

For example, let’s say you want to access your e-banking, which uses two-
factor authentication. First, you enter your username (identification). Then
you enter your password, which is your first authentication factor. Because
it is 2FA, you need a second one: you enter a PIN or insert a card into your
security fob, and it displays a number. That number is the second factor,
because it proves you have access to a device that was issued to you, and
you enter it to log in to the e-banking account.

Who you are

Unique physical characteristics, such as a fingerprint, retina or voice, which
identify a specific person are called biometrics. Biometric security compares
physical characteristics against stored profiles to authenticate users. In this
case, a profile is a data file containing known characteristics of an individual.
The system grants the user access if their characteristics match saved
settings. A fingerprint reader is a common biometric device.

There are two types of biometric identifiers:

- Physiological characteristics — fingerprints, DNA, face, hands, the retina or ear features.
- Behavioral characteristics — patterns of behavior such as gestures, voice, gait or typing rhythm.

Biometrics is becoming increasingly popular in public security systems,
consumer electronics and point-of-sale applications. Implementing biometrics
involves a reader or scanning device, software that converts the scanned
information into digital form and a database that has biometric data stored
for comparison.

3.1.10 Multi-Factor Authentication

As we’ve touched upon earlier, multi-factor authentication uses at least two
methods of verification — such as a password and something you have, for
example, a security key fob. This can be taken a step further by adding
something you are, such as a fingerprint scan.

Multi-factor authentication can reduce the incidence of online identity theft
because it means knowing a password will not give cybercriminals access to
a user’s account.

For example, an online banking website might require a password and a
one-off PIN that the user receives on his or her smartphone. In this case, your
first factor is your password, and your second factor the temporary PIN,
because it proves you have access to what is registered as your phone.

Withdrawing cash from an ATM is another, simple example of multi-factor
authentication as the user must have the bank card as well as know the PIN
before the ATM will dispense cash.

Note that two-factor authentication (2FA) is a method of multi-factor
authentication that entails two factors in particular, but the two terms are
often used interchangeably.

3.1.12 Authorization

Authorization controls what a user can and cannot do on the network after
successful authentication. After a user proves their identity, the system
checks to see what network resources the user can access and what they
can do with the resources.

When to implement authorization

Authorization uses a set of attributes that describes the user’s access to the
network, to answer the question, ‘What read, copy, edit, create and delete
privileges does this user have?’

The system compares these attributes to the information contained within
the authentication database, determines a set of restrictions for that user,
and delivers it to the local device where the user is connected.

Authorization is automatic and does not require users to perform additional
steps after authentication. System administrators have set the network up to
implement authorization immediately after the user authenticates.

Using authorization

Defining authorization rules is the first step in controlling access. An
authorization policy establishes these rules.

A group membership policy defines authorization based on users’
membership in a specific group. All employees of an organization may have
a swipe card, for example, which provides access to the premises, but it
might not allow access to a server room. It may be that only senior-level
employees and IT team members may access the server room with their
swipe cards.

An authority-level policy defines access permissions based on an employee’s
position within the organization.

3.1.15 Implementing Accountability


What is accountability?

Accountability traces an action back to a person or process making this
change to a system. Accountability then collects this information and reports
the usage data. The organization can use this data for such purposes as
auditing or billing. The collected data might include the log-in time for a user,
whether the user login was a success or failure, or what network resources
the user accessed. This allows an organization to trace actions, errors and
mistakes during an audit or investigation.

Implementing accountability

Implementing accountability consists of technologies, policies, procedures
and education. Log files provide detailed information based on the
parameters chosen. For example, an organization may look at the log for
login failures and successes. Login failures can indicate that a criminal tried
to hack an account, and login successes tell an organization which users are
using what resources and when.

The organization’s policies and procedures spell out what actions should be
recorded and how the log files are generated, reviewed and stored.
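The kind of log review this section describes, as an added example that is not part of the original module: it parses a few constructed auth log lines (the line format and the 08:00 to 18:00 working hours are assumptions), counts successes and failures per user, flags bursts of failed logins, and lists after-hours login attempts.

```python
import re
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log lines (not taken from the page): one line per login
# attempt or resource access, in a simple key=value format that an
# organization's logging policy might specify.
SAMPLE_LOG = """\
2024-03-04T08:01:12Z LOGIN user=alice result=SUCCESS src=10.0.0.5 resource=sales-db
2024-03-04T08:03:40Z LOGIN user=bob result=FAILURE src=10.0.0.9 resource=vpn
2024-03-04T08:03:52Z LOGIN user=bob result=FAILURE src=10.0.0.9 resource=vpn
2024-03-04T08:04:03Z LOGIN user=bob result=FAILURE src=10.0.0.9 resource=vpn
2024-03-04T08:04:15Z LOGIN user=bob result=FAILURE src=10.0.0.9 resource=vpn
2024-03-04T08:04:30Z LOGIN user=bob result=SUCCESS src=10.0.0.9 resource=vpn
2024-03-04T08:10:00Z ACCESS user=alice action=READ resource=sales-db
2024-03-04T21:30:00Z LOGIN user=carol result=FAILURE src=203.0.113.7 resource=sales-db
2024-03-04T21:31:10Z LOGIN user=carol result=FAILURE src=203.0.113.7 resource=sales-db
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>LOGIN|ACCESS) (?P<kv>.*)$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m.group("ts").replace("Z", "+00:00")),
           "event": m.group("event")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_log(log_text):
    return [r for r in (parse_line(line) for line in log_text.splitlines()) if r]


def summarize_logins(log_text):
    """Per-user count of login successes and failures: which users are getting
    in, and how often they fail to."""
    counts = defaultdict(lambda: {"success": 0, "failure": 0})
    for rec in parse_log(log_text):
        if rec["event"] == "LOGIN":
            key = "success" if rec["result"] == "SUCCESS" else "failure"
            counts[rec["user"]][key] += 1
    return dict(counts)


def find_failure_bursts(log_text, threshold=3, window_seconds=300):
    """Users with `threshold` or more failures inside `window_seconds`: the
    repeated-failure pattern the text says may indicate an attack on an account."""
    failures = defaultdict(list)
    for rec in parse_log(log_text):
        if rec["event"] == "LOGIN" and rec["result"] == "FAILURE":
            failures[rec["user"]].append(rec["ts"])
    flagged = []
    for user, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(user)
                break
    return sorted(flagged)


def after_hours_logins(log_text, start=time(8, 0), end=time(18, 0)):
    """Login attempts outside working hours (assumed 08:00-18:00), the
    'who accessed what, and when' data an audit review looks for."""
    return [(rec["user"], rec["ts"].isoformat()) for rec in parse_log(log_text)
            if rec["event"] == "LOGIN" and not (start <= rec["ts"].time() <= end)]


if __name__ == "__main__":
    print(summarize_logins(SAMPLE_LOG))
    print("failure bursts:", find_failure_bursts(SAMPLE_LOG))
    print("after hours:", after_hours_logins(SAMPLE_LOG))
```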

Providing accountability

Data retention, media disposal and compliance requirements all provide
accountability. Many laws require the implementation of measures to secure
different data types. These laws guide an organization on the right way to
handle, store and dispose of data. The education and awareness of an
organization’s policies, procedures and related laws can also contribute to
accountability.

3.2 Access Control Concepts

3.2.1 Zero Trust Security

Zero trust is a comprehensive approach to securing all access across
networks, applications, and environments. This approach helps secure access
from users, end-user devices, APIs, IoT, microservices, containers, and more.
It protects an organization’s workforce, workloads, and the workplace. The
principle of a zero trust approach is, “never trust, always verify.” Assume
zero trust any time someone or something requests access to assets. A zero
trust security framework helps to prevent unauthorized access, contain
breaches, and reduce the risk of an attacker's lateral movement through a
network.

Traditionally, the network perimeter, or edge, was the boundary between
inside and outside, or trusted and untrusted. In a zero trust approach, any
place at which an access control decision is required should be considered a
perimeter. This means that although a user or other entity may have
successfully passed access control previously, they are not trusted to access
another area or resource until they are authenticated. In some cases, users
may be required to authenticate multiple times and in different ways, to gain
access to different layers of the network.

The three pillars of zero trust are workforce, workloads, and workplace.

1. Zero Trust for the Workforce

This pillar consists of people (e.g., employees, contractors, partners, and
vendors) who access work applications by using their personal or corporate-
managed devices. This pillar ensures only the right users and secure devices
can access applications, regardless of location.

2. Zero Trust for Workloads

This pillar is concerned with applications that are running in the cloud, in
data centers, and other virtualized environments that interact with one
another. It focuses on secure access when an API, a microservice, or a
container is accessing a database within an application.

3. Zero Trust for the Workplace

This pillar focuses on secure access for any and all devices, including on the
internet of things (IoT), that connect to enterprise networks, such as user
endpoints, physical and virtual servers, printers, cameras, HVAC systems,
kiosks, infusion pumps, industrial control systems, and more.

3.2.2 Access Control Models

An organization must implement proper access controls to protect its
network resources, information system resources, and information.

A security analyst should understand the different basic access control
models to have a better understanding of how attackers can break the
access controls.

The various types of access control methods are:

1) Discretionary access control (DAC)

- This is the least restrictive model and allows users to control access to their data as owners of that data.
- DAC may use ACLs or other methods to specify which users or groups of users have access to the information.

2) Mandatory access control (MAC)

- This applies the strictest access control and is typically used in military or mission-critical applications.
- It assigns security level labels to information and enables users with access based on their security level clearance.

3) Role-based access control (RBAC)

- Access decisions are based on an individual’s roles and responsibilities within the organization.
- Different roles are assigned security privileges, and individuals are assigned to the RBAC profile for the role.
- Roles may include different positions, job classifications or groups of job classifications.
- Also known as a type of non-discretionary access control.

4) Attribute-based access control (ABAC)

ABAC allows access based on attributes of the object (resource) to be accessed,
the subject (user) accessing the resource, and environmental factors regarding
how the object is to be accessed, such as time of day.

5) Rule-based access control (RBAC)

- Network security staff specify sets of rules or conditions that are associated with access to data or systems.
- These rules may specify permitted or denied IP addresses, or certain protocols and other conditions.
- Also known as Rule Based RBAC.

6) Time-based access control (TAC)

TAC allows access to network resources based on time and day.

Another access control model is the principle of least privilege, which
specifies a limited, as-needed approach to granting user and process access
rights to specific information and tools. The principle of least privilege states
that users should be granted the minimum amount of access required to
perform their work function.

A common exploit is known as privilege escalation. In this exploit,
vulnerabilities in servers or access control systems are exploited to grant an
unauthorized user, or software process, higher levels of privilege than they
should have. After the privilege is granted, the threat actor can access
sensitive information or take control of a system.
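The models listed above, as an added example written for this page (not the module's own code): a small Python policy engine with a DAC object whose owner edits its ACL, a MAC clearance check against fixed labels, an RBAC role-to-permission table, and an attribute check that layers time-of-day and source-network rules on top. The role names, labels, networks and working hours are constructed.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network


# --- 1) Discretionary access control: the owner of the data manages its ACL ---
class DacObject:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write"}}   # ACL: subject -> permissions

    def grant(self, actor, subject, perms):
        """Only the owner may change the ACL; that discretion is what makes
        DAC the least restrictive model."""
        if actor != self.owner:
            return False
        self.acl.setdefault(subject, set()).update(perms)
        return True

    def allows(self, subject, perm):
        return perm in self.acl.get(subject, set())


# --- 2) Mandatory access control: labels and clearances fixed by the system ---
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def mac_allows_read(clearance, label):
    """Read is permitted only when the subject's clearance dominates the
    object's label (no reading 'up'); neither side can change the labels."""
    return LEVELS[clearance] >= LEVELS[label]


# --- 3) Role-based access control: privileges attach to roles, not people ---
ROLE_PERMS = {
    "sales": {"sales-db:read"},
    "sales-manager": {"sales-db:read", "sales-db:write"},
    "it-admin": {"server-room:enter", "sales-db:read", "sales-db:write"},
}


def rbac_allows(user_roles, perm):
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)


# --- 4)-6) Attribute-, rule- and time-based conditions layered on top ---
WORK_HOURS = (time(8, 0), time(18, 0))          # time-based condition (assumed)
ALLOWED_NETS = [ip_network("10.0.0.0/8")]       # rule-based condition: source IP


def abac_allows(user, resource, action, now, src_ip):
    """Combine subject attributes (roles, clearance), object attributes
    (classification label) and environment (time of day, source network).
    Returns (decision, reason) so the reason can be logged for accountability."""
    if not rbac_allows(user["roles"], f"{resource['name']}:{action}"):
        return False, "role lacks permission"
    if not mac_allows_read(user["clearance"], resource["label"]):
        return False, "clearance below label"
    if not WORK_HOURS[0] <= now.time() <= WORK_HOURS[1]:
        return False, "outside work hours"
    if not any(ip_address(src_ip) in net for net in ALLOWED_NETS):
        return False, "source address not permitted"
    return True, "allowed"


if __name__ == "__main__":
    user = {"roles": {"sales"}, "clearance": "confidential"}
    res = {"name": "sales-db", "label": "confidential"}
    print(abac_allows(user, res, "read", datetime(2024, 3, 4, 10, 0), "10.1.2.3"))
    print(abac_allows(user, res, "read", datetime(2024, 3, 4, 21, 0), "10.1.2.3"))
```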

3.2.3 Network Access Control (NAC) Systems

Network access control (NAC) systems support access management by
enforcing organizational policies regarding the people and devices that are
attempting to access the network. NAC systems allow cybersecurity
professionals to monitor the users and devices that are attached to the
network, and manually control access as required.

Network access control systems provide the following capabilities:

- Rapidly enforcing access policies that have been created for different operational conditions.
- Recognizing and profiling connected users and devices to prevent malicious software on non-compliant systems from causing damage.
- Providing secure access to network guests, often through registration portals.
- Evaluating device compliance with security policies by user type, device type, and operating system prior to permitting network access.
- Mitigating security incidents by blocking, isolating, or repairing non-compliant devices.

Because BYOD and IoT networking greatly expand the network attack
surface, NAC system automation features make focused control of network
access by such devices practical. The NAC system is configured to enforce
organizational policies. The relevant policies are enacted to permit or deny
network access according to a wide range of factors that the NAC system
detects on the devices that are attempting access. Without NAC systems it
would be impossible for cybersecurity personnel to evaluate the thousands
of devices that could attempt to access the network.

NAC is an important component of a zero-trust security architecture that
enforces security policy compliance with all devices and users that attempt
to access the network.

3.3 Account Management


3.3.2 Account Types

An organization should not share accounts for privileged users,
administrators or applications. The administrator account should only be
used to administer a system. If a user accesses a malware-infected website
or opens a malicious email while using the administrator account, this would
put the organization at risk.

Administrators must be aware of the default group and user accounts that
might be installed by an operating system. Knowing about these accounts
will help an administrator decide which should be permitted and which of
these accounts should be disabled.

This is because default accounts such as the guest or administrator account
can be a security risk in older systems as attackers are familiar with the
default settings used. To improve security, always replace any default
accounts and make sure that all account types require a password.

It's important to properly manage accounts to maintain security.

- On hiring a new employee, create an identity profile, register the employee's computer and mobile devices, and enable access to the organization's network. As the Identity Provider (IdP), the organization is responsible for authenticating their identity.
- Disable or deactivate any accounts that are no longer needed and retrieve any organizational data or applications from the user's devices.
- Grant a user no more access than is necessary to perform assigned tasks (least privilege).
- Review user access to identify any access control adjustments that need to be made.
- Use time of day restrictions to control when a user can log in.
- Use location restrictions to control where a device or user can log in from.
- Geofencing is used to trigger an action when a user enters or exits a geographic boundary.
- Geolocation identifies a device based on its geographic location.
- Geotagging adds an identifier to something based on the location (like a photo taken on a smartphone tagged with the coordinates of where the photo was taken).

3.3.3 Privileged Accounts

Cybercriminals target privileged accounts. Why? Because these are the
most powerful accounts in the organization with elevated, unrestricted
access to systems. Administrators use these accounts to deploy and
manage operating systems, applications and network devices.
Organizations should adopt robust practices for securing privileged
accounts.

- Identify and reduce the number of privileged accounts.
- Enforce the principle of least privilege. The principle means that users, systems, and processes only have access to resources (networks, systems and files) that are absolutely necessary to perform their assigned function.
- Revoke access rights when employees leave or change jobs.
- Eliminate shared accounts with passwords that do not expire.
- Secure password storage.
- Eliminate shared credentials for multiple administrators.
- Automatically change privileged account passwords every 30 or 60 days.
- Record privileged sessions.
- Implement a process to change embedded passwords for scripts and service accounts.
- Log all user activity.
- Generate alerts for unusual behavior.
- Disable inactive privileged accounts.
- Use multi-factor authentication for all administrative access.
- Implement a gateway between the end user and sensitive assets to limit network exposure to malware.

Continuously securing and locking down privileged accounts is critical to
the security of the organization. Regularly evaluate this process and make
adjustments to improve protection.

3.3.4 File Access Control

Let’s take a closer look at how permissions can help secure data.

Permissions are rules configured to limit folder or file access for an
individual or a group. Users should be limited to only the resources they
need on a computer system or network. For example, they should not be
able to access all files on a server if they only need access to a single
folder. It may be easier to provide access to the entire drive, but it is more
secure to limit access to only the folder they need. This is the principle
of least privilege and closely connected to the concept of ‘need to know’
access. Limiting access to resources also prevents cybercriminals from
accessing those resources if the user’s computer becomes infected.

The permission levels that are available for files and folders are as follows.

Full control

Users can:

- See the contents of a file or folder.
- Change and delete existing files and folders.
- Create new files and folders.
- Run programs in a folder.

Modify

Users can change and delete existing files and folders but cannot create new
ones.

Read and execute

Users can see the contents of existing files and folders and can run programs
in a folder.

Write

Users can create new files and folders and make changes to existing files
and folders.

Read

Users can see the contents of a folder and open files and folders.

3.3.7 Account Policies in Windows

In most networks that use Windows computers, an administrator configures
Active Directory with domains on a Windows server. Windows computers that
join the domain become domain members.

The administrator configures a domain security policy that applies to all
domain members. For example, account policies are automatically set when
a user logs in to Windows.

When a computer is not part of an Active Directory domain, the user
configures policies through Windows Local Security Policy. In all versions of
Windows except Home edition, enter ‘secpol.msc’ at the Run command to
open the Local Security Policy tool.


Password Policy

An administrator can configure user account policies such as password
policies and lockout policies.

In the example shown, users must change their passwords every 90 days
and use each new password for at least one day. Passwords must contain
eight characters and three of the following four categories: uppercase
letters, lowercase letters, numbers and symbols. Lastly, the user can reuse a
password after 24 unique passwords.

This is just an example; different password policies can be set, depending on
organizational requirements and needs.

Account Lockout Policy

An account lockout policy locks an account for a set duration when too many
incorrect login attempts occur.

For example, the policy shown here allows the user to enter the wrong
username and/or password five times. After five attempts, the account locks
users out for 30 minutes. After 30 minutes, the number of attempts resets to
zero and the user can attempt to log in again.
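The password and lockout policies just described, modelled in Python as an added example (not from the module and not Windows' own implementation): the thresholds are the ones given in the text, and the plaintext password comparison is a simplification so that the policy logic stays visible.

```python
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Assumed values mirror the example policy in the text: 90-day maximum age,
# 1-day minimum age, 8 characters with 3 of 4 categories, 24 remembered
# passwords, lockout after 5 bad attempts for 30 minutes.


@dataclass
class PasswordPolicy:
    max_age_days: int = 90
    min_age_days: int = 1
    min_length: int = 8
    required_categories: int = 3
    history_size: int = 24

    def complexity_ok(self, pw):
        categories = [any(c.isupper() for c in pw), any(c.islower() for c in pw),
                      any(c.isdigit() for c in pw),
                      any(c in string.punctuation for c in pw)]
        return len(pw) >= self.min_length and sum(categories) >= self.required_categories


LOCKOUT_THRESHOLD = 5
LOCKOUT_DURATION = timedelta(minutes=30)


@dataclass
class Account:
    name: str
    password: str            # plaintext only for this demo; real systems store a hash
    changed_at: datetime
    history: list = field(default_factory=list)   # remembered passwords, newest last
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def __post_init__(self):
        if self.password not in self.history:
            self.history.append(self.password)


def change_password(policy, account, new_pw, now):
    """Enforce minimum age, complexity and history; returns (ok, reason)."""
    if now - account.changed_at < timedelta(days=policy.min_age_days):
        return False, "minimum password age not reached"
    if not policy.complexity_ok(new_pw):
        return False, "does not meet complexity requirements"
    if new_pw in account.history:
        return False, "password was used recently"
    account.password = new_pw
    account.changed_at = now
    account.history.append(new_pw)
    del account.history[:-policy.history_size]    # remember only the last N
    return True, "changed"


def password_expired(policy, account, now):
    return now - account.changed_at >= timedelta(days=policy.max_age_days)


def attempt_login(account, password, now):
    """Account lockout: after LOCKOUT_THRESHOLD wrong attempts the account is
    locked for LOCKOUT_DURATION; the counter resets once the lockout expires."""
    if account.locked_until is not None:
        if now < account.locked_until:
            return "locked"            # even a correct password is refused here
        account.locked_until = None
        account.failed_attempts = 0
    if password == account.password:
        account.failed_attempts = 0
        return "success"
    account.failed_attempts += 1
    if account.failed_attempts >= LOCKOUT_THRESHOLD:
        account.locked_until = now + LOCKOUT_DURATION
        return "locked"
    return "failure"
```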

Audit Policies

More security settings are available by selecting the ‘local policies’ folder in
Windows. An audit policy creates a security log file used to track the
following events:

- Account logon events.
- Audit account management.
- Directory service access.
- Object access.
- Policy changes.
- Privilege use.
- Process tracking.
- System events.

3.3.8 Authentication Management

Authentication and authorization issues include unencrypted credentials,
incorrect permissions and access violations. But how do you keep
cybercriminals out while still making it easy for authorized users to log in?
Authentication management aims to ensure secure sign in while still
providing ease of use.

- A Single Sign On (SSO) solution allows the user to use one set of login credentials to authenticate across multiple applications. This way, the user only needs to remember one strong password.
- OAuth is a standard that enables a user’s account information to be used by third-party services such as Facebook or Google.
- A password vault can protect and store the user’s credentials with a single strong password required to access them.
- Many organizations implement Knowledge-Based Authentication (KBA) to provide a password reset should a user forget their password. KBA is based on personal information known by the user or a series of questions.

3.3.10 Hash-Based Message Authentication Code (HMAC)

Hash-Based Message Authentication Code (HMAC) uses an encryption key
with a hash function to authenticate a web user. Many web services use
basic authentication, which does not encrypt the username and password
during transmission. Using HMAC, the user sends a private key identifier and
an HMAC. The server looks up the user’s private key and creates an HMAC.
The user’s HMAC must match the one calculated by the server.

VPNs using IPsec rely on HMAC functions to authenticate the origin of every
packet and provide data integrity checking.
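The exchange described above, written out as an added example that is not part of the original course material. The key table, the client identifier and the request fields are constructed for the example. The timestamp check is an addition that closes the replay gap the paragraph does not mention, and the small basic_auth_decode helper shows why the text calls basic authentication unprotected.

```python
import base64
import hashlib
import hmac

# Constructed key store: key identifier -> shared secret (an assumption for the example;
# a real service would hold these in a database or a secrets manager).
KEYS = {
    "client-42": b"constructed-shared-secret-for-client-42",
}


def basic_auth_decode(header_value: str) -> str:
    """HTTP basic auth is only Base64, not encryption: anyone on the path recovers user:password."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    return base64.b64decode(encoded).decode()


def canonical_request(method: str, path: str, body: bytes, timestamp: int, key_id: str) -> bytes:
    """The bytes both sides sign. Including method, path, a hash of the body, the timestamp
    and the key id binds the MAC to this exact request at this time."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), key_id]).encode()


def sign_request(key_id: str, secret: bytes, method: str, path: str, body: bytes, timestamp: int) -> str:
    """Client side: HMAC-SHA256 over the canonical request. The secret never leaves the client."""
    msg = canonical_request(method, path, body, timestamp, key_id)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_request(key_id, presented_mac, method, path, body, timestamp, now, max_skew=300):
    """Server side: look up the key for the identifier, recompute, compare in constant time.
    Returns (accepted, reason). A timestamp too far from the server clock is rejected so a
    captured request cannot be replayed later."""
    secret = KEYS.get(key_id)
    if secret is None:
        return False, "unknown key id"
    if abs(now - timestamp) > max_skew:
        return False, "timestamp outside the allowed window (replay or clock skew)"
    expected = sign_request(key_id, secret, method, path, body, timestamp)
    if not hmac.compare_digest(expected, presented_mac):  # constant-time comparison
        return False, "HMAC mismatch"
    return True, "ok"


if __name__ == "__main__":
    body = b'{"amount": 100}'
    ts = 1_700_000_000
    mac = sign_request("client-42", KEYS["client-42"], "POST", "/transfer", body, ts)
    print(verify_request("client-42", mac, "POST", "/transfer", body, ts, now=ts + 5))
    print(verify_request("client-42", mac, "POST", "/transfer", b'{"amount": 9999}', ts, now=ts + 5))
    print(verify_request("client-42", mac, "POST", "/transfer", body, ts, now=ts + 3600))
    print(basic_auth_decode("Basic YWxpY2U6cGFzc3dvcmQ="))
```

The server never stores or transmits the MAC it expects; it recomputes it from the request it actually received, which is why a tampered body or path fails. hmac.compare_digest is used instead of == so that the comparison time does not leak how many leading bytes matched.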

Cisco products use hashing for entity authentication, data integrity and data authenticity purposes:

• Cisco IOS routers use hashing with secret keys in an HMAC-like manner to add authentication information to routing protocol updates.

• IPsec gateways and clients use hashing algorithms, such as MD5 and SHA-1 in HMAC mode, to provide packet integrity and authenticity. Collision attacks on MD5 and SHA-1 do not directly break the HMAC construction, but SHA-2 variants such as HMAC-SHA-256 should be configured wherever the peer supports them.

• Cisco software images on Cisco.com have an MD5-based checksum available so that customers can check the integrity of downloaded images. An MD5 checksum detects accidental corruption, but because MD5 collisions are practical it is not a defence against a deliberately substituted image; verify the SHA-512 checksum or the image signature where Cisco provides them.

3.3.12 Authentication Protocols and Technologies

An authentication protocol defines the exchange between two entities that proves an identity before access is granted. The protocol outlines what information must be shared, and in what order, in order to authenticate and connect.

Extensible Authentication Protocol (EAP)

EAP is an authentication framework rather than a single method; it carries many different methods (passwords, certificates, tokens) between the client and the authentication server, and it is the method carried inside 802.1X. In the commonly deployed password-based variants such as PEAP, the authentication server presents a certificate to set up a TLS tunnel and the client's hashed password response travels inside that tunnel, so the client does not need a certificate of its own. The client must still validate the server's certificate, otherwise a rogue access point presenting any certificate can collect the response.

Password Authentication Protocol (PAP)

A username and password are sent to a remote access server in plaintext. Most network operating system remote access servers support PAP, but it should only be used inside an already encrypted channel, because anyone who can observe the link obtains the credentials.

Challenge Handshake Authentication Protocol (CHAP)

CHAP validates the identity of remote clients without ever sending the password over the link. The server (the authenticator) sends a random challenge. The client computes a one-way hash over the challenge combined with the shared secret and returns it. The server calculates the expected hash value from its own copy of the secret and compares the two. If the values match, the transmission continues. CHAP also periodically re-challenges the client during the session, so a peer that is swapped mid-connection is detected. Note that the authenticator must hold the shared secret in recoverable form in order to compute the expected value.
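Both sides of the CHAP exchange just described, as an added example that is not part of the original course material. It follows the RFC 1994 MD5 construction (Response = MD5(Identifier || secret || Challenge)); the class names and the shared secret are constructed. The last function shows why a response recorded from the wire is useless against a fresh challenge.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret. CHAP obliges the authenticator to keep it in recoverable
# (plaintext or reversibly encrypted) form, which is one of the protocol's weaknesses.
SHARED_SECRET = b"correct horse battery staple"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


class Authenticator:
    """The server side: issues random challenges and verifies the responses."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.identifier = 0
        self.outstanding = None  # (identifier, challenge) waiting for a response

    def challenge(self):
        self.identifier = (self.identifier + 1) % 256
        chal = secrets.token_bytes(16)
        self.outstanding = (self.identifier, chal)
        return self.identifier, chal

    def verify(self, identifier: int, response: bytes) -> bool:
        if self.outstanding is None or identifier != self.outstanding[0]:
            return False
        ident, chal = self.outstanding
        self.outstanding = None  # each challenge may be answered only once
        expected = chap_response(ident, self.secret, chal)
        return hmac.compare_digest(expected, response)  # constant-time comparison


class Peer:
    """The client side: never sends the secret, only the hash of secret plus challenge."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def respond(self, identifier: int, challenge: bytes) -> bytes:
        return chap_response(identifier, self.secret, challenge)


def run_chap_session(authenticator: Authenticator, peer: Peer, rounds: int = 3) -> list:
    """Initial authentication followed by periodic re-challenges; one verdict per round."""
    verdicts = []
    for _ in range(rounds):
        ident, chal = authenticator.challenge()
        verdicts.append(authenticator.verify(ident, peer.respond(ident, chal)))
    return verdicts


def replay_is_rejected(authenticator: Authenticator, peer: Peer) -> bool:
    """An attacker who recorded one response cannot reuse it: the next challenge differs."""
    ident, chal = authenticator.challenge()
    recorded = peer.respond(ident, chal)
    authenticator.verify(ident, recorded)        # the legitimate use of the response
    new_ident, _ = authenticator.challenge()     # fresh challenge for the attacker's attempt
    return not authenticator.verify(new_ident, recorded)


if __name__ == "__main__":
    auth = Authenticator(SHARED_SECRET)
    print(run_chap_session(auth, Peer(SHARED_SECRET)))    # [True, True, True]
    print(run_chap_session(auth, Peer(b"wrong secret")))  # [False, False, False]
    print(replay_is_rejected(auth, Peer(SHARED_SECRET)))  # True
```

What crosses the link is the challenge and a 16-byte digest, never the secret. The protection depends on the challenge being random and never reused: an authenticator that repeated challenges would let a recorded response be replayed.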

802.1X

802.1X is port-based network access control. Before a device is given network access, the authenticator (a switch port or wireless access point) relays its credentials or certificate to an authentication server, normally a RADIUS server. If the server confirms the identity, the port is opened and the device is authorized onto the network; until then only authentication traffic is allowed through.

RADIUS

When simple username/password authentication is needed, RADIUS can accept or deny access. RADIUS runs over UDP and hides only the user's password (the User-Password attribute) between the RADIUS client and the RADIUS server, using an MD5-based scheme keyed with the shared secret. The username, accounting data and authorized services are transmitted in cleartext. When RADIUS is integrated into a product, security measures that protect against replay attacks are necessary, and the RADIUS traffic itself should be confined to a protected management network or carried inside IPsec or TLS (RadSec).

TACACS+

TACACS+ uses TCP (port 49) as its transport protocol. TACACS+ obscures the entire body of every packet (username, password, accounting and authorized services) between the client and the server; only the packet header is in the clear. Since network administrators can define ACLs, filters and per-command authorization, TACACS+ is the better choice for corporate networks requiring more sophisticated authentication steps and control over authorization activities. Its body protection is an MD5-based keystream derived from the shared secret rather than modern encryption, so TACACS+ traffic should likewise be kept on a management network or tunnelled.

Kerberos

Kerberos uses strong encryption and mutual authentication: the client proves its identity to a server, and the server in turn authenticates itself to the client.

The Kerberos server, the Key Distribution Center (KDC), holds a long-term key for every user (derived from the user's password) who will have authorizations to realm services, and it shares a secret key with every server to which it will grant access tickets. The basis for authentication in a Kerberos environment is the ticket. Tickets are used in a two-step process. First, the authentication service issues a ticket-granting ticket (TGT) to a requesting client. The client can then present this TGT to the KDC's ticket-granting service with a request for a ticket to a specific server.

This client-to-server ticket (the service ticket) is used to gain access to a server's service. The session keys distributed inside the tickets allow the entire session to be encrypted, which eliminates the inherently insecure transmission of items (such as passwords) that could be intercepted on the network. Tickets are timestamped and expire, and each presentation is accompanied by a freshly encrypted authenticator, so a captured exchange cannot simply be replayed and a stolen ticket is only useful until it expires.

3.3.13 Applications of Cryptographic Hash Functions

As we have seen previously, cryptographic hash functions help us to ensure data integrity and verify authentication. Cryptographic hash functions are used in the following situations:

• To provide proof of authenticity when used with a symmetric secret authentication key, as in IP security (IPsec) or routing protocol authentication.

• To provide authentication by generating one-time and one-way responses to challenges in authentication protocols.

• To provide message integrity proof, such as in digitally signed contracts and Public Key Infrastructure (PKI) certificates (like those accepted when accessing a secure website), where the signature is computed over the hash of the data rather than over the data itself.

When choosing a hashing algorithm, use SHA-256 or stronger (the SHA-2 and SHA-3 families), as they are currently the most secure. Avoid SHA-1 and MD5: practical collision attacks have been demonstrated against both, so they must not be used where collision resistance matters, such as in digital signatures and certificates.

3.3.15 Access Control Strategies

Access control strategies enable an organization to grant or restrict access to a network device or data.

Mandatory access control

Mandatory access control restricts the actions that a user can perform on an object (such as a file, a port or a device). An authorization rule set by the system, not by the object's owner, enforces whether a user can access the object.

Organizations use mandatory access control where different levels of security classifications exist. Every object has a label, and every user has a clearance. A mandatory access control system restricts a user based on the security classification of the object and the clearance label attached to the user.
Discretionary access control

In systems that employ discretionary access controls, the owner of an object can decide which users can access that object and what specific access they may have.

Permissions and access control lists can be used to implement discretionary access control. The owner of a file can specify what permissions (such as read, write, or execute) other users may have. The term access control list is also used for the rule lists on routers and firewalls that determine what traffic can enter or exit a network; those network ACLs are set by administrators and are rule-based rather than discretionary.

Role-based access control

Role-based access control depends on the role or job function of the user. Specific roles require permissions to perform certain operations, and users acquire permissions through their role rather than being granted them individually.

Role-based access control can work in combination with discretionary access controls or mandatory access controls by enforcing the policies of either one. Role-based access control helps to implement security administration in large organizations with hundreds of users and thousands of possible permissions: when a user changes job, their role is changed rather than every individual permission. Organizations widely accept the use of role-based access control to manage computer permissions within a system or application as a best practice.

Rule-based access control

Rule-based access control uses access control lists to help determine whether to grant access. A series of rules is contained in the access control list and the decision to grant access depends on these rules. For example, a rule may state that no employee may have access to the payroll file after hours or on weekends.

As with mandatory access control, users cannot change the access rules. Importantly, organizations can combine rule-based access control with other strategies for implementing access restrictions. For example, mandatory access control methods can utilize a rule-based approach for implementation.

In summary:

• Rule-based access control grants or denies access to users based on a set of rules and limitations.

• Role-based access control provides access based on an individual's position in an organization.

• Discretionary access control provides access based on permissions set by the object owner.

• Mandatory access control restricts access based on the security classification of the object and the clearance label attached to the user.
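The four strategies side by side in one small policy engine, as an added example that is not part of the original course material. The classification ladder, users, roles and the payroll business-hours rule are constructed. The mandatory part compares labels using the common Bell-LaPadula rules (no read up, no write down), which is an assumption about how the labels are compared rather than something the text spells out; the four checks are combined deny-overrides, so every strategy that applies must agree.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed classification ladder for the mandatory checks.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# Constructed role model for the role-based checks.
ROLE_PERMISSIONS = {"payroll_clerk": {"read", "write"}, "auditor": {"read"}, "intern": set()}
USER_ROLES = {"alice": {"payroll_clerk"}, "bob": {"auditor"}, "carol": {"intern"}}

# Constructed points in time for the rule-based check (a Tuesday and a Saturday).
TUESDAY_10AM = datetime(2024, 6, 11, 10, 0)
SATURDAY_10AM = datetime(2024, 6, 15, 10, 0)


@dataclass
class Obj:
    name: str
    owner: str
    label: str
    acl: dict = field(default_factory=dict)  # user -> set of permissions (the discretionary part)


def mac_allows(clearance: str, label: str, perm: str) -> bool:
    """Mandatory (Bell-LaPadula): read needs clearance >= label (no read up);
    write needs label >= clearance (no write down). Users cannot change these rules."""
    if perm == "read":
        return LEVELS[clearance] >= LEVELS[label]
    if perm == "write":
        return LEVELS[label] >= LEVELS[clearance]
    return False


def dac_grant(obj: Obj, actor: str, user: str, perms: set) -> None:
    """Discretionary: only the object's owner may edit its ACL."""
    if actor != obj.owner:
        raise PermissionError(f"{actor} is not the owner of {obj.name}")
    obj.acl.setdefault(user, set()).update(perms)


def dac_allows(obj: Obj, user: str, perm: str) -> bool:
    return user == obj.owner or perm in obj.acl.get(user, set())


def rbac_allows(user: str, perm: str) -> bool:
    """Role-based: permissions come from roles, never from the user directly."""
    return any(perm in ROLE_PERMISSIONS[role] for role in USER_ROLES.get(user, ()))


def rule_allows(obj: Obj, when: datetime) -> bool:
    """Rule-based: the payroll file is off limits outside 09:00-17:00 Monday to Friday."""
    if obj.name == "payroll":
        return when.weekday() < 5 and 9 <= when.hour < 17
    return True


def decide(user: str, clearance: str, obj: Obj, perm: str, when: datetime) -> tuple:
    """Deny-overrides combination. Returns (allowed, [strategies that denied])."""
    denied = []
    if not mac_allows(clearance, obj.label, perm):
        denied.append("mandatory")
    if not dac_allows(obj, user, perm):
        denied.append("discretionary")
    if not rbac_allows(user, perm):
        denied.append("role-based")
    if not rule_allows(obj, when):
        denied.append("rule-based")
    return (not denied, denied)


def build_payroll() -> Obj:
    """Constructed object: HR (the owner) grants alice read/write and bob read."""
    payroll = Obj(name="payroll", owner="hr", label="confidential")
    dac_grant(payroll, "hr", "alice", {"read", "write"})
    dac_grant(payroll, "hr", "bob", {"read"})
    return payroll


if __name__ == "__main__":
    payroll = build_payroll()
    print(decide("alice", "secret", payroll, "read", TUESDAY_10AM))    # (True, [])
    print(decide("alice", "secret", payroll, "read", SATURDAY_10AM))   # (False, ['rule-based'])
    print(decide("alice", "secret", payroll, "write", TUESDAY_10AM))   # (False, ['mandatory'])
    print(decide("carol", "top_secret", payroll, "read", TUESDAY_10AM))
```

The returned list of denying strategies is what makes the combination auditable: a refusal can be traced to the label comparison, the owner's ACL, the role model or the time rule, and the user holding a clearance still cannot edit the ACL of a file they do not own.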

--

3.4 AAA usage and operation

3.4.1 AAA Operation

A network must be designed to control who is allowed to connect to it and what they are allowed to do when they are connected. These design requirements are identified in the network security policy. The policy specifies how network administrators, corporate users, remote users, business partners, and clients access network resources. The network security policy can also mandate the implementation of an accounting system that tracks who logged in and when and what they did while logged in. Some compliance regulations may specify that access must be logged and the logs retained for a set period of time.

The Authentication, Authorization, and Accounting (AAA) framework provides the structure needed to enable scalable access security; RADIUS and TACACS+ are the protocols that carry it between devices and servers.

The AAA architectural framework provides three independent security functions.

I. Authentication

• Users and administrators must prove that they are who they say they are.

• Authentication can be established using username and password combinations, challenge and response questions, token cards, and other methods.

• AAA authentication provides a centralized way to control access to the network.

II. Authorization

• After the user is authenticated, authorization services determine which resources the user can access and which operations the user is allowed to perform.

• An example is "User 'student' can access host server XYZ using SSH only."

III. Accounting

• Accounting records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made.

• Accounting keeps track of how network resources are used.

• An example is "User 'student' accessed host server XYZ using SSH for 15 minutes."

This concept is similar to the use of a credit card, as indicated by the figure. The credit card identifies who can use it, how much that user can spend, and keeps account of what items the user spent money on.

3.4.2 AAA Authentication

AAA authentication can be used to authenticate users for administrative access or it can be used to authenticate users for remote network access. Cisco provides two common methods of implementing AAA services.

Local AAA Authentication

This method is sometimes known as self-contained authentication because it authenticates users against locally stored usernames and passwords, as shown in the figure. Local AAA is ideal for small networks, and it is also kept as a fallback on larger ones so that administrators can still log in when the AAA servers are unreachable.

Server-Based AAA Authentication

This method authenticates against a central AAA server that contains the usernames and passwords for all users, as shown in the figure. Server-based AAA authentication is appropriate for medium-to-large networks.

Centralized AAA is more scalable and manageable than local AAA authentication and therefore it is the preferred AAA implementation.

A centralized AAA system may independently maintain databases for authentication, authorization, and accounting. It can leverage Active Directory or Lightweight Directory Access Protocol (LDAP) for user authentication and group membership, while maintaining its own authorization and accounting databases.

Devices communicate with the centralized AAA server using either the Remote Authentication Dial-In User Service (RADIUS) or the Terminal Access Controller Access Control System Plus (TACACS+) protocol.

The table lists the differences between the two protocols.

Functionality
  TACACS+: Separates the authentication, authorization, and accounting functions according to the AAA architecture. This allows modularity of the security server implementation.
  RADIUS: Combines authentication and authorization but separates accounting, which allows less flexibility in implementation than TACACS+.

Standard
  TACACS+: Cisco-developed and mostly Cisco supported (now documented in RFC 8907).
  RADIUS: Open/RFC standard (RFC 2865 for authentication and authorization, RFC 2866 for accounting).

Transport
  TACACS+: TCP port 49.
  RADIUS: UDP ports 1812 (authentication) and 1813 (accounting), or the legacy 1645 and 1646.

Challenge/Response
  TACACS+: Bidirectional challenge and response as used in Challenge Handshake Authentication Protocol (CHAP).
  RADIUS: Unidirectional challenge and response from the RADIUS security server to the RADIUS client.

Confidentiality
  TACACS+: Encrypts the entire body of the packet but leaves a standard TACACS+ header in the clear.
  RADIUS: Encrypts only the password in the Access-Request packet from the client to the server. The remainder of the packet is unencrypted, leaving the username, authorized services, and accounting unprotected.

Customization
  TACACS+: Provides authorization of router commands on a per-user or per-group basis.
  RADIUS: Has no option to authorize router commands on a per-user or per-group basis.

Accounting
  TACACS+: Limited.
  RADIUS: Extensive.
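The confidentiality row of the table, and the RADIUS and TACACS+ descriptions in 3.3.12, demonstrated on the wire: an added example that is not part of the original course material. The User-Password hiding follows RFC 2865 section 5.2 and the TACACS+ body obfuscation follows RFC 8907 section 4.5; the shared secrets, the session id and the packet contents are constructed. It shows that in RADIUS only the password is hidden while the username rides in the clear, that TACACS+ hides the whole body but not its 12-byte header, and that both schemes are reversed by anyone who holds the shared secret, which is why the text asks for a protected transport.

```python
import hashlib
import os
import struct


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# ---- RADIUS (RFC 2865 section 5.2): only the User-Password attribute is hidden ----

def radius_hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Pad to a multiple of 16, then c_i = p_i XOR MD5(secret || c_(i-1)), c_0 = Request Authenticator."""
    if not (0 < len(password) <= 128) or len(request_authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator exactly 16")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        block = xor_bytes(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += block
        prev = block
    return hidden


def radius_reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """The server, or anyone else who knows the secret, runs the same chain backwards."""
    plain, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        plain += xor_bytes(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return plain.rstrip(b"\x00")


def radius_access_request_on_the_wire(username: bytes, password: bytes, secret: bytes) -> dict:
    """What a passive sniffer sees: User-Name in cleartext, User-Password hidden, authenticator in cleartext."""
    request_authenticator = os.urandom(16)
    return {
        "User-Name": username,
        "User-Password": radius_hide_password(password, secret, request_authenticator),
        "Request-Authenticator": request_authenticator,
    }


# ---- TACACS+ (RFC 8907 section 4.5): the whole body is obfuscated, the header is not ----

TACACS_VERSION = 0xC0      # major version 0xC, minor version 0
TACACS_TYPE_AUTHEN = 0x01  # authentication packet


def tacacs_plus_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id || key || version || seq_no); MD5_n = MD5(... || MD5_(n-1)); concatenate."""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_plus_xor_body(body: bytes, session_id: int, key: bytes, seq_no: int,
                         version: int = TACACS_VERSION) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR with the pseudo-pad."""
    return xor_bytes(body, tacacs_plus_pad(session_id, key, version, seq_no, len(body)))


def tacacs_plus_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Cleartext header (version, type, seq_no, flags, session_id, length) then the obfuscated body."""
    header = struct.pack("!BBBBII", TACACS_VERSION, TACACS_TYPE_AUTHEN, seq_no, 0x00, session_id, len(body))
    return header + tacacs_plus_xor_body(body, session_id, key, seq_no)


def tacacs_plus_parse(packet: bytes, key: bytes) -> bytes:
    """Recover the body: the cleartext header supplies session_id and seq_no, the key supplies the pad."""
    version, _type, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    return tacacs_plus_xor_body(packet[12:12 + length], session_id, key, seq_no, version)


if __name__ == "__main__":
    secret = b"constructed-radius-secret"
    seen = radius_access_request_on_the_wire(b"student", b"Str0ngPass!", secret)
    print(seen["User-Name"], seen["User-Password"].hex())  # username readable, password not
    print(radius_reveal_password(seen["User-Password"], secret, seen["Request-Authenticator"]))
    # Constructed authentication START body: action, priv_lvl, authen_type, service, lengths, username.
    body = b"\x01\x0f\x01\x01\x07\x00\x00\x00student"
    pkt = tacacs_plus_packet(body, 0x1A2B3C4D, b"constructed-tacacs-key")
    print(pkt[:12].hex(), pkt[12:].hex())  # header readable, body not
    print(tacacs_plus_parse(pkt, b"constructed-tacacs-key"))
```

Neither scheme is authenticated encryption: both are MD5 keystreams derived from a shared secret, so a weak or reused secret, or a secret recovered from one device, exposes every session that used it. That is the reason both protocols belong on a management network or inside IPsec or TLS.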

3.4.3 AAA Accounting Logs

Centralized AAA also enables the use of the accounting method. Accounting records from all devices are sent to centralized repositories, which simplifies auditing of user actions.

AAA accounting collects and reports usage data in AAA logs. These logs are useful for security auditing. The collected data might include the start and stop connection times, executed commands, number of packets, and number of bytes.

One widely deployed use of accounting is to combine it with AAA authentication. This helps with managing access to internetworking devices by network administrative staff. Accounting provides more security than just authentication. The AAA servers keep a detailed log of exactly what the authenticated user does on the device, as shown in the figure. This includes all EXEC and configuration commands issued by the user. The log contains numerous data fields, including the username, the date and time, and the actual command that was entered by the user. This information is useful when troubleshooting devices. It also provides evidence against individuals who perform malicious actions, provided the records leave the device and are stored where the audited user cannot alter them.

1. When a user has been authenticated, the AAA accounting process generates a start message to begin the accounting process.

2. When the user finishes, a stop message is recorded and the accounting process ends.

The following are the various types of accounting information that can be collected.

1) Network Accounting

Network accounting captures information for all Point-to-Point Protocol (PPP) sessions, including packet and byte counts.

2) Connection Accounting

Connection accounting captures information about all outbound connections that are made from the AAA client, such as by SSH.

3) EXEC Accounting

EXEC accounting captures information about user EXEC terminal sessions (user shells) on the network access server, including username, date, start and stop times, and the access server IP address.

4) System Accounting

System accounting captures information about all system-level events (for example, when the system reboots or when accounting is turned on or off).

5) Command Accounting

Command accounting captures information about the EXEC shell commands for a specified privilege level, as well as the date and time each command was executed, and the user who executed it.

6) Resource Accounting

The Cisco implementation of AAA accounting generates "start" and "stop" records for connections that have passed user authentication. It can additionally generate "stop" records for connections that fail to authenticate, so that failed login attempts appear in the accounting stream as well. Such records are necessary for users employing accounting records to manage and monitor their networks.
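Working with the accounting record types just listed, as an added example that is not part of the original course material. The record lines are constructed in a key=value style loosely modelled on TACACS+ accounting output, not captured from a device; the field names and the watch-list of commands are assumptions. The code pairs start and stop records into sessions, reproduces the "15 minutes" figure used earlier in the module, surfaces a stop record with no matching start (a failed authentication, as described under resource accounting) and flags commands that reduce visibility.

```python
import re
from datetime import datetime

# Constructed accounting stream (not device output). Fields: timestamp, device, record type, key=value pairs.
SAMPLE_RECORDS = """\
2024-06-11T09:00:01 R1 start task_id=101 user=student service=shell port=tty2 rem_addr=10.1.1.50
2024-06-11T09:00:05 R1 cmd task_id=101 user=student priv-lvl=15 cmd=configure terminal
2024-06-11T09:00:09 R1 cmd task_id=101 user=student priv-lvl=15 cmd=no logging host 10.0.0.5
2024-06-11T09:00:30 R1 cmd task_id=101 user=student priv-lvl=15 cmd=show running-config
2024-06-11T09:15:01 R1 stop task_id=101 user=student service=shell elapsed_time=900
2024-06-11T09:20:00 R1 stop task_id=102 user=guest service=shell elapsed_time=0 reason=authen-fail
2024-06-11T09:25:00 R2 start task_id=201 user=admin service=shell port=tty1 rem_addr=10.1.1.7
"""

# Commands that reduce visibility or change who can log in; an assumption for the example.
WATCHLIST = ("no logging", "no aaa", "username ", "no snmp-server", "clear logging")

KEY_TOKEN = re.compile(r"^[A-Za-z_][\w-]*=")


def parse_records(text: str) -> list:
    """One dict per line: when, device, type, plus every key=value pair.
    A value runs until the next key= token, so 'cmd=no logging host 10.0.0.5' stays whole."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, device, rtype, rest = line.split(" ", 3)
        rec = {"when": datetime.fromisoformat(when), "device": device, "type": rtype}
        last = None
        for token in rest.split(" "):
            if KEY_TOKEN.match(token):
                last, value = token.split("=", 1)
                rec[last] = value
            elif last is not None:
                rec[last] += " " + token
        records.append(rec)
    return records


def sessions(records: list) -> dict:
    """Pair start/stop records by task_id and attach the commands issued in between."""
    out = {}
    for rec in records:
        s = out.setdefault(rec["task_id"], {"user": rec.get("user"), "device": rec["device"],
                                            "start": None, "stop": None, "reason": None, "commands": []})
        if rec["type"] == "start":
            s["start"] = rec["when"]
        elif rec["type"] == "stop":
            s["stop"] = rec["when"]
            s["reason"] = rec.get("reason")
        elif rec["type"] == "cmd":
            s["commands"].append(rec["cmd"])
    for s in out.values():
        complete = s["start"] is not None and s["stop"] is not None
        s["duration_s"] = int((s["stop"] - s["start"]).total_seconds()) if complete else None
    return out


def failed_authentications(records: list) -> list:
    """Resource accounting: a stop with no matching start is a connection that never authenticated."""
    started = {r["task_id"] for r in records if r["type"] == "start"}
    return [(r["user"], r["device"]) for r in records if r["type"] == "stop" and r["task_id"] not in started]


def flagged_commands(records: list) -> list:
    """Command accounting turned into a detection: who ran a watch-listed command, where and when."""
    return [(r["user"], r["device"], r["when"].isoformat(), r["cmd"])
            for r in records if r["type"] == "cmd" and r["cmd"].startswith(WATCHLIST)]


def open_sessions(sess: dict) -> list:
    """Started but not stopped: still logged in, or the stop record never reached the server."""
    return [tid for tid, s in sess.items() if s["start"] is not None and s["stop"] is None]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    sess = sessions(recs)
    print(sess["101"]["user"], sess["101"]["duration_s"], sess["101"]["commands"])
    print(failed_authentications(recs))
    print(flagged_commands(recs))
    print(open_sessions(sess))
```

The "no logging host" command in the sample is exactly the kind of action accounting exists to capture: it was sent to the AAA server before the device stopped forwarding its logs, so the attempt to reduce visibility is itself on record.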

Review: match each description to the AAA function it describes.

• Records what the user does, including what is accessed, the amount of time the resource is accessed, and any changes that were made: Accounting

• Uses a created set of attributes that describes the user's access to the network: Authorization

• Established using username and password combinations, challenge and response questions, token cards, and other methods: Authentication

• Collects and reports usage data so that it can be employed for purposes such as auditing or billing: Accounting

• Users and administrators must prove that they are who they say they are: Authentication

• What a user can and cannot do on the network: Authorization

• Which resources the user can access and which operations the user is allowed to perform: Authorization

• Provides evidence against individuals who perform malicious actions: Accounting

• A way to control who is permitted to access a network: Authentication
