Information Security Soft Exam: Chapter 7 Principles and Applications of Access Control Technology

    Summary of Information Security Engineer tutorial notes (series index)

  1. Access control overview
  2. Access control model
  3. Access control types
  4. Access control policy design and implementation
  5. Access control process and security management
  6. Main access control products and technical indicators
  7. Applications of access control technology ※※

Exam pattern: about 3 points of multiple-choice questions in the morning session; in the afternoon session, about 5 points combining access control concepts with firewalls or Linux.

1. Overview of Access Control

1.1 Access Control Concept

  In a networked information environment, resources are not open without limit; they may be used only under certain constraints (for example, an ordinary Internet user can browse a news site but cannot modify its content). Because networks and information are valuable, accidental or deliberate unauthorized use and damage are inevitable unless access is controlled.

  Access control refers to the management of who may access a resource object, how that access is authorized, and the control methods and operating mechanisms that enforce it.

  Accessors (subjects) can be users, processes, applications and so on. Resource objects, also simply called objects, are the things being accessed: files, application services, data and so on. Authorization is the set of ways an accessor may act on an object, such as read, write, delete and append, or receiving and sending e-mail. Control means monitoring and restricting what accessors do and deciding whether a given access to an object is allowed: denying access, granting permission, forbidding an operation and so on.

1.2 Access Control Objectives

  • Prevent illegal users from entering the system
  • Prevent legitimate users from misusing system resources, that is, stop legitimate users from exceeding their authorization.



2. Access control model

  An access control mechanism consists of a set of security mechanisms that can be abstracted into a simple model. Its components are the subject, the reference monitor, the object, the access control database and the audit library.


  • Subject: the entity that performs operations on objects. Subjects are usually people, processes or devices, and in practice are mostly processes acting on behalf of users. For example, when a file is being edited, the editor process is the subject and the file is the object. In short, the subject is the initiator of the action.
  • Object: the entity that is operated on by the subject.
  • Reference monitor: the combination of the decision unit and the enforcement unit of access control; every access by a subject to an object must pass through it.
  • Access control database: stores the access control policy and rules (who may access what, and how) that the reference monitor consults.
  • Audit library: stores records of subjects' accesses to objects, including both successful and failed accesses.

3. Types of access control

Commonly used access control types mainly include discretionary access control, mandatory access control, role-based access control, and attribute-based access control.

3.1 Discretionary Access Control (DAC)

DAC is a relatively basic form of access control. "Discretionary" simply means that the owner of a file (object) decides, at their own discretion, who may access it.

  In DAC the owner of an object grants access rights to other users of the system according to the owner's own security policy. There are two implementation methods: row-based discretionary access control and column-based discretionary access control.

(1) Row-based discretionary access control

  Row-based discretionary access control attaches to each subject a list of the objects that subject may access. Depending on the information kept in the list there are three forms: the capability list, the prefix table (profiles) and the password.

  • Capability list: a capability is the key that opens an object; it determines whether the subject may access the object and in which modes (read, write, execute). A subject holding a capability can access the object in the mode the capability specifies.
  • Prefix table: holds the names of protected objects together with the subject's access rights to them. When a subject requests access to an object, the DAC mechanism checks whether the subject's prefix table contains that object with the requested right.
  • Password: in the password-based DAC mechanism each object has an associated password. Before accessing the object, the subject must present the object's password to the system; if it is correct, access is granted.

(2) Column-based autonomous access control

  In column-based discretionary access control, each object carries a list of the subjects that may access it. It has two forms: protection bits and the access control list (ACL).

  • Protection bits: specify, for every object, a set of access modes for the object's owner, the owner's group and all other subjects; the rights are usually encoded as bits. UNIX/Linux systems use this method.
  • Access control list: an ACL attaches to each object a list of subjects, each entry giving a subject's identity and that subject's rights to the object; it corresponds to one column of the access control matrix.
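The same access control matrix seen row by row and column by column, as an added example in Python (not code from the original notes or from any product): a row of the matrix is a subject's capability list, a column is an object's ACL, and under DAC only the owner of an object may add entries. The subjects, objects, owners and rights are constructed sample data.

```python
# Added example (not part of the original notes): one access control matrix
# viewed row-wise (capability lists) and column-wise (ACLs), with grants
# made only by the object's owner, as DAC requires. All names are constructed.


def capability_list(matrix, subject):
    """Row-based view: every object the subject may access and with which rights."""
    return {obj: set(rights)
            for (subj, obj), rights in matrix.items() if subj == subject}


def acl(matrix, obj):
    """Column-based view: every subject that may access the object and with which rights."""
    return {subj: set(rights)
            for (subj, o), rights in matrix.items() if o == obj}


def allowed(matrix, subject, obj, right):
    """Reference-monitor decision: look the cell up, default deny."""
    return right in matrix.get((subject, obj), set())


def grant(matrix, owners, grantor, subject, obj, right):
    """Discretionary grant: succeeds only if the grantor owns obj."""
    if owners.get(obj) != grantor:
        return False
    matrix.setdefault((subject, obj), set()).add(right)
    return True


def sample_matrix():
    """Constructed data: rows are subjects, columns are objects, cells are right sets."""
    matrix = {
        ("alice", "report.doc"): {"read", "write"},
        ("alice", "budget.xls"): {"read"},
        ("bob", "report.doc"): {"read"},
        ("bob", "payroll.db"): {"read", "write"},
    }
    owners = {"report.doc": "alice", "budget.xls": "carol", "payroll.db": "bob"}
    return matrix, owners


if __name__ == "__main__":
    m, o = sample_matrix()
    print("alice's capability list:", capability_list(m, "alice"))
    print("ACL of report.doc:", acl(m, "report.doc"))
    print("bob grants alice read on payroll.db:",
          grant(m, o, "bob", "alice", "payroll.db", "read"))
    print("bob grants carol write on report.doc:",
          grant(m, o, "bob", "carol", "report.doc", "write"))
```

Both views answer the same question ("may alice write report.doc?"); they differ in which listing is cheap to enumerate: a capability list answers "what can this subject reach", an ACL answers "who can reach this object", which is what revocation needs.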

  Advantages of discretionary access control: the mechanism is simple and flexible, and to a certain extent it achieves privilege separation and resource protection among multiple users.

  Disadvantages of discretionary access control: its effectiveness depends on the users' security awareness and skills, so it cannot meet the requirements of high security levels; resource management is scattered across users, which makes controlling the security of the whole system inconvenient; and it cannot prevent Trojan horse attacks, because a Trojan horse program run by an administrator after logging in inherits all of the administrator's permissions.


3.2 Mandatory Access Control (MAC)


  In MAC the system controls subjects' access to objects in a mandatory way, based on the security attributes of the subject and the object. In plain terms, under mandatory access control users (and other subjects) and files (and other objects) carry fixed security attributes (such as security level and access rights), and on every access the system checks these attributes to decide whether the user may access the file. Multi-level security (MLS), the BLP (Bell-LaPadula) model, the Biba model and DTE (Domain and Type Enforcement) are all mandatory access policies.

  Access rules

  • Confidentiality rules (BLP)

1) A subject may read an object only if the subject's clearance level is higher than or equal to the object's confidentiality level ("read down", no read up).

2) A subject may write an object only if the subject's clearance level is lower than or equal to the object's confidentiality level ("write up", no write down).

  • Integrity rules (Biba)

1) A subject may read an object only if the subject's integrity level is lower than or equal to the object's integrity level ("read up", no read down).

2) A subject may write an object only if the subject's integrity level is higher than or equal to the object's integrity level ("write down", no write up).
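The four rules above carried through in code, as an added example (Python, not from the original notes or from any operating system). Labels here are (rank, categories) so that "higher than or equal to" becomes the usual MLS "dominates" relation; the category sets are an assumption added for the example, the notes speak only of levels. The names in the rank tables and the sample subjects and objects are constructed.

```python
# Added example (not part of the original notes): the four MAC rules above
# checked on MLS labels. A label is (rank, categories); "a dominates b"
# means a's rank >= b's rank and a's categories include all of b's.
# Category sets are an assumption added here; the notes mention only levels.

CONFIDENTIALITY = {"public": 0, "internal": 1, "secret": 2, "top-secret": 3}
INTEGRITY = {"untrusted": 0, "user": 1, "system": 2}


def dominates(a, b):
    """Lattice order on labels of the form (rank, categories)."""
    return a[0] >= b[0] and set(a[1]) >= set(b[1])


# Confidentiality (BLP): read down, write up.
def blp_read(subject_label, object_label):
    """Rule 1: the subject's clearance must dominate the object's classification."""
    return dominates(subject_label, object_label)


def blp_write(subject_label, object_label):
    """Rule 2: the object's classification must dominate the subject's clearance."""
    return dominates(object_label, subject_label)


# Integrity (Biba): read up, write down.
def biba_read(subject_label, object_label):
    """Rule 1: the object's integrity must dominate the subject's integrity."""
    return dominates(object_label, subject_label)


def biba_write(subject_label, object_label):
    """Rule 2: the subject's integrity must dominate the object's integrity."""
    return dominates(subject_label, object_label)


def mac_check(subject, obj, op):
    """Mandatory decision when both policies are enforced at once.

    subject and obj are dicts with 'conf' and 'integ' labels. Neither the
    subject nor the object's owner can change these labels; that fixed
    labelling is what makes the control mandatory rather than discretionary.
    """
    if op == "read":
        return (blp_read(subject["conf"], obj["conf"])
                and biba_read(subject["integ"], obj["integ"]))
    if op == "write":
        return (blp_write(subject["conf"], obj["conf"])
                and biba_write(subject["integ"], obj["integ"]))
    raise ValueError("unknown operation: " + op)


def label(table, name, categories=()):
    """Build a label from a named rank in one of the tables above."""
    return (table[name], frozenset(categories))


# Constructed sample subjects and objects.
ANALYST = {"conf": label(CONFIDENTIALITY, "secret", {"finance"}),
           "integ": label(INTEGRITY, "user")}
INSTALLER = {"conf": label(CONFIDENTIALITY, "public"),
             "integ": label(INTEGRITY, "user")}
FINANCE_MEMO = {"conf": label(CONFIDENTIALITY, "internal", {"finance"}),
                "integ": label(INTEGRITY, "user")}
TOP_SECRET_PLAN = {"conf": label(CONFIDENTIALITY, "top-secret", {"finance"}),
                   "integ": label(INTEGRITY, "user")}
WEB_DOWNLOAD = {"conf": label(CONFIDENTIALITY, "public"),
                "integ": label(INTEGRITY, "untrusted")}
SYSTEM_CONFIG = {"conf": label(CONFIDENTIALITY, "internal"),
                 "integ": label(INTEGRITY, "system")}
```

The analyst can read the internal finance memo but not write to it (that would be a write down), can write to the top-secret plan without being able to read it (write up), and is refused a read of the untrusted download even though its confidentiality is public, because Biba forbids reading down in integrity. The installer may raise the confidentiality of what it writes but is still refused a write to the system-integrity configuration.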

   Compared with discretionary access control, MAC is stricter. Although DAC lets a user stop other users from intruding on the user's own resources, it offers no protection against the user's own negligence or mistakes (for example, granting rights too widely), so discretionary access control cannot meet higher security-level requirements.
  
  In government, military and financial settings, the MAC mechanism is commonly used to divide system resources into security levels and categories and then manage them accordingly.


3.3 Role-Based Access Control (RBAC)

  RBAC grants and manages authorization according to the access required to carry out particular responsibilities (roles). RBAC has four basic elements: users (U), roles (R), sessions (S) and permissions (P).

  A system can have many users and many roles, and the user-role relation is many-to-many. A permission is the ability of a subject to perform an operation (read, write, modify, execute and so on) on an object. Through authorization a role can hold many permissions and a permission can be granted to many roles; likewise a user can take on many roles and a role can be held by many users.

  In a system that uses RBAC for authorization, the system administrator manages the set of roles and the set of access rights.
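A minimal RBAC model with the four elements above, as an added example (Python, not from the original notes or from any product). It keeps the two many-to-many relations, user to role and role to permission, and models a session as the subset of the user's roles that is currently activated, so a permission check only sees the roles active in that session. Role, user, operation and object names are constructed.

```python
# Added example (not part of the original notes): the four RBAC elements
# with many-to-many user/role and role/permission assignment. A session
# activates a subset of the user's roles, and permission checks consult
# only the roles active in that session. All names are constructed.


class RBAC:
    def __init__(self):
        self.user_roles = {}   # U -> set of R   (user assignment)
        self.role_perms = {}   # R -> set of P   (permission assignment)
        self.sessions = {}     # S -> (user, set of active roles)

    # --- administration: the system administrator manages roles and rights ---
    def assign_role(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def revoke_role(self, user, role):
        """Removing a role also deactivates it in the user's open sessions."""
        self.user_roles.get(user, set()).discard(role)
        for owner, active in self.sessions.values():
            if owner == user:
                active.discard(role)

    def grant_permission(self, role, operation, obj):
        """A permission is an (operation, object) pair attached to a role."""
        self.role_perms.setdefault(role, set()).add((operation, obj))

    # --- runtime ---
    def open_session(self, sid, user, roles):
        """Activate roles for a session; only roles assigned to the user may be activated."""
        roles = set(roles)
        if not roles <= self.user_roles.get(user, set()):
            raise PermissionError(f"{user} is not assigned all of {sorted(roles)}")
        self.sessions[sid] = (user, roles)

    def check(self, sid, operation, obj):
        """Permit if any role active in the session carries the permission."""
        _, active = self.sessions[sid]
        return any((operation, obj) in self.role_perms.get(r, set()) for r in active)


def build_sample():
    """Constructed policy: an admin role and an auditor role, two users."""
    rbac = RBAC()
    rbac.grant_permission("admin", "create", "user_account")
    rbac.grant_permission("admin", "read", "audit_log")
    rbac.grant_permission("auditor", "read", "audit_log")
    rbac.assign_role("alice", "admin")
    rbac.assign_role("alice", "auditor")
    rbac.assign_role("bob", "auditor")
    return rbac
```

Activating only the roles a task needs is how RBAC implements least privilege in practice: alice holds the admin role, but a session opened with just the auditor role cannot create accounts.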


3.4 Attribute Based Access Control (ABAC)

Exam requirement: understanding (familiarity level)

  ABAC authorizes or denies a subject's requested operation according to the subject's attributes, the object's attributes, the environment conditions and the access policy. When a subject accesses a controlled resource, ABAC evaluates the subject attributes, object attributes, environment conditions and access policy together and then grants or refuses the access.
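An ABAC decision point over the four inputs named above, as an added example (Python, not from the original notes or from any product). Each rule is a predicate over subject, object, environment and action plus an effect; rules are combined deny-overrides with a default of deny, which is one common choice, not the only one. The attribute names, the policy and the sample requests are constructed.

```python
# Added example (not part of the original notes): an ABAC decision point.
# Each rule is a predicate over (subject, object, environment, action) with
# an effect; the combining algorithm is deny-overrides with default deny.
# Attribute names and the policy are constructed for illustration.

from datetime import datetime


def rule(effect, when):
    return {"effect": effect, "when": when}


POLICY = [
    # Environment condition: no confidential data from outside the corporate network.
    rule("deny", lambda s, o, e, a: e["network"] == "external"
         and o["classification"] >= 2),
    # Subject and object attributes: same department, enough clearance, working hours.
    rule("permit", lambda s, o, e, a: a == "read"
         and s["department"] == o["department"]
         and s["clearance"] >= o["classification"]
         and 9 <= e["time"].hour < 18),
    # Object attribute: the owner may write to the object.
    rule("permit", lambda s, o, e, a: a == "write" and s["id"] == o["owner"]),
]


def decide(policy, subject, obj, env, action):
    """Deny-overrides: any applicable deny wins, then any permit, else deny."""
    effects = {r["effect"] for r in policy if r["when"](subject, obj, env, action)}
    if "deny" in effects:
        return "deny"
    if "permit" in effects:
        return "permit"
    return "deny"   # no rule applies: default deny


# Constructed attributes for subjects, an object and environments.
ALICE = {"id": "alice", "department": "finance", "clearance": 2}
CAROL = {"id": "carol", "department": "hr", "clearance": 3}
REPORT = {"id": "q3-report", "department": "finance",
          "classification": 2, "owner": "alice"}
INSIDE_DAY = {"network": "internal", "time": datetime(2024, 3, 4, 10, 30)}
INSIDE_NIGHT = {"network": "internal", "time": datetime(2024, 3, 4, 22, 0)}
OUTSIDE_DAY = {"network": "external", "time": datetime(2024, 3, 4, 10, 30)}
```

The interesting cases are the ones RBAC alone cannot express: the owner's write is permitted at night but denied from the external network, and carol is refused despite a higher clearance because the department attribute does not match.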



4. Access control policy design and implementation

4.1 Access Control Policy

  Access control policies specify users' access rights to resources in order to prevent resources from being lost, leaked or used illegally. When designing an access control policy the following requirements should generally be considered:

(1) The security requirements of different network applications, such as access by internal users versus external users

(2) Identification of all information relevant to the application, such as communication port numbers and IP addresses

(3) Policies for information dissemination and authorization, such as information security levels and classification

(4) Consistency between the access control and information classification policies of different systems

(5) Relevant regulations and contractual obligations on the protection of data and services

(6) Updating and maintenance of access rights

  • An access control policy consists of objects to be controlled, access control rules, user rights, or other access security requirements
  • Common types of access control policies: computer room access control policies, dial-up server control policies, router access control policies, switch access control policies, firewall access control policies, host access control policies, database access control policies, client access control policies, network services access control policies, etc.

4.2 Access Control Rules

Tested as a multiple-choice question in the 2021 exam

  Access control rules are in effect a set of access constraints: the concrete implementation and expression of an access control policy.

  Main access control rules:

(1) Rules based on user identity: a specific user identity restricts the operations allowed. Usually the user is identified by an account name and password; when the correct account name and password are entered, the system lets the user in. Access control in today's operating systems and network devices is basically built on this rule.

(2) Role-based rules: control according to the permissions a user needs to complete a given task.

(3) Address-based rules: the physical location or logical address of the accessor restricts the operations allowed. For example, important servers and network devices can be closed to remote access and allow local access only, which raises security. Address-based rules may use IP addresses, domain names or physical addresses.

(4) Time-based rules: the time restricts the operations allowed. Some systems add control over the time factor to make access control more adaptable (for example, access to servers is not allowed outside working hours).

(5) Rules based on abnormal events: an abnormal event triggers a control operation so that behaviour endangering the system does not escalate further.

(6) Rules based on service count: for example, when the load on a website approaches a set threshold, new access requests are temporarily refused so that the system keeps running normally.
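Rules (3) to (6) above applied by a single gate in front of a login service, as an added example (Python, not from the original notes or from any product). The address and time rules are stateless checks; the abnormal-event rule (lock an account after repeated failed logins) and the service-count rule (refuse new sessions when capacity is reached) only work if the gate keeps state across requests, which is what this example adds. The networks, thresholds, account names and request times are constructed.

```python
# Added example (not part of the original notes): address-, time-,
# abnormal-event- and service-count-based rules in one gate. The last two
# need state kept across requests (failure counters, lock times, live
# sessions). Networks, thresholds and sample requests are constructed.

import ipaddress
from collections import deque
from datetime import datetime, timedelta


class AccessGate:
    def __init__(self, allowed_nets, hours, max_failures, window, lock_time, capacity):
        self.allowed_nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.hours = hours                  # (start_hour, end_hour), end exclusive
        self.max_failures = max_failures    # failures inside `window` that trigger a lock
        self.window = window                # timedelta over which failures are counted
        self.lock_time = lock_time          # timedelta an account stays locked
        self.capacity = capacity            # maximum concurrent sessions
        self.failures = {}                  # account -> deque of failure times
        self.locked_until = {}              # account -> datetime
        self.sessions = set()               # (account, src_ip) currently logged in
        self.audit = []                     # (time, account, src_ip, decision, reason)

    def _record(self, now, account, ip, decision, reason):
        self.audit.append((now, account, ip, decision, reason))
        return decision, reason

    def login(self, account, src_ip, now, password_ok):
        ip = ipaddress.ip_address(src_ip)
        # (3) address-based rule
        if not any(ip in net for net in self.allowed_nets):
            return self._record(now, account, src_ip, "deny", "address")
        # (4) time-based rule
        if not (self.hours[0] <= now.hour < self.hours[1]):
            return self._record(now, account, src_ip, "deny", "time")
        # (5) abnormal-event rule: repeated failures lock the account for a while
        if self.locked_until.get(account, now) > now:
            return self._record(now, account, src_ip, "deny", "locked")
        if not password_ok:
            q = self.failures.setdefault(account, deque())
            q.append(now)
            while q and now - q[0] > self.window:   # forget failures outside the window
                q.popleft()
            if len(q) >= self.max_failures:
                self.locked_until[account] = now + self.lock_time
                q.clear()
                return self._record(now, account, src_ip, "deny", "lock_triggered")
            return self._record(now, account, src_ip, "deny", "bad_password")
        # (6) service-count rule: protect the service when it is near capacity
        if len(self.sessions) >= self.capacity:
            return self._record(now, account, src_ip, "deny", "capacity")
        self.sessions.add((account, src_ip))
        self.failures.pop(account, None)
        return self._record(now, account, src_ip, "allow", "ok")

    def logout(self, account, src_ip):
        self.sessions.discard((account, src_ip))


def sample_gate():
    """Constructed configuration: office networks, 08:00-20:00, 3 failures in 5 min
    lock for 15 min, at most 2 concurrent sessions."""
    return AccessGate(["10.0.0.0/8", "192.168.1.0/24"], (8, 20), 3,
                      timedelta(minutes=5), timedelta(minutes=15), 2)
```

Every decision is written to `audit`, which is the audit-library role from the reference monitor model: a denied request is as important to record as an allowed one.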


5. Access control process and security management

5.1 Process

The purpose of access control is to protect system assets by preventing illegal users from entering the system and legitimate users from misusing system resources. Managing access control generally takes five steps:

  • Step 1: Identify the assets to be managed by access control (such as browsers, web servers, etc.)
  • Step 2: Analyse the security requirements of the managed assets (confidentiality, integrity, availability, etc.)
  • Step 3: Formulate the access control policy, determine the access control rules and assign user rights
  • Step 4: Implement the access control policy, set up the user access notification and identity authentication system, and authorize users to access assets according to user type
  • Step 5: Operate and maintain the access control system, adjusting the access control policy in time

5.2 Security Management

  • Least privilege management. Privileges are rights that exceed the system's ordinary access control. Such privileges help with system maintenance and configuration but are bad for system security. The principle of least privilege says that every subject in the system should hold only the set of permissions needed to complete its task. The purpose of least privilege management is that the system should not give a privilege holder any authority beyond what the task requires, which prevents abuse of privilege. Privileges are therefore assigned on a "need to use" basis, which keeps the system from assigning users excessive privileges and limits the harm a privilege can do.
  • User access management: user management is one of the important parts of network security management and mainly covers user registration, assignment of user rights, access records, monitoring of rights, withdrawal of rights and removal of users.


  • Password security management. Passwords are the basis on which most networks today implement identity authentication for access control, so password management is particularly important and generally follows a set of principles (given as a figure in the original notes, not reproduced here).


6. Main products and technical indicators of access control

6.1 Main Products

  • 4A system: 4A stands for Authentication, Authorization, Account and Audit. Also called a unified security management platform, it provides account, authentication, authorization and audit services centrally. Its technical characteristic is that it integrates access control mechanisms and functions and offers a variety of access control services; such platforms commonly use role-based access control to simplify account authorization management.
  • Security gateway: uses packet information and a signature database of network threats to control access to network communication connections and services (for example, firewalls and unified threat management (UTM) devices).
  • System security enhancement: uses mandatory access control to harden operating systems and database systems and to prevent abuse of privilege (for example, SELinux for Linux and hardening of Windows).

6.2 Main technical indicators

(1) The rule types the product supports: generally, more rule types allow finer-grained security control and more flexible authorization management.

(2) The maximum number of access control rules the product supports: a large number of rules indicates strong control capability.

(3) The speed at which the product checks its access control rules: the main performance indicator; faster checking means better performance.

(4) The product's own security and quality assurance level: the measures taken to protect the product itself, its ability to withstand network attacks, and the national information security product grade it has achieved.


7. Application of access control technology

7.1 Types of Application Scenarios

Multiple-choice questions have been set on this section.

(1) Physical access control : Security measures mainly set up for physical environments or equipment, generally including access control, guards, personal certificates, door locks, and division of physical security areas.

(2) Network access control : access security measures mainly aimed at network resources, generally including network access control, network communication connection control, network area division, network routing control, network node authentication

(3) Operating system access control: access security measures for computer system resources, such as file reading and writing and process operations.

(4) Database/data access control: access security measures for database systems and data, such as database table creation, data generation and distribution.

(5) Application system access control: access security measures for application system resources, such as business operations and reading of business system files.


7.2 UNIX/Linux system access control application

This may appear as an afternoon case-analysis question.

In UNIX and Linux systems each file carries a "9-bit mode" that records its access control information. In three groups of three bits it states the access rights (read, write, execute) of the file's owner, of users in the owner's group, and of all other users; the mode is usually written in octal (for example 750) or symbolically (rwxr-x---).
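The 9-bit mode decoded and applied, as an added example (Python, not from the original notes, which illustrate this with a figure, and not kernel code). The point worth seeing is the class-selection order: the kernel tries owner, then group, then other, and the first class the caller falls into decides, so an owner can be denied something "other" is granted; uid 0 bypasses the read and write bits and only needs some execute bit for execute, which is Linux DAC behaviour. The uids, gids and modes are constructed.

```python
# Added example (not part of the original notes): decode the 9-bit mode and
# apply it. The owner, group and other classes are tried in that order and
# the first class the caller belongs to decides. uid 0 bypasses r/w checks
# and needs any one execute bit for x (Linux DAC behaviour). All uids, gids
# and modes below are constructed.

import stat

BITS = {
    "owner": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "group": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "other": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}


def parse_symbolic(text):
    """'rwxr-x---' (as shown by ls -l) -> 0o750."""
    if len(text) != 9:
        raise ValueError("expected 9 characters")
    mode = 0
    chunks = (text[0:3], text[3:6], text[6:9])
    for cls, chunk in zip(("owner", "group", "other"), chunks):
        for ch, want in zip(chunk, "rwx"):
            if ch == want:
                mode |= BITS[cls][want]
            elif ch != "-":
                raise ValueError(f"unexpected {ch!r} in {text!r}")
    return mode


def to_symbolic(mode):
    """0o750 -> 'rwxr-x---'."""
    out = ""
    for cls in ("owner", "group", "other"):
        out += "".join(p if mode & BITS[cls][p] else "-" for p in "rwx")
    return out


def check_access(mode, file_uid, file_gid, uid, gids, want):
    """Decide whether a caller (uid, gids) may perform want ('r', 'w' or 'x') on the file."""
    if uid == 0:
        if want == "x":
            return bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        return True
    if uid == file_uid:
        cls = "owner"          # owner class applies even if it grants less than group/other
    elif file_gid in gids:
        cls = "group"
    else:
        cls = "other"
    return bool(mode & BITS[cls][want])


if __name__ == "__main__":
    mode = parse_symbolic("rwxr-x---")
    print(oct(mode), to_symbolic(mode))
    print("owner write:", check_access(mode, 1000, 100, 1000, {100}, "w"))
    print("group write:", check_access(mode, 1000, 100, 1001, {100}, "w"))
    print("other read: ", check_access(mode, 1000, 100, 1002, {200}, "r"))
```

Mode 007 is the classic trap: the owner gets nothing while everyone else can read, which a check that simply ORs the three classes together would get wrong.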



7.3 windows access control reference

When a Windows user logs on, the Winlogon process creates an access token for the user. The token carries the user's security identifier (SID) and the SIDs of the groups the user belongs to, and serves as the user's identity. Securable objects such as files carry a discretionary access control list (DACL), which states who may access the object, and a system access control list (SACL), which states which subjects' access attempts are to be logged.

  • The DACL sets the access of users and groups to the securable object
  • The SACL configures access auditing of the securable object (generating log entries)
  • Each ACL consists of a number of access control entries (ACEs)
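A simplified model of how the DACL and SACL above are evaluated, as an added example (Python, not Windows code and not from the original notes). ACEs are walked in list order: an access-denied ACE for a SID in the token that covers any still-wanted right denies the request, access-allowed ACEs accumulate rights, and evaluation stops as soon as everything requested has been granted. That is why canonical ACE order (explicit deny before explicit allow) matters, and why an empty DACL and a missing (NULL) DACL mean opposite things. The SIDs, access masks and ACLs are constructed; the real group SIDs and mask values differ.

```python
# Added example (not part of the original notes, not Windows code): a
# simplified AccessCheck over a DACL plus the SACL audit decision. ACEs are
# evaluated in order; a matching deny covering any still-wanted right ends
# the check, matching allows accumulate rights, and the check stops once
# everything requested is granted. SIDs, masks and ACLs are constructed.

FILE_READ = 0x1
FILE_WRITE = 0x2
FILE_EXECUTE = 0x20
DELETE = 0x10000
ALL = FILE_READ | FILE_WRITE | FILE_EXECUTE | DELETE

# Constructed group SIDs; strings stand in for the real S-1-5-... values.
ADMINS, USERS, GUESTS = "S-Admins", "S-Users", "S-Guests"


def ace(kind, sid, mask, on_success=False, on_failure=False):
    """kind is 'allow' or 'deny' in a DACL, 'audit' in a SACL."""
    return {"kind": kind, "sid": sid, "mask": mask,
            "on_success": on_success, "on_failure": on_failure}


def access_check(token_sids, dacl, desired):
    """True if the token is granted every bit in desired."""
    if dacl is None:          # NULL DACL: no protection at all, everyone gets everything
        return True
    remaining = desired       # empty DACL: nothing is ever granted, so access is denied
    for entry in dacl:
        if entry["sid"] not in token_sids:
            continue
        if entry["kind"] == "deny" and entry["mask"] & remaining:
            return False
        if entry["kind"] == "allow":
            remaining &= ~entry["mask"]
            if remaining == 0:
                return True
    return remaining == 0


def audit_events(token_sids, sacl, desired, granted):
    """SIDs whose SACL entries call for a log record given this access outcome."""
    hits = []
    for entry in sacl:
        if entry["sid"] in token_sids and entry["mask"] & desired:
            if (granted and entry["on_success"]) or (not granted and entry["on_failure"]):
                hits.append(entry["sid"])
    return hits


# Canonical order: explicit deny first, then explicit allow.
CANONICAL_DACL = [
    ace("deny", GUESTS, FILE_WRITE | DELETE),
    ace("allow", USERS, FILE_READ | FILE_EXECUTE),
    ace("allow", ADMINS, ALL),
]
# Same intent, wrong order: the allow is reached before the deny.
NONCANONICAL_DACL = [
    ace("allow", USERS, FILE_READ | FILE_WRITE),
    ace("deny", GUESTS, FILE_WRITE | DELETE),
]
# Audit every write or delete attempt by Users, whether it succeeds or fails.
SACL = [ace("audit", USERS, FILE_WRITE | DELETE, on_success=True, on_failure=True)]
```

A token that is in both Users and Guests is refused a write under the canonical list but granted it under the non-canonical one, with nothing else changed; tools that edit ACLs re-sort entries into canonical order for exactly this reason.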



7.4 Other access control application reference

  • The IIS FTP server itself provides three access restriction technical means, namely: user account authentication, anonymous access control and IP address restriction

  • Network access control means restricting operations on network resources (routers, network communications, network services and so on) by technical means so that users can reach only the resources they are meant to.

    • Network communication connection control is usually implemented with firewalls, routers and gateways. These devices sit at the junction of two different networks so that all traffic passes through the connection controller; communication proceeds only when the traffic satisfies the access control rules.
    • Network area division splits the network, according to its functions and business purposes, into several smaller subnets (segments) or into an external and an internal network, which avoids unnecessary information exchange between them.


  • Web service access control can be built from several links in the chain: network communication, user identity authentication, the operating system and the database, each implemented with its own technology. At the network communication level it can be done with routers or firewalls, or with the web server's own access control.


Origin blog.csdn.net/qq_43632414/article/details/126715297