Information security: Principles and applications of access control technology.

Access control is the basic security mechanism of network information systems. It refers to the methods and operating mechanisms for authorizing and controlling visitors' access to resource objects. The visitor, also called the subject, can be a user, process, application, etc.; the resource object, also called the object, is the thing being accessed, such as a file, application service or data; authorization means the access methods the visitor may perform on the resource object, such as reading, writing, deleting or appending to files, or receiving and sending email; control means monitoring and restricting how visitors use resources and deciding whether to allow a user to access a resource object, for example by denying access, granting authorization or prohibiting an operation.


Table of contents:

Access control overview:

(1) Access control objectives:

Access control model:

(1) Component elements of the access control reference model:

(2) Access control type development:

(3) Discretionary access control (DAC), including ACLs:

(4) Mandatory Access Control (MAC):

(5) Role-based access control (RBAC):

(6) Attribute-based access control (ABAC):

Access control policy design and implementation:

(1) Access control policy:

(2) Access control rules:

Access control process and security management:

(1) Access control process:

(2) Least privilege management:

(3) User access management:

(4) Password security management:

Main products and technical indicators of access control:

(1) Main access control products:

Main technical indicators of access control:

Access control technology applications:

(1) Access control technology application scenario types:


Access control overview:

(1) Access control objectives:

◆ Access control has two goals: one is to prevent illegal users from entering the system, and the other is to prevent legitimate users from misusing system resources, that is, to prohibit unauthorized access by legitimate users.

◆ To achieve the goals of access control: first, effectively authenticate network users, then grant different access rights to different users, thereby protecting system resources. At the same time, system security auditing and monitoring can detect users' attempts to attack the system.


Access control model:

(1) Component elements of the access control reference model:

◆ The access control mechanism consists of a set of security mechanisms, which can be abstracted into a simple model. The main components are: subject, reference monitor, object, access control database, and audit database.

▶ Subject: The subject is the operator of the object. An entity is usually a person, process, or device, typically a process that performs operations on behalf of a user. For example, when editing a file, the editing process is the subject accessing the file, and the file is the object.

▶ Object: The object is what the subject operates on. Generally speaking, access to an object implies access to its information.

▶ Reference monitor: The reference monitor is the collection of decision-making and execution units for access control. It controls every operation from a subject to an object, supervises authorized access between subjects and objects, and stores important security events in audit files.

▶ Access control database: records the subjects' access rights to objects and their access methods, and provides the basis for access control decisions. It is also called the access control policy library. The database changes dynamically as subjects and objects are created and deleted and as permissions are modified.

▶ Audit library: stores operation information about subjects accessing objects, including access success, access failure, and access operation information.

(2) Access control type development:

◆ Discretionary access control model, mandatory access control model, role-based access control model:
Discretionary, mandatory and role-based access control models are commonly used for resource access in operating systems and database systems;

◆ Usage-based access control model:
The usage-based access control model is used for privacy protection, sensitive information security restrictions, and intellectual property protection;

◆ Access control model based on geographical location:
The access control model based on geographic location can be used for authorization control of mobile Internet applications, such as geographic location authorization in taxi services;

◆ Attribute-based access control model:
Attribute-based access control is an emerging access control method, which mainly provides access control for distributed network environments and Web services;

◆ Behavior-based access control model:
The behavior-based access control model provides security risk control based on the subject's activity behavior, such as security management of online behavior and electronic payment operation control;

◆ Temporal-based access control model:
The temporal-based access control model uses time as an access constraint to achieve finer-grained access control, such as the time-limited use of mobile network traffic packages.

(3) Discretionary access control (DAC), including ACLs:

◆ Discretionary access control: means that the owner of an object grants other users in the system access rights to it according to its own security policy.

Row-based discretionary access control: attaches to each subject a detailed list of the objects that the subject can access. According to the information in the list, it can be divided into three forms: capability tables, prefix tables, and passwords.

(1) Capability table: A capability is the key to accessing an object. It determines whether the user can access the object and in what access mode (read, write, execute). A subject holding a given capability can access the object in the corresponding mode.

(2) Prefix table: The prefix table includes the protected object's name and the subject's access rights to it. When a subject wants to access an object, the discretionary access control mechanism checks whether the subject's prefix contains the access it requests.

(3) Password: In the password-based discretionary access control mechanism, each object has a corresponding password. Before a subject can access the object, it must provide the object's password to the system; if the password is correct, it can access the object.

Column-based discretionary access control: attaches to each object a list of the subjects that can access it. It has two forms: protection bits and access control lists (ACLs).

(1) Protection bits: This method specifies a set of access modes for all subjects, subject groups, and the object owner, usually using bits to represent access permissions. UNIX/Linux systems use this access control method.

(2) Access control list (ACL): attaches a subject list to each object, giving a column-wise representation of the access control matrix. Each entry in the list includes the subject's identity and the subject's access rights to the object.
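Added example (not code from the original article): one constructed access control matrix viewed row-wise as capability lists and column-wise as ACLs, a discretionary grant that only the object's owner may make, and a UNIX-style protection-bit check. The subject, object and group names, the rights in the matrix and the 0o640 mode are made up for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed access control matrix (subjects, objects and rights are made up):
# rows are subjects, columns are objects, each cell is the set of permitted access modes.
MATRIX = {
    "alice": {"report.txt": {"read", "write"}, "payroll.db": {"read"}},
    "bob":   {"report.txt": {"read"}},
    "carol": {"payroll.db": {"read", "write", "execute"}},
}
# Discretionary control: the owner of an object decides who else may access it.
OWNERS = {"report.txt": "alice", "payroll.db": "carol"}


def capability_lists(matrix):
    """Row-based view: each subject carries the list of objects (and modes) it may access."""
    return {subject: {obj: set(modes) for obj, modes in objs.items()}
            for subject, objs in matrix.items()}


def access_control_lists(matrix):
    """Column-based view: each object carries the list of subjects (and modes) allowed on it."""
    acls = defaultdict(dict)
    for subject, objs in matrix.items():
        for obj, modes in objs.items():
            acls[obj][subject] = set(modes)
    return dict(acls)


def check_by_capability(caps, subject, obj, mode):
    """The subject presents its capability; the mode must be listed for that object."""
    return mode in caps.get(subject, {}).get(obj, set())


def check_by_acl(acls, subject, obj, mode):
    """The object's ACL is consulted for an entry naming the subject with that mode."""
    return mode in acls.get(obj, {}).get(subject, set())


def grant(matrix, grantor, obj, grantee, mode):
    """Discretionary grant: only the object's owner may extend a right to another subject."""
    if OWNERS.get(obj) != grantor:
        raise PermissionError(f"{grantor} does not own {obj}")
    matrix.setdefault(grantee, {}).setdefault(obj, set()).add(mode)


# Protection bits, UNIX style: one rwx triplet each for owner, group and others.
@dataclass
class ProtectedObject:
    owner: str
    group: str
    mode: int  # e.g. 0o640 = owner rw-, group r--, others ---


BITS = {"read": 4, "write": 2, "execute": 1}


def check_by_protection_bits(obj, subject, groups, mode):
    """Pick the triplet that applies to the subject (owner, group member, or other) and test its bit.
    `groups` maps each subject to the set of groups it belongs to (constructed sample data)."""
    if subject == obj.owner:
        shift = 6
    elif obj.group in groups.get(subject, set()):
        shift = 3
    else:
        shift = 0
    return bool(((obj.mode >> shift) & 0o7) & BITS[mode])


if __name__ == "__main__":
    caps, acls = capability_lists(MATRIX), access_control_lists(MATRIX)
    print(check_by_capability(caps, "alice", "report.txt", "write"))  # True
    print(check_by_acl(acls, "bob", "report.txt", "write"))            # False
    f = ProtectedObject(owner="alice", group="finance", mode=0o640)
    print(check_by_protection_bits(f, "bob", {"bob": {"finance"}}, "read"))  # True
```

Both views answer the same question from the same matrix; the difference is which side stores the entry, which is why capability lists make "what can this subject reach?" cheap and ACLs make "who can reach this object?" cheap.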

(4) Mandatory Access Control (MAC):

◆ Mandatory Access Control (MAC): means that the system controls the subject's access to the object in a mandatory manner according to the security attributes of the subject and the object.

◆ Under the mandatory access control mechanism, each process, each file and every other object in a secure operating system is given a corresponding security level and category. When a process accesses a file, the system invokes the mandatory access control mechanism: if and only if the security level of the process is not lower than the security level of the object, and the category scope of the process contains the category scope of the file, can the process access the object; otherwise access is denied.

◆ Compared with discretionary access control, mandatory access control is stricter. Although discretionary access control lets users prevent other users from illegally intruding on their resources, it is not effective against users' own accidents or misoperations; therefore discretionary access control cannot meet high security level requirements. In fields such as government departments, the military and finance, mandatory access control mechanisms are often used to divide the resources in the system into security levels and categories and then manage them accordingly.
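Added example, not from the original article: the level-and-category comparison described above, implemented as a dominance check between labels. The level names and categories are constructed; the write rule (`mac_write_allowed`) is the Bell-LaPadula *-property, included here as the usual companion of the read rule and not stated on the page.

```python
from dataclasses import dataclass

# Linearly ordered security levels (constructed names; only the ordering matters).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


@dataclass(frozen=True)
class Label:
    """Security attribute attached to every subject (process) and object (file):
    a level plus a set of categories."""
    level: str
    categories: frozenset


def dominates(a, b):
    """a dominates b when a's level is not lower than b's and a's categories contain all of b's."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.categories >= b.categories


def mac_read_allowed(process, obj):
    """The rule given in the text: a process may access an object only if its level is not
    less than the object's and its category scope contains the object's."""
    return dominates(process, obj)


def mac_write_allowed(process, obj):
    """Companion *-property from Bell-LaPadula (an assumption added for the example, not stated
    on the page): a process may write only to objects that dominate it, so information never
    flows from a higher label down to a lower one."""
    return dominates(obj, process)


def decide(process, obj, operation):
    """Mandatory decision: the user cannot override it; the system compares labels and answers."""
    checks = {"read": mac_read_allowed, "write": mac_write_allowed}
    return "permit" if checks[operation](process, obj) else "deny"


if __name__ == "__main__":
    editor = Label("secret", frozenset({"finance", "hr"}))
    budget = Label("confidential", frozenset({"finance"}))
    legal = Label("confidential", frozenset({"legal"}))
    print(decide(editor, budget, "read"))   # permit: level and categories both dominate
    print(decide(editor, legal, "read"))    # deny: category 'legal' is outside the process's scope
    print(decide(editor, budget, "write"))  # deny: writing down would leak secret data
```

The category check is what makes this finer than a pure level hierarchy: a secret-level process still cannot read a confidential file in a category it was never given.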


(5) Role-based access control (RBAC):

◆ Role-based access control (RBAC) refers to authorization and management based on the access rights required to complete certain responsibilities and tasks. RBAC consists of four basic elements: user (U), role (R), session (S) and permission (P).

◆ In a system, there can be multiple users and multiple roles, and the relationship between users and roles is many-to-many. A permission is the ability of a subject to operate on an object, such as reading, writing, modifying, and executing. Through authorization, a role can have multiple permissions, and one permission can also be granted to multiple roles. At the same time, a user can play multiple roles, and a role can be assumed by multiple users.

◆ In a system that uses RBAC for authorization and access control, the system administrator manages the system's role set and access permission set and assigns these permissions to the corresponding roles. Roles are then mapped to users with different job responsibilities. RBAC is powerful and flexible and suits many types of user needs.
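Added example, not the article's code: a minimal RBAC core with the four elements U, R, S and P, many-to-many user-role and role-permission relations, and sessions that activate only some of a user's roles. The users, roles and permissions are constructed for the example.

```python
from collections import defaultdict


class RBAC:
    """Minimal RBAC core with the four elements from the text: users (U), roles (R),
    sessions (S) and permissions (P). Constructed example, not a library API."""

    def __init__(self):
        self.user_roles = defaultdict(set)   # U -> R  (many-to-many: a user may hold several roles)
        self.role_perms = defaultdict(set)   # R -> P  (many-to-many: a permission may sit in several roles)
        self.sessions = {}                   # session id -> (user, set of activated roles)

    # --- administrator side: manage the role set and the permission set ---
    def grant_permission(self, role, obj, operation):
        """A permission is the ability to perform an operation on an object."""
        self.role_perms[role].add((obj, operation))

    def assign_role(self, user, role):
        self.user_roles[user].add(role)

    def revoke_role(self, user, role):
        self.user_roles[user].discard(role)
        # Drop the role from any live session so revocation takes effect immediately.
        for _, (u, active) in self.sessions.items():
            if u == user:
                active.discard(role)

    # --- user side: a session activates some of the user's roles ---
    def open_session(self, sid, user, roles=None):
        """Activate only the roles needed for the task (least privilege); default is all assigned roles."""
        wanted = set(roles) if roles is not None else set(self.user_roles[user])
        if not wanted <= self.user_roles[user]:
            raise PermissionError(f"{user} is not assigned {wanted - self.user_roles[user]}")
        self.sessions[sid] = (user, wanted)

    def check(self, sid, obj, operation):
        """Access is permitted when any role activated in the session carries the permission."""
        _, active = self.sessions[sid]
        return any((obj, operation) in self.role_perms[r] for r in active)

    def users_with_role(self, role):
        """A role may be assumed by many users."""
        return {u for u, roles in self.user_roles.items() if role in roles}


if __name__ == "__main__":
    r = RBAC()
    r.grant_permission("auditor", "ledger", "read")
    r.grant_permission("accountant", "ledger", "write")
    r.assign_role("alice", "auditor")
    r.assign_role("alice", "accountant")
    r.open_session("s1", "alice", roles={"auditor"})   # reviewing only: no write needed
    print(r.check("s1", "ledger", "read"), r.check("s1", "ledger", "write"))  # True False
```

Sessions are the practical hook for least privilege: a user who holds several roles activates only the ones the current task needs, and revoking a role is a single administrative change rather than a per-user permission edit.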

(6) Attribute-based access control (ABAC):

◆ Attribute-based access control, abbreviated ABAC, authorizes or denies the subject's requested operations based on the attributes of the subject, the attributes of the object, the conditions of the environment, and the access policy.
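Added example, not from the article: a small ABAC evaluator in which each rule is a condition over subject attributes, object attributes and environment conditions, combined deny-overrides with default deny. The attribute names (`department`, `clearance`, `trusted_network`, `change_freeze`) and the rules themselves are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Request:
    """One access request: who (subject attributes), what (object attributes),
    under which conditions (environment attributes), and which action."""
    subject: dict
    obj: dict
    environment: dict
    action: str


# Constructed policy: each rule is (name, condition over the request, effect).
# Attribute names and the clearance ranking are assumptions for the example.
CLEARANCE_RANK = {"public": 0, "internal": 1, "restricted": 2}

POLICY = [
    ("owner_any_action",
     lambda r: r.subject["id"] == r.obj["owner"], "permit"),
    ("same_department_read",
     lambda r: r.action == "read" and r.subject["department"] == r.obj["department"], "permit"),
    ("clearance_covers_classification",
     lambda r: r.action == "read"
     and CLEARANCE_RANK[r.subject["clearance"]] >= CLEARANCE_RANK[r.obj["classification"]], "permit"),
    ("restricted_needs_trusted_network",
     lambda r: r.obj["classification"] == "restricted" and not r.environment["trusted_network"], "deny"),
    ("no_changes_during_freeze",
     lambda r: r.action in {"write", "delete"} and r.environment["change_freeze"], "deny"),
]


def evaluate(policy, request):
    """Deny-overrides combining: any matching deny wins, otherwise a matching permit,
    otherwise default deny. Returns the decision plus the rules that fired, for the audit record."""
    fired = [(name, effect) for name, cond, effect in policy if cond(request)]
    effects = {effect for _, effect in fired}
    if "deny" in effects:
        decision = "deny"
    elif "permit" in effects:
        decision = "permit"
    else:
        decision = "deny"   # no applicable rule: default deny
    return decision, [name for name, _ in fired]


if __name__ == "__main__":
    doc = {"owner": "carol", "department": "finance", "classification": "restricted"}
    alice = {"id": "alice", "department": "finance", "clearance": "internal"}
    office = {"trusted_network": True, "change_freeze": False}
    hotel_wifi = {"trusted_network": False, "change_freeze": False}
    print(evaluate(POLICY, Request(alice, doc, office, "read")))      # ('permit', ['same_department_read'])
    print(evaluate(POLICY, Request(alice, doc, hotel_wifi, "read")))  # denied by the environment rule
```

Returning the names of the rules that fired alongside the decision is what makes an ABAC denial explainable in the audit library: the record shows which attribute condition blocked the request, not just that it was blocked.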


Access control policy design and implementation:

(1) Access control policy:

◆ An access control policy consists of the objects to be controlled, access control rules, user rights, or other access security requirements. In a network system there are many access control policies, including the computer room access control policy, dial-up server access control policy, router access control policy, switch access control policy, firewall access control policy, host access control policy, database access control policy, client access control policy, network service access control policy, etc.

(2) Access control rules:

◆ Access control rules are sets of access constraints and are the concrete implementation and manifestation of access control policies. Currently, common access control rules include those based on user identity, time, address, service quantity, etc. The main access control rules are introduced below.

▶ Access control rules based on user identity: Users are usually represented by account names and passwords. When both the account name and the password entered by the user are correct, the system allows the user to access.

▶ Role-based access control rules: controlled according to the permissions required by users to complete a certain task.

▶ Address-based access control rules: use the physical location or logical address space of the visitor to restrict access operations.

▶ Time-based access control rules: for example, access to servers is not allowed during off-hours.

▶ Access control rules based on abnormal events: for example, when a user fails to log in three times, the system freezes the account for a period of time.

▶ Access control rules based on the number of services: for example, in order to prevent denial-of-service attacks, when the service capacity approaches a certain threshold the website temporarily denies new network access requests to keep the system running normally.
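Added example (not the article's code) combining the rule types listed above into one decision function: identity (account name plus salted password hash), address (allowed networks), time (working hours), abnormal events (three failed logins freeze the account) and service quantity (a capacity threshold). The thresholds, network ranges and the 15-minute lockout are assumptions; the `ts` helper only parses ISO timestamps so the demonstration runs with fixed times.

```python
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime, timedelta


def ts(iso):
    """Parse an ISO-8601 timestamp; used only to feed fixed times into the demonstration."""
    return datetime.fromisoformat(iso)


class AccessRules:
    """Constructed rule set combining the rule types named in the text: identity, address,
    time, abnormal-event lockout and service-quantity threshold. Parameters are assumptions."""

    def __init__(self, allowed_nets, work_hours=(9, 18), max_failures=3, lock_minutes=15, capacity=100):
        self.users = {}                 # account -> (salt, pbkdf2 hash); never the plaintext password
        self.failures = {}              # account -> [consecutive failures, locked_until or None]
        self.nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.work_hours = work_hours
        self.max_failures = max_failures
        self.lock = timedelta(minutes=lock_minutes)
        self.capacity = capacity        # service-quantity threshold
        self.active = 0                 # sessions currently being served

    # --- user identity rule: account name and password must both match ---
    def register(self, account, password):
        salt = os.urandom(16)
        self.users[account] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def identity_ok(self, account, password):
        if account not in self.users:
            return False
        salt, stored = self.users[account]
        probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return hmac.compare_digest(probe, stored)

    # --- address rule: only addresses inside the allowed networks ---
    def address_ok(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.nets)

    # --- time rule: no access outside working hours ---
    def time_ok(self, now):
        start, end = self.work_hours
        return start <= now.hour < end

    # --- abnormal-event rule: freeze the account after repeated failed logins ---
    def locked(self, account, now):
        _, until = self.failures.get(account, [0, None])
        return until is not None and now < until

    def note_failure(self, account, now):
        entry = self.failures.setdefault(account, [0, None])
        entry[0] += 1
        if entry[0] >= self.max_failures:
            entry[0] = 0
            entry[1] = now + self.lock

    # --- service-quantity rule: refuse new requests once capacity is reached ---
    def capacity_ok(self):
        return self.active < self.capacity

    def decide(self, account, password, ip, now):
        """Evaluate the rules in order and return (allowed, reason) for the audit trail."""
        if self.locked(account, now):
            return False, "locked"
        if not self.address_ok(ip):
            return False, "address"
        if not self.time_ok(now):
            return False, "time"
        if not self.capacity_ok():
            return False, "capacity"
        if not self.identity_ok(account, password):
            self.note_failure(account, now)
            return False, "identity"
        self.failures.pop(account, None)   # successful login resets the failure counter
        self.active += 1
        return True, "ok"

    def release(self):
        """Call when a served session ends so the capacity counter goes back down."""
        self.active = max(0, self.active - 1)


if __name__ == "__main__":
    rules = AccessRules(["10.0.0.0/8"], capacity=2)
    rules.register("alice", "correct horse battery")
    print(rules.decide("alice", "correct horse battery", "10.1.2.3", ts("2024-01-15T10:00")))  # (True, 'ok')
    print(rules.decide("alice", "correct horse battery", "10.1.2.3", ts("2024-01-15T22:00")))  # (False, 'time')
```

The order of the checks matters for what an attacker can learn: the lockout, address and time rules are evaluated before the password is compared, so a frozen account or an out-of-range address is refused without revealing whether the password was right, and every refusal carries a reason for the audit library.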

Access control process and security management:

(1) Access control process:

◆ The purpose of access control is to protect system assets, preventing illegal users from entering the system and legitimate users from misusing system resources. Implementing access control management generally requires five steps:

The first step is to identify the assets managed by access control, such as network routers, Web services, etc.;

The second step is to analyze the security requirements of the managed assets, such as confidentiality, integrity and availability requirements;

The third step is to formulate access control policies and determine access control rules and user permission assignments;

The fourth step is to implement the access control policies, establish a user identity authentication system, and authorize users to access assets according to user type;

The fifth step is to operate and maintain the access control system and adjust the access policy in time.

(2) Least privilege management:

◆ Privilege: the authority a user holds beyond what ordinary system access control grants.

◆ Least privilege: each subject in the system holds only the set of permissions necessary to complete its task.

◆ The purpose of least privilege management: the system should not give the privilege holder authority beyond what is needed to complete the task, so as to prevent the abuse of privileges.

◆ The principle of privilege allocation: "use on demand".


(3) User access management:

◆ User management is one of the important parts of network security management. Its main tasks include: user registration, user permission allocation, access records, permission monitoring, permission cancellation, and user withdrawal.


(4) Password security management:

◆ Passwords are the main basis on which most current networks implement access control and identity authentication. Password management is therefore particularly important and generally adheres to the following principles:

▶ A password should be at least 8 characters and should combine uppercase and lowercase letters, numbers, and special characters;

▶ Do not use the same password as the account name;

▶ Replace the system default password and avoid using default passwords;

▶ Limit the number of account login attempts; 3 is recommended;

▶ Sharing of account names and passwords is forbidden;

▶ The password file should be stored encrypted and be readable only by the superuser;

▶ Transmitting passwords over the network in plain text is forbidden;

▶ Passwords should have a time limit to ensure frequent changes, and password reuse should be prohibited;

▶ Run a password cracking tool against all accounts to check whether any accounts have weak passwords or no password.
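Added example, not from the article: a checker for the password principles above (minimum length, character classes, no account name, no default password, no reuse against a history of salted hashes, time-limited validity) plus a defensive audit of a stored password file against a short list of known-weak values. The default-password list and the 90-day limit are constructed assumptions.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Constructed sample of vendor/default passwords an installation must replace.
DEFAULT_PASSWORDS = {"admin", "password", "123456", "changeme", "root"}

SPECIAL = r"[^A-Za-z0-9]"


def hash_password(password):
    """Salted PBKDF2 so the password file never holds recoverable plaintext."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password, stored):
    salt, digest = stored[:16], stored[16:]
    probe = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(probe, digest)


def password_problems(account, candidate, history, min_len=8):
    """Return the list of policy rules the candidate violates (empty list means acceptable).
    `history` holds previous hashes for this account, so reuse is detected without storing plaintext."""
    problems = []
    if len(candidate) < min_len:
        problems.append("too_short")
    classes = [re.search(p, candidate) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", SPECIAL)]
    if not all(classes):
        problems.append("missing_character_class")
    if account.lower() in candidate.lower():
        problems.append("contains_account_name")
    if candidate.lower() in DEFAULT_PASSWORDS:
        problems.append("default_password")
    if any(verify_password(candidate, h) for h in history):
        problems.append("reused")
    return problems


def password_expired(set_at_iso, now_iso, max_age_days=90):
    """Time-limited passwords: force a change once the age limit has passed (90 days is an assumption).
    Timestamps are ISO-8601 strings, as a user database would typically store them."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(set_at_iso)
    return age > timedelta(days=max_age_days)


def audit_weak_accounts(password_file, wordlist):
    """Defensive audit over the stored (hashed) password file, as the text recommends:
    report accounts whose password is missing or matches a short list of known-weak values."""
    weak = []
    for account, stored in password_file.items():
        if stored is None or any(verify_password(w, stored) for w in wordlist):
            weak.append(account)
    return weak


if __name__ == "__main__":
    print(password_problems("alice", "alice123", []))       # ['missing_character_class', 'contains_account_name']
    print(password_problems("alice", "Tr0ub4dor&3", []))    # []
    stored = {"svc": hash_password("changeme"), "alice": hash_password("Tr0ub4dor&3"), "guest": None}
    print(audit_weak_accounts(stored, DEFAULT_PASSWORDS))   # ['svc', 'guest']
```

Because the history and the password file hold only salted hashes, both the reuse check and the weak-password audit work by re-hashing the candidate values, which is exactly why a slow hash such as PBKDF2 with a high iteration count is the right choice for the stored form.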

Main products and technical indicators of access control:

(1) Main access control products:

◆ The main product types of access control include 4A systems, security gateways, system security enhancements, etc., introduced below:

◆ 4A system: 4A refers to authentication, authorization, account, and audit; the Chinese name is unified security management platform. The platform provides centralized network security services such as account, authentication, authorization, and audit. Such platforms commonly use role-based access control to simplify account authorization management.

◆ Security gateway: The technical feature of security gateway products is to use network packet information and a network security threat signature database to control access to network communication connection services. These are a special kind of network security product, such as firewalls, unified threat management (UTM), and so on.

◆ System security enhancement: The technical characteristic of system security enhancement products is that they usually use mandatory access control technology to enhance the security of operating systems and database systems and prevent privilege abuse.

Main technical indicators of access control:

◆ The access control policy rule types the product supports;

◆ The maximum number of access control rules the product supports;

◆ The product's access control rule checking speed;

◆ The product's security and quality assurance level.

Access control technology applications:

(1) Access control technology application scenario types:

◆ Physical access control: security measures mainly set for the physical environment or equipment, generally including access control systems, guards, personal identification documents, door locks, and physical security zone divisions.

◆ Network access control: access security measures mainly taken for network resources, generally including network access control, network communication connection control, network area division, network routing control, and network node authentication.

◆ Operating system access control: access security measures taken for computer system resources, such as file read and write access control, process access control, memory access control, etc.

◆ Database/data access control: access security measures for database systems and data, such as database table creation, data generation and distribution.

◆ Application system access control: access security measures taken for application system resources, such as business execution operations, business system file reading, etc.

Study books: Information security engineer tutorial... 

Origin blog.csdn.net/weixin_54977781/article/details/132204605