Can you secure a network through access control systems only?
Security is not about relying on a single process to protect assets! A belts AND suspenders approach is the best way to minimize the risk of compromise. Access control lists are only a small part of the equation! They relate to who will have access to a particular resource once they have been authenticated. The key here is that ACLs support users known to the system, NOT unknown users. Network security is a cat and mouse game. No matter how smart you get at protecting your assets, the hacker will always be one step away! As long as computers are accessible from the Internet they will always be at risk. Many vendors will tell you their product does it all! BUT in reality they don’t and they often fail miserably. Those companies that speak in terms of the parts of a security plan understand that a layered approach to computer security increases your chances of successfully defending your resources! SO what are these different layers and how are they applied?
First there are firewalls. Firewalls are designed to block unauthorized access while permitting outward communication (wikipedia.org, 2009). They sit on the perimeter between your network and the Internet. They control which packets are allowed to pass through to internal resources. Firewalls have a default set of attack signatures whereby they can tell when they are under attack based on the type and frequency of the packets they “see”. Additionally, network administrators can program the device to apply complex rule sets that will determine if the traffic is legitimate or not! These rule bases can be set to allow or deny packets based on the port, source IP address, destination of the traffic, time of day, and contents of the packet. Firewalls can also be deployed within a network infrastructure to protect resources with higher protection needs such as medical information or financial records. They can be deployed on hosts within a secured network in keeping with the belts and suspenders approach… protect the network…protect the host!
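As an added illustration (not part of the original article), the Python example below evaluates a rule base on four of the criteria listed above: source address, destination, port and time of day. The Rule class, the decide function and all addresses are constructed for the example, and first-match-wins with a default deny is an assumption about rule ordering, not a description of any particular product.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass
class Rule:
    action: str                                  # "allow" or "deny"
    src: str = "0.0.0.0/0"                       # source network (CIDR)
    dst: str = "0.0.0.0/0"                       # destination network (CIDR)
    port: Optional[int] = None                   # destination port; None = any
    hours: Optional[Tuple[time, time]] = None    # active window; None = always

    def matches(self, src, dst, port, now):
        """True when every criterion set on this rule matches the packet."""
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.port is not None and port != self.port:
            return False
        if self.hours is not None and not (self.hours[0] <= now < self.hours[1]):
            return False
        return True

# Constructed rule base; all addresses come from documentation ranges.
RULES = [
    Rule("deny", src="203.0.113.0/24"),                    # blocked source range
    Rule("allow", dst="192.0.2.10/32", port=443),          # public web server
    Rule("allow", src="198.51.100.0/24", dst="192.0.2.20/32", port=22,
         hours=(time(8, 0), time(18, 0))),                 # admin SSH, office hours
]

def decide(src, dst, port, now, rules=RULES):
    """Return the action of the first matching rule; unmatched traffic is denied."""
    for rule in rules:
        if rule.matches(src, dst, port, now):
            return rule.action
    return "deny"

if __name__ == "__main__":
    # Admin SSH attempt outside office hours falls through to the default deny.
    print(decide("198.51.100.7", "192.0.2.20", 22, time(23, 0)))
```

Because the deny rule for the blocked range comes first, it wins even for traffic to the public web server; moving it below the allow rule would change the outcome.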
Network Access Control discovers and evaluates endpoint compliance status, provisions the appropriate network access, provides remediation capabilities, if needed, and continually monitors endpoints for changes in compliance status (symantec.com, 2008). In other words, any device that connects to your network is checked to make sure that it conforms to your minimum requirements before it will be allowed to use your protected resources. We (as network administrators) can take measures that minimize who can use our network by making sure that unused wall jacks are not connected to the network or by using MAC address filtering to determine who can get an IP address, but this will not stop a determined threat or the casual use of networked PDAs. Network Access Control devices proactively scan your network for new devices, and agents are delivered to the device wanting access. The end-user agrees to allow the agent to “attach” itself to the client, and when access is no longer needed the agent deletes itself from the host machine. Symantec calls this technology dissolvable agents!
Never underestimate the value of keeping your machines fully patched. Software updates can ensure that vulnerabilities are closed and cannot be used as an attack vector! Applying patches just to keep current is not always the best thing to do. Very often new bugs can be introduced into an otherwise stable environment. Understand what services a system is offering and patch the system that is vulnerable. There’s no need to patch the httpd daemon if you’re not running (or have not installed) web services. Change management plans are a big part of this scenario!
Access Control Lists (or ACLs) are a permission-based method for securing resources (very often this relates to objects on a file system or in a database). In an ACL-based security model, when a subject requests to perform an operation on an object, the system first checks the list for an applicable entry in order to decide whether to proceed with the operation (wikipedia.org, 2009). ACLs allow for greater control over the access to files. In the standard POSIX model, there are owner, group and other permissions, each having read, write and execute attributes assigned to them… very restrictive, especially considering that only one user and one group can be assigned to the file/directory. With ACLs, the options are much more varied! You can have multiple owners and multiple groups assigned to a file/directory. In addition, you have the following permissions attributes:

Figure 1. Available ACLs permissions attributes for OSX Server v10.5 (Heese, 2009)
NOTE: You can specify not only ALLOW permissions but also DENY permissions!
One thing to keep in mind when deploying ACLs is that not all file systems support them. Formatting your hard disk, writing data to disk and then discovering an unsupported file system can lead to a lot of wasted time!
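An added example, not from the original article or from OS X itself: a simplified ACL check in Python showing several users and groups on one object and a DENY entry overriding a group ALLOW. The Entry class, the PAYROLL_ACL list and the rule that the first applicable entry decides are assumptions made for illustration; real systems differ in evaluation order and in what happens when no entry applies.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    kind: str         # "user" or "group"
    name: str         # principal the entry applies to
    action: str       # "allow" or "deny"
    perms: frozenset  # permissions covered, e.g. {"read", "write"}

def applies(entry, user, groups):
    """True when the entry names this user or one of the user's groups."""
    if entry.kind == "user":
        return entry.name == user
    return entry.kind == "group" and entry.name in groups

def check(acl, user, groups, perm):
    """Walk the list in order; the first applicable entry covering perm decides."""
    for entry in acl:
        if perm in entry.perms and applies(entry, user, groups):
            return entry.action == "allow"
    return False  # assumption: no applicable entry means the request is refused

def effective(acl, user, groups, perms=("read", "write", "delete")):
    """Set of permissions the subject ends up with on the object."""
    return {p for p in perms if check(acl, user, groups, p)}

# Constructed ACL for a hypothetical payroll directory. Unlike the POSIX
# owner/group/other bits, it names two users and two groups at once.
PAYROLL_ACL = [
    Entry("user", "contractor1", "deny", frozenset({"write", "delete"})),
    Entry("group", "finance", "allow", frozenset({"read", "write"})),
    Entry("group", "auditors", "allow", frozenset({"read"})),
    Entry("user", "alice", "allow", frozenset({"read", "write", "delete"})),
]

if __name__ == "__main__":
    # contractor1 is in finance, but the DENY entry listed first removes write.
    print(effective(PAYROLL_ACL, "contractor1", {"finance"}))
    print(effective(PAYROLL_ACL, "carol", {"auditors"}))
```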
Virus protection is an overlooked aspect of file security. Very often people think in terms of “protecting my computer”. But it is more than that. Viruses can erase files, but Trojans can allow others to gain access to your computer (whether it’s a personal computer or a file server). Critical data such as credit card numbers are often stored in databases, and once a computer has been compromised, it’s only a matter of time before the data housed on that computer is lost. One thing to keep in mind when working on a server is never to browse the Internet (especially with root privileges). Much of the malware spread across the Internet takes advantage of vulnerabilities within certain OSs and browsers. Why take the risk? Yes, it’s a pain in the bottom, but think of all the hassles you’ll have to deal with should your host become compromised. To illustrate the point a little further, it has been recently reported that ATMs are being compromised by some very sophisticated pieces of malware. Now granted, the ATMs themselves are not being compromised, but rather the hardware security modules (or HSMs) that encrypt and decrypt your PIN as it makes its way from the ATM to the bank clearinghouses are. Specially configured malware can be installed on these devices, and it grabs the decrypted PIN numbers out of memory and writes them to a log file that can be retrieved at a later date (Anderson, 2009).
The last item I want to touch on is log files; while not a security mechanism, they are something worth protecting. We often don’t put much thought into log files until there is a problem. Unfortunately, if your log files reside on the same host that’s been compromised, then you should consider that the log files have been altered. Why alter a log file? While many daemons will spit lots of information to syslog, attempts (or more importantly FAILED attempts) to access a host will be recorded there as well. When an attacker is trying to compromise your system, one of the first things he will probably do is completely erase the log files, or erase evidence of his trespass out of those files. Moving your log files off of a host and onto a dedicated syslog server ensures that access can be properly evaluated without the fear that the logs may have been compromised.
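An added example, not part of the original article: with a copy of the logs on a dedicated syslog server, entries erased from a compromised host can be found by comparing the two. The log lines, host names and the missing_from_host function are constructed for illustration and assume the traditional "month day time host message" syslog layout.

```python
from collections import Counter

def missing_from_host(central_lines, local_lines, host):
    """Return central-server lines for host that are absent from its local log."""
    # Counter keeps duplicates honest: two identical lines must appear twice.
    local = Counter(line.strip() for line in local_lines if line.strip())
    missing = []
    for line in central_lines:
        line = line.strip()
        fields = line.split(None, 4)  # month, day, time, host, message
        if len(fields) < 5 or fields[3] != host:
            continue                  # malformed line or another host
        if local[line] > 0:
            local[line] -= 1          # accounted for on the host
        else:
            missing.append(line)      # the server saw it, the host no longer has it
    return missing

# Constructed copy held by the dedicated syslog server.
CENTRAL = """\
May 11 03:14:02 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51120 ssh2
May 11 03:14:07 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 51122 ssh2
May 11 03:14:15 web01 sshd[2230]: Accepted password for root from 203.0.113.9 port 51130 ssh2
May 11 03:20:41 web01 cron[2301]: (root) CMD (run-parts /etc/cron.hourly)
May 11 03:21:00 db01 sshd[812]: Accepted publickey for backup from 198.51.100.4 port 40022 ssh2
""".splitlines()

# Constructed local log on web01 after the sshd entries were erased.
LOCAL_WEB01 = """\
May 11 03:20:41 web01 cron[2301]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    for entry in missing_from_host(CENTRAL, LOCAL_WEB01, "web01"):
        print("missing on host:", entry)
```

Compare the same time window on both sides, since normal log rotation on the host also removes old lines.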
Ultimately, security is NOT about set and forget. You must take an active role! It is not about one size fits all! No single solution will prevent your host from compromise! If your machine is out on the Internet long enough, it will get compromised. That’s not to say that the bad guys are looking for you. Remember we are dealing with computers. The bad guys let the computer work for them. Throwing as many obstacles as you can in the path of the cracker will discourage all but the most determined of individuals.
Resources:
Anderson, N., (2009, April 15), PIN-grabbing malware compromises bank networks, Retrieved on May 11th, 2009 from http://arstechnica.com/tech-policy/news/2009/04/pin-grabbing-malware-compromises-bank-networks.ars
Heese, B., (2009, May 11), Available ACLs permissions attributes for OSX Server v10.5
Unknown, (2008, December), Symantec™ Network Access Control, Retrieved on May 4th, 2009 from http://eval.symantec.com/mktginfo/enterprise/fact_sheets/b-datasheet_network_access_control_12-2008_12836809-3.en-us.pdf
Unknown, (2009), Main: Syslog Security Tip, Retrieved on May 11th, 2009 from http://www.syslog.org/wiki/Main/SyslogSecurityTip
Various, (2009, April 24), Access control list, Retrieved on May 6th, 2009 from http://en.wikipedia.org/wiki/Access_control_list
Various, (2009, May 4), Firewall, Retrieved on May 4th, 2009 from http://en.wikipedia.org/wiki/Firewall_(networking)