Chapter 20: Identity and Access Management Controls
Access Control Models
MAC
DAC
ABAC
RBAC
RB-RBAC
Access Control
Access control comprises mechanisms for limiting access to information or resources, based on
-
-
- user identity
- membership in groups
-
Routers and operating systems store this information in an Access Control List (ACL).
An ACL consists of access control entries (ACEs).
A guide to understanding Cisco Access Control Lists:
Cisco Access Control Lists (ACL) at
http://www.networkclue.com/routing/Cisco/access-lists/index.aspx
Another example courtesy of JLSNet:
http://www.jlsnet.co.uk/index.php?page=cc_access
What these rules look like as Linux kernel firewall rules (thanks to the JustLinux Forums):
http://www.justlinux.com/forum/showthread.php?threadid=150675
Windows rights based on group membership are inherited rights. These may include:
-
-
-
- Full Control
- Modify
- Read
- List Contents
- Execute
- Write
-
-
Mandatory Access Control (MAC)
This type of access control is used in government and military environments where objects are labelled as “Top Secret” or “Secret,” for example.
No subject can alter another subject’s access level.
All access is strictly defined at the object level:
-only members of a specific group have access
and at the group level:
-access to an object requires membership in a certain group.
Role Based Access Control (RBAC)
All access is defined by a user’s specific role, for instance:
-
-
-
- Manager
- Accountant
- HR
-
-
One user may have many roles.
Discretionary Access Control (DAC)
This is the least restrictive model. Think of Windows workgroup permissions: the user of a PC shares a folder, assigns a password, and sets permission (for instance, read-only).
The user decides everything.
Rule-Based Role-Based Access Control (RB-RBAC)
Yes, this is a thing. The Security+ test may ask about Rule-Based Access Control, or Rule-Based Role-Based Access Control (RB-RBAC). Think of this as a protocol where a rule-based mechanism like a router assigns a role to a user based on those rules.
Biometrics
Fingerprint, iris, retina, voice, face
False Positives and False Negatives
False Acceptance Rate
False Rejection Rate
Crossover Error Rate
Other Layers of Security Based on Authentication
File system security
Database security