Module 13: Access Control
Cybersecurity Essentials 3.0
Module Objectives
Module Title: Access Control
Module Objective: Configure local and server-based access control.
  Topic Title                   Topic Objective
  Access Controls               Configure secure access on a host.
  Access Control Concepts       Explain how access control protects network data.
  Account Management            Explain the need for account management and access control strategies.
  AAA Usage and Operation       Configure server-based authentication with TACACS+ and RADIUS.
                                                                           © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Confidential   13
13.1 Access Controls
Access Controls
Physical Access Controls
   •   Physical access controls are actual barriers deployed to prevent direct physical contact with
       systems.
   •   The goal is to prevent unauthorized users from gaining physical access to facilities, equipment,
       and other organizational assets.
   •   Some examples of physical access controls are:
         • Guards to monitor the facility
         • Fences to protect the perimeter
         • Motion detectors to detect moving objects
         • Laptop locks to safeguard portable equipment
         • Locked doors to prevent unauthorized access
         • Swipe cards to allow access to restricted areas
         • Guard dogs to protect the facility
         • Video cameras to monitor a facility by collecting and recording images
         • Mantrap-style entry systems to stagger the flow of people into the secured area and trap any
           unwanted visitors
         • Alarms to detect intrusion
Access Controls
Logical Access Controls
   •   Logical access controls are the hardware and software solutions used to manage access to
       resources and systems.
   •   These technology-based solutions include tools and protocols that computer systems use for
       identification, authentication, authorization, and accountability.
   •   Examples of logical access controls:
         • Encryption is the process of taking plaintext and creating ciphertext.
         • Smart cards have an embedded microchip.
         • Passwords are protected strings of characters.
         • Biometrics are users’ physical characteristics.
         • Access control lists (ACLs) define the type of traffic allowed on a network.
         • Protocols are sets of rules that govern the exchange of data between devices.
         • Firewalls prevent unwanted network traffic.
         • Routers connect at least two networks.
         • Intrusion detection systems monitor a network for suspicious activities.
         • Clipping levels are certain allowed thresholds for errors before triggering a red flag.
Access Controls
Administrative Access Controls
   •   Administrative access controls are the policies and procedures defined by organizations to
       implement and enforce all aspects of controlling unauthorized access.
   •   Administrative controls focus on personnel and business practices.
   •   Examples of administrative controls:
         • Policies are statements of intent.
         • Procedures are the detailed steps required to perform an activity.
         • Hiring practices define the steps an organization takes to find qualified employees.
         • Background checks are a type of employee screening that includes information of
           past employment verification, credit history, and criminal history.
         • Data classification categorizes data based on its sensitivity.
         • Security training educates employees about the security policies at an organization.
         • Reviews evaluate an employee’s job performance.
Access Controls
Administrative Access Controls in Detail
   •   The concept of administrative access controls involves three security services: authentication,
       authorization, and accounting (AAA).
   •   These services provide the primary framework to control access, preventing unauthorized access
       to a computer, network, database, or other data resource.
   •   Authentication:
        • It verifies the identity of each user, to prevent unauthorized access.
        • Users prove their identity with a username or ID.
        •   In addition, users need to verify their identity by providing one of the following:
              • Something they know (such as a password)
              • Something they have (such as a token or card)
              • Something they are (such as a fingerprint)
              • In the case of two factor authentication, which is increasingly becoming the norm,
                 the system requires a combination of two of the above rather than just one to verify
                 someone’s identity.
Access Controls
Administrative Access Controls in Detail (Cont.)
    •   Authorization:
         • It determines which resources users can access, along with the operations that users can
             perform.
         • Some systems accomplish this by using an access control list, or an ACL.
               • An ACL determines whether a user has certain access privileges once the user
                   authenticates.
               • It can also control when a user has access to a specific resource.
    •   Accounting:
         • It keeps track of what users do — including what they access, the amount of time they
            access resources, and any changes they make.
         • Cybersecurity accounting services track each data transaction and provide auditing results.
         • System administrators can set up computer policies to enable system auditing.
         • Cybersecurity accounting tracks and monitors in real time.
    •   The concept of AAA is like using a credit card that identifies who can use it, how much that user
        can spend, and accounts for items or services the user purchased.
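The AAA flow described above, as an added example that is not part of the Cisco module: a small Python "AAA server" that authenticates with a username, a password (something you know) and a one-time code from a token (something you have), locks the account once failed logins exceed a clipping level, authorizes against a per-resource ACL, and records every decision in an audit trail. All users, secrets and resources are constructed sample data, and the token scheme is a simplified HMAC-over-counter code chosen for illustration, not any real key fob's protocol.

```python
"""Added example (not from the Cisco module): a minimal AAA server.

Authentication: salted PBKDF2 password hash plus a one-time token code.
Authorization: per-resource ACL mapping users to permitted operations.
Accounting: every login and access decision appended to an audit log.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field

PBKDF2_ITERATIONS = 200_000
CLIPPING_LEVEL = 3      # failed logins tolerated before the account is locked
CODE_DIGITS = 6


def token_code(secret: bytes, counter: int) -> str:
    """Code the (hypothetical) fob displays: truncated HMAC over a moving counter."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    token_secret: bytes
    counter: int = 0        # next token counter the server expects
    failures: int = 0
    locked: bool = False


@dataclass
class AAAServer:
    accounts: dict = field(default_factory=dict)
    acl: dict = field(default_factory=dict)        # resource -> {user: {ops}}
    audit_log: list = field(default_factory=list)

    def enroll(self, user: str, password: str, token_secret: bytes) -> None:
        """Store a salted, iterated hash; the plaintext password is never kept."""
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        self.accounts[user] = Account(salt, digest, token_secret)

    def _record(self, user, event, resource=None, op=None, result=None) -> None:
        """Accounting: every authentication and access decision is logged."""
        self.audit_log.append({"ts": time.time(), "user": user, "event": event,
                               "resource": resource, "op": op, "result": result})

    def authenticate(self, user: str, password: str, code: str) -> bool:
        """Two-factor check: something you know (password) and have (token code)."""
        acct = self.accounts.get(user)
        if acct is None or acct.locked:
            self._record(user, "login", result="denied")
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), acct.salt, PBKDF2_ITERATIONS)
        # Constant-time comparisons avoid leaking how many bytes matched.
        pw_ok = hmac.compare_digest(candidate, acct.pw_hash)
        code_ok = hmac.compare_digest(code.encode(), token_code(acct.token_secret, acct.counter).encode())
        if pw_ok and code_ok:
            acct.failures = 0
            acct.counter += 1           # a used code can never be replayed
            self._record(user, "login", result="success")
            return True
        acct.failures += 1
        self._record(user, "login", result="failed")
        if acct.failures >= CLIPPING_LEVEL:   # clipping level reached: raise the red flag
            acct.locked = True
            self._record(user, "lockout", result="locked")
        return False

    def authorize(self, user: str, resource: str, op: str) -> bool:
        """ACL lookup after authentication; unknown users and resources are denied."""
        allowed = op in self.acl.get(resource, {}).get(user, set())
        self._record(user, "access", resource, op, "permit" if allowed else "deny")
        return allowed
```

The audit log is what accounting delivers: an analyst can reconstruct who logged in, which codes were rejected, when the lockout fired, and which resources each user touched, without any of this depending on the client being honest.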
Access Controls
What Is Identification?
   •   It enforces the rules established by the authorization policy.
   •   Every time access to a resource is requested, the access controls determine whether to grant or
       deny access.
   •   A unique identifier ensures the proper association between allowed activities and subjects.
   •   A username is the most common method used to identify a user.
   •   A username can be an alphanumeric combination, a personal identification number (PIN), a smart
       card or biometric — such as a fingerprint, retina scan, or voice recognition.
   •   A unique identifier ensures that a system can identify each user individually, therefore allowing an
       authorized user to perform the appropriate actions on a particular resource.
Access Controls
Federated Identity Management
  •   It refers to multiple enterprises that let their users use the same identification credentials to gain
      access to the networks of all enterprises in the group.
  •   Unfortunately, this broadens the scope and increases the probability of a cascading effect should
      an attack occur.
  •   A federated identity links a subject’s electronic identity across separate identity management
      systems, such as being able to access several websites using the same social login credentials.
  •   The goal of federated identity management is to share identity information automatically across
      castle boundaries.
  •   From the individual user’s perspective, this means a single sign-on to the web.
  •   It is imperative that organizations scrutinize the identifying information shared with partners, even
      within the same corporate group, for example.
  •   The sharing of social security numbers, names, and addresses may allow identity thieves the
      opportunity to steal this information from a partner to perpetrate fraud.
  •   The most common way to protect federated identity is to tie login ability to an authorized device.
Access Controls
Authentication Methods
   •   Users prove their identity with a username or ID and need to verify their identity by providing one of
       the following:
   What you know:
       • Passwords, passphrases, or PINs are all examples of something that the user knows.
         •   The terms passphrase, passcode, passkey, and PIN are all generically referred to as
             password — a string of characters used to prove a user’s identity.
         •   A password should be at least eight characters and contain a combination of upper and
             lowercase letters, numbers, and special characters.
         •   Users need to use different passwords for different systems because if a criminal cracks the
             user’s password once, the criminal will have access to all the user’s accounts.
Access Controls
Authentication Methods (Cont.)
    What you have:
        • Smart cards and security key fobs are examples of something that users possess that can
            be used for authentication purposes.
         •   A smart card is a small plastic card, about the size of a credit card, with a small chip
             embedded in it that is capable of processing, storing, and safeguarding data.
         •   A security key fob is a device that is small enough to attach to a keyring.
         •   In most cases, security key fobs are used for two factor authentication (2FA), which is much
             more secure than a username and password combination.
Access Controls
Authentication Methods (Cont.)
   Who you are:
       •   Biometric security compares unique physical characteristics against stored profiles to
           authenticate users.
        •   There are two types of biometric identifiers:
              • Physiological characteristics — fingerprints, DNA, face, hands, retina, or ear features.
              • Behavioral characteristics — patterns of behavior such as gestures, voice, gait, or
                 typing rhythm.
        •   Biometrics is becoming increasingly popular in public security systems, consumer electronics
            and point-of-sale applications.
        •   Implementing biometrics involves a reader or scanning device, software that converts the
            scanned information into digital form and a database that has biometric data stored for
            comparison.
Access Controls
Multi-Factor Authentication
   •   It uses at least two methods of verification — such as a password and something you have, for
       example, a security key fob.
   •   This can be taken a step further by adding something you are, such as a fingerprint scan.
   •   Multi-factor authentication can reduce the incidence of online identity theft because it means
       knowing a password will not give cybercriminals access to a user’s account.
   •   Note that two-factor authentication (2FA) is a method of multi-factor authentication that entails two
       factors, but the two terms are often used interchangeably.
Access Controls
Authorization
   Authorization controls what a user can and cannot do on the network after successful authentication.
        • After a user proves their identity, the system checks to see what network resources the user
           can access and what they can do with the resources.
   When to implement authorization
   • Authorization uses a set of attributes that describes the user’s access to the network, to answer the
     question, ‘What read, copy, edit, create, and delete privileges does this user have?’
   •   The system compares these attributes to the information contained within the authentication
       database, determines a set of restrictions for that user, and delivers it to the local device where the
       user is connected.
   •   Authorization is automatic and does not require users to perform additional steps after
       authentication.
   •   System administrators have set the network up to implement authorization immediately after the user
       authenticates.
Access Controls
Authorization (Cont.)
  Using authorization
  • Defining authorization rules is the first step in controlling access.
  •   An authorization policy establishes these rules.
  •   A group membership policy defines authorization based on users’ membership in a specific group.
  •   All employees of an organization may have a swipe card, for example, which provides access to
      the premises, but it might not allow access to a server room.
  •   An authority-level policy defines access permissions based on an employee’s position within the
      organization.
Access Controls
Packet Tracer - Configure Access Control
   In the following Packet Tracer activity, you will complete the following objectives:
         Part 1: Configure and Use AAA Authentication Credentials
         Part 2: Configure and Use Email Services
         Part 3: Configure and Use FTP Services
Access Control Concepts
Access Control Models (Cont.)
Access Control Models: Description
Discretionary access control (DAC): This is the least restrictive model and allows users to control access to their data as owners of that data. DAC may use ACLs or other methods to specify which users or groups of users have access to the information.
Mandatory access control (MAC): This applies the strictest access control and is typically used in military or mission-critical applications. It assigns security level labels to information and enables users with access based on their security level clearance.
Role-based access control (RBAC): Access decisions are based on an individual’s roles and responsibilities within the organization. Different roles are assigned security privileges, and individuals are assigned to the RBAC profile for the role. Roles may include different positions, job classifications, or groups of job classifications. Also known as a type of non-discretionary access control.
Attribute-based access control (ABAC): ABAC allows access based on attributes of the object (resource) to be accessed, the subject (user) accessing the resource, and environmental factors regarding how the object is to be accessed, such as time of day.
Rule-based access control (RBAC): Network security staff specify sets of rules or conditions that are associated with access to data or systems. These rules may specify permitted or denied IP addresses, or certain protocols and other conditions. Also known as Rule-Based RBAC.
Time-based access control (TAC): TAC allows access to network resources based on time and day.
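The models in the table above, as an added example that is not part of the Cisco module: one Python decision function per model, each answering "may this subject perform this operation on this object?" the way that model defines it. The group-membership and authority-level policies from the Authorization section map onto the RBAC function. The labels, roles, departments, address ranges and time windows are constructed for illustration, and the MAC function adds the classic no-read-up / no-write-down rule, which is an assumption beyond the table's wording.

```python
"""Added example (not from the Cisco module): one decision function per
access control model, run over constructed sample data."""
import ipaddress
from datetime import datetime, time

# MAC: ordered sensitivity labels (constructed).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}

# RBAC: role -> {resource: {ops}}. "employee" is the swipe card for the premises;
# only "server_admin" also opens the server room (constructed roles).
ROLE_PERMS = {
    "employee": {"/front-door": {"enter"}},
    "server_admin": {"/front-door": {"enter"}, "/server-room": {"enter"}},
    "payroll_manager": {"/payroll": {"read", "write"}},
}

# Rule-based: evaluated top-down, first match wins, implicit deny at the end,
# like a router ACL (constructed rules).
RULES = [
    ("deny", ipaddress.ip_network("10.0.99.0/24"), None),      # None = any protocol
    ("permit", ipaddress.ip_network("10.0.0.0/16"), "https"),
]

# TAC: weekday -> (start, end) window; weekends have no window (constructed).
BUSINESS_HOURS = {wd: (time(8, 0), time(18, 0)) for wd in range(5)}


def dac_permits(obj, subject, op):
    """DAC: the object's owner controls its ACL and always keeps full control."""
    return subject == obj["owner"] or op in obj["acl"].get(subject, set())


def mac_permits(obj, subject, op):
    """MAC: compare the subject's clearance with the object's label.
    Reads need clearance >= label; writes need label >= clearance, so data
    never flows down to a less trusted level (assumed rule, see lead-in)."""
    clearance, label = LEVELS[subject["clearance"]], LEVELS[obj["label"]]
    if op == "read":
        return clearance >= label
    if op == "write":
        return label >= clearance
    return False


def rbac_permits(obj, subject, op):
    """RBAC: permissions attach to roles; a subject gets the union of its roles."""
    return any(op in ROLE_PERMS.get(r, {}).get(obj["path"], set())
               for r in subject["roles"])


def abac_permits(obj, subject, op, env):
    """ABAC: one rule over object, subject and environment attributes.
    Constructed rule: same department, office hours, managed device for writes."""
    if subject["dept"] != obj["dept"]:
        return False
    if not time(8, 0) <= env["now"].time() <= time(18, 0):
        return False
    if op == "write" and not env["managed_device"]:
        return False
    return True


def rule_based_permits(src_ip, protocol):
    """Rule-based: first matching (address, protocol) rule decides."""
    ip = ipaddress.ip_address(src_ip)
    for action, net, proto in RULES:
        if ip in net and proto in (None, protocol):
            return action == "permit"
    return False


def time_based_permits(now):
    """TAC: access only inside the configured window for that weekday."""
    window = BUSINESS_HOURS.get(now.weekday())
    return window is not None and window[0] <= now.time() <= window[1]
```

Note how the inputs differ: DAC and RBAC need only the subject and object, MAC needs labels on both, ABAC additionally consumes an environment, and rule-based and time-based decisions never look at the user at all, which is why the latter two are usually combined with one of the first four rather than used alone.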
13.5 Access Control Summary
Access Control Summary
What Did I Learn in this Module?
•   Physical access controls are actual barriers deployed to prevent direct physical contact with systems.
•   Logical access controls are hardware and software solutions used to manage access to resources and systems.
•   Administrative access controls involve three security services: authentication, authorization, and accounting.
•   Identification enforces the rules established by the authorization process.
•   Authorization controls what a user can and cannot do on the network after successful authentication.
•   Accountability traces an action back to a person or process making the change to the system.
•   The CIA triad consists of confidentiality, integrity, and availability.
•   Zero trust is a comprehensive approach to securing all access across networks, applications, and environments.
•   Access control methods include DAC, MAC, role-based access control (RBAC), ABAC, rule-based access control, and TAC.
•   Privilege escalation is a common exploit where vulnerabilities in servers or access control systems are exploited to grant
    access to an unauthorized user or software process.
•   Account types can include administrator accounts, user accounts, service accounts, and guest accounts.
•   Permission levels can be assigned to files and folders to include full control, modify, read and execute, write, and read.
•   Robust practices for securing privileged accounts must be taken because they are often the target of cybercriminals.
Access Control Summary
What Did I Learn in this Module?
•   Authentication management aims to ensure secure sign in while still providing ease of use.
•   HMAC uses an encryption key with a hash function to authenticate a web user.
•   An authentication protocol authenticates data between two entities to prevent unauthorized access.
•   A network must be designed to control who is allowed to connect to it and what they are allowed to do when they are
    connected.
•   AAA systems provide the necessary framework to enable scalable security.
•   AAA authentication can be used to authenticate users for local access, or it can be used to authenticate users for remote
    network access.
•   Cisco provides two common methods of implementing AAA services: Local AAA Authentication and Server-based AAA
    Authentication.
•   Centralized AAA is more scalable and manageable than local AAA and is the preferred AAA implementation.
•   A centralized AAA system can leverage Active Directory or LDAP for user authentication and group membership, while
    maintaining its own authorization and accounting databases.
•   Devices communicate with the centralized AAA server using the RADIUS or TACACS+ protocols.
•   Centralized AAA also enables the use of the accounting method that reports usage data in AAA logs.
•   Various types of accounting information that can be collected are network accounting, connection
    accounting, EXEC accounting, system accounting, command accounting, and resource accounting.