Lesson 5 | Access Control |
Objective | Control access to your network/improve security and Access Control |
Network Access Control
Whenever limits are placed on individuals or systems to access only what they are supposed to, you are engaging in access control.
Your network's internal mechanisms ensure that each user and system can access only what the security policy allows.
At the system level, the two ways to implement control are access control lists and execution control lists.
Access control list (ACL)
An ACL is a list of the entities that can access the resource, such as users, servers, programs, or applets, and their access levels, such as read-only, write-only, read-write, delete, create, access, or other actions.
If one of these entities attempts to perform an operation beyond its authorized level of access, the operating system will raise an exception or error notification.
For example, each user or group is assigned an access level in an ACL specifying the operations that each user or group may perform on the database and the documents it
contains. An authorized user must still pass the ACL test to gain access to a database.
Execution control list (ECL)
An ECL allows the operating system to limit a program's activity. Traditionally, the operations of a program have been predetermined by its creators, and could not be modified or limited in any significant way.
With an ECL you can determine which of the program's activities are appropriate, and which are not. In essence, you can exert operating system-level control over a single application.
For example, an ECL can minimize the threat of a malicious program, further direct the activity of Java applets, and stop
trojan horses[1] .
It can forbid the transmission of certain data and alert you to the unauthorized transmission attempt. Eventually, software vendors will
begin shipping ECLs, allowing any user to determine the program's parameters.
Access Control Mechanisms
Access control mechanisms are essential when securing servers. You must define what users can access on servers, services, and daemons.
A hacker can defeat even the most sophisticated operating system with the latest ACL and ECL methods if the administrator uses default settings.
[1]
Trojan (trojan horse):A file or program that purports to operate in a legitimate way, but which also has an alternative, secret operation,
such as emailing sensitive company information to a hacker. A trojan horse is a specific program that destroys information on a hard drive.