
Implementing Access Controls

The following section describes the different mechanisms used to implement access controls effectively.

Access Control Lists (ACLs)

Access Control Lists are the most basic mechanism for implementing access to network resources. They are implemented in the devices that provide access to a network. A network device or a computer system is configured with the rights that each user is to be given to each item on the network. Each resource has two basic rules – deny and allow. When an ACL is configured, for example, user1 may be allowed to access a specific server in the network whereas user2 is denied access to the same server. This may seem a simplistic approach, but a real implementation may consist of many complex rules. ACLs are implemented at two levels – file system level ACLs and network level ACLs.

File System ACLs

Files have three basic rights – read, write, and execute – which respectively allow a user to read the contents of a file, write to the file, and execute the file if it is a program or a script capable of running on the system. File access can be granted at the user level as well as the group level: a user who belongs to a particular group receives the access granted to that group. A file or a directory may also have multiple access rules attached to it. In UNIX (and many other operating systems), access permission for every file and directory is controlled by two identifiers – the User Identification number (UID) and the Group Identification number (GID). Every user has a unique user name and is a member of at least one group. This information is stored in a password file. Only the administrator can create or modify a user name and its permissions.

An example of the output produced by the 'ls -l' command is shown in Figure 4-5.

Figure 4-5. ls -l command

Field 1: A set of permission flags
Field 2: Link count
Field 3: Owner of the file
Field 4: Associated group
Field 5: Size of the file in bytes
Fields 6–8: Date and time of the last modification
Field 9: Name of the file
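As an added illustration (example code written for this section, not taken from the handbook), the following Python script parses lines in the 'ls -l' layout listed above and then applies the UID/GID check described: a user is classed as owner, group member or other, and only that class's rwx triplet decides what the user may do. The sample listing, user names and group memberships are constructed for the example; the root override that lets the administrator bypass these bits is not modelled.

```python
import re
from dataclasses import dataclass

# Constructed sample listing in the 'ls -l' layout described above
# (hypothetical files, owners and groups; not output from a real system).
SAMPLE_LS_OUTPUT = """\
total 16
-rw-r--r-- 1 alice staff 1024 Mar  3 10:15 notes.txt
-rwxr-x--- 1 alice devs   512 Mar  4 09:00 deploy.sh
drwxr-x--x 2 root  root  4096 Mar  1 08:00 conf
-rw------- 1 bob   bob    256 Mar  2 12:30 secret.key
"""

@dataclass
class Entry:
    kind: str      # Field 1, first character: '-' regular file, 'd' directory, 'l' symlink
    perms: str     # Field 1, next nine characters: rwx for owner, group, other
    links: int     # Field 2
    owner: str     # Field 3
    group: str     # Field 4
    size: int      # Field 5, in bytes
    mtime: str     # Fields 6-8
    name: str      # Field 9

FLAGS_RE = re.compile(r"[-dlbcps][-rwxsStT]{9}")

def parse_ls_line(line):
    """Split one 'ls -l' line into its nine fields; the name may contain spaces."""
    parts = line.split(None, 8)
    if len(parts) != 9:
        raise ValueError(f"unexpected ls -l line: {line!r}")
    flags, links, owner, group, size, month, day, clock, name = parts
    # A trailing '+' or '.' marks an extended ACL or security label; strip it,
    # the nine mode bits are still the first thing to check.
    flags = flags.rstrip("+.")
    if not FLAGS_RE.fullmatch(flags):
        raise ValueError(f"unexpected permission flags: {flags!r}")
    return Entry(flags[0], flags[1:], int(links), owner, group, int(size),
                 f"{month} {day} {clock}", name)

def parse_listing(text):
    """Parse a whole listing, skipping the 'total N' header line ls prints."""
    return [parse_ls_line(l) for l in text.splitlines()
            if l.strip() and not l.startswith("total ")]

def effective_rights(entry, user, groups):
    """Classify the user as owner, group member or other (the UID/GID check),
    then read the matching rwx triplet. Only one class applies: an owner is
    judged by the owner bits even if the group bits are more generous.
    (root bypasses these checks on a real system; not modelled here.)"""
    if user == entry.owner:
        triplet = entry.perms[0:3]
    elif entry.group in groups:
        triplet = entry.perms[3:6]
    else:
        triplet = entry.perms[6:9]
    return {
        "read": triplet[0] == "r",
        "write": triplet[1] == "w",
        # lower-case s/t: execute bit set together with setuid/setgid/sticky
        "execute": triplet[2] in "xst",
    }

if __name__ == "__main__":
    for e in parse_listing(SAMPLE_LS_OUTPUT):
        print(f"{e.name:<12} bob:", effective_rights(e, "bob", {"bob", "devs"}))
```

Running the script shows that bob, who is in the devs group, can read and execute deploy.sh but not write it, while a user in neither the owner's nor the file's group falls through to the 'other' bits.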

Network ACLs

Network ACLs, shown in Figure 4-6, provide secured access to a network. They act as a network filter that drops unnecessary traffic. They are not as sophisticated as a firewall or other network security devices, but they provide basic access security for a network. An ACL filter lets you control traffic into and out of your network. This control is as simple as permitting or denying hosts inside the organizational network. ACLs are normally configured on the access device, such as a router or switch. When a packet arrives at the router, the router consults the ACL rules and, based on the matching rule, the packet is permitted or denied (dropped). ACLs are implemented at the network layer of the TCP/IP and OSI models.

Figure 4-6. Example of Network ACL

ACLs consist of a permit/deny rule, a source IP address, a destination IP address, and the traffic type (IP or TCP). As soon as a packet enters the network, its source and destination addresses are checked against the ACL rules and, based on the matching rule, the packet is either permitted or denied entry into the network. Advanced rules also check the type of traffic. For example, FTP uses TCP port 21 to transfer files, the Internet Message Access Protocol (IMAP) uses port 143, and secured e-mail port 22.
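The evaluation just described, as an added Python example (written for this section, not taken from the handbook or from any router's actual configuration syntax): an ordered list of permit/deny entries, each with a source range, a destination range, a traffic type and an optional destination port, checked top down with the first match deciding and an implicit deny for anything unmatched. The addresses, the user1/user2 subnets and the server are hypothetical values constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: ipaddress.IPv4Network   # source address or range
    dst: ipaddress.IPv4Network   # destination address or range
    proto: str = "ip"            # "ip" matches any protocol; otherwise "tcp", "udp", "icmp"
    dport: Optional[int] = None  # destination port, checked only when given

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None

def rule(action, src, dst, proto="ip", dport=None):
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action: {action}")
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, dport)

# Constructed example ACL with hypothetical private addresses. Entries are
# evaluated top down, the first match decides, and a packet that matches
# nothing falls through to the implicit deny at the end of the list.
ACL = [
    rule("permit", "10.0.1.0/24", "10.0.2.10/32", "tcp", 21),   # user1's subnet may FTP to the server
    rule("deny",   "10.0.3.0/24", "10.0.2.10/32"),              # user2's subnet may not reach it at all
    rule("permit", "10.0.0.0/16", "10.0.2.0/24",  "tcp", 143),  # rest of the site may use IMAP
    rule("permit", "10.0.0.0/16", "10.0.0.0/16",  "icmp"),      # ping inside the site
]

def matches(r, p):
    """Does rule r match packet p? Addresses are range checks; protocol and
    port are exact checks that apply only when the rule specifies them."""
    if ipaddress.ip_address(p.src) not in r.src:
        return False
    if ipaddress.ip_address(p.dst) not in r.dst:
        return False
    if r.proto != "ip" and r.proto != p.proto:
        return False
    if r.dport is not None and r.dport != p.dport:
        return False
    return True

def evaluate(acl, p):
    """Return (decision, index of the deciding rule); an index of None means
    the packet reached the implicit deny at the end of the list."""
    for i, r in enumerate(acl):
        if matches(r, p):
            return r.action, i
    return "deny", None

if __name__ == "__main__":
    for pkt in [Packet("10.0.1.5", "10.0.2.10", "tcp", 21),
                Packet("10.0.3.7", "10.0.2.10", "tcp", 143),
                Packet("10.0.5.9", "10.0.2.10", "tcp", 143),
                Packet("10.0.1.5", "10.0.2.10", "tcp", 22)]:
        print(pkt, "->", evaluate(ACL, pkt))
```

The second sample packet shows why rule order matters: a host on user2's subnet asking for IMAP would be permitted by the third entry, but the deny placed above it is reached first. The fourth packet matches no entry and is dropped by the implicit deny, which is why an ACL should be read as "everything not explicitly permitted is denied".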
