Network Security Defined - Access Control


Access control techniques restrict access to devices on the network to authorized users. Access control methods can include hardware or software features, operating procedures, management procedures, or any combination of these.


Access Control

Access control techniques determine which resources the user can access and just what the user can do with the resources. Effective access control relies on effective authentication — if the user cannot be properly identified, it is not possible to control the resources that the user can access.

There are two major types of access control that provide different levels of protection: discretionary access control and mandatory access control.

The use of discretionary or mandatory access control depends on the type of security policy established for the organization or network.


Discretionary Access Control

In discretionary access control the system manager or user decides how to protect files and resources. The system manager or user also decides how and with whom the files and resources are to be shared. Most systems provide a method to establish read, write, and execute permissions for users, directories, and resources.

Access to files and resources can be changed at will and can be established on the basis of:

  • Ownership of the file, directory, or resource
  • Individual, group, or world (public or other) access permissions
  • Access control list permissions


Ownership Access Control

In ownership access control, if a user creates the file, directory, or resource, the user is the owner. The user can read, change, or delete the file. If the user is not the owner, that user has no rights to the file.

Access based just on ownership is simple but restrictive; this scheme does not let the user share data and resources with other users.


Individual, Group, and World Access

Access to files and resources can be granted to individual users, members of a specific group of users, or all users (world, public, or other). The system manager or user does this by setting read, write, execute, or other permissions.


Access Control Lists

A common way to provide access control is through access control lists (ACLs). ACLs provide a powerful way to control access to network resources. ACLs are lists of users and their permissions (the kind of access allowed for various users). For example, one user can read and write to a file while another user can only read the file.
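The discretionary checks described above (ownership, then group and world permissions, then ACL entries) as one decision routine. This is an added example, not code from the original text; the resource, users and the rule that an ACL entry for a user takes precedence over the ownership and group bits are constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field

READ, WRITE, EXEC = "r", "w", "x"


@dataclass
class Resource:
    name: str
    owner: str
    group: str
    owner_perms: set          # permissions for the owner
    group_perms: set          # permissions for members of `group`
    world_perms: set          # permissions for everyone else
    acl: dict = field(default_factory=dict)   # user -> set of permissions


def effective_perms(res: Resource, user: str, user_groups: set) -> set:
    """Return the permissions `user` holds on `res`.

    Assumed precedence for this example: an explicit ACL entry for the
    user is authoritative (an empty entry is an explicit deny); otherwise
    the owner bits apply to the owner, the group bits to members of the
    resource's group, and the world bits to everybody else.
    """
    if user in res.acl:
        return set(res.acl[user])
    if user == res.owner:
        return set(res.owner_perms)
    if res.group in user_groups:
        return set(res.group_perms)
    return set(res.world_perms)


def is_allowed(res: Resource, user: str, user_groups: set, op: str) -> bool:
    return op in effective_perms(res, user, user_groups)


# Constructed sample: alice owns the file, the finance group may read it,
# bob gets read/write through an ACL entry, eve is explicitly denied even
# though she is in the finance group.
REPORT = Resource("quarterly.txt", owner="alice", group="finance",
                  owner_perms={READ, WRITE}, group_perms={READ},
                  world_perms=set(),
                  acl={"bob": {READ, WRITE}, "eve": set()})

if __name__ == "__main__":
    for user, groups in [("alice", {"finance"}), ("bob", set()),
                         ("carol", {"finance"}), ("eve", {"finance"}),
                         ("mallory", set())]:
        print(user, sorted(effective_perms(REPORT, user, groups)))
```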

Access control list techniques range from quite simple to very complex. Some techniques include:

  • Outgoing and incoming service access restrictions
  • Packet filtering


Outgoing and Incoming Service Access Restrictions

Outgoing and incoming service access restrictions use ACLs. Service access restrictions control which user or hosts can access TCP services such as TELNET or FTP.

Access restrictions are set on a per-user or per-host basis. Access for a user is either ON or OFF. For example, with outgoing access restrictions, individual users can be denied or granted permission to use TELNET to get out of the system. Conversely, individual users can be denied or granted permission to use TELNET to get into the system.


Packet Filtering

Packet filtering restricts which datagrams destined for this system are accepted. Packet filtering is set on a per-host basis. The system drops all rejected datagrams. This software-based filtering allows datagrams to be filtered by:

  • Protocol (IP, ICMP, UDP, or TCP)
  • Source and destination address
  • UDP destination port or TCP destination port

Packet filtering lets users keep certain networks or individual hosts from sending datagrams to the system. For example, a business site suspects someone from XYZ University has been trying to gain access to the site. The business site’s system administrator can set up address filtering based on the address of the specific network or hosts at the university. The business system drops all datagrams sent from the specified address at XYZ University.
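A host-based packet filter that matches on the attributes listed above (protocol, source and destination address, UDP/TCP destination port), with the XYZ University scenario as its policy. This is an added example, not code from the original text; the addresses are constructed from the RFC 5737 documentation ranges and the first-match-wins, drop-by-default rule is an assumption for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Datagram:
    proto: str                    # "IP", "ICMP", "UDP" or "TCP"
    src: str
    dst: str
    dport: Optional[int] = None   # only meaningful for UDP and TCP


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    proto: Optional[str] = None   # None matches any protocol
    src: Optional[str] = None     # CIDR network; None matches any source
    dst: Optional[str] = None     # CIDR network; None matches any destination
    dport: Optional[int] = None   # None matches any port

    def matches(self, d: Datagram) -> bool:
        if self.proto is not None and self.proto != d.proto:
            return False
        if self.src and ipaddress.ip_address(d.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(d.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.dport is not None and d.dport != self.dport:
            return False
        return True


def filter_datagram(rules, d: Datagram) -> str:
    """First matching rule decides; a datagram no rule accepts is dropped."""
    for rule in rules:
        if rule.matches(d):
            return rule.action
    return "drop"


# Constructed policy for the scenario in the text: everything from the
# suspected university network is dropped before any accept rule is reached.
HOST = "192.0.2.10"                 # this system (constructed address)
XYZ_UNIVERSITY = "203.0.113.0/24"   # the suspected network (constructed)
RULES = [
    Rule("drop", src=XYZ_UNIVERSITY),
    Rule("accept", proto="TCP", dst=HOST, dport=23),   # TELNET into this host
    Rule("accept", proto="TCP", dst=HOST, dport=21),   # FTP into this host
    Rule("accept", proto="ICMP", dst=HOST),
]
```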


Mandatory Access Control

Mandatory access control can be used in systems that process sensitive data, for example, government or research groups. In mandatory access control schemes, the system protects the files and resources. This type of access can be implemented to handle a number of different security levels, such as Top Secret, Confidential, Unclassified, Company Officers Only, Company Proprietary, Internal Use Only, or All.

The system applies an access control sensitivity label to every user, file, and resource in the system. By comparing the labels the system (not the system manager or user) determines which user can access what information in the system.

A label consists of two parts:

  • A classification — a single hierarchical level to permit access, for example, Top Secret, Secret, Confidential, Company Officers, Internal Users Only, and so on.
  • A set of categories — a nonhierarchical list representing distinct areas of information, such as MIS, Marketing, Engineering, Service, or Hardware, Software, Research.


The IP Security Option Standard

One type of mandatory access control is the IP Security Option (IPSO). IPSO screens IP datagrams coming over the network and prevents those without the proper label from accessing the system. IPSO also screens IP datagrams that originate from the system and prevents those without the proper label from being transmitted over the network.

The IPSO screening is done by comparing the content of the label associated with the IP datagram against the label at the IP layer within the system. The system rejects the datagram if the labels do not match exactly.

The IPSO standard was developed for the U.S. Department of Defense (DoD). IPSO consists of two protocols for use with the Internet protocol: the DoD Basic Security Option (BSO), and the DoD Extended Security Option (ESO). Both protocols define the content of the access control sensitivity labels.

The BSO protocol defines the content of the access control sensitivity labels to be attached to IP datagrams coming into and leaving the system. The ESO describes the requirements and mechanism to increase the number of hierarchical security classifications and protection authorities. The ESO is used only together with the BSO. To date, no implementation of the ESO exists.

Use of the BSO by an intermediate or end system requires configuring the system to include maximum and minimum security level parameters. The maximum security level parameter specifies the highest classification level that can be present in the label attached to IP datagrams sent or received by the system.

The minimum security level parameter specifies the lowest classification level that can be present in the label attached to IP datagrams sent or received by the system.


Contents of the IPSO Label

The IPSO access control sensitivity label includes a hierarchical security classification and a protection authority identification. The IPSO security level classifications currently defined in the BSO are Top Secret, Secret, Confidential, and Unclassified, in that order from highest to lowest.

The IPSO protection authorities represent U.S. Government protection authority models. For example, some requirements for a Top Secret classification for the National Security Agency might differ from requirements for a Top Secret classification for DoE.

The IPSO protection authorities currently defined in the BSO include:

  • Department of Defense Joint Chiefs of Staff (SIOP-ESI)
  • Director of Central Intelligence (SCI)
  • National Security Agency (NSA)
  • Department of Energy (DoE)
  • Designated Approving Authority (GENSER)
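The two-part label described in the mandatory access control section, the system-enforced label comparison, and the BSO screening of datagrams (exact label match, bounded by the configured minimum and maximum security levels) in one worked example. This is added code, not from the original text or from any IPSO implementation; the classification order and the protection authority names are the BSO ones listed above, while the category names, the per-endpoint "IP-layer label" and the sample labels are constructed assumptions.

```python
from dataclasses import dataclass

# Hierarchical classifications in the BSO order, lowest first.
CLASSIFICATIONS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class Label:
    classification: str
    categories: frozenset   # MAC categories, or BSO protection authorities

    def dominates(self, other: "Label") -> bool:
        """Level at least other's, and every one of other's categories held."""
        return (RANK[self.classification] >= RANK[other.classification]
                and self.categories >= other.categories)


def mac_can_read(subject: Label, obj: Label) -> bool:
    """Mandatory check: the system compares labels; the owner has no say.
    A subject may read an object only if its label dominates the object's."""
    return subject.dominates(obj)


def ipso_screen(datagram_label: Label, endpoint_label: Label,
                min_level: str, max_level: str) -> bool:
    """BSO screening as the text describes it.

    `endpoint_label` is the label at the IP layer for the local connection
    the datagram belongs to (assumed to be per-endpoint, so that the
    configured range still matters). The datagram's classification must lie
    within [min_level, max_level] and its label must match exactly.
    """
    lvl = RANK[datagram_label.classification]
    if not RANK[min_level] <= lvl <= RANK[max_level]:
        return False
    return datagram_label == endpoint_label


# Constructed sample labels.
TS_ENG = Label("Top Secret", frozenset({"Engineering"}))
S_ENG = Label("Secret", frozenset({"Engineering"}))
S_ENG_MKT = Label("Secret", frozenset({"Engineering", "Marketing"}))
NSA_SECRET = Label("Secret", frozenset({"NSA"}))

if __name__ == "__main__":
    print(mac_can_read(TS_ENG, S_ENG), mac_can_read(TS_ENG, S_ENG_MKT))
    print(ipso_screen(NSA_SECRET, NSA_SECRET, "Confidential", "Secret"))
```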