Network Security Essentials: Applications
and Standards
Sixth Edition
Chapter 5
Network Access Control
and Cloud Security
Copyright © 2017 Pearson Education, Inc. All Rights Reserved
Network Access Control (NAC)
• An umbrella term for managing access to a network
• Authenticates users logging into the network and
determines what data they can access and actions they
can perform
• Also examines the health of the user’s computer or
mobile device
NAC Systems Deal with Three Categories
of Components (1 of 3)
Access requester (AR)
• Node that is attempting to access the network and may
be any device that is managed by the NAC system,
including workstations, servers, printers, cameras, and
other IP-enabled devices
• Also referred to as supplicants, or clients
NAC Systems Deal with Three Categories
of Components (2 of 3)
Policy server
• Determines what access should be granted
• Often relies on backend systems
Network access server (NAS)
• Functions as an access control point for users in remote
locations connecting to an enterprise’s internal network
NAC Systems Deal with Three Categories
of Components (3 of 3)
• May include its own authentication services or rely on a
separate authentication service from the policy server
Figure 5-1: Network Access Control Context
Network Access Enforcement Methods
• The actions that are applied to ARs to regulate access to
the enterprise network
– Many vendors support multiple enforcement methods
simultaneously, allowing the customer to tailor the
configuration by using one or a combination of
methods
Common NAC Enforcement Methods
• IEEE 802.1X
• Virtual local area networks (VLANs)
• Firewall
• DHCP management
Figure 5-2: EAP Layered Context
Authentication Methods
• EAP provides a generic transport service for the
exchange of authentication information between a client
system and an authentication server
• The basic EAP transport service is extended by using a
specific authentication protocol that is installed in both the
EAP client and the authentication server
Commonly Supported EAP Methods
• EAP Transport Layer Security
• EAP Tunneled TLS
• EAP Generalized Pre-Shared Key
• EAP-IKEv2
Figure 5-3: EAP Protocol Exchanges
Figure 5-4: EAP Message Flow in Pass-Through Mode
Table 5.1: Terminology Related to IEEE
802.1X (1 of 5)
Authenticator
An entity at one end of a point-to-point LAN segment that
facilitates authentication of the entity at the other end of the
link.
Authentication Exchange
The two-party conversation between systems performing
an authentication process.
Table 5.1: Terminology Related to IEEE
802.1X (2 of 5)
Authentication Process
The cryptographic operations and supporting data frames
that perform the actual authentication.
Authentication Server (AS)
An entity that provides an authentication service to an
authenticator. This service determines, from the credentials
provided by the supplicant, whether the supplicant is
authorized to access the services provided by the
system in which the authenticator resides.
Table 5.1: Terminology Related to IEEE
802.1X (3 of 5)
Authentication Transport
The datagram session that actively transfers the
authentication exchange between two systems.
Bridge Port
A port of an IEEE 802.1D or 802.1Q bridge.
Edge Port
A bridge port attached to a LAN that has no other bridges
attached to it.
Table 5.1: Terminology Related to IEEE
802.1X (4 of 5)
Network Access Port
A point of attachment of a system to a LAN. It can be a
physical port, such as a single LAN MAC attached to a
physical LAN segment, or a logical port, for example, an
IEEE 802.11 association between a station and an access
point.
Port Access Entity (PAE)
The protocol entity associated with a port. It can support
the protocol functionality associated with the authenticator,
the supplicant, or both.
Table 5.1: Terminology Related to IEEE
802.1X (5 of 5)
Supplicant
An entity at one end of a point-to-point LAN segment that
seeks to be authenticated by an authenticator attached to
the other end of that link.
Figure 5-5: 802.1X Access Control
Table 5.2: Common EAPOL Frame Types
Frame Type      Definition
EAPOL-EAP       Contains an encapsulated EAP packet.
EAPOL-Start     A supplicant can issue this packet instead of waiting
                for a challenge from the authenticator.
EAPOL-Logoff    Used to return the state of the port to unauthorized
                when the supplicant is finished using the network.
EAPOL-Key       Used to exchange cryptographic keying information.
Figure 5-6: Example Timing Diagram for IEEE
802.1X
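The frame types in Table 5.2 and the port behaviour in Figures 5-5 and 5-6 can be made concrete with a small parser and a port state model. The following is an added example, not code from the textbook or from any 802.1X implementation: it parses the EAPOL header (Version, Type, Length) and the encapsulated EAP packet (Code, Identifier, Length, Type) from the standards, drives a simplified authenticator-side controlled port with constructed frames, and encodes the pass-through rule that only the authentication server's EAP-Success or EAP-Failure changes port state. The `ControlledPort` class and `run_exchange` sequence are illustrative constructions; the numeric EAPOL types, EAP codes and EAP method type values are the registered standard values.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# EAPOL packet types (IEEE 802.1X); names follow Table 5.2.
EAPOL_EAP, EAPOL_START, EAPOL_LOGOFF, EAPOL_KEY = 0, 1, 2, 3
EAPOL_NAMES = {0: "EAPOL-EAP", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}

# EAP codes (RFC 3748) and the method types named on this page (IANA values).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_METHODS = {1: "Identity", 13: "EAP-TLS", 21: "EAP-TTLS", 49: "EAP-IKEv2", 54: "EAP-GPSK"}


@dataclass
class EapPacket:
    code: int
    identifier: int
    method: Optional[int]      # Type byte; only Request/Response carry one
    data: bytes


@dataclass
class EapolFrame:
    version: int
    packet_type: int
    eap: Optional[EapPacket]   # present only for EAPOL-EAP frames


def parse_eap(body: bytes) -> EapPacket:
    """Parse one EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Data]."""
    if len(body) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if length < 4 or length > len(body):
        raise ValueError(f"EAP Length {length} inconsistent with {len(body)} bytes")
    payload = body[4:length]
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not payload:
            raise ValueError("EAP Request/Response is missing its Type byte")
        return EapPacket(code, ident, payload[0], payload[1:])
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return EapPacket(code, ident, None, payload)
    raise ValueError(f"unknown EAP Code {code}")


def parse_eapol(frame: bytes) -> EapolFrame:
    """Parse an EAPOL frame (Ethernet header already stripped): Version(1) Type(1) Length(2) Body."""
    if len(frame) < 4:
        raise ValueError("EAPOL frame shorter than its 4-byte header")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype not in EAPOL_NAMES:
        raise ValueError(f"unsupported EAPOL packet type {ptype}")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    return EapolFrame(version, ptype, parse_eap(body) if ptype == EAPOL_EAP else None)


def build_eapol(ptype: int, body: bytes = b"", version: int = 2) -> bytes:
    """Construct an EAPOL frame for the sample exchange below."""
    return struct.pack("!BBH", version, ptype, len(body)) + body


@dataclass
class ControlledPort:
    """Simplified (hypothetical) authenticator-side model of the 802.1X controlled port."""
    authorized: bool = False
    log: List[str] = field(default_factory=list)

    def on_supplicant_frame(self, raw: bytes) -> None:
        frame = parse_eapol(raw)
        if frame.packet_type == EAPOL_LOGOFF:
            self.authorized = False            # Table 5.2: port returns to unauthorized
            self.log.append("EAPOL-Logoff: port unauthorized")
        elif frame.packet_type == EAPOL_START:
            self.log.append("EAPOL-Start: send EAP-Request/Identity")
        elif frame.eap is not None and frame.eap.code == EAP_RESPONSE:
            method = EAP_METHODS.get(frame.eap.method, str(frame.eap.method))
            self.log.append(f"relay EAP-Response/{method} to authentication server")
        else:
            # Pass-through rule: only the AS decides. A Success/Failure code that
            # arrives on the supplicant side of the link never changes port state.
            self.log.append(f"no port-state change for {EAPOL_NAMES[frame.packet_type]}")

    def on_as_decision(self, eap_bytes: bytes) -> None:
        eap = parse_eap(eap_bytes)
        if eap.code == EAP_SUCCESS:
            self.authorized = True
            self.log.append("EAP-Success from AS: port authorized")
        elif eap.code == EAP_FAILURE:
            self.authorized = False
            self.log.append("EAP-Failure from AS: port unauthorized")


def run_exchange() -> ControlledPort:
    """Constructed frames walking the Figure 5-6 style sequence, then a logoff."""
    port = ControlledPort()
    port.on_supplicant_frame(build_eapol(EAPOL_START))
    identity = struct.pack("!BBH", EAP_RESPONSE, 1, 4 + 1 + 5) + bytes([1]) + b"alice"
    port.on_supplicant_frame(build_eapol(EAPOL_EAP, identity))
    # A Success code presented from the supplicant side is not acted upon.
    port.on_supplicant_frame(build_eapol(EAPOL_EAP, struct.pack("!BBH", EAP_SUCCESS, 2, 4)))
    port.on_as_decision(struct.pack("!BBH", EAP_SUCCESS, 2, 4))   # the AS's verdict
    port.on_supplicant_frame(build_eapol(EAPOL_LOGOFF))
    return port
```

The length checks in both parsers matter in practice: an EAP Length field larger than the EAPOL body is the kind of inconsistency an authenticator should reject rather than read past, and the port model shows why the authenticator must keep the AS's verdict and the supplicant's frames on separate paths.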
Cloud Computing
NIST defines cloud computing, in NIST SP 800-145 (The NIST
Definition of Cloud Computing), as follows:
“A model for enabling ubiquitous, convenient, on-demand
network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage,
applications, and services) that can be rapidly
provisioned and released with minimal management
effort or service provider interaction. This cloud model
promotes availability and is composed of five essential
characteristics, three service models, and four
deployment models.”
Figure 5-7: Cloud Computing Elements
Figure 5-7: Cloud Computing Contexts
Cloud Computing Reference Architecture
NIST SP 500-292 (NIST Cloud Computing Reference
Architecture) establishes a reference architecture,
described as follows:
“The NIST cloud computing reference architecture
focuses on the requirements of “what” cloud services
provide, not a “how to” design solution and
implementation. The reference architecture is intended to
facilitate the understanding of the operational intricacies
in cloud computing. It does not represent the system
architecture of a specific cloud computing system;
instead it is a tool for describing, discussing, and
developing a system-specific architecture using a
common framework of reference.”
Figure 5-9: NIST Cloud Computing
Reference Architecture
Cloud Provider
• Cloud provider (CP)
– Can provide one or more of the cloud services to
meet IT and business requirements of cloud
consumers
– For each of the three service models (SaaS, PaaS,
IaaS), the CP provides the storage and processing
facilities needed to support that service model,
together with a cloud interface for cloud service
consumers
▪ For SaaS, the CP deploys, configures,
maintains, and updates the operation of the
software applications on a cloud infrastructure
so that the services are provisioned at the
expected service levels to cloud consumers
▪ For PaaS, the CP manages the computing
infrastructure for the platform and runs the
cloud software that provides the components of
the platform, such as runtime software
execution stack, databases, and other
middleware components
▪ For IaaS, the CP acquires the physical
computing resources underlying the service,
including the servers, networks, storage, and
hosting infrastructure
Roles and Responsibilities
Cloud carrier
• A networking facility that provides connectivity and
transport of cloud services between cloud consumers and
CPs
Cloud auditor
• An independent entity that can assure that the CP
conforms to a set of standards
Cloud broker
• Useful when cloud services are too complex for a cloud
consumer to easily manage
• Three areas of support can be offered by a cloud broker:
– Service intermediation
▪ Value-added services such as identity
management, performance reporting, and
enhanced security
– Service aggregation
▪ The broker combines multiple cloud services to
meet consumer needs not specifically addressed
by a single CP, or to optimize performance or
minimize cost
– Service arbitrage
▪ A broker has the flexibility to choose services from
multiple agencies
Cloud Security Risks and
Countermeasures (1 of 2)
• The Cloud Security Alliance [CSA10] lists the following as
the top cloud-specific security threats, together with
suggested countermeasures:
Abuse and nefarious use of cloud computing
• Countermeasures: Stricter initial registration and
validation processes; enhanced credit card fraud
monitoring and coordination; comprehensive
introspection of customer network traffic; monitoring
public blacklists for one’s own network blocks
Cloud Security Risks and
Countermeasures (2 of 2)
Malicious insiders
• Countermeasures: Enforce strict supply chain
management and conduct a comprehensive supplier
assessment; specify human resource requirements as
part of legal contract; require transparency into overall
information security and management practices, as well
as compliance reporting; determine security breach
notification processes
Risks and Countermeasures (1 of 5)
Insecure interfaces and APIs
• Countermeasures: Analyzing the security model of CP
interfaces; ensuring that strong authentication and
access controls are implemented in concert with
encrypted transmission; understanding the dependency
chain associated with the API
Risks and Countermeasures (2 of 5)
Shared technology issues
• Countermeasures: Implement security best practices for
installation/configuration; monitor environment for
unauthorized changes/activity; promote strong
authentication and access control for administrative
access and operations; enforce SLAs for patching and
vulnerability remediation; conduct vulnerability scanning
and configuration audits
Risks and Countermeasures (3 of 5)
Data loss or leakage
• Countermeasures: Implement strong API access
control; encrypt and protect integrity of data in transit;
analyze data protection at both design and run time;
implement strong key generation, storage and
management, and destruction practices
Risks and Countermeasures (4 of 5)
Account or service hijacking
• Countermeasures: Prohibit the sharing of account
credentials between users and services; leverage strong
two-factor authentication techniques where possible;
employ proactive monitoring to detect unauthorized
activity; understand CP security policies and SLAs
Risks and Countermeasures (5 of 5)
Unknown risk profile
• Countermeasures: Disclosure of applicable logs and
data; partial/full disclosure of infrastructure details;
monitoring and alerting on necessary information
Table 5.3: NIST Guidelines on Security and
Privacy Issues and Recommendations
Governance
Extend organizational practices pertaining to the policies,
procedures, and standards used for application
development and service provisioning in the cloud, as well
as the design, implementation, testing, use, and monitoring
of deployed or engaged services.
Put in place audit mechanisms and tools to ensure
organizational practices are followed
throughout the system lifecycle.
Compliance
Understand the various types of laws and regulations that
impose security and privacy obligations on the organization
and potentially impact cloud computing initiatives,
particularly those involving data location, privacy and
security controls, records management, and electronic
discovery requirements.
Review and assess the cloud provider's offerings with
respect to the organizational requirements to be met and
ensure that the contract terms adequately meet the
requirements.
Ensure that the cloud provider's electronic discovery
capabilities and processes do not compromise the privacy
or security of data and applications.
Trust
Ensure that service arrangements have sufficient means to
allow visibility into the security and privacy controls and
processes employed by the cloud provider, and their
performance over time.
Establish clear, exclusive ownership rights over data.
Institute a risk management program that is flexible enough
to adapt to the constantly evolving and shifting risk
landscape for the lifecycle of the system.
Continuously monitor the security state of the information
system to support ongoing risk management decisions.
Architecture
Understand the underlying technologies that the cloud
provider uses to provision services, including the
implications that the technical controls involved have on the
security and privacy of the system, over the full system
lifecycle and across all system components.
Identity and Access Management
Ensure that adequate safeguards are in place to secure
authentication, authorization, and other identity and access
management functions, and are suitable for the
organization.
Software Isolation
Understand virtualization and other logical isolation
techniques that the cloud provider employs in its
multi-tenant software architecture, and assess the risks
involved for the organization.
Data Protection
Evaluate the suitability of the cloud provider's data
management solutions for the organizational data
concerned and the ability to control access to data, to
secure data while at rest, in transit, and in use, and to
sanitize data.
Take into consideration the risk of collating organizational
data with those of other organizations whose threat profiles
are high or whose data collectively represent significant
concentrated value.
Fully understand and weigh the risks involved in
cryptographic key management with the facilities available
in the cloud environment and the processes established by
the cloud provider.
Availability
Understand the contract provisions and procedures for
availability, data backup and recovery, and disaster
recovery, and ensure that they meet the organization's
continuity and contingency planning requirements.
Ensure that during an intermediate or prolonged disruption
or a serious disaster, critical operations can be immediately
resumed, and that all operations can be eventually
reinstituted in a timely and organized manner.
Incident Response
Understand the contract provisions and procedures for
incident response and ensure that they meet the
requirements of the organization.
Ensure that the cloud provider has a transparent response
process in place and sufficient mechanisms to share
information during and after an incident.
Ensure that the organization can respond to incidents in a
coordinated fashion with the cloud provider in accordance
with their respective roles and responsibilities for the
computing environment.
Data Protection in the Cloud (1 of 4)
• The threat of data compromise increases in the cloud
• Database environments used in cloud computing can
vary significantly
Multi-instance model
• Provides a unique DBMS running on a virtual machine
instance for each cloud subscriber
• This gives the subscriber complete control over role
definition, user authorization, and other administrative
tasks related to security
Data Protection in the Cloud (2 of 4)
Multi-tenant model
• Provides a predefined environment for the cloud
subscriber that is shared with other tenants, typically
through tagging data with a subscriber identifier
• Tagging gives the appearance of exclusive use of the
instance, but relies on the CP to establish and maintain a
sound secure database environment
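The multi-tenant model above rests on one mechanism, the subscriber tag on every row, and on the CP applying that tag on every access path. The following added example (not from the textbook or any vendor) shows the two sides of that dependency with Python's built-in sqlite3 module: a tenant-scoped data-access layer that binds the tag server-side so callers cannot omit it, beside the failure mode where a fetch by record id trusts the id alone. Table name, column names and the sample rows are constructed for the illustration.

```python
import sqlite3
from typing import List, Optional

# Constructed sample data: rows from two subscribers share one table and are
# told apart only by the tenant_id tag, as in the multi-tenant model.
SAMPLE_ROWS = [
    ("acme", "acme invoice 1001"),
    ("acme", "acme invoice 1002"),
    ("globex", "globex payroll export"),
]


def setup_database() -> sqlite3.Connection:
    """Create the shared table in memory and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, payload TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO records (tenant_id, payload) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


class TenantScopedStore:
    """Data-access layer the CP would expose: every query carries the tag."""

    def __init__(self, conn: sqlite3.Connection, tenant_id: str) -> None:
        self.conn = conn
        self.tenant_id = tenant_id

    def search(self, term: str) -> List[str]:
        # The tenant predicate is bound here, not supplied by the caller, so the
        # subscriber sees what looks like an exclusive database.
        cur = self.conn.execute(
            "SELECT payload FROM records WHERE tenant_id = ? AND payload LIKE ? ORDER BY id",
            (self.tenant_id, f"%{term}%"),
        )
        return [row[0] for row in cur]

    def get(self, record_id: int) -> Optional[str]:
        # Even a direct primary-key fetch re-checks the tag: an id that belongs
        # to another subscriber behaves exactly as if it did not exist.
        cur = self.conn.execute(
            "SELECT payload FROM records WHERE id = ? AND tenant_id = ?",
            (record_id, self.tenant_id),
        )
        row = cur.fetchone()
        return row[0] if row else None


def get_without_tenant_check(conn: sqlite3.Connection, record_id: int) -> Optional[str]:
    """The failure mode the slide alludes to: one access path that trusts the id alone."""
    row = conn.execute("SELECT payload FROM records WHERE id = ?", (record_id,)).fetchone()
    return row[0] if row else None


def isolation_report() -> dict:
    """Run both access paths against the sample table and report what each yields."""
    conn = setup_database()
    acme = TenantScopedStore(conn, "acme")
    globex_id = conn.execute("SELECT id FROM records WHERE tenant_id = 'globex'").fetchone()[0]
    return {
        "acme_search": acme.search("invoice"),
        "acme_reads_globex_row": acme.get(globex_id),
        "unchecked_reads_globex_row": get_without_tenant_check(conn, globex_id),
    }
```

The point for an assessor is that the first two results are what the tenant observes, while the third is only visible to whoever reviews the CP's code; the slide's "relies on the CP" is precisely that third path.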
Data Protection in the Cloud (3 of 4)
• Data must be secured while at rest, in transit, and in use,
and access to the data must be controlled
• The client can employ encryption to protect data in
transit, though this involves key management
responsibilities for the CP
• For data at rest the ideal security measure is for the client
to encrypt the database and only store encrypted data in
the cloud, with the CP having no access to the encryption
key
Data Protection in the Cloud (4 of 4)
• A straightforward solution to the security problem in this
context is to encrypt the entire database and not provide
the encryption/decryption keys to the service provider
– The user has little ability to access individual data
items based on searches or indexing on key
parameters
– The user would have to download entire tables from
the database, decrypt the tables, and work with the
results
– To provide more flexibility it must be possible to work
with the database in its encrypted form
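The trade-off described above (encrypt everything and keep the keys from the CP, at the cost of having to download and decrypt whole tables) can be seen side by side with one way of working with the data in encrypted form: a keyed blind index, so the CP can match rows on a search field without learning its value. This is an added example, not the textbook's scheme from Figure 5-10 and not any product's code. To run offline with only the standard library it uses a toy authenticated encryption (HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag) as a stand-in for a real cipher such as AES-GCM; the `CloudDatabase` and `Client` classes, the key-derivation labels and the sample records are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import List, Tuple

# Toy authenticated encryption from the standard library. HMAC-SHA256 in
# counter mode supplies the keystream; an encrypt-then-MAC tag protects
# integrity. It stands in for AES-GCM so the example runs offline: the point
# is the architecture (keys never leave the client), not the cipher choice.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks: List[bytes] = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)  # fresh per record, stored alongside the ciphertext
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # a modified row is rejected, not decrypted
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CloudDatabase:
    """What the CP holds: an opaque index token and a ciphertext per row, no keys."""

    def __init__(self) -> None:
        self.rows: List[Tuple[str, bytes]] = []

    def insert(self, token: str, blob: bytes) -> None:
        self.rows.append((token, blob))

    def select_all(self) -> List[bytes]:
        return [blob for _, blob in self.rows]

    def select_by_token(self, token: str) -> List[bytes]:
        return [blob for t, blob in self.rows if t == token]


def _normalize(customer: str) -> str:
    return customer.strip().lower()


class Client:
    """Key holder. Separate keys are derived for encryption, MAC and the index."""

    def __init__(self, master_key: bytes) -> None:
        def derive(label: bytes) -> bytes:
            return hmac.new(master_key, label, hashlib.sha256).digest()
        self.enc_key, self.mac_key, self.idx_key = derive(b"enc"), derive(b"mac"), derive(b"idx")

    def token(self, customer: str) -> str:
        # Keyed, deterministic hash of the searchable field: equal values give
        # equal tokens, so the CP can match rows without learning the value.
        # Caveat: the CP still sees which rows share a customer (equality
        # pattern), so queryability is bought with a measured amount of leakage.
        return hmac.new(self.idx_key, _normalize(customer).encode(), hashlib.sha256).hexdigest()[:32]

    def store(self, db: CloudDatabase, customer: str, detail: str) -> None:
        record = f"{customer}|{detail}".encode()
        db.insert(self.token(customer), encrypt(self.enc_key, self.mac_key, record))

    def _open(self, blob: bytes) -> Tuple[str, str]:
        customer, detail = decrypt(self.enc_key, self.mac_key, blob).decode().split("|", 1)
        return customer, detail

    def find_naive(self, db: CloudDatabase, customer: str) -> Tuple[List[str], int]:
        """The whole-table approach from the slide: download all rows, decrypt, filter."""
        blobs = db.select_all()
        matches = [d for c, d in map(self._open, blobs) if _normalize(c) == _normalize(customer)]
        return matches, len(blobs)

    def find_indexed(self, db: CloudDatabase, customer: str) -> Tuple[List[str], int]:
        """Let the CP select by blind index; decrypt only the rows that match."""
        blobs = db.select_by_token(self.token(customer))
        return [self._open(b)[1] for b in blobs], len(blobs)
```

Both search methods return the matching records and how many ciphertexts had to be downloaded to find them; the second number is what the whole-table approach makes grow with the database rather than with the result set.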
Figure 5-10: An Encryption Scheme for a
Cloud-Based Database
Cloud Security as a Service (SECAAS) (1 of 2)
• The Cloud Security Alliance defines SecaaS as the
provision of security applications and services via the
cloud either to cloud-based infrastructure and software or
from the cloud to the customers’ on premise systems
• The Cloud Security Alliance has identified the following
SecaaS categories of service:
– Identity and access management
– Data loss prevention
– Web security
Cloud Security as a Service (SECAAS) (2 of 2)
– E-mail security
– Security assessments
– Intrusion management
– Security information and event management
– Encryption
– Business continuity and disaster recovery
– Network security
Figure 5-11: Elements of Cloud Security as
a Service
Table 5.4: Control Functions and Classes
Technical
  Access Control
  Audit and Accountability
  Identification and Authentication
  System and Communication Protection
Operational
  Awareness and Training
  Configuration Management
  Contingency Planning
  Incident Response
  Maintenance
  Media Protection
  Physical and Environmental Protection
  Personnel Security
  System and Information Integrity
Management
  Certification, Accreditation, and Security Assessment
  Planning
  Risk Assessment
  System and Services Acquisition
Summary
• Network access control
– Elements of a network access control system
– Network access enforcement methods
• Extensible authentication protocol
– Authentication methods
– EAP exchanges
• IEEE 802.1X port-based network access control
• Cloud computing
– Elements
– Reference architecture
• Cloud security risks and countermeasures
• Data protection in the cloud
• Cloud security as a service
• Addressing cloud computing security concerns