New England College Week 5 Network Access Control Questions


Description

5.1 Provide a brief definition of network access control.

5.2 What is an EAP?

5.3 List and briefly define four EAP authentication methods.

5.4 What is EAPOL?

5.5 What is the function of IEEE 802.1X?

5.6 Define cloud computing.

5.7 List and briefly define three cloud service models.

5.8 What is the cloud computing reference architecture?

5.9 Describe some of the main cloud-specific security threats.


Note: Complete your answers in a Word document.

Unformatted Attachment Preview

Network Security Essentials: Applications and Standards, Sixth Edition
Chapter 5: Network Access Control and Cloud Security
Copyright © 2017 Pearson Education, Inc. All Rights Reserved

Network Access Control (NAC)
• An umbrella term for managing access to a network
• Authenticates users logging into the network and determines what data they can access and actions they can perform
• Also examines the health of the user’s computer or mobile device

NAC Systems Deal with Three Categories of Components
Access requester (AR)
• Node that is attempting to access the network and may be any device that is managed by the NAC system, including workstations, servers, printers, cameras, and other IP-enabled devices
• Also referred to as supplicants, or clients
Policy server
• Determines what access should be granted
• Often relies on backend systems
Network access server (NAS)
• Functions as an access control point for users in remote locations connecting to an enterprise’s internal network
• May include its own authentication services or rely on a separate authentication service from the policy server

Figure 5-1: Network Access Control Context

Network Access Enforcement Methods
• The actions that are applied to ARs to regulate access to the enterprise network
– Many vendors support multiple enforcement methods simultaneously, allowing the customer to tailor the configuration by using one or a combination of methods

Common NAC Enforcement Methods
• IEEE 802.1X
• Virtual local area networks (VLANs)
• Firewall
• DHCP management

Figure 5-2: EAP Layered Context

Authentication Methods
• EAP provides a generic transport service for the exchange of authentication information between a client system and an authentication server
• The basic EAP transport service is extended by using a specific authentication protocol that is installed in both the EAP client and the authentication server

Commonly Supported EAP Methods
• EAP Transport Layer Security
• EAP Tunneled TLS
• EAP Generalized Pre-Shared Key
• EAP-IKEv2

Figure 5-3: EAP Protocol Exchanges
Figure 5-4: EAP Message Flow in Pass-Through Mode

Table 5.1: Terminology Related to IEEE 802.1X
Authenticator: An entity at one end of a point-to-point LAN segment that facilitates authentication of the entity at the other end of the link.
Authentication Exchange: The two-party conversation between systems performing an authentication process.
Authentication Process: The cryptographic operations and supporting data frames that perform the actual authentication.
Authentication Server (AS): An entity that provides an authentication service to an authenticator. This service determines, from the credentials provided by the supplicant, whether the supplicant is authorized to access the services provided by the system in which the authenticator resides.
Authentication Transport: The datagram session that actively transfers the authentication exchange between two systems.
Bridge Port: A port of an IEEE 802.1D or 802.1Q bridge.
Edge Port: A bridge port attached to a LAN that has no other bridges attached to it.
Network Access Port: A point of attachment of a system to a LAN. It can be a physical port, such as a single LAN MAC attached to a physical LAN segment, or a logical port, for example, an IEEE 802.11 association between a station and an access point.
Port Access Entity (PAE): The protocol entity associated with a port. It can support the protocol functionality associated with the authenticator, the supplicant, or both.
Supplicant: An entity at one end of a point-to-point LAN segment that seeks to be authenticated by an authenticator attached to the other end of that link.

Figure 5-5: 802.1X Access Control

Table 5.2: Common EAPOL Frame Types
EAPOL-EAP: Contains an encapsulated EAP packet.
EAPOL-Start: A supplicant can issue this packet instead of waiting for a challenge from the authenticator.
EAPOL-Logoff: Used to return the state of the port to unauthorized when the supplicant is finished using the network.
EAPOL-Key: Used to exchange cryptographic keying information.

Figure 5-6: Example Timing Diagram for IEEE 802.1X
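The EAPOL frame types of Table 5.2 and the port states of Figure 5-5, worked through in an added example that is not from the textbook: it decodes the EAPOL header and the EAP packet it encapsulates (layouts per IEEE 802.1X and RFC 3748; the Ethernet header with ethertype 0x888E is assumed already stripped) and tracks an authenticator's controlled-port state over a constructed exchange. The method type numbers are the IANA EAP registry values for the methods the slides name.

```python
"""EAPOL/EAP decoder plus a minimal controlled-port state tracker.
Added example, not from the textbook; layouts per IEEE 802.1X and RFC 3748.
Input is the EAPOL PDU: the Ethernet header is assumed already stripped."""
import struct

EAPOL_TYPES = {0: "EAPOL-EAP", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP method type numbers (IANA EAP registry) for the methods named on the slides
EAP_METHODS = {1: "Identity", 4: "MD5-Challenge", 13: "EAP-TLS",
               21: "EAP-TTLS", 49: "EAP-IKEv2", 51: "EAP-GPSK"}


def parse_eap(pkt: bytes) -> dict:
    """Parse Code, Identifier, Length, and (for Request/Response) Type + data."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP length field inconsistent with packet")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2):            # Request/Response carry a method Type byte
        if length < 5:
            raise ValueError("Request/Response without Type byte")
        out["method"] = EAP_METHODS.get(pkt[4], f"type {pkt[4]}")
        out["data"] = pkt[5:length]
    return out


def parse_eapol(frame: bytes) -> dict:
    """Parse the 4-byte EAPOL header; reject bodies that overrun the frame."""
    if len(frame) < 4:
        raise ValueError("short EAPOL header")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("EAPOL body length exceeds frame")
    info = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})")}
    if ptype == 0:
        info["eap"] = parse_eap(body)
    return info


class PortState:
    """Authenticator's view of one controlled port (Figure 5-5)."""
    def __init__(self) -> None:
        self.state = "unauthorized"

    def observe(self, frame: bytes) -> str:
        info = parse_eapol(frame)
        if info["type"] == "EAPOL-Start":
            self.state = "authenticating"
        elif info["type"] == "EAPOL-Logoff":
            self.state = "unauthorized"          # port closes again
        elif info["type"] == "EAPOL-EAP":
            if info["eap"]["code"] == "Success":
                self.state = "authorized"        # controlled port opens
            elif info["eap"]["code"] == "Failure":
                self.state = "unauthorized"
        return self.state


def eapol(ptype: int, body: bytes = b"") -> bytes:
    """Build an EAPOL frame (protocol version 2) for the constructed sample."""
    return struct.pack("!BBH", 2, ptype, len(body)) + body


def eap(code: int, ident: int, method=None, data: bytes = b"") -> bytes:
    body = b"" if method is None else bytes([method]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


# Constructed exchange: Start, Identity request/response, EAP-TLS start, Success, Logoff
SAMPLE = [eapol(1), eapol(0, eap(1, 1, 1)), eapol(0, eap(2, 1, 1, b"alice")),
          eapol(0, eap(1, 2, 13)), eapol(0, eap(3, 2)), eapol(2)]


def run_sample() -> list:
    port = PortState()
    return [port.observe(f) for f in SAMPLE]
```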
Cloud Computing
NIST defines cloud computing, in NIST SP 800-145 (The NIST Definition of Cloud Computing), as follows: “A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”

Figure 5-7: Cloud Computing Elements
Figure 5-8: Cloud Computing Contexts

Cloud Computing Reference Architecture
NIST SP 500-292 (NIST Cloud Computing Reference Architecture) establishes a reference architecture, described as follows: “The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.”

Figure 5-9: NIST Cloud Computing Reference Architecture

Cloud Provider
• Cloud provider (CP)
– Can provide one or more of the cloud services to meet IT and business requirements of cloud consumers
– For each of the three service models (SaaS, PaaS, IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers
▪ For SaaS, the CP deploys, configures, maintains, and updates the operation of the software applications on a cloud infrastructure so that the services are provisioned at the expected service levels to cloud consumers
▪ For PaaS, the CP manages the computing infrastructure for the platform and runs the cloud software that provides the components of the platform, such as runtime software execution stack, databases, and other middleware components
▪ For IaaS, the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure

Roles and Responsibilities
Cloud carrier
• A networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs
Cloud auditor
• An independent entity that can assure that the CP conforms to a set of standards
Cloud broker
• Useful when cloud services are too complex for a cloud consumer to easily manage
• Three areas of support can be offered by a cloud broker:
– Service intermediation
▪ Value-added services such as identity management, performance reporting, and enhanced security
– Service aggregation
▪ The broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost
– Service arbitrage
▪ A broker has the flexibility to choose services from multiple agencies

Cloud Security Risks and Countermeasures
• The Cloud Security Alliance [CSA10] lists the following as the top cloud-specific security threats, together with suggested countermeasures:
Abuse and nefarious use of cloud computing
• Countermeasures: Stricter initial registration and validation processes; enhanced credit card fraud monitoring and coordination; comprehensive introspection of customer network traffic; monitoring public blacklists for one’s own network blocks
Malicious insiders
• Countermeasures: Enforce strict supply chain management and conduct a comprehensive supplier assessment; specify human resource requirements as part of legal contract; require transparency into overall information security and management practices, as well as compliance reporting; determine security breach notification processes
Insecure interfaces and APIs
• Countermeasures: Analyzing the security model of CP interfaces; ensuring that strong authentication and access controls are implemented in concert with encrypted transmission; understanding the dependency chain associated with the API
Shared technology issues
• Countermeasures: Implement security best practices for installation/configuration; monitor environment for unauthorized changes/activity; promote strong authentication and access control for administrative access and operations; enforce SLAs for patching and vulnerability remediation; conduct vulnerability scanning and configuration audits
Data loss or leakage
• Countermeasures: Implement strong API access control; encrypt and protect integrity of data in transit; analyze data protection at both design and run time; implement strong key generation, storage and management, and destruction practices
Account or service hijacking
• Countermeasures: Prohibit the sharing of account credentials between users and services; leverage strong two-factor authentication techniques where possible; employ proactive monitoring to detect unauthorized activity; understand CP security policies and SLAs
Unknown risk profile
• Countermeasures: Disclosure of applicable logs and data; partial/full disclosure of infrastructure details; monitoring and alerting on necessary information

Table 5.3: NIST Guidelines on Security and Privacy Issues and Recommendations
Governance: Extend organizational practices pertaining to the policies, procedures, and standards used for application development and service provisioning in the cloud, as well as the design, implementation, testing, use, and monitoring of deployed or engaged services. Put in place audit mechanisms and tools to ensure organizational practices are followed throughout the system lifecycle.
Compliance: Understand the various types of laws and regulations that impose security and privacy obligations on the organization and potentially impact cloud computing initiatives, particularly those involving data location, privacy and security controls, records management, and electronic discovery requirements. Review and assess the cloud provider's offerings with respect to the organizational requirements to be met and ensure that the contract terms adequately meet the requirements. Ensure that the cloud provider's electronic discovery capabilities and processes do not compromise the privacy or security of data and applications.
Trust: Ensure that service arrangements have sufficient means to allow visibility into the security and privacy controls and processes employed by the cloud provider, and their performance over time. Establish clear, exclusive ownership rights over data. Institute a risk management program that is flexible enough to adapt to the constantly evolving and shifting risk landscape for the lifecycle of the system. Continuously monitor the security state of the information system to support ongoing risk management decisions.
Architecture: Understand the underlying technologies that the cloud provider uses to provision services, including the implications that the technical controls involved have on the security and privacy of the system, over the full system lifecycle and across all system components.
Identity and Access Management: Ensure that adequate safeguards are in place to secure authentication, authorization, and other identity and access management functions, and are suitable for the organization.
Software Isolation: Understand virtualization and other logical isolation techniques that the cloud provider employs in its multitenant software architecture, and assess the risks involved for the organization.
Data Protection: Evaluate the suitability of the cloud provider's data management solutions for the organizational data concerned and the ability to control access to data, to secure data while at rest, in transit, and in use, and to sanitize data. Take into consideration the risk of collating organizational data with those of other organizations whose threat profiles are high or whose data collectively represent significant concentrated value. Fully understand and weigh the risks involved in cryptographic key management with the facilities available in the cloud environment and the processes established by the cloud provider.
Availability: Understand the contract provisions and procedures for availability, data backup and recovery, and disaster recovery, and ensure that they meet the organization's continuity and contingency planning requirements. Ensure that during an intermediate or prolonged disruption or a serious disaster, critical operations can be immediately resumed, and that all operations can be eventually reinstituted in a timely and organized manner.
Incident Response: Understand the contract provisions and procedures for incident response and ensure that they meet the requirements of the organization. Ensure that the cloud provider has a transparent response process in place and sufficient mechanisms to share information during and after an incident. Ensure that the organization can respond to incidents in a coordinated fashion with the cloud provider in accordance with their respective roles and responsibilities for the computing environment.

Data Protection in the Cloud
• The threat of data compromise increases in the cloud
• Database environments used in cloud computing can vary significantly
Multi-instance model
• Provides a unique DBMS running on a virtual machine instance for each cloud subscriber
• This gives the subscriber complete control over role definition, user authorization, and other administrative tasks related to security
Multi-tenant model
• Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
• Tagging gives the appearance of exclusive use of the instance, but relies on the CP to establish and maintain a sound secure database environment
Data Protection in the Cloud (continued)
• Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
• The client can employ encryption to protect data in transit, though this involves key management responsibilities for the CP
• For data at rest the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the CP having no access to the encryption key
• A straightforward solution to the security problem in this context is to encrypt the entire database and not provide the encryption/decryption keys to the service provider
– The user has little ability to access individual data items based on searches or indexing on key parameters
– The user would have to download entire tables from the database, decrypt the tables, and work with the results
– To provide more flexibility it must be possible to work with the database in its encrypted form

Figure 5-10: An Encryption Scheme for a Cloud-Based Database

Cloud Security as a Service (SecaaS)
• The Cloud Security Alliance defines SecaaS as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems
• The Cloud Security Alliance has identified the following SecaaS categories of service:
– Identity and access management
– Data loss prevention
– Web security
– E-mail security
– Security assessments
– Intrusion management
– Security information and event management
– Encryption
– Business continuity and disaster recovery
– Network security

Figure 5-11: Elements of Cloud Security as a Service

Table 5.4: Control Functions and Classes
Technical: Access Control; Audit and Accountability; Identification and Authentication; System and Communication Protection
Operational: Awareness and Training; Configuration Management; Contingency Planning; Incident Response; Maintenance; Media Protection; Physical and Environmental Protection; Personnel Security; System and Information Integrity
Management: Certification, Accreditation, and Security Assessment; Planning; Risk Assessment; System and Services Acquisition

Summary
• Network access control
– Elements of a network access control system
– Network access enforcement methods
• Extensible authentication protocol
– Authentication methods
– EAP exchanges
• IEEE 802.1X port-based network access control
• Cloud computing
– Elements
– Reference architecture
– Cloud security as a service
• Cloud security risks and countermeasures
• Data protection in the cloud
• Addressing cloud computing security concerns
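The two approaches contrasted under Data Protection in the Cloud (download and decrypt whole tables versus working with the database in encrypted form), as an added example that is not from the textbook and is not the scheme of Figure 5-10: each record is encrypted on the client with a key the provider never holds, and a keyed blind index lets the client fetch rows by an exact match without pulling the whole table. The record cipher is a stand-in built from HMAC-SHA256 so the block stays stdlib-only; a deployment would use an AEAD such as AES-GCM.

```python
"""Client-side encrypted table with HMAC blind indexes: the provider stores
only ciphertext and keyed index values. Added example, not the textbook's.
Cipher is a stand-in (HMAC-SHA256 keystream in counter mode, encrypt-then-MAC)
to stay stdlib-only; use an AEAD such as AES-GCM in a real deployment."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)                                    # fresh per record
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity over nonce+ct
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("record tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def blind_index(index_key: bytes, value: str) -> str:
    """Deterministic keyed hash: equal values collide, so the provider can match
    rows but learns nothing about the value without the index key."""
    return hmac.new(index_key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


class CloudTable:
    """What the provider holds: (blind index, ciphertext) pairs and no keys."""
    def __init__(self) -> None:
        self.rows = []

    def insert(self, idx: str, blob: bytes) -> None:
        self.rows.append((idx, blob))

    def fetch(self, idx: str) -> list:
        return [blob for i, blob in self.rows if i == idx]


class Client:
    """Keys never leave the client; the CP sees only what CloudTable stores."""
    def __init__(self) -> None:
        self.enc_key, self.idx_key = os.urandom(32), os.urandom(32)
        self.cloud = CloudTable()

    def store(self, record: dict) -> None:
        self.cloud.insert(blind_index(self.idx_key, record["email"]),
                          encrypt(self.enc_key, json.dumps(record).encode()))

    def find_by_email(self, email: str) -> list:
        hits = self.cloud.fetch(blind_index(self.idx_key, email))
        return [json.loads(decrypt(self.enc_key, b)) for b in hits]

    def full_download(self) -> list:
        """The slide's fallback: pull every row and decrypt locally."""
        return [json.loads(decrypt(self.enc_key, b)) for _, b in self.cloud.rows]


# Constructed sample records
SAMPLE = [{"email": "alice@example.com", "plan": "gold"},
          {"email": "bob@example.com", "plan": "basic"}]


def demo() -> dict:
    c = Client()
    for r in SAMPLE:
        c.store(r)
    return {"hits": c.find_by_email("Alice@Example.com"),
            "all": c.full_download(),
            "plaintext_on_provider": any(b"example.com" in blob for _, blob in c.cloud.rows)}
```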

Explanation & Answer

Attached.

Running Head: NETWORK ACCESS CONTROL

Network Access Control
Student’s Name
Instructor
Institution Affiliation
Date

5.1 Provide a brief definition of network access control.
Network Access Control (NAC) refers to a computer security strategy that focuses on the
unification of different endpoint security technologies, including vulnerability assessment and
the use of antivirus, system authentication methodologies, and network security enforcement.
The approaches support the visibility of the networks and the access management by enforcing
the policies on the users and different endpoints of the corporate networks.
5.2 What is EAP?
The Extensible Authentication Protocol (EAP) refers to a protocol that is used by wireless
networks to extend the authentication approaches that are implemented by the Point-to-Point
Protocol (PPP). Authentication methods supported by the Extensible Authentication Protocol
include one-time passwords and certificates (Valmikam & Koodli, 2015).
5.3 List and briefly define four EAP authentication methods.
EAP-MD5 – Uses the...

