So let's talk a little about access control, specifically the
technical side of deciding which information is allowed to interact
with other information or with users. This could be anything from a
server fetching resources, to a cross-reference between database
tables, to an application needing some level of access in order to
work. It is not limited to the technology, though. People still have
to be taken into consideration, because their needs often go beyond
a simple login to their computer. Without being too specific about
any one operating system, there are mechanisms called access control
lists (ACLs) that define what can and cannot be accessed. These can
be found on almost any piece of equipment that has to deal with
multiple users or with access control at all.
What does this mean for you?
First of all, it means you need to check yourself. You put
security measures in place for a reason, right? Test them. Oh, you
just have a firewall and you think you're good? Let's take a look at
that, then. What are you trying to protect? What is the risk
analysis for what is on your network, or for the work done by employees
on your network? How are attackers or insider threats going to get into
your network? Do you have accounts without passwords? Are internal
servers reachable from the outside? Let's face it, you could ask
yourself what-if questions all day long. The big thing here is that
you take a real hard look at what is going on with your network. It's
easy to overlook something when you have been dealing with the same
network for the last year. There are little things in the back of your
mind that you are going to address someday, or that seem like not that
big of a deal, but when a third party comes in and takes a look at your
network they see each one as a hole for attack.
I worked for a company a while back that had to be in compliance
with the rules for processing credit card data. When we started this
new project it made me a bit nervous, as I was worried about a data
breach. I had to make sure I took an attacker's point of view in order
to cover as many bases as I could. This turned out to be a continual
process as well. I am a huge fan of the Nagios monitoring software, and
that is what I use to make sure certain things are, or are not, working
on my network. Even though it has a wealth of plugins to monitor the
network, I have chosen to write custom scripts that also check for
things that should not be working.
For the risk analysis of my internal network I chose very specific
outside DNS servers in order to mitigate my DNS hijacking risk. In
order to enforce this I then applied firewall rules that denied any
DNS traffic unless its destination was one of those specific DNS
servers. To bring this full circle, I then told Nagios to check a few
DNS servers on the internet. If a query to one of the servers I said
were OK succeeded, the check returned OK, and if a query to an
unauthorized server failed, that was OK as well. The second half of
this is that if an unauthorized DNS server did respond, then I know
that a firewall rule got messed up, or that another rule higher in the
chain allowed the traffic through (top-down rule evaluation).
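The check described above, written out as a Nagios-style plugin. This is an added example and not the author's own script; the resolver addresses are hypothetical placeholders from the documentation ranges, and the exit codes follow the Nagios plugin convention (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN). It goes one step beyond the text by also raising CRITICAL when an approved resolver stops answering, since that means the allow rule itself is broken. The query function is injectable so the decision logic can be exercised without network access.

```python
"""Nagios-style DNS egress check (added example, not the original post's code).

Two lists of resolvers are probed with a real UDP DNS query:
  - ALLOWED: resolvers the firewall should let through; they must answer.
  - CANARIES: resolvers the firewall should block; they must NOT answer.
An answer from a canary means a firewall rule was removed or shadowed by a
rule higher in the chain (top-down evaluation), so the plugin goes CRITICAL.
"""
import random
import socket
import struct
import sys

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# Hypothetical addresses (RFC 5737 documentation ranges), not real resolvers.
ALLOWED = {"192.0.2.53", "198.51.100.53"}
CANARIES = {"203.0.113.1", "203.0.113.2"}


def build_query(name: str) -> bytes:
    """Build a minimal DNS A query (recursion desired) for `name`."""
    txid = random.randint(0, 0xFFFF)
    # id, flags (RD=1), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    # QTYPE=A (1), QCLASS=IN (1)
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)


def udp_dns_responds(server: str, name: str = "example.com",
                     timeout: float = 2.0) -> bool:
    """Return True if `server` answers our query on UDP/53 within `timeout`."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            # Blocked by the firewall, dropped, or host unreachable.
            return False
    # Only count a reply that echoes our transaction ID.
    return len(data) >= 12 and data[:2] == query[:2]


def check_dns_egress(allowed, canaries, responds=udp_dns_responds):
    """Evaluate the policy; return (nagios_exit_code, status_message)."""
    problems = []
    for server in sorted(allowed):
        if not responds(server):
            problems.append(f"approved resolver {server} not answering")
    for server in sorted(canaries):
        if responds(server):
            problems.append(
                f"unauthorized resolver {server} reachable (firewall rule broken)")
    if problems:
        return CRITICAL, "DNS CRITICAL - " + "; ".join(problems)
    return OK, (f"DNS OK - {len(allowed)} approved resolvers answering, "
                f"{len(canaries)} unauthorized resolvers blocked")


if __name__ == "__main__":
    code, message = check_dns_egress(ALLOWED, CANARIES)
    print(message)
    sys.exit(code)
```

Drop the script into the Nagios plugin directory and schedule it like any other check; because it fails closed in both directions, a change to the DNS allow rule or a new permissive rule above the deny shows up as a CRITICAL rather than as silent drift.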
Each organization has a different risk analysis, and here I
presented just a couple of things to help you with yours. I hope
that you are able to use some of this on your own network to help
protect your domain controllers, web servers, clients, printers, and
all the other things you have to perform a risk analysis against.
-- Joe McShinsky
Monday, August 1, 2011