Securing the 7 Domains of an IT Infrastructure: a Multilayered Approach

Where are access controls needed most? It is impossible to secure every asset in your organization individually. Consider and weigh the value of assets and their relative risk levels against the cost and inconvenience of each access control. In many cases a simple username and password prompt will sufficiently protect assets in question. For more critical assets, two or more layers of access control provide additional protection. The most common multilayered access control systems will use a token or challenge-response device in addition to a username and password. Using a network diagram will help determine where to place access controls on a network.

Employing a multilayered approach to access controls is an effective way to work around budget and staff limitations when mitigating risk within an organization. Instead of taking each asset individually and trying to secure it, you should layer your security efforts. Layering ensures that behind each layer of security lies another, which covers any gaps that may exist. In an ideal system of access controls, these layers of security should cover all seven domains of a typical IT infrastructure. Each domain plays a part in a multilayered access control system. A multilayered approach ensures that if one layer fails, your attacker will land face first into another line of defense. This type of access control system, called defense in depth, is designed to eliminate any single point of failure; instead it handles failure in stride, only to present another layer of defense. We can use the apt analogy of a castle, which employs many layers of defense: a moat, a drawbridge, a curtain wall (outer wall), a gatehouse. There is never just one point of failure that could bring the whole system down!

The User Domain

This one is quite simple. The primary layer in the user domain is the training of personnel. All users should be trained to recognize common social engineering attacks, for example identifying and avoiding phishing e-mails, or being trained not to allow piggybacking. Piggybacking, like tailgating, is when a person tags along with another person who is authorized to gain entry into a restricted area. In an electronic sense, this is where a user fails to log off their terminal, allowing an unauthorized user to “piggyback” on the authorized user’s session. In a physical sense, this may be getting an authorized person to hold the door open (bypassing an RFID scanner or checkpoint), or pretending to be a member of a crowd that is entering largely unchecked. In addition to this, users should be trained to create strong passwords and to change them regularly.

The Workstation Domain

There are three important elements to securing the workstation domain: virus scanning, OS patching, and host firewalls. Virus scanning will help mitigate viruses coming in from downloaded files, e-mails, or even infected USB drives. The idea here is that if we can stop the virus at the entry point (the initial user’s workstation), then we can prevent it from infecting the rest of the workstations on the network. Regularly patching operating systems will harden them against known vulnerabilities and exploitable bugs, making it more difficult for an intruder who has got past the outer layers of security to attack the workstation. A host firewall on each workstation limits which network services the machine exposes to its neighbours, so that a single compromised workstation cannot freely reach the others.

The LAN Domain

On the local area network, security layers involve the deployment of IDS/IPS as well as server-level virus scanning. Because servers are vulnerable to viruses and exploits just like users’ workstations, it is imperative to have a virus scanner running on every server. An intrusion detection system (IDS) analyzes traffic patterns over the network or systems and compares them to known patterns of malicious behavior. Any malicious behavior is then reported to a systems admin or is collected using an event management system to allow for later review. An intrusion prevention system (IPS) is a bit more sophisticated in that it analyzes traffic patterns and reacts in real time to its analysis, blocking suspicious traffic and malicious activity. Many modern systems combine the functions of an IDS/IPS into one system, simplifying the process for an administrator to configure flexible responses based upon their threat environment.

The LAN-to-WAN Domain

In this domain, the firewall is the primary security layer. Firewalls prevent unauthorized traffic from moving from one side of the firewall to the other (for example, from the LAN to the WAN) while allowing authorized traffic to pass freely. Here are some of the common types of firewalls I’d like to touch on:

  • A packet filter firewall scans each packet that passes through the firewall and either rejects or allows it to pass, using custom rulesets to determine which course of action to take.
  • A stateful inspection firewall performs the same tasks as a packet filtering firewall but it also understands the connection state. That is to say, it will allow traffic from a previously established connection instead of constantly requiring repeated comparisons against firewall rulesets.
  • An application gateway monitors traffic going to and from a specific application. This runs on a firewall system between two networks. These are used primarily for communications applications (e.g. FTP or SSL). In effect, the proxy established by an application gateway acts on behalf of the connecting client, hiding and protecting individual computers on the network behind the firewall. There are two connections created: one between client and proxy server and one between proxy server and destination.
  • A proxy server intercepts all messages entering and leaving a protected network. It effectively hides the location and details of the protected network from the rest of the world. Proxy servers are used to monitor and restrict web browsing in organizations. Certain websites or search terms can be blocked by using a proxy server, or it can be configured to allow only specified URIs.
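As an added illustration (not code from the original article), the following Python models the difference between a packet filter and a stateful inspection firewall described above: both use the same ruleset, but only the stateful one remembers connections it has allowed, so a server's reply to an outbound connection passes without a separate inbound rule, while an unsolicited inbound packet to the same port is still dropped. The addresses, rules and string-prefix address matching are constructed simplifications.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Packet:               # constructed, minimal view of a TCP/IP packet
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False       # TCP SYN: this packet opens a new connection
@dataclass
class Rule:
    action: str             # "allow" or "deny"
    src: str                # address prefix (simplification of a CIDR), or "any"
    dst: str
    dport: int = 0          # 0 matches any destination port
    def matches(self, p: Packet) -> bool:
        return ((self.src == "any" or p.src.startswith(self.src))
                and (self.dst == "any" or p.dst.startswith(self.dst))
                and (self.dport == 0 or p.dport == self.dport))
def packet_filter(rules: list, p: Packet) -> str:
    # Stateless packet filter: first matching rule decides, default deny.
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

class StatefulFirewall:
    # Same ruleset plus a connection table: replies to a known flow skip the rules.
    def __init__(self, rules: list):
        self.rules = rules
        self.flows = set()  # 4-tuples of connections this firewall has allowed

    def filter(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if flow in self.flows or reverse in self.flows:
            return "allow"                      # part of an established connection
        verdict = packet_filter(self.rules, p)
        if verdict == "allow" and p.syn:
            self.flows.add(flow)                # remember the new outbound connection
        return verdict

RULES = [Rule("allow", "10.0.0.", "any", 443),   # LAN hosts may reach HTTPS servers
         Rule("deny", "any", "any")]             # everything else is dropped
def demo() -> dict:
    out = Packet("10.0.0.7", 51000, "203.0.113.5", 443, syn=True)  # outbound SYN
    reply = Packet("203.0.113.5", 443, "10.0.0.7", 51000)          # server's answer
    stray = Packet("198.51.100.9", 443, "10.0.0.7", 51000)         # unsolicited inbound
    fw = StatefulFirewall(RULES)
    return {"stateless_reply": packet_filter(RULES, reply), "stateful_out": fw.filter(out),
            "stateful_reply": fw.filter(reply), "stateful_stray": fw.filter(stray)}
```

The stateless filter drops the legitimate reply because no rule allows inbound traffic; a packet filter would need a broad "allow inbound from port 443" rule, which is exactly the hole that connection tracking avoids.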

Remote Access Domain

In this domain, IP tunneling and VPNs are the primary layer of security. An IP tunnel is created by encapsulating packets within a new IP packet and then sending the encapsulated packets via a secured route across the Internet. A VPN uses IP tunneling the same way a LAN uses Ethernet cables: the tunnel is its transport medium, with the encapsulated packets encrypted so that they can safely cross untrusted networks.
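To make the encapsulation concrete, here is an added example (not from the original article) that builds an IP-in-IP tunnel packet by hand in Python following the RFC 2003 layout: a complete inner IPv4 packet becomes the payload of an outer IPv4 packet whose addresses are the two tunnel endpoints, and the far endpoint validates and strips the outer header. The addresses and payload are constructed; plain IP-in-IP carries the inner packet unencrypted, which is why a VPN adds encryption on top of this.

```python
import struct
import ipaddress

IPPROTO_IPIP = 4   # protocol number for "IP in IP" encapsulation (RFC 2003)

def checksum(data: bytes) -> int:
    # IPv4 header checksum: one's-complement sum of 16-bit words, complemented.
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    # Minimal 20-byte header (no options); the checksum field is filled in after packing.
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    # The whole inner packet (its own header included) becomes the outer packet's payload,
    # so routers between the endpoints only ever see the tunnel endpoints' addresses.
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_IPIP, len(inner)) + inner

def decapsulate(outer: bytes) -> bytes:
    # The receiving tunnel endpoint checks the outer header, strips it and forwards the inner packet.
    ihl = (outer[0] & 0x0F) * 4
    hdr = outer[:ihl]
    if outer[0] >> 4 != 4 or checksum(hdr) != 0:
        raise ValueError("bad outer IPv4 header")
    if hdr[9] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IP-in-IP")
    total_len = struct.unpack("!H", hdr[2:4])[0]
    return outer[ihl:total_len]

def addresses(packet: bytes) -> tuple:
    # (source, destination) of any IPv4 packet, used to inspect both layers.
    return (str(ipaddress.ip_address(packet[12:16])), str(ipaddress.ip_address(packet[16:20])))

def demo() -> tuple:
    # Constructed example: a TCP segment between two private LANs carried across the
    # Internet between two tunnel endpoints that have public addresses.
    payload = b"GET / HTTP/1.1\r\n"                         # stand-in for a TCP segment
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 6, len(payload)) + payload
    outer = encapsulate(inner, "203.0.113.1", "198.51.100.1")
    return outer, decapsulate(outer)
```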

[Figure: Packet encapsulation]

System/Application Domain

In this domain, the primary security activity is patching on a regular basis – most organizations and enterprise environments use patch management software that automatically checks for updates from multiple application vendors, taking a huge chunk of the burden off IT staff. Note: if a patch neither contains a security fix nor improves core functionality, it is probably not a good idea to install it. New patches introduce volatility into the environment, and depending on which industry your organization is part of, serious testing may be required before patches can be applied. Heavily regulated industries require any change in the environment to undergo thorough regression and user acceptance testing, to ensure that a patch to one application doesn’t negatively impact other applications running in the environment (for example, by changing shared DLLs or libraries). Unless a patch contains a critical security fix or updates critical functionality, be careful about installing it or committing to putting it through extensive testing!