What are the three common techniques for verifying a persons identity and access privileges?

Security Standards and Services

Naomi J. Alpern, Robert J. Shimonski, in Eleventh Hour Network+, 2010

Terminal Access Controller Access Control System/Terminal Access Controller Access Control System Plus

Terminal access controller access control system (TACACS) is used in authenticating remote users. TACACS has gone through three major “generations”:

TACACS: TACACS was first developed during the days of Advanced Research Projects Agency Network (ARPANET), and it offers authentication and authorization, but it does not offer any accounting tools.

Terminal Access Controller Access-Control System Plus (TACACS+): TACACS+ is a Cisco proprietary version of TACACS that is incompatible with previous versions. TACACS+ uses individual databases for each. TACACS+ was the first revision to offer secure communications between the TACACS+ client and the TACACS+ server. Vulnerabilities and attacks common with TACACS+ are as follows:

The encryption used in TACACS+ is based on a shared secret that is rarely changed, so a compromise at any point would ultimately expose future compromises.

Birthday attacks: The pool of TACACS+ session IDs is not very large; therefore, it is reasonable that two users could have the same session ID.

Buffer overflow: Like RADIUS, TACACS+ can fall victim to buffer-overflow attacks.

Packet sniffing: The length of passwords can be easily determined by “sniffing” a network.

Lack of integrity checking: An attacker can alter accounting records during transmission because the accounting data is not encrypted during transport.

EXAM WARNING

Make sure you understand the difference between TACACS and TACACS+. The most important thing to remember is that TACACS uses UDP as its transport protocol, whereas TACACS+ uses TCP. Also, TACACS+ is a proprietary version owned by Cisco.

URL: https://www.sciencedirect.com/science/article/pii/B9781597494281000084

Domain 5: Identity and Access Management (Controlling Access and Managing Identity)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

TACACS and TACACS+

The Terminal Access Controller Access Control System (TACACS) is a centralized access control system that requires users to send an ID and static (reusable) password for authentication. TACACS uses UDP port 49 (and may also use TCP). Reusable passwords are a vulnerability: the improved TACACS+ provides better password protection by allowing two-factor strong authentication.

It is important to note that TACACS+ is not backwards compatible with TACACS. TACACS+ uses TCP port 49 for authentication with the TACACS+ server. The actual function of authentication is very similar to RADIUS, but there are some key differences.

RADIUS only encrypts the password (leaving other data, such as username, unencrypted). TACACS+, on the other hand, encrypts all data below the TACACS+ header. This is an improvement over RADIUS and is more secure.

URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000060

Property Management

Lawrence J. Fennelly CPOI, CSSI, CHL-III, CSSP-1, Marianna A. Perry M.S., CPP, CSSP-1, in Physical Security: 150 Things You Should Know (Second Edition), 2017

18 The Security/Protection Officer and Technology Tools: Electronic Access

An EAC system is ideally used as a part of a fully integrated facility management system. In such a system, EAC is interfaced and integrated with fire safety/life safety systems, video surveillance systems (CCTV), communications systems, and nonsecurity systems such as HVAC.

In an integrated system, EAC systems allow users access to various areas, or restrict them to limited areas. They can track access and provide attendance records. As a safety feature and for emergency response situations, they can determine where persons are located in facilities. In general, EAC systems are very flexible, and strides in technology are making them even more so.

This section barely covers all that you need to know about EAC. The best way to learn about EAC is to actually work with EAC systems: take advantage of every opportunity to work with them, seek assignments where they are used, and ask questions of control room operators, your supervisors, and EAC vendors and service technicians. There are many excellent sources where you can read about EAC and related systems.

URL: https://www.sciencedirect.com/science/article/pii/B9780128094877000012

Foundational Security and Access Control Concepts

Thomas L. Norman CPP/PSP, in Electronic Access Control (Second Edition), 2017

Chapter Overview

Access control systems are electronic systems that facilitate automated approval for authorized personnel to enter through a security portal without the need for a security officer to review and validate the authorization of the person entering the portal, typically by using a credential to present to the system to verify their authorization. A security portal is a door or passageway that creates an entry point in a security boundary. Common security portals include standard doors (such as shown in Fig. 2.1 using an HID Global Corporation reader), vestibules, revolving doors, and vehicle entry barriers.

Figure 2.1. Access control portal.

Photo by HID Global Corporation.

Access control systems are an important part of an overall security program that is designed to deter and reduce both criminal behavior and violations of an organization’s security policies. But it is important to remember that it is only a part.

First, it is important to understand that access control is not an element of security; it is a concession that security programs make to daily operational necessities. Perfect security involves perfect access control. By that, I mean that in a perfect security environment, not one person can enter who is not absolutely known without question to be an ardent supporter of the security portion of the overall mission of the organization. In a real organization, this virtually never happens. Access control systems are an automated method to allow “presumed” friendlies to enter controlled, restricted, and secured areas of a facility with only minimal vetting at the access control portal. Indeed, access control portals are doorways through a security perimeter in which the entrants are “assumed” to be friendly, due to their status as an employee, contractor, or softly vetted visitor.

Understanding this, a new light is shed on the role of access control systems. They are a vulnerability that exists right in the heart of the security system. As such, one can now understand why one must understand Risk, Managing Risk, and Types of Countermeasures to understand how to properly utilize access control systems. One must also completely understand access control system principles so as not to create unseen vulnerabilities in the heart of the Security Program.

URL: https://www.sciencedirect.com/science/article/pii/B9780128054659000026

Central Alarm Stations and Dispatch Operations

Sean Smith, ... Rich Abrams, in The Professional Protection Officer, 2010

Access Control Systems

Access control systems are based on the premise that issuing keys to all employees who need them is generally not cost-effective. Another premise of an access control system is that it would be cost prohibitive to rekey the facility should a key be lost. Finally, an access control system can limit employee access; allowing them entry only to areas in which they are authorized, or granting entry during certain times of day.

An access control system uses a means of verification, known as a credential, to allow a person to enter an area. The credential can be something that is known, generally a personal identification number; something that is carried, such as a card or token; or something that the authorized person has, such as a fingerprint or iris (the colored part of the eye). The credential is entered, swiped, presented, or scanned, and, after some level of verification, access is granted or denied.

Access control systems come with various means of operation and scope from a single door to many thousands of doors or alarms around the world. At the small end of the access control spectrum is the single door keypad at which a person enters a code that is mechanically or electronically verified. Most access control systems use a card-based credential, which is swiped or presented to an electronic reader to gain access. These systems can be used across just a few doors to many thousands of doors and sensors connected via the company’s computer network. The most secure access control systems utilize a biometric authentication process. Biometrics entails using something that is part of the person for verification of identity, such as fingerprints, hand geometry, vein pattern recognition, voice print, and iris recognition. Biometrics can be used as the sole means of verification, but are frequently used in conjunction with a card reader.

Another main component of medium- to large-sized access control systems is the distributed processor, sometimes referred to as a field controller. This computer is installed between the main computer and the card reader at the door and communicates back to the main computer only when necessary, such as to request updated information about card holders or when there is an alarm. The distributed processor makes all of the decisions as to granting or denying access to a person who presents their card at the card reader, therefore taking the processing load off the main computer and allowing the entire system to operate faster. The distributed processor also allows the system to continue to operate if the connection back to the main computer is interrupted. Typically, distributed processors control between 2 and 16 doors and allow for the connection of various sensors, just like a regular alarm system. Distributed processors can communicate to the main computer via a communications protocol such as RS-232 or RS-485, although an increasing number of systems are now being connected to a company’s internal computer network (intranet). Newer systems are taking the network connection all the way down to the card reader at the door. Other systems use a Web-based interface for programming the system and can communicate down to the distributed processor via the network or through the wireless data network available from cell phone companies.

The main computer in an access control system can be a simple desktop computer for small systems up to redundant mirrored servers for very large systems, or any combination in between. In smaller systems, the computer is used for entering cardholder information and programming the system, whereas in larger systems there may be multiple computers dedicated to programming and photo badge creation or monitoring and controlling the various alarms and doors connected to the system. In the largest systems the desktops communicate to a server, which is a high-speed computer able to perform several thousand operations per second: essential for controlling the flow of data back and forth across a large access control system. In some cases, a secondary server is kept on standby to act as a reserve to the primary server should it fail or need periodic maintenance. When this secondary server is receiving the same updates at almost the same time as the primary server and can automatically take over the processing load, it is said to be redundant or mirrored.

Access control systems can be used to monitor alarms, such as door alarms, duress buttons, or environmental situations (high or low temperature, sump pump, water level). The control systems typically contain a graphical interface that allows the application to show building layout or to import floor plans from another application. Thus, all activity in the system is presented on a single screen. Automatic actions for certain events can be programmed into such a system, such as calling up a particular camera when a door goes into alarm.

URL: https://www.sciencedirect.com/science/article/pii/B9781856177467000080

Access Control System Servers and Workstations

Thomas L. Norman CPP/PSP, in Electronic Access Control (Second Edition), 2017

Access Control System Networking

Access control systems on TCP/IP Ethernet networks on a single system at a single site may involve four main logical elements:

The core network

The server network

The workstation network

The access control panel network

Additionally, more complex system integrations may involve:

Integrated security system interfaces

Multisite network interfaces

Integration to the business IT network

VLANs

The core network

The core network typically comprises one or more digital Ethernet switches for an alarm/access control system. Typically, the network may include:

A single digital Ethernet switch to connect the primary and back-up host servers and any workstations if there are no other TCP/IP devices such as access control panels

Multiple digital Ethernet switches as follows:

Core switch for the servers and workstations

Distribution switches connect multiple “Edge” switches to the “Core”

Edge switches for the access control panels

There may be one or two Core switches in a system, a larger number of Distribution Switches (perhaps one in each building on a campus), and many Edge switches (e.g., one Edge switch per floor of a building). The core network should include one or more good quality digital switches such as Cisco, HP, 3Com, and so forth (avoid the cheap computer store brands). The switch should be capable of supporting VLANs, VPNs, and both Unicast and Multicast protocols to the individual port. Redundant power supplies on the switch are a plus. Better switches are more reliable, less prone to the aging effects of the environment (temperature and humidity effects), and are more likely to work well when the access control system becomes part of a larger integrated security system including digital video cameras and digital intercoms.

I recommend that all digital switches in the same network are of the same brand (all Cisco, all 3Com, etc.). This facilitates better management of the switches and greater reliability of the network in real-world operations.

Typically Core and Distribution switches may be Layer 3 switches, while Edge switches may be Layer 2 or 3, depending on the needs of the system. (Layer 2 switches perform switch functions, while Layer 3 switches perform both switching and routing functions). Core, Distribution and Edge switches are also typically of differing capacities. Typically, Edge switches have the smallest capacity, Distribution Switches have the cumulative capacity of all connected Edge switches, and Core switches must have the cumulative capacity of all connected Distribution switches. Initial switch capacities should be at least 3–4 times the throughput of the initial device load. It’s not a bad idea to make the switch capacities 10 times the initial load, to ensure scalability over time as the technology matures.

The server network

The Servers are the core of the network. When you have a primary and back-up server, they should be connected together over an Ethernet network. These will network together through a “core switch.”

The workstation network

Although workstations can sometimes be connected to servers using serial communications (RS-232 or Universal Serial Bus, USB), TCP/IP Ethernet connections are recommended. These will connect to the servers through the core switch.

The access control panel network

Assuming that the system comprises only a single building, the access control panels can connect to the network through an edge switch located near the cluster master access control panel. Other panels can connect to the cluster master through TCP/IP Ethernet or RS-485 for most brands.

Ethernet has speed and connection distance limitations. Common Ethernet speeds include:

10Base-T—10 Mb/second (Mbps)

100Base-T—100 Mbps

1,000Base-T—1 Gb/second (Gbps)

10,000Base-T—10 Gbps

And higher

TCP/IP can connect via copper or fiber. Copper connections have a nominal distance limitation of 270 ft (100 m) for 10Base-T and 100Base-T systems. Copper connections include Category 5, (CAT-5), CAT-5E, and CAT-6 types. For 10Base-T and 100Base-T connections, CAT-5 and 5E connections are acceptable up to 100 m. CAT-6 connections serve 1 Gbps connections up to 100 m. CAT-6 cabling can also provide up to 1500 ft for 100Base-T connections.

Fiber connections include multi- and single-mode types. Multimode fiber is intended for relatively short runs or runs having lower speeds (1 Gbps or less). This is common for any runs over 100 m, such as between buildings. For 10 Gbps connections, always use single-mode fiber between buildings.

Alarm/access control systems typically push relatively little data compared to digital video systems (the exception is systems that also send video along with alarm information).

Access control networks for access control panels can typically be 100Base-T networks. Connections between edge switches (at the access control panels) and the core switch (at the Servers) can be over 100Base-T copper Ethernet up to 100 m. Distances over that should connect through multimode fiber using SFP connectors on the digital switch.

Integrated security system interfaces

When you connect an alarm/access control system to other security and building systems, it is often best to do so by Ethernet connections. The exception is for connections between systems using dry contact interfaces, such as alarm or door control interfaces between systems.

Whenever connecting multiple systems on the same network, it is best to do so by placing each system on its own VLAN.

VLANs

VLANs allow you to isolate communications between systems, buildings, and sites to better manage the quality of communications when multiple systems share the same physical network. VLANs are accommodated with programming on the Digital Switches and with a VLAN addressing scheme so that you can easily see which VLAN each system and device are located within.

A typical VLAN addressing scheme might be:

10.100.1.XX—Digital Switch Administrative VLAN

10.100.2.XX—Digital Video System VLAN

10.100.3.XX—Alarm/Access Control System VLAN

10.100.4.XX—Security Intercom VLAN

VLANs require the core switch to be a routing switch capable of Layer 3 functions. Distribution and edge switches must be capable of accepting VLAN programming. Additionally, VLANs can be programmed for each system for each building.

Multisite network interfaces

When the alarm/access control system expands across multiple sites, it will be necessary to configure VLANs for each system at each site, and the VLANs may need to be routed through an existing business IT network to avoid the usually unbearable cost of a dedicated wide-area security system network.

Integration to the business information technology network

In such cases, the Security System may need to comply with network and routing protocols and addressing schemes of the IT department. For this reason, it is advisable to coordinate beforehand with the IT department director to obtain VLAN protocols and an addressing scheme for the alarm/access control system network that will comply in the future with protocols and addressing schemes already in use by the IT department.

Although the security system may be on its own network now, as it grows to span multiple sites, it will often need to be routed through the IT Network. Making sure that you have VLAN protocols and addressing schemes that already comply with the IT department’s standards will ensure the least possible disruption if the two are merged together in the future and no harm is done if they are not merged.

Additionally, it is recommended to place the security system behind a hardware firewall to protect both the alarm/access control system and the business IT system from each other to ensure sustainability and reliability for both systems.

For the ultimate in protection, I recommend that the security system be routed through a VPN, which both completely isolates the security system data from the business IT network and encrypts it. VPNs are also a good solution for merging systems if the VLANs are not protocol/network address compatible.

URL: https://www.sciencedirect.com/science/article/pii/B978012805465900018X

What Is Federated Identity?

Derrick Rountree, in Federated Identity Primer, 2013

2.3.3 Role-Based Access Control

RBAC systems are based on a user’s roles and responsibilities. Users aren’t given access to systems, roles are assigned to users, and access is granted to roles. In an RBAC system, roles are centrally managed by the administrator. The administrator determines what roles exist within their company and then maps these roles to job functions and tasks. Roles can effectively be implemented using security groups. You start by creating a security group representing each role and you assign permissions and rights to these groups. Then you simply add the appropriate users to the appropriate security groups, depending on their role or job function.

Since access is defined based on roles and specific job functions, you have more knowledge of what access users really require to perform their job. This aids in being able to grant access based on the principle of least privilege. The principle of least privilege states that users should be given the minimum amount of rights needed for them to do their job. Role-based access models also lend themselves to easier delegation. Delegation allows you to give administrative rights to someone else. You don’t have to give them full administrative rights. You can specify certain rights for them, or certain objects for them to have administrative rights over.
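The role-to-group mapping, least-privilege review and scoped delegation described above, as an added example in Python (this is illustrative code written for this page, not code from the Federated Identity Primer). Role names, permission strings and the user names are constructed sample data; roles are modelled as security groups that carry permissions, users are added to groups, and a delegated administrator may only assign the roles delegated to them.

```python
# Constructed sample roles (security groups) and the permissions granted to each.
# Permissions are written as "resource:action" strings.
ROLE_PERMISSIONS = {
    "helpdesk": {"tickets:read", "tickets:write", "users:reset_password"},
    "hr_analyst": {"payroll:read"},
    "payroll_admin": {"payroll:read", "payroll:write"},
}


class Rbac:
    """Minimal RBAC: permissions attach to roles, users attach to roles."""

    def __init__(self, role_permissions):
        self.role_permissions = {r: set(p) for r, p in role_permissions.items()}
        self.user_roles = {}    # user -> set of roles (group membership)
        self.delegations = {}   # delegated admin -> set of roles they may assign

    def delegate(self, admin, roles):
        """Give `admin` the right to assign only these roles (scoped delegation)."""
        unknown = set(roles) - self.role_permissions.keys()
        if unknown:
            raise KeyError(f"unknown roles {sorted(unknown)}")
        self.delegations.setdefault(admin, set()).update(roles)

    def assign_role(self, actor, user, role, is_superadmin=False):
        """Add `user` to the group for `role`; `actor` must be allowed to do so."""
        if role not in self.role_permissions:
            raise KeyError(f"unknown role {role!r}")
        if not is_superadmin and role not in self.delegations.get(actor, set()):
            raise PermissionError(f"{actor} may not assign role {role!r}")
        self.user_roles.setdefault(user, set()).add(role)

    def permissions_of(self, user):
        """Effective permissions: the union over all of the user's roles."""
        roles = self.user_roles.get(user, set())
        return set().union(*(self.role_permissions[r] for r in roles))

    def is_allowed(self, user, permission):
        return permission in self.permissions_of(user)

    def excess_permissions(self, user, needed):
        """Least-privilege review: what the user holds beyond what the job needs."""
        return self.permissions_of(user) - set(needed)


def demo():
    rbac = Rbac(ROLE_PERMISSIONS)
    # A full administrator onboards alice as helpdesk staff.
    rbac.assign_role("root", "alice", "helpdesk", is_superadmin=True)
    # The helpdesk team lead is delegated only the helpdesk role.
    rbac.delegate("team_lead", {"helpdesk"})
    rbac.assign_role("team_lead", "bob", "helpdesk")
    try:
        rbac.assign_role("team_lead", "bob", "payroll_admin")
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "alice_can_write_tickets": rbac.is_allowed("alice", "tickets:write"),
        "alice_can_read_payroll": rbac.is_allowed("alice", "payroll:read"),
        "delegation_scope_enforced": blocked,
        "alice_excess_for_read_only_job": rbac.excess_permissions("alice", {"tickets:read"}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

`excess_permissions` is the check a reviewer runs after the up-front role discovery the chapter mentions: if a user's effective permissions exceed what their job function needs, the role is too broad and should be split.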

RBAC systems can be difficult to implement. This is in part due to the large amount of up-front work that must be done. A lot of effort is required to identify all the various roles within an organization. It’s a little easier in a newer organization. But in a large, already-established organization it can take quite some time to identify all the necessary roles and configure your systems to recognize and make use of these roles.

Most Internet-based service providers use some sort of RBAC system. This makes it easier for them to automate user creation and access activities. Service providers have to deal with thousands and thousands of users. They can’t spend much time figuring out what access each user needs so they just determine which role to place the user in and the user is automatically given the appropriate rights.

URL: https://www.sciencedirect.com/science/article/pii/B9780124071896000029

Preventing System Intrusions

Michael A. West, in Computer and Information Security Handbook (Third Edition), 2013

Access Control Systems

Access control systems (ACSs) rely on administrator-defined rules that allow or restrict user access to protected network resources. These access rules can, for example, require strong user authentication such as tokens or biometric devices to prove the identity of users requesting access. They can also restrict access to various network services based on time of day or group need.

Some ACS products allow for the creation of an access control list (ACL), which is a set of rules that define security policy. These ACLs contain one or more access control entries (ACEs), which are the actual rule definitions themselves. These rules can restrict access by specific user, time of day, IP address, function (department, management level, etc.), or specific system from which a logon or access attempt is being made.
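An ACL made of ACEs that match on user, group, source system and time of day, evaluated first-match with an implicit final deny, as an added Python example (written for this page; it is not the code of any ACS product the chapter names). The policy rules, IP ranges and user names are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from datetime import time
from typing import Optional


@dataclass(frozen=True)
class Ace:
    """One access control entry. Every field that is set must match for the
    entry to apply; an unset field (None) matches anything."""
    action: str                      # "allow" or "deny"
    user: Optional[str] = None       # specific user
    group: Optional[str] = None      # department / management level
    source: Optional[str] = None     # CIDR of the system the logon comes from
    start: Optional[time] = None     # permitted window, inclusive start ...
    end: Optional[time] = None       # ... exclusive end (no midnight wrap)

    def matches(self, user, groups, src_ip, now):
        if self.user is not None and self.user != user:
            return False
        if self.group is not None and self.group not in groups:
            return False
        if self.source is not None:
            if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.source):
                return False
        if self.start is not None and not (self.start <= now < self.end):
            return False
        return True


def evaluate(acl, user, groups, src_ip, now):
    """First matching ACE decides; nothing matching means deny."""
    for ace in acl:
        if ace.matches(user, groups, src_ip, now):
            return ace.action
    return "deny"


# Constructed sample policy. Order matters: the explicit deny for a specific
# user is listed first so that group membership cannot override it.
ACL = [
    Ace("deny", user="contractor-7"),
    Ace("allow", group="finance", source="10.20.0.0/16", start=time(7), end=time(19)),
    Ace("allow", group="it-admin", source="10.0.0.0/8"),
]


if __name__ == "__main__":
    print(evaluate(ACL, "alice", {"finance"}, "10.20.3.4", time(9)))    # allow
    print(evaluate(ACL, "alice", {"finance"}, "10.20.3.4", time(22)))   # deny
    print(evaluate(ACL, "carol", {"it-admin"}, "10.1.1.1", time(3)))    # allow
```

The implicit final deny is what turns the list into a policy: any request that no administrator-defined rule explicitly permits is refused, which is the safe default for a protected resource.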

A good example of an ACS is SafeWord by Aladdin Knowledge Systems. SafeWord is considered a two-factor authentication system in that it uses what the user knows (such as a personal identification number, or PIN) and what the user has (such as a one-time passcode, or OTP, token) to strongly authenticate users requesting network access. SafeWord allows administrators to design customized access rules and restrictions to network resources, applications, and information.

In this scheme, the tokens are a key component. The token's internal cryptographic key algorithm is made “known” to an authentication server when the token's file is imported into a central database.

When the token is assigned to a user, its serial number is linked to that user in the user's record. On making an access request, the authentication server prompts the user to enter a username and the OTP generated by the token. If a PIN was also assigned to that user, she must either prepend or append that PIN to the token-generated passcode. As long as the authentication server receives what it expects, the user is granted whatever access privileges she was assigned.
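The server-side flow just described (token file imported, serial linked to a user record, PIN prepended or appended to the token passcode) as an added Python example. This is illustrative code written for this page, not SafeWord's implementation; the chapter does not state which passcode algorithm the token uses, so the example assumes an HMAC-based event counter (HOTP, RFC 4226) as a stand-in, and the token secret, serial and user names are constructed sample values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP, assumed here as the token's passcode algorithm."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class AuthServer:
    LOOK_AHEAD = 5   # tolerate a few unused presses on the token

    def __init__(self):
        self.tokens = {}   # serial -> {"secret", "counter"} (from the imported token file)
        self.users = {}    # username -> {"serial", "pin"}

    def import_token(self, serial: str, secret: bytes):
        self.tokens[serial] = {"secret": secret, "counter": 0}

    def assign(self, username: str, serial: str, pin: str = None):
        """Link the token's serial number (and optional PIN) to the user record."""
        self.users[username] = {"serial": serial, "pin": pin}

    def authenticate(self, username: str, passcode: str) -> bool:
        user = self.users.get(username)
        if user is None:
            return False
        pin = user["pin"]
        if pin:
            # Second factor: the PIN may be prepended or appended to the OTP.
            if passcode.startswith(pin):
                otp = passcode[len(pin):]
            elif passcode.endswith(pin):
                otp = passcode[:-len(pin)]
            else:
                return False
        else:
            otp = passcode
        token = self.tokens[user["serial"]]
        start = token["counter"]
        for c in range(start, start + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(token["secret"], c), otp):
                # Advance past the accepted counter so the same passcode is never
                # accepted twice (replay protection).
                token["counter"] = c + 1
                return True
        return False


if __name__ == "__main__":
    srv = AuthServer()
    srv.import_token("SN-0001", b"12345678901234567890")   # constructed token file entry
    srv.assign("alice", "SN-0001", pin="1234")
    print(srv.authenticate("alice", "1234" + hotp(b"12345678901234567890", 0)))  # True
    print(srv.authenticate("alice", "1234" + hotp(b"12345678901234567890", 0)))  # False (replay)
```

The two details that make this "what the user knows plus what the user has" hold up in practice are the constant-time comparison of the passcode and the counter advance on success: without the latter, a sniffed or shoulder-surfed passcode would remain valid until the user pressed the token again.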

URL: https://www.sciencedirect.com/science/article/pii/B9780128038437000077

Which are the 3 ways of authenticating user identity?

5 Common Authentication Types:

Multi-factor authentication.
Certificate-based authentication.
Biometric authentication.

What are the three 3 main types of authentication techniques?

There are three basic types of authentication. The first is knowledge-based — something like a password or PIN code that only the identified user would know. The second is property-based, meaning the user possesses an access card, key, key fob or authorized device unique to them. The third is biologically based.

What are the 3 types of access control?

Three main types of access control systems are: Discretionary Access Control (DAC), Role Based Access Control (RBAC), and Mandatory Access Control (MAC). DAC is a type of access control system that assigns access rights based on rules specified by users.

What are the three principles of identity and access management?

IAM systems are designed to perform three key tasks: identify, authenticate, and authorize.