COMP3123 Internet Security
Richard Henson, University of Worcester, October 2011


DESCRIPTION

COMP3123 Internet Security. Richard Henson, University of Worcester, October 2011. Week 4 Access Controls: Network Directories & the PKI. Objectives: Explain the components of a network directory service.

TRANSCRIPT

Page 1: COMP3123  Internet Security

COMP3123 Internet Security

Richard Henson

University of Worcester

October 2011

Page 2: COMP3123  Internet Security

Week 4 Access Controls: Network Directories & the PKI

Objectives:
- Explain the components of a network directory service
- Explain how the use of security policies can help prevent network internal security breaches
- Analyse Windows Active Directory and compare it with an X.500 standard service
- Prepare a Windows Active Directory tree with two contiguously named domain controllers

Page 3: COMP3123  Internet Security

"Network Directories"
- Directories not to be confused with "folders"...
- generally a data store that changes only infrequently...
  » e.g. a telephone directory
- to avoid confusion, computer-based directories are also called "repositories"
- Lots of different "network databases" have evolved on the web
  » not a good idea!
  » often contain approximately the same info...
- Problem: if one is updated, all should be
  » but unlikely in practice unless a managed solution is in place

Page 4: COMP3123  Internet Security

Meta-Directory
- Simple idea of putting all information about any one entity or object in one place...
  » information about those entities and objects can then be presented in a consistent way
  » simplifies collection and distribution of info on an Intranet covering the whole organisation
- Examples of directory-enabled applications:
  » enforce network policies! (across the network, and between networks)
  » digital signature verification
  » remote dial-in access authorization
  » signing in to a network

Page 5: COMP3123  Internet Security

Network Directories & the PKI
- Needs to avoid the multiple-directories problem...
- Solution: use the meta-directory approach
  » provide digital certificate information on the web as a "directory service"
  » use LDAP applications to directly access that info

Page 6: COMP3123  Internet Security

Distributed Directory
- Another way of keeping entity information consistent if it does need to appear in multiple locations
- an entry may appear in multiple directories
  » e.g. one for each email system (if more than one)
  » e.g. one for gaining access to the network by logging on
- Paper-based equivalent: a series of telephone directories, each covering a clearly defined area
  » collectively cover a wide geographical region
  » serve a variety of purposes
  » all part of the same system for communication
- Regular directory synchronisation is essential for maintaining consistency of information

Page 7: COMP3123  Internet Security

Development of Internet Directories and the IESG
- IESG (Internet Engineering Steering Group) provides technical management of IETF activities
  » as appropriate, translates RFC proposals into RFC standards
- Procedure:
  » draft RFC submitted
  » if accepted: IESG elevates it to RFC "draft" status
  » RFC then given consideration as a standard...
  » draft RFC eventually may become a true Internet standard
- Example of successful evolution: X.500 -> LDAP

Page 8: COMP3123  Internet Security

X500 Architecture
- Internet database based on the OSI model
- RFC 1006 allows OSI applications to run over an IP network
- Full X500 Architecture:
  » DMD (directory management domain)
  » DSA (directory system agent)
  » DUA (directory user agent)
  » DIB (directory information base, object oriented!) e.g. a directory service database
  » DIT (directory information tree) e.g. Windows 2000 Active Directory

Page 9: COMP3123  Internet Security

X500 Protocols
- DAP (Directory Access Protocol)
- DSP (Directory System Protocol)
- DISP (Directory Information Shadowing Protocol)
- DOP (Directory Operational Binding Management Protocol)
- Collectively, these protocols give X500 a wide range of functionality, but the structure is cumbersome...

Page 10: COMP3123  Internet Security

Simplifying X500 - LDAP
- Known as Lightweight Directory Access Protocol
- Thanks to University of Michigan researchers, early 1990s
  » gave up on the complexities of X.500
  » came up with a scheme that:
    retained the X.500 directory structure
    gave it a streamlined access protocol based on standard TCP/IP instead of ISO
- Other improvements:
  » pared-down referral mechanism
  » more flexible security model
  » no fixed replication protocol

Page 11: COMP3123  Internet Security

Microsoft and X500
- In 1996, Microsoft launched version 4 of its mailserver software, Exchange
- Designed also to provide the infrastructure to enable DAP clients to access Microsoft Exchange directory service information...
  » the client served as an X.500 DAP client to DAP-compliant directories
  » e.g. U.S. Government Defense Messaging System (DMS)
- Also designed to manage table entries efficiently using a new object-oriented database engine called ESE (Extensible Storage Engine)

Page 12: COMP3123  Internet Security

Microsoft and LDAP
- Microsoft wanted to use X500 in the directory service planned for the next version of NT
- Like Michigan Uni, found X500 cumbersome, and adapted LDAP
- Supporting the Open Directory Services Interface (ODSI), Microsoft helped build a PKI service provider (Verisign) that supports the LDAP protocol
  » allowed developers to build applications that register with, access, and manage multiple directory services with a single set of well-defined interfaces
- Microsoft Exchange Server 4 supported LDAP
- Internet Explorer supported LDAP from v4 onwards

Page 13: COMP3123  Internet Security

LDAP, ESE, and Active Directory
- Windows 2000 "Active Directory" service was a successful commercial roll-out of an X500-compliant directory service
  » used LDAP...
  » also used (uses) ESE to manage data tables, and DNS to integrate with www locations
- The next version of Microsoft Exchange also used the ESE/LDAP/DNS combination...

Page 14: COMP3123  Internet Security

Directory Services and "Active Directory"
- Active Directory has just one data store, known as the directory
- Stored as NTFS.DIT
  » where does ".dit" originate from?
- distributed across ALL domain controllers (DCs)
  » links to objects on/controlled by each DC
  » changes automatically replicated to all DCs
- Contains details of:
  » stored objects
  » shared resources
  » network user and computer accounts

Page 15: COMP3123  Internet Security

Directory Services and Domain Trees
- Active Directory logically links domains together
  » very useful for networks with more than one domain
  » each domain is identified in the directory by a DNS domain name
- Multiple domains with contiguous DNS domain names make up a domain tree
  » if domain names are non-contiguous, the structures form separate domain trees

Page 16: COMP3123  Internet Security

"Trust Relationships" between (legacy) NT Domains
- Account authentication between domains was first established in the Windows NT architecture
  » allowed users and computers to be authenticated between any domains
- Problem: Windows NT trust relationships were isolated and individual

Page 17: COMP3123  Internet Security

Active Directory Trust Relationships
- Automatically created between adjacent domains (parent and child domains) in the tree
  » users and computers can be authenticated between ANY domains in the domain tree
- So how does this all work securely in practice, across an entire enterprise?
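As an added example (not code from the lecture), the two preceding slides in working form: domains are grouped into domain trees by contiguous DNS names, and a request to authenticate from one domain to another is traced over the automatic parent-child trusts of its tree. The domain names are constructed, and domains in different trees are treated as unreachable, which is the tree-only view these slides take (in a full forest, tree-root trusts join the trees as well).

```python
"""Added example (not from the lecture): group directory domains into domain
trees by contiguous DNS names, then trace the chain of parent-child trusts
that lets a user in one domain authenticate to another domain in the same
tree. Domain names are constructed; different trees are treated as unreachable."""

def parent_of(domain, domains):
    """Nearest DNS ancestor of `domain` that is itself a domain in the
    directory, or None when `domain` is the root of its tree."""
    labels = domain.split(".")
    for i in range(1, len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def build_trees(domain_names):
    """Return {tree_root: {domain: parent}}. A domain whose name is not
    contiguous with any other domain becomes the root of its own tree."""
    domains = {d.lower().strip(".") for d in domain_names}
    parents = {d: parent_of(d, domains) for d in domains}

    def root_of(d):
        while parents[d] is not None:
            d = parents[d]
        return d

    trees = {}
    for d in sorted(domains):
        trees.setdefault(root_of(d), {})[d] = parents[d]
    return trees

def chain_to_root(domain, parents):
    """[domain, parent, grandparent, ..., tree root]"""
    chain = [domain]
    while parents[chain[-1]] is not None:
        chain.append(parents[chain[-1]])
    return chain

def trust_path(src, dst, domain_names):
    """Domains crossed when authenticating from `src` to `dst` over the tree's
    parent-child trusts: up from src to the closest common ancestor, then down
    to dst. Returns None if the two domains sit in different trees."""
    src, dst = src.lower(), dst.lower()
    for parents in build_trees(domain_names).values():
        if src in parents and dst in parents:
            up = chain_to_root(src, parents)
            down = chain_to_root(dst, parents)
            common = next(d for d in up if d in down)
            return up[: up.index(common) + 1] + list(reversed(down[: down.index(common)]))
    return None

if __name__ == "__main__":
    # Constructed directory: one tree rooted at worcester.example, and a
    # second tree because other.example is not contiguous with it.
    DOMAINS = ["worcester.example", "cs.worcester.example", "lab.cs.worcester.example",
               "admin.worcester.example", "other.example", "hr.other.example"]
    for root, members in build_trees(DOMAINS).items():
        print(root, "->", sorted(members))
    print(trust_path("lab.cs.worcester.example", "admin.worcester.example", DOMAINS))
    print(trust_path("lab.cs.worcester.example", "hr.other.example", DOMAINS))
```

The path for lab.cs.worcester.example to admin.worcester.example climbs two trusts to the tree root and descends one, which is exactly the "any domain to any domain in the tree" property the slide claims; the cross-tree request returns None because no parent-child trust links the two roots.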

Page 18: COMP3123  Internet Security

Access to Network Resources and Security Controls
- The set of security mechanisms used to define what a user can access after logging on to a secured environment
  » enforce "authorisation"
  » "identification" and "authentication" may also be associated with logging on
- Effect includes:
  » access to systems & resources
  » interactions users can perform

Page 19: COMP3123  Internet Security

Mechanism of Access Control in Windows
- User management level:
  » pre-defined Groups for Users to belong to
  » control of file and service access permissions
  » trusted relationships across domains
- Translated down to system level by...
  » System Policies and Group Policies
  » control of user and system desktop settings

Page 20: COMP3123  Internet Security

Control of End User and System Settings
- In Windows, ultimately, controls user access through the local Windows registry
- first made available to simplify configuration in Windows 95
  » effectively replaced CONFIG.SYS, AUTOEXEC.BAT, SYSTEM.INI and WIN.INI by a single structure
  » all settings saved into a hierarchical data file called SYSTEM.DAT
- Principles later extended to networks...

Page 21: COMP3123  Internet Security

The local registry and Windows networks
- Like Windows 95, Windows NT v4 allowed system and user settings to be configured locally by registry overwrite files
- However, it also made it possible for files within a network to overwrite the local registry as well...
  » facility available on any Windows client machine that used a Windows registry

Page 22: COMP3123  Internet Security

What is The Registry?
- Five basic subtrees:
  » HKEY_LOCAL_MACHINE: local computer info. Does not change no matter which user is logged on
  » HKEY_USERS: default user settings
  » HKEY_CURRENT_USER: current user settings
  » HKEY_CLASSES_ROOT: software config data
  » HKEY_CURRENT_CONFIG: "active" hardware profile
- Each subtree contains one or more subkeys

Page 23: COMP3123  Internet Security

Editing Registry Settings
- Generally... DON'T!!! Contents of the registry should not be changed in any way unless you really know what you are doing!!!
- Special tools available, e.g. REGEDT32, for those with experience:
  » used to edit local registry settings on Windows NT systems
- Bearing in mind, however, that registry settings can also be overwritten in memory by data downloaded across the network...

Page 24: COMP3123  Internet Security

System Policy File
- Consists of a collection of registry settings
- Can apply different system settings to a computer, depending on the user or group logging on
- Can overwrite:
  » local machine registry settings
  » current user registry settings
- Should therefore only be used by those who know what they are doing!!!

Page 25: COMP3123  Internet Security

System Policy File NTCONFIG.POL
- provides a list of desktop settings, and therefore can be used to control aspects of the appearance of the desktop
- held on Domain Controllers
- read during the logon procedure
- Different NTCONFIG.POL files can be applied to:
  » groups
  » users
  » computers

Page 26: COMP3123  Internet Security

What is a Security Policy?
- A set of rules and procedures that state the access rights and privileges of a particular user/group of users
- Should also:
  » confirm the identity of the people that are attempting to access the network
  » prevent imposters from accessing, stealing, or damaging system resources

Page 27: COMP3123  Internet Security

Implementation of Security Policy
- Intention:
  » create a computing environment that provides users with all of the information and resources they need to be successful
  » protect the information and resources on the network from damage and unauthorized access

Page 28: COMP3123  Internet Security

Group Policy in Windows 2000 (and subsequent) Networks
- Group Policy settings define access to local and network resources from the user's desktop environment:
  » e.g. Start menu options provide access to the programs/resources that the user needs to use
- Group Policy Objects used with authenticated users to enhance flexibility and scalability of security beyond "domains" and "NT trusted domains"
- trust achieved through:
  » Active Directory: establishment of "trees"
  » Kerberos authentication

Page 29: COMP3123  Internet Security

Implementation of Group Policy Objects
- Group Policy Objects are EXTREMELY POWERFUL...
  » contain all specified settings to give a group of users their desktop with agreed security levels applied
  » template editing tool available as a "snap-in" with Windows 2000
  » creates a specific desktop configuration for a particular group of users
- The GPO is in turn associated with selected Active Directory objects:
  » Sites
  » Domains
  » Organizational Units

Page 30: COMP3123  Internet Security

Combined Power of Group Policies and Active Directory
- Enables written user/group policies to be easily implemented in software
- Enables policies to be applied across whole domains:
  » and beyond, in trusted contiguous domains in the domain tree
  » or even across any non-contiguous domains in the same forest
- Because Active Directory is X500 compliant, all the principles of directory services apply
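As an added example (not code from the lecture), the previous two slides worked through: GPOs are linked to a Site, a Domain and the chain of Organizational Units that contain a user's account, and the example resolves which setting the user actually ends up with. It models the documented Windows behaviour that policy is applied in the order Local, Site, Domain, OU (parent OU before child OU) with a later GPO overriding an earlier one, that an Enforced link wins over lower levels, and that an OU with Block Inheritance ignores non-enforced GPOs above it. The level names, GPO names and settings are constructed.

```python
"""Added example (not from the lecture): resolve the effective Group Policy
settings for a user from GPOs linked at Site, Domain and OU level, applying
LSDOU order with Enforced and Block Inheritance. Names and settings are
constructed."""
from dataclasses import dataclass, field

@dataclass
class GPO:
    name: str
    settings: dict

@dataclass
class Level:
    name: str                                   # "Local", "Site", "Domain", or an OU
    links: list = field(default_factory=list)   # [(GPO, enforced: bool), ...]
    block_inheritance: bool = False

def resolve(levels):
    """`levels` must already be in LSDOU order (Local first, innermost OU last).
    Returns (effective_settings, winning_gpo_per_setting)."""
    # The innermost level that blocks inheritance cuts off non-enforced links above it.
    block_from = 0
    for i, lvl in enumerate(levels):
        if lvl.block_inheritance:
            block_from = i
    normal, enforced = [], []
    for i, lvl in enumerate(levels):
        for gpo, is_enforced in lvl.links:
            if is_enforced:
                enforced.append(gpo)
            elif i == 0 or i >= block_from:     # the local GPO is never blocked
                normal.append(gpo)
    effective, winner = {}, {}
    # Normal links: the later (closer to the user) GPO wins. Enforced links are
    # then applied innermost-first so the highest-level enforced GPO has the
    # last word and cannot be overridden below.
    for gpo in normal + list(reversed(enforced)):
        for key, value in gpo.settings.items():
            effective[key] = value
            winner[key] = gpo.name
    return effective, winner

def example_levels(block_child_ou=False):
    """Constructed policy layout for a user whose account is in OU Sales/Field."""
    return [
        Level("Local", [(GPO("Local Policy", {"ScreenSaverTimeout": 1200}), False)]),
        Level("Site:Worcester", [(GPO("Site Wallpaper",
                                      {"Wallpaper": "corp.bmp", "ScreenSaverTimeout": 900}), False)]),
        Level("Domain", [(GPO("Domain Baseline",
                              {"RemovableMedia": "deny", "MinPasswordLength": 12}), True)]),
        Level("OU:Sales", [(GPO("Sales Desktop",
                                {"ScreenSaverTimeout": 600, "RemovableMedia": "allow"}), False)]),
        Level("OU:Sales/Field", [(GPO("Field Laptops", {"ScreenSaverTimeout": 300}), False)],
              block_inheritance=block_child_ou),
    ]

if __name__ == "__main__":
    for blocked in (False, True):
        eff, who = resolve(example_levels(blocked))
        print("Block Inheritance on OU Sales/Field:", blocked)
        for key in sorted(eff):
            print(f"  {key} = {eff[key]!r}  (from {who[key]})")
```

The point to notice is RemovableMedia: the Sales OU tries to re-allow it, but the domain-level GPO is enforced, so the domain's "deny" survives at every OU below it. That is the mechanism by which a written organisation-wide rule becomes a setting no OU administrator can quietly relax.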

Page 31: COMP3123  Internet Security

Authentication Factors
- Classified as type 1, type 2, or type 3:
- Type 1: Knowledge based (what the user knows)
  » information provided based on unique knowledge of the individual being authenticated
- Type 2: Token based (what the user has/does)
  » information comes from a token generated by a particular system
  » token is tied in some way to the user logging on
  » generally not considered a good idea on its own because someone else could have stolen/copied it
- Type 3: Characteristic based (what the user is)
  » biometric data from the person logging in

Page 32: COMP3123  Internet Security

One-time Passwords (OTP)
- Can only be used once...
- If the user gets it wrong, it becomes invalid...
  » locked out
  » has to contact administrator to reset
- Implemented as a type 2 factor
  » password characters randomly generated
- If used properly...
  » very secure indeed
  » problem: degree of randomness...
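As an added example (not code from the lecture), a one-time password verifier with exactly the behaviour the slide lists: a code is accepted once and never again, a wrong or replayed code locks the account until an administrator resets it, and the per-user secret comes from the operating system's CSPRNG, since a predictable generator is the "degree of randomness" problem the slide warns about. The codes are generated with HOTP (RFC 4226: HMAC-SHA1 over an 8-byte counter, dynamic truncation, six digits), so the values can be checked against the RFC's published test vectors; the account in the demonstration is constructed.

```python
"""Added example (not from the lecture): a type 2 (something you have) factor
implemented as HOTP one-time passwords, with single use, lock-on-failure and
administrator reset as the slide describes."""
import hashlib, hmac, secrets

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for `counter`, as a zero-padded decimal string."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def new_secret(nbytes: int = 20) -> bytes:
    """Per-user secret shared with the token, drawn from the OS CSPRNG.
    RFC 4226 recommends at least 128 bits; 160 bits here."""
    return secrets.token_bytes(nbytes)

class OtpAccount:
    """Server-side state for one user's token: the shared secret, the next
    counter the server will accept, and the lockout flag."""
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0
        self.locked = False

    def verify(self, code: str) -> bool:
        if self.locked:
            return False
        expected = hotp(self.secret, self.counter)
        if hmac.compare_digest(expected, code):              # constant-time compare
            self.counter += 1                                # consumed: never valid again
            return True
        self.locked = True                                   # wrong or replayed code
        return False

    def admin_reset(self) -> None:
        """Administrator clears the lockout. The counter is left where it was,
        so codes that were already used (or already burned) stay dead."""
        self.locked = False

if __name__ == "__main__":
    # RFC 4226 test secret (ASCII "12345678901234567890"); its first codes are
    # the published vectors 755224, 287082, 359152, ...
    acct = OtpAccount(b"12345678901234567890")
    first = hotp(acct.secret, 0)
    print("token shows", first, "-> accepted:", acct.verify(first))
    print("replay of the same code -> accepted:", acct.verify(first), "| locked:", acct.locked)
    acct.admin_reset()
    nxt = hotp(acct.secret, 1)
    print("after reset, next code", nxt, "-> accepted:", acct.verify(nxt))
    print("a freshly issued secret has", len(new_secret()) * 8, "bits")
```

Locking on the very first wrong code is the slide's policy and is stricter than most deployments, which allow a small number of attempts; the `verify` method is where that threshold would be relaxed. The replay case shows why the counter, not the code, is the real state: once advanced, the old code can never match again.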

Page 33: COMP3123  Internet Security

Single Sign On (SSO)
- Log on once...
  » authenticated for all servers in that environment
- More a convenience matter than a security issue
  » only one set of authentication factors needed
  » single username/authentication-factor database covering all servers
- SOME very secure environments have dropped SSO in favour of a separate logon for each server
  » arguable whether this is necessary, but it avoids the "all eggs in one basket" argument

Page 34: COMP3123  Internet Security

Password Administration
- Three aspects:
- Selection
  » should be a company IS policy that includes choice of password
  » generally the number of characters is a good match with strength: the higher the better
- Management
  » selection & expiration period must comply with policy
- Control
  » policy should be enforced by the network itself
  » usually achieved through use of "group policies"

Page 35: COMP3123  Internet Security

Access Control Techniques
- Discretionary (DAC)
  » access to files/resources controlled by administrator
  » achieved through ACLs (Access Control Lists)
  » consist of ACEs (Access Control Entries)
  » the granting of access can be audited
- Mandatory (MAC)
  » access dependent on rules/classifications
  » classification dependent on security clearance levels
  » hierarchical or compartmentalised, or hybrids
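As an added example (not code from the lecture), both techniques on this slide applied to constructed users and a constructed file. For DAC, an ACL is a list of ACEs, each allowing or denying a set of permission bits to a user or group; the check is evaluated with deny entries taking precedence, and every decision, granted or refused, is appended to an audit trail. For MAC, a label of (classification level, compartments) is compared with a clearance: hierarchical on the level, compartmentalised on the set, which together form the hybrid the slide mentions. The permission names follow the NTFS-style list on the later "Users, Groups, Security, and NTFS partitions" slide.

```python
"""Added example (not from the lecture): DAC via an ACL of ACEs with an audit
trail, and MAC via clearance-versus-label comparison. Principals, groups,
file name and labels are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Flag, auto

class Perm(Flag):
    READ = auto()
    EXECUTE = auto()
    WRITE = auto()
    DELETE = auto()
    CHANGE_PERMISSIONS = auto()

# Named permission sets in the style of the NTFS list on the later slide
READ_ONLY = Perm.READ
READ_EXECUTE = Perm.READ | Perm.EXECUTE
MODIFY = READ_EXECUTE | Perm.WRITE | Perm.DELETE
FULL_CONTROL = MODIFY | Perm.CHANGE_PERMISSIONS

@dataclass(frozen=True)
class ACE:
    principal: str      # user or group name
    allow: bool         # False = explicit deny entry
    perms: Perm

def check_access(acl, user, groups, requested, audit):
    """DAC decision for `user` (a member of `groups`) asking for `requested`.
    Granted only if no matching deny ACE touches any requested bit and the
    matching allow ACEs together cover every requested bit. One audit record
    is written per decision, so grants and refusals can both be reviewed."""
    principals = {user, *groups}
    allowed, denied = Perm(0), Perm(0)
    for ace in acl:
        if ace.principal in principals:
            if ace.allow:
                allowed |= ace.perms
            else:
                denied |= ace.perms
    granted = not (requested & denied) and (requested & allowed) == requested
    audit.append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "user": user,
        "requested": str(requested),
        "result": "GRANTED" if granted else "DENIED",
    })
    return granted

# MAC: classification levels in increasing order; compartments are free-form names
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]

def mac_read_allowed(clearance, label):
    """clearance and label are (level, compartments). Reading is allowed when
    the clearance level dominates the label level (hierarchical) AND the
    clearance holds every compartment on the label (compartmentalised)."""
    c_level, c_comps = clearance
    l_level, l_comps = label
    return LEVELS.index(c_level) >= LEVELS.index(l_level) and set(l_comps) <= set(c_comps)

if __name__ == "__main__":
    # Constructed ACL for a finance spreadsheet: staff may read, finance may
    # modify, contractors are explicitly denied write and delete.
    budget_acl = [
        ACE("Staff", True, READ_EXECUTE),
        ACE("Finance", True, MODIFY),
        ACE("Contractors", False, Perm.WRITE | Perm.DELETE),
    ]
    audit = []
    print("alice write:", check_access(budget_acl, "alice", {"Staff", "Finance"}, Perm.WRITE, audit))
    print("bob write:", check_access(budget_acl, "bob", {"Staff", "Finance", "Contractors"}, Perm.WRITE, audit))
    print("bob read:", check_access(budget_acl, "bob", {"Staff", "Finance", "Contractors"}, Perm.READ, audit))
    print("carol write:", check_access(budget_acl, "carol", {"Staff"}, Perm.WRITE, audit))
    for rec in audit:
        print(rec)
    print("SECRET/HR reads CONFIDENTIAL/HR:", mac_read_allowed(("SECRET", {"HR"}), ("CONFIDENTIAL", {"HR"})))
    print("SECRET/HR reads SECRET/HR+FIN:", mac_read_allowed(("SECRET", {"HR"}), ("SECRET", {"HR", "FIN"})))
```

Bob is in Finance, which would allow MODIFY, yet his write is refused: membership of Contractors brings an explicit deny, and a deny on any requested bit beats every allow. The audit list captures that refusal with the same detail as the grants, which is what makes the DAC decision reviewable after the fact.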

Page 36: COMP3123  Internet Security

Remote Logon and Kerberos Authentication
- KDC can maintain a secure database of authorised users, passwords & domain names
  » maintained throughout an Active Directory domain tree using the Kerberos V5 security protocol
  » uses strong encryption
  » freely available from its inventor, MIT
- Active Directory + Kerberos = very powerful combination
  » can even be used to authenticate across mobile & wireless networks
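As an added example (not code from the lecture), a model of the Kerberos V5 exchange that a domain controller performs in its KDC role: the KDC holds every principal's long-term key, a user proves knowledge of their password by being the only party able to read the AS reply, the TGT plus a fresh authenticator buys a ticket for a specific service, and the service verifies that ticket with its own key without ever contacting the KDC. The `seal`/`unseal` pair is a toy authenticated cipher built from HMAC-SHA256, standing in for the real Kerberos encryption types, and the realm, principal names, passwords and lifetimes are constructed.

```python
"""Added example (not from the lecture): simplified Kerberos V5 AS, TGS and
AP exchanges with a KDC holding the principal database. seal/unseal is a toy
encrypt-then-MAC construction, not a Kerberos enctype; names are constructed."""
import hashlib, hmac, json, secrets, time

def string_to_key(password, realm, principal):
    # Long-term key from the password. Kerberos AES enctypes (RFC 3962) use PBKDF2
    # with salt realm+principal; the iteration count here is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000, 32)

def _keystream_xor(key, nonce, data):
    out = bytearray()
    for block in range((len(data) + 31) // 32):
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, out))

def seal(key, obj):
    """Toy authenticated encryption of a JSON-able object: nonce || ct || HMAC."""
    nonce = secrets.token_bytes(16)
    ct = _keystream_xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_keystream_xor(key, nonce, ct))

class KDC:
    """Domain controller role: the secure database of principals and their keys."""
    LIFETIME = 8 * 3600      # ticket lifetime in seconds (constructed value)
    SKEW = 300               # clock skew tolerated on authenticators (Kerberos default)

    def __init__(self, realm, passwords):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm, p) for p, pw in passwords.items()}
        self.tgs_key = secrets.token_bytes(32)   # the krbtgt key; never leaves the KDC

    def as_exchange(self, client):
        """AS-REQ -> AS-REP: TGT under the krbtgt key, plus the session key under
        the client's long-term key, so only the real client can read it."""
        session = secrets.token_bytes(32).hex()
        tgt = seal(self.tgs_key, {"client": client, "key": session, "expires": time.time() + self.LIFETIME})
        return {"tgt": tgt, "enc_part": seal(self.keys[client], {"key": session})}

    def _check(self, ticket, authenticator):
        a = unseal(bytes.fromhex(ticket["key"]), authenticator)
        if a["client"] != ticket["client"] or abs(time.time() - a["ts"]) > self.SKEW \
                or time.time() > ticket["expires"]:
            raise PermissionError("ticket/authenticator rejected")

    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ -> TGS-REP: validate the TGT and issue a ticket for `service`."""
        t = unseal(self.tgs_key, tgt)
        self._check(t, authenticator)
        svc_session = secrets.token_bytes(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_session, "expires": t["expires"]})
        return {"ticket": ticket, "enc_part": seal(bytes.fromhex(t["key"]), {"key": svc_session})}

def authenticator(session_key_hex, client):
    """Freshness proof: client name and timestamp under the shared session key."""
    return seal(bytes.fromhex(session_key_hex), {"client": client, "ts": time.time()})

def logon(kdc, client, password):
    """Client side of AS. A wrong password derives a key that cannot unseal enc_part."""
    rep = kdc.as_exchange(client)
    session = unseal(string_to_key(password, kdc.realm, client), rep["enc_part"])["key"]
    return {"client": client, "tgt": rep["tgt"], "key": session}

def get_service_ticket(kdc, creds, service):
    rep = kdc.tgs_exchange(creds["tgt"], authenticator(creds["key"], creds["client"]), service)
    svc_session = unseal(bytes.fromhex(creds["key"]), rep["enc_part"])["key"]
    return {"client": creds["client"], "ticket": rep["ticket"], "key": svc_session}

def service_verify(service_key, ticket, auth_blob, skew=KDC.SKEW):
    """AP-REQ at the server: open the ticket with the service's own key, then the
    authenticator with the session key found inside. Returns the proven client."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), auth_blob)
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > skew or time.time() > t["expires"]:
        raise PermissionError("AP-REQ rejected")
    return t["client"]

if __name__ == "__main__":
    kdc = KDC("WORC.EXAMPLE", {"alice": "correct horse battery", "host/fileserver": "svc-long-random"})
    creds = logon(kdc, "alice", "correct horse battery")
    st = get_service_ticket(kdc, creds, "host/fileserver")
    fileserver_key = string_to_key("svc-long-random", "WORC.EXAMPLE", "host/fileserver")
    print("file server accepted:", service_verify(fileserver_key, st["ticket"], authenticator(st["key"], "alice")))
```

Two properties worth seeing in the code: the user's password never crosses the network (only the ability to decrypt the AS reply does), and the file server needs nothing from the KDC at access time beyond the long-term key it already shares with it, which is what lets a single domain logon be honoured by every server in the tree.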

Page 37: COMP3123  Internet Security

Components of "Enterprise-wide" Login with Kerberos authentication
- Active Directory tree logically connects and "trusts" servers throughout the enterprise
- Servers in their turn control access to users within domains
- Group(s) selected during the user authentication process
- Group Policy Objects invoked, which rewrite registry settings and control client desktops

Page 38: COMP3123  Internet Security

How much security should be applied to domain users?
- General rule: don't give a user more rights than they actually need
- Think carefully...
  » identify security privileges appropriate to different types of user
  » create a group based on each type of user
- Allocate each new user to an appropriate group
  » they will automatically have the appropriate access rights...

Page 39: COMP3123  Internet Security

Users, Groups, Security, and NTFS partitions
- Any file or folder on an NTFS partition will have file permissions imposed
- Typical permissions:
  » No Access
  » Read only
  » Read and Execute
  » Write
  » Modify
  » Ownership/Full Control
- A much wider range of permissions is available

Page 40: COMP3123  Internet Security

Point for debate: is "read only" access dangerous?
- If information is held on a server, and accessed by dumb terminals...
  » secure enough!
  » this was the case in the days of centralised networks with no distributed processing
- With client-server networking, read only means "the user can take a copy"
  » is this dangerous, from an organisational security point of view?

Page 41: COMP3123  Internet Security

What if the network goes wrong? Accountability
- The broad security concept of being able to hold a human to account for their actions, using...
  » a strong authentication environment so one user cannot masquerade as another
  » strict imposition of "least privilege"
  » regular monitoring of the network environment
  » rigorous inspection of audit logs

Page 42: COMP3123  Internet Security

What if the network goes wrong? Auditing
- Essential component of security monitoring
- A network can generate lots of data on a wide variety of network functions and the results they return
  » this is readily customisable to focus on, for example, the behaviour of particular users or resources
  » data normally saved as timestamped .log files
  » audit files help to ensure accountability for user behaviour
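As an added example (not code from the lecture), a small pass over timestamped audit log lines of the kind the last two slides describe, asking one of the questions an auditor checking accountability would ask first: which accounts show a burst of failed logons, and what did each user do, and when? The log format and every line in the sample are constructed for illustration; a real Windows security log carries the same information in event records rather than this flat form.

```python
"""Added example (not from the lecture): parse constructed timestamped audit
lines, report failed-logon bursts per user, and summarise each user's activity."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: four rapid failures for bob before a success,
# two widely spaced failures for carol, and normal activity for alice.
SAMPLE_LOG = r"""
2011-10-12T08:01:05 LOGON_SUCCESS user=alice src=10.1.4.22
2011-10-12T08:02:17 LOGON_FAILURE user=bob src=10.1.4.37
2011-10-12T08:02:31 LOGON_FAILURE user=bob src=10.1.4.37
2011-10-12T08:02:44 LOGON_FAILURE user=bob src=10.1.4.37
2011-10-12T08:03:02 LOGON_FAILURE user=bob src=10.1.4.37
2011-10-12T08:03:20 LOGON_SUCCESS user=bob src=10.1.4.37
2011-10-12T08:15:00 LOGON_FAILURE user=carol src=10.1.7.9
2011-10-12T09:40:00 LOGON_FAILURE user=carol src=10.1.7.9
2011-10-12T09:41:10 FILE_READ user=alice path=\\fs01\finance\budget.xlsx
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>[A-Z_]+) (?P<fields>.*)$")

def parse_line(line):
    """One record per line: ISO timestamp, event name, then key=value fields."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return {"ts": datetime.fromisoformat(m.group("ts")), "event": m.group("event"), **fields}

def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

def failed_logon_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` LOGON_FAILURE events inside any
    `window`, mapped to the largest such count (sliding window per user)."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "LOGON_FAILURE":
            by_user[e["user"]].append(e["ts"])
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                bursts[user] = max(bursts.get(user, 0), count)
    return bursts

def activity_summary(events):
    """Per user: first and last timestamp seen, and a count of each event type."""
    summary = {}
    for e in events:
        s = summary.setdefault(e["user"], {"first": e["ts"], "last": e["ts"], "counts": defaultdict(int)})
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
        s["counts"][e["event"]] += 1
    return summary

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("failed-logon bursts:", failed_logon_bursts(events))
    for user, s in sorted(activity_summary(events).items()):
        print(f"{user}: {s['first']:%H:%M:%S} .. {s['last']:%H:%M:%S} {dict(s['counts'])}")
```

Bob's four failures inside a minute, followed by a success, are the pattern worth a second look (a forgotten password or someone guessing it, and the audit trail cannot tell which without the accompanying source address and timing); carol's two failures an hour and a half apart fall outside the window and are not reported at the default threshold. Both the threshold and the window are the "readily customisable" knobs the slide mentions.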