Author Topic: about access control  (Read 576 times)

santhoshidatasoft

  • Brown belt
  • ******
  • Posts: 668
  • Karma: +0/-0
about access control
« on: March 08, 2014, 09:36:21 AM »
   
What are the two main types of access control lists (ACLs)?

nidhinpereira

  • Green Belt
  • *****
  • Posts: 261
  • Karma: +0/-0
Re: about access control
« Reply #1 on: March 08, 2014, 10:54:34 AM »
An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.

A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied. For more information, see How DACLs Control Access to an Object. For information about how to properly create a DACL, see Creating a DACL.

A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both. For more information about SACLs, see Audit Generation and SACL Access Right.

Do not try to work directly with the contents of an ACL. To ensure that ACLs are semantically correct, use the appropriate functions to create and manipulate ACLs. For more information, see Getting Information from an ACL and Creating or Modifying an ACL.

ACLs also provide access control to Microsoft Active Directory directory service objects. Active Directory Service Interfaces (ADSI) include routines to create and modify the contents of these ACLs. For more information, see Controlling Access to Active Directory Objects.

afsalabdulla

  • Green Belt
  • *****
  • Posts: 218
  • Karma: +0/-0
Re: about access control
« Reply #2 on: March 08, 2014, 12:29:58 PM »
Hello,

When a subject requests an operation on an object in an ACL-based security model, the operating system first checks the ACL for an applicable entry to decide whether the requested operation is authorized. A key issue in the definition of any ACL-based security model is determining how access control lists are edited, namely which users and processes are granted ACL-modification access.

Filesystem ACLs
In the 1990s the ACL and RBAC models were extensively tested and used to administrate file permissions. A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access control entries (ACEs) in the Microsoft Windows NT,[2] OpenVMS, Unix-like, and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
Most of the Unix and Unix-like operating systems (e.g. Linux,[3] BSD, or Solaris) support POSIX.1e ACLs, based on an early POSIX draft that was abandoned. Many of them, for example AIX, FreeBSD,[4] Mac OS X beginning with version 10.4 ("Tiger"), or Solaris with ZFS filesystem,[5] support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for Ext3 filesystem[6] and recent Richacls,[7] which brings NFSv4 ACLs support for Ext4 filesystem.

Networking ACLs
On some types of proprietary computer hardware (in particular routers and switches), an Access Control List refers to rules that are applied to port numbers or IP Addresses that are available on a host or other layer 3, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure Access Control Lists based on network domain names, this is generally a questionable idea because individual TCP, UDP, and ICMP packets do not contain domain names. Consequently, the device enforcing the Access Control List must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker who is seeking to compromise security of the system which the Access Control List is protecting. Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like Firewalls, ACLs are subject to security regulations and standards such as PCI DSS.

Thanks
afsal

santhoshidatasoft

  • Brown belt
  • ******
  • Posts: 668
  • Karma: +0/-0
Re: about access control
« Reply #3 on: March 26, 2014, 12:52:15 AM »
ACLs are a network filter utilized by routers and some switches to permit and restrict data flows into and out of network interfaces. When an ACL is configured on an interface, the network device analyzes data passing through the interface, compares it to the criteria described in the ACL, and either permits the data to flow or prohibits it.

There are a variety of reasons we use ACLs. The primary reason is to provide a basic level of security for the network. ACLs are not as complex and in depth of protection as stateful firewalls, but they do provide protection on higher speed interfaces where line rate speed is important and firewalls may be restrictive. ACLs are also used to restrict updates for routing from network peers and can be instrumental in defining flow control for network traffic.

As I mentioned before, ACLs for routers are not as complex or robust as stateful firewalls, but they do offer a significant amount of firewall capability. As an IT network or security professional, placement of your defenses is critical to protecting the network, its assets and data. ACLs should be placed on external routers to filter traffic against less desirable networks and known vulnerable protocols.

One of the most common methods in this case is to setup a DMZ, or de-militarized buffer zone in your network. This architecture is normally implemented with two separate network devices.

Regardless of what routing platform you utilize, all have a similar profile for defining an access control list. More advanced lists have more distinct control, but the general guidelines are as follows:

Access control list name (depending on the router it could be numeric or combination of letters and numbers)
A sequence number or term name for each entry
A statement of permission or denial for that entry
A network protocol and associated function or ports
Examples include IP, IPX, ICMP, TCP, UDP, NETBIOS and many others
Destination and Source targets
These are typically addresses and can be defined as a single discrete address, a range or subnet, or all addresses
Additional flags or identifiers
These additional statements request additional functions when a match is found for the statement. These flags vary for each protocol but a common flag added to statements is the log feature that records any match to the statement into the router log


nidhinpereira

  • Green Belt
  • *****
  • Posts: 261
  • Karma: +0/-0
Re: about access control
« Reply #4 on: March 26, 2014, 09:36:33 AM »
An access control list (ACL), with respect to a computer file system, is a list of permissions attached to an object. An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects.[1] Each entry in a typical ACL specifies a subject and an operation. For instance, if a file has an ACL that contains (Alice, delete), this would give Alice permission to delete the file.

There are several types of access control lists and most are defined for a distinct purpose or protocol. On Cisco routers, there are two main types: standard and extended. These two types are the most widely used ACLs and the ones I will focus on in this and future articles, but there are some advanced ACLs as well. Some of the advanced ACLs include reflexive ACLs and dynamic ACLs and they are defined as follows. Reflexive ACLs, also known as IP Session ACLs, are triggered from an outbound ACL for traffic initiated from the internal network. The router will identify this new traffic flow and create an entry in a separate ACL for the inbound path. Once the session ends, the entry in the reflexive ACL is removed.

Dynamic ACLs or lock-and-key ACLs are created to allow user access to a specific source/destination host through a user authentication process. Cisco implementations utilize IOS Firewall capabilities and do not hinder existing security restrictions.

shajahan

  • Green Belt
  • *****
  • Posts: 341
  • Karma: +0/-0
Re: about access control
« Reply #5 on: April 28, 2014, 07:28:19 AM »
Filesystem ACLs
In the 1990s the ACL and RBAC models were extensively tested and used to administrate file permissions. A filesystem ACL is a data structure (usually a table) containing entries that specify individual user or group rights to specific system objects such as programs, processes, or files. These entries are known as access control entries (ACEs) in the Microsoft Windows NT,[2] OpenVMS, Unix-like, and Mac OS X operating systems. Each accessible object contains an identifier to its ACL. The privileges or permissions determine specific access rights, such as whether a user can read from, write to, or execute an object. In some implementations, an ACE can control whether or not a user, or group of users, may alter the ACL on an object.
Most of the Unix and Unix-like operating systems (e.g. Linux,[3] BSD, or Solaris) support POSIX.1e ACLs, based on an early POSIX draft that was abandoned. Many of them, for example AIX, FreeBSD,[4] Mac OS X beginning with version 10.4 ("Tiger"), or Solaris with ZFS filesystem,[5] support NFSv4 ACLs, which are part of the NFSv4 standard. There are two experimental implementations of NFSv4 ACLs for Linux: NFSv4 ACLs support for Ext3 filesystem[6] and recent Richacls,[7] which brings NFSv4 ACLs support for Ext4 filesystem.

Networking ACLs
On some types of proprietary computer hardware (in particular routers and switches), an Access Control List refers to rules that are applied to port numbers or IP Addresses that are available on a host or other layer 3, each with a list of hosts and/or networks permitted to use the service. Although it is additionally possible to configure Access Control Lists based on network domain names, this is generally a questionable idea because individual TCP, UDP, and ICMP packets do not contain domain names. Consequently, the device enforcing the Access Control List must separately resolve names to numeric addresses. This presents an additional attack surface for an attacker who is seeking to compromise security of the system which the Access Control List is protecting. Both individual servers as well as routers can have network ACLs. Access control lists can generally be configured to control both inbound and outbound traffic, and in this context they are similar to firewalls. Like Firewalls, ACLs are subject to security regulations and standards such as PCI DSS.

santhoshidatasoft

  • Brown belt
  • ******
  • Posts: 668
  • Karma: +0/-0
Re: about access control
« Reply #6 on: December 17, 2016, 08:35:33 AM »
An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.

A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object's DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object's DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied. For more information, see How DACLs Control Access to an Object. For information about how to properly create a DACL, see Creating a DACL.