Chapter 8 Access

manner by which user gets to the info; method of communications
type of access dependent on security requirements of info.
in theory, access should be unrestricted, relying on authorizations to grant access only to those who should have it; but securing/limiting access is often easier than controlling authorization & authentication: "belt & suspenders" solution
different access methods require different levels of identification, authentication, authorization, accountability

Global access to anyone, anywhere, anytime

Access methods/modes: different security needs

Evolution of computing:
batch: one job. physical access to card reader, printer
timesharing: mainframe terminals or dial-up
departmental: minicomputer. adds system-to-system access through point-to-point connection
distributed: PCs on LAN share info
global: Internet access
pervasive: wireless

Physical access should be most restricted because it allows compromise. Locks, logging, clean desk, dumpster diving (searching trash)
Direct access: directly connected links; terminals, console
Network access: LAN owned & operated by organization. Protocols with no security, e.g. cleartext. Broadcast protocols.
Remote access: over public or external comm. beyond your control. Security perimeter: points at which info travels in or out of your control.
Social access: talk

Access points as security checkpoints: access should be limited where there is change in level of security required, change in security admin, change in level of threat.
Security domain: common control, similar threats & level of security. Independently managed from other security domains. Uniform security policies. Interact with other security domains at access points.
Domain of trust: part of a security domain that uses one authentication.
VPN (virtual private network): secure connection between domains of trust. Cryptographic tunnel over public network. Can connect perimeter devices (e.g. firewalls) of one domain to another or connect end-nodes (client to server). Authenticated users create a connection from wherever they are to the secure VPN server.
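
Added example (not from the original notes): a Python example applying the access-point rule and the security-domain definition above. Linked segments with the same security level, admin and threat level are merged into one domain; any link where one of the three changes is flagged as needing an access point. Segment names and attribute values are constructed for illustration.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Segment:
    name: str
    level: str   # level of security required
    admin: str   # who administers security
    threat: str  # level of threat

# Constructed sample network (names and values are illustrative assumptions).
SEGMENTS = [
    Segment("hr-lan", "high", "corp-it", "low"),
    Segment("finance-lan", "high", "corp-it", "low"),
    Segment("lab-lan", "low", "research", "low"),
    Segment("dmz", "medium", "corp-it", "high"),
    Segment("internet", "none", "external", "high"),
]
LINKS = [("hr-lan", "finance-lan"), ("finance-lan", "lab-lan"),
         ("finance-lan", "dmz"), ("dmz", "internet")]

def boundary_reasons(a, b):
    """Return which of the three conditions change between two segments."""
    checks = [("security level", a.level, b.level),
              ("security admin", a.admin, b.admin),
              ("threat level", a.threat, b.threat)]
    return [label for label, x, y in checks if x != y]

def plan(segments, links):
    """Group segments into security domains; list links needing an access point."""
    by_name = {s.name: s for s in segments}
    parent = {s.name: s.name for s in segments}  # union-find forest
    def find(n):
        while parent[n] != n:
            n = parent[n]
        return n
    checkpoints = {}
    for u, v in links:
        reasons = boundary_reasons(by_name[u], by_name[v])
        if reasons:
            checkpoints[(u, v)] = reasons   # boundary: limit access here
        else:
            parent[find(u)] = find(v)       # nothing changes: same domain
    domains = {}
    for s in segments:
        domains.setdefault(find(s.name), set()).add(s.name)
    return sorted(sorted(d) for d in domains.values()), checkpoints

if __name__ == "__main__":
    for item in plan(SEGMENTS, LINKS):
        print(item)
```
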

Access server: controls access across an access point.
network security: limits flow of info over a part of the network, or limits connectivity to specific hosts.
switch: send packet only to destination
filter: isolates sections
router: packet sent based on source & destination & type of packet
firewall: restrict traffic to authorized comm from authenticated users
proxies: isolate connections by becoming both the endpoint for the inside and outside connection

host-based security: access controlled by host itself. Admin-intensive.
connection type: modems, console
connection origin
trust other hosts

Traditional assumption that insiders are friendly and outsiders are not is no longer true.