Ch16 Crypto6e


Cryptography and Network Security, Sixth Edition, by William Stallings

Vietnam – Korea University


of Information and Communication Technology
Chapter 16: Network Access Control and Cloud Security
“No ticket! Dear me, Watson, this is really very singular. According to my experience it is not possible to reach the platform of a Metropolitan train without exhibiting one’s ticket.”

—The Adventure of the Bruce-Partington Plans, Sir Arthur Conan Doyle
Network Access Control (NAC)

• An umbrella term for managing access to a network
• Authenticates users logging into the network and determines what data they can access and actions they can perform
• Also examines the health of the user’s computer or mobile device
Elements of a Network Access Control System

NAC systems deal with three categories of components:

Access requester (AR)
• Node that is attempting to access the network and may be any device that is managed by the NAC system, including workstations, servers, printers, cameras, and other IP-enabled devices
• Also referred to as supplicants, or clients

Policy server
• Determines what access should be granted
• Often relies on backend systems

Network access server (NAS)
• Functions as an access control point for users in remote locations connecting to an enterprise’s internal network
• Also called a media gateway, remote access server (RAS), or policy server
• May include its own authentication services or rely on a separate authentication service from the policy server
Network Access Enforcement Methods

• The actions that are applied to ARs to regulate access to the enterprise network
– Many vendors support multiple enforcement methods simultaneously, allowing the customer to tailor the configuration by using one or a combination of methods

Common NAC enforcement methods:
• IEEE 802.1X
• Virtual local area networks (VLANs)
• Firewall
• DHCP management
Authentication Methods

• EAP provides a generic transport service for the exchange of authentication information between a client system and an authentication server
• The basic EAP transport service is extended by using a specific authentication protocol that is installed in both the EAP client and the authentication server

Commonly supported EAP methods:
• EAP Transport Layer Security
• EAP Tunneled TLS
• EAP Generalized Pre-Shared Key
• EAP-IKEv2
Table 16.1 Terminology Related to IEEE 802.1X
Table 16.2
Common EAPOL Frame Types
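The slides name the EAPOL frame types and the EAP methods but show neither on the wire. The following parser is an added example, not part of the lecture deck or of Stallings' text: it decodes the IEEE 802.1X EAPOL header (Version, Packet Type, Body Length) and, for EAP-Packet frames, the RFC 3748 EAP header (Code, Identifier, Length, Type), rejecting frames whose length fields disagree with the bytes actually received. The sample exchange (EAPOL-Start, Request/Identity, Response/Identity, an EAP-TLS start, EAP-Success) is constructed, not captured traffic; the identity string and the EAPOL version are assumptions.

```python
import struct
from typing import Optional

# IEEE 802.1X EAPOL header: Version (1 byte), Packet Type (1), Body Length (2, big-endian)
EAPOL_TYPES = {
    0: "EAP-Packet",
    1: "EAPOL-Start",
    2: "EAPOL-Logoff",
    3: "EAPOL-Key",
    4: "EAPOL-Encapsulated-ASF-Alert",
}
# EAP header (RFC 3748): Code (1), Identifier (1), Length (2); Request/Response add a Type byte
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 2: "Notification", 3: "Nak",
               13: "EAP-TLS", 21: "EAP-TTLS", 49: "EAP-IKEv2", 54: "EAP-GPSK"}


def parse_eap(pkt: bytes) -> dict:
    """Parse one EAP packet; raises ValueError when the Length field lies about the packet."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field disagrees with packet size")
    out = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident, "length": length}
    if code in (1, 2):                       # Request and Response carry a method Type byte
        if length < 5:
            raise ValueError("EAP Request/Response requires a Type byte")
        mtype = pkt[4]
        out["method"] = EAP_METHODS.get(mtype, f"unknown({mtype})")
        out["data"] = pkt[5:length]
    return out


def parse_eapol(frame: bytes) -> dict:
    """Parse an EAPOL PDU (the payload following the Ethernet header, EtherType 0x888E)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    version, ptype, length = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("EAPOL body truncated")
    out = {"version": version, "type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"), "length": length}
    if ptype == 0:                           # only EAP-Packet frames carry an EAP packet
        out["eap"] = parse_eap(body)
    return out


def build_eap_frame(code: int, ident: int, mtype: Optional[int] = None, data: bytes = b"") -> bytes:
    """Wrap an EAP packet in an EAPOL EAP-Packet (type 0) frame; EAPOL version 2 is assumed."""
    payload = b"" if mtype is None else bytes([mtype]) + data
    eap = struct.pack("!BBH", code, ident, 4 + len(payload)) + payload
    return struct.pack("!BBH", 2, 0, len(eap)) + eap


# Constructed sample exchange between a supplicant and an authenticator (not captured traffic)
SAMPLE_START = bytes([2, 1, 0, 0])                          # EAPOL-Start, empty body
SAMPLE_ID_REQUEST = build_eap_frame(1, 0, 1)                 # EAP-Request/Identity
SAMPLE_ID_RESPONSE = build_eap_frame(2, 0, 1, b"alice@example.com")  # hypothetical identity
SAMPLE_TLS_REQUEST = build_eap_frame(1, 1, 13, b"\x20")      # EAP-TLS with the Start (S) flag set
SAMPLE_SUCCESS = build_eap_frame(3, 1)                       # EAP-Success, no Type byte
SAMPLE_TRUNCATED = SAMPLE_ID_RESPONSE[:-3]                   # length field no longer matches the body

if __name__ == "__main__":
    for frame in (SAMPLE_START, SAMPLE_ID_REQUEST, SAMPLE_ID_RESPONSE, SAMPLE_TLS_REQUEST, SAMPLE_SUCCESS):
        print(parse_eapol(frame))
```

The length checks are the defensive point: an authenticator that trusts the Length field and reads past the received bytes is the classic parser defect, so the parser compares every declared length against what is actually present before indexing into the body.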

Cloud Computing
• NIST defines cloud computing, in NIST SP-800-145 (The NIST Definition of Cloud Computing), as follows:
“A model for enabling ubiquitous, convenient, on-demand network
access to a shared pool of configurable computing resources (e.g.,
networks, servers, storage, applications, and services) that can be
rapidly provisioned and released with minimal management effort or
service provider interaction. This cloud model promotes availability
and is composed of five essential characteristics, three service
models, and four deployment models.”

Cloud Computing Reference Architecture
• NIST SP 500-292 (NIST Cloud Computing Reference Architecture) establishes a reference architecture, described as follows:

“The NIST cloud computing reference architecture focuses on the requirements of “what” cloud services provide, not a “how to” design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.”
Cloud Provider (CP)

• Can provide one or more of the cloud services to meet IT and business requirements of cloud consumers
• For each of the three service models (SaaS, PaaS, IaaS), the CP provides the storage and processing facilities needed to support that service model, together with a cloud interface for cloud service consumers
• For SaaS, the CP deploys, configures, maintains, and updates the operation of the software applications on a cloud infrastructure so that the services are provisioned at the expected service levels to cloud consumers
• For PaaS, the CP manages the computing infrastructure for the platform and runs the cloud software that provides the components of the platform, such as runtime software execution stack, databases, and other middleware components
• For IaaS, the CP acquires the physical computing resources underlying the service, including the servers, networks, storage, and hosting infrastructure
Roles and Responsibilities

Cloud carrier
• A networking facility that provides connectivity and transport of cloud services between cloud consumers and CPs

Cloud auditor
• An independent entity that can assure that the CP conforms to a set of standards

Cloud broker
• Useful when cloud services are too complex for a cloud consumer to easily manage
• Three areas of support can be offered by a cloud broker:
– Service intermediation: value-added services such as identity management, performance reporting, and enhanced security
– Service aggregation: the broker combines multiple cloud services to meet consumer needs not specifically addressed by a single CP, or to optimize performance or minimize cost
– Service arbitrage: a broker has the flexibility to choose services from multiple agencies
Cloud Security Risks and Countermeasures
• The Cloud Security Alliance [CSA10] lists the following as the top cloud-specific security threats, together with suggested countermeasures:

Abuse and nefarious use of cloud computing
• Countermeasures: stricter initial registration and validation processes; enhanced credit card fraud monitoring and coordination; comprehensive introspection of customer network traffic; monitoring public blacklists for one’s own network blocks

Malicious insiders
• Countermeasures: enforce strict supply chain management and conduct a comprehensive supplier assessment; specify human resource requirements as part of legal contract; require transparency into overall information security and management practices, as well as compliance reporting; determine security breach notification processes
Risks and Countermeasures (continued)

Insecure interfaces and APIs
• Countermeasures: analyzing the security model of CP interfaces; ensuring that strong authentication and access controls are implemented in concert with encryption mechanisms; understanding the dependency chain associated with the API

Shared technology issues
• Countermeasures: implement security best practices for installation/configuration; monitor environment for unauthorized changes/activity; promote strong authentication and access control for administrative access and operations; enforce SLAs for patching and vulnerability remediation; conduct vulnerability scanning and configuration audits

Data loss or leakage
• Countermeasures: implement strong API access control; encrypt and protect integrity of data in transit; analyze data protection at both design and run time; implement strong key generation, storage and management, and destruction practices
Risks and Countermeasures (continued)

• Account or service hijacking
– Countermeasures: prohibit the sharing of account credentials between users and services; leverage strong two-factor authentication techniques where possible; employ proactive monitoring to detect unauthorized activity; understand CP security policies and SLAs
• Unknown risk profile
– Countermeasures: disclosure of applicable logs and data; partial/full disclosure of infrastructure details; monitoring and alerting on necessary information
Table 16.3 NIST Guidelines on Security and Privacy Issues and Recommendations (page 1 of 2)
(Table can be found on pages 514–515 in textbook)

Table 16.3 NIST Guidelines on Security and Privacy Issues and Recommendations (page 2 of 2)
(Table can be found on pages 514–515 in textbook)
Data Protection in the Cloud

• The threat of data compromise increases in the cloud
• Database environments used in cloud computing can vary significantly
– Multi-instance model
• Provides a unique DBMS running on a virtual machine instance for each cloud subscriber
• This gives the subscriber complete control over role definition, user authorization, and other administrative tasks related to security
– Multi-tenant model
• Provides a predefined environment for the cloud subscriber that is shared with other tenants, typically through tagging data with a subscriber identifier
• Tagging gives the appearance of exclusive use of the instance, but relies on the CP to establish and maintain a sound secure database environment
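The multi-tenant model above rests on one invariant: every access path the CP exposes must carry the subscriber tag. The following is an added example, not code from the lecture deck, using Python's standard sqlite3 module to stand in for the shared DBMS; the table layout, tenant names and payloads are constructed. It places a flawed lookup (by row id alone) beside the sound one (id and subscriber tag in the same predicate) so the difference in behaviour is visible on the same data.

```python
import sqlite3


def make_shared_instance() -> sqlite3.Connection:
    """One DBMS instance shared by several subscribers; each row is tagged with subscriber_id.
    Schema and rows are constructed for the example."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE records ("
        " id INTEGER PRIMARY KEY,"
        " subscriber_id TEXT NOT NULL,"
        " payload TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO records (subscriber_id, payload) VALUES (?, ?)",
        [("tenant-a", "a-invoice-001"),
         ("tenant-a", "a-invoice-002"),
         ("tenant-b", "b-payroll-001")],
    )
    conn.commit()
    return conn


def fetch_record_unscoped(conn: sqlite3.Connection, record_id: int):
    """Flawed CP-side access path: the row is selected by id alone, so the tag is never consulted
    and a request made on behalf of tenant-b can return tenant-a's row."""
    return conn.execute(
        "SELECT subscriber_id, payload FROM records WHERE id = ?", (record_id,)
    ).fetchone()


def fetch_record_scoped(conn: sqlite3.Connection, tenant: str, record_id: int):
    """Sound access path: the subscriber tag is part of the predicate, so an id belonging to
    another tenant simply does not exist from this tenant's point of view."""
    return conn.execute(
        "SELECT subscriber_id, payload FROM records WHERE id = ? AND subscriber_id = ?",
        (record_id, tenant),
    ).fetchone()


def list_payloads(conn: sqlite3.Connection, tenant: str) -> list:
    """Every bulk read is likewise filtered by the tag."""
    rows = conn.execute(
        "SELECT payload FROM records WHERE subscriber_id = ? ORDER BY id", (tenant,)
    )
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_shared_instance()
    # tenant-b asks for row 1, which belongs to tenant-a
    print("unscoped:", fetch_record_unscoped(db, 1))        # leaks tenant-a's row
    print("scoped:  ", fetch_record_scoped(db, "tenant-b", 1))  # None
    print("tenant-a:", list_payloads(db, "tenant-a"))
```

The tenant value passed to the scoped functions must come from the authenticated session, never from the request body; otherwise the tag check only restates the caller's claim. Reviewing every query for the presence of the tag predicate is the practical audit the slide's "relies on the CP" sentence implies.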
Data Protection in the Cloud

• Data must be secured while at rest, in transit, and in use, and access to the data must be controlled
• The client can employ encryption to protect data in transit, though this involves key management responsibilities for the CP
• For data at rest the ideal security measure is for the client to encrypt the database and only store encrypted data in the cloud, with the CP having no access to the encryption key
• A straightforward solution to the security problem in this context is to encrypt the entire database and not provide the encryption/decryption keys to the service provider
– The user has little ability to access individual data items based on searches or indexing on key parameters
– The user would have to download entire tables from the database, decrypt the tables, and work with the results
– To provide more flexibility it must be possible to work with the database in its encrypted form
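The trade-off in the last bullets can be shown concretely. The following is an added example, not code from the lecture deck or from Stallings: a client encrypts each record before upload so the CP holds only opaque blobs and no key, a search then forces the client to download and decrypt the whole table, and, going one step beyond the slide, a keyed equality tag (an HMAC "blind index") lets the CP filter rows without learning the field value. The cipher is a stdlib-only stand-in (HMAC-SHA256 in counter mode with a separate HMAC tag) used so the example runs without third-party packages; in practice an AEAD such as AES-GCM would take its place. Records, keys and field names are constructed.

```python
import hashlib
import hmac
import json
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkeys(key: bytes):
    # Derive independent encryption and MAC keys from the client's master key
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter mode with HMAC-SHA256 as the PRF: a stand-in for a real AEAD, not a replacement for it
    blocks = [hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
              for ctr in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()      # encrypt-then-MAC
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")             # CP-side tampering is detected
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc, nonce, len(ct))))


def dept_tag(index_key: bytes, dept: str) -> bytes:
    # Keyed equality tag: the CP can match two tags for equality but cannot recover the department
    return hmac.new(index_key, dept.encode(), hashlib.sha256).digest()


class ProviderStore:
    """What the CP holds: opaque blobs and keyed tags, never a key."""
    def __init__(self):
        self.rows = []                                   # list of (row_id, dept_tag, blob)

    def put(self, tag: bytes, blob: bytes) -> None:
        self.rows.append((len(self.rows) + 1, tag, blob))

    def download_all(self) -> list:
        return [blob for _, _, blob in self.rows]

    def download_by_tag(self, tag: bytes) -> list:
        return [blob for _, t, blob in self.rows if t == tag]


def build_demo():
    """Constructed sample table; both keys stay on the client side."""
    key, index_key = secrets.token_bytes(32), secrets.token_bytes(32)
    store = ProviderStore()
    for name, dept in [("alice", "sales"), ("bob", "engineering"), ("carol", "sales")]:
        record = json.dumps({"name": name, "dept": dept}).encode()
        store.put(dept_tag(index_key, dept), encrypt(key, record))
    return key, index_key, store


def search_whole_table(key: bytes, store: ProviderStore, dept: str):
    """The slide's baseline: no usable index, so the client downloads and decrypts every row.
    Returns (matching names, rows downloaded)."""
    blobs = store.download_all()
    records = [json.loads(decrypt(key, b)) for b in blobs]
    return [r["name"] for r in records if r["dept"] == dept], len(blobs)


def search_by_tag(key: bytes, index_key: bytes, store: ProviderStore, dept: str):
    """Working with the encrypted form: the CP filters on the tag; the client decrypts only the hits."""
    blobs = store.download_by_tag(dept_tag(index_key, dept))
    return [json.loads(decrypt(key, b))["name"] for b in blobs], len(blobs)


def provider_sees(store: ProviderStore, needle: bytes) -> bool:
    """Does the field value appear anywhere in what the CP stores?"""
    return any(needle in blob for _, _, blob in store.rows)


if __name__ == "__main__":
    k, ik, s = build_demo()
    print("whole table:", search_whole_table(k, s, "sales"))   # (['alice', 'carol'], 3)
    print("by tag:     ", search_by_tag(k, ik, s, "sales"))   # (['alice', 'carol'], 2)
    print("CP sees 'sales'?", provider_sees(s, b"sales"))      # False
```

The tag restores equality search but not for free: the CP still learns which rows share a department and how often each tag occurs, which is the kind of leakage that has to be weighed when deciding how much of the database may be "worked with in encrypted form".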
Cloud Security as a Service (SecaaS)

• The Cloud Security Alliance defines SecaaS as the provision of security applications and services via the cloud either to cloud-based infrastructure and software or from the cloud to the customers’ on-premise systems
• The Cloud Security Alliance has identified the following SecaaS categories of service:
– Identity and access management
– Data loss prevention
– Web security
– E-mail security
– Security assessments
– Intrusion management
– Security information and event management
– Encryption
– Business continuity and disaster recovery
– Network security
Summary

• Network access control
• Elements of a network access control system
• Network access enforcement methods
• Extensible authentication protocol
• Authentication methods
• EAP exchanges
• Cloud security as a service
• IEEE 802.1X port-based network access control
• Cloud computing
• Elements
• Reference architecture
• Cloud security risks and countermeasures
• Data protection in the cloud
