Access Controls: What is it and how can it be undermined?
I used to have a rather unique workplace not so long ago. It felt like a Get Smart episode at times. In that I would walk through a guard shack, and then on to the main building. From there I would have to access various doors controlled by a variety of security mechanisms. That workplace was all safe and secure, as it should be. Not really different then from many large corporations who have the same security measures in place. What these measures do is restrict access to specific physical areas. In essence they are simply access controls, and in this case a physical access control. Very much like the badge I also had to wear with a picture of me on it. This also helped further restrict access to that building, as not everyone had ready access to such a pass. Though these measures may not seem impressive, they are in fact layered on top of one another. That is what makes them effective. Any one access control mentioned above could be bypassed.
Think how easy it would be to simply shoulder surf your way past a PIN protected door. It wouldn't be very hard at all, and especially not in a busy workplace environment. More so in a large corporate setting where not everyone knows everyone else. It is only courtesy after all to hold the door for someone who is about to enter. The same can be said for that building pass. If you have a minute or so to observe what one looks like it would not be overly hard to recreate one. With the availability of high end graphics software, and paper supplies it would be a relatively trivial matter to manufacture one. So with the simple measures listed above in place it is unlikely that anyone other then a determined intruder would get in undetected. So far so good, these access controls have worked as they were intended to. While you may think it unnecessary to apply these measures to your small workplace I would highly encourage you to do so. Pretty much every computer network, or company has data they want to keep private. The same goes for the cleaning company you have hired to tidy your office after hours. You would be wise to make sure that these cleaners are bonded and trustworthy.
Access denied and access gained
Now we covered some of the physical access controls that one might encounter. How about some internal access controls that you would typically see or not see for that matter. Ideally in a computer network environment the security applied to it should be transparent to the end user. After all it is the job of the system administrator or security person to make the life of the end user as simple and secure as possible. That is after all what many of us are paid for. We cannot simply shrug off security as being an end user problem.
To that end there is a plethora of measures that can be put into place to safeguard the often soft internal network. Some of them are obvious, and some of them not so obvious. One of the most commonly used access controls is the simple username and password combination. This method has all of the well chronicled issues affecting it such as brute forcing and poor password policies. A far better method is to use what is called "two factor authentication". This doubles the security of the access control method, as it requires two separate factors. One of the physical ie: the card, and the second still being a password. While this method is still not foolproof it does have advantages over a simple username and password combination.
Both external and internal
It is not only amidst the internal network that access controls should be considered for implementation. One of the first places that should be considered is the corporate gateway, edge router, or any other term that you know it by. A tremendous amount of hostile traffic aimed at your network can be stopped dead in its tracks if your router ACL's are properly written. For those of you unfamiliar with router access control lists, they are simply text strings entered on a router to deny or allow traffic. This can be done on either a port basis or IP address basis. If you properly leverage your router's ACL's then you can setup a fairly strong first layer of defense or access control.
Secondly, and typically right behind the router in a corporate setup is the firewall. High end corporate firewalls like the ones offered by Cisco are very configurable. These PIX firewalls for example can be configured for VPN traffic and more so restrict what IP addresses access the VPN. A great deal of functionality exists in such enterprise class firewalls. It will act as a very powerful access control mechanism if properly configured. You must remember though that it will not protect running services as that port must be open. What you may also require to further restrict access is an application layer firewall or device. This will further help restrict access ie: an attacker gaining system level access on your IIS server, by parsing incoming traffic and dealing with hostile content are a few examples.
Back to the internal
One of the biggest security risks to the internal network right now is portable devices. These can range from usb sticks to live cd distro's like WHAX. These live cd distributions come filled with a treasure chest of hacking tools. These range from password crackers like John the Ripper, to advanced scanning devices and other potentially hostile programs. In other words the last kind of thing you want running around on your network. So how do you restrict access to these types of threats? Well in the win32 world there is the wonder that is GPO. There are many various ones that could be implemented to help safe guard against this portable threat. You could also simply take the low tech route and disable USB via the BIOS settings and make sure you have the BIOS password protected!
While I have touched on some of the access controls that could exist on the typical corporate network, my list has been far from exhaustive. What is really required is an organised and coherent approach to securing your network. Once you have defined the boundaries and scope of your network you can then put in place measures to help safe guard that network. You also need to keep in mind that one of the most often overlooked areas of access control is indeed the physical one. No sense in having your wiring closet open to the world for all and sundry to play with right? Securing physical access to your computer network assets is indeed a critical step one must ensure they take. After all once you have given physical access to a potential attacker that system will inevitably fall to them. Well I hope this article was of interest to you, and as always I welcome your feedback. Till next time!