Network Access Control and Cloud Security: Tran Song Dat Phuc Seoultech 2015
Cloud Computing
• NAC authenticates users logging into the network and determines what data
they can access and what actions they can perform.
• NAC examines the health of the user’s computer or mobile device (the
endpoints).
Network Access Control (NAC)
• Policy server: based on the access requester’s (AR’s) posture and the enterprise’s
defined policy, the policy server determines what access should be granted.
NAC Context
Network Access Enforcement Methods
• Enforcement methods are the actions applied to ARs to regulate access to the
enterprise network.
IEEE 802.1X: enforces authorization before a port is assigned an IP address.
IEEE 802.1X uses the Extensible Authentication Protocol (EAP) for the
authentication process.
Virtual local area networks (VLANs): the enterprise network, consisting of
an interconnected set of LANs, is segmented logically into a number of virtual
LANs. The NAC system decides to which of the network’s VLANs it will
direct an AR.
Firewall: allows or denies network traffic between an enterprise host and an
external user.
DHCP management: DHCP enables dynamic allocation of IP addresses to
hosts. A DHCP server intercepts DHCP requests and assigns IP addresses.
Thus, NAC enforcement occurs at the IP layer based on subnet and IP
assignment.
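The policy-server step above (AR posture plus enterprise policy in, enforcement action out) as an added example, not code from the slides; the policy thresholds, posture fields and VLAN numbers are assumptions chosen for illustration:

```python
# Added example (not from the slides): a toy NAC policy-server decision that maps an
# access requester's (AR) posture to an enforcement action expressed in 802.1X/VLAN
# terms. Posture fields, thresholds and VLAN numbers are assumed values.
from dataclasses import dataclass, field
from typing import List, Optional

PRODUCTION_VLAN, QUARANTINE_VLAN, GUEST_VLAN = 10, 99, 20   # assumed VLAN plan


@dataclass
class Posture:
    authenticated: bool          # EAP result reported by the authentication server
    role: str                    # "employee" or "guest", as asserted by that server
    os_patch_age_days: int       # days since the endpoint was last patched
    antivirus_running: bool
    host_firewall_on: bool


@dataclass
class Decision:
    authorized: bool             # open the switch port at all (802.1X enforcement)
    vlan: Optional[int]          # VLAN the AR is steered into, None if port stays closed
    reasons: List[str] = field(default_factory=list)


def evaluate(p: Posture, max_patch_age: int = 30) -> Decision:
    """Deny by default; only a healthy, authenticated employee reaches production."""
    if not p.authenticated:
        return Decision(False, None, ["authentication failed"])   # port stays closed
    if p.role == "guest":                      # guests never see the internal VLAN
        return Decision(True, GUEST_VLAN, ["guest role"])
    failures = []
    if p.os_patch_age_days > max_patch_age:
        failures.append(f"patches older than {max_patch_age} days")
    if not p.antivirus_running:
        failures.append("antivirus not running")
    if not p.host_firewall_on:
        failures.append("host firewall off")
    if failures:   # health check failed: port opens only into the remediation VLAN
        return Decision(True, QUARANTINE_VLAN, failures)
    return Decision(True, PRODUCTION_VLAN, ["posture ok"])
```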
Extensible Authentication Protocol
• The Extensible Authentication Protocol (EAP) acts as a framework for network
access and authentication protocols.
• EAP provides a set of protocol messages that encapsulate various authentication
methods used between a client and an authentication server.
• EAP can operate over a variety of network and link-level facilities, including
point-to-point links, LANs, and other networks, and can accommodate the
authentication needs of the various links and networks.
EAP Message
• EAP message fields: Code, Identifier, Length, Data.
EAP Exchanges
• EAPOL (EAP over LAN) operates at the network layer and makes use of an
IEEE 802 LAN (Wi-Fi or Ethernet) at the link layer.
• EAPOL enables a supplicant to communicate with an authenticator and supports the
exchange of EAP packets for authentication.
• EAPOL packet format fields: Protocol version, Packet type, Packet body length,
Packet body.
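The two message layouts above (EAP: Code, Identifier, Length, Data; EAPOL: Protocol version, Packet type, Packet body length, Packet body) as an added decoder, not code from the slides; field sizes follow IEEE 802.1X and RFC 3748, and the sample frames are constructed:

```python
# Added example (not from the slides): decode an IEEE 802.1X EAPOL frame and the EAP
# message it carries, rejecting frames whose declared lengths do not match the bytes.
import struct

EAPOL_EAP_PACKET = 0          # EAPOL packet type 0 = EAP-Packet
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1         # EAP Type 1 = Identity (RFC 3748)


def parse_eapol(frame: bytes) -> dict:
    """Split frame into Protocol version, Packet type, Packet body length, Packet body."""
    if len(frame) < 4:
        raise ValueError("EAPOL header needs 4 bytes")
    version, ptype, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:               # truncated frame or lying length field
        raise ValueError(f"body length {body_len}, only {len(body)} bytes present")
    return {"version": version, "type": ptype, "body": body}


def parse_eap(body: bytes) -> dict:
    """Decode the EAP Code / Identifier / Length / Data header."""
    if len(body) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", body[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(body):     # Length counts the whole EAP packet
        raise ValueError(f"EAP length {length} inconsistent with {len(body)} bytes")
    msg = {"code": EAP_CODES[code], "id": ident, "data": body[4:length]}
    if code in (1, 2) and msg["data"]:       # Request/Response data starts with Type
        msg["eap_type"] = msg["data"][0]
        if code == 2 and msg["eap_type"] == EAP_TYPE_IDENTITY:
            msg["identity"] = msg["data"][1:].decode("utf-8", "replace")
    return msg


def decode_frame(frame: bytes) -> dict:
    """EAPOL then EAP; EAPOL-Start/Logoff/Key frames return only the EAPOL view."""
    eapol = parse_eapol(frame)
    if eapol["type"] == EAPOL_EAP_PACKET:
        eapol["eap"] = parse_eap(eapol["body"])
    return eapol


# Constructed sample: supplicant's EAP-Response/Identity "alice" in an EAPOL v1 frame.
IDENTITY = b"alice"
EAP_RESP = struct.pack("!BBH", 2, 7, 4 + 1 + len(IDENTITY)) + bytes([EAP_TYPE_IDENTITY]) + IDENTITY
SAMPLE_FRAME = struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(EAP_RESP)) + EAP_RESP
EAPOL_START = bytes([1, 1, 0, 0])            # EAPOL-Start: type 1, empty body
```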
Cloud Computing
• “A model for enabling ubiquitous, convenient, on-demand network access to a shared
pool of configurable computing resources (networks, servers, storage, applications,
services) that can be released with minimal management effort or service provider
interaction.” – NIST SP 800-145.
Cloud Computing Characteristics
• Resources include storage, processing, memory, network bandwidth, and
virtual machines.
• Broad network access - available over the network and accessed through standard
mechanisms, by client platforms or other cloud-based services.
• Rapid elasticity - the ability to expand and reduce resources according to specific
requirements.
• Measured service - control and optimize resources appropriately for the type of
service. Resource usage can be monitored, controlled, and reported, providing
transparency of the utilized service.
• On-demand self-service - the ability to provision resource capabilities automatically,
with no need for human interaction. The resources are temporary in the IT infrastructure.
• Resource pooling - the ability to serve multiple consumers using a multi-tenant model,
with different physical and virtual resources dynamically assigned and reassigned
based on consumer demand.
Cloud Computing Service Models
• Software as a Service (SaaS) - the capability provided to the consumer is to use the
provider’s applications running on a cloud infrastructure. The applications are
accessible from various client devices through a thin client interface (Web browser).
SaaS removes the complexity of software installation, maintenance, upgrades and patches.
• Platform as a Service (PaaS) - the capability provided to the consumer is to deploy
consumer-created or acquired applications onto the cloud infrastructure. PaaS also provides
middleware-style services, such as database and component services, for use by applications.
PaaS is like an operating system in the cloud.
• Hybrid cloud - a composition of two or more clouds that remain unique entities but
are bound together by standardized or proprietary technology that enables data and
application portability (e.g., cloud bursting for load balancing between clouds).
Cloud Computing Reference Architecture
• Cloud consumer - a person or organization that maintains a business relationship with,
and uses services from, cloud providers.
• Cloud broker - an entity that manages the use, performance, and delivery of cloud
services, and negotiates relationships between cloud providers (CPs) and consumers.
• Insecure interfaces and APIs - CPs expose a set of software interfaces or APIs that customers
use to manage and interact with cloud services. From authentication and access control onward,
these interfaces need to be designed to resist accidental and malicious attempts.
Countermeasures: (1) analyze the security model of CP interfaces, (2) ensure that strong
authentication and access control are implemented with encrypted transmission, (3)
understand the dependency chain associated with the API.
• Malicious insiders - the risk of malicious insider activity. Cloud architectures necessitate roles
that carry extremely high risk.
Countermeasures: (1) enforce strict supply chain management and conduct a comprehensive
supplier assessment, (2) specify human resource requirements as part of the legal contract, (3)
require transparency into overall information security and management practices, and compliance
reporting, (4) determine security breach notification processes.
Cloud Security Risks and Countermeasures
• Shared technology issues - IaaS vendors deliver services by sharing infrastructure whose
isolation properties are not strong enough for a multi-tenant architecture.
Countermeasures: (1) implement security best practices for installation/configuration, (2) monitor
the environment for unauthorized changes/activity, (3) promote strong authentication and access
control for administrative access and operation.
• Data loss and leakage - for clients, the most devastating result of a security breach is the loss or
leakage of data.
Countermeasures: (1) implement strong API access control, (2) encrypt and protect the integrity of
data in transit, (3) analyze data protection at design and run time, (4) implement strong key
generation, storage, management, and destruction practices.
• Account or service hijacking - usually with stolen credentials, attackers can access critical
areas of cloud services, allowing them to compromise confidentiality, integrity, and availability
(CIA).
Countermeasures: (1) prohibit the sharing of account credentials between users and services,
(2) leverage strong two-factor authentication techniques, (3) employ proactive monitoring to
detect unauthorized activity, (4) understand CP security policies and SLAs.
Cloud Security Risks and Countermeasures
• Unknown risk profile - in using cloud infrastructure, the client cedes control to the CP
on a number of issues that may affect security, and must pay attention to, and clearly define,
the roles and responsibilities involved in managing risks.
Countermeasures: (1) disclosure of applicable logs and data, (2) partial/full disclosure of
infrastructure details (patch levels and firewalls), (3) monitoring and alerting on necessary information.
Data Protection in the Cloud
Cloud Security as a Service (SecaaS)
• SecaaS is a segment of SaaS, meaning a package of security services offered by a
service provider that offloads much of the security responsibility from an enterprise
to the security service provider.
• SecaaS categories:
• Data loss prevention - monitoring, protecting, and verifying the data, implemented
by the cloud client, with rules about what functions can be performed on data.
• Email security - provides control over inbound and outbound email, protects against
phishing and malicious attachments, enforces corporate policies, and offers spam prevention,
digital signatures and email encryption.
• Security assessments - third-party audits of cloud services; the provider supplies tools and
access points to facilitate assessment activities.
Cloud Security as a Service (SecaaS)
• Intrusion management - intrusion detection, prevention, and response; the core is
intrusion detection systems (IDSs) and intrusion prevention systems (IPSs). An IDS
detects unauthorized accesses to a host system, while an IPS blocks traffic from intruders.
• Security information and event management (SIEM) - aggregates log and event data from
virtual and real networks, applications, and systems, and provides real-time reporting and
information/event alarming.
• Encryption - provides encryption for data such as email traffic, client-specific network
management information, and identity information. Involves key management, application
encryption, and data content access.
• Business continuity and disaster recovery - measures and mechanisms to
ensure operational resiliency in the event of service interruptions. Includes flexible
infrastructure, redundancy of functions and hardware, monitored operations,
geographically distributed data centers, and network survivability.
• Network security - security services that allocate access, distribute, monitor, and
protect resource services. Includes perimeter and server firewalls and DoS protection in the
network security service.
THANKS FOR WATCHING!!!