What Is Discretionary Access Control?
Access control provides a set of methods for identifying, organizing, and hosting every function and every piece of data in a system, and then exposes a simple, unified interface. One end of this interface is the application; the other end is the permission engine. The permission engine answers only one question: does a given subject have the right to perform a certain action (an operation or a computation) on a resource? The result it returns is one of three values: yes, no, or permission engine error.
- Its main purposes are:
- First, to prevent illegal subjects from entering protected network resources.
- Second, to allow legitimate users to access protected network resources.
- Third, to prevent users from accessing protected network resources beyond what they are authorized for.
- 1. Access control
- 2. Network permission restrictions
- 3. Directory-level security controls
- 4. Attribute security control
- 5.
- Access control can be divided into
- Implementation Mechanism
- Establishing an access control model and implementing access control are both abstract and complex tasks. An implementation must not only ensure that the permissions an authorized user exercises correspond to the permissions that user holds, and block the actions of unauthorized users; it must also prevent the leakage or cross-contamination of sensitive information. To make the discussion concrete, we take access control over files as the example. Users usually access information resources (files or databases), and the possible behaviors are reading, writing, and managing. For convenience we write Read or R for read operations, Write or W for write operations, and Own or O for management operations. Management is kept separate from reading and writing because an administrator may modify the control rules themselves or the attributes of the files, that is, modify the access control list described below.
- Access control list
- Access control lists (ACLs) are file-centric lists of access permissions. Currently most PCs, servers, and hosts use ACLs as their implementation mechanism for access control. The advantage of the access control list is that it is simple to implement: every authorized subject can be entered in an object's access table. For example, the access control rules governing the authorized user A1's access to the file File1 are stored with File1; A1's access rules are determined by the permission table ACLsA1 attached to that file, and that permission table restricts what the user UserA1 is allowed to do.
- Access control matrix
- The Access Control Matrix (ACM) represents access control rules and user authorizations in matrix form: for each subject, which objects it may access and with which rights, and for each object, which subjects may access it. Laying out this relationship produces the control matrix. A privileged user or privileged user group can modify a subject's access control permissions. The access control matrix is easy to understand, but looking up entries and implementing it are costly. Moreover, when the users and the file system have many files to manage, the matrix grows geometrically and most of its cells stay empty, so a great deal of space is wasted.
- Access control capability list
- Capability is an important concept in access control. A capability is a valid ticket held by the originator of an access request; it is an authorization label that indicates the type of access the holder may use on a specific object. Access control capability lists (ACCLs) are user-centered lists of access permissions. For example, the access control permission table ACCLsF1 indicates that the authorized user UserA has access to the file File1, and UserAF indicates that UserA has an access control rule set for the file system. The implementation of ACCLs is therefore exactly the opposite of ACLs. The importance of defining capabilities lies in their particularity: if a subject is given a capability, that in itself states that the subject holds the corresponding authority. Capabilities can be implemented in two ways, transitive and non-transitive: some capabilities can be passed on to other subjects for use, while others cannot. The transfer of capabilities involves the implementation of authorization; we elaborate on authorization management for access control later.
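The following added example (not code from the original page) ties the preceding sections together: one access control matrix with the R/W/O rights from the text, the file-centric ACL view and the user-centric capability-list view derived from it, transitive delegation of a capability, and a permission engine that answers only yes, no, or error. The user and file names are constructed, and treating O as non-transferable is an assumption made for illustration.

```python
from dataclasses import dataclass, field

R, W, O = "R", "W", "O"          # read, write, own (manage), as in the text
NON_TRANSITIVE = {O}             # assumption: the owner right cannot be passed on

@dataclass
class Matrix:
    """Access control matrix: rows[subject][object] = set of rights."""
    rows: dict = field(default_factory=dict)

    def grant(self, subject, obj, right):
        self.rows.setdefault(subject, {}).setdefault(obj, set()).add(right)

    def acl(self, obj):
        """Object-centric view (ACL): which subjects may do what to obj."""
        return {s: set(objs[obj]) for s, objs in self.rows.items() if obj in objs}

    def capabilities(self, subject):
        """Subject-centric view (ACCL): the tickets this subject holds."""
        return {o: set(rs) for o, rs in self.rows.get(subject, {}).items()}

    def delegate(self, giver, receiver, obj, right):
        """Transitive capability: pass a right on only if held and transferable."""
        held = self.rows.get(giver, {}).get(obj, set())
        if right not in held or right in NON_TRANSITIVE:
            raise PermissionError(f"{giver} cannot delegate {right} on {obj}")
        self.grant(receiver, obj, right)

def decide(matrix, subject, obj, action):
    """Permission engine: answers 'yes', 'no' or 'error' and never raises."""
    try:
        if action not in (R, W, O):
            return "error"           # unknown action: engine abnormal
        held = matrix.rows.get(subject, {}).get(obj, set())
        return "yes" if action in held else "no"
    except Exception:                # e.g. a broken or missing matrix object
        return "error"

def demo():
    """Constructed sample: two users, two files."""
    m = Matrix()
    for subject, obj, right in [("UserA1", "File1", R), ("UserA1", "File1", O),
                                ("UserB", "File1", R), ("UserA1", "File2", W)]:
        m.grant(subject, obj, right)
    return m

if __name__ == "__main__":
    m = demo()
    print(m.acl("File1"), m.capabilities("UserA1"), decide(m, "UserB", "File1", W))
```

Note that the matrix itself is sparse: most (subject, object) cells are empty, which is the space waste the ACM section describes.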
- Security label
- A security label is a set of security attribute information attached to a subject or object that restricts it. The meaning of a security label is broader and stricter than that of a capability, because it actually establishes a strict set of security levels. Access Control Security Label Lists (ACSLLs) are collections of security attributes that restrict a user's access to an object. Security labels can distinguish sensitive information, which makes it possible to enforce security policies on users and object resources; mandatory access control therefore often uses this implementation mechanism.
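As an added example (not from the original page) of the label mechanism just described, the block below attaches a label made of a security level and a set of categories to subjects and objects and decides reads and writes by label dominance. The level names, the categories, and the rule that a subject may read only objects its label dominates and write only objects that dominate its label are assumptions chosen to illustrate a mandatory policy.

```python
from dataclasses import dataclass

# Assumed ordering of security levels, lowest to highest.
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # e.g. {"finance"}; empty = no restriction

    def dominates(self, other):
        """self >= other: equal-or-higher level AND a superset of categories."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

def check(subject, obj, action):
    """Mandatory check driven only by labels, independent of any ACL.
    Read: allowed only if the subject's label dominates the object's.
    Write: allowed only if the object's label dominates the subject's,
    so a high-labelled subject cannot copy data into a lower-labelled object.
    Any other action is refused."""
    if action == "R":
        return subject.dominates(obj)
    if action == "W":
        return obj.dominates(subject)
    return False

# Constructed sample labels.
ALICE = Label("secret", frozenset({"finance"}))
BOB = Label("confidential")
REPORT = Label("confidential", frozenset({"finance"}))
```

In a system that uses both mechanisms, the final answer is the conjunction of this label check and the discretionary ACL check.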
- Specific category
- The specific categories of access control are an important means of network security prevention and protection. Their main task is to maintain the security of the network system and ensure that network resources are not used illegally or accessed without authorization. The technical implementation generally includes the following parts:
- (1) Access control: Access control provides the first layer of control for network access and is the first barrier to the network. It controls which users can log in to the server and obtain network resources, when users are allowed to access the network, and from which workstations they are allowed to do so. For example, ISP service providers implement their access services this way. A user's access control is the authentication of legitimate users, usually by username and password. It generally has three steps: identification and verification of the user name, identification and verification of the user password, and checking the default restrictions on the user account.
- (2) Resource access control: This is the access control management of an object's overall resource information. It includes file system access control (file and directory access control and system access control), file attribute access control, and information content access control. File and directory access control means that users and user groups are granted certain permissions; under the permission control rules, these determine which users and user groups can access which directories, subdirectories, files, devices, and other resources. System access control means that the network system administrator should assign appropriate access rights to users, and these rights control user access to the server. A password should be set to lock the server console so that unauthorized users cannot modify or delete important information or destroy data. A server login time limit should be set, along with the interval between detecting an illegal visitor and shutting the session down; the network should be monitored, user access to network resources recorded, and illegal access to the network raised as an alarm in graphical, textual, audible, or other form. File attribute access control: when files, directories, and network devices are used, access attributes should be specified for them. Attribute security controls associate a given attribute with the files, directories, and network devices being accessed.
- (3) Network port and node access control: The nodes and ports in the network often carry encrypted data. The management of these important locations must guard against attacks launched by hackers. To manage and modify data, visitors should be required to present a validator (such as a smart card) to prove their identity. [3]
- Network Access Control (NAC) has a bad reputation, and that has to change. Over the past decade, access control has suffered from deployment failures and overly strict security policies, which led many CEOs to find that their laptops could not access the network under the access controls the IT department had implemented.
- But things have changed. Experts point out that access control is no longer just access control: it provides endpoint visibility and environment-aware security. Research by Enterprise Strategy Group shows that access control is evolving into a new platform product, Endpoint Visibility, Access, and Security (EVAS), which can secure the environment, feed information to other security platforms, and at the same time apply platform-specific policies.
- Early access control solutions checked the status of user devices to ensure they were not infected with viruses and had the correct endpoint security software installed before allowing them to connect to the network. Later, access control added software patch and configuration checks. Now access control solutions have further evolved into EVAS platforms, which meet corporate needs for environment-aware security. [4]