Page 66 - DCAP516_COMPUTER_SECURITY
Computer Security
When wireless access enters the picture, the identity of the user becomes crucial. Since multiple
users can connect through a single wireless access point, the assumption of one user per port is
no longer valid, and port-based access policies do not work. All sorts of users – visitors, temporary
workers, system administrators, the CFO – may happen to access the network via the same
access point, sharing the same port. A single set of access rights for that port would be too
permissive for some users and too restrictive for others. Therefore, the system must be able to
distinguish between the users on a port and apply policy based on each user's identity.
Further, given the range of wireless access point signals, physical barriers become meaningless;
given the mobility of wireless devices, users are no longer constrained to connect only through
specific ports. In a wireless network, therefore, it is important both to determine who the user is
when he attempts to connect and to track the user throughout his entire session on the network.
The system must be able to track the user if he or she physically moves (from desk to conference
room, for example, roaming to a different access point and thus appearing on a different port) in
order to enforce the appropriate policy for that user.
6.2 Authentication vs. Authorization
In most networks, the user’s authenticated identity is not the only factor used to determine a
user’s access rights – access authorization is often based upon an individual’s role within the
organization. Employees in Finance may have access to restricted data and applications, for
example, while system and network administrators typically have access to network equipment
denied to other employees.
Authentication and authorization may be tightly integrated, where the same mechanism that
provides authentication services also provides information about a user’s authorization level –
often implemented through group membership, where a user’s group affiliations denote what
sort of permissions he has relative to the organization’s information resources.
Authentication establishes that users are who they claim to be. Authenticity is the property
that something – a message, a piece of data, or a claimed identity – is genuine and has not been
forged or altered. Authorization is the ability to distinguish what each authenticated user is
permitted to do: to separate authorized from unauthorized users, and to grant levels of access
in between.
Networks commonly employ two complementary and related mechanisms for determining
who can access information resources over the network – authentication and authorization.
Authentication is the process of determining the identity of a network user by verifying a set of
user credentials, typically a user ID and password.
Authorization is the process of determining what resources on the network – services, printers,
servers, network devices, etc. – a given user is allowed to access. Authorization is often determined
by a combination of a group affiliation, restricted destinations (e.g., applications, servers, or
intranet sites that require their own login) and physical barriers.
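The following Python program is an added example and is not code from the textbook. It keeps the two mechanisms described above separate: `authenticate` verifies a user ID and password against stored salted PBKDF2 hashes, and `authorize` decides access from group membership against a small access-control table. It also models the point made at the top of this page about wireless access: a session is bound to the authenticated identity rather than to the port, so the access decision does not change when the user roams to a different access point. The user directory, passwords, groups, resource names, and PBKDF2 iteration count are all constructed for the example.

```python
"""Added example (not from the textbook): authentication and authorization as
two separate decisions, with authorization driven by group membership.
All users, passwords, groups and the ACL below are constructed sample data."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# PBKDF2 work factor chosen for this example; a deployment tunes it to its hardware.
ITERATIONS = 100_000
SALT_LEN = 16
DIGEST_LEN = 32  # SHA-256 output size


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


@dataclass(frozen=True)
class User:
    name: str
    salt: bytes
    digest: bytes
    groups: FrozenSet[str]


@dataclass(frozen=True)
class Session:
    """An authenticated session. Policy is attached to the user, not the port."""
    user: User
    access_point: str


def make_directory() -> Dict[str, User]:
    """Constructed user directory: each entry stores only the salted hash."""
    users: Dict[str, User] = {}
    for name, password, groups in [
        ("alice", "correct horse battery staple", {"finance", "staff"}),
        ("bob", "N3twork-Adm1n!", {"netadmin", "staff"}),
        ("visitor", "welcome", {"guest"}),
    ]:
        salt, digest = hash_password(password)
        users[name] = User(name, salt, digest, frozenset(groups))
    return users


# Which groups may reach which resource (constructed policy table).
ACL: Dict[str, FrozenSet[str]] = {
    "finance-db": frozenset({"finance"}),
    "core-switch": frozenset({"netadmin"}),
    "intranet": frozenset({"staff"}),
    "internet": frozenset({"staff", "guest"}),
}


def authenticate(directory: Dict[str, User], name: str, password: str) -> Optional[User]:
    """Step 1: verify the claimed identity. Returns the User or None.

    An unknown name still costs one PBKDF2 run against a dummy salt, so the
    response time does not reveal which IDs exist in the directory."""
    user = directory.get(name)
    salt = user.salt if user else b"\x00" * SALT_LEN
    expected = user.digest if user else b"\x00" * DIGEST_LEN
    _, digest = hash_password(password, salt)
    if user is not None and hmac.compare_digest(digest, expected):
        return user
    return None


def login(directory: Dict[str, User], name: str, password: str,
          access_point: str) -> Optional[Session]:
    """Authenticate and, on success, open a session tied to the identity."""
    user = authenticate(directory, name, password)
    return Session(user, access_point) if user else None


def roam(session: Session, new_access_point: str) -> Session:
    """The user moves to another access point (a different port); identity is kept."""
    return Session(session.user, new_access_point)


def authorize(user: User, resource: str) -> bool:
    """Step 2: decide access from group affiliation. Unknown resources are denied."""
    return not ACL.get(resource, frozenset()).isdisjoint(user.groups)


def can_access(session: Session, resource: str) -> bool:
    """Policy follows the session's user, whatever access point it is on."""
    return authorize(session.user, resource)
```

Two design points are worth noting. The comparison of digests uses `hmac.compare_digest` rather than `==`, and an unknown user ID still pays for a full hash, so neither the outcome nor the timing leaks which IDs exist. Authorization never consults the access point: roaming produces a new `Session` with the same `User`, and `can_access` gives the same answer before and after the move.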
Task Differentiate between authentication and authorization.
6.3 Passwords as Authenticators
The front line of defense against intruders is the password system. Passwords are a widely
used tool for authentication. Virtually all multi-user systems require that a user provide not
only a name or identifier (ID) but also a password. The password serves to authenticate the ID
and provides security in the following ways: