Friday, August 5, 2011

Access Control Administration

Once an organization develops a security policy, supporting procedures, standards, and guidelines, it must choose the type of access control model: DAC, MAC, or role-based. After choosing a model, the organization must select and implement different access control technologies and techniques. Access control matrices, restricted interfaces, and content-dependent, context-dependent, and rule-based controls are just a few of the choices.

Centralized Access Control Administration

Authentication in this client/server architecture is handled by an AAA protocol, where AAA stands for authentication, authorization, and auditing. Depending upon the protocol, there are different ways to authenticate a user. The traditional authentication protocols are Password Authentication Protocol (PAP) and Challenge Handshake Authentication Protocol (CHAP), and a newer method is referred to as Extensible Authentication Protocol (EAP).

Remote Authentication Dial-In User Service (RADIUS) is a network protocol that provides client/server authentication and authorization, and audits remote users. RADIUS uses UDP. Terminal Access Controller Access Control System (TACACS) provides the same functionality as RADIUS, with a few differences in some of its characteristics. TACACS uses TCP. RADIUS encrypts the user's password only as it is being transmitted from the RADIUS client to the RADIUS server. Other information, such as the username, accounting data, and authorized services, is passed in cleartext. TACACS+ encrypts all of this data between the client and server and thus does not have the vulnerabilities inherent in the RADIUS protocol.
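To make the RADIUS cleartext point concrete, here is an added example (not code from the original post): it builds a minimal Access-Request using the User-Password hiding from RFC 2865 section 5.2 and shows that a packet observer reads the User-Name attribute directly, while the password attribute can only be reversed by a party holding the shared secret. The secret, username and password are constructed sample values.

```python
import hashlib
import os
import struct

# Constructed sample values for the demonstration (not from the original post).
SHARED_SECRET = b"example-shared-secret"
USERNAME = b"alice"
PASSWORD = b"correct horse battery"


def hide_user_password(password, secret, authenticator):
    """RFC 2865 5.2: pad the password to a 16-byte multiple, then XOR each
    16-byte chunk with MD5(secret + previous ciphertext chunk), seeded with
    the 16-byte Request Authenticator. This is obfuscation, not strong encryption."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_user_password(hidden, secret, authenticator):
    """Inverse of hide_user_password, as performed by the RADIUS server."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, authenticator, ident=1):
    """Minimal Access-Request (Code 1) with User-Name (1) and User-Password (2)."""
    attrs = struct.pack("BB", 1, 2 + len(username)) + username
    hidden = hide_user_password(password, secret, authenticator)
    attrs += struct.pack("BB", 2, 2 + len(hidden)) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attributes(packet):
    """Walk the TLV attribute list as a sniffer would; no secret is needed."""
    attrs, pos = {}, 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


def on_the_wire_visibility(secret=SHARED_SECRET):
    """Return (username readable in clear, password readable in clear, server recovers password)."""
    authenticator = os.urandom(16)
    pkt = build_access_request(USERNAME, PASSWORD, secret, authenticator)
    seen = parse_attributes(pkt)
    recovered = reveal_user_password(seen[2], secret, authenticator)
    return seen[1] == USERNAME, PASSWORD in pkt, recovered == PASSWORD
```

Run `on_the_wire_visibility()` to get `(True, False, True)`: the username is in the clear, the password is not, and only the secret holder recovers it. This is why a compromised or guessable shared secret undermines RADIUS password confidentiality.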

RADIUS is the appropriate protocol when simplistic username/password authentication can take place and users only need an Accept or Deny for obtaining access, as in ISPs. TACACS+ is the better choice for environments that require more sophisticated authentication steps and tighter control over more complex authorization activities, as in corporate networks.

Diameter is another AAA protocol that provides the same type of functionality as RADIUS and TACACS+ but also provides more flexibility and capabilities to meet the new demands of today's complex and diverse networks. RADIUS and TACACS+ are client/server protocols, which means the server portion cannot send unsolicited commands to the client portion. Diameter is a peer-based protocol that allows either end to initiate communication.

Decentralized Access Control Administration

A decentralized access control administration method gives control of access to the people closer to the resources—the people who may better understand who should and should not have access to certain files, data, and resources. Centralized access control administration is nonetheless recommended in practice, to maintain the privacy of the system.
