Welcome to our second article in the Information Security series. Today’s topic is the AAA Security (Triple A) principle, an important topic that you should never miss. So, stay here and bear with us.
What is AAA?
The AAA we mean is not that thin battery you use for your TV or air conditioner’s remote. AAA Security (pronounced “triple A”) is a security framework that derives its name from its three main services: Authentication, Authorization, and Accounting. AAA Security is an essential security concept for the protection of your organization’s information systems.
In simple words, the AAA Security framework checks and authenticates the identity of the subject attempting to access a resource (object). If authenticated, it next checks the access policy to verify whether that subject is authorized to access the requested object. In all cases, the entire process is monitored and audited, so that the subject (or user) is accountable for his actions.
This is the AAA Security concept in brief. Now, let’s discuss it in some detail.
To learn about the differences between subject and object, and the relation between both, refer to the previous article Introduction to Information Security.
What are the components of AAA Security?
Although it is called triple A as an abbreviation of the three words Authentication, Authorization, and Accounting, AAA Security consists of five components. Each component represents a phase (step) in the access control process. The five phases are: Identification, Authentication, Authorization, Auditing, and Accounting (Accountability). Let’s take them step by step.
Identification
The Identification process is the first step, and it occurs when a subject initiates an attempt to access an object (data, a computer, or a network resource). The process requires the subject to present his/its identity. The identity could be a username, a fingerprint, a smart card, an IP address, or a computer process (program) ID.
Authentication
The identity presented by the subject is just a claim. Anybody can type any username, spoof a MAC or IP address, or steal a smart card. So, this claimed identity must be verified before the subject is granted the required access to the object. This verification process is called Authentication.
In simpler words, Authentication is the process of verifying that you are truly the one you claim to be. The most popular authentication method is password authentication, where the user requesting access is prompted (after typing his username) to enter his “secret” password. Once entered, this password is compared with a privately stored database of users and passwords.
Password authentication is an example of what we call “something you know”. Other authentication mechanisms are “something you have” (like smart cards and tokens) and “something you are” (like fingerprints and face recognition). These authentication types will be discussed in detail in a later article.
Authorization
After successful authentication, one might suppose that the subject will simply be granted the required access. Access is granted only if the subject has the rights to access the object. This process is called Authorization. Authorization can be decided based on file and directory permissions (in Windows, UNIX and Linux), SELinux security contexts (in Linux), or a mix of both permissions and security contexts.
Auditing
Starting from the moment a subject identifies himself/itself, and even before he proves his identity with authentication, the system starts to audit (record or log) all of the subject’s actions. So, Auditing can be defined as the process of logging or recording subject activities and access attempts (whether successful or not) against objects. Usually, audit records are written to log files and/or forwarded to a centralized log server (like a Syslog server).
Accountability
Accountability is to guarantee that subjects are accountable (responsible) for their actions. Accountability depends on both Authentication and Auditing: Authentication verifies the identity of the subject, while Auditing presents the proof that this specific subject was involved in an activity and hence is accountable for it.
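To see how the five phases fit together, here is a small access mediator written as an added example for this article (it is not code from the original post). The user store, the access policy and the object names are constructed; passwords are kept only as salted PBKDF2 hashes, as a real store should keep them, and every phase writes an audit record so the trail can later hold the subject accountable.

```python
import hashlib, hmac
from datetime import datetime, timezone

def _pw_hash(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)

# Constructed credential store: only salted hashes are kept, never the passwords
_SALT = b"constructed-salt-alice"
USERS = {"alice": {"salt": _SALT, "hash": _pw_hash(b"correct horse", _SALT)}}
# Constructed access policy: object -> subject -> permitted actions
ACL = {"payroll.db": {"alice": {"read"}}}
AUDIT_LOG = []   # stand-in for a log file or a syslog forwarder

def audit(subject, obj, action, phase, outcome):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "subject": subject,
                      "object": obj, "action": action, "phase": phase, "outcome": outcome})

def authenticate(username, password: bytes) -> bool:
    rec = USERS.get(username)
    if rec is None:
        _pw_hash(password, b"dummy-salt")   # unknown users cost the same time as known ones
        return False
    return hmac.compare_digest(rec["hash"], _pw_hash(password, rec["salt"]))

def authorize(username, obj, action) -> bool:
    return action in ACL.get(obj, {}).get(username, set())

def access(username, password, obj, action) -> str:
    """Identification -> Authentication -> Authorization, auditing every phase."""
    audit(username, obj, action, "identification", "claimed")   # the identity is only a claim here
    if not authenticate(username, password.encode()):
        audit(username, obj, action, "authentication", "denied")
        return "denied: authentication failed"
    audit(username, obj, action, "authentication", "ok")
    if not authorize(username, obj, action):
        audit(username, obj, action, "authorization", "denied")
        return "denied: not authorized"
    audit(username, obj, action, "authorization", "granted")
    return "granted"

def actions_of(subject):
    """Accountability: the audit trail ties each recorded attempt back to its subject."""
    return [(e["phase"], e["object"], e["action"], e["outcome"])
            for e in AUDIT_LOG if e["subject"] == subject]
```

Note that a failed authentication is still logged, but only under the claimed name: until authentication succeeds, the record proves an attempt was made with that identity, not that the real person made it.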
Technical Implementations of AAA
There are two main protocols that implement the AAA Security services in computer networks: RADIUS and TACACS+.
RADIUS
The Remote Authentication Dial-In User Service, or RADIUS, is a network security protocol for controlling access to networks. RADIUS provides Authentication, Authorization and Accounting services.
This is done by maintaining a single database of user accounts. RADIUS authenticates a user, then provides information about the type of service this user is allowed (Authorization). Upon granting access to the user, the accounting process starts.
The RADIUS server collects information about the user: his username, when he logged in and logged out, and his IP address.
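To make the RADIUS exchange concrete, here is an added example (not from the original article) of a minimal Access-Request / Access-Accept round trip as RFC 2865 specifies it: the network access server hides the User-Password under the shared secret and a random Request Authenticator, the RADIUS server recovers the password, decides, and signs its reply with the Response Authenticator, which the client verifies before trusting the verdict. The shared secret, the user name and the user database are constructed.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3   # RFC 2865 packet codes
USER_NAME, USER_PASSWORD = 1, 2                          # attribute types

def _md5_chain(data, secret, req_auth, hiding):
    # RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        blk = data[i:i + 16]
        x = bytes(p ^ q for p, q in zip(blk, hashlib.md5(secret + prev).digest()))
        out, prev = out + x, (x if hiding else blk)
    return out

def hide_password(pw, secret, req_auth):     # NUL-pad to a 16-byte multiple first
    return _md5_chain(pw + b"\x00" * (-len(pw) % 16), secret, req_auth, True)
def reveal_password(hidden, secret, req_auth):
    return _md5_chain(hidden, secret, req_auth, False).rstrip(b"\x00")

def attr(t, value):                          # Type, Length (incl. header), Value
    return struct.pack("!BB", t, 2 + len(value)) + value

def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        attrs[t], i = data[i + 2:i + l], i + l
    return attrs

def build_access_request(ident, user, pw, secret):
    """Client (NAS) side: fresh random Request Authenticator, password hidden under the secret."""
    req_auth = os.urandom(16)
    attrs = attr(USER_NAME, user) + attr(USER_PASSWORD, hide_password(pw, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs

def server_respond(request, secret, user_db):
    """RADIUS server side: recover the password, decide, sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, a = request[4:20], parse_attrs(request[20:length])
    pw = reveal_password(a.get(USER_PASSWORD, b""), secret, req_auth)
    ok = hmac.compare_digest(user_db.get(a.get(USER_NAME), b"\x00"), pw)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)        # no reply attributes, so length 20
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()

def client_verify(request, response, secret):   # NAS checks the reply before trusting it
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)
```

The User-Password hiding is only a keyed MD5 stream, so its strength rests entirely on the shared secret; deployments that care about the password in transit protect the transport (for example RADIUS over TLS, RFC 6614) rather than rely on this hiding alone.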
TACACS+
The Terminal Access Controller Access-Control System Plus (TACACS+) is a network protocol used to manage and provide access control to network devices (switches, routers, firewalls, and IPS devices).
The TACACS+ server provides the AAA security services to its clients (network devices). It “authenticates” users, and controls what privileges each user has, the maximum session duration for a user, and what commands the user is “authorized” to run (execute).
It also collects information for auditing and “accounting” purposes, such as the username, session start and stop times, and the commands executed.
Defense in Depth
Defense in Depth?! What is it? Is it a football tactic?!
“Oh, that is funny! But a good point, really! Why don’t we take the analogy from football tactics?”
The Layered Defense, or Defense in Depth, concept is much like a football game when team A loses the ball. First, the striker(s) of team A should put some pressure on the team B defender who has the ball.
The goal of applying such pressure is to form an early defense line, making it difficult for that defender either to move forward or to pass the ball to another player.
The result of the team A striker’s pressure on the team B defender would be one of: winning the ball and launching a dangerous counter-attack, a bad pass to another team B player who can hardly control the ball, or a correct pass to a team B midfielder.
If the defender beats the pressure and passes the ball forward to his midfielder, then team A activates its second defense line, the midfielders. The midfielders should now press the player who has the ball to prevent him from going further. If they succeed, fine.
If they fail to get the ball back, and team B gets close to team A’s 18-yard box, then the last defense line (the defenders) comes into play.
So, Defense in Depth or Multi-layered Defense can be defined as implementing multiple security countermeasures (controls, or safeguards) in sequence.
Let’s take the football example into the computer and information systems world and see how it applies. Consider an organization’s network that consists of the following components:
- First layer: a perimeter (edge) firewall that filters incoming traffic from the outside (untrusted) networks. As most firewalls do, it bases its decision on the source IP address, destination IP address, and destination port.
- Second layer: an Intrusion Prevention System (IPS) installed in series (inline) just after the perimeter firewall. Its function is to perform deep packet inspection and compare network traffic packets against a list of signatures (rules). If it detects any sign of an attack attempt, it drops the malicious packet(s) and sends an alert to the network security administrators.
- Third layer: the organization’s core (backbone) switch, which receives traffic and decides to which VLAN it should be directed. The core switch may contain firewall and IPS modules for further inspection of the incoming traffic.
- Fourth layer: the target host itself. Each host (server, laptop, or PC) should be able to defend itself. Possible host defenses include, but are not limited to: the host operating system firewall (like Microsoft Windows Defender, Linux iptables / firewalld, and AIX ipsec), installing antivirus software and keeping its definitions database up to date, installing security patches, using strong authentication, using host IPS (HIPS) software, taking regular backups, and encrypting critical data.
- Last and most important layer: the user, the human. We should raise staff awareness through regular and continuous security awareness training, awareness emails, and workshops.
“Wow, with all these security countermeasures implemented, the organization’s information system must be very secure.”
We don’t want to be silly or disappointing, but an important principle to know about security is that nothing is 100% secure. All the above safeguards will be useless if a careless employee opens a suspicious email attachment (containing a virus or malware) from an unknown source, or if the physical security of the organization’s premises is breached.
Multi-layered Defense in Physical Security
Another example is the physical security of a building. Armed security guards stand in front of the building entrances. The entrance itself may be a strong iron gate that is difficult to pass or break.
An authorized person (like an employee) must use an access card or fingerprint to enter the building. Cameras exist everywhere in the building to record all actions on a 24×7 basis.
Motion detectors should also exist in the restricted areas to detect suspicious motion and fire an alert when it is seen. Access control machines should also exist at the entry points of each floor. Mantraps with different access methods (one door with an access card and the other with a fingerprint) could also be used before allowing a person to enter a restricted area.
A clean desk policy should be in place to prevent employees from leaving important documents on their desks. Old or obsolete documents should never just be thrown carelessly in the trash; they should be shredded using a paper shredder.
Why Defense in Depth?
The power of implementing a multi-layered defense strategy is that if one layer of security is compromised, the next line (layer) of defense will mitigate the threat and stop it, or at least detect it and warn the security/admin in charge so that he can take the necessary actions to stop the threat.
If that second defense layer is also beaten, the next defense line in sequence would hopefully stop, quarantine, slow down, or detect the attack. So, a series of defenses is implemented to make sure that if one countermeasure is penetrated, the next is ready to defend, and so on.
In the next article, we are going to talk about Due Care and Due Diligence, another interesting topic that is worth waiting for. So, stay tuned.