2ND SEMESTER
A.Y. 2022 – 2023 |AIS 11
LESSON 5 AND 6
ACCESS CONTROL
is the method by which systems determine
whether and how to admit a user into a trusted.
AREA OF THE ORGANIZATION
that is, information systems, restricted areas such
as computer rooms, and the entire physical
location.
Access control can be:
MANDATORY ACCESS CONTROLS
(MACs)
 use data classification schemes; they
give users and data owners limited
control over access to information
resources.
 A variation of this form of access control
is called lattice-based access control, in
which users are assigned a matrix of
authorizations for particular areas of
access.
 With this type of control, the column of
attributes associated with a particular
object is referred to as an access control
list (ACL).
 The row of attributes associated with a
particular subject is referred to as a
capabilities table.
NONDISCRETIONARY CONTROLS
 are a strictly-enforced version of MACs
that are managed by a central authority
in the organization and can be based on
an individual’s role—role-based controls
—or a specified set of tasks (subject- or
object-based)—task-based controls.
DISCRETIONARY ACCESS CONTROLS
(DACs)
 are implemented at the discretion or
option of the data user.
In general, all access control approaches rely
on as the following mechanism:
1. IDENTIFICATION
Identification is a mechanism whereby an
unverified entity—called a supplicant—that seeks
access to a resource proposes a label by which
they are known to the system. The label applied
to the supplicant (or supplied by the supplicant) is
called an identifier (ID).
2. AUTHENTICATION
Authentication is the process of validating a
supplicant’s purported identity.
There are three widely used authentication
mechanisms, or authentication factors:
a. Something a Supplicant Knows
 This factor of authentication
relies upon what the supplicant
knows and can recall—for
example, a password,
passphrase, or other unique
authentication code, such as a
personal identification number
(PIN).
 A password is a private word
or combination of characters
that only the user should know.
 A passphrase is a series of
characters, typically longer
than a password, from which a
virtual password is derived.
b. Something a Supplicant Has
 This authentication factor relies
upon something a supplicant
has and can produce when
necessary. One example is
dumb cards, such as ID cards
or ATM cards with magnetic
stripes containing the digital
(and often encrypted) user PIN,
against which the number a
user input is compared.
 Another common device is the
token, a card or key fob with a
computer chip and a liquid
crystal display that shows a
computer-generated number
used to support remote login
authentication. Once
synchronous tokens are
synchronized with a server,
both devices (server and token)
use the same time or a time-
based database to generate a
number that must be entered
during the user login phase.
 Asynchronous tokens, which
don’t require that the server
and tokens all maintain the
same time setting, use a
challenge/response system, in
which the server challenges the
supplicant during login with a
numerical sequence.
c. Something a Supplicant Is or Can
Produce
 This authentication factor relies
upon individual characteristics,
such as fingerprints, palm
prints, hand topography, hand
geometry, or retina and iris
scans, or something a
supplicant can produce on
demand, such as voice
DACUSIN, SHAINA MAE R. | 1
AIS 11 2ND SEMESTER | LESSON 5 AND 6
patterns, signatures, or There are three subsets of packet-filtering
keyboard kinetic firewalls:
measurements. a. Static filtering requires that the filtering
rules be developed and installed with
3. AUTHORIZATION the firewall.
Authorization is the matching of an authenticated b. A dynamic filtering firewall can react
entity to a list of information assets and to an emergent event and update or
corresponding access levels. This list is usually create rules to deal with that event.
an ACL or access control matrix. c. Stateful inspection firewalls, also
called stateful firewalls, keep track of
In general, authorization can be handled in one of each network connection between
three ways: internal and external systems using a
a. Authorization for each authenticated state table. A state table tracks the state
user and context of each packet in the
b. Authorization for members of the conversation by recording which station
group sent what packet and when.
c. Authorization across multiple
systems Firewalls categorized by generation
Firewalls are also frequently categorized by their
Authorization credentials (sometimes called position on a developmental continuum—that is,
authorization tickets) are issued by an by generation. At present, there are five generally
authenticator and are honored by many or all recognized generations of firewalls, and these
systems within the authentication domain. generations

4. ACCOUNTABILITY 1. FIRST GENERATION FIREWALLS

Accountability, also known as auditability, firewalls are static packet-filtering firewalls—that
ensures that all actions on a system—authorized is, simple networking devices that filter packets
or unauthorized—can be attributed to an according to their headers as the packets travel
authenticated identity. to and from the organization’s networks.

FIREWALLS SECOND GENERATION FIREWALLS

are application-level firewalls or proxy servers—
A firewall in an information security program is
that is, dedicated systems that are separate from
similar to a building’s firewall in that it prevents
the filtering router and that provide intermediate
specific types of information from moving
services for requestors.
between the outside world, known as the
untrusted network (for example, the Internet), and
the inside world, known as the trusted network. THIRD GENERATION FIREWALLS
are stateful inspection firewalls, which, as
Firewalls can be categorized by: described previously, monitor network
connections between internal and external
systems using state tables.
FIREWALL PROCESSING MODES
 Firewalls fall into five major processing- FOURTH GENERATION FIREWALLS
mode categories. Hybrid firewalls use a which are also known as dynamic packet-filtering
combination of the other four modes, firewalls, allow only a particular packet with a
and in practice, most firewalls fall into particular source, destination, and port address to
this category, since most firewall enter.
implementations use multiple
approaches.
 The packet-filtering firewall, also simply
FIFTH GENERATION FIREWALLS
called a filtering firewall, examines the include the kernel proxy, a specialized form that
header information of data packets that works under Windows NT Executive, which is the
come into a network. kernel of Windows NT. This type of firewall
evaluates packets at multiple layers of the
 Packet-filtering firewalls scan network
protocol stack, by checking security in the kernel
data packets looking for compliance with
as data is passed up and down the stack.
or violation of the rules of the firewall’s
database. Filtering firewalls inspect
packets at the network layer, or Layer 3,
of the Open Systems Interconnect (OSI)
model, which represents the seven
layers of networking processes.

DACUSIN, SHAINA MAE R. | 2

AIS 11 2ND SEMESTER | LESSON 5 AND 6
FIREWALLS CATEGORIZED BY
STRUCTURE
Firewalls can also be categorized by the
structures used to implement them:
COMMERICAL-GRADE FIREWALL
APPLIANCES
Firewall appliances are stand-alone, self-
contained combinations of computing hardware
and software.
COMMERCIAL-GRADE FIREWALLS
SYSTEM
A commercial-grade firewall system consists of
application software that is configured for the
firewall application and run on a general-purpose
computer.
SMALL OFFICE/ HOMEOFFICE (SOHO)
FIREWALL APPLIANCES
These devices, also known as broadband
gateways or DSL/cable modem routers, connect
the user’s local area network or a specific
computer system to the Internetworking device—
in this case, the cable modem or DSL router
provided by the Internet service provider (ISP).
In recent years, the broadband router devices
that can function as packet-filtering firewalls have
been enhanced to combine the features of
Wireless Access Points (WAPs) as well as small
stackable LAN switches in a single device. These
convenient combination devices give the
residential/SOHO user the strong protection that
comes from the use of Network Address
Translation (NAT) services.
NAT assigns non-routing local addresses to the
computer systems in the local area network and
uses the single ISP-assigned address to
communicate with the Internet.
RESIDENTIAL-GRADE FIREWALL
SOFTWARE
Another method of protecting the residential user
is to install a software firewall directly on the
user’s
system. These applications claim to detect and
prevent intrusion into the user’s system without
affecting usability.
VIRTUAL PRIVATE NETWORKS
(VPNs)
A virtual private network (VPN) is a private and
secure network connection between systems that
uses the data communication capability of an
unsecured and public network.
There are three VPN Technologies:
1. A trusted VPN, also known as legacy
VPN, uses leased circuits from a service
provider and conducts packet switching
over these leased circuits.
2. Secure VPNs use security protocols
and encrypt traffic transmitted across
unsecured public networks like the
Internet.
3. A hybrid VPN combines the two,
providing encrypted transmissions (as in
secure VPN) over some or all of a
trusted VPN network.
CRYPTOLOGY
The science of encryption, known as cryptology,
encompasses cryptography and cryptanalysis.
Cryptography, which comes from the Greek
words kryptos, meaning “hidden,” and graphein,
meaning “to write,” is the process of making and
using codes to secure the transmission of
information.
CRYPTONALYSIS
is the process of obtaining the original message
(called the plaintext) from an encrypted message
(called the ciphertext) without knowing the
algorithms and keys used to perform the
encryption.
ENCRYPTION
is the process of converting an original message
into a form that is unreadable to unauthorized
individuals. Decryption is the process of
converting the ciphertext message back into
plaintext so that it can be readily understood.
TERMINOLOGIES
To understand the fundamentals of cryptography,
you must know the meanings of the following
terms:
ALGORITHM
The programmatic steps used to convert an
unencrypted message into an encrypted
sequence of bits that represent the message;
sometimes refers to the programs that enable the
cryptographic processes.
CIPHER OR CRYPTOSYSTEM
An encryption method or process encompassing
the algorithm, key(s) or cryptovariable(s), and
procedures used to perform encryption and
decryption.
CIPHERTEXT OR CRYPTOGRAM
The encoded message resulting from an
encryption.
DACUSIN, SHAINA MAE R. | 3
AIS 11 2ND SEMESTER | LESSON 5 AND 6

CODE
The process of converting components (words or
phrases) of an unencrypted message into
encrypted components.

DECIPHER
To decrypt, decode, or convert, ciphertext into the
equivalent plaintext

ENCIPHER
To encrypt, encode, or convert, plaintext into the
equivalent ciphertext

KEY OR CRYPTOVARIABLE
The information used in conjunction with an
algorithm to create the ciphertext from the
plaintext or derive the plaintext from the
ciphertext

KEYSPACE
The entire range of values that can be used to
construct an individual key.

LINK ENCRYPTION
A series of encryptions and decryptions between
a number of systems, wherein each system in a
network decrypts the message sent to it and then
reencrypts it using different keys and sends it to
the next neighbor, and this process continues
until the message reaches the final destination.

PLAINTEXT OR CLEARTEXT
The original unencrypted message, or a message
that has been successfully decrypted.

STEGANOGRAPHY
The hiding of messages—for example, within the
digital encoding of a picture or graphic.

WORK FACTOR
The amount of effort (usually in hours) required to
perform cryptanalysis to decode an encrypted
message when the key or algorithm (or both) are
unknown

DACUSIN, SHAINA MAE R. | 4