WEBVTT

00:00.270 --> 00:06.510
When you think about all of the many many types of resources we have on our networks and on the internet

00:06.510 --> 00:12.580
in general the idea of giving people access to different types of resources can be boggling.

00:12.630 --> 00:18.900
I mean I've got some little cameras at my house that I can get people to have access to just by typing

00:18.900 --> 00:20.840
in a username and password.

00:20.850 --> 00:26.250
But I have Windows file servers that require people to be members of domains that have all types of

00:26.520 --> 00:28.950
authentication and authorization controls to it.

00:28.950 --> 00:36.310
So the idea of controlling access to resources is a really really big deal.

00:36.330 --> 00:41.610
Now the first thing I want to do is make sure we're aware of the three types of access control that

00:41.610 --> 00:47.430
you're going to see on the exam when we talk about authorization models what we're talking about is

00:47.790 --> 00:55.070
how over time have we developed the concept of how we apply authorization mainly to resources more than

00:55.070 --> 00:55.570
anything else.

00:55.570 --> 00:59.150
So this is almost more of a permissions issue than anything else.

00:59.150 --> 01:05.790
Now back in if you go way back in time like in the 50s or so we would use what was known as a mandatory

01:05.790 --> 01:10.860
access control a mandatory access control worked by taking some chunk o resource.

01:10.860 --> 01:17.550
Keep in mind a lot of this predates computers and labeling it in some fashion and based on what type

01:17.550 --> 01:20.790
of permission you had to determine what type of labels you can read.

01:20.790 --> 01:27.300
Probably the most classic example here in the U.S. is top secret secret confidential or public where

01:27.300 --> 01:34.080
we separate based on the type of clearance somebody has and they back in the old days they would physically

01:34.080 --> 01:36.310
label different types of documents.

01:36.330 --> 01:42.750
Now that actually did tie into the computer world a little bit but mandatory access control is a concept

01:43.050 --> 01:46.130
doesn't really work that perfectly in the computer world.

01:46.290 --> 01:52.650
Instead what we have are what are known as discretionary access controls a discretionary access control

01:52.650 --> 01:59.940
simply means that whoever created the resource whoever wrote the word document whoever set up that Excel

01:59.940 --> 02:06.540
database is the creator owner and as the creator owner they have discretion about who they can apply

02:06.840 --> 02:08.070
that type of access to.

02:08.070 --> 02:13.890
So if I create this database I is the creator owner can say you get this type of permission you get

02:13.890 --> 02:15.140
that type of permission.

02:16.050 --> 02:21.270
There's nothing wrong with discretionary access controls but it missed one really really important feature

02:21.270 --> 02:23.280
and that is the concept of roles.

02:23.340 --> 02:26.220
People have different roles when it comes to data.

02:26.220 --> 02:30.740
They might just be a user they might be a supervisor or they might be the creator or owner of it.

02:30.900 --> 02:36.600
So the third type of strategy and the one we see more commonly than anything else is known as a role

02:36.600 --> 02:38.340
based access control.

02:38.460 --> 02:45.420
Most modern operating systems subscribe to the concept a role based access control allows you to apply

02:45.480 --> 02:52.020
access controls to a resource by your role in the Windows world that manifests beautifully in groups.

02:52.020 --> 02:58.050
So we have a group called bosses or we'll have a group called administrators or we can have a group

02:58.050 --> 03:04.200
called accountants and based on that role we can apply different types of rights and permissions so

03:04.200 --> 03:09.330
that the people can do the job that they need to do in order to make access control work.

03:09.330 --> 03:12.930
We have to have access control lists now.

03:12.990 --> 03:18.480
Anything that means access control is going to have some kind of access control list and access control

03:18.480 --> 03:23.130
list could just be a list of usernames and passwords it could be a big complicated database.

03:23.130 --> 03:26.640
It could be anything and it manifests in a lot of different ways.

03:26.640 --> 03:31.560
So what I want to do is kind of march through some different types of access control as you might run

03:31.560 --> 03:32.850
into in the real world.

03:32.850 --> 03:37.380
So one of the first place I'd like to start is with a little old Cisco router that I have up and running

03:37.380 --> 03:39.450
as my VPN.

03:40.000 --> 03:45.090
So right over here I've got a putty connection to this old Cisco router that does nothing more than

03:45.090 --> 03:47.090
X as a VPN endpoint for me.

03:47.100 --> 03:52.510
So what I'm going to do I'm going to run in a little command here.

04:01.520 --> 04:06.530
And if you take a look right here you're going to see that I have certain types of permission I'm permitting

04:06.530 --> 04:09.890
particular IP addresses to do certain things.

04:09.890 --> 04:14.930
Now if you look really close you're going to see it says permit permit permit permit permit and there's

04:14.930 --> 04:21.230
a reason for that and that's because any good Access Control List is going to have what we call an implicit

04:21.230 --> 04:21.880
deny.

04:21.890 --> 04:27.940
Which basically means unless you specifically allow something to happen it's not going to happen.

04:27.940 --> 04:33.950
So implicit deny is an important point that we see with pretty much any form of access list.

04:33.950 --> 04:34.210
All right.

04:34.220 --> 04:38.170
So that is actually a very simple ACL on a Cisco router.

04:38.360 --> 04:39.570
Let me show you another one.

04:39.590 --> 04:46.130
I happen to have let's see I've got a little S-sh server running here so I've got this S-sh server running.

04:46.130 --> 04:51.260
Now if we come over here to users you're going to see that I have three different users right here.

04:51.260 --> 04:52.990
This is the ACL for this.

04:53.120 --> 05:00.860
And not only does it have user name and pass words but also defines what that user can do within that

05:00.860 --> 05:01.880
particular function.

05:01.880 --> 05:04.770
In this case just logging into an S-sh server.

05:05.900 --> 05:09.670
Now we see this type of access control list all over the place.

05:09.740 --> 05:10.900
So let me minimize this.

05:10.910 --> 05:16.340
So in this case what I want to do is I've just got a regular window system up here and let's take a

05:16.340 --> 05:19.970
look at NTFS permission permissions so in this case I've already got it typed.

05:20.150 --> 05:28.610
I'm going to run a command called I cackles and you can see exactly who has what rights to this one

05:28.610 --> 05:35.000
particular folder so you can see there's administrators and users and system and a few other things

05:35.000 --> 05:36.450
in there as well.

05:36.890 --> 05:41.460
So that's really the only serious secret when it comes to access control list.

05:41.480 --> 05:46.430
Make sure you understand that pretty much anything that needs to control access is going to have some

05:46.430 --> 05:47.550
kind of access control.

05:47.570 --> 05:53.150
There's no way we can tell you the 10000 different ways that manifest the type of access controls are

05:53.150 --> 05:56.640
going to be controlled very much by the resource itself.

05:56.870 --> 06:03.770
And also remember that in any given case an implicit deny is always going to be there which means unless

06:03.770 --> 06:19.100
you specifically say something can happen It's not going to take place.