CISSP AIO 3th: Access Control

Posted: 2015-07-06 23:05:38


This chapter presents the following:

• Identification methods and technologies

• Authentication methods, models, and technologies

• Discretionary, mandatory, and nondiscretionary models

• Accountability, monitoring, and auditing practices

• Emanation security and technologies

• Intrusion detection systems

• Threats to access control practices and technologies

 

This chapter mainly covers the following:

• Identification methods and technologies

• Authentication methods, models, and technologies

• Discretionary, mandatory, and nondiscretionary access control

• Accountability, monitoring, and auditing practices

• Emanation security and technologies

• Intrusion detection

• Threats to access control practices and technologies

 

A cornerstone in the foundation of information security is controlling how resources are accessed so they can be protected from unauthorized modification or disclosure. The controls that enforce access control can be technical, physical, or administrative in nature. These control types need to be integrated into policy-based documentation, software and technology, network design, and physical security components.

 

One foundation of information security is controlling how resources are accessed, so as to protect them from unauthorized modification or disclosure. Access controls can be technical, physical, or administrative. These control types must be integrated into policy-based documentation, software and technology, network design, and physical security components.

 

Access is one of the most exploited aspects of security, because it is the gateway that leads to critical assets. Access controls need to be applied in a layered defense-in-depth method, and an understanding of how these controls are exploited is extremely important. In this chapter we will explore access control conceptually and then dig into the technologies the industry puts in place to enforce these concepts. We will also look at the common methods the bad guys use to attack these technologies.

 

Access is the aspect of security most in need of control enforcement, because it is the gateway to critical assets. Access controls need to be applied in a defense-in-depth manner, and understanding how these controls are implemented is very important. In this chapter we describe the concept of access control and the technologies used in practice to enforce these concepts, and also touch on the methods used to attack these technologies.

 

3.1 Access Controls Overview

Access controls are security features that control how users and systems communicate and interact with other systems and resources. They protect the systems and resources from unauthorized access and can be components that participate in determining the level of authorization after an authentication procedure has successfully completed. Although we usually think of a user as the entity that requires access to a network resource or information, there are many other types of entities that require access to other network entities and resources that are subject to access control. It is important to understand the definition of a subject and an object when working in the context of access control.

 

Access controls are security technologies that control how users and systems communicate and interact with other systems and resources. They protect systems and resources from unauthorized access and determine the level of authorization once authentication has succeeded. Although a user is usually thought of as the entity that accesses network resources or information, there are in fact many other kinds of entities. When working in the context of access control, it is very important to understand the concepts of subject and object.

 

Access is the flow of information between a subject and an object. A subject is an active entity that requests access to an object or the data within an object. A subject can be a user, program, or process that accesses an object to accomplish a task. When a program accesses a file, the program is the subject and the file is the object. An object is a passive entity that contains information or needed functionality. An object can be a computer, database, file, computer program, directory, or field contained in a table within a database. When you look up information in a database, you are the active subject and the database is the passive object. Figure 3-1 illustrates subjects and objects.

 

Access is the flow of information between a subject and an object. A subject is an active entity that needs to access an object or the data within an object. A subject may be a user, a program, or a process. When a program accesses a file, the program is the subject and the file is the object. An object is a passive entity that contains information or needed functionality. An object may be a computer, a database, a file, a computer program, a directory, or a field in a database table. When you query information in a database, you are the active subject and the database is the passive object.

 

Access control is a broad term that covers several different types of mechanisms that enforce access control features on computer systems, networks, and information. Access control is extremely important because it is one of the first lines of defense in battling unauthorized access to systems and network resources. When a user is prompted for a username and password to use a computer, this is access control. Once the user logs in and later attempts to access a file, that file may have a list of users and groups that have the right to access it. If the user is not on this list, the user is denied. This is another form of access control. The users’ permissions and rights may be based on their identity, clearance, and/or group membership. Access controls give organizations the ability to control, restrict, monitor, and protect resource availability, integrity, and confidentiality.

 

Access control is a broad concept covering several mechanisms applied to computer systems, networks, and information. Access control is very important because it is the first line of defense against unauthorized access to systems and network resources. When a user enters a username and password to use a computer, that is access control. Once the user has logged in and later tries to access a file, that file may carry a list of the users or groups allowed to access it; if the user is not on that list, access is denied. This is another form of access control. A user's permissions may be based on identity, clearance level, and/or group membership. Access controls give an organization the ability to control, restrict, monitor, and protect the confidentiality, integrity, and availability (CIA) of resources.
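The subject/object model and the file ACL check described in the two paragraphs above, as an added Python example that is not part of the book or of this post. It models a subject (identity, group memberships, clearance level) requesting a permission on an object (a file with a classification and an access control list), and mediates the request with deny-by-default semantics while writing an audit trail. The users, groups, clearance levels and the file name are constructed for illustration, as is the `check_access` function itself.

```python
"""Toy access-control mediation: subjects, objects, ACL entries, deny by default.

Added example, not from the CISSP AIO text; all names below are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum


class Clearance(IntEnum):
    """Ordered sensitivity levels; a subject's clearance must dominate an object's classification."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    SECRET = 3


@dataclass(frozen=True)
class Subject:
    """Active entity (a user, or a program/process acting for a user) that requests access."""
    name: str
    groups: frozenset[str]
    clearance: Clearance


@dataclass
class Obj:
    """Passive entity (file, database, ...) carrying a classification and an ACL.

    ACL keys are principals: "user:<name>" or "group:<name>"; values are permission sets.
    """
    name: str
    classification: Clearance
    acl: dict[str, frozenset[str]] = field(default_factory=dict)


def principals_for(subject: Subject) -> list[str]:
    """Identity first, then group memberships, so the audit trail names the entry that matched."""
    return [f"user:{subject.name}"] + [f"group:{g}" for g in sorted(subject.groups)]


def check_access(subject: Subject, obj: Obj, permission: str, audit: list[str]) -> bool:
    """Mediate one access request and record the decision.

    Deny by default: the request is allowed only if the subject's clearance dominates the
    object's classification AND some ACL entry for the subject's identity or one of its
    groups grants the requested permission.
    """
    if subject.clearance < obj.classification:
        audit.append(f"DENY  {subject.name} {permission} {obj.name}: clearance below classification")
        return False
    for principal in principals_for(subject):
        if permission in obj.acl.get(principal, frozenset()):
            audit.append(f"ALLOW {subject.name} {permission} {obj.name} via {principal}")
            return True
    audit.append(f"DENY  {subject.name} {permission} {obj.name}: no matching ACL entry")
    return False


# Constructed sample subjects and object (hypothetical names, not from the book).
ALICE = Subject("alice", frozenset({"finance"}), Clearance.CONFIDENTIAL)
BOB = Subject("bob", frozenset({"engineering"}), Clearance.SECRET)
CAROL = Subject("carol", frozenset({"finance"}), Clearance.INTERNAL)
PAYROLL = Obj(
    "payroll.xlsx",
    Clearance.CONFIDENTIAL,
    {"group:finance": frozenset({"read"}), "user:alice": frozenset({"read", "write"})},
)


def run_demo() -> tuple[dict[tuple[str, str], bool], list[str]]:
    """Evaluate a few requests against PAYROLL; return the decisions and the audit trail."""
    audit: list[str] = []
    requests = [(ALICE, "read"), (ALICE, "write"), (BOB, "read"), (CAROL, "read")]
    decisions = {(s.name, p): check_access(s, PAYROLL, p, audit) for s, p in requests}
    return decisions, audit


if __name__ == "__main__":
    _, trail = run_demo()
    for line in trail:
        print(line)
```

Two design points match the chapter's framing: nothing is allowed unless a rule explicitly permits it (bob has a high clearance but no ACL entry, so he is denied; carol is in the right group but her clearance is too low, so she is denied before the ACL is even consulted), and every decision, allow or deny, lands in the audit list, which is what later makes accountability and monitoring possible.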

 

To be continued.


Original source: http://www.cnblogs.com/likefrank/p/CISSP_AIO_3th.html
