**Access control**

Access control provides a set of methods to identify, organize and manage every function and every data item in a system, and then exposes a single, simple interface. One end of this interface is the application system; the other end is the permission engine. The question the permission engine answers is: does this subject have permission to perform this action (an operation or computation) on this resource? The result it returns is one of three things: yes, no, or an error from the permission engine.

Access control is a technique that almost every system, computer-based or not, needs to use. It restricts a user's access to certain information items, or the use of certain control functions, according to the user's identity and the defined groups the user belongs to. System administrators typically use it to control users' access to servers, directories, files and other network resources.

Access control models

1. Discretionary access control (DAC)

An authorized user may pass permissions on to others independently; changes to permissions are made by privileged users. Linux, Unix and Windows all use this form.
Permission information is stored in one of three structures (access tables):
(1) Access control list (ACL): centred on the object; each object is linked to all the subjects that may access it and the permissions each of them holds.
(2) Access control capability list (ACCL): centred on the subject; each subject lists all the objects it may access and the permissions it holds on them.
(3) Access control matrix (ACM): a binary matrix expressing the permission relation between subjects and objects; it contains redundancy.

Characteristics: data access is flexible and permissions can be transferred freely, but this also brings security problems, so data protection is weak.

2. Mandatory access control (MAC)

Rights management is stricter. Each subject and object is assigned a security level, and each user's access rights follow from the user's own level. Permissions are strictly tied to the security level: they cannot be transferred, and they cannot be changed for an individual user.

Read/write permission examples (two strict mechanisms commonly used by the military):
(1) Write up, read down: effectively prevents information from leaking to lower security levels; protects confidentiality.
(2) Write down, read up: effectively prevents lower levels from tampering with information; protects integrity.
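As an added illustration that is not part of the original article, the following Python implements the two rules above as a small permission engine that answers yes, no, or error, which is the interface described at the top of the page. Rule (1) is the Bell-LaPadula confidentiality rule and rule (2) is the Biba integrity rule; the level names, subjects and objects are constructed for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    """Ordered security levels (names constructed for this example)."""
    PUBLIC = 0
    CONFIDENTIAL = 1
    SECRET = 2

@dataclass(frozen=True)
class Subject:
    name: str
    level: Level  # clearance (confidentiality) or trust level (integrity)

@dataclass(frozen=True)
class Obj:
    name: str
    level: Level  # classification of the data

def confidentiality_allows(subject: Subject, obj: Obj, action: str) -> bool:
    """Rule (1), 'write up, read down': read only at or below your own level,
    write only at or above it, so data can never flow to a lower level."""
    if action == "read":
        return obj.level <= subject.level
    if action == "write":
        return obj.level >= subject.level
    raise ValueError(f"unknown action {action!r}")

def integrity_allows(subject: Subject, obj: Obj, action: str) -> bool:
    """Rule (2), 'write down, read up': read only at or above your own level,
    write only at or below it, so low-trust input can never taint higher-trust data."""
    if action == "read":
        return obj.level >= subject.level
    if action == "write":
        return obj.level <= subject.level
    raise ValueError(f"unknown action {action!r}")

def decide(subject: Subject, obj: Obj, action: str, policy) -> str:
    """Permission-engine interface from the top of the page: 'yes', 'no' or 'error'."""
    try:
        return "yes" if policy(subject, obj, action) else "no"
    except ValueError:
        return "error"  # the engine could not evaluate the request

# Constructed sample: a SECRET analyst may read a PUBLIC bulletin board but not
# write to it (that would be a "write down" and could leak SECRET data).
analyst, bulletin = Subject("analyst", Level.SECRET), Obj("bulletin", Level.PUBLIC)
assert decide(analyst, bulletin, "write", confidentiality_allows) == "no"
```

Passing `integrity_allows` instead of `confidentiality_allows` to `decide` switches the engine to rule (2), where the same analyst may write down to the bulletin but may no longer read it.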

3. Role-based access control (RBAC)

Users are no longer considered individually but are organized into groups, and an object's permissions are bundled into roles. A role has its own specific abilities, so a user obtains permissions by way of a role rather than directly.

In this way the flexibility of free assignment is preserved (a user can take on different roles to obtain different permissions), while the strictness of access is also guaranteed (roles are fixed, cannot be combined freely, and obtaining a role is controlled).
The administrator decides who obtains a role and when roles are added or deleted; access is not taken freely. This is the difference between RBAC and DAC.
Permissions are organized by role, and a role may obtain permissions at different security levels, so there is no concept of a security level; roles are added as needed. This is the difference between RBAC and DAC.

Basic principles of access control models

(1) Principle of least privilege: assign a subject only the minimum power it needs, and no more.
(2) Principle of minimum leakage: while exercising its authority, a subject should obtain as little information as possible.
(3) Multilevel security policy: take the security level of information into account, so that high-level information does not leak to low-level subjects.

Implementation strategies

* Access control
* Network permission restriction
* Directory-level security control
* Attribute (property) security control
* Network server security control
* Network monitoring and lock control
* Network port and node security control
* Firewall control

©2019-2020 Toolsou All rights reserved.