Week 25

K1.25 Methods of managing and controlling access to digital systems and their application within the design of network security architecture:

Network security architecture is the structure and strategy used to protect a digital system.
A key part of this is controlling who and what has access — ensuring only the right users, devices, and services are allowed through.

Authentication

Definition:
The process by which a system verifies the identity of a user before allowing access.

Application:

  • Passwords, PINs, biometrics, multi-factor authentication (MFA)

  • Used at login portals, VPN access, or system logins

Ensures only authorised users get into the system

Firewall

Definition:
A barrier between a trusted internal network and an untrusted external network, such as the internet.

Application:

  • Can allow or block specific types of traffic (e.g. HTTP, FTP)

  • Can be hardware-based (e.g. routers) or software-based

Controls which services are exposed, protecting against unauthorised external access

Intrusion Detection System (IDS)

Definition:
A system that monitors network or system activity for signs of suspicious behaviour or attacks.

Application:

  • Detects brute-force attacks, unauthorised logins, malware activity

  • Sends alerts to admins for further investigation

Helps identify threats in progress (but does not stop them)

Intrusion Prevention System (IPS)

Definition:
Like IDS, but it can also block malicious activity as it is happening.

Application:

  • Works with firewalls to automatically prevent known threats

  • Can stop malware or hacking attempts in real-time

Helps maintain system integrity and availability by blocking attacks

Network Access Control (NAC)

Definition:
Controls access to a network based on an organisation’s security policies.

Application:

  • Devices must meet certain requirements (e.g. antivirus installed, updated OS)

  • Used in business environments to prevent rogue or insecure devices connecting

Ensures only compliant devices connect to the network

Access Control Models

Access control defines who can access what, under what conditions.

Mandatory Access Control (MAC)

Definition:
Access is granted based on a strict classification and security level hierarchy.

Application:

  • Common in military/government systems

  • Users cannot change permissions

  • Examples: Confidential, Secret, Top Secret levels

High-security environments where access must be centrally controlled

Discretionary Access Control (DAC)

Definition:
Access is controlled by the owner of the resource.

Application:

  • The owner (e.g. file creator) decides who gets access

  • Found in many operating systems (Windows, macOS)

More flexible, but less secure than MAC – suitable for collaborative environments

Attribute-Based Access Control (ABAC)

Definition:
Access is granted based on user attributes (e.g. job title, location, time of access).

Application:

  • Complex environments needing dynamic, flexible control

  • Example: A manager can access payroll systems during office hours from within the building

Allows fine-grained control based on multiple factors

Role-Based Access Control (RBAC)

Definition:
Access is granted based on a user's job role.

Application:

  • Employees are grouped into roles (e.g. admin, HR, technician)

  • Each role has specific permissions

  • A technician may access service tickets, but not payroll

Simplifies management and enforces the principle of least privilege
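
Added example (not part of the original lesson notes): the RBAC technician case and the ABAC manager/payroll case above, written as default-deny checks. The permission sets, the "on_site"/"remote" labels and the 09:00 to 17:00 office hours are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import time

# RBAC: permissions attach to the role, never to the individual user.
# Role names come from the notes; the permission sets are constructed.
ROLE_PERMISSIONS = {
    "technician": {"service_tickets"},
    "hr": {"payroll"},
    "admin": {"service_tickets", "payroll"},
}

def rbac_allows(role: str, resource: str) -> bool:
    # An unknown role maps to an empty set, so the default is deny.
    return resource in ROLE_PERMISSIONS.get(role, set())

@dataclass(frozen=True)
class Request:
    job_title: str
    location: str   # "on_site" or "remote" (assumed labels)
    at: time        # local time of the request
    resource: str

OFFICE_OPEN, OFFICE_CLOSE = time(9, 0), time(17, 0)  # assumed office hours

def abac_decision(req: Request) -> tuple[bool, list[str]]:
    """Evaluate the payroll rule; return (allowed, names of failed attributes)."""
    if req.resource != "payroll":
        return False, ["no_matching_rule"]  # default deny
    checks = {
        "job_title": req.job_title == "manager",
        "location": req.location == "on_site",
        "time": OFFICE_OPEN <= req.at < OFFICE_CLOSE,
    }
    failed = [name for name, ok in checks.items() if not ok]
    return not failed, failed

if __name__ == "__main__":
    print(rbac_allows("technician", "service_tickets"))
    print(rbac_allows("technician", "payroll"))
    print(abac_decision(Request("manager", "on_site", time(10, 30), "payroll")))
    print(abac_decision(Request("manager", "remote", time(22, 0), "payroll")))
```

The same manager is allowed or denied depending on context, and the list of failed attributes gives an audit log something specific to record for each denial.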

Design a Secure Network Access Plan

Scenario:
You're designing access control for a school's network. Staff, students, and guests use the network daily.

Task:
1. For each group (staff, students, guests):
      - Choose 1 access control model (e.g. RBAC for staff)
      - Choose 1 supporting method (e.g. firewall, NAC)
2. Justify your decisions based on:
      - The level of access needed
      - The risks involved
      - How you'll protect against misuse

Extension:
Draw a diagram of how a device is authenticated and granted access through a firewall, NAC, and RBAC.

Class discussion: In small teams, discuss common vulnerabilities. Each team is to select 3 of the following and explain the impact of each, including any security control:

  • Missing patches, firmware and security updates
  • Password vulnerabilities
  • Insecure BIOS/UEFI
  • Misconfigurations
  • Lack of protection software
  • Disposal of data/devices
  • Inadequate backup process
  • DHCP spoofing
  • VLAN attacks
  • Misconfigured firewalls or ACLs
  • Exposed services or ports
  • Ineffective network design
  • Unprotected devices

 

 


Last Updated
2025-07-15 08:36:26
