Access Control: Let the enterprise network remove the hats of "Public Places"

Host-Based Access Control Principle

Network-Based Access Control mainly includes EAPOL and EAPOU, while Host-Based Access Control mainly includes application access control and client access control, because network-based access control requires a relatively large amount of time for deployment and management, enterprise users' network devices do not necessarily support network access. Therefore, host-Based Access Control, which is easy to deploy, is the first choice for many enterprises. This type of deployment is adaptive and has a wide coverage, and does not rely on large configurations like other network devices, it has no significant impact on network performance, and can also implement process-based access control and process-based bandwidth management.

1. Application access control

Egress access control is the most easily implemented terminal security management technology in deployment. The idea is to first access and then control, allow users to use the network, and deploy security control devices (such as firewalls and behavior control gateways) at the exit ).

Application access control

When you access the Internet, you must perform identity authentication and security check on the security device at the exit before you can access the Internet.

Server Control

The advantage of exit access control is that it is easy to deploy and does not need to install clients. It also has features such as traffic control and Internet content audit, so it is widely used. Its disadvantage is that it cannot identify whether a user's identity is fake (such as IP, MAC, and account) and cannot control the spread of viruses over the Intranet, in addition, it is impossible to control the behavior of external users to secretly access the Intranet (such as USB flash disk copying), and terminal security cannot be controlled from the source. It must be combined with other terminal security control technologies, in order to provide a complete terminal security management solution.

Features of Client Access Control

System and Application access control software is installed on the operating system of the server. When the computer terminal accesses the server, the access control software checks the security status of the other party. If the access control software meets the policy, access is permitted, otherwise, access from the other party will be rejected and a prompt will be given. Client Access control checks the security status of the software installed on the terminal when terminals access each other. Host-Based Access Control Points are generally installed on proxy servers, email servers, Intranet Web servers, DNS servers, or DHCP servers. These servers are the most frequently accessed servers within the enterprise. Therefore, the entrance effect is good and the coverage is wide. In actual deployment, you only need to deploy control points on one or two servers to implement global access control.

2. Client Access Control

Client Access control is the most common terminal security management technology, which is often combined with anti-virus software and personal firewalls. The principle of client access control is that the visitor is not reliable, so the client security software must be installed on the terminal, the security status (such as process, registry, boot area, network connection status, and webpage access status) is monitored at all times. If an exception occurs, the user is prompted or handled according to the preset policy.

End User Control

The advantage of client access control is its strong control capability, which can check the security issues of the operating system, network, and application layer. The disadvantage is that users often need to judge by themselves, which requires high security knowledge and occupies a large amount of system resources. At the same time, the client running status cannot be guaranteed, such as when the client is used ), therefore, when used within an enterprise, the client cannot be uninstalled, reinstalled, or not running.

Other terminal security management technologies

Host-Based Access Control has a weak control intensity and is unavoidable. In addition, according to the implementation of security policies, terminal security management technologies currently used in the industry include:

1. Server Access Control

The principle of server access control technology is to install the access control software on the application server, which is generally installed on the DHCP server, DNS server, or proxy server. When the computer terminal accesses the server, the access control software will pop up a page asking the user to log on and check the security status of the other party. If the policy is met, access is allowed. Otherwise, access from the other party is rejected, and give related tips.

Server access control is easy to deploy and has no requirements on the network device environment, but is vulnerable to security attacks (such as DHCP attacks) and is difficult to control the spread of viruses on the source client, the problem of unauthorized access by external users cannot be solved.

2. Network Access Control

The principle of network access control technology is to control the network entry and enforce security policies at the access port through network devices. When a user accesses the network, the client software must be run, and the network can only be used after authentication and security check. As network devices cannot be bypassed, once the client is detached or the operating system is reinstalled, users cannot access the client.

The advantage of network access control is that it works closely with network devices based on user identities, and security policies can be enforced. Its disadvantage is its complicated deployment and high cost, which is widely used in large and medium-sized enterprises.

Different levels of access control

The access control technology has its own advantages and disadvantages. However, from the perspective of security policy implementation, the network-based access control technology is highly secure because network devices can implement mandatory security decisions, however, the management and deployment thresholds are also high.