
Host Access Management in a Virtualized Environment podcast

By: CA
Published: Jul 25, 2007
Length: 12
Type: Podcast
 
Overview:

Consolidating servers through virtualization is a hot market trend due to the IT cost savings and quality of service improvements it provides. However, virtualization intensifies a number of security vulnerabilities with regard to protecting the deployed operating systems.

This podcast will address the following questions:

  • What is virtualization?
  • What is the security impact of using virtualized servers?
  • How can organizations secure access to their virtualized server environments?

Browse Related Categories: Linux, Network Security, Security Management, Server Virtualization, Solaris, Spend Management, System Management Software, Unix, Windows, Windows Server

 

Access Control:

Network-Based Access Control

Today’s open environments require strong control over user access and information flowing over the network. Network-based access control adds another layer of protection to regulate access to the network. CA Access Control can manage access to network ports or network access programs, and network security policies can manage bi-directional access by terminal ID, host name, network address, segments or other attributes.

User-Defined Classes
CA Access Control provides the ability to define custom enforcement classes to control business functions beyond existing CA Access Control objects. For example, fund transfers in a bank can be defined as a class, and various controls can be applied to a transfer based on the access authorization with business applications using CA Access Control Application Programming Interfaces (APIs).

Trusted Program Execution
Applications with setuid capability are commonly used in UNIX systems. Because a setuid program can assume superuser functions, enforcing appropriate access rights on these applications is vital to system integrity. CA Access Control can tag specific applications, programs or files with unique signatures, designating that they can be safely executed or accessed. If the contents of these executables or files are compromised, failure to have a matching signature will lead CA Access Control to block the execution of the application.

Stack Overflow Protection (STOP) and Trojan Horse Prevention
External threats that compromise critical services or damage the integrity of executables are a high risk factor in protecting production servers. These threats include worms that exploit program memory stack overflows or Trojan Horse attacks on normal executable programs.

CA Access Control’s STOP function can stop these malware attacks and prevent viruses from spreading to other servers on the network. Through the trusted file execution function, Trojan Horse-injected executables will be labeled as untrusted and execution will be blocked, preventing potential malware damage. By restricting use of relative PATH, CA Access Control also reduces the possibility of Trojan Horse programs being executed.

Application APIs, Exits and Scripting
CA Access Control provides an open and secure interface through a Software Development Kit (SDK) for external application integration. The SDK provides various functional APIs for different purposes:

• Authorization and Authentication APIs: Provide policy decision information to third-party applications about whether a user can access a resource or not. This also provides an avenue to integrate external application authorization policies with CA Access Control system access policies.

• Exits APIs: Allow additional applications to be executed during CA Access Control operations in a safe and secure manner. This allows CA Access Control's ability to perform custom operations to be integrated with other applications.

• Audit Logging APIs: Additional alerts can be added to audit logs through LogRoute API calls. These APIs also provide the necessary functions for external security information management applications to integrate CA Access Control logs as a log source.
