https://www.infra-repository.org/oiar-2013/index.php?action=history&feed=atom&title=PAT.Access_SecurityPAT.Access Security - Revision history2026-05-06T13:53:01ZRevision history for this page on the wikiMediaWiki 1.40.0https://www.infra-repository.org/oiar-2013/index.php?title=PAT.Access_Security&diff=544&oldid=prevJan Schoonderbeek: start2012-11-11T23:22:21Z<p>start</p>
<p><b>New page</b></p><div>{{Maturity|3}}<br />
{{Pageheaderbox4PatternType<br />
|PATname=Access Security<br />
|summary=Controls and secures (external) user connections with back-end facilities and applications<br />
|version=0.2<br />
|owner=J.A.H. Schoonderbeek<br />
|sector=Infrastructure Sector Business Support<br />
}}<br />
Instances of this facility are used to secure access to back-end facilities.<br><br />
Protection can be needed for either (or both) of two reasons:<br />
* to shield the protected facilities against unauthorized access;<br />
* to shield the protected facilities from malicious or malformed traffic.<br />
This pattern is often combined with [[PAT.Access Distribution|Access Distribution]]; such a combination may be realized as an "access path"<br />
{{PAgraphic<br />
|graphic=PAT.Access Security.png<br />
|source=Pattern Types.vsd<br />
|size=500px<br />
|title=Access Security Pattern<br />
}}<br />
{{Pattern Type Composition}}<br />
{{Pattern Type Composition Row<br />
|facility=BT.Traffic Filtering<br />
|choice=must<br />
|reason=This facility provides the pattern with a means to reduce the attack surface of a protected facility (or a set thereof), by filtering data traffic towards and from the protected facility. Note that when filtering is ''not'' limited to traffic characteristics, then encryption and/or compression of the data transported may require the Traffic Filtering facility to use the Session Handling facility to access the data transported.<br />
}}<br />
{{Pattern Type Composition Row<br />
|facility=BT.Data Scanning<br />
|choice=may<br />
|reason=This facility provides extra capability to Traffic Filtering by scanning the data transported. Thus, Traffic Filtering can also filter traffic on data characteristics.<br />
}}<br />
{{Pattern Type Composition Row<br />
|facility=BT.Connection Handling<br />
|choice=must<br />
|reason=This facility terminates the user's (or client's) connection to the protected facility, and sets up its own session to that facility. This provides the Access Security pattern with the following security-related abilities:<br />
* can access the content of encrypted sessions (e.g. SSL sessions) for inspection purposes;<br />
* can gracefully filter session requests/answers that are malformed or deemed inappropriate for the particular protected facility (e.g. HTTP POST).<br />
}}<br />
{{Pattern Type Composition Row<br />
|facility=BT.Encryption<br />
|choice=may<br />
|reason=Allows encrypted communication between the end user and this pattern (necessary for private communication), even when the protected facility may not be able to do this. On the other hand, allows for decrypting encrypted traffic from the end user for inspection purposes before it enters the protected facility (or vice versa).<br />
}}<br />
{{Pattern Type Composition Row<br />
|facility=BT.Compression<br />
|choice=may<br />
|reason=Allows compressed communication between the end user and this pattern (advisable for efficient data transfer), even when the protected facility may not be able to do this. On the other hand, allows for decompressing compressed traffic from the end user for inspection purposes before it enters the protected facility (or vice versa).<br />
}}<br />
{{Table Ending}}<br />
{{Pattern Type Neighbors}}<br />
{{Pattern_Type_Adjacent_PAT_Row<br />
|pattern=PAT.Authentication+Authorization<br />
|choice=may<br />
|reason=The Authentication & Authorization pattern can contain either a Permission Register, an Identity Store, or both; Access Security may use the identity store to authenticate users (usually at the location where Session Handling takes place) and/or to authorize access to the protected facilities.<br />
<br />
Authentication can be performed at the Session Handling facility.<br />
<br />
Authorization can take place on traffic characteristics ("firewall rules") and/or on data characteristics (e.g. "access control lists") and or other conditions (e.g. the presence of up-to-date antivirus on the client's machine).<br />
}}<br />
{{Pattern_Type_Adjacent_PAT_Row<br />
|pattern=PAT.Security Management + Auditing<br />
|choice=must<br />
|reason=Any Access Security facility must be connected to Security Management & Auditing for central management of the security measures implemented in the Access Facility itself, but also to report security incidents to a suitable central location.<br />
}}<br />
{{Table Ending}}<br />
{{PATfooter}}</div>Jan Schoonderbeek