4/26/2007 okhaleel/Enforce 1
ENgine FOR Controlling Emergent Hierarchical Role-Based Access
(ENforCE HRBAccess)
Osama Khaleel
Thesis Defense, May 2007
Master of Science in Computer Science, University of Colorado, Colorado Springs
Committee Members:
• Dr. Edward Chow, Chair
• Dr. Terry Boult
• Dr. Xiaobo Zhou
Thesis Defense Outline
• Intro & Background
• Design
• Implementation
• Performance Analysis
• Future Work
• Contribution
• Demo
• Q & A
Introduction
• Roles in any organization are hierarchical by nature.
• Resources in any organization vary: from a simple HTML web page to RDP/SSH access in which a user can gain full control.
• The mission becomes more complicated when users should access resources securely and based on their ROLES.
• Password-based protection falls far short of satisfying high-level security requirements.
Background
• Authentication: Public Key Certificate (PKC), Certificate Authority (CA), Certificate Revocation List (CRL)
• Authorization: Attribute Certificate (AC), Attribute Authority (AA)
• Role-Based Access Control (RBAC): Core, Hierarchical
• eXtensible Access Control Markup Language (XACML): Policy Enforcement Point (PEP), Policy Decision Point (PDP)
• Active Directory (AD), ISAPI Filter, ASP.NET Application File (Global.asax), Iptables
• Public Key Infrastructure (PKI)
• Privilege Management Infrastructure (PMI)
• Authentication: the process in which someone provides some kind of credentials to prove his or her identity.
• CA: a trusted third party that issues digital certificates to be used by other parties. It guarantees that the individual granted the certificate is really who he or she claims to be.
• PKC: a digitally signed document that binds a public key to a subject (identity). This binding is asserted by a trusted CA.
• CRL: a list signed by the issuing CA that contains the serial numbers of the revoked certificates.
• Authorization: the process used to determine whether the subject has the required permissions to access some protected resources.
• AC: a digitally signed document that binds a set of attributes, like membership, role, or security clearance, to the AC holder.
• AA: a trusted third party responsible for issuing, maintaining, and revoking ACs.
• AD: a distributed directory service included in Windows Server 2000/2003; Microsoft's implementation of LDAP. Used to store and manage all information about network resources across the domain: computers, groups, users, …
• ISAPI filters: DLLs that can be used to enhance and modify the functionality of IIS. Powerful: they can modify both the incoming and the outgoing data stream for EVERY request.
• Global.asax: a file that resides in the root directory of the ASP.NET application. Contains code to handle application-level and session-level events raised by ASP.NET.
• Iptables: a generic table structure for defining a set of rules to deal with network packets. Rules are grouped into chains; chains are grouped into tables; each table is associated with a different kind of packet processing.
• RBAC: a mechanism/model for restricting access based on the role of authorized users.
  - Core: roles are assigned to users, and permissions are associated with roles, not directly with users.
  - Hierarchical: an enhancement to the core, in which senior roles inherit permissions from more junior roles.
• XACML: an XML-based OASIS standard that describes a policy language and a request/response language. The three main components in XACML are Rule, Policy, and PolicySet.
• The XACML RBAC profile has two main components: Permission PolicySet (PPS) and Role PolicySet (RPS). There is one PPS and one RPS for each defined Role.
• PPS: defines the Policies and Rules needed for the Permissions associated with a certain Role. Contains a set of PPS references, using <PolicySetIdReference>, to inherit permissions from the junior role associated with each referenced PPS. Define what the junior role is before using it.
• RPS: defines the Role name and includes ONLY one PPS reference, to associate this Role with its permissions defined in the corresponding PPS.

Example PPS for the CFO role, referencing two junior PPSs:

    <PolicySet PolicySetId="CFOPermissions">
      <Policy PolicyId="PolicyForCFORole">
        <Rule RuleId="FinanceManagementRule" Effect="Permit">
          <Target>
            <Subjects> <AnySubject/> </Subjects>
            <Resources>
              <Resource>
                <ResourceMatch MatchId="function: regexp-string-match">
                  <AttributeValue DataType="string">
                    https://ncdcrx3.uccs.edu/financial/finMgmt.aspx
                  </AttributeValue>
                </ResourceMatch>
              </Resource>
            </Resources>
          </Target>
        </Rule>
      </Policy>
      <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
      <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
    </PolicySet>

Example RPS for the CFO role:

    <PolicySet PolicySetId="RPS:CFO">
      <Target>
        <Subjects>
          <Subject>
            <SubjectMatch MatchId="function: string-equal">
              <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
              <AttributeValue DataType="string"> CFO </AttributeValue>
            </SubjectMatch>
          </Subject>
        </Subjects>
      </Target>
      <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
    </PolicySet>
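A worked resolution of the PPS/RPS inheritance above, added here as an example (Python, not the thesis' Java policy engine): it indexes a constructed policy file in the slides' abbreviated XACML style, finds a role's RPS by the string-equal subject match, follows PolicySetIdReference into the junior PPSs, and decides by regexp match on the resource. The AccMgrPermissions reference is left undefined on purpose, to show that a junior PPS that was never defined contributes no permissions.

```python
import re, xml.etree.ElementTree as ET

# Constructed policies in the slides' abbreviated XACML style (assumed; not the thesis' own files). AccMgrPermissions is referenced but never defined, on purpose.
POLICIES = """<Policies>
<PolicySet PolicySetId="SalesMgrPermissions"><Policy PolicyId="PolicyForSalesMgr">
 <Rule RuleId="SalesRule" Effect="Permit"><Target><Resources><Resource>
  <ResourceMatch MatchId="function: regexp-string-match"><AttributeValue DataType="string">
   https://ncdcrx3.uccs.edu/sales/.*</AttributeValue></ResourceMatch>
 </Resource></Resources></Target></Rule></Policy></PolicySet>
<PolicySet PolicySetId="CFOPermissions"><Policy PolicyId="PolicyForCFORole">
 <Rule RuleId="FinanceManagementRule" Effect="Permit"><Target><Resources><Resource>
  <ResourceMatch MatchId="function: regexp-string-match"><AttributeValue DataType="string">
   https://ncdcrx3.uccs.edu/financial/finMgmt.aspx</AttributeValue></ResourceMatch>
 </Resource></Resources></Target></Rule></Policy>
 <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
 <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference></PolicySet>
<PolicySet PolicySetId="RPS:CFO"><Target><Subjects><Subject><SubjectMatch MatchId="function: string-equal">
 <SubjectAttributeDesignator DataType="string" AttributeId="role"/><AttributeValue DataType="string">CFO</AttributeValue>
 </SubjectMatch></Subject></Subjects></Target><PolicySetIdReference>CFOPermissions</PolicySetIdReference></PolicySet>
<PolicySet PolicySetId="RPS:SalesMgr"><Target><Subjects><Subject><SubjectMatch MatchId="function: string-equal">
 <SubjectAttributeDesignator DataType="string" AttributeId="role"/><AttributeValue DataType="string">SalesMgr</AttributeValue>
 </SubjectMatch></Subject></Subjects></Target><PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference></PolicySet>
</Policies>"""

def load_policy_sets(xml):
    """Index every PolicySet (PPS and RPS alike) by its PolicySetId."""
    return {ps.get("PolicySetId"): ps for ps in ET.fromstring(xml).findall("PolicySet")}

def role_pps(sets, role):
    """RPS lookup: the PolicySet whose subject target string-equals the role names exactly one PPS."""
    for ps in sets.values():
        av = ps.find("Target/Subjects/Subject/SubjectMatch/AttributeValue")
        if av is not None and av.text.strip() == role:
            return ps.find("PolicySetIdReference").text.strip()
    return None  # no RPS for this role: nothing is permitted

def collect_rules(sets, pps_id, seen=None):
    """(Effect, resource regexp) pairs of a PPS plus, via PolicySetIdReference, of its junior PPSs."""
    seen = set() if seen is None else seen
    if pps_id in seen or pps_id not in sets:  # cycle guard; an undefined reference contributes nothing
        return []
    seen.add(pps_id)
    rules = [(r.get("Effect"), av.text.strip())
             for r in sets[pps_id].iter("Rule") for av in r.iter("AttributeValue")]
    for ref in sets[pps_id].findall("PolicySetIdReference"):
        rules += collect_rules(sets, ref.text.strip(), seen)
    return rules

def decide(sets, role, url):
    """Permit when any Permit rule reachable from the role's PPS matches the whole URL, else Deny."""
    pps = role_pps(sets, role)
    if pps is None:
        return "Deny"
    for effect, pattern in collect_rules(sets, pps):
        if effect == "Permit" and re.fullmatch(pattern, url):
            return "Permit"
    return "Deny"

SETS = load_policy_sets(POLICIES)
```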
Design
By taking advantage of the concepts & technologies just mentioned, the goal is to build a structure/engine that provides:
• Authentication
• Authorization
• Secure access based on users' ROLES
• Protection for ANY type of resources
• Fine-grained control based on active sessions
• PKI & PMI management tool
ENforCE “Big Picture”
[Architecture diagram. Components: IIS Authentication with the ISAPI filter and the Global.asax ASP.NET application acting as Policy Enforcement Points in front of the protected web resources and protected network resources; a Policy Decision Point holding the RPS and PPS; a Domain Controller with Active Directory ("Get User's AC"); a session policy source; and an FC4 machine (firewall) running the Iptables Control Service for network-resource access. Flows shown: user request, HTTP request / XML response between PEP and PDP, GetDecision, check session policy, and Open/Close commands to the firewall.]
ENforCE Test-Bed
[Network diagram. On the local switch: a Windows XP client, a Win2003 IIS server, and a Win2003 DC, with local addresses 10.0.0.10 to 10.0.0.13; a Fedora Core 4 gateway/firewall at 10.0.0.1 connects them to the main switch, with public addresses 128.198.162.50 to 128.198.162.53.]
Implementation: two types of access:
• Web-based resources (http://ncdcrx3.uccs.edu)
• Network-based resources (http://ncdcrx4.uccs.edu)
Web resources: accessed directly through IIS using https (port 443).
Network resources:
• Activate a web session first.
• ENforCE will open the firewall for the specified service.
• Physically access the service through the firewall.
• Service port varies (e.g. SSH: 22, RDP: 3389).
Components:
• ISAPI Filter: web-access entry point (C/C++ - MFC)
• Global.asax: manage web sessions (C#/ASP.NET)
• Policy Engine: PEP, PDP, Policy, RBAC (XACML - Java)
• Firewall Daemon: update Iptables rules (Java - JSSE)
Web resources (ISAPI)
[Sequence diagram; steps as labelled:]
1) Web request from the user to IIS (IIS Authentication, ISAPI filter).
2) HTTP request with attributes from the ISAPI filter (Policy Enforcement Point) to the Policy Decision Point.
3) Get User's AC from Active Directory on the Domain Controller.
4) Get Decision from the PDP.
5) XML response with decision back to the PEP.
6) Permit/Deny access to the protected web resources.
Network resources (Global.asax)
[Sequence diagram; steps as labelled:]
1) Request a session through IIS (IIS Authentication; Global.asax in the ASP.NET application acts as Policy Enforcement Point).
2) HTTP request with attributes from the PEP to the PDP.
3) Get User's AC from Active Directory on the Domain Controller.
4) Get decision from the PDP.
5) Check session policy against the session policy source.
6) Open/Close commands to the Iptables Control Daemon on the FC4 machine (firewall).
7) XML response with decision.
8) Physically access the services (protected network resources) through the firewall.
Requests to PEP
1) From ISAPI (access a web resource):
   http://localhost:8080/sispep/servlets/sispep ?
   • subject= CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
   • URL=https://ncdcrx3.uccs.edu/it/img.jpg &
   • method=GET &
   • service=web
2) From Global.asax (open a network resource):
   http://localhost:8080/sispep/servlets/sispep ?
   • subject= CN=Edward Chow, C=US, S=CO, …., [email protected], OU=Computer Science &
   • URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
   • service=ssh &
   • IP=128.198.55.11 &
   • sessionID=23hjhY43 &
   • action=open
3) From Global.asax (close a network resource):
   http://localhost:8080/sispep/servlets/sispep ?
   • subject= CN=Edward Chow, C=US, S=CO, …., [email protected], OU=Computer Science &
   • URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
   • service=ssh &
   • IP=128.198.55.11 &
   • sessionID=23hjf73G2 &
   • action=close
Conditional Active-Session Access (CASA)
Idea: a Junior role can ONLY access a network resource IF its Senior role has an active session for that resource.
Why? To add finer access control.
How? The PEP maintains a table. An entry looks like:
    29gY3k0*ssh | Engineer | Subject | https://ncdcrx4.uccs.edu/ssh/net.aspx | 128.198.162.50
The PEP reads an XML policy file (session policy). The session policy file supports 3 cases:
1) A CERTAIN Senior Role is required
2) ANY Senior Role is required (including itself?)
3) N Senior Roles are required

Session policy entries:
    <Service name="SSH"> <Senior>ProjectMngr</Senior> <Junior>Developer</Junior> </Service>
    <Service name="MySQL"> <Senior>ANY</Senior> <Junior>Accountant</Junior> </Service>
    <Service name="SSH"> <Senior>ITManager</Senior> <Junior>DB Admin</Junior> </Service>
    <Service name="SSH"> <Senior>CEO</Senior> <Junior>DB Admin</Junior> </Service>
CASA (cont’d)
The PEP reads the session policy file and creates two things:
1) Hierarchical-Role tree: to answer "Is Role A senior to Role B?"
2) Session Policy Table: to decide, for the requested service, whether the Junior's access is constrained by the Senior's.

Session Policy Table (Senior : Junior):
    SSH    CFO : Sales Mngr     ANY : Developer
    RDP    CEO : DB Admin       ITMngr : DB Admin
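The CASA check from the two slides above and the open/close request format from the "Requests to PEP" slide, carried through as an added example (Python, not the thesis' own PEP): the session policy is parsed into the session policy table, the ANY case is resolved against an assumed hierarchical-role tree, and the PEP session table is keyed by sessionID. Assumptions beyond the slides: N listed seniors must all hold an active session, a role does not count as its own senior, and the requesting role is taken from the user's AC and passed in directly.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Constructed session policy in the slides' <Service> format (assumed; not the thesis' own file).
SESSION_POLICY = """<SessionPolicy>
<Service name="SSH"><Senior>ProjectMngr</Senior><Junior>Developer</Junior></Service>
<Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
<Service name="SSH"><Senior>ITManager</Senior><Junior>DB Admin</Junior></Service>
<Service name="SSH"><Senior>CEO</Senior><Junior>DB Admin</Junior></Service>
<Service name="RDP"><Senior>CEO</Senior><Junior>DB Admin</Junior></Service>
</SessionPolicy>"""

# Assumed hierarchical-role tree (junior -> direct seniors); the ANY case is resolved against it.
ROLE_TREE = {"Developer": {"ProjectMngr"}, "ProjectMngr": {"CTO"}, "Accountant": {"AccMgr"},
             "AccMgr": {"CFO"}, "DB Admin": {"ITManager"}, "ITManager": {"CEO"}}

def is_senior(tree, a, b):
    """Is Role a senior to Role b (transitively)? A role is not its own senior."""
    seniors, frontier = set(), set(tree.get(b, ()))
    while frontier:
        seniors |= frontier
        frontier = {s for r in frontier for s in tree.get(r, ())} - seniors
    return a in seniors

def load_session_policy(xml):
    """Session policy table: (service, junior) -> required seniors; several entries = N-senior case."""
    table = {}
    for svc in ET.fromstring(xml).findall("Service"):
        key = (svc.get("name").lower(), svc.findtext("Junior").strip())
        table.setdefault(key, []).append(svc.findtext("Senior").strip())
    return table

def casa_allows(table, tree, sessions, role, service):
    """CASA check after the PDP permits. sessions: PEP table, sessionID -> (role, service)."""
    service = service.lower()
    required = table.get((service, role))
    if required is None:                   # junior not constrained for this service
        return True
    active = {r for r, s in sessions.values() if s.lower() == service}
    for senior in required:
        if senior == "ANY":                # case 2: some strictly senior role holds a session
            if not any(is_senior(tree, r, role) for r in active):
                return False
        elif senior not in active:         # cases 1 and 3: every named senior holds a session
            return False
    return True

def handle_request(table, tree, sessions, query, role):
    """Open/close request in the slides' query format; the role is assumed to come from the user's AC."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    if q["action"] == "close":
        return sessions.pop(q["sessionID"], None) is not None
    if not casa_allows(table, tree, sessions, role, q["service"]):
        return False                       # CASA denies: nothing is opened in the firewall
    sessions[q["sessionID"]] = (role, q["service"])
    return True

TABLE = load_session_policy(SESSION_POLICY)
```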
Performance Analysis (unit: ms)

Web resources (ISAPI):
    Resource         Retrieve AC from AD   PDP decision   Total request time
    Finance Mgmnt    5.4750                3.0345         10.3476
    Sales Write      6.2864                4.3872         13.7203
    Posting orders   6.9820                4.92345        13.8433
    View orders      5.1734                4.1093         11.7390

Network resource (Global.asax) – new session:
    Resource   Retrieve AC from AD   PDP decision   CASA decision   Firewall update   Total request time
    SSH        5.8730                3.8264         2.3654          15.5093           29.4374
    RDP        5.7639                4.9276         3.1093          17.1204           32.2841
    MySQL      6.1927                3.1043         2.5831          14.7627           30.6392

Network resource (Global.asax) – session refresh:
    Resource   Retrieve AC from AD   PDP decision   CASA decision   Total request time
    SSH        6.8093                4.3298         3.9485          20.5912
    RDP        7.7602                3.8749         2.2037          20.5382
    MySQL      6.3175                3.7829         2.5582          19.7045
Future Work
• Extend the system to work in a multi-agency environment.
• Develop more services that can take advantage of the existing RBAC architecture. For instance:
  - RBAC E-Voting: users can vote based on their roles.
  - RBAC Instant Messenger: users can chat based on their roles.
  - RBAC E-Mail: users can send e-mails based on their roles.
  - RBAC XXX and so on…
• Support more operating systems (Mac, Solaris …).
• Improve the Admin tool to initialize and modify Active Directory, and to be able to generate XACML policies.
• Support wireless access.
Thesis Contributions
• Provide a robust architecture for large-scale companies to address accessing sensitive resources securely according to a hierarchical role-based access policy.
• Extend XACML to handle the Hierarchical Role-Based Access Control (HRBAC) model.
• Add a totally new concept of secure access in which a Senior Role can restrict its Junior Role's access using active-session management.
• Enhance IIS 6.0 with two components, the ISAPI filter and Global.asax.
• Simplify PKI and PMI management, thereby reducing management cost and errors.