RBAC Defense in Depth Authors: Brad Ruppert & Russell Meyer


RBAC defense in depth for GIAC Enterprises

- GIAC Enterprises is a small company that sells fortune cookies over the web
- The company is comprised of a CEO, CFO, Sales Manager, Product Manager, Developer, and System Admin
- Most of the everyday work (producing, selling and marketing) will be done through external partners, which is why the headcount initially is rather low. Considering that many partners and suppliers will need access to company resources, it becomes increasingly important for the perimeters to have tight security.
- The network consists of 14 servers
  - DMZ (Web, MetaFrame, IPS, Email Gateway)
  - Internal (Email, DC, DNS, Web, App, DB, Antivirus, File/Print, IPS, HR)
- Sales staff has access via MetaFrame to the internal network

Background on RBAC

- Role Based Access Control (RBAC) is a methodology of limiting access to objects based on permissions assigned to a specific role
- Roles can be synonymous with job duties or functions and can be associated with individual users or groups
- These roles can have permissions associated to systems, files, folders, and other objects within an enterprise
- The goal in role development is to determine in advance all the permissions that a user might require to perform a specific task or job function and bind these permissions to the specific role
- Scalability and efficiency gains are two significant benefits of role-based administration, allowing fewer system administrators to manage higher volumes of users and resources

RBAC for GIAC Enterprises

- The small scale of GIAC Enterprises is both a plus and a minus for implementing RBAC
- Smaller companies will most likely mean users will be assuming multiple roles within the organization, thus making it difficult to create static roles for each user or process.
  - Example: initially the domain admin may be the DBA as well, depending upon the size of the IT department. Once the company can support additional staff, roles should be defined that separate developer from production support.
- At first glance the implementation of RBAC in a company with under 10 employees may seem simple. If roles are not properly identified and categorized, scalability becomes a problem. The sooner you can implement principles of least privilege and segregation of duties, the more reliable your process will become.
- At a high level GIAC Enterprises can be broken into four divisions:
  - Business (CEO, CFO, Sales Manager, Product Manager)
  - Development (Developer)
  - Administration (System Administrator)
  - Audit (External Resource)

RBAC in the DMZ

- The DMZ houses the Email gateway, IPS, Web Server, and MetaFrame Presentation Server
- Windows systems (Email, MetaFrame) use Active Directory (AD) for maintaining role-based access controls
- Linux systems (Web, App, IPS) use Vintela Authentication Services (VAS), which sits on the AD framework, for administering role-based access controls
- Within AD, the following roles are defined specific to the DMZ:
  - User - read-only access to web pages
  - Administrator - read/write access to deploy changes made by the developer
  - Auditor - read-only access to specified systems
- Windows group policy security settings are used to lock down systems, restricting access to specific files/folders based on the role. Linux group policies and security scripts are deployed to multiple systems as well, using the VAS interface through the AD management console
- Inbound access to systems from business partners and employees is via MetaFrame, which uses role-based access controls defined within AD & VAS group policies
- Access to the web interface utilizes Vintela's Java-based Single Sign-On component, which validates users and their access to confidential web pages

RBAC for Internal Systems

- Access to the majority of GIAC Enterprise's internal systems (Email, File, HR, Antivirus, DC, DNS) is governed by Windows Active Directory (AD)
- Access to the Linux/Apache web server and the Solaris/WebLogic App Server is controlled via Vintela Authentication Services (VAS) managed through AD
- Internally the following roles are defined:
  - User - read-only access to web pages
  - Administrator - read/write access to deploy changes to production after they've been made by a developer
  - Developer - read/write access to development partitions of web/app/db servers
  - Auditor - read-only access to specified systems
- Employees access the sales and HR database utilizing a web-to-app interface, thereby abiding by a 3-tier architecture
- Systems are partitioned and segmented into development and production environments to facilitate configuration management practices
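The following is an added worked example, not code from the slides or from GIAC Enterprises' AD/VAS configuration. It models the RBAC concept from the "Background on RBAC" slide (permissions bound to roles, roles bound to users, deny by default) using the four internal roles defined on this slide. The resource naming scheme (web/, dev/, prod/, logs/ prefixes), the exact permission sets, and the helper names are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set, Tuple

# A permission is an (action, resource pattern) pair; a trailing "*" matches a prefix.
Permission = Tuple[str, str]


@dataclass(frozen=True)
class Role:
    name: str
    permissions: FrozenSet[Permission]


@dataclass
class User:
    username: str                # one unique username per person
    roles: Set[str] = field(default_factory=set)


# Role catalogue built from the slide's role descriptions. Resource prefixes are assumed:
# web/* = published pages, dev/* = development partitions, prod/* = production, logs/* = log server.
ROLES: Dict[str, Role] = {
    "User": Role("User", frozenset({("read", "web/*")})),
    # Administrator reads what the developer produced and deploys it to production.
    "Administrator": Role("Administrator", frozenset({
        ("read", "web/*"), ("read", "dev/*"), ("read", "prod/*"), ("write", "prod/*")})),
    "Developer": Role("Developer", frozenset({("read", "dev/*"), ("write", "dev/*")})),
    # Auditor is read-only everywhere it is granted access.
    "Auditor": Role("Auditor", frozenset({("read", "dev/*"), ("read", "prod/*"), ("read", "logs/*")})),
}


def _matches(pattern: str, resource: str) -> bool:
    if pattern.endswith("*"):
        return resource.startswith(pattern[:-1])
    return pattern == resource


def permitted(user: User, action: str, resource: str, roles: Dict[str, Role] = ROLES) -> bool:
    """Deny by default: allow only if a role held by the user carries a matching permission."""
    for role_name in user.roles:
        role = roles.get(role_name)
        if role is None:
            continue  # a dangling role assignment grants nothing
        for perm_action, pattern in role.permissions:
            if perm_action == action and _matches(pattern, resource):
                return True
    return False


def effective_permissions(user: User, roles: Dict[str, Role] = ROLES) -> List[Permission]:
    """Union of all permissions a user holds; this is what an auditor reviews per user."""
    perms: Set[Permission] = set()
    for role_name in user.roles:
        if role_name in roles:
            perms |= roles[role_name].permissions
    return sorted(perms)


def write_capable_roles(roles: Dict[str, Role] = ROLES) -> List[str]:
    """Roles that can modify anything; these are the ones to keep off auditors and partners."""
    return sorted(name for name, role in roles.items()
                  if any(action == "write" for action, _ in role.permissions))


if __name__ == "__main__":
    dev = User("dev1", {"Developer"})
    print(permitted(dev, "write", "dev/app/config"), permitted(dev, "write", "prod/app/config"))
    print(effective_permissions(User("audit1", {"Auditor"})))
```

The two points the slide makes that the example enforces are the dev/prod partition (a Developer can write dev/* but never prod/*) and the read-only nature of the Auditor role; `effective_permissions` gives the per-user view that makes a role review tractable as the role count grows.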

RBAC for Network Devices

- Cisco's Network Admission Control (NAC) is used to control workstation and laptop access to the internal network
- IBNS and 802.1x are integrated into NAC (next slide)
- 802.1x provides controls for both wired and wireless devices
- NAC Profiler is used to automatically identify and assess non-PC devices such as Voice over IP phones and printers
- Appropriate device roles are created. For example, business user, guest user, etc.
- NAC is used to isolate vendor connections (i.e. visiting laptops), while still allowing Internet access
- Ensure that authorized endpoint devices have been patched (operating systems, critical applications, anti-virus, anti-spyware, etc.) via the policy server. If the device is not up-to-date, it is quarantined and allowed access only to the remediation server
- If the device cannot be updated, treat the device as a "guest" and restrict access to only the MetaFrame servers.
- GIAC Enterprises uses PGP's "Whole Disk Encryption" solution to secure data on laptops and at-risk desktops and removable storage.
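As an added illustration (not Cisco NAC's policy language or GIAC's actual configuration), the admission flow on this slide can be written as a single decision function: an authenticated, managed, fully patched device gets the internal network; a stale but remediable device is quarantined with the remediation server as its only destination; a device that cannot be updated, or a vendor's visiting laptop, is treated as a guest. The posture fields, the network role names and the destination sets are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Posture:
    """Posture facts the policy server would collect; field names are assumed."""
    authenticated: bool      # 802.1x / IBNS authentication succeeded
    managed: bool            # corporate asset, not a vendor's visiting laptop
    os_patched: bool
    apps_patched: bool       # critical applications current
    antivirus_current: bool
    antispyware_current: bool
    remediable: bool         # the remediation server can bring it up to date


# Network roles handed out by the policy server (names are assumptions).
INTERNAL = "business_user"   # full internal network
QUARANTINE = "quarantine"    # remediation server only
GUEST = "guest"              # MetaFrame servers and Internet only

# What each role may reach. The slide gives vendors Internet access and restricts
# non-updatable devices to MetaFrame; both are folded into the guest role here.
ALLOWED_DESTINATIONS = {
    INTERNAL: {"internal", "remediation", "metaframe", "internet"},
    QUARANTINE: {"remediation"},
    GUEST: {"metaframe", "internet"},
}


def admission_role(p: Posture) -> str:
    """Map an endpoint's posture to the network role NAC should assign."""
    if not p.authenticated or not p.managed:
        return GUEST  # isolated vendor / visiting laptop
    healthy = all((p.os_patched, p.apps_patched, p.antivirus_current, p.antispyware_current))
    if healthy:
        return INTERNAL
    return QUARANTINE if p.remediable else GUEST


def may_reach(role: str, destination: str) -> bool:
    """Deny by default for unknown roles or destinations."""
    return destination in ALLOWED_DESTINATIONS.get(role, set())


if __name__ == "__main__":
    stale = Posture(True, True, os_patched=False, apps_patched=True,
                    antivirus_current=True, antispyware_current=True, remediable=True)
    role = admission_role(stale)
    print(role, may_reach(role, "internal"), may_reach(role, "remediation"))
```

Keeping the role-to-destination table separate from the posture logic mirrors the split between the policy server (which decides the role) and the switches and firewalls (which enforce what that role may reach).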

RBAC for Infrastructure

- Use Cisco's AAA & TACACS+ via Cisco Secure Access Control Server & Active Directory for centralized router and firewall Authentication, Authorization, and Accounting.
- Use Cisco's Identity-Based Networking Services (IBNS) identity management solution
  - IBNS is based on 802.1x and offers authentication, access control, and user policies to secure the network
  - 802.1X allows enforcement of port-based network access control when devices attempt to access the network
  - IBNS leverages Cisco's switches, Wireless APs, Cisco Secure ACS and Cisco Secure Services Client
- Cisco's Role-Based CLI Access is used to define auditor and helpdesk views
  - These views are configured to restrict access to Cisco IOS commands and configuration while allowing timely problem resolution and audit access to the IOS
- If SSH is needed, Quest OpenSSH provides password-less, secure, encrypted remote login and file transfer services for Vintela Authentication Services (VAS).
- The Cisco solution can also support VLANs and VPNs (if needed)

RBAC for Separation of Duties

- GIAC Enterprises has developed roles to separate job duties
  - User administration - The person authorizing the new user or access should not be the same one that establishes the new user or access
  - Accounting - The person approving the payment of an invoice should not be the same one that can create a company\vendor in the accounting system
  - IT Administrator vs. IT auditor - While the auditor would need the same 'read' access rights as an IT administrator, they would not need 'write' or 'modify' rights
  - The developer would require access to the development area but should not be allowed access to the production area
  - Data Owner vs. Data Custodian (i.e. the IT administrator) - In some cases, access to the data may need to be restricted to the data owner. IT would not be granted access, but would be required to ensure the security of it
- As mentioned, physical access can also be controlled via AD-enabled key cards. This prevents access to unauthorized areas
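The separation-of-duties rules on this slide are static constraints on which roles one person may hold at the same time, and they can be checked mechanically before a role is granted. The following is an added example, not GIAC's tooling; the role names are assumptions that stand in for the AD groups a real deployment would use.

```python
from typing import Dict, List, Set, Tuple

# Mutually exclusive role pairs, one per bullet on the slide (role names are assumed).
SOD_CONSTRAINTS: List[Tuple[Set[str], str]] = [
    ({"access_approver", "account_provisioner"},
     "user administration: the approver must not also provision the account"),
    ({"invoice_approver", "vendor_creator"},
     "accounting: the payment approver must not also create vendors"),
    ({"it_administrator", "it_auditor"},
     "IT: the administrator must not also hold the read-only audit role"),
    ({"developer", "production_admin"},
     "development: the developer must not also administer production"),
]


def sod_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Scan a username -> roles table and report every toxic combination held by one person."""
    violations: List[Tuple[str, str]] = []
    for user, roles in sorted(assignments.items()):
        for pair, reason in SOD_CONSTRAINTS:
            if pair <= roles:          # the user holds both roles of the pair
                violations.append((user, reason))
    return violations


def can_assign(assignments: Dict[str, Set[str]], user: str, new_role: str) -> bool:
    """Pre-grant check: refuse a role if it would put the user into a constrained pair."""
    trial = set(assignments.get(user, set())) | {new_role}
    return not sod_violations({user: trial})


if __name__ == "__main__":
    # Constructed sample assignment table.
    table = {
        "alice": {"access_approver"},
        "bob": {"account_provisioner"},
        "carol": {"invoice_approver", "vendor_creator"},
        "dave": {"developer"},
    }
    for who, why in sod_violations(table):
        print(f"{who}: {why}")
    print(can_assign(table, "dave", "production_admin"))
```

Running `sod_violations` over the live group membership on a schedule catches drift (someone picked up a second role after the initial review), while `can_assign` blocks the conflict at provisioning time; the slide's point that the approver and the provisioner must be different people is exactly why the check should not be runnable only by the provisioner.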

RBAC for Auditing

- RBAC will ease auditing of network and systems
  - Enforces unique usernames; only one username per user
  - Define 'read' or 'view' only access for auditing roles; auditors can then be granted access to audit roles
- Appropriate event logs from servers, Active Directory, IPS, routers, Vintela Authentication Services, NAC, the key card system and other network infrastructure devices are stored in a centralized log server
- Access to the centralized log server data is restricted; IT cannot access, modify or delete logs without audit's permission
- An event correlation and reporting server is used by both IT and audit to correlate and review the data

Conclusion

- GIAC Enterprises can benefit from Role Based Access Control by gaining scalability and efficiency
- By leveraging Active Directory and implementing the appropriate roles, GIAC Enterprises can increase security and reduce system administration costs
- While Role Based Access Control is considered a best practice at the system or application level, it becomes increasingly difficult to implement when scaling for large enterprises
- RBAC is not a product that can be implemented per se. Implementing RBAC involves careful planning for each system and should involve users, management and policies for success
- Care should be taken when implementing RBAC in the enterprise. If costs outweigh the benefits, the RBAC implementation may need to be scaled back