Hierarchical Role-based Access - University of Colorado Colorado


ENgine FOR Controlling Emergent
Hierarchical Role-Based Access
(ENforCE HRBAccess)
Osama Khaleel
Thesis Defense
May 2007
Master of Science in Computer Science
University of Colorado, Colorado Springs
4/26/2007
okhaleel/Enforce
1
ENgine FOR Controlling Emergent
Hierarchical Role-Based Access
(ENforCE HRBAccess)
Committee Members:
Dr. Edward Chow, Chair
Dr. Terry Boult
Dr. Xiaobo Zhou
Thesis Defense Outline
• Intro & Background
• Design
• Implementation
• Performance Analysis
• Future Work
• Contribution
• Demo
• Q&A
Introduction
• Roles in any organization are hierarchical by their nature.
• Resources in any organization vary:
  – From a simple HTML web page,
  – To RDP/SSH access in which a user can gain full control.
• The mission becomes more complicated when users should access resources:
  – Securely
  – And based on their ROLES.
• Password-based protection is far from satisfying high-level security requirements.
Background
• Authentication
  – Public Key Infrastructure (PKI)
    · Public Key Certificate (PKC)
    · Certificate Authority (CA)
    · Certificate Revocation List (CRL)
• Authorization
  – Privilege Management Infrastructure (PMI)
    · Attribute Certificate (AC)
    · Attribute Authority (AA)
  – Role-Based Access Control (RBAC)
    · Core
    · Hierarchical
  – eXtensible Access Control Markup Language (XACML)
    · Policy Enforcement Point (PEP)
    · Policy Decision Point (PDP)
• Active Directory (AD), ISAPI Filter, ASP.NET Application File (Global.asax), Iptables


• Authentication: the process in which someone provides some kind of credentials to prove his or her identity.
• CA: a trusted third party that issues digital certificates to be used by other parties. It guarantees that the individual granted the certificate is really who he or she claims to be.
• PKC: a digitally signed document that binds a public key to a subject (identity). This binding is asserted by a trusted CA.
• CRL: a list signed by the issuing CA that contains the serial numbers of the revoked certificates.
• Authorization: the process that is used to determine whether the subject has the required permissions to access some protected resources.
• AC: a digitally signed document that binds a set of attributes like membership, role, or security clearance to the AC holder.
• AA: a trusted third party that is responsible for issuing, maintaining, and revoking ACs.

• AD: a distributed directory service included in Windows Server 2000/2003.
  – Microsoft's implementation of LDAP.
  – Used to store and manage all information about network resources across the domain: computers, groups, users, …
• ISAPI filters: DLLs that can be used to enhance and modify the functionality of IIS.
  – Powerful -> they can modify both the incoming and the outgoing data stream for EVERY request.
• Global.asax: a file that resides in the root directory of the ASP.NET application.
  – Contains code to handle application-level and session-level events raised by ASP.NET.
• Iptables: a generic table structure for defining a set of rules to deal with network packets.
  – Rules are grouped into chains.
  – Chains are grouped into tables.
  – Each table is associated with a different kind of packet processing.

• RBAC: a mechanism/model for restricting access based on the role of authorized users.
  – Core: roles are assigned to users, and permissions are associated with roles – not directly with users.
  – Hierarchical: an enhancement to the core, in which senior roles inherit permissions from more junior roles.
• XACML: an XML-based OASIS standard that describes:
  – A policy language
  – A request/response language
• The main three components in XACML are Rule, Policy, and PolicySet.
• The XACML RBAC profile has two main components:
  – Permission PolicySet (PPS)
  – Role PolicySet (RPS)
  One PPS and one RPS for each defined Role.

• PPS:
  – defines the Policies and Rules needed for the Permissions associated with a certain Role.
  – contains a set of PPS references using "<PolicySetIdReference>" to inherit permissions from the junior role associated with each referenced PPS.
  – define what a Junior role is before using it (the referenced PPS must already exist).
• RPS:
  – defines the Role name.
  – includes ONLY one PPS reference, to associate this Role with its permissions defined in the corresponding PPS.

Example – Role PolicySet for the CFO role (RPS:CFO):
<PolicySet PolicySetId="RPS:CFO">
  <Policy PolicyId="PolicyForCFORole">
    <Target>
      <Subjects>
        <Subject>
          <SubjectMatch MatchId="function: string-equal">
            <AttributeValue DataType="string">CFO</AttributeValue>
            <SubjectAttributeDesignator DataType="string" AttributeId="role"/>
          </SubjectMatch>
        </Subject>
      </Subjects>
    </Target>
  </Policy>
  <PolicySetIdReference>CFOPermissions</PolicySetIdReference>
</PolicySet>

Example – Permission PolicySet referenced by RPS:CFO (CFOPermissions). Its own Rule permits the finance-management page, and the two references at the end inherit the Sales Manager's and Accounting Manager's permissions (the CFO's junior roles):
<PolicySet PolicySetId="CFOPermissions">
  <!-- abbreviated on the slide: in a full XACML document the Rule sits inside a
       Policy and the ResourceMatch also names a ResourceAttributeDesignator -->
  <Rule RuleId="FinanceManagementRule" Effect="Permit">
    <Target>
      <Subjects> <AnySubject/> </Subjects>
      <Resources>
        <Resource>
          <ResourceMatch MatchId="function: regexp-string-match">
            <AttributeValue DataType="string">
              https://ncdcrx3.uccs.edu/financial/finMgmt.aspx
            </AttributeValue>
          </ResourceMatch>
        </Resource>
      </Resources>
    </Target>
  </Rule>
  <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
  <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
</PolicySet>
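The following is an added example, not code from the thesis (whose policy engine is written in Java): a Python sketch of how a role's effective permissions are resolved by following the <PolicySetIdReference> chain, the way the CFO PPS above inherits from its junior roles. Only CFOPermissions, its FinanceManagementRule and the finMgmt.aspx URL come from the slide; the SalesMgrPermissions and AccMgrPermissions documents, their rule names and resource patterns are constructed here, and the documents use the slide's abbreviated XACML shape.

```python
import re
import xml.etree.ElementTree as ET
# Constructed PPS documents in the slide's abbreviated shape (real XACML uses full URN
# identifiers and wraps each Rule in a Policy). CFO references its two junior PPSs.
PPS_DOCS = {
    "CFOPermissions": """<PolicySet PolicySetId="CFOPermissions">
  <Rule RuleId="FinanceManagementRule" Effect="Permit"><Target><Resources><Resource>
    <ResourceMatch MatchId="function: regexp-string-match">
      <AttributeValue>https://ncdcrx3.uccs.edu/financial/finMgmt.aspx</AttributeValue>
    </ResourceMatch></Resource></Resources></Target></Rule>
  <PolicySetIdReference>SalesMgrPermissions</PolicySetIdReference>
  <PolicySetIdReference>AccMgrPermissions</PolicySetIdReference>
</PolicySet>""",
    "SalesMgrPermissions": """<PolicySet PolicySetId="SalesMgrPermissions">
  <Rule RuleId="SalesWriteRule" Effect="Permit"><Target><Resources><Resource>
    <ResourceMatch MatchId="function: regexp-string-match">
      <AttributeValue>https://ncdcrx3.uccs.edu/sales/.*</AttributeValue>
    </ResourceMatch></Resource></Resources></Target></Rule>
</PolicySet>""",
    "AccMgrPermissions": """<PolicySet PolicySetId="AccMgrPermissions">
  <Rule RuleId="PostOrdersRule" Effect="Permit"><Target><Resources><Resource>
    <ResourceMatch MatchId="function: regexp-string-match">
      <AttributeValue>https://ncdcrx3.uccs.edu/orders/post.aspx</AttributeValue>
    </ResourceMatch></Resource></Resources></Target></Rule>
</PolicySet>""",
}

def effective_permissions(pps_id, docs, seen=None):
    """Rules of one PPS plus, transitively, those of every PPS it references via
    <PolicySetIdReference> (its junior roles): {(RuleId, Effect, resource regex)}."""
    seen = set() if seen is None else seen
    if pps_id in seen:       # guard: a reference cycle would otherwise recurse forever
        return set()
    if pps_id not in docs:   # slide: define the junior PPS before referencing it
        raise ValueError("undefined PolicySetIdReference: " + pps_id)
    seen.add(pps_id)
    root = ET.fromstring(docs[pps_id])
    perms = {(r.get("RuleId"), r.get("Effect"), v.text.strip())
             for r in root.iter("Rule") for v in r.iter("AttributeValue")}
    for ref in root.iter("PolicySetIdReference"):
        perms |= effective_permissions(ref.text.strip(), docs, seen)
    return perms

def decide(pps_id, url, docs=PPS_DOCS):
    """Permit if any inherited Permit rule's regex matches the whole URL, else Deny."""
    for _rule_id, effect, pattern in effective_permissions(pps_id, docs):
        if effect == "Permit" and re.fullmatch(pattern, url):
            return "Permit"
    return "Deny"
```

Because inheritance is resolved by reference, the CFO is permitted the sales and order pages without a single rule naming them in CFOPermissions; the Accounting Manager is denied the finance page because references only flow from senior to junior.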
Design
• By taking advantage of the concepts & technologies just mentioned, the goal is to build a structure/engine that provides:
  – Authentication
  – Authorization
  – Secure access based on users' ROLES
  – Protection for ANY type of resources
  – Fine-grained control based on active sessions
  – A PKI & PMI management tool
ENforCE "Big Picture" (architecture diagram)
The figure shows the request flow: a User sends a Request for protected web resources to IIS (IIS Authentication), where the ISAPI filter and the ASP.NET application's Global.asax send an Http request to the Policy Enforcement Point and receive an XML response. The Policy Enforcement Point gets the user's AC from the Active Directory Domain Controller, asks the Policy Decision Point for a decision ("Get Decision") against the RPS and PPS policies, checks the session policy (session policy source), and, for network resource access, sends Open/Close commands to the Iptables Control Service on the FC4 machine (Firewall) that guards the Protected Network resources.
ENforCE Test-Bed (network diagram)
• Main switch with the public addresses 128.198.162.50, 128.198.162.51, 128.198.162.52 and 128.198.162.53
• FedoraCore4 Gateway/Firewall, internal address 10.0.0.1, connected to a local switch
• Internal hosts behind the firewall: Win2003 IIS, Windows XP, Win2003 DC (the figure labels them with 10.0.0.10, 10.0.0.11, 10.0.0.12 and 10.0.0.13)
Implementation
• Two types of access:
  – Web-based resources (http://ncdcrx3.uccs.edu)
  – Network-based resources (http://ncdcrx4.uccs.edu)
• Web resources: accessed directly through IIS using https (port 443)
• Network resources:
  – Activate a web session first
  – ENforCE will open the firewall for the specified service
  – Physically access the service through the firewall
  – Service port varies (e.g. SSH:22, RDP:3389)
• ISAPI Filter -> web-access entry point (C/C++ - MFC)
• Global.asax -> manage web sessions (C#/ASP.NET)
• Policy Engine -> PEP, PDP, Policy, RBAC (XACML - Java)
• Firewall Daemon -> update Iptables rules (Java - JSSE)
Web resources (ISAPI) – request flow (figure)
1) Web request: the user's request reaches IIS (IIS Authentication) and the ISAPI filter.
2) Http request with attributes: the ISAPI filter sends the request attributes to the Policy Enforcement Point.
3) Get User's AC: the Policy Enforcement Point retrieves the user's AC from the Active Directory Domain Controller.
4) Get Decision: the Policy Enforcement Point asks the Policy Decision Point.
5) XML response with decision: returned to the ISAPI filter.
6) Permit/Deny access to the protected web resources.
Network resources (Global.asax) – request flow (figure)
1) Request a session: the user's request reaches IIS (IIS Authentication) and the ASP.NET application's Global.asax.
2) Http request with attributes: Global.asax sends the request attributes to the Policy Enforcement Point.
3) Get User's AC: from the AD DC.
4) Get decision: from the PDP.
5) Check session policy: against the session policy source.
6) Open/Close commands: sent to the Iptables Control Daemon on the FC4 machine (Firewall).
7) XML response with decision: returned to Global.asax.
8) Physically access the services: the user reaches the protected network resources through the firewall.
Requests to PEP
1) From ISAPI (Access a web resource):
   http://localhost:8080/sispep/servlets/sispep ?
   • subject= CN=Edward Chow, C=US, S=CO, ...., [email protected], OU=Computer Science &
   • URL=https://ncdcrx3.uccs.edu/it/img.jpg &
   • method=GET &
   • service=web
2) From Global.asax (Open a network resource):
   http://localhost:8080/sispep/servlets/sispep ?
   • subject= CN=Edward Chow, C=US, S=CO, …., [email protected], OU=Computer Science &
   • URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
   • service=ssh &
   • IP=128.198.55.11 &
   • sessionID=23hjhY43 &
   • action=open
3) From Global.asax (Close a network resource):
   http://localhost:8080/sispep/servlets/sispep ?
   • subject= CN=Edward Chow, C=US, S=CO, …., [email protected], OU=Computer Science &
   • URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
   • service=ssh &
   • IP=128.198.55.11 &
   • sessionID=23hjf73G2 &
   • action=close
Conditional Active-Session Access (CASA)
• Idea: a Junior role can ONLY access a network resource IF its Senior role has an active session for that resource.
• Why? To add finer access control.
• How? PEP maintains a table. An entry looks like:
  29gY3k0*ssh | Engineer | Subject | https://ncdcrx4.uccs.edu/ssh/net.aspx
• PEP reads an XML policy file (session policy). The session policy file supports 3 cases:
  1) A CERTAIN Senior Role is required
     <Service name="SSH">
       <Senior>ProjectMngr</Senior>
       <Junior>Developer</Junior>
     </Service>
  2) ANY Senior Role is required (including itself?)
     <Service name="MySQL">
       <Senior>ANY</Senior>
       <Junior>Accountant</Junior>
     </Service>
  3) N Senior Roles are required
     <Service name="SSH">
       <Senior>ITManager</Senior>
       <Junior>DB Admin</Junior>
     </Service>
     <Service name="SSH">
       <Senior>CEO</Senior>
       <Junior>DB Admin</Junior>
     </Service>
CASA (cont'd)
• PEP reads the session policy file and creates two things:
  1) Hierarchical-Role tree – to answer: Is Role A senior to Role B?
  2) Session Policy Table – to decide: for the requested service, is the Junior's access constrained by the Senior's?
• Session Policy Table example (Senior : Junior):
  SSH:  CFO : Sales Mngr
        ANY : Developer
  RDP:  CEO : DB Admin
        ITMngr : DB Admin
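Added example, not the thesis's Java PEP code: a Python model of the CASA check described on the last two slides. It builds the role tree and the session policy table from a session policy file in the slide's format, keeps an active-session table keyed like the PEP's "sessionID*service" entries, and answers whether a junior may open a service. The RDP entry (CFO : Accountant) is constructed so the tree has a senior above Accountant, and two points the slides leave open are resolved as assumptions: all N listed seniors must be active, and ANY excludes the junior's own session.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
# Constructed session policy in the slide's format, wrapped in one root element. The
# RDP entry only adds the CFO > Accountant edge that the MySQL "ANY" rule relies on.
SESSION_POLICY = """<SessionPolicy>
  <Service name="SSH"><Senior>ProjectMngr</Senior><Junior>Developer</Junior></Service>
  <Service name="MySQL"><Senior>ANY</Senior><Junior>Accountant</Junior></Service>
  <Service name="SSH"><Senior>ITManager</Senior><Junior>DB Admin</Junior></Service>
  <Service name="SSH"><Senior>CEO</Senior><Junior>DB Admin</Junior></Service>
  <Service name="RDP"><Senior>CFO</Senior><Junior>Accountant</Junior></Service>
</SessionPolicy>"""

class CASA:
    """A junior may open a service only while the required senior(s) hold an active session."""
    def __init__(self, policy_xml):
        self.required = defaultdict(set)    # (service, junior) -> {senior, ...}
        self.juniors_of = defaultdict(set)  # senior -> {junior, ...}: the role tree
        self.sessions = {}  # "sessionID*service" -> (role, subject, URL), as in the PEP
        for svc in ET.fromstring(policy_xml).iter("Service"):
            service = svc.get("name").strip().lower()
            senior, junior = svc.findtext("Senior").strip(), svc.findtext("Junior").strip()
            self.required[(service, junior)].add(senior)
            if senior != "ANY":
                self.juniors_of[senior].add(junior)

    def is_senior(self, a, b):
        """Is role a (transitively) senior to role b in the policy-derived tree?"""
        todo, seen = [a], set()
        while todo:
            juniors = self.juniors_of[todo.pop()] - seen
            if b in juniors:
                return True
            seen |= juniors
            todo.extend(juniors)
        return False

    def open_session(self, session_id, service, role, subject, url):
        self.sessions[session_id + "*" + service.lower()] = (role, subject, url)
    def close_session(self, session_id, service):
        self.sessions.pop(session_id + "*" + service.lower(), None)

    def permit(self, junior, service):
        """CASA decision only (the PDP's RBAC decision is separate). Assumed reading: all
        listed seniors must be active; ANY means a role strictly senior to the junior."""
        service = service.lower()
        seniors = self.required.get((service, junior), set())
        active = {r for k, (r, _s, _u) in self.sessions.items() if k.endswith("*" + service)}
        if not (seniors - {"ANY"}) <= active:
            return False
        return "ANY" not in seniors or any(self.is_senior(r, junior) for r in active)
```

Closing a senior's session immediately withdraws the junior's access on the next check, which is the property the session-refresh measurements on the next slide exercise.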
Performance Analysis
Web resources (ISAPI) – unit: ms
Resource        Retrieve AC from AD   PDP decision   Total request time
Finance Mgmnt   5.4750                3.0345         10.3476
Sales Write     6.2864                4.3872         13.7203
Posting orders  6.9820                4.92345        13.8433
View orders     5.1734                4.1093         11.7390

Network resource (Global.asax) – new session (ms)
Resource   Retrieve AC from AD   PDP decision   CASA decision   Firewall update   Total request time
SSH        5.8730                3.8264         2.3654          15.5093           29.4374
RDP        5.7639                4.9276         3.1093          17.1204           32.2841
MySQL      6.1927                3.1043         2.5831          14.7627           30.6392

Network resource (Global.asax) – session refresh (ms)
Resource   Retrieve AC from AD   PDP decision   CASA decision   Total request time
SSH        6.8093                4.3298         3.9485          20.5912
RDP        7.7602                3.8749         2.2037          20.5382
MySQL      6.3175                3.7829         2.5582          19.7045
Future Work
• Extend the system to work in a multi-agency environment.
• Develop more services that can take advantage of the existing RBAC architecture. For instance:
  – E-Voting: users can vote based on their roles.
  – Instant Messenger: users can chat based on their roles.
  – E-Mail: users can send e-mails based on their roles.
  – XXX and so on…
• Support more operating systems (Mac, Solaris …)
• Improve the Admin tool to initialize and modify Active Directory, and to be able to generate XACML policies.
• Support wireless access.
Thesis Contributions
• Provide a robust architecture for large-scale companies to address accessing sensitive resources securely according to a hierarchical role-based access policy.
• Extend XACML to handle the Hierarchical Role-Based Access Control (HRBAC) model.
• Add a totally new concept of secure access in which a Senior Role can restrict its Junior Role's access using active-session management.
• Enhance IIS 6.0 with two components, an ISAPI filter and Global.asax.
• Simplify PKI and PMI management, thereby reducing management cost and errors.
ENforCE Demo
Q&A