4/26/2007 okhaleel/Enforce 1
ENgine FOR Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)
Osama Khaleel
Thesis Defense
May 2007
Master of Science in Computer Science
University of Colorado, Colorado Springs
Introduction
Roles in any organization are hierarchical by nature.
Resources in any organization vary: from a simple HTML web page to RDP/SSH access, in which a user can gain full control.
The mission becomes more complicated when users should access resources securely and based on their ROLES.
Password-based protection is far from satisfying high-level security requirements.
Role-Based Access Control (RBAC): Core, Hierarchical
eXtensible Access Control Markup Language (XACML): Policy Enforcement Point (PEP), Policy Decision Point (PDP)
Active Directory (AD), ISAPI Filter, ASP.NET Application File (Global.asax), Iptables
Authentication: the process in which someone provides some kind of credentials to prove his or her identity.
CA (Certification Authority): a trusted third party that issues digital certificates to be used by other parties. It guarantees that the individual granted the certificate is really who he or she claims to be.
PKC (Public Key Certificate): a digitally signed document that binds a public key to a subject (identity). This binding is asserted by a trusted CA.
CRL (Certificate Revocation List): a list signed by the issuing CA that contains the serial numbers of the revoked certificates.
Authorization: the process used to determine whether the subject has the required permissions to access some protected resources.
AC (Attribute Certificate): a digitally signed document that binds a set of attributes, such as membership, role, or security clearance, to the AC holder.
AA (Attribute Authority): a trusted third party responsible for issuing, maintaining, and revoking ACs.
AD: a distributed directory service included in Windows Server 2000/2003. Microsoft's LDAP-based directory implementation. Used to store and manage all information about network resources across the domain: computers, groups, users, …
ISAPI filters: DLLs that can be used to enhance and modify the functionality of IIS. Powerful: they can modify both the incoming and the outgoing data stream for EVERY request.
Global.asax: a file that resides in the root directory of the ASP.NET application. Contains code to handle application-level and session-level events raised by ASP.NET.
Iptables: a generic table structure for defining a set of rules to deal with network packets. Rules are grouped into chains. Chains are grouped into tables. Each table is associated with a different kind of packet processing.
RBAC: a mechanism/model for restricting access based on the roles of authorized users.
Core: roles are assigned to users, and permissions are associated with roles, not directly with users.
Hierarchical: an enhancement to the core, in which senior roles inherit permissions from more junior roles.
XACML: an XML-based OASIS standard that describes: a policy language; a request/response language.
The main three components in XACML are Rule, Policy, and PolicySet.
The XACML RBAC profile has two main components: Permission PolicySet (PPS) and Role PolicySet (RPS).
One PPS and one RPS for each defined Role.
PPS: defines the Policies and Rules needed for the permissions associated with a certain Role. Contains a set of PPS references using <PolicySetIdReference> to inherit the permissions of the junior role associated with each referenced PPS. Define what a junior role is before using it (the referenced PPS must already exist).
RPS: defines the Role name; includes ONLY one PPS reference, to associate this Role with the permissions defined in the corresponding PPS.
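The following is an added example, not code from the thesis, that shows how the hierarchical RBAC inheritance described above is resolved through the RPS -> PPS -> junior-PPS chain of the XACML RBAC profile. The XML is a constructed, simplified stand-in for real XACML 2.0 policies (role, resource and action are plain attributes instead of Target/Subject/Attribute elements, and only Permit rules are listed); the role names ProjectMngr (senior) and Developer (junior), the resource names and the function names are this example's own assumptions.

```python
"""Hierarchical RBAC resolution in the XACML RBAC-profile style (added example).

Constructed, simplified policy: each Role PolicySet (RPS) carries a role name
and references exactly one Permission PolicySet (PPS); each PPS lists its own
permission rules and references the PPS of every junior role it inherits from.
Real XACML expresses the role match as a Target on a subject attribute; that
is shortened here to a `role` attribute so the parser stays small.
"""
import xml.etree.ElementTree as ET

POLICY_XML = """
<Policies>
  <PolicySet PolicySetId="RPS:Developer" role="Developer">
    <PolicySetIdReference>PPS:Developer</PolicySetIdReference>
  </PolicySet>
  <PolicySet PolicySetId="RPS:ProjectMngr" role="ProjectMngr">
    <PolicySetIdReference>PPS:ProjectMngr</PolicySetIdReference>
  </PolicySet>
  <PolicySet PolicySetId="PPS:Developer">
    <Rule resource="wiki.html" action="read" Effect="Permit"/>
    <Rule resource="SSH" action="connect" Effect="Permit"/>
  </PolicySet>
  <PolicySet PolicySetId="PPS:ProjectMngr">
    <Rule resource="budget.html" action="read" Effect="Permit"/>
    <Rule resource="RDP" action="connect" Effect="Permit"/>
    <!-- the senior role inherits everything the junior PPS permits -->
    <PolicySetIdReference>PPS:Developer</PolicySetIdReference>
  </PolicySet>
</Policies>
"""


def load_policy_sets(xml_text):
    """Index every PolicySet by its PolicySetId."""
    root = ET.fromstring(xml_text)
    return {ps.get("PolicySetId"): ps for ps in root.findall("PolicySet")}


def permissions_for_pps(pps_id, policy_sets, seen=None):
    """Collect (resource, action) pairs from a PPS and, transitively, from every
    junior PPS it references. `seen` guards against reference cycles and
    dangling references are reported instead of silently granting nothing."""
    if seen is None:
        seen = set()
    if pps_id in seen:
        return set()
    seen.add(pps_id)
    pps = policy_sets.get(pps_id)
    if pps is None:
        raise KeyError(f"dangling PolicySetIdReference: {pps_id}")
    perms = {(r.get("resource"), r.get("action"))
             for r in pps.findall("Rule") if r.get("Effect") == "Permit"}
    for ref in pps.findall("PolicySetIdReference"):
        perms |= permissions_for_pps(ref.text.strip(), policy_sets, seen)
    return perms


def permissions_for_role(role, policy_sets):
    """Follow the role's RPS to its single PPS and expand the inheritance chain."""
    rps = [ps for ps in policy_sets.values() if ps.get("role") == role]
    if len(rps) != 1:
        raise ValueError(f"expected exactly one RPS for role {role!r}")
    refs = rps[0].findall("PolicySetIdReference")
    if len(refs) != 1:
        raise ValueError("an RPS must reference exactly one PPS")
    return permissions_for_pps(refs[0].text.strip(), policy_sets)


def decide(role, resource, action, policy_sets):
    """PDP-style decision: Permit if the role, or a junior it inherits from,
    permits the (resource, action) pair; Deny otherwise."""
    if (resource, action) in permissions_for_role(role, policy_sets):
        return "Permit"
    return "Deny"


POLICY_SETS = load_policy_sets(POLICY_XML)
```

Because inheritance is expressed only through references from the senior PPS downward, a junior role never gains a senior's permissions, and a typo in a PolicySetIdReference fails closed with an exception rather than quietly dropping the inherited permissions.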
By taking advantage of the concepts and technologies just mentioned, the goal is to build a structure/engine that provides:
Authentication
Authorization
Secure access based on users' ROLES
Protection for ANY type of resource
Fine grained control based on active
Web resources: accessed directly through IIS using HTTPS (port 443).
Network resources: activate a web session first; ENforCE will open the firewall for the specified service; physically access the service through the firewall. The service port varies (e.g. SSH: 22, RDP: 3389).
1) From ISAPI (access a web resource): http://localhost:8080/sispep/servlets/sispep?
2) From Global.asax (open a network resource): http://localhost:8080/sispep/servlets/sispep?
3) From Global.asax (close a network resource): http://localhost:8080/sispep/servlets/sispep?
Idea: a Junior role can ONLY access a network resource IF its Senior role has an active session for that resource.
Why? To add finer access control.
How? The PEP maintains a table. An entry looks like:
The PEP reads an XML policy file (session policy). The session policy file supports 3 cases:
1) A CERTAIN Senior Role is required
2) ANY Senior Role is required (including itself?)
3) N Senior Roles are required
<Service name="SSH">
  <Senior>ProjectMngr</Senior>
  <Junior>Developer</Junior>
</Service>
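The following is an added example, not ENforCE's code, that models the active-session table and the three session-policy cases above, and the firewall opening/closing step from the network-resource flow. The session policy XML is constructed in the shape of the deck's SSH example (a `port` attribute and the RDP/DB services are added here); the seniority table, the user names and IP addresses, the `ANY` spelling for case 2, the treatment of "including itself?" as strictly senior, and the choice to close dependent junior sessions when their senior leaves are all this example's own assumptions. The iptables commands are returned as strings so the example runs offline; a real PEP would execute them on the firewall host.

```python
"""Session-gated network access in the ENforCE style (added example).

A junior role may open a network service only while the senior role(s) the
session policy names hold an active session for the same service. The XACML
PDP is assumed to have already permitted the (role, service) pair; this class
is the extra session check layered on top of that decision.
"""
import ipaddress
import xml.etree.ElementTree as ET

SESSION_POLICY_XML = """
<SessionPolicy>
  <!-- case 1: a CERTAIN senior role must be active -->
  <Service name="SSH" port="22">
    <Senior>ProjectMngr</Senior>
    <Junior>Developer</Junior>
  </Service>
  <!-- case 2: ANY role strictly senior to the junior must be active -->
  <Service name="RDP" port="3389">
    <Senior>ANY</Senior>
    <Junior>Developer</Junior>
  </Service>
  <!-- case 3: N senior roles must all be active at the same time -->
  <Service name="DB" port="1433">
    <Senior>ProjectMngr</Senior>
    <Senior>Auditor</Senior>
    <Junior>Developer</Junior>
  </Service>
</SessionPolicy>
"""

# Constructed transitive seniority: role -> every role senior to it.
SENIORS_OF = {
    "Developer": {"ProjectMngr", "Auditor", "Director"},
    "ProjectMngr": {"Director"},
    "Auditor": {"Director"},
    "Director": set(),
}


class SessionPEP:
    def __init__(self, policy_xml, seniors_of):
        self.seniors_of = seniors_of
        self.services = {}
        for svc in ET.fromstring(policy_xml).findall("Service"):
            self.services[svc.get("name")] = {
                "port": int(svc.get("port")),
                "seniors": [s.text.strip() for s in svc.findall("Senior")],
                "juniors": {j.text.strip() for j in svc.findall("Junior")},
            }
        self.active = set()  # PEP table entries: (user, role, service, client_ip)

    @staticmethod
    def _rule(flag, ip, port):
        # Assumes the rule lives in the INPUT chain of the host running the service.
        return f"iptables {flag} INPUT -s {ip} -p tcp --dport {port} -j ACCEPT"

    def _seniors_active(self, service, role):
        required = self.services[service]["seniors"]
        active_roles = {r for (_, r, s, _) in self.active if s == service}
        if required == ["ANY"]:  # case 2: any strictly senior role will do
            return bool(active_roles & self.seniors_of.get(role, set()))
        return all(r in active_roles for r in required)  # cases 1 and 3

    def open_session(self, user, role, service, client_ip):
        """Return the iptables command that opens the port for the client, or
        None when the session policy blocks the junior role right now."""
        svc = self.services[service]              # KeyError for unknown services
        ip = str(ipaddress.ip_address(client_ip))  # validate before it reaches a shell
        if role in svc["juniors"] and not self._seniors_active(service, role):
            return None
        self.active.add((user, role, service, ip))
        return self._rule("-I", ip, svc["port"])

    def close_session(self, user, role, service, client_ip):
        """Return the iptables commands to run: the closing user's rule plus the
        rule of every junior whose required senior(s) are no longer present."""
        entry = (user, role, service, str(ipaddress.ip_address(client_ip)))
        if entry not in self.active:
            return []
        self.active.remove(entry)
        port = self.services[service]["port"]
        cmds = [self._rule("-D", entry[3], port)]
        changed = True
        while changed:  # repeat until no further junior loses its senior
            changed = False
            for (u, r, s, ip) in sorted(self.active):
                if s == service and r in self.services[s]["juniors"] \
                        and not self._seniors_active(s, r):
                    self.active.remove((u, r, s, ip))
                    cmds.append(self._rule("-D", ip, port))
                    changed = True
        return cmds
```

Two points worth noting for a practitioner: the client address is parsed with `ipaddress` before it is interpolated into a command, so a request carrying a crafted "address" fails with `ValueError` instead of reaching the shell, and the table entry is keyed on user, role, service and address together, so a closing request can only remove the rule it opened.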
Future Work
Extend the system to work in a multi-agency environment.
Develop more services that can take advantage of the existing RBAC architecture. For instance:
RBAC E-Voting: users can vote based on their roles.
RBAC Instant Messenger: users can chat based on their roles.
RBAC E-Mail: users can send e-mails based on their roles.
RBAC XXX and so on…
Support more operating systems (Mac, Solaris, …).
Improve the Admin tool to initialize and modify Active Directory, and to be able to generate XACML policies.
Thesis Contributions
Provide a robust architecture for large-scale companies to address accessing sensitive resources securely according to a hierarchical role-based access policy.
Extend XACML to handle the Hierarchical Role-Based Access Control (HRBAC) model.
Add a totally new concept of secure access in which a Senior Role can restrict its Junior Role's access using active session management.
Enhance IIS 6.0 with two components, an ISAPI filter and Global.asax.
Simplify PKI and PMI management, therefore reducing management cost and errors.