
1  ENgine FOR Controlling Emergent Hierarchical Role-Based Access (ENforCE HRBAccess)
   Osama Khaleel, Thesis Defense, May 2007
   Master of Science in Computer Science, University of Colorado, Colorado Springs
   (slide footer: 4/26/2007, okhaleel/Enforce)

2  ENforCE HRBAccess
   Committee Members: Dr. Edward Chow (Chair), Dr. Terry Boult, Dr. Xiaobo Zhou

3  Thesis Defense Outline
   - Intro & Background
   - Design
   - Implementation
   - Performance Analysis
   - Future Work
   - Contribution
   - Demo
   - Q & A

4  Introduction
   - Roles in any organization are hierarchical by their nature.
   - Resources in any organization vary:
     - from a simple HTML web page,
     - to RDP/SSH access in which a user can gain full control.
   - The mission becomes more complicated when users must access resources securely and based on their ROLES.
   - Password-based protection is far from satisfying high-level security requirements.

5  Background
   - Authentication: Public Key Certificate (PKC), Certificate Authority (CA), Certificate Revocation List (CRL)
   - Authorization: Attribute Certificate (AC), Attribute Authority (AA)
   - Role-Based Access Control (RBAC): Core, Hierarchical
   - eXtensible Access Control Markup Language (XACML): Policy Enforcement Point (PEP), Policy Decision Point (PDP)
   - Active Directory (AD)
   - ISAPI Filter
   - ASP.NET Application File (Global.asax)
   - Iptables
   - Public Key Infrastructure (PKI), Privilege Management Infrastructure (PMI)

6
   - Authentication: the process in which someone provides credentials to prove his or her identity.
   - CA: a trusted third party that issues digital certificates to be used by other parties. It guarantees that the individual granted the certificate really is who they claim to be.
   - PKC: a digitally signed document that binds a public key to a subject (identity). This binding is asserted by a trusted CA.
   - CRL: a list signed by the issuing CA that contains the serial numbers of the revoked certificates.
   - Authorization: the process used to determine whether the subject has the required permissions to access a protected resource.
   - AC: a digitally signed document that binds a set of attributes (membership, role, security clearance) to the AC holder.
   - AA: a trusted third party responsible for issuing, maintaining, and revoking ACs.

7
   - AD: a distributed directory service included in Windows Server 2000/2003; Microsoft's implementation of LDAP. Used to store and manage all information about network resources across the domain: computers, groups, users, ...
   - ISAPI filters: DLLs that can be used to enhance and modify the functionality of IIS. Powerful -> they can modify both the incoming and outgoing data stream for EVERY request.
   - Global.asax: a file that resides in the root directory of the ASP.NET application. Contains code to handle application-level and session-level events raised by ASP.NET.
   - Iptables: a generic table structure for defining a set of rules to deal with network packets. Rules are grouped into chains; chains are grouped into tables; each table is associated with a different kind of packet processing.

8
   - RBAC: a mechanism/model for restricting access based on the roles of authorized users.
     - Core: roles are assigned to users, and permissions are associated with roles, not directly with users.
     - Hierarchical: an enhancement to the core in which senior roles inherit permissions from more junior roles.
   - XACML: an XML-based OASIS standard that describes a policy language and a request/response language.
     - The three main components in XACML are Rule, Policy, and PolicySet.
     - The XACML RBAC profile has two main components: Permission PolicySet (PPS) and Role PolicySet (RPS).
     - One PPS and one RPS for each defined Role.

9
   - PPS:
     - defines the Policies and Rules needed for the Permissions associated with a certain Role.
     - contains a set of PPS references (the element name is lost in the transcript) used to inherit permissions from the junior role associated with each referenced PPS.
     - a junior role must be defined before it is referenced.
   - RPS:
     - defines the Role name.
     - includes ONLY one PPS, which associates this Role with its permissions defined in the corresponding PPS.
   Policy fragment shown on the slide (most XML tags were lost in transcription): resource https://ncdcrx3.uccs.edu/financial/finMgmt.aspx; PPS references SalesMgrPermissions and AccMgrPermissions; <SubjectAttributeDesignator DataType="string" AttributeId="role"/>; role CFO bound to CFOPermissions.
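To make the RPS/PPS structure concrete, here is an added example (not the thesis code and not a real XACML engine): a small Python evaluator over a constructed, simplified XACML-style policy set. The element names PolicySet, PolicySetId, PolicySetIdReference, Rule and Effect follow the XACML RBAC profile layout, but namespaces and real Target/Match elements are collapsed into plain attributes, and every resource URL except finMgmt.aspx (named on the slide) is made up for the example. It shows the CFO inheriting the accounting manager's GET permission through a PPS reference, the "only one PPS per RPS" rule, and what happens when a referenced junior PPS has not been defined.

```python
import xml.etree.ElementTree as ET

# Constructed policy set (assumption: simplified stand-in for the thesis' XACML files).
# One RPS and one PPS per role; PolicySetIdReference inside a PPS pulls in the
# permissions of a junior role's PPS, which is how hierarchy is expressed.
POLICY_XML = """<Policies>
  <PolicySet PolicySetId="RPS:SalesMgr">
    <Target role="SalesMgr"/>
    <PolicySetIdReference>PPS:SalesMgr</PolicySetIdReference>
  </PolicySet>
  <PolicySet PolicySetId="RPS:AccMgr">
    <Target role="AccMgr"/>
    <PolicySetIdReference>PPS:AccMgr</PolicySetIdReference>
  </PolicySet>
  <PolicySet PolicySetId="RPS:CFO">
    <Target role="CFO"/>
    <PolicySetIdReference>PPS:CFO</PolicySetIdReference>
  </PolicySet>
  <PolicySet PolicySetId="PPS:SalesMgr">
    <Rule Effect="Permit" resource="https://ncdcrx3.uccs.edu/sales/orders.aspx" action="GET"/>
  </PolicySet>
  <PolicySet PolicySetId="PPS:AccMgr">
    <Rule Effect="Permit" resource="https://ncdcrx3.uccs.edu/financial/finMgmt.aspx" action="GET"/>
  </PolicySet>
  <PolicySet PolicySetId="PPS:CFO">
    <Rule Effect="Permit" resource="https://ncdcrx3.uccs.edu/financial/finMgmt.aspx" action="POST"/>
    <PolicySetIdReference>PPS:SalesMgr</PolicySetIdReference>
    <PolicySetIdReference>PPS:AccMgr</PolicySetIdReference>
  </PolicySet>
</Policies>"""


def load_policy_sets(xml_text):
    """Index every PolicySet by its PolicySetId."""
    root = ET.fromstring(xml_text)
    return {ps.get("PolicySetId"): ps for ps in root.findall("PolicySet")}


def role_pps(policy_sets, role):
    """Find the RPS whose Target names `role`; return the id of its single PPS."""
    for ps in policy_sets.values():
        target = ps.find("Target")
        if target is not None and target.get("role") == role:
            refs = ps.findall("PolicySetIdReference")
            if len(refs) != 1:  # the RBAC profile allows exactly one PPS per RPS
                raise ValueError(f"RPS for {role} must reference exactly one PPS")
            return refs[0].text
    return None


def collect_permissions(policy_sets, pps_id, seen=None):
    """Walk a PPS and every junior PPS it references; return the permitted (resource, action) pairs."""
    seen = set() if seen is None else seen
    if pps_id in seen:  # guard against a reference cycle between PPSs
        return set()
    seen.add(pps_id)
    pps = policy_sets.get(pps_id)
    if pps is None:  # junior PPS used before it was defined
        raise KeyError(f"dangling reference to {pps_id}: define the junior PPS before using it")
    perms = {(r.get("resource"), r.get("action"))
             for r in pps.findall("Rule") if r.get("Effect") == "Permit"}
    for ref in pps.findall("PolicySetIdReference"):
        perms |= collect_permissions(policy_sets, ref.text, seen)
    return perms


def decide(policy_sets, role, resource, action):
    """PDP-style decision for a (role, resource, action) request."""
    pps_id = role_pps(policy_sets, role)
    if pps_id is None:
        return "NotApplicable"  # no RPS matches this role
    return "Permit" if (resource, action) in collect_permissions(policy_sets, pps_id) else "Deny"


POLICY = load_policy_sets(POLICY_XML)

if __name__ == "__main__":
    fin = "https://ncdcrx3.uccs.edu/financial/finMgmt.aspx"
    for role, act in [("CFO", "GET"), ("CFO", "POST"), ("AccMgr", "POST"), ("SalesMgr", "GET")]:
        print(role, act, fin, "->", decide(POLICY, role, fin, act))
```

The walk over PolicySetIdReference is what turns a flat permission list into a hierarchy: the CFO never names finMgmt.aspx GET in its own PPS, yet is permitted because the AccMgr PPS is referenced. The cycle guard and the dangling-reference error are the two failure modes worth checking in any real policy loader.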

10 Design
   By taking advantage of the concepts & technologies just mentioned, the goal is to build a structure/engine that provides:
   - Authentication
   - Authorization
   - Secure access based on users' ROLES
   - Protection for ANY type of resource
   - Fine-grained control based on active sessions
   - A PKI & PMI management tool

11 ENforCE "Big Picture" (architecture diagram)
   Components: Policy Enforcement Point; Policy Decision Point; Global.asax ASP.NET application; FC4 machine (firewall) running the Iptables Control Service; IIS Authentication with the ISAPI filter and the protected web resources; Domain Controller / Active Directory; protected network resources; session policy source.
   Flows shown: user request -> Http request -> IIS; the PEP gets the user's AC from Active Directory; the PEP asks the PDP for a decision ("Get Decision") against the RPS/PPS; the PDP returns an XML response; the PEP checks the session policy; the PEP sends Open/Close commands to the firewall for network-resource access.

12 ENforCE Test-Bed (network diagram)
   Hosts: Windows XP client, Win2003 IIS, Win2003 DC, FedoraCore4 Gateway/Firewall.
   Local switch side: 10.0.0.1 (gateway/firewall), 10.0.0.10, 10.0.0.11, 10.0.0.12, 10.0.0.13.
   Main switch side: 128.198.162.50, 128.198.162.51, 128.198.162.52, 128.198.162.53.

13 Implementation
   - Two types of access:
     - Web-based resources (http://ncdcrx3.uccs.edu)
     - Network-based resources (http://ncdcrx4.uccs.edu)
   - Web resources: accessed directly through IIS using https (port 443).
   - Network resources:
     - activate a web session first;
     - ENforCE opens the firewall for the specified service;
     - physically access the service through the firewall;
     - the service port varies (e.g. SSH: 22, RDP: 3389).
   - Components:
     - ISAPI Filter -> web-access entry point (C/C++ - MFC)
     - Global.asax -> manages web sessions (C#/ASP.NET)
     - Policy Engine -> PEP, PDP, Policy, RBAC (XACML - Java)
     - Firewall Daemon -> updates Iptables rules (Java - JSSE)

14 Web resources (ISAPI) - request flow (diagram)
   Components: IIS (IIS Authentication, the ISAPI filter, protected web resources); Policy Enforcement Point; Policy Decision Point; Domain Controller / Active Directory.
   1) Web request arrives at IIS (ISAPI filter)
   2) Http request with attributes -> PEP
   3) PEP gets the user's AC from Active Directory
   4) PEP asks the PDP for a decision ("Get Decision")
   5) XML response with decision returned to the ISAPI filter
   6) Permit/Deny access to the protected web resource

15 Network resources (Global.asax) - request flow (diagram)
   Components: IIS (IIS Authentication, Global.asax ASP.NET application); Policy Enforcement Point; PDP; session policy source; DC / AD; FC4 machine (firewall) running the Iptables Control Daemon; protected network resources.
   1) Request a session (IIS)
   2) Http request with attributes -> PEP
   3) PEP gets the user's AC from AD
   4) PEP asks the PDP for a decision
   5) PEP checks the session policy
   6) Open/Close commands -> Iptables Control Daemon on the firewall
   7) XML response with decision returned to Global.asax
   8) User physically accesses the service through the firewall

16 Requests to PEP
   1) From ISAPI (access a web resource):
      http://localhost:8080/sispep/servlets/sispep ?
        subject= CN=Edward Chow, C=US, S=CO, ...., E=chow@sis.uccs.edu, OU=Computer Science &
        URL=https://ncdcrx3.uccs.edu/it/img.jpg &
        method=GET &
        service=web
   2) From Global.asax (open a network resource):
      http://localhost:8080/sispep/servlets/sispep ?
        subject= CN=Edward Chow, C=US, S=CO, ...., E=chow@sis.uccs.edu, OU=Computer Science &
        URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
        service=ssh &
        IP=128.198.55.11 &
        sessionID=23hjhY43 &
        action=open
   3) From Global.asax (close a network resource):
      http://localhost:8080/sispep/servlets/sispep ?
        subject= CN=Edward Chow, C=US, S=CO, ...., E=chow@sis.uccs.edu, OU=Computer Science &
        URL=https://ncdcrx4.uccs.edu/ssh/session.aspx &
        service=ssh &
        IP=128.198.55.11 &
        sessionID=23hjf73G2 &
        action=close
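The PEP only ever sees these three request shapes, so the first thing it should do is validate them before touching Active Directory or the PDP. The following is an added example (not the thesis' sispep servlet, which is Java): a Python parser for the query-string format above that rejects unknown services and actions, missing parameters, malformed IP addresses, non-https resource URLs and duplicated parameters. The set of network services, the allowed HTTP methods and the sample subject DN are assumptions for the example; the real requests come from the ISAPI filter and Global.asax.

```python
from urllib.parse import urlsplit, parse_qsl
import ipaddress

# Assumptions for this example: the network services the test-bed exposes and the
# HTTP methods a web-resource request may carry.
NETWORK_SERVICES = {"ssh", "rdp", "mysql"}
WEB_METHODS = {"GET", "POST", "HEAD"}

# Constructed sample requests in the slide's format (subject DN is made up).
WEB_REQUEST = ("http://localhost:8080/sispep/servlets/sispep?"
               "subject=CN=Alice Example, C=US, S=CO, OU=Computer Science &"
               "URL=https://ncdcrx3.uccs.edu/it/img.jpg & method=GET & service=web")
OPEN_REQUEST = ("http://localhost:8080/sispep/servlets/sispep?"
                "subject=CN=Alice Example, C=US, S=CO, OU=Computer Science &"
                "URL=https://ncdcrx4.uccs.edu/ssh/session.aspx & service=ssh &"
                "IP=128.198.55.11 & sessionID=23hjhY43 & action=open")


def parse_pep_request(url):
    """Parse one PEP request URL into a dict of parameters; raise ValueError if malformed."""
    params = {}
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        key = key.strip()          # the slide format pads separators with spaces
        if key in params:          # a repeated parameter is ambiguous: refuse it
            raise ValueError(f"duplicated parameter {key!r}")
        params[key] = value.strip()

    service = params.get("service")
    if service == "web":
        required = {"subject", "URL", "method", "service"}
    elif service in NETWORK_SERVICES:
        required = {"subject", "URL", "service", "IP", "sessionID", "action"}
    else:
        raise ValueError(f"unknown service {service!r}")
    missing = sorted(required - params.keys())
    if missing:
        raise ValueError(f"missing parameter(s): {missing}")

    if not params["subject"].startswith("CN="):
        raise ValueError("subject must be a DN starting with CN=")
    if urlsplit(params["URL"]).scheme != "https":
        raise ValueError("resource URL must use https")

    if service == "web":
        if params["method"] not in WEB_METHODS:
            raise ValueError(f"unsupported method {params['method']!r}")
    else:
        if params["action"] not in {"open", "close"}:
            raise ValueError(f"unsupported action {params['action']!r}")
        ipaddress.ip_address(params["IP"])   # raises ValueError on a malformed address
        if not params["sessionID"]:
            raise ValueError("empty sessionID")
    return params


def is_valid_pep_request(url):
    """Boolean wrapper around parse_pep_request for quick checks."""
    try:
        parse_pep_request(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_pep_request(WEB_REQUEST))
    print(parse_pep_request(OPEN_REQUEST))
```

Even though the PEP listens on localhost:8080 and its callers are trusted components, validating the shape of each request keeps a misconfigured ISAPI filter or Global.asax from pushing an unexpected action or an unparseable IP into the firewall daemon; rejecting duplicated parameters closes the classic parameter-pollution ambiguity where two components disagree on which value wins.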

17 Conditional Active-Session Access (CASA)
   - Idea: a Junior role can ONLY access a network resource IF its Senior role has an active session for that resource.
   - Why? To add finer access control.
   - How? PEP maintains a table. An entry looks like:
       sessionID 29gY3k0* | service ssh | role Engineer | subject Subject | URL https://ncdcrx4.uccs.edu/ssh/net.aspx | IP 128.198.162.50
   - PEP reads an XML policy file (session policy). The session policy file supports 3 cases:
     1) A CERTAIN Senior Role is required
     2) ANY Senior Role is required (including itself?)
     3) N Senior Roles are required
   Examples on the slide (Senior : Junior): ProjectMngr : Developer; ANY : Accountant; ITManager : DB Admin and CEO : DB Admin.

18 CASA (cont'd)
   - PEP reads the session policy file and creates two things:
     1) Hierarchical-Role tree, to answer: is Role A senior to Role B?
     2) Session Policy Table, to decide: for the requested service, is the Junior's access constrained by the Senior's?
   Example session policy table (Senior : Junior):
     SSH   CFO : Sales Mngr;  ANY : Developer
     RDP   CEO : DB Admin;    ITMngr : DB Admin
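The following is an added example (not the thesis' PEP code) that implements the two structures slides 17 and 18 describe in Python: a hierarchical-role tree answering "is A senior to B?", and a session-policy table covering all three cases (one named senior, ANY senior, N seniors), checked against the PEP's table of active sessions as open/close requests arrive. The role tree and the policy entries are constructed from the role names on the slides; the exact shape of the tree is an assumption, and the open question on slide 17 ("including itself?") is resolved here by treating ANY as strictly-senior roles only.

```python
from collections import namedtuple

# Constructed role hierarchy: senior -> direct juniors (assumption built from the
# role names on slides 17-18; the thesis' real tree comes from its session policy XML).
HIERARCHY = {
    "CEO": ["CFO", "ITMngr", "ProjectMngr"],
    "CFO": ["Sales Mngr"],
    "ITMngr": ["DB Admin"],
    "ProjectMngr": ["Developer"],
}

# Constructed session policy table: service -> junior role -> constraint, where the
# constraint is one senior role name, the string "ANY", or a list of seniors that
# must ALL hold an active session (the three cases on slide 17).
SESSION_POLICY = {
    "ssh": {"Sales Mngr": "CFO", "Developer": "ANY"},
    "rdp": {"DB Admin": ["CEO", "ITMngr"]},
}

# One row of the PEP's active-session table, with the columns shown on slide 17.
Session = namedtuple("Session", "session_id service role subject url ip")


def is_senior(hierarchy, senior, junior):
    """True if `senior` sits above `junior` anywhere in the tree (transitive, not reflexive)."""
    stack, seen = list(hierarchy.get(senior, [])), set()
    while stack:
        role = stack.pop()
        if role == junior:
            return True
        if role not in seen:
            seen.add(role)
            stack.extend(hierarchy.get(role, []))
    return False


class SessionTable:
    """Active sessions keyed by sessionID; fed by the open/close requests from Global.asax."""

    def __init__(self):
        self.sessions = {}

    def open(self, session):
        self.sessions[session.session_id] = session

    def close(self, session_id):
        return self.sessions.pop(session_id, None) is not None

    def roles_active_for(self, service):
        return {s.role for s in self.sessions.values() if s.service == service}


def casa_decision(hierarchy, policy, table, service, role):
    """Return (decision, reason) for `role` requesting `service` under the session policy."""
    constraint = policy.get(service, {}).get(role)
    if constraint is None:
        return "Permit", "no session constraint for this role/service"
    active = table.roles_active_for(service)
    if constraint == "ANY":
        seniors = sorted(r for r in active if is_senior(hierarchy, r, role))
        if seniors:
            return "Permit", f"senior session(s) active: {seniors}"
        return "Deny", "no senior role has an active session"
    required = [constraint] if isinstance(constraint, str) else list(constraint)
    for senior in required:
        if not is_senior(hierarchy, senior, role):  # policy names a non-senior: refuse to guess
            return "Indeterminate", f"policy error: {senior} is not senior to {role}"
    missing = [r for r in required if r not in active]
    if missing:
        return "Deny", f"required senior session(s) missing: {missing}"
    return "Permit", f"all required seniors active: {required}"


if __name__ == "__main__":
    table = SessionTable()
    print(casa_decision(HIERARCHY, SESSION_POLICY, table, "ssh", "Sales Mngr"))
    table.open(Session("29gY3k0*", "ssh", "CFO", "CN=CFO Example",
                       "https://ncdcrx4.uccs.edu/ssh/net.aspx", "128.198.162.50"))
    print(casa_decision(HIERARCHY, SESSION_POLICY, table, "ssh", "Sales Mngr"))
```

The decision is recomputed from the live session table on every request, which is what makes the junior's access collapse the moment the senior's session is closed; a session refresh (slide 19's third table) is the same check run again for an existing session. Returning Indeterminate rather than Permit when the policy names a role that is not actually senior surfaces a policy-authoring mistake instead of silently widening access.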

19 Performance Analysis (unit: ms)

   Web resources (ISAPI)
   Resource        Retrieve AC from AD  PDP decision  Total request time
   Finance Mgmnt   5.4750               3.0345        10.3476
   Sales Write     6.2864               4.3872        13.7203
   Posting orders  6.9820               4.92345       13.8433
   View orders     5.1734               4.1093        11.7390

   Network resource (Global.asax) - new session
   Resource  Retrieve AC from AD  PDP decision  CASA decision  Firewall update  Total request time
   SSH       5.8730               3.8264        2.3654         15.5093          29.4374
   RDP       5.7639               4.9276        3.1093         17.1204          32.2841
   MySQL     6.1927               3.1043        2.5831         14.7627          30.6392

   Network resource (Global.asax) - session refresh
   Resource  Retrieve AC from AD  PDP decision  CASA decision  Total request time
   SSH       6.8093               4.3298        3.9485         20.5912
   RDP       7.7602               3.8749        2.2037         20.5382
   MySQL     6.3175               3.7829        2.5582         19.7045

20 Future Work
   - Extend the system to work in a multi-agency environment.
   - Develop more services that can take advantage of the existing RBAC architecture. For instance:
     - RBAC E-Voting: users can vote based on their roles.
     - RBAC Instant Messenger: users can chat based on their roles.
     - RBAC E-Mail: users can send e-mails based on their roles.
     - RBAC XXX and so on...
   - Support more operating systems (Mac, Solaris ...).
   - Improve the Admin tool to initialize and modify Active Directory, and to be able to generate XACML policies.
   - Support wireless access.

21 Thesis Contributions
   - Provide a robust architecture for large-scale companies to address accessing sensitive resources securely according to a hierarchical role-based access policy.
   - Extend XACML to handle the Hierarchical Role-Based Access Control (HRBAC) model.
   - Add a totally new concept of secure access in which a Senior Role can restrict its Junior Role's access using active-session management.
   - Enhance IIS 6.0 with two components, an ISAPI filter and Global.asax.
   - Simplify PKI and PMI management, therefore reducing management cost and errors.

22 ENforCE Demo
   Q & A

