Kelly Whitacre, Kunal Bele, and Mike Gerschefske
Secure Role Based IM
- Create an IM to cut down on excess chatting
- Restrict users to chat only with people with similar roles within a department
- Provide a mechanism to allow users to request chat outside their specific role
- Leverage ENforCE
The ENforCE System (architecture diagram)
- Components: Policy Enforcement Point (Global.asax, ASP.NET application, IIS authentication, ISAPI, protected web resources); FC4 machine (firewall) running the iptables control service; Policy Decision Point (session policy source, RPS, PPS); Domain Controller (Active Directory); protected network resources
- Flow A (web resource): A1) user request, A2) HTTP request, A3) get user's AC, A4) get decision, A5) XML response
- Flow B (network resource): B1) user request, B2) HTTP request, B3) get user's AC, B4) get decision, B6) open or close service commands, B7) XML response, B8) network resource access
Role Based Hierarchy (diagram)
What ENforCE Provides
- Ability to determine if a user has access to a resource, i.e. whether the user changed jobs or was fired
- Users' management chains
- Yet, our policy enforcement is in our server rather than in ENforCE
Server Algorithm
- Check if user 1 can communicate with user 2 via an XACML request to ENforCE
- If not, ENforCE determines the highest manager of user 1 required to get authorization to user 2
- Send a request to that manager and wait for acceptance
- If authorized, allow user 1 to send data to user 2 for some period of time
- Obtain the receiver's public key from ENforCE's AD for the sender's client
- Note: one-way communication
- The message sent to the manager requires a token to be sent back to acknowledge acceptance
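The server algorithm above, as an added simulation that is not the project's code: the XACML request to ENforCE, the management-chain lookup and the Active Directory key lookup are replaced by in-memory stand-ins, and every user, role and key below is constructed. It assumes "highest manager of user 1 required" means the first manager in user 1's chain who is also above (or is) user 2, and it shows the one-way, time-limited grant and the single-use acceptance token the slide describes.

```python
"""Simulation of the role-based IM authorization flow (added example, not project code)."""
import secrets
import time
from dataclasses import dataclass, field

# Constructed directory standing in for ENforCE/AD: user -> department, role, manager.
DIRECTORY = {
    "ceo":       {"dept": "exec",  "role": "executive", "manager": None},
    "eng_mgr":   {"dept": "eng",   "role": "manager",   "manager": "ceo"},
    "sales_mgr": {"dept": "sales", "role": "manager",   "manager": "ceo"},
    "alice":     {"dept": "eng",   "role": "developer", "manager": "eng_mgr"},
    "bob":       {"dept": "eng",   "role": "developer", "manager": "eng_mgr"},
    "carol":     {"dept": "sales", "role": "rep",       "manager": "sales_mgr"},
}

# Constructed stand-in for the public keys the slide says are fetched from AD.
PUBLIC_KEYS = {name: f"pubkey-of-{name}" for name in DIRECTORY}


def management_chain(user):
    """Managers of `user`, nearest first (stands in for ENforCE's chain lookup)."""
    chain, m = [], DIRECTORY[user]["manager"]
    while m is not None:
        chain.append(m)
        m = DIRECTORY[m]["manager"]
    return chain


def policy_decision(sender, recipient):
    """Stand-in for the XACML decision: Permit only for same department and role."""
    s, r = DIRECTORY[sender], DIRECTORY[recipient]
    return "Permit" if (s["dept"], s["role"]) == (r["dept"], r["role"]) else "Deny"


def authorizing_manager(sender, recipient):
    """Assumed reading of 'highest manager of user 1 required': the first manager
    in the sender's chain who is the recipient or sits in the recipient's chain."""
    recipient_side = set(management_chain(recipient)) | {recipient}
    for m in management_chain(sender):
        if m in recipient_side:
            return m
    return None  # sender has no manager who can authorize this pair


@dataclass
class IMServer:
    grant_seconds: float = 300.0                       # "some period of time"
    pending: dict = field(default_factory=dict)       # token -> (sender, recipient)
    grants: dict = field(default_factory=dict)        # (sender, recipient) -> expiry
    outbox: list = field(default_factory=list)        # (manager, text) sent for approval

    def request_chat(self, sender, recipient, now=None):
        """Return ('allowed', recipient_pubkey), ('pending', token) or ('denied', None)."""
        now = time.time() if now is None else now
        if policy_decision(sender, recipient) == "Permit":
            return ("allowed", PUBLIC_KEYS[recipient])
        # Grants are one-way: (sender, recipient) never authorizes the reverse direction.
        if self.grants.get((sender, recipient), 0) > now:
            return ("allowed", PUBLIC_KEYS[recipient])
        manager = authorizing_manager(sender, recipient)
        if manager is None:
            return ("denied", None)
        token = secrets.token_hex(16)                  # unguessable, bound to one request
        self.pending[token] = (sender, recipient)
        self.outbox.append((manager, f"{sender} asks to chat with {recipient}; "
                                     f"return token {token} to accept"))
        return ("pending", token)

    def manager_accepts(self, token, now=None):
        """Manager acknowledges by returning the token; each token is honoured once."""
        now = time.time() if now is None else now
        pair = self.pending.pop(token, None)
        if pair is None:
            return False                               # unknown or already-used token
        self.grants[pair] = now + self.grant_seconds
        return True


if __name__ == "__main__":
    srv = IMServer()
    print(srv.request_chat("alice", "bob", now=0))           # same role: allowed
    status, token = srv.request_chat("alice", "carol", now=1000)
    print(status, srv.outbox[-1])                            # pending, sent to ceo
    print(srv.manager_accepts(token, now=1000))              # True
    print(srv.request_chat("alice", "carol", now=1100))      # allowed until 1300
```

The token is generated with `secrets` and removed from `pending` when first redeemed, so a replayed or guessed acknowledgment does not grant access; the grant expires on its own and only covers the requested direction.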
(Two) One Way Communication Request(s) (diagram)
Conceptual Design (diagram)
- ENforCE Server (IIS, AD, XACML)
- Alice, Bob, Alice's Boss, Bob's Boss
Clients
- Very simple
- Send messages containing: Message, To
- Buddy list / Active Directory browsing could be added
- Clients encrypt via the destination's public key
- Could look into asymmetric crypto
Progress
- Extracted IIS and DC of ENforCE
- Recreated FW
- Problems with Windows Activation
- Problems with VMware Converter removing hardware
- Problems with physical Unix machine
Questions??