资源描述
xiENgine FOR Controlling Emergent Hierarchical Role-Based Access(ENforCE HRBAccess)ByOsama M. KhaleelB.Sc., Information Technology, Al-Balqa Applied University, Jordan, 2004A thesis submitted to the Faculty of Graduate School of theUniversity of Colorado at Colorado Springsin Partial Fulfillment of the Requirementsfor the Degree ofMaster of Science in Computer ScienceDepartment of Computer Science2007 Copyright by Osama M. Khaleel 2007All Rights ReservedThis thesis for the Master of Science degree byOsama M. Khaleelhas been approved for theDepartment of Computer Scienceby_Dr. C. Edward Chow, Chair_Dr. Terry E. Boult_Dr. Xiaobo ZhouDateOsama M. Khaleel (M.S., Computer Science)ENgine for Controlling Emergent Hierarchical Role-Based Access(ENforCE HRBAccess)Thesis directed by Professor Edward ChowTraditional simple access to sensitive resources does not satisfy todays high-level security requirements. Hierarchical employee system structure in most, if not all, of large-sized companies makes managing and controlling their resources even more complicated. By taking advantage of existing technologies such as PKI, PMI, RBAC, ISAPI filters, Iptables, and XACML, plus, implementing new techniques for session management and conditional access-based on active sessions, this thesis not only provides a generic engine for managing secure hierarchical role based access, but also achieves fine-grained access needed in some critical tasks. A 4-machine test-bed has been built to simulate a generic ENgine for Controlling Emergent Hierarchical Role Based Access (ENforCE HRBAccess) environment. Test-bed results have proved the efficiency, flexibility, and robustness of such an engine, and demonstrated the ability of protecting web-based resources (i.e. accessed through https port 443), in addition to other network-based services such as SSH, RDP, and MySQL.I honorably dedicate this thesis to my parents in my home country Jordan. I have not seen them for about two years since Ive come to the US to pursue my graduate studies. I have to admit that I couldnt have achieved this without their support. Thank you so muck!ContentsChapter 1 Introduction .11.1 Related work .21.2 The base architecture .41.3 Proposed ENforCE HRBAccess .5Chapter 2 ENforCE Concepts & Definitions .92.1 Authentication.92.1.1 Public Key Certificate .92.1.2 Certification Authority .122.1.3 Certificate Revocation List .122.1.4 Public Key Infrastructure .132.2 Authorization.132.2.1 Attribute Certificate .132.2.2 Attribute Authority .142.2.3 Privilege Management Infrastructure .152.3 Role-Based Access Control (RBAC).152.3.1 What is RBAC? .162.3.1.1 Core RBAC .162.3.1.2 Hierarchical RBAC .17 2.3.1.3 Static Separation of Duty (SSD) .17 2.3.1.4 Dynamic Separation of Duty (DSD) .182.4 eXtensible Access Control Markup Language (XACML) .192.4.1 XACML Architecture .202.4.2 XACML Language Components .212.4.3 XACML RBAC Profile .232.5 Windows related technology242.5.1 Windows Server 2003 Active Directory .252.5.2 Internet Information Server (IIS 6.0) 272.5.3 Internet Server API (ISAPI) filters 272.5.4 Global.asax (ASP.NET Application file) .302.6 Iptables32Chapter 3 ENforCE Design 363.1 ENforCE Big Picture 373.2 ENforCEs Test-bed 413.3 ENforCEs PEP .433.3.1 Session Management & Tracking .443.3.2 PEPs Design & Functionality 453.4 ENforCEs PDP .473.5 Iptables Control Service (ICS) 483.6 ENforCEs Entry Points .493.6.1 ISAPI Filter .493.6.2 Global.asax .51Chapter 4 ENforCE Implementation .534.1 Specifications.534.1.1 Hardware.534.1.2 Operating System.544.1.3 Software and Packages544.2 main components544.2.1 ISAPI filter.544.2.2 Global.asax.564.2.3 Iptables Control Service (ICS)584.2.4 PDP594.2.5 PEP.604.2.6 Admin tool.644.2.7 XACML policy files highlights.69Chapter 5 Performance Analysis.745.1 Web-based resources755.2 Network-based resources.765.3 Performance Analysis.77Chapter 6 Problems and Lessons Learned796.1 Admin Tool.796.2 CASA policy.806.3 Network-based resource access.806.4 Learned Lessons.81Chapter 7 Future Work and Conclusion837.1 Future work837.2 Conclusion.84Appendix A: Installation & Configuration of ENforCE85- Fedora Core machine.85- Domain Controller machine.87- IIS machine.90Appendix B: ENforCE Demo.98References104List of FiguresFigure 2.1: PKC vs. AC .12Figure 2.2: Core RBAC .14Figure 2.3: Hierarchical RBAC .15Figure 2.4: SSD RBAC .16Figure 2.5: DSD RBAC .16Figure 2.6: General XACML Architecture 17Figure 2.7: XACML Language Model .19Figure 2.8: AD role in Windows 2003 .24Figure 2.9: Iptables packet flow 31Figure 3.1: ENforCE Big Picture .35Figure 3.2: Companys Role Hierarchy .36Figure 3.3: ENforCEs Test-bed .41Figure 3.4: ISAPI Entry Point .48Figure 3.5: Global.asax Entry Point .50Figure 4.1: Admin Tool PKI/PMI setup.62Figure 4.2: Admin tool cert management.63Figure 4.3: AC validation report64List of TablesTable 2.1: ISAPI Filter vs. Extension .27Table 2.2: tables and chains in Iptables .30Table 2.3: Iptables Rules Target .32Table 2.4: Iptables matching options .33Table 3.1: Role-Identity-Resource Assignment .37Table 5.1: Web-based resource performance results71Table 5.2: Network-based resource performance results (new session).72Table 5.3: Network-based resource performance results (refresh active session)73Table5.4: SIS performance results73114Chapter 1IntroductionSecurity is one of the most critical requirements for any company. Trying to satisfy this requirement is not trivial, and becomes even more complicated when dealing with a very large and open network (i.e. the Internet), and big LANs. The other concern will arise when a company has a hierarchical employee system, and users should access resources based on their ROLES (e.g. what a MANAGER can access CANNOT be accessed by a TEAM-LEADER). Password-based access is way far from satisfying such high-level security requirements. On the other hand, Public Key Certificate (PKC) 14 does the job, but managing Public Key Infrastructure (PKI) 5, 14, 15 is a big deal. Similar to PKC and PKI, a relatively new Internet standard called Attribute Certificate (AC) 9 has been proposed since early 2000, and the Privilege Management Infrastructure (PMI) 2, 4 was also introduced in the 2000 edition of X509 24. As PKC holds the public key to prove the identity of the subject, AC holds a set of attributes to prove what security clearance, permissions, or roles, the entity has.A well known access control scheme called Role Based Access Control (RBAC) 3, 6, 7, 10, 11, 13 has been widely accepted as a best practice to restricting system access to authorized users. The basic concept of RBAC is that users are assigned to roles, and permissions are assigned to roles; so users dont acquire permissions directly, rather, they gain permissions by having certain role (or roles). This will greatly simplify security administration and role assigning management.In such a hierarchical role-based employee structure, a very important and effective component that a secure system usually needs is a policy engine that takes advantage of the RBAC model. An open XML-based language called eXtensible Access Control Markup Language (XACML) 8 has shown to be flexible enough to accommodate most access control policy needs. XACML has been standardized in OASIS 25. A JAVA open source implementation of the OASIS XACML standard is available from Sun 26. However, currently it only supports the core RBAC feature.Another thing that we definitely need in such a secure system is a firewall. A standard part of all modern Linux distributions is a NetFilter 27 package which includes Iptables 21, 28 for defining rules on how to deal with network packets, to control system ports, and to restrict access based on certain attribute such as the IP address. The rules of Iptables are grouped into chains (INPUT, OUTPUT, and FORWARD), which gives us more control and flexibility of managing the firewall tables.1.1 Related WorkAs we can see, we are dealing with two main issues here: providing secure access to some sensitive resources, and enforcing/restricting this access according to peoples IDENTITES and ROLES. Some of the related works to this thesis are AKENTI 5, PERMIS 12, and PRIMA 29, 30. The proposed system in this thesis has many essential benefits over these systems, and its the first work that combines standards like Public Key Infrastructure (PKI), Privilege Management Infrastructure (PMI), Role Based Access Control (RBAC), and eXtensible Access Control Markup Language (XACML). Here are brief comparisons:- AKENTI and PERMIS dont use a standard policy language such as XACML. AKENTI uses a non-standard format for Attribute Certificates (ACs), and the access control is a classic Access Control List (ACL). In PERMIS, the authentication is agnostic; it is left up to the application, whereas this work uses the standard XACML and X509 Public Key Certificates (PKCs) for access control and authenticating users respectively.- PRIMA focuses more on PMI and managing privilege authorities. It does use XACML, but it is a C+ implementation with fewer features than the Javas implementation. In addition, PRIMA enforces web-based access only using SAML authorization. In contrast, this thesis uses the Java implementation of XACML, and has a full dynamic Policy Enforcement Point that communicates with a firewall updater daemon to control any network service.- Finally, this thesis has a unique feature called Conditional Active Sessions Access (CASA). CASA provides finer control on the systems policy by allowing a junior role to access a service ONLY IF a senior role (or roles) has an active session for that service.- Other systems relating to Hierarchical Role Based Access Control (HRBAC) model 16, 17 are Park et al 22 and Keirre et al 23. 1.2 The Base ArchitectureIts important to mention here that the original basic idea was taken from a previous work done by Ganesh Godavari at UCCS 1. His architecture was intended to provide a multi-agency Secure Information Sharing (SIS) system. Ganesh developed SIS prototype on UNIX platform, and it was studied and analyzed as the base for this work. Note that when we say the base, we are not talking about a simple porting from Unix to Windows; rather, it means that the basic/core idea, that we want to provide a secure access to some important resources using role based access control, will be the same. But as for the techniques, standards, and capabilities, there is big amount of differences. The proposed ENforCE HRBAccess system provides significant improvements.SIS v0.1 uses X509 PKCs for authentication, this will still be used. On the other hand, SIS v0.1 doesnt use Attribute Certificates in its standard format; the implementation was done by using X509 digital certificates with adding the attributes as an extension. This thesis uses the standard ACs as a signed document that has the holder instead of the subject field, and a set of attributes instead of the public key. SIS v0.1 has an admin tool for generating certificates and building PKI. However, its a command-line based tool in which one has to manually enter the required info for every single certificate s/he wants to generate. In this work, an admin/management tool has been implemented to provide an easy-to-use GUI for controlling both PKI and PMI.The last thing and the most important one is that, SIS v0.1 neither has a standard policy language, nor supports Hierarchical RBAC, nor supports non-web-based services; it depends on using IF-ELSE statements in the source code to say if this person has this Role, then grant access. Else deny! Of course this means that the system admin/coordinator must know C/C+ to be able to modify the source code of this file. In contrast, this thesis uses the standard XACML policy language, and implements both the core and hierarchical RBAC. Plus, works with any network service with additional active session based access control. Needless to say that, the proposed ENforCE system will be flexible and easy to manage and deploy.1.3 Proposed ENforCE HRBAccessFor simplicity, Ill use ENforCE as a name for the system. ENforCE investigates the design and implementation of sharing resources securely based on the Hierarchical Role Based Access Control (HRBAC) model. It utilizes some of the existing tools and technologies, in addition to adding some new features and enhancing others. The other goal is to simplify the management needed for such a system, and therefore reducing the cost. In a high level language we have different types of RESOURCES, a set of ROLES, and a set of OPERATIONS that a role can apply on a resource. Each role may access certain resources, and roles are hierarchical.ENforCE will provide the following:a) Authentication. By implementing a Public Key Infrastructure (PKI), a Certificate Authority (CA) will issue, maintain, and revoke X509 Public Key Certificates (PKC). PKCs hold the identity and the public key of its holder. Users will use them to authenticate and prove their identities. b) Authorization. By implementing a Privileged Management Infrastructure (PMI), an Attribute Authority (AA) or the root Source Of Authority (SOA) will issue, maintain, and revoke Attribute Certificates (AC) 9. ACs hold users role(s) and are stored in the Active Directory (AD) 18, 19, 20 of the systems Domain Controller. The system will use ACs to identify users roles and then use them in the authorization process.c) Management tool. A C#-JAVA based tool is used to provide PKI and PMI functionality in a very efficient and easy-to-use way. The word Emergent in the thesis title comes from this tool due to its ability to initialize PKI and PMI very quickly.d) Policy language. eXtensible Access Control Markup Language (XACML) is used to implement the RBAC model that provides access control policy engine and defines the actual policy files. e) Policy Enforcement Point (PEP). ENforCEs PEP is a crucial component that receives requests, pulls out the users AC, consults Policy Decision Point, and returns the final decision. In addition, it communicates with the systems firewall to apply rules depending on the decision.f) Policy Decision Point (PDP). This component receives XACML requests from the PEP, does the actual evaluation of the request based on defined policy files, and returns a partial decision back to the PEP. Moreover, this component has been enhanced to handle Hierarchical RBAC that is lacked in current Suns XACML implementation.g) Internet Server API (ISAPI) filter. ENforCEs ISAPI filter 31, 32 is used to enforce access for all web-based access, including any file type accessed through https, by intercepting users PKC, submitting the required information to the PEP, and based on the decision from PEP access is granted or rejected.h) ASP.NET Application file (Global.asax) 33, 34. This C# based file is used to enforce access control to all non-web-based resources ,network services, by intercepting users PKC, submitting the required attributes to the PEP, and managing web sessions based on the PEPs decision. Global.asaxs implementation in the ENforCE system is event-driven, so it continuously communicates with the PEP based on sessions start, end, and refresh events in order to maintain their states.i) Dynamic Firewalling: an Iptables-based 21 firewall has been implemented under FedoraCore4, and controlled by a java-based daemon that updates the Iptables rules according to certain commands received from the PEP. The communication between the PEP and the Java firewall updater daemon is protected with mutual certificate-based authentication as we will see later in Chapter 3 and 4.The following chapters are organized as follows; Chapter 2 presents a background knowledge that defines most of the concepts that ENforCE relies on. Chapter 3 discusses the design of the entire system. In Chapter 4 I will explain the actual implementation, tools, and packages used in ENforCE. Performance analysis is presented in Chapter 5. Problems and lessons learned are summarized in Chapter 6. And finally, future work and conclusion are in Chapter 7.A user guide and system configuration can be found in the Appendix.Keywords: Secure Access, RBAC, Hierarchical RBAC, PKI, PMI, PKC, AC, XACML, Iptables, PDP, PEP, ISAPI Filters, Global.asax, Conditional Active Session Access (CASA), policy language.Chapter 2ENforCE: Concepts & DefinitionsENforCE uses many existing technologies and techniques. It also adds and enhances a few ones. So, this chapter serves as a background to define and explain the main concepts and terminologies involved in this thesis. By reading this chapter, a reader will become familiar with knowledge necessary to understand later chapters.2.1 AuthenticationAuthentication is the process in which someone provides credentials to prove his or her identity. Basic authentication is usually done by using passwords. Strong authentication can be done by using Public Key Certificates (PKC). In ENforCE, users use PKCs to authenticate with the IIS server.2.1.1 Public Key CertificatePKC is a digitally signed document that binds a public key to a subject (identity). This binding is verified and asserted by a trusted Certification Authority (CA). The CA signed certific
展开阅读全文