1
Secure Information Sharing Manager (SIS-M)
Thesis 2007
Stephen D. Wise, [email protected]
Post on 19-Dec-2015
2
Agenda
• Background
• Enterprise Management Problem
• Project Motivation
• SIS-M Objectives
• CIM/WBEM Standards
• RBAC Standards
• Architecture Observations
  – WBEM Implementations
  – Authorization Manager
• SIS-M Architecture
• InformationAccess
  – Monitor Systems
  – Manage Users
  – Manage RBAC
  – RBAC Violations
• InformationSharing
• Performance Observations
• Lessons Learned
• Future Research
• Conclusions
3
Background
• NISSC Grant For Secure Information Sharing (SIS)
  – Purpose
    • Utilize Role Based Access Control (RBAC) Implemented With An LDAP And Web Server Application, And RBAC Policies, To Share Information Securely
  – Project Objectives
    • Create Web-based Proof Of Concept To Share Information Securely Using Public Key Certificates (PKC) And Attribute Certificates (AC)
    • Develop Easy-to-Use Installer
    • Develop Web-based Management Interface
The SIS-M Prototype Is A Web-based Management Capability
4
The Enterprise Management Problem
• The Expansion And Maturation Of Corporate Enterprises Is Increasing The Corporate Overhead Costs Required To Manage Multiple Unique Systems And Applications
• System Administrators Are Responsible For…
  – User Administration, Security Policy, Performance Monitoring, Problem Detection & Resolution, etc.
• These Tasks Are Typically Accomplished With Vendor Or Organically Built Proprietary Tools
5
Project Motivation
• The System I Work On Contains Dozens Of Servers And Hundreds Of Clients
  – Servers
    • Solaris & Windows Based
  – Clients
    • Solaris & Windows Based
• Multiple Vendor Products Are Required
  – Security Policy Enforcement
  – Monitor & Manage The Assets
  – Manage Users
6
SIS-M Objectives
• The Research And Associated Prototype Are To Demonstrate Web-based Management Capability For A Windows 2003 Server Enterprise To Include…
  – System Health And Status Monitoring
  – User Account Management
  – Role Based Access Control
  – Automated Client-side Certificate Distribution
7
CIM/WBEM Standards
• Distributed Management Task Force (DMTF) Is An Industry Organization Responsible For The Development Of Enterprise Management Standards
8
RBAC Standards
• The Organization For The Advancement Of Structured Information Standards (OASIS)
  – Extensible Access Control Markup Language (XACML)
  – CORE RBAC Elements
    • Users Implemented As XACML Subjects
    • Roles Expressed Using XACML Subject Attributes
    • Objects Expressed Using XACML Resources
    • Operations Expressed Using XACML Actions
    • Permissions Expressed Using XACML Role Policy Sets And Permission Policy Sets
9
Architecture Observations (WBEM)
• The CIM Client Is Used To Obtain Management Information By Querying CIM/WBEM Servers
• The CIM/WBEM Server Provides CIM Data, Upon Request, To CIM Clients
• The CIMOM Maintains A Repository Of CIM Data On The CIM/WBEM Servers
• The Providers Implement Aspects Of The CIM Schema That Abstract The Hardware And Software Implementation Away From The CIM Clients
The WMI Implementation Includes More Provider Fidelity For Windows 2003 Server
10
Architecture Observations (RBAC)
• Authorization Manager Components
  – Operation: A low-level permission that a resource manager uses to identify security procedures
  – Task: A collection of low-level operations
  – Role Definition: A collection of permissions that are needed for a particular role, where permissions can be tasks or operations
  – Role: The set of permissions that users must have to be able to do their job
  – BizRules: The set of rules / scripts that are attached to a task object and run at the time of the access request
  – Scope: A collection of objects or resources with a distinct authorization policy
11
SIS-M Architecture
12
Web-based Application
• InformationAccess
  – System Health And Status Monitoring
    • Uses WMI And CIM Query Language (CQL) To Obtain Management Information From Each Server
    • Evaluates The WMI Information To Determine The Status Of Each Monitored Element
    • Provides The Capability Through CQL To Retrieve Details About Elements That Fall Out Of Limits
13
Web-based Application
• InformationAccess
  – User Account Management
    • Uses An ASP.Net CreateUserWizard Server Control To Create Accounts Within The SISMTHESIS Domain
    • Uses The Active Directory Membership Provider And The Membership Class In The System.Web.Security Namespace To Delete Accounts And Retrieve Account Details
14
Web-based Application
• Certificate Services
  – Automated Client-side Certificate Distribution
    • Uses Windows Server 2003 Server Components And Certificate Services To Distribute And Remotely Install Client-side Certificates Issued By The Server Named Secure
15
Web-based Application
• InformationAccess
  – RBAC Management
    • Uses The Authorization Store Role Provider And The Roles Class Contained Within The System.Web.Security Namespace To Manage RBAC Permissions
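The user-account slide above and this RBAC-management slide both describe the same administration path: the ASP.Net Membership and Roles facades backed by the Active Directory Membership Provider and the Authorization Store Role Provider. The following C# is an added example, not code from the SIS-M prototype. It assumes both providers are already configured in web.config (the deck shows no configuration), assumes a hypothetical UPN suffix, and applies two of the deck's lessons learned: AzMan needs UPN-formatted account names, and some provider methods throw NotSupportedException, which is surfaced rather than hidden.

```csharp
using System;
using System.Text;
using System.Web.Security;

// Added example (not SIS-M prototype code): account and role administration
// through the ASP.Net Membership and Roles facades, assuming an
// ActiveDirectoryMembershipProvider and an AuthorizationStoreRoleProvider
// are the configured default providers in web.config.
public static class SismAccountAdmin
{
    // Lesson learned on the deck: AzMan policy enforcement requires UPN-formatted
    // accounts, <username>@domain.com. The suffix below is hypothetical.
    const string UpnSuffix = "@sismthesis.example";

    public static string ToUpn(string accountName)
    {
        if (string.IsNullOrEmpty(accountName))
            throw new ArgumentException("account name required", "accountName");
        return accountName.Contains("@") ? accountName : accountName + UpnSuffix;
    }

    // Creates the account and returns the provider's status code instead of
    // assuming success (domain password policy failures surface as InvalidPassword).
    public static MembershipCreateStatus CreateAccount(string accountName, string password, string email)
    {
        MembershipCreateStatus status;
        // Question/answer are null: the AD provider rejects them unless
        // question-and-answer password reset is enabled on the provider.
        Membership.CreateUser(ToUpn(accountName), password, email, null, null, true, out status);
        return status;
    }

    // Retrieves account details (the deck's "Retrieve Account Details" function).
    public static string Describe(string accountName)
    {
        MembershipUser user = Membership.GetUser(ToUpn(accountName));
        if (user == null) return "no such account";
        var sb = new StringBuilder();
        sb.Append(user.UserName)
          .Append(" approved=").Append(user.IsApproved)
          .Append(" lockedOut=").Append(user.IsLockedOut)
          .Append(" created=").Append(user.CreationDate.ToString("u"))
          .Append(" roles=").Append(string.Join(",", Roles.GetRolesForUser(user.UserName)));
        return sb.ToString();
    }

    // Grants a role, creating it in the AzMan policy store on first use
    // (the deck's "Create Role" and "Get Users In Role" operations are supported
    // by the Authorization Store Role Provider).
    public static void Grant(string accountName, string role)
    {
        string upn = ToUpn(accountName);
        if (!Roles.RoleExists(role)) Roles.CreateRole(role);
        if (!Roles.IsUserInRole(upn, role)) Roles.AddUserToRole(upn, role);
    }

    // Deletes the account after removing its role assignments, so no orphaned
    // AzMan membership survives the account. A NotSupportedException from a
    // provider method is deliberately not caught here: the caller must know
    // that the operation did not happen.
    public static bool DeleteAccount(string accountName)
    {
        string upn = ToUpn(accountName);
        foreach (string role in Roles.GetRolesForUser(upn))
            Roles.RemoveUserFromRole(upn, role);
        return Membership.DeleteUser(upn, true);
    }
}
```

Roles.GetUsersInRole, used by the deck's "Get Users In Role" page, is supported by the Authorization Store Role Provider; Roles.FindUsersInRole is not, which is the kind of gap the lessons-learned slide refers to.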
16
Web-based Application
• InformationAccess
  – RBAC Violations
    • Uses The EventLog Classes In The System.Diagnostics Namespace
    • RBAC Policy Access Violations From InformationAccess And InformationSharing Are Written To The Custom Event Log On The Server SISDC
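An added C# example of the violation archive described above (it is not the prototype's code; the Code Backup slides "Write Violation", "Create Archive" and the "RBAC Violation Log Access" measurement show the prototype's own versions). The server name SISDC is from the deck; the log name, source name and event id are assumptions. Because the message embeds user-supplied names, it is sanitized before logging so a caller cannot forge additional entries with embedded line breaks.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text;

// Added example (not SIS-M prototype code): write RBAC policy access
// violations to a custom event log on the SISDC server and read them back.
public static class RbacViolationLog
{
    const string LogServer = "SISDC";                 // server named on the deck
    const string LogName = "SIS-M RBAC";              // hypothetical custom log
    const string Source = "SIS-M InformationAccess";  // hypothetical event source
    const int ViolationEventId = 4001;                // hypothetical event id

    // Registers the source and custom log once ("Create Archive"). Needs
    // administrative rights on SISDC; a freshly created log may not receive
    // entries until the Event Log service re-reads the registry.
    public static void EnsureArchive()
    {
        if (EventLog.SourceExists(Source, LogServer)) return;
        var data = new EventSourceCreationData(Source, LogName) { MachineName = LogServer };
        EventLog.CreateEventSource(data);
    }

    // Replaces control characters (including CR/LF) and caps the length so a
    // hostile user name cannot inject a second, fake record into the archive.
    public static string Sanitize(string s)
    {
        if (s == null) return "<null>";
        var sb = new StringBuilder(s.Length);
        foreach (char c in s) sb.Append(char.IsControl(c) ? '?' : c);
        string clean = sb.ToString();
        return clean.Length > 256 ? clean.Substring(0, 256) + "..." : clean;
    }

    public static string FormatViolation(string user, string application, string resource, string operation)
    {
        return string.Format("RBAC policy violation: user={0} app={1} resource={2} operation={3} utc={4:o}",
            Sanitize(user), Sanitize(application), Sanitize(resource), Sanitize(operation), DateTime.UtcNow);
    }

    // "Write Violation": recorded as a failure audit so it is visually distinct
    // from informational entries in the viewer.
    public static void WriteViolation(string user, string application, string resource, string operation)
    {
        using (var log = new EventLog(LogName, LogServer, Source))
        {
            log.WriteEntry(FormatViolation(user, application, resource, operation),
                           EventLogEntryType.FailureAudit, ViolationEventId);
        }
    }

    // Archive retrieval, newest first, limited to this source and event id so
    // entries from other applications sharing the log are not reported.
    public static List<EventLogEntry> ReadViolations(int max)
    {
        var found = new List<EventLogEntry>();
        using (var log = new EventLog(LogName, LogServer))
        {
            for (int i = log.Entries.Count - 1; i >= 0 && found.Count < max; i--)
            {
                EventLogEntry e = log.Entries[i];
                if (e.InstanceId == ViolationEventId && e.Source == Source) found.Add(e);
            }
        }
        return found;
    }
}
```

Reading the whole Entries collection over the network is what the deck's "RBAC Violation Log Access" measurement times; limiting the scan to the newest entries, as above, keeps that retrieval bounded as the archive grows.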
17
Web-based Application
• InformationSharing
18
Web-based Application
• InformationSharing RBAC Violation
19
Performance Observations
The Server Trend For Retrieving One WMI Object observation shows the increase in response time for querying one WMI object relative to the number of WMI namespaces queried.

Chart: Server Trend For Retrieving One WMI Object (Single WMI Object Response Time; y-axis in seconds). Each column is the elapsed time, in seconds, at that milestone of the request.

Series       Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
WMI 1X1 Avg  0               0.1127754               7.6887352                    8.4533238
WMI 2X1 Avg  0               0.0428202               8.7084624                    9.1088248
WMI 3X1 Avg  0               0.044565                8.4409724                    9.1813026

Overall 7.9% Delay In HTTPS Response Time
20
Performance Observations
The Server Trend For Retrieving Five WMI Objects observation shows the increase in response time for querying five WMI objects relative to the number of WMI namespaces queried.

Chart: Server Trend For Retrieving Five WMI Objects (Five WMI Object Response Time; y-axis in seconds). Each column is the elapsed time, in seconds, at that milestone of the request.

Series       Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
WMI 1X5 Avg  0               0.0260516               7.7156208                    8.2207732
WMI 2X5 Avg  0               0.02791                 7.6518718                    8.201081
WMI 3X5 Avg  0               0.0367282               8.3219428                    8.953906

Overall 8.1% Delay In HTTPS Response Time
21
Lessons Learned
• System Health & Status
  – Defining Appropriate User Credentials For WMI Namespace Access Is Critical
  – The Information Value Contained Within The CIMOM Is Directly Related To The Provider Implementation Maturity Within WBEM
• User Account Management
  – User Account Management Within Windows 2003 Server Is Primarily Accomplished By The Active Directory Users & Computers Management Console And ADSI
  – The Win32_UserAccount Does Not Inherit From The CIM_UserAccount Defined In The CIM Schema
22
Lessons Learned
• RBAC Management
  – The AzMan Capability Is Not Completely Supported Through The ASP.Net Services, And Some Membership Methods Throw A Not Supported Exception
  – AzMan Policy Enforcement Requires User Principal Name (UPN) Formatted User Accounts, <username>@domain.com
• Client-side Certificate Distribution
  – PKI Best Practices State That Root CAs Should Never Be Connected To The Network, To Raise The Security Level Of The CA's Private Key
  – A PKI In Most Cases Should Be Architected With An Offline Root CA, One Or More Offline Intermediate CAs, And One Or More Networked Issuing Enterprise CAs
23
Future Research
• Update SIS-M Architecture To Include A UNIX Server
• Update The SIS-M Prototype To The .Net 3.0 Framework
• Modify Certificate Authority Architecture
• Implement Client-side Certificate Mapping
24
Conclusion
• The SIS-M Research And Prototype Enabled
  – System Health And Status Monitoring Using WMI
  – User Account Management Using The Active Directory Membership Provider
  – RBAC Management Using AzMan
  – Client-side Certificate Distribution Using Certificate Services
• The CIM / WBEM Standards Appear To Be More Mature Than The Vendor Products Attempting To Comply With The DMTF Standards
  – May Be Due To The Cost Of Integrating A New Standard Into An Existing Vendor Product Line
25
Backup
26
DMTF
• Distributed Management Task Force
Common Information Model
Web Based Enterprise Management
27
CIM (diagram)
28
CIM Schema Example
29
WBEM
Diagram labels: URI, XML, CIM-XML, CLP, Discovery, CQL
CLP – Command Line Protocol
CQL – CIM Query Language
30
WBEM Architecture (diagram)
Diagram labels: Proprietary Layer; CIM Repository; WBEM Server; Provider Abstraction; CIMOM; WBEM Client; CIM Client Application; CIM Query Language, CIM-XML
31
SIS-M Network Topology (diagram)
Virtual Network; SISMThesis Domain
Hosts: SIS-M Client, SIS Client, Secure, SISDC, Manager
Addresses shown: 192.168.184.128, 192.168.184.129, 192.168.184.130, 192.168.184.131, 192.168.184.132 (host-to-address assignment not legible in the transcript)
32
System Health & Status (Windows 2003 Server)

Monitored Element       WMI Win32 Class                                 Class Property
OperatingSystem Status  Win32_ComputerSystem                            Status
                        Win32_PerfFormattedData_PerfOS_Memory           AvailableMBytes
Disk Status             Win32_DiskDrive                                 Status
                        Win32_PerfFormattedData_PerfDisk_PhysicalDisk   Percent Idle Time
CPU Status              Win32_Processor                                 Status
                        Win32_Processor                                 Availability
                        Win32_Processor                                 Load Percentage
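The System Health And Status Monitoring slide says the application queries WMI from each server and evaluates the returned values to flag elements that fall out of limits; this backup slide names the classes and properties involved. The C# below is an added example, not the prototype's code, of that loop using System.Management. Assumptions: the thresholds (the SIS-M rules slide is a screenshot with no values), the monitoring account name, and the use of WQL syntax for the queries (the deck calls the language CQL). It also applies the deck's lesson that the credentials used for namespace access are critical, by connecting as an explicit monitoring account with packet privacy rather than as the web application's identity.

```csharp
using System;
using System.Collections.Generic;
using System.Management;

// Added example (not SIS-M prototype code): poll the WMI classes from the
// System Health & Status slide and rate each monitored element.
public enum Health { Ok, Warning, Critical, Unknown }

public sealed class HealthResult
{
    public string Host, Element, Detail;
    public Health State;
    public override string ToString()
    {
        return string.Format("{0} {1}: {2} ({3})", Host, Element, State, Detail);
    }
}

public static class WmiHealthMonitor
{
    // Assumed thresholds; the deck's rules slide gives no values.
    const int CpuLoadWarnPercent = 80, CpuLoadCritPercent = 95;
    const ulong MemoryWarnMBytes = 512, DiskIdleWarnPercent = 10;

    // Connect as a named monitoring account and require packet privacy so the
    // DCOM traffic to the server is signed and encrypted.
    static ManagementScope Connect(string host, string user, string password)
    {
        var options = new ConnectionOptions();
        options.Username = user;
        options.Password = password;
        options.Authentication = AuthenticationLevel.PacketPrivacy;
        options.Impersonation = ImpersonationLevel.Impersonate;
        options.EnablePrivileges = false;
        var scope = new ManagementScope(@"\\" + host + @"\root\cimv2", options);
        scope.Connect();
        return scope;
    }

    static IEnumerable<ManagementBaseObject> Query(ManagementScope scope, string wql)
    {
        using (var searcher = new ManagementObjectSearcher(scope, new ObjectQuery(wql)))
        using (ManagementObjectCollection results = searcher.Get())
            foreach (ManagementBaseObject mo in results) yield return mo;
    }

    // Win32 classes inherit the CIM Status string ("OK", "Degraded", "Pred Fail",
    // "Error", ...); map it onto the monitor's scale.
    static HealthResult StatusRule(string host, string element, object status)
    {
        string s = status as string;
        Health state = s == null ? Health.Unknown
                     : s == "OK" ? Health.Ok
                     : (s == "Degraded" || s == "Pred Fail" || s == "Stressed") ? Health.Warning
                     : Health.Critical;
        return new HealthResult { Host = host, Element = element, State = state, Detail = "Status=" + (s ?? "null") };
    }

    static HealthResult Threshold(string host, string element, bool critical, bool warning, string detail)
    {
        Health state = critical ? Health.Critical : warning ? Health.Warning : Health.Ok;
        return new HealthResult { Host = host, Element = element, State = state, Detail = detail };
    }

    public static List<HealthResult> Evaluate(string host, string user, string password)
    {
        var results = new List<HealthResult>();
        ManagementScope scope;
        try { scope = Connect(host, user, password); }
        catch (Exception ex) // access denied, RPC server unavailable, bad namespace
        {
            // An unreachable server is a finding in its own right, not a crash.
            results.Add(new HealthResult { Host = host, Element = "Connection", State = Health.Unknown, Detail = ex.GetType().Name });
            return results;
        }
        foreach (var cs in Query(scope, "SELECT Status FROM Win32_ComputerSystem"))
            results.Add(StatusRule(host, "OperatingSystem", cs["Status"]));
        foreach (var mem in Query(scope, "SELECT AvailableMBytes FROM Win32_PerfFormattedData_PerfOS_Memory"))
        {
            ulong free = Convert.ToUInt64(mem["AvailableMBytes"]);
            results.Add(Threshold(host, "Memory", false, free < MemoryWarnMBytes, free + " MB available"));
        }
        foreach (var cpu in Query(scope, "SELECT DeviceID, Status, Availability, LoadPercentage FROM Win32_Processor"))
        {
            string id = "CPU " + cpu["DeviceID"];
            results.Add(StatusRule(host, id, cpu["Status"]));
            // Availability 3 is "Running/Full Power" in the Win32_Processor class.
            if (cpu["Availability"] != null && Convert.ToInt32(cpu["Availability"]) != 3)
                results.Add(Threshold(host, id + " availability", true, false, "Availability=" + cpu["Availability"]));
            if (cpu["LoadPercentage"] != null) // null until the provider has a sample
            {
                int load = Convert.ToInt32(cpu["LoadPercentage"]);
                results.Add(Threshold(host, id + " load", load >= CpuLoadCritPercent, load >= CpuLoadWarnPercent, load + "% load"));
            }
        }
        foreach (var d in Query(scope, "SELECT DeviceID, Status FROM Win32_DiskDrive"))
            results.Add(StatusRule(host, "Disk " + d["DeviceID"], d["Status"]));
        foreach (var pd in Query(scope, "SELECT Name, PercentIdleTime FROM Win32_PerfFormattedData_PerfDisk_PhysicalDisk WHERE Name <> '_Total'"))
        {
            ulong idle = Convert.ToUInt64(pd["PercentIdleTime"]);
            results.Add(Threshold(host, "PhysicalDisk " + pd["Name"], false, idle < DiskIdleWarnPercent, idle + "% idle"));
        }
        return results;
    }

    // Usage: poll the three servers named on the deck's topology; report only
    // elements that are out of limits. Account name is hypothetical.
    public static void Main(string[] args)
    {
        string user = args.Length > 0 ? args[0] : "SISMTHESIS\\wmimonitor";
        string password = args.Length > 1 ? args[1] : Console.ReadLine();
        foreach (string host in new[] { "SISDC", "Secure", "Manager" })
            foreach (HealthResult r in Evaluate(host, user, password))
                if (r.State != Health.Ok) Console.WriteLine(r);
    }
}
```

Each query here runs against one server's root\cimv2 namespace, so the per-server loop is exactly the "number of WMI namespaces queried" dimension measured on the Performance Observations slides; the monitoring account needs only remote enable and read access to that namespace, not administrative rights on the server.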
33
SIS-M Health & Status Rules
34
Login Pages
35
Backup
Code Backup
36
System Health & Status Monitoring
WMI Namespace Connection
WMI Queries
37
User Account Management
Active Directory Connection
Membership Class
38
RBAC Management
Authorization Manager Policy Store Connection
39
RBAC Management (Cont.)
Get Users In Role
Create Role
40
RBAC Violation Archive
Write Violation
Create Archive
41
Backup
Performance Backup
42
RBAC Violation Log Access
The objective of this measurement is to observe the performance of the Windows Event Log during a custom archive data retrieval request.

Chart: RBAC Archive Information Retrieval (y-axis in seconds). Each column is the elapsed time, in seconds, at that milestone of the request.

Run      Client Request  SSL Handshake Complete  RBAC Log Retrieval Complete  Client Response
Run #1   0               0.142373                1.878325                     3.029757
Run #2   0               0.039929                1.655951                     2.232192
Run #3   0               0.015794                2.371433                     2.633444
Run #4   0               0.079289                1.714269                     2.687524
Run #5   0               0.015815                1.655792                     2.295007
Average  0               0.05864                 1.855154                     2.5755848
43
RBAC Mgt Access (Authorization Manager)
The objective of this measurement is to observe the performance of Authorization Manager accesses.

Chart: RBAC Mgt Request Time (y-axis in seconds). Each column is the elapsed time, in seconds, at that milestone of the request.

Run      Client Request  SSL Handshake Complete  RBAC Mgt Request Complete  Client Response
Run #1   0               0.015862                0.197095                   0.847619
Run #2   0               0.01724                 0.174485                   0.848788
Run #3   0               0.066693                0.295151                   0.630357
Run #4   0               0.028176                0.196822                   0.525366
Run #5   0               0.023659                0.199299                   0.957544
Average  0               0.030326                0.2125704                  0.7619348
44
WMI 1X1 Response Time
The One Server Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespace on SISDC.

Chart: WMI 1X1 Response Time (y-axis in seconds). Each column is the elapsed time, in seconds, at that milestone of the request.

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.02201                 6.91379                      7.763398
Run #2   0               0.357341                11.762104                    12.294849
Run #3   0               0.061387                6.807595                     7.069001
Run #4   0               0.020213                6.014796                     7.443219
Run #5   0               0.102926                6.945391                     7.696152
Average  0               0.1127754               7.6887352                    8.4533238
45
WMI 2X1 Response Time
The Two Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on the SISDC and Secure servers.

Chart: WMI 2X1 Response Time (y-axis in seconds). Each column is the elapsed time, in seconds, at that milestone of the request.

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.029248                10.685066                    10.903246
Run #2   0               0.014124                7.753585                     8.077432
Run #3   0               0.078561                8.305449                     8.716218
Run #4   0               0.043642                7.057637                     7.825997
Run #5   0               0.048526                9.740575                     10.021231
Average  0               0.0428202               8.7084624                    9.1088248
46
WMI 3X1 Response Time
The Three Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on the SISDC, Secure, and Manager servers.

Chart: WMI 3X1 Response Time (y-axis in seconds). Each column is the elapsed time, in seconds, at that milestone of the request.

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.079186                10.587262                    11.718099
Run #2   0               0.015713                8.886371                     9.500771
Run #3   0               0.04537                 7.200216                     7.984139
Run #4   0               0.0214                  7.053049                     7.628529
Run #5   0               0.061156                8.477964                     9.074975
Average  0               0.044565                8.4409724                    9.1813026
47
WMI 1X5 Response Time
The One Server Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespace on SISDC.

Chart: WMI 1X5 Response Time (y-axis in seconds). Each column is the elapsed time, in seconds, at that milestone of the request.

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.042058                8.47447                      8.917341
Run #2   0               0.010382                6.439772                     6.835655
Run #3   0               0.030147                8.462035                     9.430691
Run #4   0               0.014877                7.484855                     7.951533
Run #5   0               0.032794                7.716972                     7.968646
Average  0               0.0260516               7.7156208                    8.2207732
48
WMI 2X5 Response Time
The Two Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespaces on the SISDC and Secure servers.

Chart: WMI 2X5 Response Time (y-axis in seconds). Each column is the elapsed time, in seconds, at that milestone of the request.

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.019284                8.119123                     8.37916
Run #2   0               0.031845                7.852518                     8.396238
Run #3   0               0.043652                7.560822                     8.286355
Run #4   0               0.025252                7.851054                     8.656812
Run #5   0               0.019517                6.875842                     7.28684
Average  0               0.02791                 7.6518718                    8.201081
49
WMI 3X5 Response Time
The Three Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespaces on the SISDC, Secure, and Manager servers.

Chart: WMI 3X5 Response Time (y-axis in seconds). Each column is the elapsed time, in seconds, at that milestone of the request.

Run      Client Request  SSL Handshake Complete  Monitor Systems Request Complete  Client Response
Run #1   0               0.062698                11.84065                          13.021709
Run #2   0               0.014455                6.847666                          8.026303
Run #3   0               0.040922                7.84767                           8.019918
Run #4   0               0.021126                8.119083                          8.692987
Run #5   0               0.04444                 6.954645                          7.008613
Average  0               0.0367282               8.3219428                         8.953906