
Secure Information Sharing Manager (SIS-M) Thesis 2007



Presentation Transcript


  1. Secure Information Sharing Manager (SIS-M) Thesis 2007
  Stephen D. Wise, swise@uccs.edu

  2. Agenda
  • Background
  • Enterprise Management Problem
  • Project Motivation
  • SIS-M Objectives
  • CIM/WBEM Standards
  • RBAC Standards
  • Architecture Observations
    • WBEM Implementations
    • Authorization Manager
  • SIS-M Architecture
    • InformationAccess: Monitor Systems, Manage Users, Manage RBAC, RBAC Violations
    • InformationSharing
  • Performance Observations
  • Lessons Learned
  • Future Research
  • Conclusions

  3. Background
  • NISSC Grant For Secure Information Sharing (SIS)
  • Purpose
    • Utilize Role Based Access Control (RBAC), Implemented With An LDAP And Web Server Application And RBAC Policies, To Share Information Securely
  • Project Objectives
    • Create A Web-based Proof Of Concept To Share Information Securely Using Public Key Certificates (PKC) And Attribute Certificates (AC)
    • Develop An Easy-to-Use Installer
    • Develop A Web-based Management Interface
  The SIS-M Prototype Is A Web-based Management Capability

  4. The Enterprise Management Problem
  • The Expansion And Maturation Of Corporate Enterprises Is Increasing The Corporate Overhead Costs Required To Manage Multiple Unique Systems And Applications
  • System Administrators Are Responsible For…
    • User Administration, Security Policy, Performance Monitoring, Problem Detection & Resolution, etc.
  • These Tasks Are Typically Accomplished With Vendor Or Organically Built Proprietary Tools

  5. Project Motivation
  • The System I Work On Contains Dozens Of Servers And Hundreds Of Clients
    • Servers: Solaris & Windows Based
    • Clients: Solaris & Windows Based
  • Multiple Vendor Products Are Required For
    • Security Policy Enforcement
    • Monitoring & Managing The Assets
    • Managing Users

  6. SIS-M Objectives
  • The Research And Associated Prototype Demonstrate A Web-based Management Capability For A Windows 2003 Server Enterprise, Including…
    • System Health And Status Monitoring
    • User Account Management
    • Role Based Access Control
    • Automated Client-side Certificate Distribution

  7. CIM/WBEM Standards
  • The Distributed Management Task Force (DMTF) Is An Industry Organization Responsible For The Development Of Enterprise Management Standards

  8. RBAC Standards
  • The Organization For The Advancement Of Structured Information Standards (OASIS)
    • Extensible Access Control Markup Language (XACML)
  • Core RBAC Elements
    • Users Implemented As XACML Subjects
    • Roles Expressed Using XACML Subject Attributes
    • Objects Expressed Using XACML Resources
    • Operations Expressed Using XACML Actions
    • Permissions Expressed Using XACML Role Policy Sets And Permission Policy Sets

  9. Architecture Observations (WBEM)
  • The CIM Client Is Used To Obtain Management Information By Querying CIM/WBEM Servers
  • The CIM/WBEM Server Provides CIM Data, Upon Request, To CIM Clients
  • The CIMOM Maintains A Repository Of CIM Data On The CIM/WBEM Servers
  • The Providers Implement Aspects Of The CIM Schema, Abstracting The Hardware And Software Implementation Away From The CIM Clients
  The WMI Implementation Includes More Provider Fidelity For Windows 2003 Server

  10. Architecture Observations (RBAC)
  • Authorization Manager Components
    • Operation: A low-level permission that a resource manager uses to identify security procedures
    • Task: A collection of low-level operations
    • Role Definition: A collection of permissions that are needed for a particular role, where permissions can be tasks or operations
    • Role: The set of permissions that users must have to be able to do their job
    • BizRules: The set of rules / scripts attached to a task object that are run at the time of the access request
    • Scope: A collection of objects or resources with a distinct authorization policy

  11. SIS-M Architecture

  12. Web-based Application
  • InformationAccess
    • System Health And Status Monitoring
      • Uses WMI And CIM Query Language (CQL) To Obtain Management Information From Each Server
      • Evaluates The WMI Information To Determine The Status Of Each Monitored Element
      • Provides The Capability, Through CQL, To Retrieve Details About Elements That Fall Out Of Limits
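The monitoring loop slide 12 describes (query each server's WMI namespace, rate each element against a limit, drill into elements that fall out of limits), written out as an added example. This is not the SIS-M prototype's code; the Warning/Critical limits, the monitoring credential, the `HealthMonitor` and `HealthReading` names, and the use of WQL (the query dialect `System.Management` accepts) are assumptions. The server names SISDC, Secure and Manager come from the thesis topology.

```csharp
// Added example, not SIS-M's own code. Assumes a .NET Framework project that
// references System.Management and a domain account dedicated to monitoring.
using System;
using System.Collections.Generic;
using System.Management;
using System.Runtime.InteropServices;

public enum HealthState { Ok, Warning, Critical, Unknown }

public sealed class HealthReading
{
    public string Server;
    public string WmiClass;   // class to query again for details
    public string DeviceId;   // key used in the drill-down query
    public string Element;
    public double Value;      // percent busy (CPU) or percent used (disk)
    public HealthState State;
}

public static class HealthMonitor
{
    // Constructed limits; the prototype's real rules (slide 33) are not transcribed.
    public const double CpuWarning = 75.0, CpuCritical = 90.0;
    public const double DiskWarning = 80.0, DiskCritical = 95.0;

    public static HealthState Evaluate(double value, double warning, double critical)
    {
        if (value >= critical) return HealthState.Critical;
        if (value >= warning) return HealthState.Warning;
        return HealthState.Ok;
    }

    // Slide 21: the credential used for namespace access matters. Use a
    // read-only monitoring account, not a domain admin, and require DCOM
    // packet privacy so the query and its results are encrypted on the wire.
    public static ManagementScope Connect(string server, string user, string password)
    {
        var options = new ConnectionOptions
        {
            Username = user,
            Password = password,
            Authentication = AuthenticationLevel.PacketPrivacy,
            Impersonation = ImpersonationLevel.Impersonate
        };
        var scope = new ManagementScope(string.Format(@"\\{0}\root\cimv2", server), options);
        scope.Connect();
        return scope;
    }

    public static List<HealthReading> Poll(string server, string user, string password)
    {
        var readings = new List<HealthReading>();
        ManagementScope scope;
        try { scope = Connect(server, user, password); }
        catch (COMException)             // RPC server unavailable, firewall, host down
        { readings.Add(new HealthReading { Server = server, Element = "WMI", State = HealthState.Unknown }); return readings; }
        catch (UnauthorizedAccessException) // credential lacks namespace access
        { readings.Add(new HealthReading { Server = server, Element = "WMI", State = HealthState.Unknown }); return readings; }

        using (var cpus = new ManagementObjectSearcher(scope, new ObjectQuery("SELECT DeviceID, LoadPercentage FROM Win32_Processor")))
        {
            foreach (ManagementObject cpu in cpus.Get())
            {
                double load = Convert.ToDouble(cpu["LoadPercentage"] ?? 0);
                readings.Add(new HealthReading { Server = server, WmiClass = "Win32_Processor", DeviceId = (string)cpu["DeviceID"],
                    Element = "CPU " + cpu["DeviceID"], Value = load, State = Evaluate(load, CpuWarning, CpuCritical) });
            }
        }
        // DriveType = 3 limits the result to local fixed disks.
        using (var disks = new ManagementObjectSearcher(scope, new ObjectQuery("SELECT DeviceID, Size, FreeSpace FROM Win32_LogicalDisk WHERE DriveType = 3")))
        {
            foreach (ManagementObject disk in disks.Get())
            {
                double size = Convert.ToDouble(disk["Size"] ?? 0), free = Convert.ToDouble(disk["FreeSpace"] ?? 0);
                double used = size > 0 ? 100.0 * (size - free) / size : 0;
                readings.Add(new HealthReading { Server = server, WmiClass = "Win32_LogicalDisk", DeviceId = (string)disk["DeviceID"],
                    Element = "Disk " + disk["DeviceID"], Value = used, State = Evaluate(used, DiskWarning, DiskCritical) });
            }
        }
        return readings;
    }

    // Drill-down for an element that fell out of limits. The DeviceID comes
    // from WMI, not from a user, but the quote is still escaped before it is
    // placed in the WQL literal.
    public static ManagementObjectCollection Details(ManagementScope scope, HealthReading reading)
    {
        string wql = string.Format("SELECT * FROM {0} WHERE DeviceID = '{1}'", reading.WmiClass, reading.DeviceId.Replace("'", "\\'"));
        return new ManagementObjectSearcher(scope, new ObjectQuery(wql)).Get();
    }

    public static void Main()
    {
        // Account name and password source are placeholders, not thesis values.
        foreach (string server in new[] { "SISDC", "Secure", "Manager" })
            foreach (HealthReading r in Poll(server, @"SISMTHESIS\wmi-monitor", "<password-from-protected-config>"))
                Console.WriteLine("{0,-8} {1,-10} {2,6:F1}%  {3}", r.Server, r.Element, r.Value, r.State);
    }
}
```

The password should come from a protected configuration section or a service account context rather than source; the placeholder string marks where that lookup belongs.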

  13. Web-based Application
  • InformationAccess
    • User Account Management
      • Uses An ASP.Net CreateUserWizard Server Control To Create Accounts Within The SISMTHESIS Domain
      • Uses The Active Directory Membership Provider And The Membership Class In The System.Web.Security Namespace To Delete Accounts And Retrieve Account Details

  14. Web-based Application
  • Certificate Services
    • Automated Client-side Certificate Distribution
      • Uses Windows Server 2003 Server Components And Certificate Services To Distribute And Remotely Install Client-side Certificates Issued By The Server Named Secure

  15. Web-based Application
  • InformationAccess
    • RBAC Management
      • Uses The Authorization Store Role Provider And The Roles Class Contained Within The System.Web.Security Namespace To Manage RBAC Permissions
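An added example of RBAC management through the `Roles` facade backed by the Authorization Store Role Provider, as slide 15 describes; it is not the prototype's code. It also carries two of the slide 22 lessons: AzMan enforcement wants UPN-formatted accounts, and some methods are not supported by this provider and throw `NotSupportedException`. The `RbacManager` name, the UPN suffix placeholder, and the role names in `Main` are assumptions.

```csharp
// Added example, not SIS-M's own code. Assumes web.config enables roleManager
// with System.Web.Security.AuthorizationStoreRoleProvider pointed at the AzMan store.
using System;
using System.Text.RegularExpressions;
using System.Web.Security;

public static class RbacManager
{
    // Slide 22: AzMan needs <username>@domain.com. The suffix here is a placeholder.
    public const string UpnSuffix = "@sismthesis.example";
    private static readonly Regex UpnPattern = new Regex(@"^[^@\s\\]+@[^@\s]+\.[^@\s]+$", RegexOptions.Compiled);

    public static bool IsUpn(string account)
    {
        return !string.IsNullOrEmpty(account) && UpnPattern.IsMatch(account);
    }

    // Accept a bare user name or a UPN; always hand AzMan a UPN. Reject
    // DOMAIN\user and anything else ambiguous instead of guessing.
    public static string ToUpn(string account)
    {
        if (IsUpn(account)) return account;
        if (string.IsNullOrEmpty(account) || account.Contains("\\") || account.Contains("@"))
            throw new ArgumentException("Expected 'user' or 'user@domain', got: " + account, "account");
        return account + UpnSuffix;
    }

    public static void EnsureRole(string role)
    {
        if (!Roles.RoleExists(role)) Roles.CreateRole(role);
    }

    public static void Grant(string account, string role)
    {
        string upn = ToUpn(account);
        EnsureRole(role);
        if (!Roles.IsUserInRole(upn, role)) Roles.AddUserToRole(upn, role);
    }

    public static void Revoke(string account, string role)
    {
        string upn = ToUpn(account);
        if (Roles.IsUserInRole(upn, role)) Roles.RemoveUserFromRole(upn, role);
    }

    // Slide 22: some methods are not supported by the AzMan-backed provider.
    // Surface that to the page as a false result instead of an unhandled exception.
    public static bool TryGetMembers(string role, out string[] members)
    {
        try { members = Roles.GetUsersInRole(role); return true; }
        catch (NotSupportedException) { members = new string[0]; return false; }
    }

    // Deny-by-default check a page runs before serving a resource; a false
    // result is what the caller records as an RBAC violation (slide 16).
    public static bool IsAuthorized(string account, string requiredRole)
    {
        if (!IsUpn(account)) return false;
        try { return Roles.IsUserInRole(account, requiredRole); }
        catch (NotSupportedException) { return false; }
    }

    public static void Main()
    {
        // Role and user names are constructed for the example.
        Grant("alice", "InformationSharing.Reader");
        Console.WriteLine(IsAuthorized("alice" + UpnSuffix, "InformationSharing.Reader"));   // expected: True
        Console.WriteLine(IsAuthorized("alice" + UpnSuffix, "InformationSharing.Admin"));    // expected: False
        string[] members;
        if (!TryGetMembers("InformationSharing.Reader", out members))
            Console.WriteLine("GetUsersInRole is not supported by this provider");
    }
}
```

In web.config this relies on a `<roleManager enabled="true" defaultProvider="...">` element whose provider entry has `type="System.Web.Security.AuthorizationStoreRoleProvider"` and a `connectionStringName` whose connection string is the `msxml://` or `msldap://` URL of the policy store; the application pool identity needs read access to that store.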

  16. Web-based Application
  • InformationAccess
    • RBAC Violations
      • Uses The EventLog Classes In The System.Diagnostics Namespace
      • RBAC Policy Access Violations From InformationAccess And InformationSharing Are Written To The Custom Event Log On The Server SISDC

  17. Web-based Application
  • InformationSharing

  18. Web-based Application
  • InformationSharing RBAC Violation
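An added example, not the prototype's code, of writing an RBAC policy violation from InformationAccess or InformationSharing to a custom event log on SISDC with `System.Diagnostics.EventLog`, as slide 16 describes, and reading it back for the violations page. The log name, the event id, the message layout and the `RbacViolationLog` name are assumptions; SISDC and the two application names are from the thesis.

```csharp
// Added example, not SIS-M's own code. Assumes the web application's identity
// may write to the custom log on SISDC and that the source was registered
// once by an administrator (see RegisterSource).
using System;
using System.Diagnostics;

public static class RbacViolationLog
{
    public const string LogName = "SIS-M RBAC Violations"; // constructed custom log name
    public const string LogHost = "SISDC";                  // server named on slide 16
    public const int ViolationEventId = 4001;               // constructed event id
    public const short ViolationCategory = 1;
    private static readonly string[] KnownSources = { "InformationAccess", "InformationSharing" };

    // Registering a source requires administrative rights on LogHost and is a
    // one-time installer step, so it is kept apart from the write path.
    public static void RegisterSource(string source)
    {
        if (!EventLog.SourceExists(source, LogHost))
            EventLog.CreateEventSource(new EventSourceCreationData(source, LogName) { MachineName = LogHost });
    }

    public static bool IsKnownSource(string source)
    {
        return Array.IndexOf(KnownSources, source) >= 0;
    }

    // Entries are read by administrators; line breaks in a caller-supplied
    // value would let a request forge extra fields, so they are removed.
    public static string Sanitize(string value)
    {
        return value == null ? "" : value.Replace("\r", " ").Replace("\n", " ").Trim();
    }

    public static string FormatViolation(string user, string resource, string operation, string clientAddress)
    {
        return string.Format(
            "RBAC policy violation{0}User: {1}{0}Resource: {2}{0}Operation: {3}{0}Client: {4}{0}Time (UTC): {5:o}",
            Environment.NewLine, Sanitize(user), Sanitize(resource), Sanitize(operation),
            Sanitize(clientAddress), DateTime.UtcNow);
    }

    public static void WriteViolation(string source, string user, string resource, string operation, string clientAddress)
    {
        if (!IsKnownSource(source)) throw new ArgumentException("Unknown event source: " + source, "source");
        using (var log = new EventLog(LogName, LogHost, source))
        {
            log.WriteEntry(FormatViolation(user, resource, operation, clientAddress),
                           EventLogEntryType.FailureAudit, ViolationEventId, ViolationCategory);
        }
    }

    // Retrieval path used by the violations page (slide 42 measures this access).
    public static int CountViolationsSince(DateTime sinceUtc)
    {
        int count = 0;
        using (var log = new EventLog(LogName, LogHost))
        {
            foreach (EventLogEntry entry in log.Entries)
                if (entry.InstanceId == ViolationEventId && entry.TimeGenerated.ToUniversalTime() >= sinceUtc)
                    count++;
        }
        return count;
    }

    public static void Main()
    {
        // Constructed sample violation: a page denied a request and records it.
        WriteViolation("InformationSharing", "bob@sismthesis.example", "/Share/Report.aspx", "Read", "192.168.184.129");
        Console.WriteLine(CountViolationsSince(DateTime.UtcNow.AddDays(-1)));
    }
}
```

Because `log.Entries` walks the whole log, the count grows linearly with log size; a page that is measured for response time, as slide 42 is, should read once and cache, or query by time window, rather than enumerate on every request.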

  19. Performance Observations: Server Trend For Retrieving One WMI Object
  The Server Trend For Retrieving One WMI Object observation shows the increase in response time for querying one WMI object relative to the number of WMI namespaces queried.
  Overall 7.9% Delay In HTTPS Response Time

  20. Performance Observations: Server Trend For Retrieving Five WMI Objects
  The Server Trend For Retrieving Five WMI Objects observation shows the increase in response time for querying five WMI objects relative to the number of WMI namespaces queried.
  Overall 8.1% Delay In HTTPS Response Time

  21. Lessons Learned
  • System Health & Status
    • Defining Appropriate User Credentials For WMI Namespace Access Is Critical
    • The Information Value Contained Within The CIMOM Is Directly Related To The Provider Implementation Maturity Within WBEM
  • User Account Management
    • User Account Management Within Windows 2003 Server Is Primarily Accomplished By The Active Directory Users & Computers Management Console And ADSI
    • Win32_UserAccount Does Not Inherit From The CIM_UserAccount Class Defined In The CIM Schema

  22. Lessons Learned
  • RBAC Management
    • The AzMan Capability Is Not Completely Supported Through The ASP.Net Services, And Some Membership Methods Throw A NotSupportedException
    • AzMan Policy Enforcement Requires User Principal Name (UPN) Formatted User Accounts, <username>@domain.com
  • Client-side Certificate Distribution
    • PKI Best Practices State That Root CAs Should Never Be Connected To The Network, To Raise The Security Level Of The CA's Private Key
    • A PKI In Most Cases Should Be Architected With An Offline Root CA, One Or More Offline Intermediate CAs, And One Or More Networked Issuing Enterprise CAs

  23. Future Research
  • Update The SIS-M Architecture To Include A UNIX Server
  • Update The SIS-M Prototype To The .Net 3.0 Framework
  • Modify The Certificate Authority Architecture
  • Implement Client-side Certificate Mapping

  24. Conclusion
  • The SIS-M Research And Prototype Enabled
    • System Health And Status Monitoring Using WMI
    • User Account Management Using The Active Directory Membership Provider
    • RBAC Management Using AzMan
    • Client-side Certificate Distribution Using Certificate Services
  • The CIM / WBEM Standards Appear To Be More Mature Than The Vendor Products Attempting To Comply With The DMTF Standards
    • This May Be Due To The Cost Of Integrating A New Standard Into An Existing Vendor Product Line

  25. Backup

  26. DMTF
  • Distributed Management Task Force
  • Common Information Model
  • Web Based Enterprise Management

  27. CIM (diagram)

  28. CIM Schema Example

  29. WBEM (diagram: URI, XML, CIM-XML, CLP, Discovery, CQL)
  CLP – Command Line Protocol
  CQL – CIM Query Language

  30. WBEM Architecture (diagram)
  WBEM Client: CIM Client Application
  Transport: CIM Query Language, CIM-XML
  WBEM Server: CIM Repository, CIMOM, Provider Abstraction, Proprietary Layer

  31. SIS-M Network Topology
  SISMThesis Domain Virtual Network
  Hosts: SIS-M Client, SIS Client, Secure, SISDC, Manager
  Addresses: 192.168.184.128, 192.168.184.129, 192.168.184.130, 192.168.184.131, 192.168.184.132

  32. System Health & Status
  Windows 2003 Server: Operating System Status, CPU Status, Disk Status

  33. SIS-M Health & Status Rules

  34. Login Pages

  35. Backup Code

  36. System Health & Status Monitoring (code): WMI Namespace Connection, WMI Queries

  37. User Account Management (code): Active Directory Connection, Membership Class

  38. RBAC Management (code): Authorization Manager Policy Store Connection

  39. RBAC Management (Cont.) (code): Create Role, Get Users In Role

  40. RBAC Violation Archive (code): Create Archive, Write Violation

  41. Backup Performance

  42. RBAC Violation Log Access
  The objective of this measurement is to observe the performance of the Windows Event Log during a custom archive data retrieval request.

  43. RBAC Mgt Access (Authorization Manager)
  The objective of this measurement is to observe the performance of Authorization Manager accesses.

  44. WMI 1X1 Response Time
  The One Server Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespace on SISDC.

  45. WMI 2X1 Response Time
  The Two Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on the SISDC and Secure servers.

  46. WMI 3X1 Response Time
  The Three Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on the SISDC, Secure, and Manager servers.

  47. WMI 1X5 Response Time
  The One Server Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespace on SISDC.

  48. WMI 2X5 Response Time
  The Two Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespaces on the SISDC and Secure servers.

  49. WMI 3X5 Response Time
  The Three Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries, each requesting a single WMI object, to execute against the WMI namespaces on the SISDC, Secure, and Manager servers.
