RBAC Defense in Depth - PowerPoint PPT Presentation

Provided by: bradru
Transcript and Presenter's Notes

1
RBAC Defense in Depth
  • Authors: Brad Ruppert, Russell Meyer

2
RBAC defense in depth for GIAC Enterprises
  • GIAC Enterprises is a small company that sells
    fortune cookies over the web
  • The company is comprised of a CEO, CFO, Sales
    Manager, Product Manager, Developer, and System
    Admin
  • Most of the every day work (producing, selling
    and marketing) will be done through external
    partners, which is why the headcount initially is
    rather low. Considering many partners and
    suppliers will need access to company resources,
    it becomes increasingly important for the
    perimeters to have tight security.
  • The network consists of 14 servers:
    - DMZ (Web, MetaFrame, IPS, Email Gateway)
    - Internal (Email, DC, DNS, Web, App, DB,
      Antivirus, File/Print, IPS, HR)
  • Sales staff has access via MetaFrame to internal
    network

3
Background on RBAC
  • Role Based Access Control (RBAC) is a methodology
    of limiting access to objects based on
    permissions assigned to a specific role
  • Roles can be synonymous with job duties or
    functions and can be associated with individual
    users or groups
  • These roles can have permissions associated to
    systems, files, folders, and other objects within
    an enterprise
  • The goal in role development is to determine all
    the permissions in advance that a user might
    require to perform a specific task or job
    function and bind these permissions to the
    specific role
  • Scalability and efficiency gains are two
    significant benefits of role-based
    administration, allowing fewer system
    administrators to manage higher volumes of users
    and resources

4
RBAC for GIAC Enterprises
  • The small scale of GIAC Enterprises is both a
    plus and minus for implementing RBAC
  • Smaller companies will most likely mean users
    will be assuming multiple roles within the
    organization, thus making it difficult to create
    static roles for each user or process.
  • Example: initially the domain admin may be the
    DBA as well, depending upon the size of the IT
    department. Once the company can support
    additional staff, roles should be defined that
    separate developer from production support.
  • At first glance the implementation of RBAC in a
    company with under 10 employees may seem simple.
    If roles are not properly identified and
    categorized, scalability becomes a problem. The
    sooner you can implement principles of least
    privilege and segregation of duties, the more
    reliable your process will become.
  • At a high level GIAC Enterprises can be broken
    into four divisions:
    - Business (CEO, CFO, Sales Manager, Product
      Manager)
    - Development (Developer)
    - Administration (System Administrator)
    - Audit (External Resource)

5
RBAC in the DMZ
  • The DMZ houses the Email gateway, IPS, Web
    Server, and MetaFrame Presentation Server
  • Windows systems (Email, MetaFrame) use Active
    Directory (AD) for maintaining role-based access
    controls
  • Linux systems (Web, App, IPS) use Vintela
    Authentication Services (VAS) which sits on the
    AD framework for administering role-based access
    controls
  • Within AD, the following roles are defined
    specific to the DMZ:
    - User - read-only access to web pages
    - Administrator - read/write access to deploy
      changes made by developer
    - Auditor - read-only access to specified systems
  • Windows group policy security settings are used
    to lock down systems, restricting access to
    specific files/folders based on the role. Linux
    group policies and security scripts are deployed
    to multiple systems as well using the VAS
    interface through the AD management console
  • Inbound access to systems from business partners
    and employees is via MetaFrame, which uses role
    based access controls defined within AD/VAS
    group policies
  • Access to the web interface utilizes Vintela's
    Java based Single Sign On component, which
    validates users and their access to confidential
    web pages

6
RBAC for Internal Systems
  • Access to the majority of GIAC Enterprises
    internal systems (Email, File, HR, Antivirus, DC,
    DNS) is governed by Windows Active Directory (AD)
  • Access to the Linux/Apache web server and the
    Solaris/Weblogic App Server is controlled via
    Vintela Authentication Services (VAS) managed
    through AD
  • Internally the following roles are defined:
    - User - read-only access to web pages
    - Administrator - read/write access to deploy
      changes to production after they've been made by
      a developer
    - Developer - read/write access to development
      partitions of web/app/db servers
    - Auditor - read-only access to specified systems
  • Employees access the sales and HR database
    utilizing a web-to-app interface thereby abiding
    by a 3-tier architecture
  • Systems are partitioned and segmented into
    development and production environments to
    facilitate configuration management practices

7
RBAC for Network Devices
  • Cisco's Network Admission Control (NAC) is used
    to control workstation and laptop access to the
    internal network
  • IBNS and 802.1x are integrated into NAC (next
    slide)
  • 802.1x provides controls for both wired and
    wireless devices
  • NAC Profiler is used to automatically identify
    and assess non-PC devices such as Voice over IP
    phones and printers
  • Appropriate device roles are created. For
    example, business user, guest user, etc.
  • NAC is used to isolate vendor connections (e.g.
    visiting laptops), while still allowing Internet
    access
  • Ensure that authorized endpoint devices have been
    patched (operating systems, critical
    applications, anti-virus, anti-spyware, etc.)
    via the policy server.
  • If the device is not up-to-date, it is
    quarantined and allowed access only to the
    remediation server
  • If the device cannot be updated, treat the device
    as a guest and restrict access to only the
    MetaFrame servers.
  • GIAC Enterprises uses PGP's Whole Disk
    Encryption solution to secure data on laptops
    and at-risk desktops and removable storage.

8
RBAC for Infrastructure
  • Use Cisco's AAA TACACS via Cisco Secure Access
    Control Server with Active Directory for
    centralized router and firewall Authentication,
    Authorization, and Accounting.
  • Use Cisco's Identity-Based Networking Services
    (IBNS) identity management solution
  • IBNS is based on 802.1x and offers
    authentication, access control, and user policies
    to secure the network
  • 802.1X allows enforcement of port based network
    access control when devices attempt to access the
    network
  • IBNS leverages Cisco's switches, Wireless APs,
    Cisco Secure ACS and Cisco Secure Services Client
  • Cisco's Role-Based CLI Access is used to define
    auditor and helpdesk views
  • These views are configured to restrict access to
    Cisco IOS commands and configuration while
    allowing timely problem resolution and audit
    access to the IOS
  • If SSH is needed, Quest OpenSSH provides
    password-less, secure, encrypted remote login and
    file transfer services for Vintela Authentication
    Services (VAS).
  • The Cisco solution can also support VLANs and
    VPNs (if needed)

9
RBAC for Separation of Duties
  • GIAC Enterprises has developed roles to separate
    job duties
  • User administration - The person authorizing the
    new user or access should not be the same one
    that establishes the new user or access
  • Accounting - The person approving the payment of
    an invoice should not be the same one that can
    create a company/vendor in the accounting system
  • IT Administrator vs. IT auditor - While the
    auditor would need the same read access
    rights as an IT administrator, they would not
    need write or modify rights
  • The developer would require access to the
    development area but should not be allowed access
    to the production area
  • Data Owner vs. Data Custodian, i.e. the IT
    administrator. In some cases, access to the data
    may need to be restricted to the data owner. IT
    would not be granted access, but would be
    required to ensure the security of it
  • As mentioned, physical access can also be
    controlled via AD-enabled key cards. This
    prevents access to unauthorized areas
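As an added example that is not part of the original deck (and not an export of any real AD configuration), the following Python models the roles from slides 3 and 6 and the separation-of-duties rules from this slide as a small RBAC policy: users hold roles, roles carry permissions, and mutually exclusive role pairs stop one person from being granted both halves of a conflicting duty. Role and permission names are assumptions chosen to mirror the slides.

```python
from dataclasses import dataclass, field


@dataclass
class Rbac:
    """Minimal RBAC policy: users hold roles, roles carry permissions,
    and mutually exclusive role pairs enforce static separation of duties."""
    roles: dict[str, set[str]] = field(default_factory=dict)        # role -> "object:action"
    assignments: dict[str, set[str]] = field(default_factory=dict)  # user -> roles held
    exclusive: set[frozenset[str]] = field(default_factory=set)     # SoD role pairs

    def add_role(self, role: str, *perms: str) -> None:
        self.roles[role] = set(perms)

    def exclude(self, a: str, b: str) -> None:
        self.exclusive.add(frozenset((a, b)))

    def assign(self, user: str, role: str) -> None:
        """Grant a role unless it conflicts with one the user already holds."""
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset((role, other)) in self.exclusive:
                raise PermissionError(f"{user}: {role} conflicts with {other}")
        held.add(role)

    def permitted(self, user: str, perm: str) -> bool:
        return any(perm in self.roles.get(r, ()) for r in self.assignments.get(user, ()))


def try_assign(policy: Rbac, user: str, role: str) -> bool:
    try:
        policy.assign(user, role)
        return True
    except PermissionError:          # blocked by a separation-of-duties rule
        return False


def giac_model() -> Rbac:
    """Roles and SoD rules mirroring slides 6 and 9 (assumed names, not an AD export)."""
    m = Rbac()
    m.add_role("user", "web:read")
    m.add_role("developer", "web:read", "dev-partition:write")
    m.add_role("administrator", "web:read", "production:write", "account:create")
    m.add_role("auditor", "web:read", "production:read", "logs:read")
    m.add_role("access-approver", "account:approve")   # authorizes new users/access
    m.add_role("ap-approver", "invoice:approve")       # approves invoice payment
    m.add_role("ap-vendor-maint", "vendor:create")     # creates vendors in accounting
    m.exclude("developer", "administrator")            # development area vs production
    m.exclude("access-approver", "administrator")      # approver vs account creator
    m.exclude("ap-approver", "ap-vendor-maint")        # invoice approval vs vendor creation
    m.exclude("administrator", "auditor")              # IT administrator vs IT auditor
    return m
```

In a company this small the same person will be offered several roles; the `exclusive` pairs are what make the policy refuse the combinations slide 9 names while still allowing harmless stacking such as a CFO who is also a plain web user.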

10
RBAC for Auditing
  • RBAC will ease auditing of network and systems
  • Enforces unique usernames: only one username per
    user
  • Define read or view only access to auditing
    roles
  • Auditors can then be granted access to audit
    roles
  • Appropriate event logs from servers, Active
    Directory, IPS, routers, Vintela Authentication
    Services, NAC, key card system and other network
    infrastructure devices are stored in a
    centralized log server
  • Access to the centralized log server data is
    restricted; IT cannot access, modify or delete
    logs without audit's permission
  • An event correlation and reporting server is used
    by both IT and audit to correlate and review the
    data

11
Conclusion
  • GIAC Enterprises can benefit from Role Based
    Access Control by gaining scalability and
    efficiency
  • By leveraging Active Directory and implementing
    the appropriate roles, GIAC Enterprises can
    increase security and reduce system
    administration costs
  • While Role Based Access Control is considered a
    best practice at the system or application level,
    it becomes increasingly difficult to implement
    when scaling for large enterprises
  • RBAC is not a product that can be implemented per
    se. Implementing RBAC involves careful planning
    for each system and should involve users,
    management and policies for success
  • Care should be taken when implementing RBAC in
    the Enterprise. If costs outweigh the benefits,
    RBAC implementation may need to be scaled back