RBAC Defense in Depth

Authors: Brad Ruppert & Russell Meyer
RBAC defense in depth for GIAC Enterprises

- GIAC Enterprises is a small company that sells fortune cookies over the web
- The company is comprised of a CEO, CFO, Sales Manager, Product Manager, Developer, and System Admin
- Most of the everyday work (producing, selling and marketing) will be done through external partners, which is why the headcount is initially rather low. Considering that many partners and suppliers will need access to company resources, it becomes increasingly important for the perimeter to have tight security.
- The network consists of 14 servers:
  - DMZ (Web, MetaFrame, IPS, Email Gateway)
  - Internal (Email, DC, DNS, Web, App, DB, Antivirus, File/Print, IPS, HR)
- Sales staff have access to the internal network via MetaFrame

Background on RBAC

- Role Based Access Control (RBAC) is a methodology for limiting access to objects based on permissions assigned to a specific role
- Roles can be synonymous with job duties or functions and can be associated with individual users or groups
- These roles can have permissions associated with systems, files, folders, and other objects within an enterprise
- The goal in role development is to determine in advance all the permissions a user might require to perform a specific task or job function and bind these permissions to the specific role
- Scalability and efficiency gains are two significant benefits of role-based administration, allowing fewer system administrators to manage higher volumes of users and resources

RBAC for GIAC Enterprises

- The small scale of GIAC Enterprises is both a plus and a minus for implementing RBAC
- A smaller company most likely means users will assume multiple roles within the organization, making it difficult to create static roles for each user or process.
  - Example: initially the domain admin may be the DBA as well, depending upon the size of the IT department. Once the company can support additional staff, roles should be defined that separate developer from production support.
- At first glance the implementation of RBAC in a company with under 10 employees may seem simple. If roles are not properly identified and categorized, scalability becomes a problem. The sooner you can implement the principles of least privilege and segregation of duties, the more reliable your process will become.
- At a high level GIAC Enterprises can be broken into four divisions:
  - Business (CEO, CFO, Sales Manager, Product Manager)
  - Development (Developer)
  - Administration (System Administrator)
  - Audit (External Resource)

RBAC in the DMZ

- The DMZ houses the Email gateway, IPS, Web Server, and MetaFrame Presentation Server
- Windows systems (Email, MetaFrame) use Active Directory (AD) for maintaining role-based access controls
- Linux systems (Web, App, IPS) use Vintela Authentication Services (VAS), which sits on the AD framework, for administering role-based access controls
- Within AD, the following roles are defined specific to the DMZ:
  - User - read-only access to web pages
  - Administrator - read/write access to deploy changes made by the developer
  - Auditor - read-only access to specified systems
- Windows group policy security settings are used to lock down systems, restricting access to specific files/folders based on the role. Linux group policies and security scripts are deployed to multiple systems as well, using the VAS interface through the AD management console
- Inbound access to systems from business partners and employees is via MetaFrame, which uses role-based access controls defined within AD and VAS group policies
- Access to the web interface utilizes Vintela’s Java-based Single Sign-On component, which validates users and their access to confidential web pages

RBAC for Internal Systems

- Access to the majority of GIAC Enterprise’s internal systems (Email, File, HR, Antivirus, DC, DNS) is governed by Windows Active Directory (AD)
- Access to the Linux/Apache web server and the Solaris/WebLogic App Server is controlled via Vintela Authentication Services (VAS) managed through AD
- Internally the following roles are defined:
  - User - read-only access to web pages
  - Administrator - read/write access to deploy changes to production after they’ve been made by a developer
  - Developer - read/write access to development partitions of the web/app/db servers
  - Auditor - read-only access to specified systems
- Employees access the sales and HR databases through a web-to-app interface, thereby abiding by a 3-tier architecture
- Systems are partitioned and segmented into development and production environments to facilitate configuration management practices

RBAC for Network Devices

- Cisco’s Network Admission Control (NAC) is used to control workstation and laptop access to the internal network
- IBNS and 802.1x are integrated into NAC (next slide)
- 802.1x provides controls for both wired and wireless devices
- NAC Profiler is used to automatically identify and assess non-PC devices such as Voice over IP phones and printers
- Appropriate device roles are created, for example business user, guest user, etc.
- NAC is used to isolate vendor connections (i.e. visiting laptops) while still allowing Internet access
- Ensure that authorized endpoint devices have been patched (operating systems, critical applications, anti-virus, anti-spyware, etc.) via the policy server.
- If the device is not up-to-date, it is quarantined and allowed access only to the remediation server
- If the device cannot be updated, treat the device as a “guest” and restrict its access to only the MetaFrame servers.
- GIAC Enterprises uses PGP’s “Whole Disk Encryption” solution to secure data on laptops, at-risk desktops and removable storage.

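The admission decision the slide above describes (posture check, quarantine to the remediation server, fallback to a guest role limited to MetaFrame, and profiled non-PC devices), written out as an added example that is not part of the original deck or of any Cisco product. The endpoint fields, the zone names and the rule that unauthenticated or vendor-owned PCs land in the guest role are assumptions made for this example.

```python
# Added example (not from the slides): the NAC admission logic of the
# "RBAC for Network Devices" slide as a pure function over a constructed
# endpoint record. Zone names and field names are assumptions.
from dataclasses import dataclass

# Network roles from the slide and where each is allowed to reach (assumed).
ROLE_REACH = {
    "business_user":   {"internal", "internet"},
    "profiled_device": {"voice_vlan"},             # VoIP phones, printers (NAC Profiler)
    "guest":           {"metaframe", "internet"},  # vendor laptops, un-updatable PCs
    "quarantine":      {"remediation"},            # out-of-date but updatable endpoints
}

@dataclass
class Endpoint:
    is_pc: bool
    owner: str                  # "employee" or "vendor"
    authenticated: bool         # 802.1x / IBNS result
    os_patched: bool
    apps_patched: bool          # critical applications
    av_current: bool
    antispyware_current: bool
    updatable: bool = True      # can the policy server remediate it?

def posture_ok(e: Endpoint) -> bool:
    """All patch/signature checks the policy server requires must pass."""
    return e.os_patched and e.apps_patched and e.av_current and e.antispyware_current

def admission_role(e: Endpoint) -> str:
    """Return the NAC role the policy server should place the endpoint in."""
    if not e.is_pc:
        return "profiled_device"   # identified by NAC Profiler, not posture-checked
    if e.owner == "vendor" or not e.authenticated:
        return "guest"             # visiting laptops: isolated, Internet still allowed
    if posture_ok(e):
        return "business_user"
    if e.updatable:
        return "quarantine"        # remediation server only until brought up to date
    return "guest"                 # cannot be updated: treat as guest (MetaFrame only)

def may_reach(e: Endpoint, zone: str) -> bool:
    """Can this endpoint talk to the given zone under its admission role?"""
    return zone in ROLE_REACH[admission_role(e)]
```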
RBAC for Infrastructure

- Use Cisco’s AAA and TACACS+ via Cisco Secure Access Control Server and Active Directory for centralized router and firewall Authentication, Authorization, and Accounting.
- Use Cisco's Identity-Based Networking Services (IBNS) identity management solution
  - IBNS is based on 802.1x and offers authentication, access control, and user policies to secure the network
  - 802.1X allows enforcement of port-based network access control when devices attempt to access the network
  - IBNS leverages Cisco's switches, wireless APs, Cisco Secure ACS and Cisco Secure Services Client
- Cisco’s Role-Based CLI Access is used to define auditor and helpdesk views
  - These views are configured to restrict access to Cisco IOS commands and configuration while allowing timely problem resolution and audit access to the IOS
- If SSH is needed, Quest OpenSSH provides password-less, secure, encrypted remote login and file transfer services for Vintela Authentication Services (VAS).
- The Cisco solution can also support VLANs and VPNs (if needed)

RBAC for Separation of Duties

- GIAC Enterprises has developed roles to separate job duties:
  - User administration - the person authorizing a new user or access should not be the same one that establishes the new user or access
  - Accounting - the person approving the payment of an invoice should not be the same one that can create a company/vendor in the accounting system
  - IT administrator vs. IT auditor - while the auditor would need the same ‘read’ access rights as an IT administrator, they would not need ‘write’ or ‘modify’ rights
  - The developer would require access to the development area but should not be allowed access to the production area
  - Data owner vs. data custodian (i.e. the IT administrator) - in some cases, access to the data may need to be restricted to the data owner. IT would not be granted access to the data, but would be required to ensure its security
- As mentioned, physical access can also be controlled via AD-enabled key cards. This prevents access to unauthorized areas

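The internal role set (User, Administrator, Developer, Auditor with the dev/prod partition split) and the separation-of-duty pairs listed above, modelled together as an added example; this is not code from the deck or from Active Directory/VAS, and the permission tuples, the extra request/approval roles and the conflict table are assumptions chosen to match the slides.

```python
# Added example (not from the slides): a minimal RBAC model with static
# separation-of-duty (SoD) constraints. Role and permission names are assumed.
from dataclasses import dataclass, field

# Permission = (action, system, partition); partition models the dev/prod split.
ROLE_PERMISSIONS = {
    "user":          {("read", "web", "prod")},
    "developer":     {(a, s, "dev") for a in ("read", "write") for s in ("web", "app", "db")},
    "administrator": {(a, s, "prod") for a in ("read", "write") for s in ("web", "app", "db")},
    "auditor":       {("read", s, "prod") for s in ("web", "app", "db", "dc", "logs")},
    # request/approval roles from the SoD slide (names assumed)
    "user_authorizer":  {("approve", "user_account", "prod")},
    "user_provisioner": {("create", "user_account", "prod")},
    "invoice_approver": {("approve", "invoice", "prod")},
    "vendor_creator":   {("create", "vendor", "prod")},
}

# Mutually exclusive role pairs: no single user may hold both (static SoD).
SOD_CONFLICTS = {
    frozenset({"user_authorizer", "user_provisioner"}),
    frozenset({"invoice_approver", "vendor_creator"}),
    frozenset({"administrator", "auditor"}),
    frozenset({"developer", "administrator"}),
}

class SoDViolation(Exception):
    """Raised when a role assignment would breach a separation-of-duty pair."""

@dataclass
class Directory:
    assignments: dict = field(default_factory=dict)  # username -> set of role names

    def assign(self, user: str, role: str) -> None:
        """Grant a role, refusing if it conflicts with one the user already holds."""
        if role not in ROLE_PERMISSIONS:
            raise KeyError(f"unknown role {role!r}")
        held = self.assignments.setdefault(user, set())
        for other in held:
            if frozenset({role, other}) in SOD_CONFLICTS:
                raise SoDViolation(f"{user}: {role} conflicts with {other}")
        held.add(role)

    def can(self, user: str, action: str, system: str, partition: str = "prod") -> bool:
        """Union of the user's role permissions, checked for one (action, system, partition)."""
        perms = set().union(*(ROLE_PERMISSIONS[r] for r in self.assignments.get(user, ())))
        return (action, system, partition) in perms
```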
RBAC for Auditing

- RBAC will ease auditing of the network and systems
- Enforces unique usernames; only one username per user
- Define ‘read’ or ‘view’ only access for auditing roles
- Auditors can then be granted access to the audit roles
- Appropriate event logs from servers, Active Directory, IPS, routers, Vintela Authentication Services, NAC, the key card system and other network infrastructure devices are stored on a centralized log server
- Access to the centralized log server data is restricted; IT cannot access, modify or delete logs without audit’s permission
- An event correlation and reporting server is used by both IT and audit to correlate and review the data

Conclusion

- GIAC Enterprises can benefit from Role Based Access Control by gaining scalability and efficiency
- By leveraging Active Directory and implementing the appropriate roles, GIAC Enterprises can increase security and reduce system administration costs
- While Role Based Access Control is considered a best practice at the system or application level, it becomes increasingly difficult to implement when scaling for large enterprises
- RBAC is not a product that can be implemented per se. Implementing RBAC involves careful planning for each system and should involve users, management and policies for success
- Care should be taken when implementing RBAC in the enterprise. If costs outweigh the benefits, the RBAC implementation may need to be scaled back