RBAC Defense in Depth
Authors: Brad Ruppert & Russell Meyer

RBAC defense in depth for GIAC Enterprises
- GIAC Enterprises is a small company that sells fortune cookies over the web.
- The company is comprised of a CEO, CFO, Sales Manager, Product Manager, Developer, and System Admin.
- Most of the everyday work (producing, selling and marketing) will be done through external partners, which is why the headcount is initially rather low.
- Since many partners and suppliers will need access to company resources, it becomes increasingly important for the perimeter to have tight security.
- The network consists of 14 servers:
  - DMZ (Web, MetaFrame, IPS, Email Gateway)
  - Internal (Email, DC, DNS, Web, App, DB, Antivirus, File/Print, IPS, HR)
- Sales staff have access to the internal network via MetaFrame.

Background on RBAC
- Role Based Access Control (RBAC) is a methodology for limiting access to objects based on permissions assigned to a specific role.
- Roles can be synonymous with job duties or functions and can be associated with individual users or groups.
- These roles can have permissions associated with systems, files, folders, and other objects within an enterprise.
- The goal in role development is to determine in advance all the permissions a user might require to perform a specific task or job function, and to bind these permissions to the specific role.
- Scalability and efficiency gains are two significant benefits of role-based administration, allowing fewer system administrators to manage higher volumes of users and resources.

RBAC for GIAC Enterprises
- The small scale of GIAC Enterprises is both a plus and a minus for implementing RBAC.
- A smaller company most likely means users will assume multiple roles within the organization, making it difficult to create static roles for each user or process. Example: initially the domain admin may be the DBA as well, depending upon the size of the IT department.
- Once the company can support additional staff, roles should be defined that separate development from production support.
- At first glance the implementation of RBAC in a company with under 10 employees may seem simple. If roles are not properly identified and categorized, scalability becomes a problem.
- The sooner you can implement the principles of least privilege and segregation of duties, the more reliable your process will become.
- At a high level GIAC Enterprises can be broken into four divisions:
  - Business (CEO, CFO, Sales Manager, Product Manager)
  - Development (Developer)
  - Administration (System Administrator)
  - Audit (External Resource)

RBAC in the DMZ
- The DMZ houses the Email gateway, IPS, Web Server, and MetaFrame Presentation Server.
- Windows systems (Email, MetaFrame) use Active Directory (AD) for maintaining role-based access controls.
- Linux systems (Web, App, IPS) use Vintela Authentication Services (VAS), which sits on the AD framework, for administering role-based access controls.
- Within AD, the following roles are defined specific to the DMZ:
  - User - read-only access to web pages
  - Administrator - read/write access to deploy changes made by the developer
  - Auditor - read-only access to specified systems
- Windows group policy security settings are used to lock down systems, restricting access to specific files/folders based on the role.
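The deck binds permissions to roles and roles to AD groups rather than to individual users. As an added illustration (not code from the deck, Microsoft or Vintela), the following Python policy engine models the four roles the deck defines (User, Administrator, Developer, Auditor) as sets of (action, system, partition) permissions, with systems split into development and production partitions as the internal-systems slide describes. The AD group names, the sample accounts, the assumption that an Administrator may read development but write only to production, and the list of systems an Auditor may read are all constructed for the example.

```python
"""Toy RBAC policy engine modelling the GIAC Enterprises roles in this deck.

Added illustration; not code from the deck, Microsoft or Vintela. Role names,
the development/production partitions and the access rules (user: read-only
web pages; administrator: read/write to deploy; developer: read/write on dev
partitions; auditor: read-only) come from the slides. The permission tuples,
AD group names, the auditor's system list and the sample users are assumptions.
"""
from typing import Dict, List, Set, Tuple

# A permission is (action, system, partition); "*" matches any value.
Permission = Tuple[str, str, str]

ROLES: Dict[str, Set[Permission]] = {
    # User: read-only access to (production) web pages
    "User": {("read", "web", "production")},
    # Administrator: read everywhere (assumption), write only to production,
    # i.e. deploying what the developer built; never writes to development
    "Administrator": {("read", "*", "*"), ("write", "*", "production")},
    # Developer: read/write on the development partitions of web/app/db only
    "Developer": {(action, system, "development")
                  for action in ("read", "write") for system in ("web", "app", "db")},
    # Auditor: read-only on the systems designated for audit (assumed list)
    "Auditor": {("read", system, "*") for system in ("web", "app", "db", "dc")},
}

# Users are bound to roles only through AD-style groups, never directly.
# Group names and sample accounts are constructed for this example.
GROUP_TO_ROLE: Dict[str, str] = {
    "GIAC-Users": "User",
    "GIAC-Developers": "Developer",
    "GIAC-Administrators": "Administrator",
    "GIAC-Auditors": "Auditor",
}
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "GIAC-Users": {"ceo", "cfo", "sales.mgr", "product.mgr", "dev1", "sysadmin"},
    "GIAC-Developers": {"dev1"},
    "GIAC-Administrators": {"sysadmin"},
    "GIAC-Auditors": {"ext.auditor"},
}


def roles_of(user: str) -> Set[str]:
    """Roles a user holds via group membership (a user may hold several)."""
    return {GROUP_TO_ROLE[g] for g, members in GROUP_MEMBERS.items() if user in members}


def _matches(perm: Permission, action: str, system: str, partition: str) -> bool:
    p_action, p_system, p_partition = perm
    return (p_action == action
            and p_system in ("*", system)
            and p_partition in ("*", partition))


def is_allowed(user: str, action: str, system: str, partition: str) -> bool:
    """Default deny: true only if some role of the user grants a matching permission."""
    return any(_matches(perm, action, system, partition)
               for role in roles_of(user)
               for perm in ROLES.get(role, set()))


def users_who_can(action: str, system: str, partition: str) -> List[str]:
    """Access-review helper: which accounts can perform this action on this resource?"""
    everyone = set().union(*GROUP_MEMBERS.values())
    return sorted(u for u in everyone if is_allowed(u, action, system, partition))


if __name__ == "__main__":
    checks = [
        ("dev1", "write", "web", "development"),       # developer builds on dev
        ("dev1", "write", "web", "production"),        # developer must not touch prod
        ("sysadmin", "write", "web", "production"),    # admin deploys to prod
        ("ext.auditor", "read", "db", "production"),   # auditor reads
        ("ext.auditor", "write", "db", "production"),  # auditor never writes
        ("ceo", "read", "web", "development"),         # plain user: prod pages only
    ]
    for user, action, system, partition in checks:
        verdict = "ALLOW" if is_allowed(user, action, system, partition) else "DENY "
        print(f"{verdict} {user:12s} {action:5s} {system}/{partition}")
    print("can write production web:", users_who_can("write", "web", "production"))
```

The point of `users_who_can` is the access review the deck's auditing slide asks for: because permissions hang off roles and roles off groups, "who can write to production?" is answered by walking group membership rather than by inspecting every server.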
- Linux group policies and security scripts are deployed to multiple systems as well, using the VAS interface through the AD management console.
- Inbound access to systems from business partners and employees is via MetaFrame, which uses role-based access controls defined within AD and VAS group policies.
- Access to the web interface utilizes Vintela's Java-based Single Sign-On component, which validates users and their access to confidential web pages.

RBAC for Internal Systems
- Access to the majority of GIAC Enterprises' internal systems (Email, File, HR, Antivirus, DC, DNS) is governed by Windows Active Directory (AD).
- Access to the Linux/Apache web server and the Solaris/WebLogic app server is controlled via Vintela Authentication Services (VAS) managed through AD.
- Internally the following roles are defined:
  - User - read-only access to web pages
  - Administrator - read/write access to deploy changes to production after they have been made by a developer
  - Developer - read/write access to development partitions of web/app/db servers
  - Auditor - read-only access to specified systems
- Employees access the sales and HR databases through a web-to-app interface, thereby abiding by a 3-tier architecture.
- Systems are partitioned and segmented into development and production environments to facilitate configuration management practices.

RBAC for Network Devices
- Cisco's Network Admission Control (NAC) is used to control workstation and laptop access to the internal network.
- IBNS and 802.1X are integrated into NAC (next slide). 802.1X provides controls for both wired and wireless devices.
- NAC Profiler is used to automatically identify and assess non-PC devices such as Voice over IP phones and printers.
- Appropriate device roles are created, for example business user, guest user, etc.
- NAC is used to isolate vendor connections (i.e. visiting laptops) while still allowing Internet access.
- Ensure that authorized endpoint devices have been patched (operating systems, critical applications, anti-virus, anti-spyware, etc.) via the policy server. If a device is not up to date, it is quarantined and allowed access only to the remediation server. If the device cannot be updated, treat it as a "guest" and restrict its access to only the MetaFrame servers.
- GIAC Enterprises uses PGP's "Whole Disk Encryption" solution to secure data on laptops, at-risk desktops and removable storage.

RBAC for Infrastructure
- Use Cisco's AAA and TACACS+ via Cisco Secure Access Control Server and Active Directory for centralized router and firewall Authentication, Authorization, and Accounting.
- Use Cisco's Identity-Based Networking Services (IBNS) identity management solution. IBNS is based on 802.1X and offers authentication, access control, and user policies to secure the network.
- 802.1X allows enforcement of port-based network access control when devices attempt to access the network.
- IBNS leverages Cisco switches, wireless APs, Cisco Secure ACS and Cisco Secure Services Client.
- Cisco's Role-Based CLI Access is used to define auditor and helpdesk views. These views are configured to restrict access to Cisco IOS commands and configuration while allowing timely problem resolution and audit access to the IOS.
- If SSH is needed, Quest OpenSSH provides password-less, secure, encrypted remote login and file transfer services for Vintela Authentication Services (VAS).
- The Cisco solution can also support VLANs and VPNs (if needed).

RBAC for Separation of Duties
- GIAC Enterprises has developed roles to separate job duties:
  - User administration - the person authorizing a new user or access should not be the same one who establishes the new user or access.
  - Accounting - the person approving the payment of an invoice should not be the same one who can create a company/vendor in the accounting system.
  - IT Administrator vs. IT Auditor - while the auditor would need the same 'read' access rights as an IT administrator, they would not need 'write' or 'modify' rights.
  - The developer would require access to the development area but should not be allowed access to the production area.
  - Data Owner vs. Data Custodian (i.e. the IT administrator) - in some cases, access to the data may need to be restricted to the data owner. IT would not be granted access, but would be required to ensure the security of it.
- As mentioned, physical access can also be controlled via AD-enabled key cards. This prevents access to unauthorized areas.

RBAC for Auditing
- RBAC will ease auditing of the network and systems.
- Enforces unique usernames; only one username per user.
- Define 'read' or 'view' only access for auditing roles. Auditors can then be granted access to the audit roles.
- Appropriate event logs from servers, Active Directory, IPS, routers, Vintela Authentication Services, NAC, the key card system and other network infrastructure devices are stored in a centralized log server.
- Access to the centralized log server data is restricted; IT cannot access, modify or delete logs without audit's permission.
- An event correlation and reporting server is used by both IT and audit to correlate and review the data.

Conclusion
- GIAC Enterprises can benefit from Role Based Access Control by gaining scalability and efficiency.
- By leveraging Active Directory and implementing the appropriate roles, GIAC Enterprises can increase security and reduce system administration costs.
- While Role Based Access Control is considered a best practice at the system or application level, it becomes increasingly difficult to implement when scaling for large enterprises.
- RBAC is not a product that can be implemented per se. Implementing RBAC involves careful planning for each system and should involve users, management and policies for success.
- Care should be taken when implementing RBAC in the Enterprise.
  If costs outweigh the benefits, RBAC implementation may need to be scaled back.
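The separation-of-duties and auditing slides above state rules that are easy to assert in a role model but easy to lose in day-to-day administration: an account must not hold both halves of a conflicting duty, a specific transaction must not be self-approved even when the role assignments look clean, each person has exactly one username, and IT cannot touch centralized logs without audit's permission. As an added example (not code from the deck), the Python below turns those four rules into checks that can be run against an export of role assignments. The role names, the record layouts, the rule that the Auditor role itself never alters logs, and all sample data are assumptions constructed for the example.

```python
"""Separation-of-duties and centralized-log access checks for the role model in
this deck (slides "RBAC for Separation of Duties" and "RBAC for Auditing").

Added illustration; not code from the deck. The duty pairs (user authorizer
vs. user creator, invoice approver vs. vendor creator, developer vs.
production administrator, IT administrator vs. IT auditor), the one-username
rule and "IT cannot access, modify or delete logs without audit's permission"
come from the slides. Role names, record layouts, the assumption that audit
itself never alters logs, and all sample data are constructed for the example.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Static SoD: role pairs that one account may never hold at the same time.
MUTUALLY_EXCLUSIVE: List[Tuple[str, str]] = [
    ("UserAccessAuthorizer", "UserAccountCreator"),
    ("InvoiceApprover", "VendorCreator"),
    ("Developer", "Administrator"),
    ("Administrator", "Auditor"),
]

# Constructed sample role assignments; two deliberately violate the policy.
ASSIGNMENTS: Dict[str, Set[str]] = {
    "sysadmin": {"Administrator", "UserAccountCreator"},
    "cfo": {"InvoiceApprover", "UserAccessAuthorizer"},
    "bookkeeper": {"InvoiceApprover", "VendorCreator"},  # violation
    "contractor": {"Developer", "Administrator"},        # violation
    "dev1": {"Developer"},
    "ext.auditor": {"Auditor"},
}


def sod_violations(assignments: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, role_a, role_b) for every mutually exclusive pair an account holds."""
    found = []
    for user, roles in sorted(assignments.items()):
        for role_a, role_b in MUTUALLY_EXCLUSIVE:
            if role_a in roles and role_b in roles:
                found.append((user, role_a, role_b))
    return found


# Dynamic (record-level) SoD: assignments can be compliant while a single
# transaction is still self-approved, so the check is repeated per record.
VENDORS: Dict[str, Dict[str, str]] = {
    "V100": {"name": "Flour Supplier Co (constructed)", "created_by": "bookkeeper"},
    "V200": {"name": "Box Printers Ltd (constructed)", "created_by": "sysadmin"},
}


def can_approve_invoice(approver: str, invoice: Dict[str, str],
                        vendors: Dict[str, Dict[str, str]],
                        assignments: Dict[str, Set[str]]) -> bool:
    """Approver must hold InvoiceApprover and must not have created the payee vendor."""
    if "InvoiceApprover" not in assignments.get(approver, set()):
        return False
    return vendors[invoice["vendor_id"]]["created_by"] != approver


def duplicate_usernames(accounts: Dict[str, str]) -> Dict[str, List[str]]:
    """accounts maps username -> person id; returns persons holding more than one username."""
    by_person: Dict[str, List[str]] = defaultdict(list)
    for username, person in accounts.items():
        by_person[person].append(username)
    return {p: sorted(names) for p, names in by_person.items() if len(names) > 1}


def log_access_allowed(requester: str, action: str, assignments: Dict[str, Set[str]],
                       approval: Optional[Dict[str, str]] = None) -> bool:
    """Centralized log server policy.

    Auditors read freely but never alter logs (assumption: evidence integrity).
    Administrators (IT) may read, modify or delete only with an approval record
    from a different account that holds the Auditor role. Everyone else is denied.
    """
    roles = assignments.get(requester, set())
    if action not in ("read", "modify", "delete"):
        return False
    if "Auditor" in roles:
        return action == "read"
    if "Administrator" in roles:
        if not approval:
            return False
        approver = approval.get("approved_by", "")
        return approver != requester and "Auditor" in assignments.get(approver, set())
    return False


if __name__ == "__main__":
    for user, a, b in sod_violations(ASSIGNMENTS):
        print(f"SoD violation: {user} holds both {a} and {b}")
    invoice = {"id": "INV-0001", "vendor_id": "V100"}
    print("cfo may approve INV-0001:",
          can_approve_invoice("cfo", invoice, VENDORS, ASSIGNMENTS))
    print("bookkeeper may approve INV-0001:",
          can_approve_invoice("bookkeeper", invoice, VENDORS, ASSIGNMENTS))
    print("duplicate usernames:",
          duplicate_usernames({"jdoe": "P-003", "john.doe": "P-003", "cfo": "P-002"}))
    print("IT delete without approval:", log_access_allowed("sysadmin", "delete", ASSIGNMENTS))
    print("IT delete with audit approval:",
          log_access_allowed("sysadmin", "delete", ASSIGNMENTS, {"approved_by": "ext.auditor"}))
```

Running `sod_violations` on each export of group membership catches the case the deck warns about, a small company where one person quietly accumulates both halves of a duty; `can_approve_invoice` shows why a static role check alone is not enough, since the bookkeeper's assignment would be clean if the VendorCreator role were removed but a vendor the bookkeeper already created would still be self-approvable.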