Secure Information Sharing Manager (SIS-M) Thesis 2007

Stephen D. Wise

Agenda

• Background
• Enterprise Management Problem
• Project Motivation
• SIS-M Objectives
• CIM/WBEM Standards
• RBAC Standards
• Architecture Observations
  – WBEM Implementations
  – Authorization Manager
• SIS-M Architecture
• InformationAccess
  – Monitor Systems
  – Manage Users
  – Manage RBAC
  – RBAC Violations
• InformationSharing
• Performance Observations
• Lessons Learned
• Future Research
• Conclusions

Background

• NISSC Grant For Secure Information Sharing (SIS)
  – Purpose
    • Utilize Role Based Access Control (RBAC) Implemented With An LDAP and Web Server Application, and RBAC Policies To Share Information Securely
  – Project Objectives
    • Create Web-based Proof of Concept to Share Information Securely using Public Key Certificates (PKC) and Attribute Certificates (AC)
    • Develop Easy-to-Use Installer
    • Develop Web-based Management Interface

The SIS-M Prototype Is A Web-based Management Capability

The Enterprise Management Problem

• The Expansion And Maturation Of Corporate Enterprises Is Increasing Corporate Overhead Costs Required To Manage Multiple Unique Systems And Applications
• System Administrators Are Responsible For…
  – User Administration, Security Policy, Performance Monitoring, Problem Detection & Resolution, etc.
• These Tasks Are Typically Accomplished With Vendor Or Organically Built Proprietary Tools

Project Motivation

• The System I Work On Contains Dozens Of Servers And Hundreds Of Clients
  – Servers
    • Solaris & Windows Based
  – Clients
    • Solaris & Windows Based
• Multiple Vendor Products Are Required
  – Security Policy Enforcement
  – Monitor & Manage The Assets
  – Manage Users

SIS-M Objectives

• The Research And Associated Prototype Are To Demonstrate Web-based Management Capability For A Windows 2003 Server Enterprise To Include…
  – System Health And Status Monitoring
  – User Account Management
  – Role Based Access Control
  – Automated Client-side Certificate Distribution

CIM/WBEM Standards

• Distributed Management Task Force (DMTF) Is An Industry Organization Responsible For The Development Of Enterprise Management Standards

RBAC Standards

• The Organization For The Advancement Of Structured Information Standards (OASIS)
  – Extensible Access Control Markup Language (XACML)
  – CORE RBAC Elements
    • Users Implemented as XACML Subjects
    • Roles Expressed Using XACML Subject Attributes
    • Objects Expressed Using XACML Resources
    • Operations Expressed Using XACML Actions
    • Permission Expressed Using XACML Role Policy Sets And Permission Policy Sets

Architecture Observations (WBEM)

• The CIM Client Is Used To Obtain Management Information By Querying CIM/WBEM Servers
• The CIM/WBEM Server Provides CIM Data, Upon Request, to CIM Clients
• The CIMOM Maintains A Repository of CIM Data On The CIM/WBEM Servers
• The Providers Implement Aspects Of The CIM Schema That Abstracts The Hardware And Software Implementation Away From The CIM Clients

The WMI Implementation Includes More Provider Fidelity For Windows 2003 Server

Architecture Observations (RBAC)

• Authorization Manager Components
  – Operation: A low-level permission that a resource manager uses to identify security procedures
  – Task: A collection of low-level operations
  – Role Definition: A collection of permissions that are needed for a particular role, where permissions can be tasks or operations
  – Role: The set of permissions that users must have to be able to do their job
  – BizRules: The set of rules / scripts that are attached to a task object that is run at the time of the access request
  – Scope: A collection of objects or resources with a distinct authorization policy
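
The Authorization Manager component hierarchy above, together with the logging of denied requests that the deck describes under RBAC Violations, can be modelled as a small access check. This is an added Python example, not code from the SIS-M prototype and not the Authorization Manager API; the task, role, user and BizRule names are hypothetical, and a plain list stands in for the custom event log.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

@dataclass
class Task:
    """A collection of low-level operations, optionally guarded by a BizRule."""
    name: str
    operations: Set[str]
    biz_rule: Optional[Callable[[dict], bool]] = None  # run at access-request time

@dataclass
class RoleDefinition:
    """Permissions needed for a role; a permission is a task or a bare operation."""
    name: str
    tasks: List[Task] = field(default_factory=list)
    operations: Set[str] = field(default_factory=set)

@dataclass
class Scope:
    """Resources sharing one authorization policy: user -> assigned role definitions."""
    name: str
    assignments: Dict[str, List[RoleDefinition]] = field(default_factory=dict)

def access_check(scope: Scope, user: str, operation: str,
                 context: dict, violation_log: List[str]) -> bool:
    """Grant if any assigned role reaches the operation; otherwise log a violation."""
    for role in scope.assignments.get(user, []):
        if operation in role.operations:
            return True
        for task in role.tasks:
            if operation not in task.operations:
                continue
            # The BizRule sees the request context and can veto the task.
            if task.biz_rule is None or task.biz_rule(context):
                return True
    violation_log.append(f"DENY user={user} op={operation} scope={scope.name}")
    return False

# Constructed policy; every name below is hypothetical, not taken from SIS-M.
def business_hours(ctx: dict) -> bool:
    return 8 <= ctx.get("hour", -1) < 18

MANAGE_USERS = Task("ManageUsers", {"CreateUser", "DeleteUser"}, business_hours)
VIEW_STATUS = Task("ViewStatus", {"ReadHealth"})
ADMIN = RoleDefinition("Administrator", tasks=[MANAGE_USERS, VIEW_STATUS])
MONITOR = RoleDefinition("Monitor", tasks=[VIEW_STATUS])
INFO_ACCESS = Scope("InformationAccess", {
    "alice@domain.example": [ADMIN],
    "bob@domain.example": [MONITOR],
})

if __name__ == "__main__":
    log: List[str] = []
    print(access_check(INFO_ACCESS, "alice@domain.example", "DeleteUser", {"hour": 10}, log))
    print(access_check(INFO_ACCESS, "bob@domain.example", "DeleteUser", {"hour": 10}, log))
    print(log)
```

A user with no assignment in the scope is denied by default, and a BizRule veto is logged the same way as a missing permission.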


SIS-M Architecture

Web-based Application

• InformationAccess
  – System Health And Status Monitoring
    • Uses WMI And CIM Query Language (CQL) To Obtain Management Information From Each Server
    • Evaluates The WMI Information To Determine Status Of Each Monitored Element
    • Provides The Capability Through CQL To Retrieve Details About Elements That Fall Out Of Limits

Web-based Application

• InformationAccess
  – User Account Management
    • Uses An ASP.Net CreateUserWizard Server Control To Create Accounts Within The SISMTHESIS Domain
    • Uses Active Directory Membership Provider And The Membership Class In The System.Web.Security Namespace To Delete Accounts And Retrieve Account Details

Web-based Application

• Certificate Services
  – Automated Client-side Certificate Distribution
    • Uses Windows Server 2003 Server Components And Certificate Services To Distribute And Remotely Install Client-side Certificates Issued By The Server Named Secure

Web-based Application

• InformationAccess
  – RBAC Management
    • Uses Authorization Store Role Provider And The Roles Class Contained Within The System.Web.Security Namespace To Manage RBAC Permissions

Web-based Application

• InformationAccess
  – RBAC Violations
    • Uses the EventLog classes in the System.Diagnostics namespace. RBAC Policy Access Violations from InformationAccess and InformationSharing are written to the custom Event Log on the server SISDC


Web-based Application

• InformationSharing


Web-based Application

• InformationSharing RBAC Violation

Performance Observations

The Server Trend For Retrieving One WMI Object observation shows response time increase for querying one WMI Object relative to the number of WMI namespaces queried

Server Trend For Retrieving One WMI Object

Single WMI Object Response Time (Seconds)

             Client Request  SSL Handshake Complete  WMI Object Request  Client Response
WMI 1X1 Avg  0               0.1127754               7.6887352           8.4533238
WMI 2X1 Avg  0               0.0428202               8.7084624           9.1088248
WMI 3X1 Avg  0               0.044565                8.4409724           9.1813026

Overall 7.9% Delay In HTTPS Response Time

Performance Observations

The Server Trend For Retrieving Five WMI Objects observation shows response time increase for querying five WMI Objects relative to the number of WMI namespaces queried

Server Trend For Retrieving Five WMI Objects

Five WMI Object Response Time (Seconds)

             Client Request  SSL Handshake Complete  WMI Object Request  Client Response
WMI 1X5 Avg  0               0.0260516               7.7156208           8.2207732
WMI 2X5 Avg  0               0.02791                 7.6518718           8.201081
WMI 3X5 Avg  0               0.0367282               8.3219428           8.953906

Overall 8.1% Delay In HTTPS Response Time

Lessons Learned

• System Health & Status
  – Defining Appropriate User Credentials For WMI Namespace Access Is Critical
  – The Information Value Contained Within The CIMOM Is Directly Related To The Provider Implementation Maturity Within WBEM
• User Account Management
  – User Account Management Within Windows 2003 Server Is Primarily Accomplished By The Active Directory Users & Computers Management Console And ADSI
  – The Win32_UserAccount Does Not Inherit From The CIM_UserAccount Defined In The CIM Schema

Lessons Learned

• RBAC Management
  – The AzMan Capability Is Not Completely Supported Through The ASP.Net Services And Some Membership Methods Throw A Not Supported Exception
  – AzMan Policy Enforcement Requires User Principal Name (UPN) Formatted User Accounts, <username>@domain.com
• Client-side Certificate Distribution
  – PKI Best Practices State That Root CAs Should Never Be Connected To The Network To Raise The Security Level Of The CA's Private Key
  – A PKI In Most Cases Should Be Architected With An Offline Root CA, One Or More Offline Intermediate CAs, and One Or More Networked Issuing Enterprise CAs


Future Research

• Update SIS-M Architecture To Include A UNIX Server

• Update The SIS-M Prototype To The .Net 3.0 Framework

• Modify Certificate Authority Architecture

• Implement Client-side Certificate Mapping

Conclusion

• The SIS-M Research And Prototype Enabled
  – System Health And Status Monitoring Using WMI
  – User Account Management Using The Active Directory Membership Provider
  – RBAC Management Using AzMan
  – Client-side Certificate Distribution Using Certificate Services
• The CIM / WBEM Standards Appear To Be More Mature Than The Vendor Products Attempting To Comply With The DMTF Standards
  – May Be Due To The Cost Of Integrating A New Standard Into An Existing Vendor Product Line


Backup

DMTF

• Distributed Management Task Force

Common Information Model

Web Based Enterprise Management

CIM


CIM Schema Example


WBEM

URI XML CIM-XML CLP Discovery CQL

CLP – Command Line Protocol

CQL – CIM Query Language

WBEM Architecture

[Figure labels: Proprietary Layer, CIM Repository, WBEM Server, Provider Abstraction, CIMOM, WBEM Client, CIM Client Application, CIM Query Language, CIM-XML]

SIS-M Network Topology

[Figure labels: SIS-M Client, SIS Client, Secure, SISDC, Manager, Virtual Network, SISMThesis Domain; addresses 192.168.184.128, 192.168.184.129, 192.168.184.130, 192.168.184.131, 192.168.184.132]

System Health & Status (Windows 2003 Server)

OperatingSystemStatus

WMI Win32 Class                                Class Property
Win32_ComputerSystem                           Status
Win32_PerfFormattedData_PerfOS_Memory          AvailableMBytes

DiskStatus

WMI Win32 Class                                Class Property
Win32_DiskDrive                                Status
Win32_PerfFormattedData_PerfDisk_PhysicalDisk  Percent Idle Time

CPUStatus

WMI Win32 Class                                Class Property
Win32_Processor                                Status
Win32_Processor                                Availability
Win32_Processor                                Load Percentage


SIS-M Health & Status Rules


Login Pages


Backup

Code Backup

System Health & Status Monitoring

WMI Namespace Connection

WMI Queries


User Account Management

Active Directory Connection

Membership Class


RBAC Management

Authorization Manager Policy Store Connection

RBAC Management (Cont.)

Get Users In Role

Create Role


RBAC Violation Archive

Write Violation

Create Archive


Backup

Performance Backup

RBAC Violation Log Access

The objective of this measurement is to observe the performance of the Windows Event Log during a custom archive data retrieval request

RBAC Archive Information Retrieval (Seconds)

Run      Client Request  SSL Handshake Complete  RBAC Log Retrieval Complete  Client Response
Run #1   0               0.142373                1.878325                     3.029757
Run #2   0               0.039929                1.655951                     2.232192
Run #3   0               0.015794                2.371433                     2.633444
Run #4   0               0.079289                1.714269                     2.687524
Run #5   0               0.015815                1.655792                     2.295007
Average  0               0.05864                 1.855154                     2.5755848

RBAC Mgt Access (Authorization Manager)

The objective of this measurement is to observe the performance of Authorization Manager Accesses

RBAC Mgt Request Time (Seconds)

Run      Client Request  SSL Handshake Complete  RBAC Mgt Request Complete  Client Response
Run #1   0               0.015862                0.197095                   0.847619
Run #2   0               0.01724                 0.174485                   0.848788
Run #3   0               0.066693                0.295151                   0.630357
Run #4   0               0.028176                0.196822                   0.525366
Run #5   0               0.023659                0.199299                   0.957544
Average  0               0.030326                0.2125704                  0.7619348

WMI 1X1 Response Time

The One Server Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespace on SISDC

WMI 1X1 Response Time (Seconds)

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.02201                 6.91379                      7.763398
Run #2   0               0.357341                11.762104                    12.294849
Run #3   0               0.061387                6.807595                     7.069001
Run #4   0               0.020213                6.014796                     7.443219
Run #5   0               0.102926                6.945391                     7.696152
Average  0               0.1127754               7.6887352                    8.4533238

WMI 2X1 Response Time

The Two Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on SISDC and Secure servers

WMI 2X1 Response Time (Seconds)

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.029248                10.685066                    10.903246
Run #2   0               0.014124                7.753585                     8.077432
Run #3   0               0.078561                8.305449                     8.716218
Run #4   0               0.043642                7.057637                     7.825997
Run #5   0               0.048526                9.740575                     10.021231
Average  0               0.0428202               8.7084624                    9.1088248

WMI 3X1 Response Time

The Three Servers Retrieving One WMI Object observation captures the time required for one WMI query requesting a single WMI object to execute against the WMI namespaces on the SISDC, Secure, and Manager servers

WMI 3X1 Response Time (Seconds)

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.079186                10.587262                    11.718099
Run #2   0               0.015713                8.886371                     9.500771
Run #3   0               0.04537                 7.200216                     7.984139
Run #4   0               0.0214                  7.053049                     7.628529
Run #5   0               0.061156                8.477964                     9.074975
Average  0               0.044565                8.4409724                    9.1813026

WMI 1X5 Response Time

The One Server Retrieving Five WMI Objects observation captures the time required for five WMI queries requesting a single WMI object to execute against the WMI namespace on SISDC

WMI 1X5 Response Time (Seconds)

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.042058                8.47447                      8.917341
Run #2   0               0.010382                6.439772                     6.835655
Run #3   0               0.030147                8.462035                     9.430691
Run #4   0               0.014877                7.484855                     7.951533
Run #5   0               0.032794                7.716972                     7.968646
Average  0               0.0260516               7.7156208                    8.2207732

WMI 2X5 Response Time

The Two Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries requesting a single WMI object to execute against the WMI namespaces on SISDC and Secure servers

WMI 2X5 Response Time (Seconds)

Run      Client Request  SSL Handshake Complete  WMI Object Request Complete  Client Response
Run #1   0               0.019284                8.119123                     8.37916
Run #2   0               0.031845                7.852518                     8.396238
Run #3   0               0.043652                7.560822                     8.286355
Run #4   0               0.025252                7.851054                     8.656812
Run #5   0               0.019517                6.875842                     7.28684
Average  0               0.02791                 7.6518718                    8.201081

WMI 3X5 Response Time

The Three Servers Retrieving Five WMI Objects observation captures the time required for five WMI queries requesting a single WMI object to execute against the WMI namespaces on SISDC, Secure, and Manager servers

WMI 3X5 Response Time (Seconds)

Run      Client Request  SSL Handshake Complete  Monitor Systems Request Complete  Client Response
Run #1   0               0.062698                11.84065                          13.021709
Run #2   0               0.014455                6.847666                          8.026303
Run #3   0               0.040922                7.84767                           8.019918
Run #4   0               0.021126                8.119083                          8.692987
Run #5   0               0.04444                 6.954645                          7.008613
Average  0               0.0367282               8.3219428                         8.953906