Administration for Remote Trusted Systems
Security Management and Administration, particularly as it applies to distributed heterogeneous systems, is a critical problem. As more security services are introduced and applied to a multitude of heterogeneous components, properly configuring and maintaining the services consistently becomes increasingly difficult. An error by an administrator in maintaining a consistent configuration of security services can easily lead to a security vulnerability. We are developing a new, integrated security management component that allows many disparate security components of large networked environments to be remotely managed collectively in a coherent and comprehensible manner.
Overview:
A variety of network and systems security components are required for use with the systems targeted by the AITS Reference Architecture. Use of more than a small number of distinct security components has been hindered by separate management and administrative functions for each security component, and by disparate interfaces to those functions. The tasks proposed herein will develop an integrated security management capability that unifies the administration of the configurations of various different security components. Without such a capability, the value of the security mechanisms in the architecture is diminished by the increasing complexity of security management as an increasing number and variety of security components are used. The difficulty of managing a large number of disparate security configurations increases the likelihood that a misconfiguration will introduce a vulnerability. In addition to the risk of vulnerabilities, the cost of security management increases as the complexity of the tasks requires more time from more technically adept staff.
The Security Management & Administration (SM&A) component we are developing will be based on a framework for the representation, storage, display, and manipulation of the operational parameters of a variety of security components. Each distinct set-up or maintenance function will be implemented in a user interface that allows SM&A staff to get a coherent view of related parameters and to modify the displayed parameter values. Modified parameters are distributed over the network to the various affected remote security components using a uniform mechanism for representation, transport, conversion to the native format of the security component, and insertion into the operational configuration of the component. Communication security services are required to ensure that such update operations are performed accurately and only by authorized personnel. To the greatest extent practical, we will use existing or emerging standards-based approaches. Our approach fits within the concepts of the Internet Simple Network Management Protocol (SNMP) and the associated Management Information Base (MIB) structure, though it is not yet clear whether the security-related attributes will be available there. In addition to basing our work on standards, we will provide inputs to standards bodies, particularly the IETF, to achieve standardization for appropriate portions of the results from this task.
One difficulty in presenting a uniform view of different security components is that the different components may use different lexicons for representing a common concept. For example, a concept common to many security services is that of a host system in a network. Some components may refer to a host system by a host name, others by a fully qualified domain name, and still others by an IP address. To maintain a uniform view, administration of hosts should be in terms of one of these representations, and the SM&A system should automatically perform the necessary conversion when communicating with individual components. A related difficulty is that a concept present in one component may not be present in another component even though it would be meaningful to that other component. For example, one component may deal only in individual host systems whereas others may collect host systems into groups. It may be desirable to use the concept of a group of host systems when configuring a component, such as a router, that deals only in individual hosts, and the SM&A system should permit this.
Another difficulty is the need to enforce security requirements that involve more than one security component, e.g., the need to keep security components consistent with each other. Adding a user to an operating system user database may also necessitate issuing a certificate for that user. Perhaps more important from a security perspective, removing a user from an OS user database may also require revoking that user's certificate. There is also the case in which a coordinated action is initiated by one component and impacts other components. For example, an intrusion detection component may detect that a particular user account has been compromised and initiate action to disable the user and revoke his or her certificates.
We envision the SM&A service being implemented as an object-oriented database. Each SM&A concept (e.g., user, host, certificate) is represented as an object. Some standard methods on the objects will be defined for getting, setting, and displaying the values of the objects. For those objects that are instantiated in multiple security components, the object implementation will have extensions that deal with how the object is represented and managed for each security component, i.e., the extensions serve as the glue between the SM&A system and the security components. For example, the concept of a user will involve both an OS and a firewall. If the user's name is changed, then this change will need to be reflected in both the OS and the firewall, so the object implementation will need to invoke both extensions to accomplish the change. Library routines will be developed to support dealing with multiple extensions and with conversion between representations. This scheme can easily be extended to add new concepts and new security components by adding new objects and new extensions. The technique is attractive because it allows for incremental development.
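The following is an added Python sketch, not the project's code, of the object-with-extensions scheme and the lexicon and consistency difficulties described above; all class and method names are hypothetical. A uniform Host object is converted into each component's lexicon (host name, IP address, FQDN), a host group is expanded for components that deal only in individual hosts, and a user rename or removal fans out to every component, with the CA extension turning removal into certificate revocation. The base Extension class, with its default short-host-name lexicon, stands in for the OS user database.

```python
# Added example with hypothetical names; not the project's own code.
from collections import namedtuple
Host = namedtuple("Host", "name domain ip")  # uniform SM&A host object


class Extension:
    """Glue to one security component: lexicon conversion and native ops."""
    def __init__(self):
        self.ops = []  # native operations this component would receive

    def native_host(self, host):  # default lexicon: short host name
        return host.name

    def grant(self, user, hosts):
        # A component knowing only individual hosts gets a group expanded.
        for h in hosts:
            self.ops.append(f"grant {user} {self.native_host(h)}")

    def rename_user(self, old, new):
        self.ops.append(f"rename {old} {new}")

    def remove_user(self, name):
        self.ops.append(f"remove {name}")


class FirewallExtension(Extension):
    def native_host(self, host):  # firewall rules name hosts by IP address
        return host.ip


class CaExtension(Extension):
    def native_host(self, host):  # certificates name hosts by FQDN
        return f"{host.name}.{host.domain}"

    def remove_user(self, name):  # removing a user must also revoke the cert
        self.ops.append(f"revoke-cert {name}")


class User:
    """SM&A user object; each method fans out to every extension."""
    def __init__(self, name, extensions):
        self.name, self.extensions = name, extensions

    def grant(self, hosts):
        for ext in self.extensions:
            ext.grant(self.name, hosts)

    def rename(self, new):
        for ext in self.extensions:
            ext.rename_user(self.name, new)
        self.name = new

    def remove(self):
        for ext in self.extensions:
            ext.remove_user(self.name)
```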
We plan to develop a collection of middleware services that provide a unified abstract view of the security management aspects of the underlying security components. The unifying abstractions will be extensible to provide for new security components and new features in existing components. The abstractions will translate requests from administrators, and ultimately from automated decision systems, into operations on the security components. We will also develop an administrative GUI to demonstrate the increased ease and simplicity of use that our services provide.
The Quad Chart provides an architecture diagram, explanatory text, and a schedule.
