topic Re: suggest an appropriate security standard, for an ACL system ? in Tech Talk

suggest an appropriate security standard, for an ACL system ?

John_M — Tue, 02 Apr 2019 18:24:41 GMT

Hi All,

I am starting to develop a security system, which is basically a big ACL (access control list) management system. I wonder if anyone could suggest any relevant standards or recommendations ?

Or suggest another place I should ask!

To describe the system...

The ACL list will be automatically maintained by some rules, and sometimes manually. The ACL is one way to control access to a large business system. There are other ways also. The list will be big, probably millions or entries.

Thanks!

Re: suggest an appropriate security standard, for an ACL system ?

MikeGlassman — Wed, 03 Apr 2019 05:22:20 GMT

ok,

The moment I saw the word "millions" next to ACL, I got cold feet and ran away to a far away land.

Maintaining that level of access control in a list will in my opinion bring about a huge amount of problems.

How will you browse the list in order to find mistakes ?

How easy would it be to make a mistake if the system is both manual and automated ?

Also, it's unclear what you want the ACL for, or where it will be run (Switches ? FW's ? IPS ?)

So a bit more information would be helpful.

In general, that level of list is impossible to control as I see it.

Re: suggest an appropriate security standard, for an ACL system ?

John_M — Wed, 03 Apr 2019 14:01:15 GMT

Hi All,

Thanks Mike for your message.

As you point out, the ACL will be far too big for manual, visual inspection.

Basically, the ACL data is divided up, and owners of individual areas will browse. Each area will be a manageable size. Also, most entries will be automatically added and removed, based on business rules. Also, I plan to have an automated process which checks for anomalies. The ACL is there to control access to data in a large business system. That is, access to financial data etc. It’s based on Java, and runs in WebLogic. I think that’s about all the information I can give on a public forum!

I’m now at the point of figuring what anomalies to check for, and what error scenarios to anticipate.

Great if anyone knows relevant industry standards or recommendations. I’ll hit the NIST website anyway.

Thanks,

Re: suggest an appropriate security standard, for an ACL system ?

dcontesti — Wed, 03 Apr 2019 14:09:50 GMT

@MikeGlassman wrote:

How will you browse the list in order to find mistakes ?

How easy would it be to make a mistake if the system is both manual and automated ?

Also, it's unclear what you want the ACL for, or where it will be run (Switches ? FW's ? IPS ?)

So a bit more information would be helpful.

In general, that level of list is impossible to control as I see it.

As Mike has stated, when I read your request, I also turned on my heals and ran to a safe place.

Maybe making your request clearer as per Mike's note might help us help you.

Are you doing this for your employer or for something you plan on selling?

ACLs are complicated and a number of folks prefer not to use them

Diana

Re: suggest an appropriate security standard, for an ACL system ?

John_M — Wed, 03 Apr 2019 15:04:50 GMT

>> Are you doing this for your employer or for something you plan on selling?

It's for employer. Objective is to control access to an existing system.

It is to control 'record-level access'. That is, allowing users to see some records, not others.

And as mentioned above-

The ACL will be far too big for manual, visual inspection. So, the ACL data is divided up, and owners of individual areas will browse. Each area will be a manageable size. Also, most entries will be automatically added and removed, based on business rules. Also, I plan to have an automated process which checks for anomalies. The ACL is there to control access to data in a large business system. That is, access to financial data etc. It’s based on Java, and runs in WebLogic.

I’m now at the point of figuring what anomalies to check for, and what error scenarios to anticipate

Sorry my description is minimal! I conscious of this being a public forum.

Great if anyone can just relevant standards I should look at, or specific problems to expect!

Thanks,

Re: suggest an appropriate security standard, for an ACL system ?

AppDefects — Thu, 04 Apr 2019 13:57:16 GMT

ACL's how quaint! Is this 1990? Look into SELinux or other alternatives like AppArmor or grsecurity and implement mandatory access control. That is the best multi-layered defense for user privileges and processes.

Re: suggest an appropriate security standard, for an ACL system ?

denbesten — Thu, 04 Apr 2019 14:15:02 GMT

The first thing I would do is check with your vendor regarding limits. A quick glance indicates that some routers only allow 128 entries in an ACL and only 10,000 entries across the entire router. Then, you need to consider processing requirements. Every connection will need to scan the entire ACL, which risks responsiveness issues as the list gets long and traffic volumes grow.

I also suggest that as compliance/security requirements grow, so does the thought that you should not be developing your own software. Primarily because as more people use a given software package, it lessens your odds of being patient zero. Also, the commercial tools generally offer certified compliance, whereas home-grown gets much closer auditor scrutiny and leaves the blame-game focused squarely on you when the inevitable breach hits the newspapers. For "free" router ACL management at the scale you propose, you might consider fwbuilder (poorly maintained) or capirca (no gui).

My final (for now) thought is that one needs "millions of entries", there might just be a better approach to solve the problem at hand. If nothing else, "millions of entries" risks auditing and troubleshooting both becoming difficult/expensive.

Re: suggest an appropriate security standard, for an ACL system ?

Caute_cautim — Sat, 06 Apr 2019 07:04:31 GMT

Why don't you use an application aware white listing approach? Or a full Role Base Access Control system, which you can manage centrally by policy?

Regards

Caute_cautim