Hi All,
I am starting to develop a security system, which is basically a big ACL (access control list) management system. I wonder if anyone could suggest any relevant standards or recommendations ?
Or suggest another place I should ask!
To describe the system...
The ACL will be automatically maintained by some rules, and sometimes manually. The ACL is one way to control access to a large business system. There are other ways also. The list will be big, probably millions of entries.
Thanks!
JM
ok,
The moment I saw the word "millions" next to ACL, I got cold feet and ran away to a far away land.
Maintaining that level of access control in a list will in my opinion bring about a huge amount of problems.
How will you browse the list in order to find mistakes ?
How easy would it be to make a mistake if the system is both manual and automated ?
Also, it's unclear what you want the ACL for, or where it will be run (Switches ? FW's ? IPS ?)
So a bit more information would be helpful.
In general, that level of list is impossible to control as I see it.
Hi All,
Thanks Mike for your message.
As you point out, the ACL will be far too big for manual, visual inspection.
Basically, the ACL data is divided up, and owners of individual areas will browse. Each area will be a manageable size. Also, most entries will be automatically added and removed, based on business rules. Also, I plan to have an automated process which checks for anomalies. The ACL is there to control access to data in a large business system. That is, access to financial data etc. It’s based on Java, and runs in WebLogic. I think that’s about all the information I can give on a public forum!
I’m now at the point of figuring what anomalies to check for, and what error scenarios to anticipate.
Great if anyone knows relevant industry standards or recommendations. I’ll hit the NIST website anyway.
Thanks,
JM
@MikeGlassman wrote:
How will you browse the list in order to find mistakes ?
How easy would it be to make a mistake if the system is both manual and automated ?
Also, it's unclear what you want the ACL for, or where it will be run (Switches ? FW's ? IPS ?)
So a bit more information would be helpful.
In general, that level of list is impossible to control as I see it.
As Mike has stated, when I read your request, I also turned on my heels and ran to a safe place.
Maybe making your request clearer as per Mike's note might help us help you.
Are you doing this for your employer or for something you plan on selling?
ACLs are complicated and a number of folks prefer not to use them
Diana
>> Are you doing this for your employer or for something you plan on selling?
It's for my employer. The objective is to control access to an existing system.
It is to control 'record-level access'. That is, allowing users to see some records, not others.
And as mentioned above-
The ACL will be far too big for manual, visual inspection. So, the ACL data is divided up, and owners of individual areas will browse. Each area will be a manageable size. Also, most entries will be automatically added and removed, based on business rules. Also, I plan to have an automated process which checks for anomalies. The ACL is there to control access to data in a large business system. That is, access to financial data etc. It’s based on Java, and runs in WebLogic.
I’m now at the point of figuring what anomalies to check for, and what error scenarios to anticipate
Sorry my description is minimal! I'm conscious of this being a public forum.
Great if anyone can just suggest relevant standards I should look at, or specific problems to expect!
Thanks,
JM
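As an added illustration (example code written for this thread, not code from JM's system or from anyone else in it), the sketch below models the structure JM describes: a record-level ACL partitioned into areas that individual owners review, entries tagged as rule-derived or manual, and an automated sweep that looks for anomalies. The user and record data, the single "same-area" business rule, and the anomaly categories (orphaned users or records, stale rule entries, rule entries that failed to be added, manual grants that duplicate a rule or cross an area boundary, entries filed under the wrong owner) are all constructed for the example; a real system would plug in its own HR feed, record catalogue and rules. The `allowed` lookup also shows that a decision-time check can be a set membership test rather than a scan of the whole list.

```python
"""Record-level ACL with owner-partitioned review and an anomaly sweep.
Constructed example; names, rules and data are illustrative only."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    user: str
    record: str
    area: str    # partition reviewed by one area owner
    source: str  # "rule:<name>" (auto-maintained) or "manual:<approver>"


# Constructed reference data standing in for the HR feed and the record catalogue.
ACTIVE_USERS = {"alice": "finance-emea", "carol": "finance-emea", "bob": "finance-apac"}
RECORDS = {"GL-1": "finance-emea", "GL-2": "finance-emea", "GL-3": "finance-apac"}


def rule_same_area(users, records):
    """Hypothetical business rule: a user may see records in their own area."""
    return {Entry(u, r, ra, "rule:same-area")
            for u, ua in users.items() for r, ra in records.items() if ua == ra}


RULES = [rule_same_area]


def sweep(acl, users=ACTIVE_USERS, records=RECORDS, rules=RULES):
    """Return a set of (kind, user, record) findings.

    Compares the stored list against what the rules would generate today and
    against the reference data, so drift in either direction is reported."""
    expected = set()
    for rule in rules:
        expected |= rule(users, records)
    expected_pairs = {(e.user, e.record) for e in expected}
    present_rule_pairs = {(e.user, e.record) for e in acl if e.source.startswith("rule:")}
    findings = set()
    for e in acl:
        pair = (e.user, e.record)
        if e.user not in users:
            findings.add(("orphan-user", *pair))        # leaver still holds access
        if e.record not in records:
            findings.add(("orphan-record", *pair))      # record gone, entry not
        elif records[e.record] != e.area:
            findings.add(("wrong-area", *pair))         # wrong owner would review it
        if e.source.startswith("rule:") and pair not in expected_pairs:
            findings.add(("stale-rule-entry", *pair))   # rule no longer grants this
        if e.source.startswith("manual:"):
            if pair in expected_pairs:
                findings.add(("redundant-manual", *pair))   # survives if the rule grant is revoked
            elif e.user in users and e.record in records and users[e.user] != records[e.record]:
                findings.add(("cross-area-manual", *pair))  # exception needing justification
    for pair in expected_pairs - present_rule_pairs:
        findings.add(("missing-rule-entry", *pair))     # automation failed to add it
    return findings


def by_area(acl):
    """Partition the list so each area owner reviews only their own slice."""
    out = defaultdict(list)
    for e in acl:
        out[e.area].append(e)
    return {k: sorted(v, key=lambda e: (e.user, e.record)) for k, v in out.items()}


def build_index(acl, users=ACTIVE_USERS):
    """Decision-time structure: membership test instead of a list scan.
    Entries for users who are no longer active are dropped at build time."""
    return {(e.user, e.record) for e in acl if e.user in users}


def allowed(index, user, record):
    return (user, record) in index


# Constructed sample list containing one instance of each anomaly.
SAMPLE_ACL = [
    Entry("alice", "GL-1", "finance-emea", "rule:same-area"),
    Entry("alice", "GL-2", "finance-emea", "rule:same-area"),
    Entry("carol", "GL-1", "finance-emea", "rule:same-area"),
    # carol/GL-2 deliberately absent: the rule job failed to add it
    Entry("bob",   "GL-3", "finance-apac", "rule:same-area"),
    Entry("alice", "GL-3", "finance-apac", "rule:same-area"),  # stale: alice is EMEA
    Entry("dave",  "GL-1", "finance-emea", "manual:cfo"),      # dave has left
    Entry("alice", "GL-9", "finance-emea", "manual:cfo"),      # GL-9 no longer exists
    Entry("bob",   "GL-1", "finance-emea", "manual:cfo"),      # cross-area exception
    Entry("carol", "GL-1", "finance-emea", "manual:cfo"),      # duplicates a rule grant
    Entry("carol", "GL-3", "finance-emea", "manual:cfo"),      # filed under wrong area
]

if __name__ == "__main__":
    for kind, user, record in sorted(sweep(SAMPLE_ACL)):
        print(f"{kind:20} {user:6} {record}")
    for area, entries in by_area(SAMPLE_ACL).items():
        print(area, len(entries), "entries for owner review")
```

The sweep is deliberately two-sided: it reports both entries that should not exist and rule grants that should exist but do not, since a silent failure of the automation is as much an access problem as a stray manual grant.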
ACLs, how quaint! Is this 1990? Look into SELinux or other alternatives like AppArmor or grsecurity and implement mandatory access control. That is the best multi-layered defense for user privileges and processes.
The first thing I would do is check with your vendor regarding limits. A quick glance indicates that some routers only allow 128 entries in an ACL and only 10,000 entries across the entire router. Then, you need to consider processing requirements. Every connection will need to scan the entire ACL, which risks responsiveness issues as the list gets long and traffic volumes grow.
I also suggest that as compliance/security requirements grow, so does the thought that you should not be developing your own software. Primarily because as more people use a given software package, it lessens your odds of being patient zero. Also, the commercial tools generally offer certified compliance, whereas home-grown gets much closer auditor scrutiny and leaves the blame-game focused squarely on you when the inevitable breach hits the newspapers. For "free" router ACL management at the scale you propose, you might consider fwbuilder (poorly maintained) or capirca (no gui).
My final (for now) thought is that if one needs "millions of entries", there might just be a better approach to solve the problem at hand. If nothing else, "millions of entries" risks auditing and troubleshooting both becoming difficult/expensive.
Why don't you use an application-aware white listing approach? Or a full Role Based Access Control system, which you can manage centrally by policy?
Regards
Caute_cautim
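As an added illustration of the centrally managed, policy-based alternative suggested above (example code written for this thread, not from anyone posting in it), the sketch below replaces enumerated (user, record) entries with a handful of rules evaluated against user roles and record attributes. The roles, classifications, rule names and sample data are constructed; the deny-overrides-allow, default-deny combination is one common choice rather than the only one. Two things a stored list does not give you cheaply are shown: an area owner's review view is derived from policy on demand, and a proposed policy change can be diffed against current effective access before it goes live.

```python
"""Policy-evaluated record access in place of an enumerated ACL.
Constructed example; roles, rules and data are illustrative only."""
from dataclasses import dataclass
from typing import Callable

SENSITIVITY = {"public": 0, "internal": 1, "restricted": 2}


@dataclass(frozen=True)
class Record:
    id: str
    area: str
    classification: str


@dataclass(frozen=True)
class User:
    name: str
    area: str
    roles: frozenset


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str  # "allow" or "deny"
    matches: Callable[[User, Record], bool]


# Hypothetical policy: three rules stand in for what would otherwise be
# one stored entry per (user, record) pair.
def analyst_own_area(u, r):
    return "analyst" in u.roles and u.area == r.area and SENSITIVITY[r.classification] <= 1


def controller_any_area(u, r):
    return "controller" in u.roles and SENSITIVITY[r.classification] <= 2


def suspended(u, r):
    return "suspended" in u.roles


POLICY = [
    Rule("analyst-own-area", "allow", analyst_own_area),
    Rule("controller-any-area", "allow", controller_any_area),
    Rule("deny-suspended", "deny", suspended),
]


def decide(policy, user, record):
    """Default deny; any matching deny rule overrides allows.
    Returns (allowed, names of rules that matched) so a decision is explainable."""
    matched = [rule for rule in policy if rule.matches(user, record)]
    names = [rule.name for rule in matched]
    if any(rule.effect == "deny" for rule in matched):
        return False, names
    return any(rule.effect == "allow" for rule in matched), names


def effective_access(policy, users, records):
    """Materialise the (user, record) pairs a policy currently grants.
    This is the per-area review view; it is derived, not stored."""
    return {(u.name, r.id) for u in users for r in records if decide(policy, u, r)[0]}


def policy_diff(old_policy, new_policy, users, records):
    """Pairs that a proposed policy change would add and remove."""
    before = effective_access(old_policy, users, records)
    after = effective_access(new_policy, users, records)
    return after - before, before - after


# Constructed sample data.
USERS = [
    User("alice", "finance-emea", frozenset({"analyst"})),
    User("bob", "finance-apac", frozenset({"controller"})),
    User("carol", "finance-emea", frozenset({"analyst", "suspended"})),
]
RECORDS = [
    Record("GL-1", "finance-emea", "internal"),
    Record("GL-2", "finance-emea", "restricted"),
    Record("GL-3", "finance-apac", "internal"),
]

if __name__ == "__main__":
    for pair in sorted(effective_access(POLICY, USERS, RECORDS)):
        print("allow", *pair)
    proposed = [rule for rule in POLICY if rule.name != "deny-suspended"]
    added, removed = policy_diff(POLICY, proposed, USERS, RECORDS)
    print("dropping deny-suspended would add", sorted(added), "and remove", sorted(removed))
```

Because `decide` returns the rule names that fired, an auditor asking "why can bob see GL-2?" gets an answer in terms of policy rather than a row in a list of millions.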