It would be very nice if I were able to use something like roles in the policy. I know it's almost possible, but I would like to see a new decision layer and authentication mechanism.

I would like to be able to define roles something like this:

role1 = [available_services, allowed_ips, allowed_role_groups, auth_mechanism]
role_privileges = [current_role, available_roles_to_change]

Let's say that role1 gives me the permission to use the HttpProxy class, MyHttpProxyClass, the AnonFtp class etc. If I want to access the SecureHttp class/service and I came from the allowed_ips (could be a zone, or 192.168.1.10:20), I'm not refused but asked to authenticate myself. The authentication mechanism depends on the auth_mechanism variable. auth_mechanism should be agent/token/password etc.

So, after successful authentication Zorp should look at role_privileges and examine whether I'm allowed to change from role1 to role2 and what services are enabled. Why is this important? Let me give you an example:

role1 = ["HttpProxyDMZ:FtpProxyDMZ:SSHProxy","192.168.1.0/24","role2,role3","password"]
role2 = ["HttpProxyNet:HttpsProxyNet:SSHProxy","192.168.1.0/24","role1,role3","password"]

John Doe is doing his regular job and connects to the webserver in the DMZ. Later he wants to visit his favourite site, userfriendly.org. OK, he is allowed to do this because he got the rights to use the HttpProxyNet class. But, to ensure that no one can get important data from the webserver because of the buggy browser, he is no longer able to connect to the internal webserver. When he wants to get back and work on his regular job, he reconnects to the webserver and is asked for his password again. Then he is no longer able to access the public webservers. So, public webservers can't send him malicious code. But if he wants to access his postgresql server through the firewall - let's name it role3 - all other connections are cut and later he couldn't fall back to role2 or role1.

It assumes that there is a storage where I can keep the users' current roles. LDAP would be wonderful as there are a lot of tools that are able to manage LDAP trees. So, the users' attributes - or the whole Zorp config: roles, proxy classes - could be stored in LDAP. Something like this:

currentRole: role3
defaultRole: role1
userPassword: {crypt}dfgfdgfg (if password auth enabled)

Maybe it would be better to store everything in LDAP, but that's another ticket :-)

Maybe this would not be the best feature, but I think it would be useful. Just give me a notice whether it is an overshoot or not :-) I know that Service does almost the same thing as role, but it's "static". I know it would bring a new config file format and some other things, and it weakens the iptables rules and gives more overhead in performance, but I think - again - it would be good to have this as a feature (so I can use hardened iptables scripts if I want).

Maybe it - the role module - could be extended to use it as a simple naming mechanism.

Bye,
Ago
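The decision layer sketched in the request above, as an added example written for this page and not code from the ticket or from Zorp: role1 and role2 are the ticket's tuples, role3 is a constructed postgresql role with no fallback roles, and the user store is a plain dict standing in for the proposed LDAP attributes (currentRole, defaultRole); the scenario replays John Doe's day.

```python
import ipaddress

# Role tuples in the ticket's own shape:
# [available_services, allowed_ips, allowed_role_groups, auth_mechanism].
# role1/role2 come from the ticket; role3 is constructed (the ticket only names
# it as the postgresql role) and deliberately lists no roles to fall back to.
ROLES = {
    "role1": ("HttpProxyDMZ:FtpProxyDMZ:SSHProxy", "192.168.1.0/24", "role2,role3", "password"),
    "role2": ("HttpProxyNet:HttpsProxyNet:SSHProxy", "192.168.1.0/24", "role1,role3", "password"),
    "role3": ("PostgresProxy", "192.168.1.0/24", "", "password"),
}

def role(name):
    """Parse one role tuple into sets and an ip_network."""
    services, ips, targets, mech = ROLES[name]
    return {"services": set(services.split(":")), "net": ipaddress.ip_network(ips),
            "targets": {t for t in targets.split(",") if t}, "auth": mech}

def decide(current, client_ip, service):
    """ALLOW if the current role offers the service; AUTH (with target role and
    mechanism) if a reachable role offers it and the client is inside that
    role's allowed_ips; otherwise DENY."""
    cur = role(current)
    if service in cur["services"]:
        return ("ALLOW", current)
    for target in sorted(cur["targets"]):
        t = role(target)
        if service in t["services"] and ipaddress.ip_address(client_ip) in t["net"]:
            return ("AUTH", target, t["auth"])
    return ("DENY", current)

def authenticate(store, user, target, password_ok):
    """Switch the user's currentRole (the LDAP-style attribute from the ticket)
    only on a successful password check and only to a reachable role."""
    entry = store[user]
    if password_ok and target in role(entry["currentRole"])["targets"]:
        entry["currentRole"] = target
        return True
    return False

def john_doe_scenario():
    """Walk the ticket's example; return the decision list and the final role."""
    store = {"jdoe": {"currentRole": "role1", "defaultRole": "role1"}}
    ip, trace = "192.168.1.10", []
    for svc in ("HttpProxyDMZ", "HttpProxyNet", "HttpProxyDMZ", "PostgresProxy", "HttpProxyDMZ"):
        d = decide(store["jdoe"]["currentRole"], ip, svc)
        trace.append(d[0])
        if d[0] == "AUTH":  # user types the password; the old role's services are cut
            authenticate(store, "jdoe", d[1], password_ok=True)
    return trace, store["jdoe"]["currentRole"]
```

The last step shows the one-way trap the request describes: once in role3 there is no role to fall back to, so the DMZ webserver is refused outright rather than re-prompting for a password.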
user_id=674941
Using user roles assumes authentication. The problem will be approached from the other side: labels will be assigned to network objects (which can be changed by a successful authentication), and policy decisions will be based on these labels.

To do this, we need a better Zone paradigm, which can address objects at least at the ip/port level.