Changes between Version 1 and Version 2 of PrivilegeSeparation
Timestamp: 03/12/12 10:04:01 (12 years ago)
Legend: Unmodified, Added, Removed, Modified
PrivilegeSeparation
== Standalone workstations ==

Standalone workstations and their VPN clients are controlled by the end-user.

== Enterprise workstations ==

Modified. Version 1:

Enterprise workstations and their VPN clients are controlled by the enterprise system administrator(s). The goal is to lock down client workstations as much as possible, so that a compromised client does not allow access to the enterprise network; this access could otherwise be exploited by malware or a remote, active human attacker.

Version 2:

Enterprise workstations and their VPN clients are controlled by the enterprise system administrator(s). The goal is to lock down client workstations as much as possible, so that a compromised client does not allow malware or remote attackers to access the enterprise network.

Modified. Version 1:

For the VPN client this translates to a few important requirements

Version 2:

For the VPN client this translates to the following requirements:

 * Non-privileged users can't read, copy or modify the VPN configuration.
 * Workstations can't have simultaneous access to an untrusted network (e.g. the public Internet) and the VPN network. If they did, malware could spread from the untrusted network to the enterprise network.

= Privilege separation in different contexts =

…

Depending on the use-case, different levels of privileges are needed to satisfy all the requirements:

Modified. Version 1 table header:

||'''Component'''||'''Standalone'''||'''Enterprise'''||

Version 2 table (header modified, ''OpenVPN service'' row added):

||'''Component'''||'''Standalone use-case'''||'''Enterprise use-case'''||
||TUN/TAP||Accessed by the interactive user||Accessed by the OpenVPN user||
||OpenVPN||Run by the interactive user||Run by the OpenVPN user||
||OpenVPN service||Fill me||Fill me||
||OpenVPN configuration||Read/write by the interactive user||Read by OpenVPN, read/write by administrator||
||Network utilities||Run by a privileged user||Run by a privileged user||
||OpenVPN GUI||Run by the interactive user||Run by the interactive user||

Added in version 2:

Only minimal privileges should be allocated.

= Practical solutions =

== Client/service separation model ==

This solution was suggested by James Yonan. According to him it's fairly common in enterprise VPN clients:

||'''Component'''||'''Runs as'''||
||OpenVPN GUI||Interactive user||
||OpenVPN service||Privileged user||
||OpenVPN||Privileged user||

Using this approach, ''OpenVPN service'' provides a simple API that the ''OpenVPN GUI'' uses to connect and disconnect. So, when the interactive user wants to connect, the following happens:

 1. OpenVPN GUI makes an API call to the OpenVPN service
 1. OpenVPN service asks OpenVPN to connect
 1. OpenVPN connects
 1. OpenVPN notifies OpenVPN service(?)
 1. OpenVPN service notifies OpenVPN GUI(?)

This separation model should not require any changes to current OpenVPN code, provided that the local user does not have administrator privileges.

== COM+ ==

This approach was suggested by Alon Bar-Lev.

= External links =
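Added here as a worked example, not code from the wiki page or the OpenVPN project: a PowerShell audit for the first enterprise requirement (non-privileged users must not be able to read, copy or modify the VPN configuration), assuming a Windows deployment (the OpenVPN service, OpenVPN GUI and COM+ components named on the page are Windows components). The configuration directory path and the list of "broad" principals are assumptions to adjust for a given deployment.

```powershell
# Added example (not from the wiki page or the OpenVPN project): audit the NTFS
# ACL of an OpenVPN configuration directory against the requirement that
# non-privileged users cannot read, copy or modify the VPN configuration.
param(
    # Assumption: placeholder, adjust to the config directory your deployment uses.
    [string]$ConfigDir = 'C:\PLACEHOLDER\OpenVPN\config'
)

# Principals that stand for "any interactive, non-privileged user".
# Assumption: these are the identities an administrator wants kept off the ACL.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that would let such a user read (copy) or modify a config file.
$ReadRights  = [int][System.Security.AccessControl.FileSystemRights]::ReadData
$WriteRights = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                     [System.Security.AccessControl.FileSystemRights]::AppendData -bor
                     [System.Security.AccessControl.FileSystemRights]::Delete)

function Get-BroadAccessFindings {
    param([string]$Path)
    $findings = @()
    # Check the directory and every file below it: an explicit per-file grant would otherwise go unnoticed.
    $items = @(Get-Item -Path $Path) + @(Get-ChildItem -Path $Path -Recurse -File)
    foreach ($item in $items) {
        foreach ($rule in (Get-Acl -Path $item.FullName).Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            $who = $rule.IdentityReference.Value
            if ($BroadPrincipals -notcontains $who) { continue }
            $canRead  = (([int]$rule.FileSystemRights) -band $ReadRights) -ne 0
            $canWrite = (([int]$rule.FileSystemRights) -band $WriteRights) -ne 0
            if ($canRead -or $canWrite) {
                $findings += [pscustomobject]@{
                    Path = $item.FullName; Principal = $who
                    Read = $canRead; Write = $canWrite; Inherited = $rule.IsInherited
                }
            }
        }
    }
    return $findings
}

$bad = @(Get-BroadAccessFindings -Path $ConfigDir)
if ($bad.Count -eq 0) { "OK: no broad principal can read or modify $ConfigDir" }
else { "FAIL: non-privileged principals hold rights under $ConfigDir"; $bad | Format-Table -AutoSize }
```

A clean result means only the administrator and the account the OpenVPN service runs as hold rights on the directory, which is the "Read by OpenVPN, read/write by administrator" row of the enterprise table.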