Changes between Version 6 and Version 7 of PrivilegeSeparation

Timestamp:

03/12/12 13:52:47 (12 years ago)

Author:

Samuli Seppänen

Comment:

--

PrivilegeSeparation

@@ -1 @@
-= Introduction =
-
-Much of this text is adapted from Alon Bar-Lev's [http://thread.gmane.org/gmane.network.openvpn.devel/5755 emails] to the openvpn-devel list, with many useful additions from James Yonan and other people.
-
-= Use-cases =
+= OpenVPN use-cases =
 
 == Standalone workstations ==
 
-Standalone workstations and their VPN clients are controlled by the end-user.
+Standalone workstations and their VPN clients are controlled by the end-user. As such, attempts to control the VPN client by the VPN server administrator are guaranteed to fail. The ''goals'' of privilege separation in this use-case are:
+
+ * Minimize damage a VPN client can do to the workstation if it's compromised
+ * What else?
 
 == Enterprise workstations ==
 
-Enterprise workstations and their VPN clients are controlled by the enterprise system administrator(s). The goal is to lock down client workstations as much as possible, so that a compromised client does not allow malware or remote attackers to access the enterprise network.
+Enterprise workstations and their VPN clients are controlled by the enterprise system administrator(s). The system administrator's goal is to lock down client workstations as much as possible. The ''goals'' of privilege separation in this use-case are:
 
-For the VPN client this translates to the following requirements:
+ * Prevent a compromised VPN client being used by malware or remote attackers to access the enterprise network.
+ * What else?
 
- * Non-privileges users can't read, copy or modify the VPN configuration
+For the VPN client this translates to the following ''requirements'':
+
+ * Non-privileged users can't read, copy or modify the VPN configuration
  * Workstations can't have simultaneous access to an untrusted network (e.g. the public Internet) and the VPN network. If they did, malware could spread from the untrusted network to the enterprise network
 
@@ -22 +24 @@
 OpenVPN consists of several different, interacting components:
 
- * ''TUN/TAP device:'' a virtual Ethernet interface
- * ''OpenVPN:'' a tunneling daemon
- * ''OpenVPN service:'' a system service wrapper for OpenVPN
- * ''OpenVPN configuration files'' 
- * ''Network utilities:'' ifconfig, route, etc.
- * ''OpenVPN GUI'': used by the interactive user to control OpenVPN
+||'''Component'''||'''Description'''||'''Executable?'''||
+||Network utilities||ifconfig, route, etc.||Yes||
+||OpenVPN||Tunneling daemon||Yes||
+||OpenVPN service||System service wrapper||Yes||
+||OpenVPN GUI||GUI for interactive users||Yes||
+||OpenVPN configuration||Config files, keys, certificates, etc.||No||
+||TUN/TAP interface||Virtual Ethernet interface||No||
 
 Each executable component runs as an ''operating system user'' with varying levels of privileges. Here we use the following terms:
 
- * ''Interactive user''. This is the user account used to log in to the operating system. Most end-user applications run as this user, so it should be granted as few privileges as possible.
- * ''Unprivileged user''. Any unprivileged user account. For example, on many Linuxes OpenVPN runs as such, usually ''nobody::nogroup'' after initialization.
+ * ''Interactive user''. This is the user account ''the end user'' uses to log in to the operating system. Most end-user applications run as this user, so it should be granted as few privileges as possible.
+ * ''Unprivileged user''. Any unprivileged user account. ''Not'' the same as the interactive user. For example, on many Linuxes OpenVPN runs as such, usually ''nobody::nogroup'', after initialization.
  * ''Privileged user''. Any user account that can do privileged operations. In OpenVPN context these operations are things such as adding routes or bringing up the TUN/TAP interface. 
 
 Depending on the use-case, different levels of privileges are needed to satisfy all the requirements:
 
-||'''Component'''||'''Executable?'''||'''Standalone use-case'''||'''Enterprise use-case'''||
-||Network utilities||Yes||Run by a privileged user||Run by a privileged user||
-||OpenVPN||Yes||Run by the interactive user||Run by the OpenVPN user||
-||OpenVPN service||Yes||Fill me||Fill me||
-||OpenVPN GUI||Yes||Run by the interactive user||Run by the interactive user||
-||OpenVPN configuration||No||Read/write by the interactive user||Read by OpenVPN, read/write by administrator|| 
-||TUN/TAP||No||Access by the interactive user||Accessed by the OpenVPN user||
+= Practical privilege separation models (enterprise use-case) =
 
-Only minimal privileges should be allocated.
-
-= Practical solutions =
-
-== Client/service separation model ==
+== GUI/service ==
 
 This solution was suggested by James Yonan. According to him it's fairly common in enterprise VPN clients:
@@ -55 +48 @@
 ||'''Component'''||'''Runs as'''||'''Tasks/capabilities'''||
 ||OpenVPN GUI||Interactive user||Initiate connections and disconnections||
-||OpenVPN service||Privileged user||Accept requests from the GUI and control OpenVPN||
+||OpenVPN service||Privileged user||Accept connect/disconnect requests from the GUI. Control OpenVPN||
 ||OpenVPN||Privileged user||Setting up TUN/TAP interfaces, routes, making connections, etc.||
 
-Using this approach, ''OpenVPN service'' provides a simple API that the ''OpenVPN GUI'' uses to connect and disconnect. So, when the interactive user wants to connect, the following happens:
+Using this approach, ''OpenVPN service'' provides a simple API that the ''OpenVPN GUI'' uses to connect and disconnect. The privilege separation is handled by Windows Services. To clarify, this is what happens when the interactive user wants to connect:
 
  1. OpenVPN GUI makes an API call to the OpenVPN service
  1. OpenVPN service asks OpenVPN to connect
  1. OpenVPN connects
- 1. OpenVPN notifies OpenVPN service(?)
- 1. OpenVPN service notifies OpenVPN GUI(?)
+ 1. OpenVPN notifies OpenVPN service that connection has been established(?)
+ 1. OpenVPN service notifies OpenVPN GUI that connection has been established(?)
 
-This separation model should not require any changes to current OpenVPN code, provided that local user does not have administrator privileges.
+This separation model should not require any changes to current OpenVPN code, provided that local user does ''not'' have administrator privileges.
 
 == Interactive service ==
 
-This approach [http://thread.gmane.org/gmane.network.openvpn.devel/5685/focus=5728 was suggested] by Heiko.
+This approach [http://thread.gmane.org/gmane.network.openvpn.devel/5685/focus=5728 was suggested] by Heiko. At the moment the implementation is Windows-specific.
 
 ||'''Component'''||'''Runs as'''||'''Tasks/capabilities'''||
-||OpenVPN||Interactive user||Connect to the interactive service (for privileged operations)||
-||Interactive service||Privileged user(?)||Fill me||
 ||OpenVPN GUI||Interactive user||||
+||Interactive service||Privileged user||Act as a proxy between OpenVPN GUI and OpenVPN. Handles privileged operations on behalf of OpenVPN.||
+||OpenVPN||Interactive user||Tunneling. Connect to the interactive service for privileged operations.||
 
-The interactive service is a new component that allows running privileged operations such changing routes from unprivileged OpenVPN/OpenVPN process. It's essentially a proxy the unprivileged OpenVPN/OpenVPN GUI application uses to do privileged operations.
+The interactive service is a new component that allows running privileged operations such changing routes by the unprivileged OpenVPN process. It's essentially a proxy the unprivileged OpenVPN/OpenVPN GUI application uses to do privileged operations.
+
+Implementation details:
 
 == COM+ ==
@@ -83 +78 @@
 This approach [http://thread.gmane.org/gmane.network.openvpn.devel/5755/focus=5869 was suggested] by Alon Bar-Lev. See the [http://thread.gmane.org/gmane.network.openvpn.devel/5755/focus=5869 original email] for more detailed information. In a nutshell, privilege separation would be achieved using [http://en.wikipedia.org/wiki/COM%2B#COM.2B COM+] objects:
 
- * OpenVPNUI.Network
- * OpenVPNUI.Tunnel
+||'''Component'''||'''COM+ object'''||'''Runs as'''||'''Tasks/capabilities'''||
+||OpenVPN GUI||-||Interactive user||Initiate connections and disconnections. Run OpenVPN connect/disconnect scripts||
+||OpenVPN service||OpenVPNUI.Network||Privileged user||Create and remove routes||
+||OpenVPN||OpenVPN.Tunnel||An unprivileged user account||Access OpenVPNUI.Network object||
 
-The identity and access to these objects is controlled using the COM+ infrastructure. This means COM+ does all the work and no communication or security check within code are required.
+The identity and access to the COM+ objects would be controlled by the COM+ infrastructure. This means COM+ would do all the work and no communication or security check within code are required. Each component of OpenVPN could be started in a different security context, e.g. ''OpenVPN service'' would run within a context that allows ''Network configuration.
 
-||'''Component'''||'''Runs as'''||'''Tasks/capabilities'''||
-||OpenVPN||It's own unprivileged user account||Access OpenVPNUI.Network object||
-||OpenVPN GUI||Interactive user||Initiate connections and disconnections. Run OpenVPN connect/disconnect scripts||
+Implementation details:
 
-OpenVPNUI.Network COM+ object runs as a user belonging to the ''Network Configuration Operators'' group. The OpenVPNUI.Tunnel COM+ object has access to the OpenVPNUI.Network object, so that it can delegate privileged network operations to it.
-
-In this configuration, only the administrator can modify OpenVPN configuration files.
+ * Something similar to Linux "ip" utility is needed for Windows (OpenVPNUI.Tunnel object)
 
 = External links =