DISTRIBUTING ACCESS CONTROL

TEST CENTER-NEW PRODUCTS TESTED IN REAL-WORLD ENVIRONMENTS

BY JOEL SNYDER
Information Security, October 2001

Original Article on Information Security Web Site

Computer Associates' eTAC boasts multi-platform access control policy management.

When your Windows 2000 systems aren't all in the same domain and don't share trust relationships, products like Computer Associates' eTrust Access Control (eTAC) can help unify security policy. Released earlier this year, eTAC v5.1 adds support for new Unix platforms (Linux, Compaq Tru64 UNIX and Dynix), extends password synchronization to IBM mainframes, and adds a host of smaller usability and auditing enhancements.

eTAC v5.1 provides a central policy management console to control resource access and synchronize passwords across multiple systems. With a simple interface, system users can be divided into various groups. eTAC then gives the security manager both graphical and command-line interfaces to control which group has access to which resources. For example, eTAC allows security managers to lock down, control and audit access to Windows registry values across hundreds of servers from a single central console.

eTAC manages a variety of system resources, including NT and Unix file systems and running applications. The granularity is quite fine: in addition to 10 distinct access privileges, it lets you define rules that tie access to the program making the request. For example, you can specify that only Microsoft Word may access files with a .doc extension. eTAC enforces this and also monitors the Word executable for modification; if the binary changes, it loses its trusted status and is no longer allowed to access .doc files.

Centralized File Access Control

When I installed eTAC on a small network of Windows 2000 and Solaris systems, I had three questions. First, is it easy to use? Second, does it work? And third, what's its impact on the system?

eTAC is largely the same on all platforms, but each OS has some features of its own. For example, the Unix versions had additional controls for TCP/IP access to and from the local system that weren't present in the Windows NT/2000 version, while the Windows version could manage NT-specific resources such as registry keys and domains.

Although CA says eTAC supports other Unix platforms (including Linux and Digital/Compaq Tru64 UNIX), the package I received only included kits for AIX, HP-UX and Solaris on SPARC. The Windows version only works on NT/2000.

Ease of Use

Ease of use is an important criterion and I'm happy to report that it wasn't difficult to manage the local Windows 2000 system. Anyone familiar with the idea of access control lists (ACLs) and user groups will find it simple to build a file access control policy in eTAC.

The GUI, available on both Windows NT/2000 and Unix, isn't the only management tool. Everything you can do from the GUI, you can do with the command-line interface (CLI) as well. While the GUI handles most of the tasks, there are some very rough edges. For example, when I tried to build a network-wide policy database, I discovered that the GUI simply couldn't link all of the workstations together--but the CLI could. When I tried to add everyone into the policy database, the GUI just wouldn't accept the members, but doing it with the CLI was easy. This isn't a problem as long as you're willing to use a CLI some of the time. To complete the task, I had to use another tool I'd rather avoid: REGEDIT. On Windows, certain parameters (such as directory names) are stored in the Registry, and nowhere else. That's strange, because eTAC keeps almost everything else in a text initialization file.

Most of the day-to-day operations performed in the GUI, though, were very smooth, albeit a little slow. I set up the network with the policy database on the Solaris system and the GUI on Windows 2000. In eTAC, this means building a policy database, adding all of the systems in the network as "subscribers" and then manipulating the policy database from a central point.

One of the nice features of eTAC is its ability to reach the policy database from different systems. For example, while I mostly worked with the Windows 2000 GUI, I also used the CLI against the policy database on the Solaris system when I wanted to add 1,000 users with a script. That exercise highlighted one of eTAC's weak spots: it's hard to change your network configuration after you've started. If you do implement eTAC, you'll want to deploy it everywhere at once so that all systems stay in sync, because there's no easy way to merge an existing system's security configuration into the policy database. This is a drawback if your environment is dynamic and you plan to add and remove systems, particularly ones that aren't freshly installed.

Operations are generally intuitive. For example, I wanted to protect the Web server's configuration file so the only thing the Web-user ID could do is read the configuration, not modify it. That was easy to do. In fact, I even restricted files so that only the Web server application, running as the Web user, could read the configuration file.

Other, more complex access controls were less predictable than I'd hoped. eTAC is powerful enough that there are multiple ways of saying the same thing; you just have to learn which ones do what you want and which don't. Fortunately, every time I had configuration confusion, eTAC erred on the side of safety: access was denied even when I thought it should have been permitted. One nice feature of the CLI is that you can ask what access a given user would have to a file without actually attempting the operation, so a policy can be checked before it bites. It would be a nice feature for CA to add to the GUI.
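The two behaviours just described, program-restricted rules whose trusted program must remain unmodified (the Word/.doc example above) and a dry-run query that reports what would be permitted without touching the file, can be modelled in a few dozen lines. The following is an added example written for this page, not CA's code and not eTAC's policy syntax; the rule model (a per-resource control with ACL entries, a warning flag and an audit setting), the user and group names, the paths and the "program images" are all constructed for illustration.

```python
"""Toy evaluator for host access-control rules of the eTAC kind (added example;
not CA's code). Resource controls carry ACL entries, an optional trusted-program
requirement with an integrity hash, a warning (log-only) flag and an audit setting."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class Ace:
    accessors: Set[str]                    # users or groups this entry applies to
    access: Set[str]                       # e.g. {"read", "write", "execute", "delete"}
    program: Optional[str] = None          # if set, only this program may perform the access
    program_digest: Optional[str] = None   # SHA-256 of the program when it was trusted


@dataclass
class Control:
    resource: str                          # glob over the path, e.g. "/etc/httpd/*.conf"
    acl: List[Ace]
    warning: bool = False                  # log the decision but never block
    audit: str = "failure"                 # "none", "success", "failure" or "all"


class PolicyDB:
    def __init__(self, groups: Dict[str, Set[str]], controls: List[Control],
                 binaries: Dict[str, bytes]):
        self.groups = groups               # user -> set of groups
        self.controls = controls           # order specific-to-general; first match wins
        self.binaries = binaries           # constructed stand-in for program files on disk
        self.log: List[dict] = []

    def digest(self, program: str) -> str:
        return hashlib.sha256(self.binaries.get(program, b"")).hexdigest()

    def control_for(self, path: str) -> Optional[Control]:
        return next((c for c in self.controls if fnmatch.fnmatch(path, c.resource)), None)

    def check(self, user: str, path: str, access: str, program: Optional[str] = None):
        """Dry-run query: what would happen, without performing or logging anything.
        Returns (effective, intended, reason); the two differ only in warning mode."""
        principals = {user} | self.groups.get(user, set())
        control = self.control_for(path)
        if control is None:
            return "permit", "permit", "not under control; OS permissions apply"
        intended, reason = "deny", "no ACL entry grants this access"   # default deny
        for ace in control.acl:
            if not (principals & ace.accessors) or access not in ace.access:
                continue
            if ace.program is not None:
                if program != ace.program:
                    continue               # right user, wrong program: keep looking
                if self.digest(program) != ace.program_digest:
                    intended, reason = "deny", f"{program} modified since it was trusted"
                    break                  # tampered trusted program is never permitted
            intended, reason = "permit", f"granted by entry for {sorted(ace.accessors)}"
            break
        effective = "permit" if (control.warning and intended == "deny") else intended
        return effective, intended, reason

    def access(self, user: str, path: str, access: str, program: Optional[str] = None) -> str:
        """Enforce: evaluate, write an audit record if the control asks for one,
        and return the decision the file-system hook would apply."""
        effective, intended, reason = self.check(user, path, access, program)
        control = self.control_for(path)
        if control is not None and control.audit != "none":
            failed = intended == "deny"
            if control.audit == "all" or (control.audit == "failure") == failed:
                self.log.append({"user": user, "path": path, "access": access,
                                 "program": program, "result": effective,
                                 "intended": intended, "reason": reason,
                                 "mode": "warning" if control.warning else "enforce"})
        return effective


# Constructed sample environment: a Web server whose config only the daemon may read,
# and only through the httpd binary; admins may edit it; the document root is in
# warning mode so we can see who writes there before enforcing.
BINARIES = {"/usr/sbin/httpd": b"constructed httpd image", "/usr/bin/vi": b"constructed vi image"}
HTTPD_DIGEST = hashlib.sha256(BINARIES["/usr/sbin/httpd"]).hexdigest()


def build_db() -> PolicyDB:
    groups = {"www": {"webgroup"}, "alice": {"admins"}, "bob": set()}
    controls = [
        Control("/etc/httpd/httpd.conf", audit="all", acl=[
            Ace({"webgroup"}, {"read"}, "/usr/sbin/httpd", HTTPD_DIGEST),
            Ace({"admins"}, {"read", "write"})]),
        Control("/var/www/html/*", warning=True, audit="failure", acl=[
            Ace({"webgroup", "admins"}, {"read", "write"})]),
    ]
    return PolicyDB(groups, controls, dict(BINARIES))
```

Call `check()` to answer "would this user, through this program, be allowed to do this?" without side effects; call `access()` where the hook would sit. Replacing the httpd image in `binaries` turns a previously permitted read into a denial, which is the integrity behaviour the review describes for Word.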

Distributed Control

When I moved from management of the local system to managing a heterogeneous network of Solaris and Windows systems, the product didn't really live up to my expectations. For example, although file paths can be easily translated between OSes (/foo.txt in Unix is \foo.txt in Windows), eTAC doesn't do that automatically. Even though eTAC has a single interface, I often had to do the same thing twice to make it stick on both Solaris and Windows, defeating the purpose of centralized control. However, because the semantics of files on Unix and Windows are so different (for example, there's no Microsoft Word for Linux), most security managers won't notice this.

While it's nice to be able to manage security on NT and Unix at the same time and with the same GUI, many of the capabilities of eTAC won't extend cleanly in both directions. However, some functions--such as user-password synchronization and user account and group management on multiple platforms--worked fairly well across systems once I manually defined groups and basic users on all systems.

Some features of the product also didn't match up to the information listed in CA's marketing material. For instance, I was very interested in STOP, which the company advertises as a stack overflow protection tool. Since Code Red was on the loose, I thought this would be a great test. The eTAC I tested, which didn't include STOP, failed it miserably: Code Red hit the machine without notice.

Auditing and Reporting

One of the critical issues in any security product is logging and reporting. eTAC has extensive auditing capabilities that are largely separate from system admin capabilities. Although it's always possible for a sysadmin to erase logs of his or her own misdeeds, eTAC tries to make that fairly difficult. For example, if the audit logs are properly protected, the admin would have to boot into single-user mode (Unix) or VGA recovery mode (NT) to completely bypass the eTAC protections.

At any access control point (a file, directory, registry entry, etc.), you can specify whether logs are made of successful accesses, failed accesses or both. Auditors do have delegated management control, which lets them enable and disable auditing on any object without having full administrative privileges. This is an excellent feature, bringing computer security more in line with the way the rest of the business world works.

Unfortunately, eTAC doesn't include any report-analysis tools, so you would have to write or build your own reporting tools to make sense of what comes out of the system. You do get a filtering tool that can be used to pre-filter logs, but the reporting capabilities are generally weak. At the same time, alerting capabilities are non-existent: If suspicious activities are happening, you have to build your own tools to filter logs in real time if you want to know about it immediately. With all the focus on intrusion detection these days, CA has really missed the boat on this one.

One of the elegant features of eTAC is its "warning" mode, available on every control element. This enables logging of the decision without actually enforcing it. For example, I wanted to see what applications were being used to read and write a particular file on the Web server. To find out, I put a control on the file in warning mode and turned on logging. That told me the date and time of each access, the user name, the type of access, which application was used, and why eTAC would have permitted or denied the operation. Anyone who wants to use a product like this in production will find this type of feature absolutely critical. Firewall admins use the same approach when installing a new firewall into a network that previously hasn't had one. Without the warning mode, every access control entry would have to be right the first time to avoid interrupting vital services. This is a good example of "real world" awareness in CA's product line.
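Two things the review says you have to build yourself are a way to make sense of the warning-mode records (which programs touch a file, and which of them would be denied once the control is enforced) and a real-time filter that raises an alert on suspicious activity. The following is an added example of both, written for this page and not part of CA's product; the log line format, field names, hosts, users and timestamps are constructed for illustration and are not eTAC's actual audit format.

```python
"""Added example: filter and alert on warning-mode audit records (constructed
format, not eTAC's). Answers "who touches this file, and would they be denied
once enforced?" and raises an alert on bursts of denials by one user."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log in a key=value form a practitioner might emit.
SAMPLE_LOG = """\
2001-09-14 10:02:11 host=web1 user=www prog=/usr/sbin/httpd access=READ res=/etc/httpd/httpd.conf result=PERMIT mode=WARNING intended=PERMIT reason="granted by entry for webgroup"
2001-09-14 10:02:15 host=web1 user=alice prog=/usr/bin/vi access=WRITE res=/etc/httpd/httpd.conf result=PERMIT mode=WARNING intended=PERMIT reason="granted by entry for admins"
2001-09-14 10:03:40 host=web1 user=www prog=/bin/sh access=WRITE res=/etc/httpd/httpd.conf result=PERMIT mode=WARNING intended=DENY reason="no ACL entry grants this access"
2001-09-14 10:05:01 host=web1 user=bob prog=/usr/bin/vi access=READ res=/etc/shadow result=DENY mode=ENFORCE intended=DENY reason="no ACL entry grants this access"
2001-09-14 10:05:02 host=web1 user=bob prog=/usr/bin/vi access=WRITE res=/etc/passwd result=DENY mode=ENFORCE intended=DENY reason="no ACL entry grants this access"
2001-09-14 10:05:04 host=web1 user=bob prog=/bin/cat access=READ res=/etc/shadow result=DENY mode=ENFORCE intended=DENY reason="no ACL entry grants this access"
2001-09-14 11:30:00 host=web1 user=bob prog=/bin/cat access=READ res=/etc/shadow result=DENY mode=ENFORCE intended=DENY reason="no ACL entry grants this access"
"""

RECORD = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be a quoted string


def parse(text: str) -> list:
    """Turn log lines into dicts; malformed lines are skipped rather than trusted."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
        rec["time"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records


def programs_touching(records: list, resource: str) -> Counter:
    """Warning-mode question: which (user, program, access) pairs hit this file,
    and would the control have denied them once switched to enforce mode?"""
    summary = Counter()
    for r in records:
        if r.get("res") == resource:
            summary[(r["user"], r["prog"], r["access"], r["intended"])] += 1
    return summary


def denial_alerts(records: list, threshold: int = 3,
                  window: timedelta = timedelta(minutes=5)) -> list:
    """Sliding-window alert: a user accumulating `threshold` denials inside `window`.
    Counts intended denials so warning-mode controls feed the alert too."""
    alerts = []
    recent = defaultdict(deque)
    for r in sorted(records, key=lambda r: r["time"]):
        if r.get("intended") != "DENY":
            continue
        q = recent[r["user"]]
        q.append(r["time"])
        while q and r["time"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((r["user"], r["time"], len(q)))
            q.clear()                      # one burst raises one alert
    return alerts


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for key, n in programs_touching(recs, "/etc/httpd/httpd.conf").items():
        print(f"{n:3d}  user={key[0]} prog={key[1]} access={key[2]} would-be={key[3]}")
    for user, when, n in denial_alerts(recs):
        print(f"ALERT {when} {user}: {n} denials within 5 minutes")
```

Run against the constructed log, the file summary shows the shell writing httpd.conf as the one access that would flip to DENY once the control leaves warning mode, and the alert fires on bob's three denials at 10:05 but not on the isolated one at 11:30. Feed `tail -f` output of the real audit log through `parse()` to get the real-time filter the review says eTAC leaves to you.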

Performance

System impact on my test systems was measurable. I used system and Web stress tools from the Windows 2000 Resource Kit to generate before-and-after statistics. Since eTAC hooks into the file system, I wanted to see whether there was measurable degradation in file-based operations. I created a fairly simple security policy with only a few rules, specifically limiting access on a set of about 40,000 files. Degradation varied with the benchmark: the smallest loss was about 1.5 percent in file open/close throughput and the largest about 15 percent in actual data-transfer throughput.

In addition to a slight slowdown in system performance, I also noticed system CPU loads increased dramatically. For example, when I offered a benchmark load of 200 file operations per second, the CPU was 38 percent busy before installing eTAC. After installing eTAC, the same test load pegged the CPU at 100 percent. I saw no significant changes in memory usage.

Bottom Line

Windows NT/2000 and various Unix flavors have some built-in cross-system security functions similar to eTAC's. However, these generally don't work across management domains and don't offer the same breadth of heterogeneous control that eTAC provides.

eTAC is a fairly specialized application. Although the idea of a centralized policy management tool for users, applications, files, passwords, registry keys and TCP/IP filtering rules sounds nice, eTAC's need for specific conditions restricts it to certain environments. If you've got a bunch of nearly identical servers running a Web farm, or handling disk and printer services, or spread across multiple time zones, eTAC could be a valuable tool in managing security policies.

Even without those restrictions, individual features of the product may be worth the price of admission. For example, if you want a single console to create and delete users on dozens of systems and to keep passwords synchronized, eTAC does very well. It would be nice, however, if you could just enable user management and omit the overhead of file access controls.

In reviewing eTAC, I found it to be a reasonably specialized tool that can help the security manager who has slowly changing requirements and lots of servers in his or her charge. Features such as reporting and alerting are weak, but in other areas, such as multi-platform user management and highly specific access control environments, eTAC excels.

It's not for everyone, but if you've got the requirements for a tool like this, eTrust Access Control certainly fits the bill.


Caption: eTrust Admin Access Control Wizard provides step-by-step guidance for creating user and login accounts, setting up security rules and managing data import.


SNAPSHOT

eTrust Access Control v5.1 for Windows and Unix
Computer Associates
www3.ca.com/solutions/product.asp?ID=154
Pricing: Starts at $3,000 per server

PROS

Granular, multi-platform management of files and users.
Single GUI to centrally control Windows and Unix servers.
Minimal overhead.
Includes kernel-level hooks, self-monitoring and application integrity checks to ensure robust control.

CONS

GUI less capable than command-line interface.
Doesn't merge existing security configuration into the policy database.
Alerting and reporting functions are weak.
Some controls are counterintuitive.
Documentation is weak.

VERDICT

eTrust Access Control is a generic tool that fits into very specialized environments. If you have many Windows or Unix servers, a fairly static security infrastructure and no built-in tools to manage file ACLs, users and passwords, this product may be worth a look.