ArcGIS for Server

Security for services: ArcGIS Server and ArcGIS Online
Matthias Schenker, Esri Schweiz AG
Basics & Strategy
© 2014 Esri Schweiz AG
Where are the vulnerabilities?
SANS Relative Vulnerabilities
Vulnerabilities in Applications
Mechanisms
Authentication
+ GIS Tier (Default)
> Built-in user store
> Enterprise (AD / LDAP / SAML)
> OAuth
> ArcGIS Tokens
+ Web Tier (add web adaptor)
> Enterprise (AD / LDAP)
> Any authentication supported by the web server
> HTTP Basic / Digest
> PKI
> Windows Integrated
Authorization – Role based access control
+ Esri COTS
> Assign access with ArcGIS Manager
> Service level authorization across web interfaces
> Services grouped in folders utilizing inheritance
+ 3rd Party
> Web services – Conterra’s Security Manager (more granular)
> RDBMS – row level or feature class level
> Versioning with row level degrades RDBMS performance
> Alternative – SDE views
+ Custom – limit GUI
> Rich clients via ArcObjects
> Web applications
> Sample code links in ERC
> Microsoft’s AzMan (Authorization Manager) tool
Filters – 3rd Party Options
+ Firewalls
+ Reverse Proxy
+ Web Application Firewall
> Open Source option ModSecurity
+ Anti-Virus Software
+ Intrusion Detection / Prevention Systems
+ Limit applications able to access geodatabase
Filters – WAF
+ High availability ArcGIS infrastructure
+ Traffic is filtered before it reaches the web servers
+ Internal users
> Access GIS servers via port 6080 directly
+ If more encryption is needed
> Configure SSL across backend systems
+ If no web tier is wanted
> Load balancer can hit GIS servers directly
Encryption – 3rd Party Options
+ Network
> IPSec (VPN, Internal Systems)
> SSL (Internal and External System)
> Cloud Encryption Gateways
> Only encrypted datasets sent to cloud
+ File Based
> Operating System – BitLocker
> Geospatially enabled PDFs combined with certificates
> Hardware (Disk)
+ RDBMS
> Transparent Data Encryption (TDE)
> Low Cost Portable Solution - SQL Express 2012 w/TDE
Logging / Auditing
+ Esri COTS
> Geodatabase history
> May be utilized for tracking changes
> ArcGIS Workflow Manager
> Track Feature based activities
> ArcGIS Server 10+ Logging
> “User” tag tracks user requests
+ 3rd Party
> Web Server, RDBMS, OS, Firewall
> Consolidate with a SIEM
+ Geospatial service monitors
> Vestra’s GeoSystems Monitor
> Geocortex Optimizer
Logging / Auditing
+ Vestra GeoSystems Monitor
> ArcGIS Platform access and availability awareness
> New - User consumption metrics
> SDE Table/Feature class (Who & Frequency)
> ArcGIS Server Services & Apps (Who & Action)
ArcGIS Server
ArcGIS for Server Security
• Protecting your ArcGIS Server site and its web services
• Control who has access
- Integrate with your organization’s IT infrastructure
• Define what valid users can do
- Permissions
ArcGIS for Server Access: Authorization
• User – Valid login to access the Server site
• Role – Grouping of users
1. Administrators – Full admin control
2. Publishers – Publish web services
3. Users – View web services
• Identity Store – Repository for user and role information
ArcGIS for Server: User considerations
• Where are your users coming from?
- Determines which type of identity store you should use
• Internal: Windows Active Directory or LDAP
• External: Built-in or custom
(diagram: the organization’s IT network, with the identity store serving internal and external users of the Server)
ArcGIS for Server: Role considerations
• How much control do I have on my ArcGIS Server site?
- Managed by me, within my department? or
- Managed by my organization’s IT department
• May affect where you define your roles
ArcGIS for Server: Identity store
• Identity store – Defines your users and roles
• 3 different options
1. Built-in (default)
2. Register with an enterprise identity store
- Windows Active Directory
- LDAP
3. Mixed mode
- Users from enterprise identity store
- Roles from built-in store
Securing GIS Web Services
• Set permissions for roles on
- A folder
- Individual services
• Administrators / Publishers grant permissions
• All new services are public by default
- Anonymous access
• Can specify whether folders require HTTPS
Authentication Tier / Method
• Authentication
- Check and verify user identity
• Authentication options
1. GIS Tier
- Uses ArcGIS Tokens to authenticate
2. Web Tier
- Uses Integrated Windows authentication, client certificates, Basic, Digest, etc.
GIS Tier vs. Web Tier Authentication

                               GIS Tier / Token      Web Tier / HTTP Auth
Default                        Yes                   No
Public / anonymous possible    Yes                   No
Clients supporting             Esri                  All, including OGC
Requirements                   Enable SSL            Web Adaptor(s) required
                                                     Basic – requires SSL
                                                     Digest – special setup
                                                     IWA – Windows only
Protecting Against Attacks
Preventing Snooping
• HTTPS
- Between Server and web adaptor/proxy
- Between web adaptor/proxy and client
- Easy to configure
• Lock down your directories
- Config-store
- Output directories
- No permissions to anyone except the ArcGIS Server account
Enabling HTTPS – Click by click (screenshots: numbered steps 1 to 5)
Preventing Cross-Site Scripting Attacks
• Bad guy gets you to click on a link for a reputable site
• Bad guy gets you to do bad things with your credentials
• Four recommendations
- Use latest software
- Disable Services Directory in Server
- Disable Portal directory in Portal
- Log out when done
Preventing Cross-Site Request Forgery (CSRF)
• Bad guy gets you to go to their site
• Bad guy gets you to do bad things with your credentials
• ArcGIS Server (10.1 SP1+) automatically protects admin operations against CSRF
• Recommendations
- Upgrade to 10.1 SP1 or later
- Configure cross-domain access (http://bit.ly/1fnhj29)
- Configure shorter-lived tokens
Disabling Services Directory
(screenshot: navigation path in the Admin Directory; enabling/disabling is a single click)
Bonus: limit which web servers can access your services
Preventing SQL Injection Attacks
• Bad guy uses normal access to find holes in your database
- To modify data
- Grant greater permissions to himself
- Execute code on your machine
• If you use an enterprise database, you’re at risk
• Recommendations:
- Latest DBMS upgrade
- Follow DBMS vendor best practices
- Upgrade to ArcGIS Server 10.2 or greater
- Validate inputs in custom apps
Standardized queries
• Prior to 10.2, query syntax was unique for each database
• This led to two problems
• The software passed queries straight through to the database, scanning them for malicious attacks on the way
- Hard to prevent many creative SQL injection attacks
- Hard for developers to write query code
Standardized queries
• 10.2 introduces standardized queries
- Same syntax against all databases (FGDB syntax)
- Each query is parsed and prepared before sending to the database
- Stronger defense against SQL injection attacks
- Easier to write queries
Standardized queries
• What can you do if things break?
- Recommended: update your applications to use the new syntax
- Disable standardized queries. Not recommended for security reasons; it puts your Server at risk
Escalation of Privileges Attacks
• Bad guy is able to upgrade his privileges
- In ArcGIS Server
- In your domain
• Recommendations
- Use enterprise groups (not built-in groups)
- 10.2+, use the admin API to list admins/publishers to detect changes
Checking Privileges
Navigation path: Home > security > roles > getRolesByPrivilege
Check to see which roles have the administer privilege
(screenshot: “Uh oh!”)
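An added example (not Esri’s code) that scripts the check above: it pulls the role lists for the ADMINISTER and PUBLISH privileges from the admin API’s getRolesByPrivilege resource and diffs them against a saved baseline, so a role that quietly gains admin rights shows up as drift. The host name, token handling and the sample snapshots are constructed assumptions.

```python
"""Detect privilege drift on an ArcGIS Server site (added example, not Esri code).

Assumes the admin REST resource  security/roles/getRolesByPrivilege  named on
the slide, which answers {"roles": [...]} for a given privilege.  The host,
the token passed in and the sample snapshots below are constructed.
"""
import json
import urllib.parse
import urllib.request

ADMIN_URL = "https://gis.example.com:6443/arcgis/admin"   # placeholder host
PRIVILEGES = ("ADMINISTER", "PUBLISH")                     # privileges worth watching


def fetch_roles_by_privilege(admin_url, privilege, token):
    """POST to getRolesByPrivilege and return the set of role names holding it."""
    data = urllib.parse.urlencode(
        {"privilege": privilege, "token": token, "f": "json"}).encode()
    url = f"{admin_url}/security/roles/getRolesByPrivilege"
    with urllib.request.urlopen(url, data=data, timeout=30) as resp:
        body = json.load(resp)
    if "error" in body:                       # the API reports failures in-band
        raise RuntimeError(body["error"])
    return set(body.get("roles", []))


def snapshot(admin_url, token):
    """Current {privilege: set(roles)} view of the site."""
    return {p: fetch_roles_by_privilege(admin_url, p, token) for p in PRIVILEGES}


def privilege_drift(baseline, current):
    """Compare two snapshots; return {privilege: {added, removed}} for any change."""
    drift = {}
    for priv in sorted(set(baseline) | set(current)):
        before, now = baseline.get(priv, set()), current.get(priv, set())
        added, removed = sorted(now - before), sorted(before - now)
        if added or removed:
            drift[priv] = {"added": added, "removed": removed}
    return drift


# Constructed sample: the "gis_analysts" role has quietly gained ADMINISTER.
SAMPLE_BASELINE = {"ADMINISTER": {"administrators"},
                   "PUBLISH": {"administrators", "publishers"}}
SAMPLE_CURRENT = {"ADMINISTER": {"administrators", "gis_analysts"},
                  "PUBLISH": {"administrators", "publishers"}}

if __name__ == "__main__":
    print(json.dumps(privilege_drift(SAMPLE_BASELINE, SAMPLE_CURRENT), indent=2))
```

In production the baseline would be the JSON written out by snapshot() after the last reviewed change, and a non-empty drift result is what you alert on.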
Denial-of-Service Attacks
• Bad guy is able to shut your ArcGIS Server down by sending lots of requests
• Most attacks observed in the wild are still through low-level network protocols
• Recommendations
- Secure services
- Set wait and usage time-outs
Setting Time-outs (screenshot)
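An added example (not Esri’s code) that turns the time-out recommendation into an audit: it walks the site’s services through the admin API and flags any whose maxWaitTime or maxUsageTime property exceeds a policy limit or is unset. The host, the policy thresholds and the sample service JSON are constructed assumptions.

```python
"""Audit wait/usage time-outs on ArcGIS Server services (added example, not Esri code).

Assumes the admin REST resources  services  (site listing) and
services/<folder>/<name>.<type>  (one service's JSON, carrying the
maxWaitTime / maxUsageTime properties in seconds).  The host, the thresholds
and SAMPLE_SERVICE below are constructed for illustration.
"""
import json
import urllib.parse
import urllib.request

ADMIN_URL = "https://gis.example.com:6443/arcgis/admin"   # placeholder host
MAX_WAIT_SECONDS = 60     # constructed policy: a client queues at most one minute
MAX_USAGE_SECONDS = 600   # constructed policy: one request may hold an instance 10 min


def admin_get(path, token):
    """GET an admin JSON resource; raise on the API's in-band error object."""
    query = urllib.parse.urlencode({"token": token, "f": "json"})
    with urllib.request.urlopen(f"{ADMIN_URL}/{path}?{query}", timeout=30) as resp:
        body = json.load(resp)
    if "error" in body:
        raise RuntimeError(body["error"])
    return body


def list_service_paths(token):
    """Return 'folder/name.type' paths for every user service on the site."""
    root = admin_get("services", token)
    paths = [f"{s['serviceName']}.{s['type']}" for s in root.get("services", [])]
    for folder in root.get("folders", []):
        if folder in ("/", "System", "Utilities"):   # skip Esri's own folders
            continue
        sub = admin_get(f"services/{folder}", token)
        paths += [f"{folder}/{s['serviceName']}.{s['type']}" for s in sub.get("services", [])]
    return paths


def lax_timeouts(service_json, max_wait=MAX_WAIT_SECONDS, max_usage=MAX_USAGE_SECONDS):
    """Return (property, value) pairs of one service that exceed policy or are unset."""
    findings = []
    for prop, limit in (("maxWaitTime", max_wait), ("maxUsageTime", max_usage)):
        value = service_json.get(prop)
        if value is None or int(value) > limit:
            findings.append((prop, value))
    return findings


# Constructed sample: a map service whose usage time-out was raised to an hour.
SAMPLE_SERVICE = {"serviceName": "Parcels", "type": "MapServer",
                  "maxWaitTime": 60, "maxUsageTime": 3600}

if __name__ == "__main__":
    print(lax_timeouts(SAMPLE_SERVICE))   # [('maxUsageTime', 3600)]
```

Against a live site you would call lax_timeouts(admin_get(path, token)) for each path from list_service_paths(token) and report every non-empty result.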
Web Applications
Common use cases for secured services (diagram)
Columns: how service URLs authenticate; application; web server (e.g., IIS); user login
Labels: application level authentication (server & portal tokens) – in the code, in a proxy, Identity Mgr; browser-based authentication via the web server – IWA, PKI; user login – AGOL via OAuth, single sign on or user login, impersonated; AGS service; AGOL item; secured app with tokens stored; web app; mobile app
Esri UC2013 . Technical Workshop .
Application level authentication
• Implementation
- Web server MUST be configured for anonymous access
- Token-based
- ArcGIS Server uses server tokens
- ArcGIS Online uses portal tokens
- Requires server or portal token service
- GIS server tier authentication in ArcGIS Server
• Login using ArcGIS Identity Manager
- Handles all login and token processing
- Supported in all Web APIs
Esri UC2013 . Technical Workshop . Building Secure Applications
What is OAuth?
• Industry standard enterprise authentication system
- Login redirected to enterprise security server
- Application NEVER sees credentials
• Works with SAML
- Server-based mechanism that handles login requests
- Supported by AGOL for enterprise authentication
- More in final section…
Identity Manager
• Why should I use it?
- Handles all login and token processing
- Works with the default token security model of AGS & AGOL
- Available in all Web APIs & viewer apps
• What should I watch out for?
- Only works for token secured services
- Prompts multiple times rather than ignoring services
Cloud
Data protection and security (overview diagram): standards, secure operations, availability, data management, application security, on-premise
Standards concerning ArcGIS Online
International public cloud offering
Security? Audits? Privacy?
+ ISO 27001
> Does not concern the software itself, but the measures taken for IT security
> Meets the requirements of the BDSG (German Federal Data Protection Act)
+ SSAE 16
> Regulates in detail which requirements an audit of a service-related internal control system has to meet, what form it takes, and how and with which contents the reporting has to be done
+ TRUSTe Certified Privacy Seal
+ Safe Harbor
> Defines measures for data protection
Standards – authentication and transfer
Standards for user sign-in
+ SAML
> Integration of corporate logins
> Active Directory Federation Services, NetIQ Access, Shibboleth, SimpleSAMLphp
+ OAuth2
> Open protocol for standardized authorization of desktop, web or mobile applications
> The application itself receives no credentials, only a token
+ SSL
> Encrypted transfer of information
> Credentials should always be transferred encrypted
+ PKI
> Public Key Infrastructure
> Extra encryption for your own infrastructure
Secure Operations
Who may access what, and when?
+ Security screening of staff.
+ Access to customer database information is restricted to a selected and necessary number of staff.
+ Fewer than 10 specialized ArcGIS Online administrators have access to customer data. X.509 certificates are used for authorization (ISO 27001; A11.2.1, et al.)
Data management – ArcGIS Online
Who may do what with the (geo)data?
Ownership: the data belongs to the person who uploads it
Multi-tenancy: datasets are tagged with the subscription ID
Extraction: controlled via user permissions
Deletion: the uploader’s responsibility
Application security
Content is private by default, i.e. visible only to the uploader
Content can be shared explicitly with groups (and the users who have access to those groups)
Public access to content can be switched off by the administrator
Role concept: role membership controls permissions
On-premise
Cloud and on-premise concepts (diagram): Apps, Portal, GIS Servers, ready-to-use content; SaaS – ArcGIS Online (Portal), ArcGIS Online (Hosted Servers), ArcGIS Online Services; On-Premise – Portal for ArcGIS, ArcGIS Server, ArcGIS Data Appliance
Summary
Summary
+ Security is NOT just about a technology
> Understand your organization’s GIS risk level
> Realize the game has changed and prioritize efforts accordingly
> Don’t just add components, simplify!
+ Secure best practice guidance is available
> Check out the ArcGIS for Professionals site!
> Drill into details by mechanism or application
> Trust.arcgis.com