Policy Enforcement Framework for Web Services and Grid Operational Security

Yuri Demchenko, AIRG, University of Amsterdam




Presentation Transcript



Policy Enforcement Framework for Web Services and Grid Operational Security
Advanced Internet Research Group Update

Yuri Demchenko <[email protected]>

AIRG, University of Amsterdam



Outline

  • Goals

  • AIRG projects and Generic AAA Architecture development

  • Implementation in CNL project Access Control infrastructure

  • Grid Operational Security and Grid Security Incident definition

AIRG Update 2004



Goals

  • Update TF-EMC2 on AIRG research and developments

  • Discuss possible approaches for early detection of the security credentials compromise




AIRG projects

  • Gigaport NG - NL

    • Further development of the Generic AAA architecture for policy/token based networking

  • Collaboratory.nl (CNL)

    • Security Architecture for Open Collaborative Environment and RBAC

    • Considered as a use case for EGEE and OGSA

  • EGEE and other Grid related projects - EU

    • Grid operational security and WS/Grid security threats analysis

    • Policy enforcement framework and Authorisation portType

    • WS-Security and OGSA Security



[Diagram: Generic AAA architecture, showing Request/Response flows between the Generic AAA module, the Policy and the ASM (Application Specific Module)]

Generic AAA Architecture by AIRG (UvA)

  • Policy based Authorization decision

    • Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}

    • RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}

    • ActionExt = {ReqAAAExt, ASMcontrol}

    • ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}

  • Defined by Resource owner

  • Translate logDecision => Action

  • Translate State => LogCondition




Generic AAA implementations

  • Bandwidth-on-demand (BoD) for optical network

    • Using driving policy approach for multidomain optical path building

  • Access control and privilege management for Collaborative environment

    • Policy/role based access control to experimental equipment and resources

  • Authorisation Web Service and Authorisation portType for Grid applications

    • Policy binding to Web/Grid service definition

  • Technology background

    • AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format

    • XML Web Services

      • Attempting to use WSRF and trying to avoid OGSI and ProxyCert




Distributed Security Architecture for Collaborative environment

  • Based on the Job-centric security model

  • Extended RBAC functionality including RBAC administration terminal (using GAAA Toolkits)

  • XACML based policy exchange and integration

  • Uses WS-Security Framework and OGSA/WSRF

    • Policy binding to WSDL and AuthZ portType definition

  • VO functionality - policy based user and resource management

  • Proxy-Certificate (Grid approach) vs SAML security credentials management



[Diagram: Security built around the job description. The Scheduler/JobMngr holds the JobDescr (Job#, Job Attributes, Job Priority; User list, User roles/attr, Admin RBAC) and the OrderDescr; the AccessCtr (AuthN/Z) component uses the UserDB and the Policy]

Security built around Job description

  • Job Description as a semantic object defining Job attributes and User attributes

    • Requires document based or semantic oriented Security paradigm

  • Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI




XACML implementation library for CNL

  • Contains specific modules for AAA services

    • PEP, PDP, PAP and XACML messaging

    • Implemented in Java

  • Policy editor in XACML

    • XACML provides standard solution for RBAC with powerful policy combination functionality

    • Version 0.1 is available for policy construction and translating to AAA-policy format

  • A set of typical policy profiles in XACML (with corresponding profiles in AAA) is under development



Main components and dataflow in RBAC/PMI

  • PEP(Policy Enforcement Point)/AEF (authorisation enforcement function)

  • PDP (Policy Decision Point)/ADF (authorisation decision function)

  • PIP (Policy Information Point)/AA (Attribute Authority)

  • PA – Policy Authority




GAAA API flow diagram (implements RBAC)




GAAAPI implementation – XACML Request message format (1)




GAAAPI implementation – XACML Request message format (2)

<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD http://146.50.22.64/CNLdemo1.xsd" version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>[email protected]</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource>
    <ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID>
  </Resource>
  <Action>
    <ActionID>ControlInstrument</ActionID>
  </Action>
</AAA:AAARequest>




GAAAPI implementation – XACML Response message format (1)




GAAAPI implementation – XACML Response message format (2)

<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAAResponse xmlns:AAA="http://www.AAA.org/ns/AAA_BoD" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
  <Result ResourceId="String">
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="OK"/>
      <StatusMessage>Request successful</StatusMessage>
    </Status>
  </Result>
</AAA:AAAResponse>
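As an added illustration (not code from the slides or from the CNL GAAAPI Java library), the following Python shows a PEP/PDP round trip over the request and response layouts above: the request is parsed, checked against a small policy table, and answered in the AAAResponse form. The inline policy triples, the placeholder token and the assumption that child elements are unqualified while the root carries the AAA namespace are mine.

```python
import xml.etree.ElementTree as ET
AAA_NS = "http://www.AAA.org/ns/AAA_BoD"  # namespace of the slide's AAARequest example

# Constructed policy: (role, resource, action) triples that are permitted; in CNL these would come from the PAP.
POLICY = {
    ("Analyst", "http://resources.collaboratory.nl/Phillips_XPS1", "ControlInstrument"),
    ("Analyst", "http://resources.collaboratory.nl/Phillips_XPS1", "ViewExperiment"),
}

def parse_request(xml_text):
    """Extract role, resource id and action id from an AAARequest message."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AAARequest" % AAA_NS:
        raise ValueError("not an AAARequest")
    # Child elements are unqualified in the slide example, so look them up without a namespace.
    role = root.findtext("Subject/Role")
    resource = (root.findtext("Resource/ResourceID") or "").strip()
    action = root.findtext("Action/ActionID")
    if not (role and resource and action):
        raise ValueError("missing Subject/Role, Resource/ResourceID or Action/ActionID")
    return role, resource, action

def decide(role, resource, action):
    """Minimal PDP: Permit only on an explicit policy match, otherwise Deny (default deny)."""
    return "Permit" if (role, resource, action) in POLICY else "Deny"

def build_response(decision, resource):
    """Serialise the decision in the slide's AAAResponse layout."""
    resp = ET.Element("AAAResponse", version="0.0")
    result = ET.SubElement(resp, "Result", ResourceId=resource)
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", Value="OK")
    ET.SubElement(status, "StatusMessage").text = "Request successful"
    return ET.tostring(resp, encoding="unicode")

def handle(xml_text):
    """PEP side: parse the request, ask the PDP, return (decision, response XML)."""
    role, resource, action = parse_request(xml_text)
    decision = decide(role, resource, action)
    return decision, build_response(decision, resource)

# Constructed request mirroring the slide's example (subject and token values are placeholders).
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="%s" version="0.1" type="CNLdemo1">
  <Subject><SubjectID>analyst1@example.org</SubjectID><Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID><Token>PLACEHOLDER-TOKEN</Token></Subject>
  <Resource><ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID></Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>""" % AAA_NS
```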




Binding policy to WSDL service description

  • WS-PolicyAttachment defines two mechanisms that together allow binding a policy to the WSDL components (portType, Operation, Message)

    • wsp:PolicyRefs="URI | QName"

    • <wsp:UsingPolicy wsdl:Required="true"/>




Binding policy to WSDL - Example

<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
    xmlns:cnl="http://cnl.telin.nl/cnl"
    xmlns:policy="cnl-policy-schema.xsd"
    targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="coordinateX" type="xs:string"/>
    <part name="coordinateY" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>
  <<< snip >>>>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>




Security related activities in EGEE - FYI

  • EGEE – Enabling Grids for E-sciencE

    • JRA3 – Security

    • MWSG – Middleware Security Group

    • JSPG – Joint with LCG and OSG Security Policy Group

      • OSG Incident Handling Activity

  • Recent Security related deliverables

    • Grid User/Site Security Requirements – MJRA3.1 (https://edms.cern.ch/document/485295/1)

    • Global Security Architecture (GSA) rev. 1 - DJRA3.1 (https://edms.cern.ch/document/487004/1.1)

    • Grid Security Incident definition and exchange format – MJRA3.4

      • Ongoing development, current version - https://edms.cern.ch/document/501422/1

      • As a part of joint OSG/LCG/EGEE Operational Security activity




Grid Security Incident (GSInc) definition

  • GSInc definition

    • Depends on the scope and range of the Security Policy, ULA, or SLA - TODO

    • Should be based on threats analysis and vulnerabilities model – MJRA3.4

    • Should be based on Grid processes/workflow analysis - TODO

  • GSInc definition is a base for GSInc description format

    • What information should be collected and how to exchange and handle it

      • Requirements to Events logging and Intrusion/compromise detection

    • Common format is a basis for community wide statistics and coordinated response

    • Incident statistics provide feedback for Security Policy improvement

  • Note. Grid Security model is based on delegation of security credentials to a service




Security credentials related GSInc and audit events

  • Security credentials compromise (e.g., private key, proxy credentials, etc.)

    • patterns of credential usage

    • broken chain of PKC/keys/credentials

    • a copy is discovered in an improper location

    • usage originating from somewhere other than the default location

    • subsequent failed attempts to request action(s)

      • PDP/PEP logging/audit

  • Remaining problems and topics for discussion

    • How to define at the early stage that a private key has been compromised?

    • May require credentials storing (not caching) and adding history/evidence chain to credentials format

      • X.509 credentials are not capable of this

      • Does SAML have the required functionality?

  • Note: Audit/log events together with related data can be also referred to as an Evidence
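The indicators listed on this slide are only usable if the PDP/PEP audit trail is actually analysed. As an added illustration (not code from the slides or the AIRG toolkits), the Python below runs two of them over constructed PDP/PEP audit lines: a credential token seen from more than one origin within a short window (a copy in use from other than the default location) and a run of consecutive Deny decisions (subsequent failed action requests). The log line layout, addresses, token ids and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PDP/PEP audit lines: timestamp subject token_id origin decision action.
# The slides only name PDP/PEP logging as the data source; this line layout is an assumption.
AUDIT_LOG = """\
2004-09-14T10:00:01 analyst1@example.org tok-7f3a 192.0.2.10 Permit ControlInstrument
2004-09-14T10:00:40 analyst1@example.org tok-7f3a 192.0.2.10 Permit ViewExperiment
2004-09-14T10:01:05 analyst1@example.org tok-7f3a 198.51.100.7 Deny ControlInstrument
2004-09-14T10:01:09 analyst1@example.org tok-7f3a 198.51.100.7 Deny Shutdown
2004-09-14T10:01:12 analyst1@example.org tok-7f3a 198.51.100.7 Deny ControlInstrument
2004-09-14T10:02:00 analyst2@example.org tok-91c2 192.0.2.11 Permit ViewExperiment
"""

def parse_audit(text):
    """Parse audit lines into event dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, subject, token, origin, decision, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "subject": subject, "token": token,
                       "origin": origin, "decision": decision, "action": action})
    return events

def find_indicators(events, window=timedelta(minutes=5), max_denies=3):
    """Flag, per credential token, two indicators from the slide: use from more than one
    origin inside `window` (a copy in use elsewhere / not from the default location) and
    `max_denies` consecutive Deny decisions (subsequent failed action requests)."""
    by_token = defaultdict(list)
    for ev in events:
        by_token[ev["token"]].append(ev)
    findings = []
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e["ts"])
        recent, deny_run, origin_flagged = [], 0, False
        for ev in evs:
            recent = [r for r in recent if ev["ts"] - r["ts"] <= window] + [ev]
            origins = sorted({r["origin"] for r in recent})
            if len(origins) > 1 and not origin_flagged:
                findings.append((token, "multi_origin", origins))
                origin_flagged = True
            deny_run = deny_run + 1 if ev["decision"] == "Deny" else 0
            if deny_run == max_denies:
                findings.append((token, "deny_run", ev["ts"].isoformat()))
    return findings
```

Each finding is an audit event plus its supporting data, which is exactly the "Evidence" the note above refers to; in practice the window and deny threshold would be tuned per resource.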




Discussion: security credentials compromise detection

  • How to define at the early stage that a private key or other security credentials have been compromised?

  • Will it require credentials storing (not caching) and adding history/evidence chain to credentials format?

    • X.509 credentials are not capable of this

    • Does SAML have the required functionality?
