Policy Enforcement Framework for Web Services and Grid Operational Security
Policy Enforcement Framework for Web Services and Grid Operational Security
Advanced Internet Research Group Update

Yuri Demchenko <[email protected]>

AIRG, University of Amsterdam


Outline

  • Goals

  • AIRG projects and Generic AAA Architecture development

  • Implementation in CNL project Access Control infrastructure

  • Grid Operational Security and Grid Security Incident definition

AIRG Update 2004


Goals

  • Update TF-EMC2 on AIRG research and developments

  • Discuss possible approaches for early detection of security credential compromise



AIRG projects

  • Gigaport NG - NL

    • Further development of the Generic AAA architecture for policy/token based networking

  • Collaboratory.nl (CNL)

    • Security Architecture for Open Collaborative Environment and RBAC

    • Considered as a use case for EGEE and OGSA

  • EGEE and other Grid related projects - EU

    • Grid operational security and WS/Grid security threats analysis

    • Policy enforcement framework and Authorisation portType

    • WS-Security and OGSA Security



Generic AAA Architecture by AIRG (UvA)

[Figure: Generic AAA architecture diagram; labels visible in the transcript are Request/Response (three exchanges), Generic AAA, Policy (three instances) and ASM (three instances)]

  • Policy based Authorization decision

    • Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}

    • RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}

    • ActionExt = {ReqAAAExt, ASMcontrol}

    • ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}

  • Defined by Resource owner

  • Translate logDecision => Action

  • Translate State => LogCondition



Generic AAA implementations

  • Bandwidth-on-demand (BoD) for optical network

    • Using driving policy approach for multidomain optical path building

  • Access control and privilege management for Collaborative environment

    • Policy/role based access control to experimental equipment and resources

  • Authorisation Web Service and Authorisation portType for Grid applications

    • Policy binding to Web/Grid service definition

  • Technology background

    • AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format

    • XML Web Services

      • Attempting to use WSRF and trying to avoid OGSI and ProxyCert



Distributed Security Architecture for Collaborative environment

  • Based on the Job-centric security model

  • Extended RBAC functionality including RBAC administration terminal (using GAAA Toolkits)

  • XACML based policy exchange and integration

  • Uses WS-Security Framework and OGSA/WSRF

    • Policy binding to WSDL and AuthZ portType definition

  • VO functionality - policy based user and resource management

  • Proxy-Certificate (Grid approach) vs SAML security credentials management



Security built around Job description

[Figure: security built around the Job description. Blocks visible in the transcript: Scheduler/environment; JobMngr; JobDescr containing Job#, Job Attributes, Job Priority, User list, User roles/attr and Admin RBAC; OrderDescr; AccessCtr (AuthN/Z) with UserDB and Policy]

  • Job Description as a semantic object defining Job attributes and User attributes

    • Requires a document-based or semantics-oriented security paradigm

  • Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI



XACML implementation library for CNL environment

  • Contains specific modules for AAA services

    • PEP, PDP, PAP and XACML messaging

    • Implemented in Java

  • Policy editor in XACML

    • XACML provides a standard solution for RBAC with powerful policy combining functionality

    • Version 0.1 is available for policy construction and translation to the AAA policy format

  • A set of typical policy profiles in XACML (with corresponding profiles in AAA) is under development



Main components and dataflow in RBAC/PMI

  • PEP(Policy Enforcement Point)/AEF (authorisation enforcement function)

  • PDP (Policy Decision Point)/ADF (authorisation decision function)

  • PIP (Policy Information Point)/AA (Attribute Authority)

  • PA – Policy Authority



GAAA API flow diagram (implements RBAC)

[Figure: GAAA API flow diagram; not reproduced in the transcript]


GAAAPI implementation – XACML Request message format (1)

[Figure: request message structure; not reproduced in the transcript]


GAAAPI implementation – XACML Request message format (2)

<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD http://146.50.22.64/CNLdemo1.xsd"
    version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>[email protected]</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource>
    <ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID>
  </Resource>
  <Action>
    <ActionID>ControlInstrument</ActionID>
  </Action>
</AAA:AAARequest>



GAAAPI implementation – XACML Response message format (1)

[Figure: response message structure; not reproduced in the transcript]


GAAAPI implementation – XACML Response message format (2)

<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAAResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
  <Result ResourceId="String">
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="OK"/>
      <StatusMessage>Request successful</StatusMessage>
    </Status>
  </Result>
</AAA:AAAResponse>
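The following is an added example, not code from the CNL project or the GAAAPI library, showing one PEP/PDP round trip over the request and response messages above and the RBE step "Req + Policy => Decision" from the Generic AAA slide. The request message is copied from the slide (the SubjectID appears there in obfuscated form and is used verbatim); the RBAC policy table, the PIP user database and the valid-token table are constructed for the demonstration. The response is built without the AAA prefix, which the slide's response leaves undeclared.

```python
"""PEP/PDP round trip for the AAA request/response messages shown above.

Added example (not the CNL/GAAAPI code). The policy table, the PIP user
database and the valid-token table are constructed; the request is the
message from the slide.
"""
import xml.etree.ElementTree as ET

# Constructed PAP output: resource -> action -> roles permitted (RBAC policy).
POLICY = {
    "http://resources.collaboratory.nl/Phillips_XPS1": {
        "ControlInstrument": {"Analyst"},
        "ViewExperiment": {"Analyst", "Customer"},
    }
}

# Constructed PIP / Attribute Authority view: which roles each subject actually holds.
USER_DB = {"[email protected]": {"Analyst"}}

# Constructed AuthN state: token -> JobID it was issued for.
VALID_TOKENS = {"2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90": "JobID-XPS1-212"}

SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD" version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>[email protected]</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource><ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID></Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>"""


def parse_request(xml_text):
    """PEP side: pull Subject/Resource/Action out of an AAARequest (child elements are unprefixed)."""
    root = ET.fromstring(xml_text)
    return {
        "subject": root.findtext("Subject/SubjectID"),
        "role": root.findtext("Subject/Role"),
        "job": root.findtext("Subject/JobID"),
        "token": root.findtext("Subject/Token"),
        "resource": (root.findtext("Resource/ResourceID") or "").strip(),
        "action": root.findtext("Action/ActionID"),
    }


def decide(req):
    """PDP side: the RBE step Req + Policy => Decision. Returns (decision, status code, message)."""
    # 1. The AuthN token must be known and bound to the JobID the subject claims.
    if VALID_TOKENS.get(req["token"]) != req["job"]:
        return "Deny", "InvalidToken", "token unknown or not issued for this job"
    # 2. Roles are asserted by the caller; confirm them against the PIP before trusting them.
    if req["role"] not in USER_DB.get(req["subject"], set()):
        return "Deny", "InvalidAttribute", "subject does not hold the asserted role"
    # 3. Look up the policy for this resource/action; absence is NotApplicable, never Permit.
    allowed = POLICY.get(req["resource"], {}).get(req["action"])
    if allowed is None:
        return "NotApplicable", "NoPolicy", "no policy for this resource/action"
    if req["role"] in allowed:
        return "Permit", "OK", "Request successful"
    return "Deny", "OK", "role not permitted for this action"


def build_response(resource, decision, code, message):
    """Serialise the Result/Decision/Status structure of the AAAResponse message."""
    root = ET.Element("AAAResponse", {"version": "0.0"})
    result = ET.SubElement(root, "Result", {"ResourceId": resource})
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", {"Value": code})
    ET.SubElement(status, "StatusMessage").text = message
    return ET.tostring(root, encoding="unicode")


def handle(xml_text):
    """Full PEP -> PDP -> PEP round trip: returns (decision, response XML)."""
    req = parse_request(xml_text)
    decision, code, message = decide(req)
    return decision, build_response(req["resource"], decision, code, message)


if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST)[1])
```

The ordering in decide() is the point a practitioner cares about: the self-asserted Role in the request is only an input to the PIP lookup, never the basis of the decision, and a resource/action pair with no policy returns NotApplicable so that a missing policy can never be mistaken for Permit.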



Binding policy to WSDL service description

  • WS-PolicyAttachment defines two mechanisms that together allow policy to be bound to WSDL components (portType, Operation, Message):

    • wsp:PolicyRefs="URI | QName"

    • <wsp:UsingPolicy wsdl:Required="true"/>



Binding policy to WSDL - Example

<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
    xmlns:cnl="http://cnl.telin.nl/cnl"
    xmlns:policy="cnl-policy-schema.xsd"
    targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="coordinateX" type="xs:string"/>
    <part name="coordinateY" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>
  <<< snip >>>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>
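As an added example (not CNL project code), the following reads both WS-PolicyAttachment mechanisms back out of a WSDL of the shape shown above: the wsp:PolicyRefs attribute on each message and the wsp:UsingPolicy extension with wsdl:Required. The WSDL used is a constructed, trimmed copy of the slide's example with a second message added; unlike the slide it declares the wsdl prefix, which the slide's snippet uses on wsdl:Required without declaring (a namespace-aware parser rejects the snippet as printed).

```python
"""Reading WS-PolicyAttachment bindings out of a WSDL like the one on the slide.

Added example (not CNL code). SAMPLE_WSDL is a constructed, trimmed version of the
slide's example; it declares xmlns:wsdl so that wsdl:Required parses.
"""
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSP_NS = "http://schemas.xmlsoap.org/ws/2002/12/policy"   # 2002 draft namespace, as on the slide

SAMPLE_WSDL = f"""<definitions xmlns="{WSDL_NS}" xmlns:wsdl="{WSDL_NS}"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:wsp="{WSP_NS}"
    xmlns:cnl="http://cnl.telin.nl/cnl" targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>
  <message name="StatusRequest">
    <part name="JobID" type="xs:string"/>
  </message>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>"""


def policy_refs(wsdl_text):
    """Mechanism 1: wsp:PolicyRefs on WSDL components. Returns message name -> list of policy refs."""
    root = ET.fromstring(wsdl_text)
    refs = {}
    for msg in root.iter(f"{{{WSDL_NS}}}message"):
        raw = msg.get(f"{{{WSP_NS}}}PolicyRefs", "")
        refs[msg.get("name")] = raw.split()      # the attribute is a whitespace-separated list
    return refs


def policy_required(wsdl_text):
    """Mechanism 2: the wsp:UsingPolicy extension element carrying wsdl:Required="true"."""
    root = ET.fromstring(wsdl_text)
    using = root.find(f"{{{WSP_NS}}}UsingPolicy")
    return using is not None and using.get(f"{{{WSDL_NS}}}Required") == "true"


def messages_without_policy(wsdl_text):
    """Inventory check for a PEP deployment: messages carrying no policy reference at all.
    When every operation is supposed to be policy-bound, these are the gaps to close."""
    return [name for name, refs in policy_refs(wsdl_text).items() if not refs]


if __name__ == "__main__":
    print(policy_refs(SAMPLE_WSDL))
    print("policy required:", policy_required(SAMPLE_WSDL))
    print("messages without policy:", messages_without_policy(SAMPLE_WSDL))
```

messages_without_policy() is a deployment sanity check, not WS-PolicyAttachment semantics: a message without wsp:PolicyRefs simply has no attached policy, which is exactly what an access-control review wants to surface before the service goes live.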



Security related activities in EGEE - FYI

  • EGEE – Enabling Grids for E-sciencE

    • JRA3 – Security

    • MWSG – Middleware Security Group

    • JSPG – Joint with LCG and OSG Security Policy Group

      • OSG Incident Handling Activity

  • Recent Security related deliverables

    • Grid User/Site Security Requirements – MJRA3.1 (https://edms.cern.ch/document/485295/1)

    • Global Security Architecture (GSA) rev. 1 - DJRA3.1 (https://edms.cern.ch/document/487004/1.1)

    • Grid Security Incident definition and exchange format – MJRA3.4

      • Ongoing development, current version - https://edms.cern.ch/document/501422/1

      • As a part of joint OSG/LCG/EGEE Operational Security activity



Grid Security Incident (GSInc) definition

  • GSInc definition

    • Depends on the scope and range of the Security Policy, ULA, or SLA - TODO

    • Should be based on threats analysis and vulnerabilities model – MJRA3.4

    • Should be based on Grid processes/workflow analysis - TODO

  • GSInc definition is a base for GSInc description format

    • What information should be collected and how to exchange and handle it

      • Requirements to Events logging and Intrusion/compromise detection

    • Common format is a basis for community wide statistics and coordinated response

    • Incident statistics provides feedback for the Security Policy improvement

  • Note: the Grid security model is based on delegation of security credentials to a service



Security credentials related GSInc and audit events

  • Security credentials compromise (e.g., private key, proxy credentials, etc.)

    • patterns of credential usage

    • broken chain of PKC/keys/credentials

    • a copy is discovered in an improper place

    • use originating from other than the default location

    • a sequence of failed attempts to request action(s)

      • PDP/PEP logging/audit

  • Remaining problems and topics for discussion

    • How to determine at an early stage that a private key has been compromised?

    • May require credentials storing (not caching) and adding a history/evidence chain to the credentials format

      • X.509 credentials are not capable of this

      • Does SAML have the required functionality?

  • Note: audit/log events together with related data can also be referred to as Evidence
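Three of the compromise indicators listed above (a credential used from more than one place, use from other than the default location, and a run of failed action requests) can be checked directly against PDP/PEP audit records. The following is an added example, not AIRG code: the audit lines are constructed, the record layout (timestamp followed by key=value fields) is an assumption rather than the GAAAPI audit format, and the default-location registry is invented for the demonstration.

```python
"""Detection of credential-compromise indicators over PDP/PEP audit records.

Added example (not AIRG code). SAMPLE_LOG and DEFAULT_SRC are constructed; the
record layout is an assumption, not the GAAAPI audit format.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed PDP audit records: one authorisation decision per line.
SAMPLE_LOG = """\
2004-11-03T10:02:11Z token=tok-analyst1 subject=analyst1 src=146.50.22.10 resource=Phillips_XPS1 action=ViewExperiment decision=Permit
2004-11-03T10:05:40Z token=tok-analyst1 subject=analyst1 src=146.50.22.10 resource=Phillips_XPS1 action=ControlInstrument decision=Permit
2004-11-03T10:07:02Z token=tok-analyst1 subject=analyst1 src=192.0.2.77 resource=Phillips_XPS1 action=ControlInstrument decision=Permit
2004-11-03T11:30:00Z token=tok-cust2 subject=customer2 src=198.51.100.5 resource=Phillips_XPS1 action=ControlInstrument decision=Deny
2004-11-03T11:30:15Z token=tok-cust2 subject=customer2 src=198.51.100.5 resource=Phillips_XPS1 action=Calibrate decision=Deny
2004-11-03T11:30:31Z token=tok-cust2 subject=customer2 src=198.51.100.5 resource=Phillips_XPS1 action=ShutDown decision=Deny
2004-11-03T12:00:00Z token=tok-cust2 subject=customer2 src=198.51.100.5 resource=Phillips_XPS1 action=ViewExperiment decision=Permit
"""

# Constructed registry: the location each subject's credentials are normally used from.
DEFAULT_SRC = {"analyst1": "146.50.22.10", "customer2": "198.51.100.5"}


def parse_line(line):
    """Split one audit record into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    event = dict(field.split("=", 1) for field in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect(lines, window=timedelta(minutes=10), max_denies=3):
    """Return alerts as (rule, token, subject, detail) tuples."""
    events = [parse_line(l) for l in lines if l.strip()]
    alerts = []

    # Indicator 1: the same token presented from more than one source inside the window.
    # A proxy credential copied off its host looks exactly like this.
    seen = defaultdict(list)                      # token -> [(ts, src)]
    for ev in events:
        other = [s for t, s in seen[ev["token"]] if ev["ts"] - t <= window and s != ev["src"]]
        if other:
            alerts.append(("TOKEN_MULTI_SOURCE", ev["token"], ev["subject"],
                           f"{ev['src']} after {other[-1]}"))
        seen[ev["token"]].append((ev["ts"], ev["src"]))

    # Indicator 2: credential used from somewhere other than the subject's default location.
    for ev in events:
        default = DEFAULT_SRC.get(ev["subject"])
        if default and ev["src"] != default:
            alerts.append(("OFF_DEFAULT_LOCATION", ev["token"], ev["subject"],
                           f"{ev['src']} (default {default})"))

    # Indicator 3: a run of failed action requests with one credential inside the window,
    # i.e. someone probing what a stolen credential is allowed to do.
    denies = defaultdict(deque)                   # (subject, token) -> recent Deny timestamps
    for ev in events:
        if ev["decision"] != "Deny":
            continue
        recent = denies[(ev["subject"], ev["token"])]
        recent.append(ev["ts"])
        while ev["ts"] - recent[0] > window:      # drop denials that fell out of the window
            recent.popleft()
        if len(recent) >= max_denies:
            alerts.append(("DENY_BURST", ev["token"], ev["subject"],
                           f"{len(recent)} denials within {window}"))
            recent.clear()                        # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the constructed log this raises one alert per indicator: tok-analyst1 turning up from 192.0.2.77 within minutes of use from 146.50.22.10 fires both the multi-source and off-default rules, and customer2's three denials in 31 seconds fire the burst rule. Each rule needs audit records that carry the token (or a stable hash of it), the source and the decision; without the token field in the PDP/PEP log the first indicator cannot be computed at all, which is the logging requirement the slide asks for.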



Discussion: security credentials compromise detection

  • How to determine at an early stage that a private key or other security credentials have been compromised?

  • Will it require credentials storing (not caching) and adding a history/evidence chain to the credentials format?

    • X.509 credentials are not capable of this

    • Does SAML have the required functionality?
