
Yuri Demchenko <demch@science.uva.nl> AIRG, University of Amsterdam




  1. Policy Enforcement Framework for Web Services and Grid Operational Security
  Advanced Internet Research Group Update
  Yuri Demchenko <demch@science.uva.nl> AIRG, University of Amsterdam

  2. Outline
  • Goals
  • AIRG projects and Generic AAA Architecture development
  • Implementation in CNL project Access Control infrastructure
  • Grid Operational Security and Grid Security Incident definition
  AIRG Update 2004

  3. Goals
  • Update TF-EMC2 on AIRG research and developments
  • Discuss possible approaches for early detection of security credentials compromise

  4. AIRG projects
  • Gigaport NG - NL
    • Further development of the Generic AAA architecture for policy/token based networking
  • Collaboratory.nl (CNL)
    • Security Architecture for Open Collaborative Environment and RBAC
    • Considered as a use case for EGEE and OGSA
  • EGEE and other Grid related projects - EU
    • Grid operational security and WS/Grid security threats analysis
    • Policy enforcement framework and Authorisation portType
    • WS-Security and OGSA Security

  5. Generic AAA Architecture by AIRG (UvA)
  [Figure: Generic AAA architecture diagram showing Request/Response flows between the Generic AAA module, Policy and ASM components]
  • Policy based Authorization decision
  • Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
  • RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}
  • ActionExt = {ReqAAAExt, ASMcontrol}
  • ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}
  • Defined by Resource owner
  • Translate logDecision => Action
  • Translate State => LogCondition

  6. Generic AAA implementations
  • Bandwidth-on-demand (BoD) for optical network
    • Using driving policy approach for multidomain optical path building
  • Access control and privilege management for Collaborative environment
    • Policy/role based access control to experimental equipment and resources
  • Authorisation Web Service and Authorisation portType for Grid applications
    • Policy binding to Web/Grid service definition
  • Technology background
    • AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format
    • XML Web Services
    • Attempting to use WSRF and trying to avoid OGSI and ProxyCert

  7. Distributed Security Architecture for Collaborative environment
  • Based on the Job-centric security model
  • Extended RBAC functionality including RBAC administration terminal (using GAAA Toolkits)
  • XACML based policy exchange and integration
  • Uses WS-Security Framework and OGSA/WSRF
  • Policy binding to WSDL and AuthZ portType definition
  • VO functionality - policy based user and resource management
  • Proxy-Certificate (Grid approach) vs SAML security credentials management

  8. Security built around Job description
  [Diagram: Scheduler/JobMngr; JobDescr (Job#, Job Attributes, Job Priority; User list, User roles/attr); Admin RBAC; OrderDescr; AccessCtr (AuthN/Z); UserDB; Policy]
  • Job Description as a semantic object defining Job attributes and User attributes
  • Requires document based or semantic oriented Security paradigm
  • Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI

  9. XACML implementation library for CNL
  • Contains specific modules for AAA services
    • PEP, PDP, PAP and XACML messaging
  • Implemented in Java
  • Policy editor in XACML
  • XACML provides a standard solution for RBAC with powerful policy combination functionality
  • Version 0.1 is available for policy construction and translating to AAA-policy format
  • Set of typical policy profiles in XACML (with corresponding profiles in AAA) are under development

  10. Main components and dataflow in RBAC/PMI
  • PEP (Policy Enforcement Point) / AEF (authorisation enforcement function)
  • PDP (Policy Decision Point) / ADF (authorisation decision function)
  • PIP (Policy Information Point) / AA (Attribute Authority)
  • PA – Policy Authority

  11. GAAA API flow diagram (implements RBAC)

  12. GAAAPI implementation – XACML Request message format (1)

  13. GAAAPI implementation – XACML Request message format (2)

    <?xml version="1.0" encoding="UTF-8"?>
    <AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD http://146.50.22.64/CNLdemo1.xsd" version="0.1" type="CNLdemo1">
      <Subject>
        <SubjectID>WHO740@users.collaboratory.nl</SubjectID>
        <Role>Analyst</Role>
        <JobID>JobID-XPS1-212</JobID>
        <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
      </Subject>
      <Resource>
        <ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID>
      </Resource>
      <Action>
        <ActionID>ControlInstrument</ActionID>
      </Action>
    </AAA:AAARequest>

  14. GAAAPI implementation – XACML Response message format (1)

  15. GAAAPI implementation – XACML Response message format (2)

    <?xml version="1.0" encoding="UTF-8"?>
    <AAA:AAAResponse xmlns:AAA="http://www.AAA.org/ns/AAA_BoD" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
      <Result ResourceId="String">
        <Decision>Permit</Decision>
        <Status>
          <StatusCode Value="OK"/>
          <StatusMessage>Request successful</StatusMessage>
        </Status>
      </Result>
    </AAA:AAAResponse>
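The following is an added example, not code from the slides or from the CNL GAAAPI library: a toy PEP/PDP round trip over the AAARequest and AAAResponse layouts of slides 13 and 15, using the component roles of slide 10 (PEP parses and enforces, PDP decides against a policy). The RBAC table standing in for the PAP output, the function names, the "Denied" status code value and the sample request (with a made-up token) are assumptions of this example; the real library is in Java and exchanges XACML policies, which this example does not model.

```python
import xml.etree.ElementTree as ET

AAA_NS = "http://www.AAA.org/ns/AAA_BoD"
ET.register_namespace("AAA", AAA_NS)

# Constructed request in the slide-13 layout; the token value is made up for the example.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD" version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>WHO740@users.collaboratory.nl</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>EXAMPLE-TOKEN-NOT-REAL</Token>
  </Subject>
  <Resource><ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID></Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>"""

# Assumed PAP output: an RBAC table mapping resource -> action -> roles permitted.
POLICY = {
    "http://resources.collaboratory.nl/Phillips_XPS1": {
        "ControlInstrument": {"Analyst", "Operator"},
        "ViewExperiment": {"Analyst", "Operator", "Guest"},
    },
}


def parse_request(xml_text):
    """PEP side: extract the decision-relevant attributes from an AAARequest."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{AAA_NS}}}AAARequest":
        raise ValueError("not an AAA:AAARequest document")

    def text(path):
        el = root.find(path)
        return el.text.strip() if el is not None and el.text else None

    return {
        "subject": text("Subject/SubjectID"),
        "role": text("Subject/Role"),
        "job": text("Subject/JobID"),
        "token": text("Subject/Token"),
        "resource": text("Resource/ResourceID"),
        "action": text("Action/ActionID"),
    }


def decide(req, policy=POLICY):
    """PDP side: default-deny evaluation of the RBAC table.

    Returns (decision, status message). A missing role, resource, action or
    token is a Deny, as is a resource/action pair with no applicable rule."""
    if not all(req.get(k) for k in ("role", "resource", "action", "token")):
        return "Deny", "Incomplete request"
    roles = policy.get(req["resource"], {}).get(req["action"])
    if roles is None:
        return "Deny", "No applicable policy"
    if req["role"] in roles:
        return "Permit", "Request successful"
    return "Deny", "Role not permitted for this action"


def build_response(resource_id, decision, message):
    """Serialise a response in the slide-15 layout ("Denied" code is assumed)."""
    resp = ET.Element(f"{{{AAA_NS}}}AAAResponse", {"version": "0.0"})
    result = ET.SubElement(resp, "Result", {"ResourceId": resource_id or ""})
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", {"Value": "OK" if decision == "Permit" else "Denied"})
    ET.SubElement(status, "StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def handle(xml_text):
    """Full PEP -> PDP -> PEP round trip; returns (decision, response XML)."""
    req = parse_request(xml_text)
    decision, message = decide(req)
    return decision, build_response(req["resource"], decision, message)


if __name__ == "__main__":
    print(handle(SAMPLE_REQUEST)[1])
```

The default-deny branches in decide() are the part worth copying: an unknown resource, an unknown action or a request missing its token all produce a Deny with a distinct status message, so the PEP log records why a request failed without the PDP ever falling through to Permit.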

  16. Binding policy to WSDL service description
  • WS-PolicyAttachment defines two mechanisms that together allow a policy to be bound to the WSDL components (portType, Operation, Message)
    • wsp:PolicyRefs="URI | QName"
    • <wsp:UsingPolicy wsdl:Required="true"/>

  17. Binding policy to WSDL - Example

    <definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
        xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
        xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
        xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
        xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
        xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
        xmlns:cnl="http://cnl.telin.nl/cnl"
        xmlns:policy="cnl-policy-schema.xsd"
        targetNamespace="http://cnl.telin.nl/cnl">
      <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
        <part name="JobID" type="xs:string"/>
        <part name="coordinateX" type="xs:string"/>
        <part name="coordinateY" type="xs:string"/>
        <part name="zoom" type="xs:int"/>
      </message>
      <<< snip >>>>
      <wsp:UsingPolicy wsdl:Required="true"/>
    </definitions>
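An added example (not from the slides or the CNL project) of the check a deployer would run against a WSDL like the one on slides 16 and 17: which messages, portTypes and operations carry a wsp:PolicyRefs attachment, whether wsp:UsingPolicy is marked wsdl:Required="true", and which operations end up with no policy on any of the three components. The namespace URIs are the ones on slide 17; the embedded WSDL is a constructed, cut-down variant of that example with a second operation and an explicit xmlns:wsdl declaration added for the check.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSP_NS = "http://schemas.xmlsoap.org/ws/2002/12/policy"

# Constructed WSDL in the style of slide 17; ControlInstrument deliberately has no policy.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:cnl="http://cnl.telin.nl/cnl"
    targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>
  <message name="ControlInstrumentRequest">
    <part name="JobID" type="xs:string"/>
  </message>
  <portType name="ExperimentPortType">
    <operation name="ViewExperiment">
      <input message="cnl:ViewExperimentRequest"/>
    </operation>
    <operation name="ControlInstrument">
      <input message="cnl:ControlInstrumentRequest"/>
    </operation>
  </portType>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>"""


def policy_attachments(wsdl_text):
    """Map every message/portType/operation to its wsp:PolicyRefs (if any)
    and report whether wsp:UsingPolicy is marked wsdl:Required="true"."""
    root = ET.fromstring(wsdl_text)
    attached, unattached = {}, []
    for kind in ("message", "portType", "operation"):
        for el in root.iter(f"{{{WSDL_NS}}}{kind}"):
            refs = el.get(f"{{{WSP_NS}}}PolicyRefs")
            if refs:
                attached[(kind, el.get("name"))] = refs.split()   # attribute may list several URIs
            else:
                unattached.append((kind, el.get("name")))
    using = root.find(f"{{{WSP_NS}}}UsingPolicy")
    required = using is not None and using.get(f"{{{WSDL_NS}}}Required") == "true"
    return {"attached": attached, "unattached": unattached, "using_policy_required": required}


def unprotected_operations(wsdl_text):
    """Operations with no policy on the operation itself, its portType or its
    input message: with wsdl:Required="true" these are the gaps to close."""
    root = ET.fromstring(wsdl_text)
    msg_refs = {m.get("name"): m.get(f"{{{WSP_NS}}}PolicyRefs")
                for m in root.iter(f"{{{WSDL_NS}}}message")}
    gaps = []
    for pt in root.iter(f"{{{WSDL_NS}}}portType"):
        pt_ref = pt.get(f"{{{WSP_NS}}}PolicyRefs")
        for op in pt.iter(f"{{{WSDL_NS}}}operation"):
            op_ref = op.get(f"{{{WSP_NS}}}PolicyRefs")
            inp = op.find(f"{{{WSDL_NS}}}input")
            # drop the QName prefix: "cnl:ViewExperimentRequest" -> "ViewExperimentRequest"
            msg = inp.get("message", "").split(":")[-1] if inp is not None else None
            if not (pt_ref or op_ref or (msg and msg_refs.get(msg))):
                gaps.append((pt.get("name"), op.get("name")))
    return gaps


if __name__ == "__main__":
    print(policy_attachments(SAMPLE_WSDL))
    print("unprotected:", unprotected_operations(SAMPLE_WSDL))
```

Run before deployment, the second function turns the "policy binding to WSDL" idea into a concrete gate: any operation it lists is reachable through the service without the AuthZ policy that UsingPolicy declares mandatory.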

  18. Security related activities in EGEE - FYI
  • EGEE – Enabling Grids for E-sciencE
    • JRA3 – Security
    • MWSG – Middleware Security Group
    • JSPG – Joint with LCG and OSG Security Policy Group
    • OSG Incident Handling Activity
  • Recent Security related deliverables
    • Grid User/Site Security Requirements – MJRA3.1 (https://edms.cern.ch/document/485295/1)
    • Global Security Architecture (GSA) rev. 1 - DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
    • Grid Security Incident definition and exchange format – MJRA3.4
      • Ongoing development, current version - https://edms.cern.ch/document/501422/1
      • As a part of joint OSG/LCG/EGEE Operational Security activity

  19. Grid Security Incident (GSInc) definition
  • GSInc definition
    • Depends on the scope and range of the Security Policy, ULA, or SLA - TODO
    • Should be based on threats analysis and vulnerabilities model – MJRA3.4
    • Should be based on Grid processes/workflow analysis - TODO
  • GSInc definition is a base for GSInc description format
    • What information should be collected and how to exchange and handle it
    • Requirements to Events logging and Intrusion/compromise detection
  • Common format is a basis for community wide statistics and coordinated response
    • Incident statistics provide feedback for the Security Policy improvement
  • Note. Grid Security model is based on delegation of security credentials to a service

  20. Security credentials related GSInc and audit events
  • Security credentials compromise (e.g., private key, proxy credentials, etc.)
    • patterns of credential usage
    • broken chain of PKC/keys/credentials
    • a copy is discovered in an improper place
    • originated not from the default location
    • sequential failed attempts to request action(s)
    • PDP/PEP logging/audit
  • Remaining problems and topics for discussion
    • How to define at the early stage that a private key has been compromised?
    • May require credentials storing (not caching) and adding history/evidence chain to credentials format
      • X.509 credentials are not capable of this
      • Does SAML have the required functionality?
  • Note: Audit/log events together with related data can also be referred to as Evidence
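Three of the slide-20 indicators (usage originating from a non-default location, the same credential in use from two places at once, and a run of failed action requests) can be computed directly from PDP/PEP audit events. The following is an added example, not from the slides or the CNL/EGEE deliverables: a small detector over constructed audit lines. The log layout, the per-subject "default location" table, the time window and the denial threshold are all assumptions of this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PDP/PEP audit lines for the example (not real logs):
# timestamp subject token source action decision
AUDIT_LOG = """\
2004-10-05T09:00:00 WHO740 tok-A 146.50.22.10 ControlInstrument Permit
2004-10-05T09:00:05 WHO740 tok-A 146.50.22.10 ViewExperiment Permit
2004-10-05T09:00:40 WHO740 tok-A 198.51.100.7 ControlInstrument Permit
2004-10-05T09:01:00 WHO740 tok-A 198.51.100.7 ModifyPolicy Deny
2004-10-05T09:01:02 WHO740 tok-A 198.51.100.7 ModifyPolicy Deny
2004-10-05T09:01:04 WHO740 tok-A 198.51.100.7 DeleteJob Deny
2004-10-05T09:05:00 LAB001 tok-B 146.50.22.11 ViewExperiment Permit
"""

# Assumed "default location" per subject, e.g. the registered workstation.
DEFAULT_SOURCE = {"WHO740": "146.50.22.10", "LAB001": "146.50.22.11"}


def parse_log(text):
    """Turn the constructed audit format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, subject, token, src, action, decision = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "subject": subject,
                       "token": token, "src": src, "action": action,
                       "decision": decision})
    return events


def detect(events, window=timedelta(minutes=2), deny_threshold=3):
    """Return (indicator, token, detail, timestamp) tuples for the three
    credential-misuse indicators, in the order they are observed."""
    findings = []
    last_seen = {}               # token -> (ts, src) of its previous use
    deny_run = defaultdict(int)  # token -> length of current Deny streak
    reported = set()             # (token, src) pairs already flagged as non-default
    for e in events:
        tok, src, ts = e["token"], e["src"], e["ts"]

        # 1. credential used from somewhere other than the subject's default location
        default = DEFAULT_SOURCE.get(e["subject"])
        if default and src != default and (tok, src) not in reported:
            reported.add((tok, src))
            findings.append(("non-default-location", tok, src, ts))

        # 2. same credential active from two sources inside the window
        prev = last_seen.get(tok)
        if prev and prev[1] != src and ts - prev[0] <= window:
            findings.append(("concurrent-sources", tok, f"{prev[1]} then {src}", ts))
        last_seen[tok] = (ts, src)

        # 3. a run of denied action requests with one credential
        if e["decision"] == "Deny":
            deny_run[tok] += 1
            if deny_run[tok] == deny_threshold:
                findings.append(("repeated-denials", tok, e["action"], ts))
        else:
            deny_run[tok] = 0
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(AUDIT_LOG)):
        print(*f)
```

Each indicator on its own is weak (a travelling user trips the first one), which is why the slide pairs them with an evidence chain: the findings are the audit events that a stored credential history would be correlated against, and any one of them is a reason to revoke the proxy credential early rather than a verdict that the key is compromised.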

  21. Discussion: security credentials compromise detection
  • How to define at the early stage that a private key or other security credentials have been compromised?
  • Will it require credentials storing (not caching) and adding history/evidence chain to credentials format?
    • X.509 credentials are not capable of this
    • Does SAML have the required functionality?