Distributed Security Policies for Service-Oriented Architectures over Tactical Networks

Roberto Rigolin F. Lopes (1) and Stephen D. Wolthusen (1,2)

1. Norwegian Information Security Laboratory, Gjøvik, Norway
2. School of Mathematics and Information Security, University of London, UK

{roberto.lopes, stephen.wolthusen}@hig.no


Post on 12-Apr-2017



Page 2

Introduction

• Using rich semantics to state security policies
  – Combining cross-layer and multi-domain security
    • Layers: NATO Information Assurance (IA) Layer
    • Domains: Protection, Detection, Response, Attack, Diligence and Planning
    • Restrictions: nodes’ specialization and connectivity

[Figure with three panels. Cross-layers: C3 Taxonomy (Communication Services, Core Enterprise Services, COI Services, User-Facing Capabilities) and IA. Multi-domain: TSI Security (Detection, Protection, Response, Diligence, Planning). Restrictions: links (WLAN, UHF, VHF, SatCom) and node types (HQ, Dismounted, Mobile, Relay).]

Policy ≡ (cross-layer ∪ multi-domain) ∩ restrictions

Page 3

Introduction

• Example of services
  – Tactical Ground Report System

[Figure: Nodes A, B and C with the services soldier localization, adversary localization, vehicle localization, live camera and aerial photos. OODA-loop labels: Observe, Orient, Decide, Act; "Observe, Orient, Decide and Act"; "Observe and Act".]

J. Evans, B. Ewy, M. Swink, S. Pennington, D. Siquieros, and S. Earp, “TIGR: the tactical ground reporting system,” IEEE Communications Magazine, vol. 51, no. 10, pp. 42–49, October 2013.

Page 4

Example of Service-Oriented Architecture

[Figure: SOA components Packet Handler, Message Handler, Service Mediator and Controller, with numbered markers 1 to 4 and the annotations "Policy management" and "Security handling".]

Page 5

Example of Service-Oriented Architecture

[Figure: SOA Platform stack (Controller, Service Mediator, Message Handler, Packet Handler) on top of the Operating System, with markers 1 and 2. <Policy Management>: Policy Manager, Privilege Management, Policy Enforcement Point, Policy Decision Point, Policy Administration Point. <Security Handling>: Cryptography, Tactical Platform Guard, Tactical Support Guard. <domains>: Detection, Diligence, Protection, Planning, Response, QoS. TSI Node with three PEPs labelled a, b and c, <a,b,c>.]

Page 6

Structured Security Policies

• Security Domains
  • Planning, Detection, Protection, Diligence, Response and Attack
• NATO Information Assurance
  • Communication, Core, Application and Inter-domain
• Rule structure
  • Conditions implying Actions
  • OODA-loop

[Figure: C3 Taxonomy (Communication Services, Core Enterprise Services, COI Services, User-Facing Capabilities) with IA; TSI Security (Detection, Protection, Response, Diligence, Planning); OODA loop (Observe, Orient, Decide, Act).]

Page 7

The nodes:

• Node A <Dismounted>: UHF, WLAN
• Node C <Mobile>: VHF, UHF, WLAN, SatCom
• Node B <Relay>: SatCom, VHF
• HQ Node D <Deployed>: SatCom, VHF, UHF, WLAN

Page 8

Structured Security Policies

– Nodes (N), Policies (P) and Security Domains (S)

[Figure: the four nodes and their links. Node A <Dismounted>: UHF, WLAN. Node C <Mobile>: VHF, UHF, WLAN, SatCom. Node B <Relay>: SatCom, VHF. HQ Node D <Deployed>: SatCom, VHF, UHF, WLAN.]

N1:P1(N1:S1)

N2:P2(N2:S2), N2:P’1(N1:R1)

Ni:Pi(Ni:Si),…, Ni:P’i-1(Ni-1:Ri-1)

Resources and # domains

Page 9

Structured Security Policies

– Nodes (N), Policies (P) and Security Domains (S)

[Figure: SecurityCore with the domains Planning, Detection, Diligence, Response and Protection attached by "is" relations and numbered 1 to 5; Nodes A, B and C, each holding a subset of the numbered domains; ontology languages shown per node: OWL DL, OWL Micro, RDFS.]

Using rich semantics…

Page 10

Rich Semantics for Policies - Web Services

[Figure: ontology of web-services security policies. Classes: MessageSecBinding, SecurityBinding, SymmetricBinding, AsymmetricBinding, TransportBinding, SecurityToken, TokenProtection, SignatureProtection, SecurityHeaderLayout, AlgorithmSuite, Timestamp. Relations: is, has, hasSignatureToken, hasEncryptionToken, hasProtectionToken, hasInitiatorToken, hasRecipientSignatureToken, hasRecipientToken, hasInitiatorEncryptionToken, hasInitiatorSignatureToken. Comparison properties: isWeakerThan, isStrongerThan, isEquivalentTo, isMoreGeneralThan, isMoreSpecificThan, hasTechDiffWith.]

Conditions:

• QoS requirements
• Information sensitivity
• Network status

Page 11

Security Policies

• Attribute-based
• Rich semantics

Allow access to resource <Service> with attribute <Sensitivity> if <Service> match BlueForceTracking and action is read

[Figure: the web-services security ontology (MessageSecBinding, SecurityBinding, SymmetricBinding, AsymmetricBinding, TransportBinding, SecurityToken, TokenProtection, SignatureProtection, SecurityHeaderLayout, AlgorithmSuite, with their "is"/"has" relations and the comparison properties isWeakerThan, isStrongerThan, isEquivalentTo, isMoreGeneralThan, isMoreSpecificThan, hasTechDiffWith), annotated with markers 1, 2, 2.1 and 2.2 and the labels "Allow or Deny" and "Stronger, Equal or Weaker".]

Page 12

Distributed Security Policies – Security Core

• (1) Multi-Domain, (2) Cross-layer and (3) Rules

[Figure: SecurityCore ontology with markers 1, 2 and 3. Rule, with "has" relations to Condition and Action. Domain: Planning, Diligence, Protection, Attack, Detection, Response. Capability <NATO’s C3 Taxonomy>: Inter-domain, Communication, Core, Application. Other labels: TSI Common, "uses" <inverse property>, NewCondition, NewAction, NewDomain, NewCapability. Ontology levels: <Foundational ontologies>, <Core reference ontologies>, <Task ontologies>.]

Page 13

Structured Security Policies - Performance

[Figure: two lists of OWL constructs, the first containing only the first four entries of the second: owl:thing, owl:intersectionOF, owl:unionOf, owl:equivalentClass, owl:equivalentProperty, owl:inverseOf, owl:functionalProperty, owl:inverseFunctionalProperty, owl:symmetricProperty, owl:transitiveProperty, owl:hasValue, owl:disjointWith, owl:sameAs, owl:differentFrom, owl:distinctMembers, owl:someValuesFrom, owl:allValuesFrom, owl:cardinality, owl:minCardinality, owl:maxCardinality. Labels: OWL-DL, 25 axioms (marker 1); OWL-lite, 20 axioms (marker 2). Flow labels: Allow, Deny, Validate, "Is valid?" (Yes / No), loop.]

Page 14

Distributed Security Policies

• Pre-distribution of policy statements
  – The system can keep versions of the policies

[Figure: two phases, Preparation (1) and Mission (2). SecurityCore <OWL DL> is distributed to Nodes A, B and C as domain ontologies: Detection <OWL lite>, Diligence <OWL lite>, Protection <OWL lite>, Diligence <RDFS>, Protection <RDFS>. Policy versions: Version Alpha, Version Bravo, Version Charlie.]

Page 15

Distributed Security Policies

• Examples of policies:

[Figure: Multi-domain (Planning, Detection, Protection, Diligence, Response, Attack) and Cross-layer (Communication, Core, Application, Inter-domain), connected to Action, Condition and NewCondition.]

Page 16

Distributed Security Policies

• Multi-domain
• Cross-layer

[Figure: Packet Handler, Message Handler and Service Mediator with markers 1, 2 and 3, connected to Action and Condition.]

Page 17

Distributed Security Policies

• Scenario: three types of nodes moving

[Figure: multi-hop network of nodes Ni-1, Ni and Ni+1 over time steps T0, T1, ... Policies per node: Pi-1; Pi(P’i-1); Pi+1(P’i-1, (P’i)). Labels: Nodes’ type, Service request, Union of security domains. HQ Node D <Deployed>: SatCom, VHF, UHF, WLAN.]

Page 18

Distributed Security Policies

• Connectivity Graph and Security Domains

Security domain numbering: 1 Detection, 2 Protection, 3 Attack, 4 Diligence, 5 Response, 6 Planning

Security domains per node:

• Ni-1 <Dismounted>: {1,2,3}
• Ni <Mobile>: {1,2,3,4,5}
• Ni+1 <Deployed>: {1,2,3,4,5,6}

[Figure: connectivity graph with link sets L1,n, L2,n and L3,n. Link labels: "UHF, VHF, SatCom"; "UHF, WLAN"; "UHF, VHF, WLAN"; "SatCom". OODA labels on the links: "Observe, Act"; "Orient, Act"; "Decide"; "Orient, Decide, Act"; "Observe, Orient, Act".]

Page 19

Distributed Security Policies

• Security domains and the OODA-loop
  – This mapping is done during the preparation

[Figure: OODA loop (Observe, Orient, Decide, Act) with the security domains Detection, Protection, Attack, Diligence, Response and Planning mapped onto its phases. Two stages: 1, Preparation <standard SOA>, "Pre-load keys and policies"; 2, Mission <distributed SOA>, "Dynamic".]

Page 20

Distributed Security Policies – OODA-loop

[Figure: devices per node type. Handheld <Dismounted>, Laptop <Mobile>, HQ Laptop <Deployed>.]

Page 21

In short

[Figure: plot of deduction capabilities (Low to High) against specialization (General to Specialized), from Server(s) and Battalion down to Sensor network(s). Node B: Detection, Diligence, Planning, Protection, Response. Node C: Detection, Diligence, Protection, Response. Node A: Detection, Diligence, Protection. Ontology languages: <OWL-DL>, <OWL-Lite>, <RDFS>. Annotations: "# policy domains increase"; "# classes, instances and axioms"; "increases"; "decreases".]

Page 22

Distributed Security Policies

Page 23

Conclusion

• OWL-DL might be suitable for security policies in tactical networks;
  – Nodes’ type demands careful design and deployment
  – But the language is flexible and distributed by design
• Critical points on policy design and deployment:
  – Policy structure and distribution over tactical networks
• The policy distribution uses the security domains and the mission context in an attempt to connect Cyber and Kinetic domains.
  – Security policies can adapt to the mission’s profile
• The nodes rely on the network connectivity to complement their security capabilities
