Policy Enforcement Framework for Web Services and Grid Operational Security
Advanced Internet Research Group Update
Yuri Demchenko <[email protected]>
AIRG, University of Amsterdam
TF-EMC2. November 4, 2004. Amsterdam AIRG Update 2004 Slide_2
Outline
- Goals
- AIRG projects and Generic AAA Architecture development
- Implementation in CNL project
- Access Control infrastructure
- Grid Operational Security and Grid Security Incident definition
Goals
- Update TF-EMC2 on AIRG research and developments
- Discuss possible approaches for early detection of security credentials compromise
AIRG projects
- Gigaport NG - NL
  - Further development of the Generic AAA architecture for policy/token based networking
- Collaboratory.nl (CNL)
  - Security Architecture for Open Collaborative Environment and RBAC
  - Considered as a use case for EGEE and OGSA
- EGEE and other Grid related projects - EU
  - Grid operational security and WS/Grid security threats analysis
  - Policy enforcement framework and Authorisation portType
  - WS-Security and OGSA Security
Generic AAA Architecture by AIRG (UvA)
Policy based Authorization decision:
  Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
  RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}
  ActionExt = {ReqAAAExt, ASMcontrol}
  ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}
[Diagram: Generic AAA server with Policy, Request/Response and ASM (Application Specific Module) components]
ASM (defined by the Resource owner):
- Translate Decision => Action
- Translate State => Condition
- with logging (diagram label "log")
Generic AAA implementations
- Bandwidth-on-demand (BoD) for optical network
  - Using driving policy approach for multidomain optical path building
- Access control and privilege management for Collaborative environment
  - Policy/role based access control to experimental equipment and resources
- Authorisation Web Service and Authorisation portType for Grid applications
  - Policy binding to Web/Grid service definition
- Technology background
  - AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format
  - XML Web Services
  - Attempting to use WSRF and trying to avoid OGSI and ProxyCert
Distributed Security Architecture for Collaborative environment
- Based on the Job-centric security model
- Extended RBAC functionality including RBAC administration terminal (using GAAA Toolkits)
- XACML based policy exchange and integration
- Uses WS-Security Framework and OGSA/WSRF
- Policy binding to WSDL and AuthZ portType definition
- VO functionality - policy based user and resource management
- Proxy-Certificate (Grid approach) vs SAML security credentials management
Security built around Job description
- Job Description as a semantic object defining Job attributes and User attributes
- Requires document based or semantic oriented Security paradigm
- Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI
[Diagram components: OrderDescr; JobDescr (Job#, Job Attributes, Job Priority; User list, User roles/attr, Admin RBAC); Scheduler/JobMngr; AccessCtr (AuthN/Z) with UserDB and Policy]
XACML implementation library for CNL
- Contains specific modules for AAA services PEP, PDP, PAP and XACML messaging
- Implemented in Java
- Policy editor in XACML
  - XACML provides a standard solution for RBAC with powerful policy combination functionality
  - Version 0.1 is available for policy construction and translating to AAA-policy format
- Set of typical policy profiles in XACML (with corresponding profiles in AAA) are under development
Main components and dataflow in RBAC/PMI
- PEP (Policy Enforcement Point) / AEF (Authorisation Enforcement Function)
- PDP (Policy Decision Point) / ADF (Authorisation Decision Function)
- PIP (Policy Information Point) / AA (Attribute Authority)
- PA (Policy Authority)
GAAA API flow diagram (implements RBAC)
GAAAPI implementation – XACML Request message format (1)
GAAAPI implementation – XACML Request message format (2)
<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD http://146.50.22.64/CNLdemo1.xsd"
    version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>[email protected]</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource>
    <ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID>
  </Resource>
  <Action>
    <ActionID>ControlInstrument</ActionID>
  </Action>
</AAA:AAARequest>
GAAAPI implementation – XACML Response message format (1)
GAAAPI implementation – XACML Response message format (2)
<?xml version="1.0" encoding="UTF-8"?>
<!-- xmlns:AAA declaration assumed to be the same namespace as in the request; the slide omitted it -->
<AAA:AAAResponse xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
  <Result ResourceId="String">
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="OK"/>
      <StatusMessage>Request successful</StatusMessage>
    </Status>
  </Result>
</AAA:AAAResponse>
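A minimal PDP in Python for the AAARequest/AAAResponse layouts shown on the two message-format slides above, added here as an example and not the CNL library's own Java code: it parses a request, applies a constructed role/resource/action policy following RBE(Req + Policy) => Decision, and serialises a response, failing closed (Deny) on malformed input. The POLICY table, the sample request values and the evaluate() entry point are assumptions.

```python
import xml.etree.ElementTree as ET

AAA_NS = "http://www.AAA.org/ns/AAA_BoD"   # namespace from the request slide
ET.register_namespace("AAA", AAA_NS)
# Constructed role-based policy: (Role, ResourceID) -> permitted ActionIDs.
# Hypothetical stand-in for the XACML policies the CNL library evaluates.
POLICY = {
    ("Analyst", "http://resources.collaboratory.nl/Phillips_XPS1"):
        {"ViewExperiment", "ControlInstrument"},
}
# Constructed request in the slide's AAARequest layout (values are made up).
SAMPLE_REQUEST = """<AAA:AAARequest xmlns:AAA="%s" version="0.1" type="CNLdemo1">
 <Subject><SubjectID>analyst@example.org</SubjectID><Role>Analyst</Role>
  <JobID>JobID-XPS1-212</JobID><Token>constructed-token</Token></Subject>
 <Resource><ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID></Resource>
 <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>""" % AAA_NS

def parse_request(xml_text):
    """Extract Subject/Resource/Action; the child elements carry no namespace."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AAARequest" % AAA_NS:
        raise ValueError("not an AAARequest document")
    subj = root.find("Subject")
    return {"subject": subj.findtext("SubjectID"), "role": subj.findtext("Role"),
            "resource": root.find("Resource").findtext("ResourceID").strip(),
            "action": root.find("Action").findtext("ActionID")}

def decide(req, policy=POLICY):
    """RBE(Req + Policy) => Decision: Permit only on an explicit policy match."""
    allowed = policy.get((req["role"], req["resource"]), set())
    return "Permit" if req["action"] in allowed else "Deny"

def build_response(resource, decision, status_code, message):
    """Serialise the AAAResponse layout from the slide (Result/Decision/Status)."""
    root = ET.Element("{%s}AAAResponse" % AAA_NS, version="0.0")
    result = ET.SubElement(root, "Result", ResourceId=resource)
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", Value=status_code)
    ET.SubElement(status, "StatusMessage").text = message
    return ET.tostring(root, encoding="unicode")

def evaluate(xml_text):
    """PEP entry point: malformed or incomplete requests fail closed with Deny."""
    try:
        req = parse_request(xml_text)
    except (ET.ParseError, AttributeError, ValueError) as exc:
        return build_response("unknown", "Deny", "Error", "Malformed request: %s" % exc)
    decision = decide(req)
    return build_response(req["resource"], decision, "OK",
                          "Request successful" if decision == "Permit" else "Denied by policy")
```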
Binding policy to WSDL service description
WS-PolicyAttachment defines two mechanisms that together allow binding policy to the WSDL components (portType, Operation, Message):
- wsp:PolicyRefs="URI | QName"
- <wsp:UsingPolicy wsdl:Required="true"/>
Binding policy to WSDL - Example
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
    xmlns:cnl="http://cnl.telin.nl/cnl"
    xmlns:policy="cnl-policy-schema.xsd"
    targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="coordinateX" type="xs:string"/>
    <part name="coordinateY" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>
  <<< snip >>>>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>
Security related activities in EGEE - FYI
- EGEE – Enabling Grids for E-sciencE
  - JRA3 – Security
  - MWSG – Middleware Security Group
  - JSPG – Joint (with LCG and OSG) Security Policy Group
  - OSG Incident Handling Activity
- Recent Security related deliverables
  - Grid User/Site Security Requirements – MJRA3.1 (https://edms.cern.ch/document/485295/1)
  - Global Security Architecture (GSA) rev. 1 – DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
  - Grid Security Incident definition and exchange format – MJRA3.4
    - Ongoing development, current version: https://edms.cern.ch/document/501422/1
    - As a part of joint OSG/LCG/EGEE Operational Security activity
Grid Security Incident (GSInc) definition
- GSInc definition
  - Depends on the scope and range of the Security Policy, ULA, or SLA - TODO
  - Should be based on threats analysis and vulnerabilities model – MJRA3.4
  - Should be based on Grid processes/workflow analysis - TODO
- GSInc definition is a base for the GSInc description format
  - What information should be collected and how to exchange and handle it
  - Requirements to Events logging and Intrusion/compromise detection
  - Common format is a basis for community wide statistics and coordinated response
  - Incident statistics provide feedback for the Security Policy improvement
Note. Grid Security model is based on delegation of security credentials to a service
Security credentials related GSInc and audit events
- Security credentials compromise (e.g., private key, proxy credentials, etc.)
  - patterns of credential usage
  - broken chain of PKC/keys/credentials
  - a copy is discovered in an improper place
  - originated not from the default location
  - sequential failed attempts to request action(s)
- PDP/PEP logging/audit
- Remaining problems and topics for discussion
  - How to define at the early stage that a private key has been compromised?
  - May require credentials storing (not caching) and adding history/evidence chain to credentials format
    - X.509 credentials are not capable of this
    - Does SAML have the required functionality?
Note: Audit/log events together with related data can also be referred to as Evidence
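To make the audit-event patterns listed above concrete, an added Python example (not part of the original slides) that runs three of them over constructed PDP/PEP audit lines: a credential used from somewhere other than its default origin, the same credential active from two hosts within a short window, and a run of denied requests. The log line format, the field names and the DEFAULT_ORIGIN table are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed PDP/PEP audit records (not a real GAAA log format), one per line:
# timestamp  credential id  subject  origin host  requested action  PDP decision
AUDIT_LOG = """\
2004-11-04T09:00:01 tok-212 analyst@example.org host-a.cnl ViewExperiment Permit
2004-11-04T09:00:40 tok-212 analyst@example.org host-a.cnl ControlInstrument Permit
2004-11-04T09:01:05 tok-212 analyst@example.org host-z.example.net ControlInstrument Deny
2004-11-04T09:01:09 tok-212 analyst@example.org host-z.example.net ControlInstrument Deny
2004-11-04T09:01:12 tok-212 analyst@example.org host-z.example.net StopExperiment Deny
2004-11-04T09:05:00 tok-300 guest@example.org host-b.cnl ViewExperiment Permit
"""
# Host each credential was issued to (constructed); use elsewhere is an indicator.
DEFAULT_ORIGIN = {"tok-212": "host-a.cnl", "tok-300": "host-b.cnl"}

def parse_log(text):
    """Turn the audit lines into dicts, sorted by timestamp."""
    recs = []
    for line in text.splitlines():
        ts, tok, subj, origin, action, decision = line.split()
        recs.append({"ts": datetime.fromisoformat(ts), "token": tok, "subject": subj,
                     "origin": origin, "action": action, "decision": decision})
    return sorted(recs, key=lambda r: r["ts"])

def detect(records, max_denies=3, window_s=60):
    """Return (credential, indicator, detail) events for the patterns on the slide."""
    events, by_token = [], defaultdict(list)
    for r in records:
        by_token[r["token"]].append(r)
    for tok, recs in by_token.items():
        # Pattern: credential did not originate from its default location.
        for r in recs:
            if r["origin"] != DEFAULT_ORIGIN.get(tok):
                events.append((tok, "non-default-origin", r["origin"]))
                break
        # Pattern: the same credential active from two hosts within the window
        # (a copied credential in use somewhere it should not be).
        for prev, cur in zip(recs, recs[1:]):
            if cur["origin"] != prev["origin"] and \
               (cur["ts"] - prev["ts"]).total_seconds() <= window_s:
                events.append((tok, "multi-host-use", "%s -> %s" % (prev["origin"], cur["origin"])))
                break
        # Pattern: a run of consecutive denied requests (sequential failed attempts).
        run = 0
        for r in recs:
            run = run + 1 if r["decision"] == "Deny" else 0
            if run == max_denies:
                events.append((tok, "repeated-denied-requests", r["ts"].isoformat()))
    return events
```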
Discussion: security credentials compromise detection
- How to define at the early stage that a private key or other security credentials have been compromised?
- Will it require credentials storing (not caching) and adding history/evidence chain to credentials format?
  - X.509 credentials are not capable of this
  - Does SAML have the required functionality?