Policy Enforcement Framework for Web Services and Grid Operational Security
Advanced Internet Research Group Update
Yuri Demchenko <[email protected]>
AIRG, University of Amsterdam
Outline
Goals
AIRG projects and Generic AAA Architecture development
Implementation in CNL project Access Control infrastructure
Grid Operational Security and Grid Security Incident definition
TF-EMC2. November 4, 2004. Amsterdam
AIRG Update 2004
Slide_2
Goals
Update TF-EMC2 on AIRG research and developments
Discuss possible approaches for early detection of security credentials compromise
AIRG projects
Gigaport NG - NL
Further development of the Generic AAA architecture for policy/token based networking
Collaboratory.nl (CNL)
Security Architecture for Open Collaborative Environment and RBAC
Considered as a use case for EGEE and OGSA
EGEE and other Grid related projects - EU
Grid operational security and WS/Grid security threats analysis
Policy enforcement framework and Authorisation portType
WS-Security and OGSA Security
Generic AAA Architecture by AIRG (UvA)
[Figure: policy based authorization decision. Request/Response exchanges between the Generic AAA component, Policy (defined by the Resource owner) and ASM components. Notation from the diagram:]
Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}
ActionExt = {ReqAAAExt, ASMcontrol}
ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}
Translate logDecision => Action
Translate State => LogCondition
Generic AAA implementations
Bandwidth-on-demand (BoD) for optical network
Using driving policy approach for multidomain optical path building
Access control and privilege management for Collaborative environment
Policy/role based access control to experimental equipment and resources
Authorisation Web Service and Authorisation portType for Grid applications
Policy binding to Web/Grid service definition
Technology background
AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format
XML Web Services
– Attempting to use WSRF and trying to avoid OGSI and ProxyCert
Distributed Security Architecture for Collaborative environment
Based on the Job-centric security model
Extended RBAC functionality including RBAC administration terminal (using GAAA Toolkits)
XACML based policy exchange and integration
Uses WS-Security Framework and OGSA/WSRF
Policy binding to WSDL and AuthZ portType definition
VO functionality - policy based user and resource management
Proxy-Certificate (Grid approach) vs SAML security credentials management
Security built around Job description
[Figure: Order -> Descr -> JobDescr (Job#, Job Attributes, Job Priority, User list, User roles/attr, Admin RBAC), consumed by Scheduler/JobMngr and AccessCtr (AuthN/Z) backed by UserDB and Policy.]
Job Description as a semantic object defining Job attributes and User attributes
Requires document based or semantic oriented Security paradigm
Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI
XACML implementation library for CNL
Contains specific modules for AAA services
PEP, PDP, PAP and XACML messaging
Implemented in Java
Policy editor in XACML
XACML provides a standard solution for RBAC with powerful policy combination functionality
Version 0.1 is available for policy construction and translating to AAA-policy format
Set of typical policy profiles in XACML (with corresponding profiles in AAA) are under development
Main components and dataflow in RBAC/PMI
PEP (Policy Enforcement Point) / AEF (authorisation enforcement function)
PDP (Policy Decision Point) / ADF (authorisation decision function)
PIP (Policy Information Point) / AA (Attribute Authority)
PA – Policy Authority
GAAA API flow diagram (implements RBAC)
GAAAPI implementation – XACML Request message format (1)
GAAAPI implementation – XACML Request message format (2)
<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD http://146.50.22.64/CNLdemo1.xsd"
    version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>[email protected]</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource>
    <ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID>
  </Resource>
  <Action>
    <!-- closing tag corrected: the element is ActionID, not AttributeID -->
    <ActionID>ControlInstrument</ActionID>
  </Action>
</AAA:AAARequest>
GAAAPI implementation – XACML Response message format (1)
GAAAPI implementation – XACML Response message format (2)
<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAAResponse xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
  <Result ResourceId="String">
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="OK"/>
      <StatusMessage>Request successful</StatusMessage>
    </Status>
  </Result>
</AAA:AAAResponse>
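As an added illustration (not the GAAAPI library's own code), the following Python parses a request in the AAARequest layout shown above, evaluates it against a constructed (role, resource) -> actions table with default deny, and serialises the decision in the AAAResponse layout. The policy table, the subject address and the token value are assumed sample data.

```python
import xml.etree.ElementTree as ET

AAA_NS = "http://www.AAA.org/ns/AAA_BoD"
ET.register_namespace("AAA", AAA_NS)   # keep the AAA: prefix when serialising

# Constructed policy table, not the CNL policy: (role, resource) -> allowed actions
POLICY = {
    ("Analyst", "http://resources.collaboratory.nl/Phillips_XPS1"):
        {"ViewExperiment", "ControlInstrument"},
    ("Guest", "http://resources.collaboratory.nl/Phillips_XPS1"): {"ViewExperiment"},
}

# Constructed request in the slide's format (subject and token are placeholders)
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD" version="0.1" type="CNLdemo1">
  <Subject><SubjectID>analyst@cnl.example</SubjectID><Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID><Token>PLACEHOLDER-TOKEN</Token></Subject>
  <Resource><ResourceID> http://resources.collaboratory.nl/Phillips_XPS1 </ResourceID></Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>"""

def parse_request(xml_text):
    """Extract the AAARequest fields; surrounding whitespace (as in ResourceID) is stripped."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AAARequest" % AAA_NS:
        raise ValueError("not an AAA:AAARequest")
    fields = {}
    for key, path in (("subject", "Subject/SubjectID"), ("role", "Subject/Role"),
                      ("job", "Subject/JobID"), ("resource", "Resource/ResourceID"),
                      ("action", "Action/ActionID")):
        node = root.find(path)
        if node is None or not (node.text or "").strip():
            raise ValueError("missing element " + path)
        fields[key] = node.text.strip()
    return fields

def decide(req):
    """Default deny: Permit only if the (role, resource) entry lists the action."""
    if req["action"] in POLICY.get((req["role"], req["resource"]), set()):
        return ("Permit", "OK", "Request successful")
    return ("Deny", "OK", "Action not permitted for this role on this resource")

def build_response(req, decision):
    """Serialise the decision in the slide's AAAResponse layout."""
    verdict, code, message = decision
    root = ET.Element("{%s}AAAResponse" % AAA_NS, version="0.0")
    result = ET.SubElement(root, "Result", ResourceId=req["resource"])
    ET.SubElement(result, "Decision").text = verdict
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", Value=code)
    ET.SubElement(status, "StatusMessage").text = message
    return ET.tostring(root, encoding="unicode")
```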
Binding policy to WSDL service description
WS-PolicyAttachment defines two mechanisms that together allow policy to be bound to the WSDL components (portType, Operation, Message):
wsp:PolicyRefs="URI | QName"
<wsp:UsingPolicy wsdl:Required="true"/>
Binding policy to WSDL - Example
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
    xmlns:cnl="http://cnl.telin.nl/cnl" xmlns:policy="cnl-policy-schema.xsd"
    targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="coordinateX" type="xs:string"/>
    <part name="coordinateY" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>
  <<< snip >>>>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>
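One check a deployer would want before trusting such a binding, added here as an example that is not CNL project code: walk the WSDL, confirm that wsp:UsingPolicy is marked wsdl:Required, list every message, portType and operation without a wsp:PolicyRefs, and flag references the PDP cannot resolve. The sample WSDL and the set of known policy files are constructed; the sample also declares the wsdl prefix so that wsdl:Required parses.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSP_NS = "http://schemas.xmlsoap.org/ws/2002/12/policy"

# Constructed WSDL modelled on the slide; one reference resolves, one does not,
# and one message carries no policy reference at all.
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
  xmlns:xs="http://www.w3.org/2001/XMLSchema"
  xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
  targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
  </message>
  <message name="ControlInstrumentRequest" wsp:PolicyRefs="cnl-policy-missing.xml">
    <part name="JobID" type="xs:string"/>
  </message>
  <message name="StatusRequest">
    <part name="JobID" type="xs:string"/>
  </message>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>"""

# Constructed: policy documents the PDP is actually able to load
KNOWN_POLICIES = {"cnl-policy-02example.xml"}

def check_policy_binding(wsdl_text, known_policies):
    """Return (component name, problem) findings for the WSDL's policy attachments."""
    root = ET.fromstring(wsdl_text)
    findings = []
    using = root.find("{%s}UsingPolicy" % WSP_NS)
    if using is None or using.get("{%s}Required" % WSDL_NS) != "true":
        findings.append(("definitions", "wsp:UsingPolicy wsdl:Required=\"true\" is absent"))
    for tag in ("message", "portType", "operation"):
        for comp in root.iter("{%s}%s" % (WSDL_NS, tag)):
            name = comp.get("name", "?")
            refs = comp.get("{%s}PolicyRefs" % WSP_NS)
            if refs is None:
                findings.append((name, "no policy attached (no wsp:PolicyRefs)"))
                continue
            for ref in refs.split():
                if ref not in known_policies:
                    findings.append((name, "unresolvable policy reference " + ref))
    return findings
```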
Security related activities in EGEE - FYI
EGEE – Enabling Grids for E-sciencE
JRA3 – Security
MWSG – Middleware Security Group
JSPG – Joint with LCG and OSG Security Policy Group
OSG Incident Handling Activity
Recent Security related deliverables
Grid User/Site Security Requirements – MJRA3.1
(https://edms.cern.ch/document/485295/1)
Global Security Architecture (GSA) rev. 1 - DJRA3.1
(https://edms.cern.ch/document/487004/1.1)
Grid Security Incident definition and exchange format – MJRA3.4
Ongoing development, current version - https://edms.cern.ch/document/501422/1
As a part of joint OSG/LCG/EGEE Operational Security activity
Grid Security Incident (GSInc) definition
GSInc definition
Depends on the scope and range of the Security Policy, ULA, or SLA - TODO
Should be based on threats analysis and vulnerabilities model – MJRA3.4
Should be based on Grid processes/workflow analysis - TODO
GSInc definition is a base for GSInc description format
What information should be collected and how to exchange and handle it
Requirements to Events logging and Intrusion/compromise detection
A common format is the basis for community-wide statistics and coordinated response
Incident statistics provide feedback for Security Policy improvement
Note. The Grid Security model is based on delegation of security credentials to a service
Security credentials related GSInc and audit events
Security credentials compromise (e.g., private key, proxy credentials, etc.) may be indicated by:
patterns of credential usage
a broken chain of PKC/keys/credentials
a copy discovered in an improper place
use originating from other than the default location
a sequence of failed attempts to request action(s)
PDP/PEP logging/audit
Remaining problems and topics for discussion
How to determine at an early stage that a private key has been compromised?
May require credentials storing (not caching) and adding a history/evidence chain to the credentials format
X.509 credentials are not capable of this
Does SAML have the required functionality?
Note: Audit/log events together with related data can be also referred to as an Evidence
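As an added example that is not part of the AIRG or EGEE work, the following Python applies three of the indicators listed above to constructed PDP/PEP audit events: a credential used from somewhere other than its default location, the same credential presented from two hosts within a short window, and a run of denied requests. The event layout, hostnames, credential ids and thresholds are all assumptions.

```python
from collections import defaultdict

# Constructed PDP/PEP audit events: (time_s, credential_id, origin_host, decision)
EVENTS = [
    (100, "tok-A", "ws1.cnl.example", "Permit"),
    (160, "tok-A", "ws1.cnl.example", "Permit"),
    (170, "tok-A", "gw9.elsewhere.example", "Permit"),  # same credential, other host
    (200, "tok-B", "ws2.cnl.example", "Deny"),
    (210, "tok-B", "ws2.cnl.example", "Deny"),
    (215, "tok-B", "ws2.cnl.example", "Deny"),
    (300, "tok-C", "ws3.cnl.example", "Permit"),
]
# Constructed: the host each credential was issued to, i.e. its default location
ISSUED_TO = {"tok-A": "ws1.cnl.example", "tok-B": "ws2.cnl.example", "tok-C": "ws3.cnl.example"}

def group_by_credential(events):
    grouped = defaultdict(list)
    for ev in sorted(events):          # tuples sort by time first
        grouped[ev[1]].append(ev)
    return grouped

def detect(events, issued_to, fail_limit=3, fail_window=60, concurrent_window=300):
    """Return (credential_id, indicator, detail) tuples for the three patterns."""
    alerts = []
    for cred, evs in group_by_credential(events).items():
        home = issued_to.get(cred)
        # 1. credential presented from somewhere other than its default location
        foreign = sorted({h for _, _, h, _ in evs if home and h != home})
        if foreign:
            alerts.append((cred, "non-default-location", ",".join(foreign)))
        # 2. presented from two different hosts within concurrent_window seconds
        for i, (t1, _, h1, _) in enumerate(evs):
            others = [h2 for t2, _, h2, _ in evs[i + 1:]
                      if t2 - t1 <= concurrent_window and h2 != h1]
            if others:
                alerts.append((cred, "concurrent-use", h1 + "," + others[0]))
                break
        # 3. fail_limit denied requests inside fail_window seconds
        denied = [t for t, _, _, d in evs if d == "Deny"]
        if any(denied[i + fail_limit - 1] - denied[i] <= fail_window
               for i in range(len(denied) - fail_limit + 1)):
            alerts.append((cred, "repeated-failures",
                           "%d denials within %ds" % (fail_limit, fail_window)))
    return alerts
```

Each alert is only a trigger for collecting the related audit data as evidence; which of the indicators is decisive depends on the site's policy.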
Discussion: security credentials compromise detection
How to determine at an early stage that a private key or other security credentials have been compromised?
Will it require credentials storing (not caching) and adding a history/evidence chain to the credentials format?
X.509 credentials are not capable of this
Does SAML have the required functionality?