Policy Enforcement Framework for Web Services and Grid Operational Security
Advanced Internet Research Group Update
Yuri Demchenko <demch@science.uva.nl>, AIRG, University of Amsterdam
Outline
• Goals
• AIRG projects and Generic AAA Architecture development
• Implementation in the CNL project Access Control infrastructure
• Grid Operational Security and Grid Security Incident definition
AIRG Update 2004
Goals
• Update TF-EMC2 on AIRG research and developments
• Discuss possible approaches for early detection of security credential compromise
AIRG projects
• Gigaport NG (NL)
  – Further development of the Generic AAA architecture for policy/token based networking
• Collaboratory.nl (CNL)
  – Security Architecture for an Open Collaborative Environment and RBAC
  – Considered as a use case for EGEE and OGSA
• EGEE and other Grid related projects (EU)
  – Grid operational security and WS/Grid security threat analysis
  – Policy enforcement framework and Authorisation portType
  – WS-Security and OGSA Security
Generic AAA Architecture by AIRG (UvA)
[Figure: chain of Generic AAA servers exchanging Request/Response messages, each with its own Policy and Application Specific Module (ASM)]
• Policy based Authorization decision
  – Req = {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
  – RBE (Req + Policy) => Decision = {ResponseAAA, ActionExt}
  – ActionExt = {ReqAAAExt, ASMcontrol}
  – ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}
• Policy defined by the Resource owner
• ASM: translate logDecision => Action; translate State => LogCondition
Generic AAA implementations
• Bandwidth-on-demand (BoD) for optical networks
  – Using the driving policy approach for multidomain optical path building
• Access control and privilege management for a collaborative environment
  – Policy/role based access control to experimental equipment and resources
• Authorisation Web Service and Authorisation portType for Grid applications
  – Policy binding to the Web/Grid service definition
• Technology background
  – AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format
  – XML Web Services
  – Attempting to use WSRF while avoiding OGSI and proxy certificates
Distributed Security Architecture for a Collaborative environment
• Based on the Job-centric security model
• Extended RBAC functionality including an RBAC administration terminal (using GAAA Toolkits)
• XACML based policy exchange and integration
• Uses the WS-Security framework and OGSA/WSRF
• Policy binding to WSDL and AuthZ portType definition
• VO functionality: policy based user and resource management
• Proxy Certificate (Grid approach) vs SAML security credentials management
Security built around the Job description
[Figure: Scheduler/JobMngr produces the JobDescr (Job#, Job Attributes, Job Priority; User list, User roles/attr) from an OrderDescr; Admin RBAC, AccessCtr (AuthN/Z), UserDB and Policy are attached to the Job description]
• Job Description as a semantic object defining Job attributes and User attributes
• Requires a document based or semantic oriented security paradigm
• Trust domain based on a Business Agreement (BA) or Trust Agreement (TA) via PKI
XACML implementation library for CNL
• Contains specific modules for AAA services
  – PEP, PDP, PAP and XACML messaging
• Implemented in Java
• Policy editor in XACML
• XACML provides a standard solution for RBAC with powerful policy combination functionality
• Version 0.1 is available for policy construction and translation to the AAA policy format
• A set of typical policy profiles in XACML (with corresponding profiles in AAA) is under development
Main components and dataflow in RBAC/PMI
• PEP (Policy Enforcement Point) / AEF (Authorisation Enforcement Function)
• PDP (Policy Decision Point) / ADF (Authorisation Decision Function)
• PIP (Policy Information Point) / AA (Attribute Authority)
• PA – Policy Authority
GAAA API flow diagram (implements RBAC)
GAAAPI implementation – XACML Request message format (1)
GAAAPI implementation – XACML Request message format (2)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD http://146.50.22.64/CNLdemo1.xsd"
    version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>WHO740@users.collaboratory.nl</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <!-- AuthN token issued for this subject/job; the PDP checks it before the role -->
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource>
    <ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID>
  </Resource>
  <Action>
    <!-- the slide closed this element with </AttributeID>; corrected to match its opening tag -->
    <ActionID>ControlInstrument</ActionID>
  </Action>
</AAA:AAARequest>
```
GAAAPI implementation – XACML Response message format (1)
GAAAPI implementation – XACML Response message format (2)

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- xmlns:AAA declaration added for well-formedness; the slide used the prefix without declaring it -->
<AAA:AAAResponse xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
  <Result ResourceId="String">
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="OK"/>
      <StatusMessage>Request successful</StatusMessage>
    </Status>
  </Result>
</AAA:AAAResponse>
```
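The PEP/PDP dataflow behind the two message formats above, as an added example (not code from the GAAA Toolkit or the CNL project). The element names, the sample request and the "OK" status follow the slides; the policy table, the issued-token table, the other status codes and every function name are constructed for this example. The PDP binds the AuthN token to the subject and JobID before it looks at the role, so a token lifted from one job cannot be replayed under another, and the PEP fails closed on anything that is not an explicit Permit:

```python
"""PEP/PDP round trip over the CNL-style AAARequest/AAAResponse format (added example)."""
import xml.etree.ElementTree as ET

AAA_NS = "http://www.AAA.org/ns/AAA_BoD"
ET.register_namespace("AAA", AAA_NS)

# Constructed policy: (resource, action) -> roles permitted. Stands in for
# policies produced by the XACML policy editor and translated to AAA format.
POLICY = {
    ("http://resources.collaboratory.nl/Phillips_XPS1", "ControlInstrument"): {"Analyst", "Operator"},
    ("http://resources.collaboratory.nl/Phillips_XPS1", "ViewExperiment"): {"Analyst", "Operator", "Guest"},
}

# Constructed record of issued AuthN tokens: token -> (subject, job) it was issued for.
ISSUED_TOKENS = {
    "2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90": ("WHO740@users.collaboratory.nl", "JobID-XPS1-212"),
}

# Sample request rebuilt from the slide (child elements carry no namespace there).
SAMPLE_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="{AAA_NS}" version="0.1" type="CNLdemo1">
  <Subject>
    <SubjectID>WHO740@users.collaboratory.nl</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource><ResourceID>
    http://resources.collaboratory.nl/Phillips_XPS1
  </ResourceID></Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>"""


def _text(parent, name):
    """Stripped text of a required child element, or ValueError if absent/empty."""
    node = parent.find(name)
    if node is None or node.text is None or not node.text.strip():
        raise ValueError(f"missing <{name}>")
    return node.text.strip()


def parse_request(xml_text):
    """Parse an AAARequest into a flat dict; reject anything that is not one."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{AAA_NS}}}AAARequest":
        raise ValueError("root element is not AAA:AAARequest")
    subject, resource, action = root.find("Subject"), root.find("Resource"), root.find("Action")
    if subject is None or resource is None or action is None:
        raise ValueError("Subject, Resource and Action are all required")
    return {
        "subject": _text(subject, "SubjectID"),
        "role": _text(subject, "Role"),
        "job": _text(subject, "JobID"),
        "token": _text(subject, "Token"),
        "resource": _text(resource, "ResourceID"),
        "action": _text(action, "ActionID"),
    }


def decide(req):
    """PDP: evaluate against ISSUED_TOKENS then POLICY. Returns (Decision, StatusCode, StatusMessage)."""
    issued = ISSUED_TOKENS.get(req["token"])
    if issued is None:
        return "Deny", "InvalidToken", "Unknown or revoked AuthN token"   # constructed code
    if issued != (req["subject"], req["job"]):
        return "Deny", "TokenMismatch", "Token was not issued for this subject/job"
    permitted = POLICY.get((req["resource"], req["action"]))
    if permitted is None:
        return "NotApplicable", "NoPolicy", "No policy for this resource/action"
    if req["role"] in permitted:
        return "Permit", "OK", "Request successful"
    return "Deny", "RoleNotPermitted", f"role {req['role']} may not {req['action']}"


def build_response(decision, code, message, resource_id):
    """Serialise an AAAResponse in the layout shown on the slide."""
    resp = ET.Element(f"{{{AAA_NS}}}AAAResponse", version="0.0")
    result = ET.SubElement(resp, "Result", ResourceId=resource_id)
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", Value=code)
    ET.SubElement(status, "StatusMessage").text = message
    return ET.tostring(resp, encoding="unicode")


def pep_handle(xml_text):
    """PEP: parse, ask the PDP, enforce. Returns (action_released, response_xml).

    Fails closed: a malformed request or any decision other than Permit keeps the action blocked.
    """
    try:
        req = parse_request(xml_text)
    except (ET.ParseError, ValueError) as err:
        return False, build_response("Indeterminate", "MalformedRequest", str(err), "")
    decision, code, message = decide(req)
    return decision == "Permit", build_response(decision, code, message, req["resource"])
```

Calling `pep_handle(SAMPLE_REQUEST)` releases the action and returns the Permit response; swapping the role for Guest, the JobID for another job, or the token for an unknown one all yield a Deny with a distinct status code, which is what the PEP/PDP audit trail later needs in order to tell a policy miss from a credential problem.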
Binding policy to WSDL service description
• WS-PolicyAttachment defines two mechanisms that together allow policy to be bound to WSDL components (portType, Operation, Message):
  – wsp:PolicyRefs="URI | QName"
  – <wsp:UsingPolicy wsdl:Required="true"/>
Binding policy to WSDL - Example

```xml
<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
    xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
    xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
    xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
    xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
    xmlns:cnl="http://cnl.telin.nl/cnl"
    xmlns:policy="cnl-policy-schema.xsd"
    targetNamespace="http://cnl.telin.nl/cnl">
  <!-- policy attached to a single message via wsp:PolicyRefs -->
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/>
    <part name="coordinateX" type="xs:string"/>
    <part name="coordinateY" type="xs:string"/>
    <part name="zoom" type="xs:int"/>
  </message>
  <<< snip >>>>
  <!-- consumers that do not understand the attached policies must reject the WSDL -->
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>
```
Security related activities in EGEE (FYI)
• EGEE – Enabling Grids for E-sciencE
  – JRA3 – Security
  – MWSG – Middleware Security Group
  – JSPG – Joint Security Policy Group, with LCG and OSG
  – OSG Incident Handling Activity
• Recent Security related deliverables
  – Grid User/Site Security Requirements – MJRA3.1 (https://edms.cern.ch/document/485295/1)
  – Global Security Architecture (GSA) rev. 1 – DJRA3.1 (https://edms.cern.ch/document/487004/1.1)
  – Grid Security Incident definition and exchange format – MJRA3.4
    · Ongoing development, current version: https://edms.cern.ch/document/501422/1
    · Part of the joint OSG/LCG/EGEE Operational Security activity
Grid Security Incident (GSInc) definition
• GSInc definition
  – Depends on the scope and range of the Security Policy, ULA or SLA (TODO)
  – Should be based on threat analysis and a vulnerabilities model (MJRA3.4)
  – Should be based on Grid processes/workflow analysis (TODO)
• The GSInc definition is the basis for the GSInc description format
  – What information should be collected, and how to exchange and handle it
  – Requirements on event logging and intrusion/compromise detection
• A common format is the basis for community-wide statistics and coordinated response
  – Incident statistics provide feedback for Security Policy improvement
• Note: the Grid security model is based on delegation of security credentials to a service
Security credentials related GSInc and audit events
• Security credential compromise (e.g., private key, proxy credentials, etc.) – indicators:
  – patterns of credential usage
  – broken chain of PKC/keys/credentials
  – a copy is discovered in an improper place
  – use originating from somewhere other than the default location
  – a sequence of failed attempts to request action(s)
  – PDP/PEP logging/audit
• Remaining problems and topics for discussion
  – How to determine at an early stage that a private key has been compromised?
  – May require credential storing (not caching) and adding a history/evidence chain to the credential format
    · X.509 credentials are not capable of this
    · Does SAML have the required functionality?
• Note: audit/log events together with related data can also be referred to as Evidence
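Three of the indicators listed above (usage pattern, use from other than the default location, a sequence of failed action requests) evaluated over PDP/PEP audit events, as an added example that is not EGEE, OSG or AIRG code. The audit line layout, the registered-origin table, the thresholds and all tokens and subjects other than WHO740/JobID-XPS1-212 are constructed here; a real deployment would take the expected origin from the Job description and the events from the PEP/PDP audit log:

```python
"""Early indicators of compromised delegated credentials from PEP/PDP audit events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Registered origin per job: the host a job's delegated credential is expected to
# be used from (constructed; stands in for data from the Job description).
EXPECTED_ORIGIN = {
    "JobID-XPS1-212": {"ws1.collaboratory.nl"},
    "JobID-XPS1-213": {"ws2.collaboratory.nl"},
    "JobID-XPS1-214": {"ws3.collaboratory.nl"},
}

# Constructed audit trail: ts token subject job source action decision.
# tokA is used from its workstation and, minutes later, from an outside address;
# tokB is denied three times in a row; tokC behaves normally.
AUDIT_LOG = """\
2004-10-04T09:00:05 tokA WHO740@users.collaboratory.nl JobID-XPS1-212 ws1.collaboratory.nl ControlInstrument Permit
2004-10-04T09:02:10 tokA WHO740@users.collaboratory.nl JobID-XPS1-212 ws1.collaboratory.nl ViewExperiment Permit
2004-10-04T09:03:30 tokA WHO740@users.collaboratory.nl JobID-XPS1-212 198.51.100.23 ControlInstrument Permit
2004-10-04T09:10:00 tokB WHO741@users.collaboratory.nl JobID-XPS1-213 ws2.collaboratory.nl ControlInstrument Deny
2004-10-04T09:10:05 tokB WHO741@users.collaboratory.nl JobID-XPS1-213 ws2.collaboratory.nl ControlInstrument Deny
2004-10-04T09:10:09 tokB WHO741@users.collaboratory.nl JobID-XPS1-213 ws2.collaboratory.nl ControlInstrument Deny
2004-10-04T09:20:00 tokC WHO742@users.collaboratory.nl JobID-XPS1-214 ws3.collaboratory.nl ViewExperiment Permit
"""

FIELDS = ("ts", "token", "subject", "job", "source", "action", "decision")


def parse_events(text):
    """Parse the audit trail into dicts ordered by timestamp; reject malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"malformed audit line: {line!r}")
        event = dict(zip(FIELDS, parts))
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=5), max_failures=3):
    """Return (token, indicator, detail) alerts.

    'unexpected-origin'  : credential used from a host other than the job's registered one
    'concurrent-origins' : the same token seen from more than one host inside `window`
    'repeated-deny'      : `max_failures` consecutive Deny decisions for one token
    """
    alerts = []
    recent = defaultdict(list)    # token -> events still inside the window
    failures = defaultdict(int)   # token -> consecutive Deny count
    flagged_concurrent = set()    # alert once per token, not once per event
    for e in events:
        tok = e["token"]
        expected = EXPECTED_ORIGIN.get(e["job"])
        if expected is not None and e["source"] not in expected:
            alerts.append((tok, "unexpected-origin",
                           f"{e['source']} not in registered origin {sorted(expected)}"))
        recent[tok] = [r for r in recent[tok] if e["ts"] - r["ts"] <= window] + [e]
        sources = {r["source"] for r in recent[tok]}
        if len(sources) > 1 and tok not in flagged_concurrent:
            flagged_concurrent.add(tok)
            alerts.append((tok, "concurrent-origins",
                           f"used from {sorted(sources)} within {window}"))
        if e["decision"] == "Permit":
            failures[tok] = 0
        else:
            failures[tok] += 1
            if failures[tok] == max_failures:
                alerts.append((tok, "repeated-deny",
                               f"{max_failures} consecutive Deny for {e['action']}"))
    return alerts


def indicators_for(alerts, token):
    """Set of indicator names raised for one token, for triage."""
    return {kind for tok, kind, _ in alerts if tok == token}
```

Running `detect(parse_events(AUDIT_LOG))` flags tokA for both origin indicators and tokB for repeated denials while tokC stays clean. The limitation is the one the slide raises: all three checks need the PEP/PDP to log source and decision per request, and none of them fires when the stolen credential is used from the registered host with a permitted role, which is why a history/evidence chain carried with the credential itself is on the discussion list.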
Discussion: security credentials compromise detection
• How to determine at an early stage that a private key or other security credentials have been compromised?
• Will it require credential storing (not caching) and adding a history/evidence chain to the credential format?
  – X.509 credentials are not capable of this
  – Does SAML have the required functionality?