ESnet RADIUS Authentication Fabric
Michael Helm, ESnet/LBNL
Cybersecurity Summit, 27 Sep 2004
ESnet Provides Full Internet Service to DOE Facilities and Collaborators with High-Speed Access to Major Science Collaborators
[Map: ESnet mid-2004. International peers include GEANT (Germany, France, Italy, UK, etc.), SInet (Japan), KDDI (Japan), CA*net4, TANet2 (Taiwan), ASCC (Taiwan), Singaren, Russia (BINP), CERN (DOE link), MREN, StarTap/Starlight, plus commercial peering points (NY-NAP, QWEST ATM, MAE-E, MAE-W, PAIX-E, PAIX-W, Fix-W, Equinix, Chi NAP) and Abilene. 42 end user sites: Office of Science sponsored (22), NNSA sponsored (12), Joint sponsored (3), Other sponsored (NSF LIGO, NOAA), Laboratory sponsored (6). Legend: OC192 (10 Gb/s optical), OC48 (2.5 Gb/s optical), Gigabit Ethernet (1 Gb/s), OC12 ATM (622 Mb/s), OC12, OC3 (155 Mb/s), T3 (45 Mb/s), T1-T3, T1 (1 Mb/s); ESnet core: Packet over SONET optical ring and hubs (SEA, SNV, ELP, CHI, NYC, DC, ATL, ALB hubs); peering points and high-speed peering points.]
A New ESnet Architecture: Science Data Network + IP Core
[Diagram: the existing ESnet IP Core plus an ESnet Science Data Network (2nd core), joined by Metropolitan Area Rings. Existing hubs: Chicago (CHI), New York (AOA), Washington, DC (DC), Sunnyvale (SNV), Atlanta (ATL), El Paso (ELP); new hubs and possible new hubs; DOE/OSC labs; peerings to CERN, Asia-Pacific and GEANT (Europe).]
ESnet ATF Project: Authentication, Trust & Federation Services for DOE Office of Science
• Certification Authorities
  • ESnet Root CA
  • DOEGrids CA
  • NERSC CA – NERSC's "myProxy-NIM" integration
  • ESnet SSL Server CA – soon to expand
• Scope – X.509/PKIX certificates for Office of Science supported research and collaborations
  • Grids; TLS; experimental uses
• Rigorous security
  • Industry best practices
  • Hardware Security Modules (HSM)
• Services
  • People, host, and service certificates
  • Key lifecycle management
  • User interface development and automation
  • Grid integration
DOEGrids Security
[Diagram of the protection layers, outermost to innermost:]
• LBNL site security
• Building security
• Secure data center
• Access-controlled racks
• Firewall (Internet side), with intrusion detection
• Grid user PKI systems
• Hardware Security Modules (HSM)
• Offline vaulted Root CA
ESnet PKI Project (2)
• Federation and Standards
  • DOEGrids supports 15 distinct "Registration Authorities"
  • Two are in progress for addition (LCG and EPA-NCC)
  • Regional peering – "Americas" PMA, TERENA, Asia-Pacific
  • Global Grid Forum
    • CAOPS (TG chair)
  • PGP key server
• New Initiatives:
  • GIRAF – Grid Integrated RADIUS Authentication Fabric
  • Fusion Grid PKI – support "myProxy" integration
  • Remote Hardware Security Module operation
    • Response to ESnet's challenge to provide redundant CA services
  • Mozilla browser integration
  • SIRS – Security Incident Response Services
What Does the RAF Do?
[Diagram: four sites (ANL, NERSC, PNNL, ORNL), each with an OTP Service and a site RADIUS server (r) that knows the realms anl.gov, nersc.gov, pnnl.gov and ornl.gov. The ESnet RAF Federation RADIUS server (R) knows the same realms plus es.net. An application (App) at one site sends its RADIUS request to the site RADIUS server, which forwards it through the ESnet RAF to the RADIUS/OTP service of the user's home realm.]
What Is the Grid Integrated RAF? (Proposal, Apr 2004; a special case of GridLogon)
[Diagram components: ESnet Root CA signs a Subordinate CA; the Subordinate CA engine runs with an HSM and provides OCSP; ESnet RADIUS does OTP verification against the OTP services; a PAM module and the SIPS Auth DB handle login; MyProxy manages the proxy credentials.]
Flow:
1. Log in
2. Ask AuthN; hint OTP
3. OTP verification (ESnet RADIUS against the OTP services)
4. Auth OK; namestring returned
   (Subordinate CA engine signs the proxy)
5. Receive proxy certificate
6. (Optional) Store proxy in MyProxy
7. Execute
RAF Benefits & Features
• O(n) peering
• Authorization decision controlled by site
  Sound familiar?
• Single token per person
• Interoperability on an open, standard, industry-supported AAA protocol
  • WAN use of RADIUS (RFC 2865)
• Federation
ESnet RAF Architecture
[Diagram: at each of Site 1, Site 2 ... Site n there are applications (Application 1), a site RADIUS server (Rc) and an AuthN Authority (OTP). Each site connects over the ESnet Network (IP) through a VPN (IPsec) to the ESnet RAF, which consists of several RADIUS proxy routers with site replication between them.]
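The three slides above describe the RAF as a realm-routed RADIUS proxy fabric: an application hands an Access-Request to its site RADIUS server, the realm after the "@" in the user name selects the home OTP service, and the fabric forwards the request over RADIUS (RFC 2865). The following Python is an added illustration of that path, not code from the ESnet project: it builds an Access-Request with RFC 2865 User-Password hiding, parses it defensively, picks the home server by realm, and re-hides the password under the secret shared with that server, as a RADIUS proxy must. The realm table, hostnames, shared secrets and the Proxy-State contents are constructed for the example; the reply path (Access-Accept/Reject) and Message-Authenticator are not modelled.

```python
import hashlib
import os
import struct

# RADIUS code and attribute types from RFC 2865.
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32
ATTR_PROXY_STATE = 33

# Constructed routing table modelled on the deck's realms; hostnames are assumed.
REALM_ROUTES = {
    "anl.gov": "radius.anl.gov",
    "nersc.gov": "radius.nersc.gov",
    "pnnl.gov": "radius.pnnl.gov",
    "ornl.gov": "radius.ornl.gov",
}


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (length includes the 2-octet header)."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous ciphertext block); block 1 chains from the Request
    Authenticator. This is obfuscation keyed on the shared secret, not encryption."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; anyone holding the shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(identifier, user_name, password, secret, nas_id):
    """Build an Access-Request as the site application ('App' in the deck) would."""
    authenticator = os.urandom(16)  # Request Authenticator: fresh random per request
    attrs = (_attr(ATTR_USER_NAME, user_name.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value), ...]); rejects bad
    lengths before any field is trusted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return code, identifier, packet[4:20], attrs


def route_by_realm(user_name: str, routes=REALM_ROUTES):
    """Select the home server from the realm; None means 'not a federated user'."""
    if "@" not in user_name:
        return None
    return routes.get(user_name.rsplit("@", 1)[1].lower())


def proxy_forward(packet, client_secret, server_secrets, identifier=1, routes=REALM_ROUTES):
    """RAF proxy step: route by realm, re-hide the password under the home server's
    secret, add Proxy-State to match the reply. Returns (home, packet) or (None, None)."""
    code, orig_id, authenticator, attrs = parse_packet(packet)
    fields = dict(attrs)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in fields or ATTR_USER_PASSWORD not in fields:
        return None, None
    home = route_by_realm(fields[ATTR_USER_NAME].decode(errors="replace"), routes)
    if home is None or home not in server_secrets:
        return None, None
    # The proxy necessarily holds the cleartext OTP here: this is why the deck runs
    # RAF traffic inside an IPsec VPN instead of bare RADIUS over UDP.
    cleartext = reveal_password(fields[ATTR_USER_PASSWORD], client_secret, authenticator)
    new_auth, out = os.urandom(16), b""
    for attr_type, value in attrs:
        if attr_type == ATTR_USER_PASSWORD:
            value = hide_password(cleartext, server_secrets[home], new_auth)
        out += _attr(attr_type, value)
    out += _attr(ATTR_PROXY_STATE, struct.pack("!B", orig_id))  # constructed state value
    return home, struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(out)) + new_auth + out
```

The point to take from `proxy_forward` is that every hop that re-hides the User-Password sees it in the clear, so the trust placed in the RAF proxies (and in the VPN between them) is the same as the trust placed in the site RADIUS servers themselves.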
RAF Current Issues (Current: 6 – 18 mos; * = Grid issue)
• Reliability – Replication
  • Currently a RAF issue, but also applies to site RADIUS/OTP
• * Federation
• * Application Integration
  • Where's our "Grid Integration" solution?
  • PAM – more layers!
• * Name management (Fed/App Integration)
  • Essential issue for Grid integration
• *? OTP Service Reliability
  • "Transit time"; resync; loss
  • * Federation
• *? Integrity & Security
  • VPN
  • See later
• Market research – size/scope of deployment
RAF Current Issues (mapped onto the RAF federation)
[Diagram: the same four-site federation (ANL, NERSC, PNNL, ORNL OTP services and site RADIUS servers, ESnet RAF Federation server R) annotated with where each issue lives: OTP/C&R integrity and security at the site OTP services; reliability/replication and transit time at the ESnet RAF; application integration and federation at the sites.]
RAF Long Term* Issues (* 12 – 48 mos)
• RAF support for other protocols
  • Kerberos
  • Web services
  • EAP/TLS
  • MyProxy protocol
• End to end integrity
  • "AuthA" protocol
  • Session hijacking (client)
• Application integration
  • Always an issue
  • Architecture: fan-out/gateway
• Firewalls
  • RADIUS
AuthA
• An OTP-based key-exchange technology that offers protection against:
  • capture of the user's password
  • capture of the server's password database
  • dictionary attacks on the user's password
  • denial-of-service attacks
• An OTP-based DH key-exchange technology that allows users to connect from an untrusted terminal and still preserve the privacy of data transmitted on the wire:
  • confidentiality, authenticity, and integrity of the data
  • mutual authentication of the user and the server
• Technology publication:
  • M. Abdalla, O. Chevassut, and D. Pointcheval, "One-time Verifier-based Encrypted Key Exchange", submitted for publication to the 8th International Workshop on Practice and Theory in Public-Key Cryptography, Feb 2005.
EduROAM
• TERENA Mobility TF: http://www.terena.nl/tech/task-forces/tf-mobility
• Initiative to support roaming
  • Hence, 802.1x support
  • Wireless
• Motivation is a little different
  • Roaming vs collaboration
• Architecture is similar
  • Key difference: DOE lab OTP
• Beginning interoperability discussion
Cross-domain 802.1X with VLAN assignment
[Diagram: a guest supplicant (piet@institution_b.nl) visiting Institution A authenticates through the Authenticator (AP or switch) to Institution A's RADIUS server, which forwards the request via the Central RADIUS Proxy server to Institution B's RADIUS server; each institution keeps its own User DB. Signalling and data paths are drawn separately; the authenticator places the user on the Guest, Employee or Student VLAN, with Internet access.]
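In the diagram above the home institution authenticates the roaming user, but the visited institution decides which VLAN the port is placed on (the "authorization decision controlled by site" point from the RAF slides). The Python below is an added example, not eduroam or ESnet code: it encodes the RFC 2868 tunnel attributes that carry a dynamic VLAN assignment in an Access-Accept, and shows the visited site discarding any VLAN attributes the foreign home server may have returned and substituting its own policy. The realm, roles and VLAN ids are constructed for the example.

```python
import struct

# RFC 2868 tunnel attributes used for 802.1X dynamic VLAN assignment.
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
VLAN_ATTRS = {ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID}

# Constructed policy for the visited site (Institution A in the diagram); VLAN ids assumed.
LOCAL_REALM = "institution_a.nl"
LOCAL_VLANS = {"employee": 100, "student": 200, "guest": 900}


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vlan_attributes(vlan_id: int, tag: int = 0) -> list:
    """Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, Tunnel-Private-Group-ID=<vlan>,
    each prefixed with the 1-octet tag (0 = untagged) that RFC 2868 defines."""
    def tagged_int(n):
        return struct.pack("!B", tag) + n.to_bytes(3, "big")
    return [
        (ATTR_TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
        (ATTR_TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802)),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, struct.pack("!B", tag) + str(vlan_id).encode()),
    ]


def choose_vlan(user_name: str, local_roles: dict, local_realm=LOCAL_REALM, vlans=LOCAL_VLANS) -> int:
    """Visited-site decision: any foreign realm lands on the guest VLAN; local users
    get the VLAN for their role in the local user DB (unknown role -> guest)."""
    realm = user_name.rsplit("@", 1)[1].lower() if "@" in user_name else local_realm
    if realm != local_realm:
        return vlans["guest"]
    return vlans.get(local_roles.get(user_name, "guest"), vlans["guest"])


def apply_local_vlan_policy(home_accept_attrs, user_name, local_roles) -> bytes:
    """Drop VLAN attributes received from the home RADIUS server (they describe the
    home network, not ours) and append the visited site's own choice; serialize."""
    kept = [(t, v) for t, v in home_accept_attrs if t not in VLAN_ATTRS]
    attrs = kept + vlan_attributes(choose_vlan(user_name, local_roles))
    return b"".join(_attr(t, v) for t, v in attrs)


def decode_vlan_id(serialized: bytes):
    """Return the Tunnel-Private-Group-ID as an int, or None if absent."""
    pos = 0
    while pos + 2 <= len(serialized):
        attr_type, length = serialized[pos], serialized[pos + 1]
        if length < 2 or pos + length > len(serialized):
            raise ValueError("malformed attribute")
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID:
            return int(serialized[pos + 3:pos + length])  # skip the tag octet
        pos += length
    return None
```

The override in `apply_local_vlan_policy` is the part worth copying into a real proxy configuration: a VLAN id chosen by another institution's server is meaningful only on that institution's switches, and honouring it would let a remote misconfiguration move a guest onto a local employee VLAN.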
Conclusion
• Successful RAF demonstration project
  • Engineering and user experience issues
• Ready to proceed to pilot
  • Need Grid integration
  • European liaison possible
• First step toward Auth Fabric
  • Support more protocols
  • Federation
  • Successor to RADIUS
• http://www.es.net/raf
• http://www.doegrids.org
Demo
• http://topaz.es.net/secure/index.html
• http://panda.ccs.ornl.gov/radius/index.html
Fusion Grid Firewall Issues
Michael Helm, ESnet/LBNL
GGF-12 Sec Workshop, 18 Sep 2004
Comments
• Each site is protected by a firewall
• Different firewall technology
• OTP is probably a feature
• Need single sign-on, delegation, autonomous processes...
Fusion Grid
• Use case comes from Dave Schissel
• Evolved from discussion of OTP
• 2 of 3 labs in FusionGrid already have a SecurID infrastructure
• Need direct support
• Need to identify path to solution