The Semantic Firewall by NBtooY5

VIEWS: 0 PAGES: 15

									The Semantic Firewall

 EPSRC Pilot Projects Meeting
      26 March 2004
           NESC
                     Overview
•   Project goals
•   Motivation
•   Approach
•   Current status
•   Next steps
      The Semantic Firewall
• Started Oct’03
  – 24 months duration, 42 person-months effort
• Project team:
  – Mike Surridge, Darren Marvin, Steve Taylor (IT
    Innovation)
  – Terry Payne, Ron Ashri (IAM, Southampton)
  – support from NEC and U.Sheffield
• Goals
  – investigate an “adaptive” perimeter defence for
    Grids
  – evaluate against test cases from EC GEMSS
Damn Those Pesky Firewalls
     Permitted Access                          Managed Server
   to Restricted Services                        Resources

   Permitted Grid Access

                                New
            FIREWALL

                            Vulnerability




                                            User Managed
                                             Workstations
More Trouble with Firewalls
            Service Tunnel
GSI Delegation and Trust
       Proxy     Proxy


      Process   Process




       Proxy     Proxy


      Process   Process
        The Grid “Arms Race”
• Sysadmins (rightly) wish to retain control
   – firewalls block P2P/Grid connections with other sites
• Users (rightly) wish to get on with their work
   – develop sneaky ways around the firewalls
   – tunnelling over HTTP, SSH, etc
• Sysadmins close the tunnels
   – preventing crackers hopping on board
   – but reducing functionality of the network
• Result:
   – applications/grids may stop working within a year
   – everyone wastes time and effort
The Semantic Firewall
                 Project Tasks
• WP1:M01-06: Semantic representations
   – overall requirements analysis
   – evaluation and selection of ontology and standards
• WP2:M01-12: Platform design and implementation
   – service-oriented message-routing gateway
   – basic authentication and access control mechanisms
• WP3:M07-18: Semantic reasoning features
   – integrating adaptive reasoning into base platform
   – investigating adaptive/negotiated access control
• WP4:M19-24: Evaluation
   – using real-world application from U.Sheffield
   – contributed by EC GEMSS (Medical Simulation)
          Motivating Scenario
                                                                                           Grid Compute
               Grid Client                       (1b) Request Run                             Service
                                                        Job
                                                     HTTPS / SOAP




                                                     HTTPS / SOAP
                                                                                                             (3) Run Job
                                                  (4) Notify Client
                                                  Output Available




                                          (1a) Open
                                        Authorisation to




                                                                                AP
                                  HT




                                                                            SO
                                             Data
                                   TP




                                                                           S/
                                       S/




                                                                                 (2) Get Input




                                                                       TP
                                        SO




Semantic Firewall authorises




                                                                      HT
                                            AP




requests initiated from outside                                                      Data
the client site based on the
combination of sys admin policy
and process definition                                                                       Semantic Firewall uses
                                                                                             a process-based
                                                                                             authorisation
                                                                                             to identify valid
                                                                                             incoming messages

           Traditional
            Firewall
            Semantic
             Firewall



                                                    Data Service
                          System Design
                                                       • Inputs:
                                                          – site policies
SFW Knowledge Base           SFW Reasoner
      Site policies
  Service descriptions
                           Policy conflict detection
                             Workflow analysis
                                                          – service descriptions
  Application workflows    Message interpretation
                                                          – application workflows
                                                       • Reasoner:
                                                          – detects conflicts
                                                          – derives access rules
                                                       • Communications:
 SFW Administration
   Static configuration
                          SFW Communications
                              Event handling
                                                          – enforces access rules
    Logging system
   Administration GUI
                           Message enforcement
                                                          – uses PBAC approach
                                                       • Administration:
                                                          – configuration and logging
                                                          – network admin GUI
Process Based Access Control
• Dynamic approach to Grid authorisation
  –   applied at service provider on a “per-site” basis
  –   controls access to resources (cf WS-RF)
  –   access rights managed by authenticated clients
  –   actions constrained by allowed processes
• Process-based access control
  – does not use mapping to local user id
  – does not use centralised authorisation services
  – need not use role-based access control
• Process semantics are core to security
       Semantic Representations
• Focused on process-oriented languages
   – for expression of workflows
   – for expression of domain policies
• Several candidate languages investigated
   –   DAML-S process model
   –   BPEL4WS workflow language
   –   ebXML business process models
   –   WS-Choreography
• Preliminary conclusions:
   – platform should use WS-Security and WS-Policy
   – service models are likely to use DAML-S
   – no decision yet on application workflows
             Current Status
• Semantics investigation almost complete
  – still investigating WS-Choreography
• Platform design almost complete
  – reusing existing security components
• Dissemination started
  – paper at AAAI Symposium 2004
  – website up (just) and discussion list open
• SFW is attracting considerable interest
  – Grit Denker @ SRI and Jeff Bradshaw @ IHMC
  – growing industrial interest and input
                Next Steps
• Finish selection of process representations
• Implement base platform
  – PBAC and WS-Security infrastructure
  – administration interfaces
• Introduce semantics technology
  – policy conflict detection
  – derivation of low-level PBAC rules
• Evaluation (in 2005)
• Continue to expand the community of interest
  – scenarios especially welcome!

								
To top