
Policy Enforcement Framework for Web Services and Grid Operational Security

  Advanced Internet Research Group Update



   Yuri Demchenko <demch@science.uva.nl>
        AIRG, University of Amsterdam
         Outline

        Goals
        AIRG projects and Generic AAA Architecture development
        Implementation in CNL project Access Control infrastructure
        Grid Operational Security and Grid Security Incident definition




TF-EMC2. November 4, 2004. Amsterdam     AIRG Update 2004                  Slide_2
          Goals

       Update TF-EMC2 on AIRG research and developments
       Discuss possible approaches for early detection of the security credentials
        compromise




          AIRG projects

       Gigaport NG - NL
                Further development of the Generic AAA architecture for policy/token based
                 networking
       Collaboratory.nl (CNL)
              Security Architecture for Open Collaborative Environment and RBAC
              Considered as a use case for EGEE and OGSA

       EGEE and other Grid related projects - EU
              Grid operational security and WS/Grid security threats analysis
              Policy enforcement framework and Authorisation portType

              WS-Security and OGSA Security




          Generic AAA Architecture by AIRG (UvA)

   [Figure: Generic AAA architecture. Request/Response exchanges flow between the Generic AAA
    engine, one or more Policies (defined by the Resource owner) and one or more ASMs.
    The ASM translates Decision => Action and State => Condition.]

   Policy based Authorization decision:
        Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
        RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}
        ActionExt = {ReqAAAExt, ASMcontrol}
        ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}

          Generic AAA implementations

       Bandwidth-on-demand (BoD) for optical network
                Using driving policy approach for multidomain optical path building

       Access control and privilege management for Collaborative environment
                Policy/role based access control to experimental equipment and resources


       Authorisation Web Service and Authorisation portType for Grid applications
                Policy binding to Web/Grid service definition


       Technology background
              AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format
              XML Web Services

                    – Attempting to use WSRF and trying to avoid OGSI and ProxyCert


          Distributed Security Architecture for Collaborative
          environment
       Based on the Job-centric security model
       Extended RBAC functionality including RBAC administration terminal (using
        GAAA Toolkits)
       XACML based policy exchange and integration
       Uses WS-Security Framework and OGSA/WSRF
                Policy binding to WSDL and AuthZ portType definition
       VO functionality - policy based user and resource management
       Proxy-Certificate (Grid approach) vs SAML security credentials management




          Security built around Job description


   [Figure: Job-centric security. An Order Description produces a Job Description (JobDescr)
    holding Job#, Job Attributes and Job Priority, plus the User list, User roles/attr and
    Admin RBAC. The JobDescr is consumed by the Scheduler/JobMngr and by the Access Control
    service (AuthN/Z), which holds the UserDB and the Policy.]



 Job Description as a semantic object defining Job attributes and User attributes
         Requires a document based or semantic oriented Security paradigm
 Trust domain based on Business Agreement (BA) or Trust Agreement (TA) via PKI

          XACML implementation library for CNL

       Contains specific modules for AAA services
              PEP, PDP, PAP and XACML messaging
              Implemented in Java

       Policy editor in XACML
              XACML provides a standard solution for RBAC with powerful policy combination
               functionality
              Version 0.1 is available for policy construction and translation to the AAA policy format

       A set of typical policy profiles in XACML (with corresponding profiles in AAA)
        is under development




          Main components and dataflow in RBAC/PMI

   [Figure: dataflow between the RBAC/PMI components listed below]

       PEP (Policy Enforcement Point) / AEF (authorisation enforcement function)
       PDP (Policy Decision Point) / ADF (authorisation decision function)
       PIP (Policy Information Point) / AA (Attribute Authority)
       PA – Policy Authority




          GAAA API flow diagram (implements RBAC)




          GAAAPI implementation –
          XACML Request message format (1)




          GAAAPI implementation –
          XACML Request message format (2)
<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:schemaLocation="http://www.AAA.org/ns/AAA_BoD
   http://146.50.22.64/CNLdemo1.xsd" version="0.1" type="CNLdemo1">
   <Subject>
    <SubjectID>WHO740@users.collaboratory.nl</SubjectID>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
   </Subject>
   <Resource>
    <ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID>
   </Resource>
   <Action>
    <ActionID>ControlInstrument</ActionID>
   </Action>
</AAA:AAARequest>

          GAAAPI implementation –
          XACML Response message format (1)




          GAAAPI implementation –
          XACML Response message format (2)
<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAAResponse xmlns:AAA="http://www.AAA.org/ns/AAA_BoD"
   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd" version="0.0">
   <Result ResourceId="String">
        <Decision>Permit</Decision>
        <Status>
               <StatusCode Value="OK"/>
               <StatusMessage>Request successful</StatusMessage>
        </Status>
   </Result>
</AAA:AAAResponse>
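As an added illustration (not code from the CNL project or the GAAAPI library), the following Python sketch parses an AAARequest in the format above, evaluates it against a small constructed RBAC policy the way a deny-by-default PDP would, and serialises the decision as an AAAResponse in the format shown. The token value, the policy contents and the ViewExperiment/Observer entries are constructed for the example.

```python
import xml.etree.ElementTree as ET
AAA_NS = "http://www.AAA.org/ns/AAA_BoD"
ET.register_namespace("AAA", AAA_NS)

# Constructed request in the CNL demo format from the slide (the token is a placeholder value).
SAMPLE_REQUEST = """<AAA:AAARequest xmlns:AAA="http://www.AAA.org/ns/AAA_BoD" version="0.1" type="CNLdemo1">
  <Subject><SubjectID>WHO740@users.collaboratory.nl</SubjectID><Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID><Token>constructed-token-0001</Token></Subject>
  <Resource><ResourceID>http://resources.collaboratory.nl/Phillips_XPS1</ResourceID></Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>"""

# Constructed RBAC policy as a PAP would hand it to the PDP: (resource, action) -> permitted roles.
XPS1 = "http://resources.collaboratory.nl/Phillips_XPS1"
POLICY = {(XPS1, "ControlInstrument"): {"Analyst"}, (XPS1, "ViewExperiment"): {"Analyst", "Observer"}}
FIELDS = {"subject": "Subject/SubjectID", "role": "Subject/Role", "job": "Subject/JobID",
          "token": "Subject/Token", "resource": "Resource/ResourceID", "action": "Action/ActionID"}

def parse_request(xml_text):
    """PEP side: extract the request attributes; a malformed request is rejected, never guessed."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}AAARequest" % AAA_NS:
        raise ValueError("not an AAARequest")
    req = {}
    for key, path in FIELDS.items():
        el = root.find(path)
        if el is None or not (el.text or "").strip():
            raise ValueError("missing " + path)
        req[key] = el.text.strip()
    return req

def decide(req, policy=POLICY):
    """PDP side: deny by default; Permit only when the policy lists the role for resource+action."""
    return "Permit" if req["role"] in policy.get((req["resource"], req["action"]), set()) else "Deny"

def build_response(decision, resource_id):
    """Serialise an AAAResponse in the layout of the slide's response message."""
    root = ET.Element("{%s}AAAResponse" % AAA_NS, {"version": "0.0"})
    result = ET.SubElement(root, "Result", {"ResourceId": resource_id})
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ET.SubElement(status, "StatusCode", {"Value": "OK"})
    ET.SubElement(status, "StatusMessage").text = "Request successful" if decision == "Permit" else "Request denied"
    return ET.tostring(root, encoding="unicode")

def handle(xml_text):
    """PEP -> PDP -> response round trip; returns (decision, response_xml)."""
    req = parse_request(xml_text)
    decision = decide(req)
    return decision, build_response(decision, req["resource"])
```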




          Binding policy to WSDL service description

WS-PolicyAttachment defines two mechanisms that together allow a policy to be bound
 to the WSDL components (portType, Operation, Message):
       wsp:PolicyRefs="URI | QName"
       <wsp:UsingPolicy wsdl:Required="true"/>




          Binding policy to WSDL - Example

<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
   xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
   xmlns:xs="http://www.w3.org/2001/XMLSchema"
   xmlns:wsa="http://schemas.xmlsoap.org/ws/2003/03/addressing"
   xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy"
   xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext"
   xmlns:wst="http://schemas.xmlsoap.org/ws/2004/04/trust"
   xmlns:cnl="http://cnl.telin.nl/cnl" xmlns:policy="cnl-policy-schema.xsd"
   targetNamespace="http://cnl.telin.nl/cnl">
      <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
         <part name="JobID" type="xs:string"/>
         <part name="coordinateX" type="xs:string"/>
         <part name="coordinateY" type="xs:string"/>
         <part name="zoom" type="xs:int"/>
      </message>

    <<< snip >>>>

      <wsp:UsingPolicy wsdl:Required="true"/>
    </definitions>
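To show what a consumer of such a WSDL can check, here is an added Python example (not CNL project code) that resolves the two WS-PolicyAttachment mechanisms above: it collects every wsp:PolicyRefs binding per WSDL component, reads whether wsp:UsingPolicy wsdl:Required="true" is set, and lists messages with no directly attached policy. The WSDL is a constructed variant of the slide's example; it declares the wsdl: prefix (the slide's fragment does not) and adds a second message and a portType policy for illustration.

```python
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
WSP_NS = "http://schemas.xmlsoap.org/ws/2002/12/policy"

# Constructed WSDL in the shape of the slide's CNL example; the wsdl: prefix is declared here because
# the wsdl:Required attribute needs it, and one message is deliberately left without a policy.
SAMPLE_WSDL = f"""<definitions xmlns="{WSDL_NS}" xmlns:wsdl="{WSDL_NS}" xmlns:wsp="{WSP_NS}"
    xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:tns="http://cnl.telin.nl/cnl"
    targetNamespace="http://cnl.telin.nl/cnl">
  <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
    <part name="JobID" type="xs:string"/><part name="zoom" type="xs:int"/>
  </message>
  <message name="ViewExperimentResponse"><part name="image" type="xs:string"/></message>
  <portType name="CNLExperiment" wsp:PolicyRefs="cnl-policy-porttype.xml cnl-policy-authz.xml">
    <operation name="ViewExperiment"><input message="tns:ViewExperimentRequest"/></operation>
  </portType>
  <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>"""

def policy_bindings(wsdl_text):
    """Map each WSDL component carrying wsp:PolicyRefs to its (space-separated) policy references."""
    root = ET.fromstring(wsdl_text)
    bindings = {}
    for tag in ("message", "portType", "operation", "binding", "port"):
        for el in root.iter("{%s}%s" % (WSDL_NS, tag)):
            refs = el.get("{%s}PolicyRefs" % WSP_NS)
            if refs:
                bindings[(tag, el.get("name"))] = refs.split()
    return bindings

def policy_required(wsdl_text):
    """True if <wsp:UsingPolicy wsdl:Required="true"/> marks policy support as mandatory for consumers."""
    el = ET.fromstring(wsdl_text).find("{%s}UsingPolicy" % WSP_NS)
    return el is not None and el.get("{%s}Required" % WSDL_NS, "false").lower() == "true"

def messages_without_policy(wsdl_text):
    """Messages with no directly attached policy: candidates for an authorisation-policy gap."""
    bound = policy_bindings(wsdl_text)
    root = ET.fromstring(wsdl_text)
    return [m.get("name") for m in root.iter("{%s}message" % WSDL_NS)
            if ("message", m.get("name")) not in bound]
```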


          Security related activities in EGEE - FYI

EGEE – Enabling Grids for E-sciencE
       JRA3 – Security
       MWSG – Middleware Security Group
       JSPG – Joint with LCG and OSG Security Policy Group
                OSG Incident Handling Activity

Recent Security related deliverables
       Grid User/Site Security Requirements – MJRA3.1
        (https://edms.cern.ch/document/485295/1)
       Global Security Architecture (GSA) rev. 1 - DJRA3.1
        (https://edms.cern.ch/document/487004/1.1)
       Grid Security Incident definition and exchange format – MJRA3.4
              Ongoing development, current version - https://edms.cern.ch/document/501422/1
              As a part of joint OSG/LCG/EGEE Operational Security activity



          Grid Security Incident (GSInc) definition

GSInc definition
       Depends on the scope and range of the Security Policy, ULA, or SLA - TODO
       Should be based on threats analysis and vulnerabilities model – MJRA3.4
       Should be based on Grid processes/workflow analysis - TODO

GSInc definition is a base for the GSInc description format
       What information should be collected, and how to exchange and handle it
                 Requirements for event logging and intrusion/compromise detection
       A common format is a basis for community-wide statistics and coordinated response
       Incident statistics provide feedback for Security Policy improvement

Note. The Grid Security model is based on delegation of security credentials to a service
          Security credentials related GSInc and audit events

Security credentials compromise (e.g., private key, proxy credentials, etc.) may be indicated by:
         anomalous patterns of credential usage
         a broken chain of PKC/keys/credentials
         a copy of the credential discovered in an improper place
         use originating from other than the default location
         subsequent failed attempts to request action(s)
                 detected via PDP/PEP logging/audit
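The indicators above are only useful if something actually evaluates the PDP/PEP audit trail. The following added Python example (not part of the presentation or any AIRG toolkit) runs three of them over a constructed audit log: use from other than the subject's default location, the same credential active from two origins within a short window (a sign that a copy exists elsewhere), and a run of subsequent denied requests. The log format, hosts, subjects and the DEFAULT_ORIGIN table are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PDP/PEP audit events (not real logs): time, subject, credential id, origin host, decision.
AUDIT_LOG = """\
2004-11-04T10:00:00 subject=WHO740 cred=tok-1 src=lab-ws1 decision=Permit
2004-11-04T10:00:20 subject=WHO740 cred=tok-1 src=lab-ws1 decision=Permit
2004-11-04T10:00:45 subject=WHO740 cred=tok-1 src=ext-host9 decision=Permit
2004-11-04T10:01:00 subject=JD12 cred=tok-7 src=lab-ws2 decision=Deny
2004-11-04T10:01:05 subject=JD12 cred=tok-7 src=lab-ws2 decision=Deny
2004-11-04T10:01:09 subject=JD12 cred=tok-7 src=lab-ws2 decision=Deny
"""
# Constructed "default location" of each subject's credentials (hosts they are expected to be used from).
DEFAULT_ORIGIN = {"WHO740": {"lab-ws1"}, "JD12": {"lab-ws2"}}

def parse_events(text):
    """Turn one audit line per event into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, *pairs = line.split()
            ev = dict(p.split("=", 1) for p in pairs)
            ev["time"] = datetime.fromisoformat(ts)
            events.append(ev)
    return events

def detect(events, window=timedelta(minutes=5), max_denies=3):
    """Apply the slide's compromise indicators to the audit trail; returns unique (rule, subject, cred)."""
    alerts = []
    def raise_alert(rule, subj, cred):
        if (rule, subj, cred) not in alerts:
            alerts.append((rule, subj, cred))
    last_seen = defaultdict(dict)   # cred -> {origin host: time of last use}
    denies = defaultdict(int)       # subject -> length of the current run of Deny decisions
    for ev in sorted(events, key=lambda e: e["time"]):
        subj, cred, src = ev["subject"], ev["cred"], ev["src"]
        # Indicator: credential used from other than its default location.
        if src not in DEFAULT_ORIGIN.get(subj, set()):
            raise_alert("non-default-origin", subj, cred)
        # Indicator: the same credential active from two origins inside the window (a copy may exist).
        if any(h != src and ev["time"] - t <= window for h, t in last_seen[cred].items()):
            raise_alert("concurrent-origins", subj, cred)
        last_seen[cred][src] = ev["time"]
        # Indicator: a run of subsequent failed (denied) requests recorded by the PDP/PEP audit.
        denies[subj] = denies[subj] + 1 if ev["decision"] == "Deny" else 0
        if denies[subj] >= max_denies:
            raise_alert("repeated-denies", subj, cred)
    return alerts
```

Each alert is the kind of audit event the slide calls Evidence; the window and deny threshold are tunable and would be set from the site's own Security Policy.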


Remaining problems and topics for discussion
       How to determine at an early stage that a private key has been compromised?
       May require storing credentials (not caching) and adding a history/evidence chain to the
        credentials format
                 X.509 credentials are not capable of this
                 Does SAML have the required functionality?

Note: Audit/log events together with related data can also be referred to as Evidence
          Discussion: security credentials compromise detection

       How to determine at an early stage that a private key or other security credentials
        have been compromised?

       Will it require storing credentials (not caching) and adding a history/evidence
        chain to the credentials format?
              X.509 credentials are not capable of this
              Does SAML have the required functionality?




