Policy Enforcement Framework for Web Services and Grid Operational Security Advanced Internet Research Group Update Yuri Demchenko <demch@science.uva.nl>

1 Policy Enforcement Framework for Web Services and Grid Operational Security
Advanced Internet Research Group Update
Yuri Demchenko, AIRG, University of Amsterdam

2 Outline
- Goals
- AIRG projects and Generic AAA Architecture development
- Implementation in the CNL project Access Control infrastructure
- Grid Operational Security and Grid Security Incident definition
TF-EMC2. November 4, Amsterdam. AIRG Update 2004

3 Goals
- Update TF-EMC2 on AIRG research and developments
- Discuss possible approaches for early detection of security credentials compromise

4 AIRG projects
- Gigaport NG - NL: further development of the Generic AAA architecture for policy/token based networking
- Collaboratory.nl (CNL): Security Architecture for Open Collaborative Environment and RBAC; considered as a use case for EGEE and OGSA
- EGEE and other Grid related projects - EU:
  - Grid operational security and WS/Grid security threats analysis
  - Policy enforcement framework and Authorisation portType
  - WS-Security and OGSA Security

5 Generic AAA Architecture by AIRG (UvA)
Policy based Authorization decision:
  Req {AuthNtoken, Attr/Roles, PolicyTypeId, ConditionExt}
  RBE (Req + Policy) => Decision {ResponseAAA, ActionExt}
  ActionExt = {ReqAAAExt, ASMcontrol}
  ResponseAAA = {AckAAA/RejectAAA, ReqAttr, ReqAuthN, BindAAA (Resource, Id/Attr)}
Diagram components: Request/Response, Generic AAA, Policy (defined by Resource owner), ASM; Translate logDecision => Action; Translate State => LogCondition

6 Generic AAA implementations
- Bandwidth-on-demand (BoD) for optical networks: using the driving policy approach for multidomain optical path building
- Access control and privilege management for a Collaborative environment: policy/role based access control to experimental equipment and resources
- Authorisation Web Service and Authorisation portType for Grid applications: policy binding to Web/Grid service definition
- Technology background:
  - AAA Policy Rule Based Engine (RBE) and XACML based policy exchange format
  - XML Web Services
  - Attempting to use WSRF and trying to avoid OGSI and ProxyCert

7 Distributed Security Architecture for Collaborative environment
- Based on the Job-centric security model
- Extended RBAC functionality including an RBAC administration terminal (using GAAA Toolkits)
- XACML based policy exchange and integration
- Uses the WS-Security Framework and OGSA/WSRF
- Policy binding to WSDL and AuthZ portType definition
- VO functionality - policy based user and resource management
- Proxy-Certificate (Grid approach) vs SAML security credentials management

8 Security built around Job description
Diagram components: Job# (Job Attributes, Job Priority, User list, User roles/attr), Admin, RBAC, Scheduler/JobMngr, Order Descr, AccessCtr (AuthN/Z), UserDB, Policy
- Job Description as a semantic object defining Job attributes and User attributes
- Requires a document based or semantic oriented Security paradigm
- Trust domain based on a Business Agreement (BA) or Trust Agreement (TA) via PKI

9 XACML implementation library for CNL
- Contains specific modules for AAA services: PEP, PDP, PAP and XACML messaging
- Implemented in Java
- Policy editor in XACML
- XACML provides a standard solution for RBAC with powerful policy combination functionality
- Version 0.1 is available for policy construction and translation to the AAA-policy format
- A set of typical policy profiles in XACML (with corresponding profiles in AAA) is under development

10 Main components and dataflow in RBAC/PMI
- PEP (Policy Enforcement Point) / AEF (authorisation enforcement function)
- PDP (Policy Decision Point) / ADF (authorisation decision function)
- PIP (Policy Information Point) / AA (Attribute Authority)
- PA – Policy Authority

11 GAAA API flow diagram (implements RBAC)
(diagram only)

12 GAAAPI implementation – XACML Request message format (1)
(diagram only)

13 GAAAPI implementation – XACML Request message format (2)
<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="[namespace URI elided in source]"
                xmlns:xsi="[namespace URI elided in source]"
                xsi:schemaLocation="[value elided in source]"
                version="0.1" type="CNLdemo1">
  <Subject>
    <Role>Analyst</Role>
    <JobID>JobID-XPS1-212</JobID>
    <Token>2SeDFGVHYTY83ZXxEdsweOP8Iok)yGHxVfHom90</Token>
  </Subject>
  <Resource>
    <ResourceID>[resource URI elided in source]</ResourceID>
  </Resource>
  <Action>
    <ActionID>ControlInstrument</ActionID>
  </Action>
</AAA:AAARequest>

14 GAAAPI implementation – XACML Response message format (1)
(diagram only)

15 GAAAPI implementation – XACML Response message format (2)
<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAAResponse xmlns:AAA="[namespace URI elided in source]"
                 xmlns:xsi="[namespace URI elided in source]"
                 xsi:noNamespaceSchemaLocation="aaa-cnl-response-00.xsd"
                 version="0.0">
  <Result ResourceId="String">
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="OK"/>
      <StatusMessage>Request successful</StatusMessage>
    </Status>
  </Result>
</AAA:AAAResponse>
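A worked PEP/PDP round trip through the request and response shapes shown on slides 13 and 15, added here as an illustration and not the GAAAPI/CNL library code; the namespace URI, the role-to-action policy table and the sample request are assumptions, and a mismatched closing tag like the one in the slide-13 request is rejected by the parser and enforced as a denial:

```python
import xml.etree.ElementTree as ET
AAA_NS = "urn:example:aaa-cnl"   # placeholder; the transcript drops the real namespace URI
ET.register_namespace("AAA", AAA_NS)
# Constructed role -> permitted ActionIDs table standing in for the XACML/AAA policy.
POLICY = {"Analyst": {"ViewExperiment", "ControlInstrument"}, "Guest": {"ViewExperiment"}}
# Constructed request in the slide-13 shape (token and resource values are made up).
SAMPLE_REQUEST = f"""<?xml version="1.0" encoding="UTF-8"?>
<AAA:AAARequest xmlns:AAA="{AAA_NS}" version="0.1" type="CNLdemo1">
  <Subject><Role>Analyst</Role><JobID>JobID-XPS1-212</JobID>
    <Token>constructed-token-value</Token></Subject>
  <Resource><ResourceID>urn:example:cnl:instrument-1</ResourceID></Resource>
  <Action><ActionID>ControlInstrument</ActionID></Action>
</AAA:AAARequest>"""

def parse_request(xml_text):
    """Extract the decision-relevant fields; ET.fromstring rejects malformed XML."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{AAA_NS}}}AAARequest":
        raise ValueError("not an AAARequest document")
    return {"role": root.findtext("Subject/Role"),
            "job": root.findtext("Subject/JobID"),
            "resource": (root.findtext("Resource/ResourceID") or "").strip(),
            "action": root.findtext("Action/ActionID")}

def decide(req):
    """PDP step: Permit only when the role's policy entry lists the action."""
    if not req["role"] or not req["action"]:
        return "Indeterminate"
    return "Permit" if req["action"] in POLICY.get(req["role"], set()) else "Deny"

def build_response(req, decision):
    """Serialise the decision in the slide-15 AAAResponse shape."""
    resp = ET.Element(f"{{{AAA_NS}}}AAAResponse", version="0.0")
    result = ET.SubElement(resp, "Result", ResourceId=req["resource"] or "String")
    ET.SubElement(result, "Decision").text = decision
    status = ET.SubElement(result, "Status")
    ok = decision == "Permit"
    ET.SubElement(status, "StatusCode", Value="OK" if ok else "FAIL")
    ET.SubElement(status, "StatusMessage").text = "Request successful" if ok else "Request denied"
    return ET.tostring(resp, encoding="unicode")

def pep(xml_text):
    """PEP step: parse, ask the PDP, return (decision, response XML)."""
    try:
        req = parse_request(xml_text)
    except (ET.ParseError, ValueError):
        return "Indeterminate", None   # a malformed request is enforced as a denial
    decision = decide(req)
    return decision, build_response(req, decision)
```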

16 Binding policy to WSDL service description
WS-PolicyAttachment defines two mechanisms that together allow binding a policy to the WSDL components (portType, Operation, Message):
- wsp:PolicyRefs="URI | QName"
- <wsp:UsingPolicy wsdl:Required="true"/>

17 Binding policy to WSDL - Example
<definitions xmlns="[URI elided in source]" xmlns:soap="[URI elided in source]"
             xmlns:xs="[URI elided in source]" xmlns:wsa="[URI elided in source]"
             xmlns:wsp="[URI elided in source]" xmlns:wsse="[URI elided in source]"
             xmlns:wst="[URI elided in source]" xmlns:cnl="[URI elided in source]"
             xmlns:policy="cnl-policy-schema.xsd"
             targetNamespace="[URI elided in source]">
    <message name="ViewExperimentRequest" wsp:PolicyRefs="cnl-policy-02example.xml">
        <part name="JobID" type="xs:string"/>
        <part name="coordinateX" type="xs:string"/>
        <part name="coordinateY" type="xs:string"/>
        <part name="zoom" type="xs:int"/>
    </message>
    <<< snip >>>
    <wsp:UsingPolicy wsdl:Required="true"/>
</definitions>

18 Security related activities in EGEE - FYI
- EGEE – Enabling Grids for E-sciencE
  - JRA3 – Security
  - MWSG – Middleware Security Group
  - JSPG – Joint (with LCG and OSG) Security Policy Group
  - OSG Incident Handling Activity
- Recent Security related deliverables
  - Grid User/Site Security Requirements – MJRA3.1
  - Global Security Architecture (GSA) rev. 1 – DJRA3.1
  - Grid Security Incident definition and exchange format – MJRA3.4; ongoing development, the current version being a part of the joint OSG/LCG/EGEE Operational Security activity

19 Grid Security Incident (GSInc) definition
- Depends on the scope and range of the Security Policy, ULA, or SLA - TODO
- Should be based on threats analysis and a vulnerabilities model – MJRA3.4
- Should be based on Grid processes/workflow analysis - TODO
- The GSInc definition is a base for the GSInc description format
  - What information should be collected and how to exchange and handle it
  - Requirements for events logging and intrusion/compromise detection
- A common format is a basis for community wide statistics and coordinated response
- Incident statistics provide feedback for Security Policy improvement
Note: the Grid Security model is based on delegation of security credentials to a service

20 Security credentials related GSInc and audit events
- Security credentials compromise (e.g., private key, proxy credentials, etc.)
  - Patterns of credential usage:
    - broken chain of PKC/keys/credentials
    - a copy is discovered in an improper place
    - usage originated not from the default location
    - subsequent failed attempts to request action(s)
  - PDP/PEP logging/audit
- Remaining problems and topics for discussion
  - How to determine at an early stage that a private key has been compromised?
  - May require credentials storing (not caching) and adding a history/evidence chain to the credentials format
    - X.509 credentials are not capable of this
    - Does SAML have the required functionality?
Note: Audit/log events together with related data can also be referred to as Evidence
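As an added illustration (not AIRG code), the credential-usage patterns listed above turned into detection logic over a few constructed PDP/PEP audit lines; the log format, the hostnames and the per-credential default-location table are assumptions, and "concurrent use from two origins" is used here as the observable counterpart of a credential copy existing in an improper place:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PDP/PEP audit lines: time, credential (proxy DN), origin host, action, decision.
AUDIT_LOG = """\
2004-11-04T09:00:00 CN=alice/proxy ws-alice.lab.example ViewExperiment Permit
2004-11-04T09:00:30 CN=alice/proxy ws-alice.lab.example ControlInstrument Permit
2004-11-04T09:01:00 CN=alice/proxy gw-77.other.example ControlInstrument Deny
2004-11-04T09:01:05 CN=alice/proxy gw-77.other.example ControlInstrument Deny
2004-11-04T09:01:10 CN=alice/proxy gw-77.other.example AdminRBAC Deny
2004-11-04T09:02:00 CN=bob/proxy ws-bob.lab.example ViewExperiment Permit
"""
# Constructed "default location" per credential, e.g. recorded at issuance/delegation time.
DEFAULT_ORIGIN = {"CN=alice/proxy": "ws-alice.lab.example",
                  "CN=bob/proxy": "ws-bob.lab.example"}

def parse_audit(text):
    """Turn the whitespace-separated audit lines into tuples."""
    events = []
    for line in text.splitlines():
        ts, cred, origin, action, decision = line.split()
        events.append((datetime.fromisoformat(ts), cred, origin, action, decision))
    return events

def detect(events, fail_threshold=3, window=timedelta(minutes=5)):
    """Return sorted (credential, indicator) pairs for the slide-20 usage patterns."""
    findings = set()
    fails = defaultdict(list)    # cred -> timestamps of denied requests inside the window
    seen = defaultdict(list)     # cred -> (timestamp, origin) of earlier uses
    for ts, cred, origin, action, decision in events:
        # use originating from somewhere other than the credential's default location
        if origin != DEFAULT_ORIGIN.get(cred, origin):
            findings.add((cred, "used-from-non-default-origin"))
        # subsequent failed attempts to request actions (repeated Deny in a short window)
        if decision == "Deny":
            fails[cred] = [t for t in fails[cred] if ts - t <= window] + [ts]
            if len(fails[cred]) >= fail_threshold:
                findings.add((cred, "repeated-denied-requests"))
        # the same credential active from two origins at once: a copy may exist elsewhere
        if any(o != origin and ts - t <= window for t, o in seen[cred]):
            findings.add((cred, "concurrent-use-from-two-origins"))
        seen[cred].append((ts, origin))
    return sorted(findings)
```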

21 Discussion: security credentials compromise detection
- How to determine at an early stage that a private key or other security credentials have been compromised?
- Will it require credentials storing (not caching) and adding a history/evidence chain to the credentials format?
  - X.509 credentials are not capable of this
  - Does SAML have the required functionality?

