1 - SSH Tunneling 2 - ProActive Security Infrastructure
Transcription
Slide 1: 1 - SSH Tunneling 2 - ProActive Security Infrastructure
Ubiquitous – Deployment Based – Hierarchical – Dynamic Security
Arnaud Contes, ProActive User Group

Slide 2: A ProActive Application
(Diagram: Virtual Node 1, Virtual Node 2, Virtual Node 3; Active object.)

Slide 3: Multiple Deployments Issues
Different deployments, different security policies:
• One host
• Local grid
• Distributed grids

Slide 4: Security Issues
• Authentication of computers, users, and applications
• Creation, connection to, and monitoring of activities
• Authentication, Integrity and Confidentiality (AIC) of communications
• Various security policies (physical and logical organizations)

Slide 5: 1 - SSH Tunneling
Static authentication and encryption

Slide 6: SSH Tunneling
• A fact: overprotected clusters
  – Firewalls prevent incoming connections
  – Use of private addresses
  – NAT, IP address filtering, …
• A consequence:
  – Multi-clustering is a NIGHTMARE

Slide 7: SSH Tunneling
• Context:
  – SSH protocol: encrypts network traffic
  – Administrators accept to open the SSH port
  – SSH provides encryption
• So:
  – Let us do SSH tunneling!

Slide 8: Without SSH Tunneling
(Diagram: Runtime and Active object; communications are denied.)

Slide 9: With SSH Tunneling
(Diagram: Runtime and Active object, each behind an SSH Forwarder, connected through an SSH server; communications travel over a secure channel.)

Slide 10: Abstract
• Pros:
  – VPN-like
  – Static authentication
  – Static encryption of communication
• Cons:
  – No notion of security at application level
  – Static feature

Slide 11: 2 - ProActive Security Architecture
Hierarchical – Dynamic Security

Slide 12: ProActive Security: Key Features
• Authentication of computers, users and applications
• Authentication, Integrity and Confidentiality of communications [A,I,C]
• In XML deployment files, not in source
• Hierarchical security domains
• Mobility aware
• Dynamically negotiated policies

Slide 13: Descriptor Security Model
• A key principle: specify security policies in the XML deployment, NOT IN SOURCE!
• In program source: Virtual Node (VN, a string name)
• In XML descriptors: list of policy rules

Slide 14: Hierarchical Domains
• A logical way to group entities that have the same security needs.
• Domains:
  – are hierarchical
  – enforce policies on contained entities
• Dynamically configurable via SSL connections

Slide 15: Who is Who?
• Existing entities at runtime:
  – Runtimes (JVM), Applications, Nodes, Active Objects
• Specific security entities:
  – Domains
• A certificate identifies each entity.

Slide 16: Application Authentication
• SPKI certificate:
  – Certification chain
  – No CA
• User certificate → generate certificate → Application (SPKI) certificate
• SPKI certificates for active objects, nodes

Slide 17: Security Rule
Entities -> Entities : Interactions # Attributes
• Entities:
  – Domain
  – User
  – Virtual Node
  – Object
• Interactions:
  – JVMCreation
  – NodeCreation
  – CodeLoading
  – ObjectCreation
  – ObjectMigration
  – Request
  – Reply
  – Listing
• Attributes:
  – Authentication [A]
  – Integrity [I]
  – Confidentiality [C]
• Each attribute can be:
  – Allowed [+]
  – Optional [?]
  – Disallowed [-]

Slide 18: Adaptive Security
• Dynamic setting of the security attributes
• Dynamic negotiation between different:
  – Domain and sub-domain
  – Virtual Nodes
  – Active Objects on JVMs on different machines

Slide 19: Hierarchical Security Policies
Security policy is defined according to all matching rules from:
• Domains (Dn … D0)
• Virtual Nodes
• Active Objects
(Diagram: each level, from domain Dn down to D0, the Runtime, the VN and the AO, contributes Accept/Deny rules; the administrator-level policy (domains, runtime) and the user-level application policy (VN, AO) combine into the final security policy.)

Slide 20: Combining Policies
• Search for the most specific rule in each domain.
• Retrieve all matching rules in the Domain hierarchy, the Virtual Node and the Active Object.
• Compute policies according to security attributes.

Negotiation table (rows: receiver, columns: sender):

  Receiver \ Sender | Required (+) | Optional (?) | Disallowed (-)
  Required (+)      | +            | +            | invalid
  Optional (?)      | +            | ?            | -
  Disallowed (-)    | invalid      | -            | -

Slide 21: Security Example
• 2 domains GridA & GridB with security policies
  – Domain [GridA] -> Domain [GridB] : Q,P,M # [+A,+I,+C]
  – Domain [GridB] -> Domain [GridA] : Q,P,M # [+A,+I,+C]
• Application:
  – 2 Virtual Nodes (vn1, vn2)
  – 2 Active objects

Slide 22: Descriptor with Security
  VirtualNodes: vn1, vn2
  SECURITY:
    VN [vn1] -> VN [vn2] : Q,P # [?A,?I,?C]
    VN [vn1] -> VN [vn2] : M # Forbidden
    VN [vn2] -> VN [vn1] : Q,P # [?A,?I,?C]
    VN [vn2] -> VN [vn1] : M # Forbidden
  Mapping:
    vn1 --> GridAComputers, GridBComputers
    vn2 --> GridAComputers
  JVMs: /…/

Slide 23: Example: std. code, no security
  /…/
  proActiveDescriptor.activateMappings();
  vn1 = proActiveDescriptor.getVirtualNode("vn1");
  vn2 = proActiveDescriptor.getVirtualNode("vn2");
  /…/
  Flower rose = (Flower) ProActive.newActive(Flower.class, new Object[]{"Rose"}, vn1.getNode());
  Flower daliah = (Flower) ProActive.newActive(Flower.class, new Object[]{"Daliah"}, vn2.getNode());
  /* next VN1 node inside the same domain */
  rose.migrateTo(vn1);
  /* communication inside the same domain */
  rose.sayHelloTo(daliah);
  /* other virtual node, forbidden */
  rose.migrateTo(vn2);
  /* next VN1 node, other domain */
  rose.migrateTo(vn1);
  /* communication with another domain */
  rose.sayHelloTo(daliah);

Slides 24-26: Example
(Diagram: Domain GridA and Domain GridB, each with a Policy rules database; VN1 spans both domains, VN2 is in GridA, with a Runtime per node; slide 26 adds Rose on VN1 and Daliah on VN2 in GridA.)

Slide 27: Example Migration: same VN, same domain
Rose: "Can I migrate to the next VN1 node?"
Slide 28: Example Migration: same VN, same domain
1 - Retrieve VN policy
2 - Migration allowed

Slide 29: Example Migration: same VN, same domain
(Diagram only.)

Slide 30: Example Migration: same VN, same domain
Negotiated Policy: Rose -> Daliah : [?A,?I,?C]
• Perform a method call: Rose -> Daliah : [?A,?I,?C]
• Receive a method call: Daliah -> Rose : [?A,?I,?C]

Slide 31: Example Migration: same VN, same domain
(Diagram only.)

Slide 32: Example Migration: same VN, other domain
Rose: "Can I migrate to the next VN1 node on GridB domain?"

Slide 33: Example Migration: same VN, other domain
1 - VN1 policy -> none
2 - GridA -> GridB : [+A,+I,+C]
3 - Migration with [+A,+I,+C]

Slide 34: Example Migration: same VN, other domain
(Diagram only.)

Slide 35: Example Method call: other VN, other domain (from Rose --> Daliah)
Negotiated Policy: Rose -> Daliah : [+A,+I,+C]
• Perform a method call: Rose -> Daliah : [+A,?I,+C]
• Receive a method call: Daliah -> Rose : [+A,+I,?C]

Slide 36: Conclusion: ProActive Security
• ProActive Security Features
  – Authentication of users and applications
  – Authentication, Integrity and Confidentiality of communications
  – Ubiquitous security: in XML deployment files, not in source
  – Security model for mobile applications
  – Dynamically negotiated policies
  – Logical security representation: security is easily adaptable to the deployment
• Perspectives:
  – Extend security to other features (group communications, components)

Slide 37: Questions?
Deployment Based Security? Multi Level Policy? SPKI? Ubiquitous Security? SSH Tunneling? Migration and Security? Dynamically Negotiated Policy? Hierarchical Security?

Slide 38: Lunch!

Slide 40: SSH Tunneling
• Authenticate with an SSH server located on distanthost:22.
• Request creation of an SSH channel.
• Instantiate a small TCP server on localhost:localport which sends all data to distanthost:22 with the correct channel headers.
• The SSH server reads the channel data on distanthost:22, decapsulates it and forwards it to distanthost:distantport.
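The four steps above describe a local port forward. The block below is an added example, not ProActive code and not part of the slides: it implements only the third step, the "small TCP server on localhost:localport", as a plaintext relay with correct half-close handling, and uses a constructed echo server in place of distanthost:distantport. It does not reproduce the SSH authentication, channel framing or encryption of steps 1, 2 and 4; in practice that far side is the SSH channel, which an `ssh -N -L localport:localhost:distantport user@distanthost` command provides, with the target named as the SSH server sees it.

```python
"""Added example (not ProActive code): the local end of an SSH-style port
forward, reduced to the plaintext relay. The SSH channel itself is not
reproduced; the echo server below is a constructed stand-in for the service
on distanthost:distantport."""
import socket
import threading


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the
    peer sees the same EOF (without this, tunnelled connections hang)."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client: socket.socket, target: tuple) -> None:
    """Connect to the target and shuttle bytes both ways for one client."""
    with client:
        try:
            upstream = socket.create_connection(target, timeout=5)
        except OSError:
            return  # target unreachable: drop the client connection
        with upstream:
            upstream.settimeout(None)
            t = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
            t.start()
            _pump(client, upstream)
            t.join()


def _serve(listener: socket.socket, handler) -> None:
    """Accept loop; ends when the listener is closed."""
    while True:
        try:
            conn, _ = listener.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def _listen(port: int) -> socket.socket:
    ls = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ls.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    ls.bind(("127.0.0.1", port))  # loopback only: never expose the plaintext end
    ls.listen(16)
    return ls


def start_forwarder(target: tuple, local_port: int = 0):
    """Listen on localhost:local_port and relay each connection to target.
    Returns (listening socket, bound port); port 0 lets the OS choose."""
    ls = _listen(local_port)
    threading.Thread(target=_serve, args=(ls, lambda c: _relay(c, target)), daemon=True).start()
    return ls, ls.getsockname()[1]


def start_echo_server():
    """Constructed stand-in for the service on distanthost:distantport."""
    def echo(conn):
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data)
    ls = _listen(0)
    threading.Thread(target=_serve, args=(ls, echo), daemon=True).start()
    return ls, ls.getsockname()[1]


def roundtrip(port: int, payload: bytes) -> bytes:
    """Send payload through localhost:port, half-close, and collect the reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    srv, sport = start_echo_server()
    fwd, lport = start_forwarder(("127.0.0.1", sport))
    print(roundtrip(lport, b"hello through the forwarder"))
    fwd.close()
    srv.close()
```

The relay binds to 127.0.0.1 on purpose: everything between the application and the forwarder is unencrypted, which is exactly the "static" limitation the Abstract slide lists, so the plaintext end must never be reachable from the network. The half-close propagation in `_pump` is the part most home-grown forwarders get wrong; without it a client that sends and then waits for EOF never completes.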
Slide 41: Port Forwarding scenario
(Diagram only.)

Slide 42: RMI over SSH - client
• We hold a reference to an RMI SSH stub.
• We make a method call on this stub.
• We don't have the bytecode of this stub: we download it from the stub codebase, which is httpssh://host:port/server
• The stub opens a socket to the RMI server with a SshRMIClientSocketFactory.

Slide 43: RMI over SSH - server
• We set java.rmi.server.codebase to httpssh://host:port/
• We instantiate an object which implements java.rmi.Remote.
• We export the object with a SshRMIClientSocketFactory and a SshRMIServerSocketFactory.

Slide 44: Objectives
• Authentication of computers, users, and applications
• Privacy and integrity of communications
• Easy and adaptable configuration: no modification of source code or bytecode
• Support features of current middlewares: deployment, migration, group communication, components, ...

Slide 45: 5.1 Issues for Grid Security
• Authentication of computers, users, and applications
• Creation, connection to, and monitoring of activities
• Authentication, Integrity and Confidentiality (AIC)
• Hierarchical domains
• Security policies: domain, user, application
• Variation in grid connectivity: LAN, wireless, Internet, VPN, ...
• Variation in deployment

Slide 46: Objectives
• Goals:
  – Authentication of computers, users, and applications
  – Communication authentication, privacy and integrity
  – Security defined at user and administrator level
  – Easy and adaptable configuration
  – Support for current middleware features: deployment, migration, group communication, components

Slide 47: ProActive Security: Key Features
• ProActive Security Features
  – Authentication of users and applications (PKI X.509 certificates)
  – Authentication, Integrity and Confidentiality of communications [A,I,C]
  – In XML deployment files, not in source
  – Mobility aware
  – Dynamically negotiated policies

Slide 48: ProActive Security Manager
• In charge of security for an active object
• Retrieves, combines and negotiates policies
• Negotiates session keys
• Encrypts/decrypts messages

Slide 49: Request to an Active Object
(Diagram: the request path runs from the caller's Proxy through Request Sender, Request Receiver, Body, Service and Object, with the reply returning through Reply Sender and Reply Receiver; a Security Manager on each side performs policy computation, key exchange and message encryption/decryption. Labels: Request path, Security mechanisms.)

Slide 50: Principles
• Ubiquitous security:
  – Remove security from application source code
• Logical security architecture / abstract deployment:
  – Hierarchical security entities, dynamic policy
• Declarative security language:
  – Simple, extensible

Slide 51: User Authentication
• Requestor generates key pair
• CA verifies ID, key pair, and user eligibility
• CA binds public key to ID by signing the certificate
• CA presents signed X.509 v3 certificate to requestor

Slide 52: Object Communication
(Diagram only.)

Slide 53: ProActive Security Principles
• Dynamic policy negotiation
• Certification chain to identify users, JVMs, objects
• Application security policies set by deployment descriptors

Slide 54: Objectives
• Authentication of computers, users, and applications
• Communication authentication, privacy and integrity
• Security defined at user and administrator level
• Easy and adaptable configuration
• Support for current middleware features: deployment, migration, group communication, components
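The Security Manager's "retrieve, combine and negotiate policies" step (slide 48) is what the Combining Policies table (slide 20) and the Rose/Daliah walkthrough (slides 21-35) describe in pieces. The block below is an added example, not ProActive's implementation, that puts those pieces together on the GridA/GridB rules from slides 21-22 and replays the walkthrough. It assumes three things the slides state only informally: the most specific matching rule wins (Object over VN over Domain, and a deeper sub-domain over its parent); when no rule matches, a caller-supplied default applies (the slides' "VN1 policy -> none, migration allowed" reads as a permissive default, so the demo uses one and shows the deny-by-default alternative); and both sides of an interaction consult one policy rules database. The sub-domain "labX", its rule, and the "node" entities are constructed for the demo.

```python
"""Added example (not ProActive's implementation): rule lookup and attribute
negotiation for the Entities -> Entities : Interactions # Attributes model.
Assumptions: most specific matching rule wins; unmatched interactions get a
caller-supplied default; one shared rules database. "labX" and the "node"
entities are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

ATTRS = ("A", "I", "C")            # Authentication, Integrity, Confidentiality
Policy = Optional[Dict[str, str]]  # {"A": "+", ...}; None means Forbidden

# The "Combining Policies" table: (sender value, receiver value) -> result.
# None marks the invalid combination (+ against -), which refuses the interaction.
COMBINE = {
    ("+", "+"): "+", ("+", "?"): "+", ("+", "-"): None,
    ("?", "+"): "+", ("?", "?"): "?", ("?", "-"): "-",
    ("-", "+"): None, ("-", "?"): "-", ("-", "-"): "-",
}


def policy(a: str, i: str, c: str) -> Dict[str, str]:
    return {"A": a, "I": i, "C": c}


@dataclass(frozen=True)
class Entity:
    domains: Tuple[str, ...]  # outermost domain first, e.g. ("GridA", "labX")
    vn: str
    name: str


@dataclass(frozen=True)
class Rule:
    src: Tuple[str, str]          # ("Domain", "GridA"), ("VN", "vn1") or ("Object", "Rose")
    dst: Tuple[str, str]
    interactions: FrozenSet[str]  # Q = Request, P = Reply, M = Migration
    attrs: Policy                 # None encodes "# Forbidden"


def _specificity(selector: Tuple[str, str], entity: Entity) -> Optional[int]:
    """How specific `selector` is for `entity`; None if it does not match.
    Deeper sub-domains score higher than their parents; VN beats any domain; Object beats VN."""
    kind, name = selector
    if kind == "Domain":
        return entity.domains.index(name) if name in entity.domains else None
    if kind == "VN":
        return 100 if name == entity.vn else None
    return 200 if name == entity.name else None


def lookup(rules, sender: Entity, receiver: Entity, interaction: str, default: Policy) -> Policy:
    """Most specific rule for sender -> receiver on this interaction, else `default`."""
    best = None
    for r in rules:
        if interaction not in r.interactions:
            continue
        s, d = _specificity(r.src, sender), _specificity(r.dst, receiver)
        if s is None or d is None:
            continue
        if best is None or s + d > best[0]:
            best = (s + d, r.attrs)
    return default if best is None else best[1]


def negotiate(sender_policy: Policy, receiver_policy: Policy) -> Policy:
    """Combine the two sides' policies attribute by attribute; None = refused."""
    if sender_policy is None or receiver_policy is None:
        return None
    out = {}
    for a in ATTRS:
        v = COMBINE[(sender_policy[a], receiver_policy[a])]
        if v is None:
            return None  # one side requires what the other disallows: invalid
        out[a] = v
    return out


def decide(rules, sender: Entity, receiver: Entity, interaction: str, default: Policy) -> Policy:
    """What the security managers do on a call: each resolves its rule, then they negotiate."""
    return negotiate(lookup(rules, sender, receiver, interaction, default),
                     lookup(rules, sender, receiver, interaction, default))


# Rules from the Security Example and Descriptor with Security slides, plus one
# constructed sub-domain rule (labX) to show hierarchy precedence.
RULES = [
    Rule(("Domain", "GridA"), ("Domain", "GridB"), frozenset("QPM"), policy("+", "+", "+")),
    Rule(("Domain", "GridB"), ("Domain", "GridA"), frozenset("QPM"), policy("+", "+", "+")),
    Rule(("VN", "vn1"), ("VN", "vn2"), frozenset("QP"), policy("?", "?", "?")),
    Rule(("VN", "vn1"), ("VN", "vn2"), frozenset("M"), None),
    Rule(("VN", "vn2"), ("VN", "vn1"), frozenset("QP"), policy("?", "?", "?")),
    Rule(("VN", "vn2"), ("VN", "vn1"), frozenset("M"), None),
    Rule(("Domain", "labX"), ("Domain", "GridB"), frozenset("M"), policy("+", "+", "-")),  # constructed
]
DEFAULT = policy("?", "?", "?")  # permissive default inferred from slides 28-30; pass None to deny by default

ROSE = Entity(("GridA",), "vn1", "Rose")
DALIAH = Entity(("GridA",), "vn2", "Daliah")
VN1_NODE_GRIDA = Entity(("GridA",), "vn1", "node")   # constructed target nodes
VN1_NODE_GRIDB = Entity(("GridB",), "vn1", "node")
ROSE_IN_LABX = Entity(("GridA", "labX"), "vn1", "Rose")


def walkthrough() -> Dict[str, Policy]:
    """Replays the Rose/Daliah scenario from the example slides."""
    return {
        "migrate: same VN, same domain": decide(RULES, ROSE, VN1_NODE_GRIDA, "M", DEFAULT),
        "request: Rose -> Daliah, same domain": decide(RULES, ROSE, DALIAH, "Q", DEFAULT),
        "migrate: vn1 -> vn2 (forbidden)": decide(RULES, ROSE, DALIAH, "M", DEFAULT),
        "migrate: same VN, other domain": decide(RULES, ROSE, VN1_NODE_GRIDB, "M", DEFAULT),
        "migrate: from sub-domain labX to GridB": decide(RULES, ROSE_IN_LABX, VN1_NODE_GRIDB, "M", DEFAULT),
        "slide 35 call": negotiate(policy("+", "?", "+"), policy("+", "+", "?")),
        "required vs disallowed": negotiate(policy("+", "?", "?"), policy("-", "?", "?")),
    }
```

Two things worth checking against your own deployment. First, the permissive default is the weakest point: with it, an interaction nobody wrote a rule for runs with every attribute optional, which is why `decide(RULES, ROSE, VN1_NODE_GRIDA, "M", None)` is shown refusing the same migration. Second, the slide 35 call has the two sides holding different policies ([+A,?I,+C] and [+A,+I,?C]) that do not come from the descriptor on slide 22, so the example feeds them to `negotiate()` directly; the table turns them into [+A,+I,+C], and a + against - anywhere turns the whole call into "invalid".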