Rev PA1 04/21/23 1 Ericsson Canada
Distributed Access Control for Carrier Class Clusters
A. Apvrille, E. Gingras, A. Medenou, D. Gordon
Open Systems Lab
Montréal – Canada
June 26, 2003
Agenda
• Telecom servers and security
• DSI overview
• Distributed Access Control
• Benchmark results
• Conclusions
Context
• Target application: soft real time applications for Telecom
• High Availability: 99.999% uptime
• Clustered servers
• Exposed to the Internet
• Providing services to different operators
• Running untrusted third-party software
• Software configuration evolves slowly over time: no wild software installations
New security threats for Telecom servers
Next Generation Network Architecture
(Diagram.) Yesterday: one network per service, Data/IP Networks, PLMN, PSTN/ISDN and CATV, each with its own Clients, Access, Transport & Switching Networks and Services. Today: a single Multi-Service IP Backbone Network reached through Narrowband, Wireless and Broadband Access, with Service Control and Service Capabilities, Management & Support, and Applications & Content layered above it.
Telecom business changes…
• Change in the market: all-IP-networks
• Increasing number of attacks via the Internet
• Huge demand for security
“Distributed Systems Require Distributed Security”
Hartman, Flinn, Beznosov,
Enterprise Security with EJB and CORBA
Distributed Security Infrastructure: Overview
Goals
• Design an architecture as a platform
– to support different security mechanisms
– for a carrier class internet server running on a clustered system
• Provide mechanisms to protect the system against:
– External attacks: originating from the Internet
– Internal attacks: originating from the Intranet
• Provide mechanisms for efficient
– Detection
– Reaction
• Damage control
Distributed Security Infrastructure
Security context (ScID)
• Privileges associated with each process or resource, defined through the whole cluster
• Security ID: defines the security context
– Can be transferred and interpreted through the whole cluster
– Assigned by the local security manager
Distributed Security Policy
(Diagram.) A Security Server (SS) on the Security Server Node holds the Dist Sec Policy; a Security Manager (SM) on each of Node 1, Node 2 and Node 3 keeps a local copy of the Dist Sec Policy and reaches the Security Server through the Security Broker, while Data Traffic flows between the node kernels. Subjects and objects such as Port 21 and Proc987 are governed by that policy; the figure labels this Logical Access.
DSP Update
Distributed Access Control (DisAC)
DisAC
• Goals
– Extending kernel-level Mandatory Access Control features for a single computer into features for a distributed system
• Usage
– Sharing the same cluster among different applications running untrusted third-party software
– Setting up virtual security zones inside the cluster
• Characteristics
– Access control at Operating system kernel level (Linux)
– Cluster-wide access control
– Process-level granularity access control
Cluster-wide Access Control
DisAC: Creating Virtual Security Zones
Benchmarking results

Test type    Without DSI   With DSI   Overhead
Stat              1.92       1.94      1.0%
Open/Close        2.68       2.68      0%
Fork             92.81      93.58      0.82%
Exec            322.56     328.33      1.78%
Sh proc        2140.75    2150.00      0.43%
UDP               9.68      10.61      9.6%
RPC/UDP          17.66      18.70      5.9%
TCP              11.08      12.68     14.4%
RPC/TCP          23.42      24.30      3.75%

Time units are microseconds (latency per operation); overhead is the relative increase of the "With DSI" column over the "Without DSI" column. The process and file-system calls pay about 1-2%; the heaviest overhead is on the network paths (UDP, TCP), which are the operations on which the DisAC kernel module checks the security-context label carried with each packet.
Conclusions
• DisAC enforces cluster-wide access control at kernel level for distributed systems.
• Already slated for use in Telecom clustered servers
• Can it be used for Grid environments?
• Download DSI and form your own opinion
– http://sourceforge.net/projects/disec
Support Slides
Classifying binaries based on security
• Using ScIDs for categorizing binaries
Distributed Access
(Diagram.) Source Node: a user-level process, Proc12, calls connect(sock1, ...); the DSI LSM Module in the kernel performs a SID Check and, on failure, returns an Error to the calling process (step 1). The IP packet leaves the Source Node carrying SSID + SNID, the source security ID and the source node ID (step 2). Target Node: the DSI LSM Module performs a SID Check on the incoming packet and Drops it on failure; otherwise Proc34 proceeds with accept(sock1, ...); set_delegate_sid(sock1); ... reset_sid(); and, while delegated, accesses File A under the client's security context (step 3). Each node runs its own Security Manager (SM); checks happen at kernel level, the processes at user level.
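The exchange on this slide (connect on the source node, the SSID + SNID label carried in the packet, the SID check and drop on the target node, and set_delegate_sid / reset_sid around the access to File A), worked through in C as an added example. This is not DSI's own code: the rule layout, the default-deny wildcard matching, the 8-byte big-endian label, the object ScID given to File A and the function names disac_connect, disac_accept and disac_file_open are assumptions for illustration; only set_delegate_sid and reset_sid are names taken from the slide.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t scid_t;
#define ANY 0u          /* wildcard for a ScID or node ID in a rule (assumed encoding) */
#define LABEL_LEN 8     /* SSID (4 bytes) + SNID (4 bytes), big-endian (assumed format) */

struct proc { scid_t sid; scid_t saved_sid; uint32_t node; };
struct sock { scid_t peer_sid; uint32_t peer_node; int labeled; };
struct pkt  { unsigned char label[LABEL_LEN]; int has_label; };

/* One DSP rule: subject ScID ssid on node snid may reach object ScID tsid on node tnid. */
struct dsp_rule { scid_t ssid; uint32_t snid; scid_t tsid; uint32_t tnid; };

/* This node's local copy of the Distributed Security Policy (constructed sample rules). */
static const struct dsp_rule dsp[] = {
    { 12, ANY, 34,  ANY },   /* client ScID 12 may connect to server ScID 34 on any node */
    { 12, ANY, 500, ANY },   /* ScID 12 may use File A, labelled with object ScID 500 */
    { 77, 2,   34,  ANY },   /* ScID 77 may reach 34 only while it runs on node 2 */
};

static int match(uint32_t rule, uint32_t query)
{
    return rule == ANY || query == ANY || rule == query;
}

/* Default deny: allow only if some rule matches every field of the request. */
int dsp_allows(scid_t ssid, uint32_t snid, scid_t tsid, uint32_t tnid)
{
    for (size_t i = 0; i < sizeof dsp / sizeof dsp[0]; i++) {
        const struct dsp_rule *r = &dsp[i];
        if (match(r->ssid, ssid) && match(r->snid, snid) &&
            match(r->tsid, tsid) && match(r->tnid, tnid))
            return 1;
    }
    return 0;
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}
static uint32_t get_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Source node, connect(): SID check against the target node, then label the packet (step 1, 2). */
int disac_connect(const struct proc *p, uint32_t dst_node, struct pkt *out)
{
    if (!dsp_allows(p->sid, p->node, ANY, dst_node))
        return -1;                              /* Error returned to the caller */
    put_be32(out->label, p->sid);               /* SSID */
    put_be32(out->label + 4, p->node);          /* SNID */
    out->has_label = 1;
    return 0;
}

/* Target node, accept(): read SSID + SNID and check them against the local DSP; drop on failure. */
int disac_accept(const struct proc *server, const struct pkt *in, struct sock *s)
{
    if (!in->has_label)
        return -1;                              /* unlabelled traffic is dropped (assumption) */
    scid_t ssid = get_be32(in->label);
    uint32_t snid = get_be32(in->label + 4);
    if (!dsp_allows(ssid, snid, server->sid, server->node))
        return -1;                              /* Drop */
    s->peer_sid = ssid; s->peer_node = snid; s->labeled = 1;
    return 0;
}

/* Delegation: the server temporarily acts under the client's ScID, then takes its own back. */
int set_delegate_sid(struct proc *server, const struct sock *s)
{
    if (!s->labeled) return -1;
    server->saved_sid = server->sid;
    server->sid = s->peer_sid;
    return 0;
}
void reset_sid(struct proc *server) { server->sid = server->saved_sid; }

/* File access on the target node is checked against the process's current ScID (step 3). */
int disac_file_open(const struct proc *p, scid_t file_sid)
{
    return dsp_allows(p->sid, p->node, file_sid, p->node) ? 0 : -1;
}

/* Walks the slide's scenario; returns 0 when every check came out as the policy requires. */
int disac_demo(void)
{
    struct proc client = { 12, 0, 1 }, server = { 34, 0, 3 }, rogue = { 77, 0, 1 };
    struct pkt p = { {0}, 0 }; struct sock s = { 0, 0, 0 };
    if (disac_connect(&client, 3, &p) != 0) return 1;
    if (disac_accept(&server, &p, &s) != 0) return 2;
    if (disac_file_open(&server, 500) == 0) return 3;   /* ScID 34 alone may not open File A */
    if (set_delegate_sid(&server, &s) != 0) return 4;
    if (disac_file_open(&server, 500) != 0) return 5;   /* allowed while acting for ScID 12 */
    reset_sid(&server);
    if (disac_file_open(&server, 500) == 0) return 6;
    if (disac_connect(&rogue, 3, &p) == 0) return 7;    /* ScID 77 on node 1: not in policy */
    return 0;
}

int main(void) { printf("disac_demo -> %d\n", disac_demo()); return 0; }
```

The point of carrying SNID as well as SSID is that the target's decision can depend on where the subject runs (the ScID 77 rule), which is what makes a virtual security zone inside one cluster expressible; the delegation pair lets a server touch an object only on behalf of a client the policy already authorises, instead of being granted that object outright.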
Some facts
• Many existing security solutions:
– As external security mechanisms to the servers:
• Firewalls
• IDSs…
– As part of servers:
• Integrity checks
• Some effort to enhance security as a part of the OS…
• Few efforts to make a coherent framework for enhancing security in a dedicated distributed system
Distributed security is hard to achieve
• Many layers to fit together: applications, middleware, OS, hardware, network
• Exposed by nature
• Heterogeneous environment: variety of
– Hardware
– Software: OS, Middleware
– Networking technologies
Challenges in Distributed security
• Implement coherent distributed security
– Many layers to fit together: Applications, Middleware, OS, Hardware, Network
– Heterogeneous environment: variety of Hardware, Software (OS, Middleware), Networking technologies
• Integration of different security solutions
• System management
– Managed manually, it is an open door for misconfigurations and inconsistencies
Need for a new security approach
Carrier class TSP-alike server:
• Target application: soft real time
• No possible security policy upon traditional login and password
• Running for a very long time (months) under the same login without rebooting
• Fine grained security policy based on processes
• Pre-emptive security
Traditional clusters (HPC Beowulf, load balancing LVS…):
• No real time applications
• Security policy based upon logins and passwords
• Running for a short period of time (days) before each reboot
• No pre-emptive security
Why the need for a security framework ?
• Abstracting the underlying security algorithms and mechanisms
• Reducing development time
• Minimizing the risk of creating subtle, but dangerous security vulnerabilities by reusing security tested software
• Maximize investment on developing security mechanisms
Why a middleware? General trends
• Hardware: more expensive and faster
• Software: cheaper but slower
Different types of middleware:
• Infrastructure middleware
• Distribution middleware
• Common services
• Domain specific services
DSI must provide
• A Distributed Trusted Computing Base (TCB)
• Reduced risk, by eliminating vulnerabilities through reuse of the secure middleware
• Coherent and secure software upgrade
• A standard way to express a desired security policy across all services on the server
• Easy management of security configurations
• A coherent approach to security inside the cluster
• Containment of the effects of buggy (malicious?) software and misconfigurations
• Effective use of surveillance and intrusion detection mechanisms
What we do vs. what we don't do
Do:
• Design and implement a coherent framework for the security needs of a cluster running a soft real time application
• Re-use as much as possible existing algorithms and protocols (COTS)
• Adapt current technologies to fit our needs and environment (soft real time)
Do not:
• Invent new algorithms or new protocols for cryptography, authentication or anything else
Access control approach on cluster computing
• Current security approach in cluster computing:
– Generally based on user privileges (login, password)
– Life time: a session of several hours
– Scope: limited range of operations according to the application's nature
• Our target application:
– One user only
– Life time: months if not years
– Scope: wide range of operations, from upgrading software to managing information in databases
(Diagram.) Node 43674 and Node 8956 each run a Security Manager; an Access Request between Process 123 on one node and Process 456 on the other is annotated "No security check on Process 123, but on Process 456".
Initial Hypothesis
• Secure Boot: provides us with a Distributed Trusted Computing Base (DTCB)
• The kernel at secure boot is small enough to be thoroughly vulnerability tested
• Use of digital signatures and a local certification authority protects the DTCB from malicious modifications
• DSI security mechanisms are enforced at kernel level and cannot be bypassed
• The whole software and hardware configuration is under tight control
DSI inside a node: Service Discovery
(Diagram.) User level: a User Application Process linked with dsisecstub reaches DSI through the Sec API. DSI Middleware: the Security Broker (Authentication, Encryption/Decryption) fronts the Security Manager, whose services are Access Control, Authentication, Monitoring, Secure O&M, Key Management, Policy Management, Certification Authority and the DSI Security Provider; the Security Server (SecServices) and a Log Analyzer complete the middleware. Kernel level: the DSI Kernel Mechanisms, reached through a kernel-side Sec API, sit above the Network.
Functionality
• Security Management
• Access control
• Authentication: verifies that the principals are who they claim to be
• Auditing: provides a record of security relevant events and allows monitoring of the subjects in the system
• Confidentiality and Integrity for communications
Distributed Security Policy (DSP)
• Expresses a coherent security vision (security policy) throughout the whole cluster
• Local security policy:
– Initially integrated into the secure boot software
– Maintained and updated by the security server through the security broker
• Based on domain enforcement
• Delegation
• Defines the communication type between processes: secure, not secure, authenticated, encrypted…
Distributed Security Policy (2)
• Policy rules control
– Access control
– Authentication and Integrity for intra- and extra-server communications: necessity and means
• Policy management points (PMP): in each node, caching the DSP locally
• Policy Enforcement
– Done by the kernel: scattered through the different system calls into the kernel
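The two DSP slides above describe rules that say, per pair of security contexts, whether a communication is permitted and which means (authentication, encryption) it must carry, cached at a policy management point on each node and refreshed by the security server. The following C model is an added example, not DSI's code: the rule fields, the intra/extra-server scope flag, the bit flags for the means, the version number on the cached policy and the names dsp_required, dsp_channel_ok and pmp_update are all assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t scid_t;

/* "Means" a rule can require for a communication (bit flags, assumed encoding). */
enum { COMM_PLAIN = 0, COMM_AUTH = 1u << 0, COMM_ENC = 1u << 1 };
/* Where the peer sits: inside the cluster (intra-server) or beyond it (extra-server). */
enum { SCOPE_INTRA = 0, SCOPE_EXTRA = 1 };

/* A rule: traffic from ScID src to ScID dst in this scope is permitted ("necessity") and
 * must carry at least 'required' protection ("means"). Pairs without a rule are denied. */
struct comm_rule { scid_t src; scid_t dst; int scope; unsigned required; };

/* Policy management point: the node's cached DSP, with a version number so that only a
 * newer policy pushed by the security server replaces it (the versioning is an assumption). */
struct pmp { unsigned version; const struct comm_rule *rules; size_t n; };

/* Constructed sample policy, version 1. */
static const struct comm_rule policy_v1[] = {
    { 12, 34, SCOPE_INTRA, COMM_PLAIN },            /* app client -> app server, inside the cluster */
    { 12, 34, SCOPE_EXTRA, COMM_AUTH | COMM_ENC },  /* same pair reached over the Internet */
    { 40, 34, SCOPE_INTRA, COMM_AUTH },             /* O&M client must authenticate */
};
/* Version 2 tightens the internal rule: authentication required everywhere. */
static const struct comm_rule policy_v2[] = {
    { 12, 34, SCOPE_INTRA, COMM_AUTH },
    { 12, 34, SCOPE_EXTRA, COMM_AUTH | COMM_ENC },
    { 40, 34, SCOPE_INTRA, COMM_AUTH },
};
#define NRULES(a) (sizeof (a) / sizeof (a)[0])

/* Returns 1 and the required means if the DSP permits src -> dst in this scope, else 0. */
int dsp_required(const struct pmp *p, scid_t src, scid_t dst, int scope, unsigned *required)
{
    for (size_t i = 0; i < p->n; i++) {
        const struct comm_rule *r = &p->rules[i];
        if (r->src == src && r->dst == dst && r->scope == scope) {
            *required = r->required;
            return 1;
        }
    }
    return 0;
}

/* Enforcement hook at the socket layer: the channel may be used only if the pair is
 * permitted and the protection actually negotiated ('actual') covers every required bit. */
int dsp_channel_ok(const struct pmp *p, scid_t src, scid_t dst, int scope, unsigned actual)
{
    unsigned required;
    if (!dsp_required(p, src, dst, scope, &required))
        return 0;
    return (actual & required) == required;
}

/* The security server pushes a policy through the broker: accept only a strictly newer
 * version, so a replayed or out-of-order older policy cannot loosen the cached one. */
int pmp_update(struct pmp *p, unsigned version, const struct comm_rule *rules, size_t n)
{
    if (rules == NULL || version <= p->version)
        return -1;
    p->version = version; p->rules = rules; p->n = n;
    return 0;
}

int main(void)
{
    struct pmp node = { 1, policy_v1, NRULES(policy_v1) };
    printf("v1 plain intra 12->34: %d\n", dsp_channel_ok(&node, 12, 34, SCOPE_INTRA, COMM_PLAIN));
    printf("v1 auth-only extra 12->34: %d\n", dsp_channel_ok(&node, 12, 34, SCOPE_EXTRA, COMM_AUTH));
    printf("update to v2: %d\n", pmp_update(&node, 2, policy_v2, NRULES(policy_v2)));
    printf("v2 plain intra 12->34: %d\n", dsp_channel_ok(&node, 12, 34, SCOPE_INTRA, COMM_PLAIN));
    return 0;
}
```

Because the decision is taken from the node's cached copy, every node reaches the same verdict for the same pair only while the caches agree; a policy update therefore has to reach all PMPs, and the version check is what stops a lagging node from silently reinstating the looser rule.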
Security Services
(Diagram.) The Sec Manager hosts the Access Control Service (AC), Authentication Service (AS), Integrity Service (IS), Monitoring Service (MS) and Key Management; they draw on the Sec Policy, the Sec Context and the Sec Contexts Repository, and on the Key Repository.
Why?
• Change in the market: all-IP-networks
• Increasing number of attacks via the Internet
– 4,000 denial-of-service attacks every week, University of San Diego researchers, June 2001.
– 2001 Computer Crime and Security Survey: organizations victim of attacks via the Internet increased from 38 percent in the 1996 survey to 70 percent in 2001.
• Huge demand for security
– Companies will spend 4 percent of their revenues on information security in 2011, up from 0.4 percent this year, Gartner Institute.
• There is little security support as a coherent solution in distributed applications developed for clustered servers.