Distributed Access Control for Carrier Class Clusters. Makan.Pourzandi@Ericsson.Ca, A. Apvrille, E. Gingras, A. Medenou, D. Gordon. Open Systems Lab, Ericsson Canada, Montréal – Canada. June 26, 2003.

Uploaded by christopher-cameron, posted 13-Jan-2016.

Page 1:

Distributed Access Control for Carrier Class Clusters

Makan.Pourzandi@Ericsson.Ca

A. Apvrille, E. Gingras, A. Medenou, D. Gordon

Open Systems Lab

Montréal – Canada

June 26, 2003

Page 2:

Agenda

• Telecom servers and security
• DSI overview
• Distributed Access Control
• Benchmark results
• Conclusions

Page 3:

Context

• Target application: soft real-time applications for Telecom

• High Availability: 99.999% uptime

• Clustered servers

• Exposed to the Internet

• Providing services to different operators

• Running untrusted third-party software

• Software configuration evolves slowly over time: no wild software installations

Page 4:

New security threats for Telecom servers

Page 5:

Next Generation Network Architecture

[Figure: Next Generation Network Architecture. "Yesterday": Data/IP Networks, PLMN, PSTN/ISDN and CATV appear as separate stacks, each spanning the Clients, Access Transport & Switching Networks and Services layers. "Today": Narrowband Access, Wireless Access and Broadband Access all feed one Multi-Service IP Backbone Network, with Service Control, Service Capabilities, Management & Support, and Applications & Content layered above it.]

Page 6:

Telecom business changes…

• Change in the market: all-IP-networks

• Increasing number of attacks via the Internet

• Huge demand for security

Page 7:

“Distributed Systems Require Distributed Security”

Hartman, Flinn, Beznosov, Enterprise Security with EJB and CORBA

Page 8:

Distributed Security Infrastructure: Overview

Page 9:

Goals

• Design an architecture that serves as a platform, supporting different security mechanisms, for a carrier class Internet server running on a clustered system
• Provide mechanisms to protect the system against:
  – External attacks, originating from the Internet
  – Internal attacks, originating from the intranet
• Provide mechanisms for efficient:
  – Detection
  – Reaction
• Damage control

Page 10:

Distributed Security Infrastructure

Page 11:

Security context (ScID)

• Privileges associated with each process or resource, defined through the whole cluster
• Security ID: defines the security context
  – Can be transferred and interpreted through the whole cluster
  – Assigned by the local security manager

Page 12:

Distributed Security Policy

[Figure: the Security Server node (SS) holds the Dist Sec Policy and distributes it through the Security Broker to the Security Manager (SM) on Node 1, Node 2 and Node 3; each node keeps its own copy of the Dist Sec Policy. Data traffic between nodes passes through the kernel, where logical access is checked, for example Proc 987 reaching Port 21. Legend: SS = Security Server, SM = Security Manager.]

Page 13:

DSP Update

Page 14:

Distributed Access Control (DisAC)

Page 15:

DisAC

• Goals
  – Extending kernel-level Mandatory Access Control features for a single computer into features for a distributed system
• Usage
  – Sharing the same cluster among different applications running untrusted third-party software
  – Setting up virtual security zones inside the cluster
• Characteristics
  – Access control at operating system kernel level (Linux)
  – Cluster-wide access control
  – Process-level granularity of access control

Page 16:

Cluster-wide Access Control

Page 17:

DisAC: Creating Virtual Security Zones

Page 18:

Benchmarking results

Test type     Without DSI   With DSI   Overhead
Stat                 1.92       1.94      1.0%
Open/Close           2.68       2.68      0%
Fork                92.81      93.58      0.82%
Exec               322.56     328.33      1.78%
Sh proc           2140.75    2150         0.43%
UDP                  9.68      10.61      9.6%
RPC/UDP             17.66      18.7       5.9%
TCP                 11.08      12.68     14.4%
RPC/TCP             23.42      24.3       3.75%

Time units are microseconds. The largest overheads are on the network tests (UDP, TCP), where the per-packet security ID labelling and checking take place.

Page 19:

Conclusions

• DisAC enforces cluster-wide access control at kernel level for distributed systems
• Already adopted for Telecom clustered servers
• Can it be used for Grid environments?
• Download DSI and form your own opinion: http://sourceforge.net/projects/disec

Page 20:

Support Slides

Page 21:

Classifying binaries based on security

• Using ScIDs for categorizing binaries

Page 22:

Distributed Access

[Figure: the DSI LSM module enforcing an access from a source node to a target node, with a Security Manager (SM) on each node. User level, source node: Proc 34 and Proc 12; Proc 34 runs main(){ ... connect(sock1, ...); ... }. Kernel level, source node: the DSI LSM module labels the outgoing IP packet with SSID + SNID (the sender's security ID and node ID). Kernel level, target node: a SID check on the incoming packet either passes it to Proc 123 or drops it (shown as "SID Proc123 Error" and Drop). User level, target node: Proc 123 runs main(){ ... accept(sock1, ...); set_delegate_sid(sock1); ... reset_sid(); } and, between set_delegate_sid and reset_sid, accesses File A under the delegated SID, which is SID-checked again (steps 1, 2, 3).]
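The figure above, with the security context slide (page 11) and the DisAC slides (pages 15 to 17), describes the mechanism in pieces. The Go program that follows is an added example and not DSI code: it models the Distributed Security Policy as a set of allowed (source ScID, target ScID) pairs cached identically on every node, labels each packet with SNID and SSID on the source node, runs the SID check on the target node against that node's DSP copy, and models set_delegate_sid/reset_sid as the server temporarily taking the client's ScID for its own accesses. All type and function names, the two-zone policy and the process and file identifiers are constructed for the example, and the delegation semantics are my reading of the figure rather than documented DSI behaviour.

```go
package main

import "fmt"

// ScID is a cluster-wide security context identifier (the slides' Security ID).
type ScID uint32

// Label is what the DSI kernel module stamps on every packet leaving a node:
// the source node ID and the sending process's security ID ("SSID + SNID").
type Label struct {
	SNID uint16
	SSID ScID
}

// Rule is one Distributed Security Policy entry: context Src may reach context Dst.
// Assumption: the real DSP also records the required communication type; this
// model only decides accept or drop.
type Rule struct{ Src, Dst ScID }

// DSP is the cluster-wide rule set; every node caches an identical copy.
type DSP map[Rule]bool

// Process as the local Security Manager sees it; delegate is non-zero between
// set_delegate_sid() and reset_sid().
type Process struct {
	PID      int
	ScID     ScID
	delegate ScID
}

// Effective is the context the kernel checks: the delegated one while set.
func (p *Process) Effective() ScID {
	if p.delegate != 0 {
		return p.delegate
	}
	return p.ScID
}

// SetDelegateSID models set_delegate_sid(sock): the server takes the ScID from the
// accepted connection's label, so its next accesses are checked with the client's
// rights rather than its own. ResetSID models reset_sid().
func (p *Process) SetDelegateSID(peer Label) { p.delegate = peer.SSID }
func (p *Process) ResetSID()                 { p.delegate = 0 }

// Node is one cluster node: its ID, its cached DSP and the processes it runs.
type Node struct {
	ID    uint16
	DSP   DSP
	Procs map[int]*Process
}

// Packet is an IP packet between nodes carrying the DSI label.
type Packet struct {
	Label  Label
	DstPID int
}

// Send is the source-node side: the kernel labels the packet; no check here.
func (n *Node) Send(srcPID, dstPID int) Packet {
	return Packet{Label: Label{SNID: n.ID, SSID: n.Procs[srcPID].Effective()}, DstPID: dstPID}
}

// Receive is the target-node SID check: look up (sender ScID -> receiver ScID)
// in the local DSP copy and drop the packet on a miss.
func (n *Node) Receive(pkt Packet) (bool, string) {
	dst, ok := n.Procs[pkt.DstPID]
	if !ok {
		return false, "drop: no such process"
	}
	if n.DSP[Rule{pkt.Label.SSID, dst.ScID}] {
		return true, "accept"
	}
	return false, fmt.Sprintf("drop: ScID %d -> ScID %d not in DSP", pkt.Label.SSID, dst.ScID)
}

// Open is the same check for a local resource with its own ScID (File A, step 3).
func (n *Node) Open(pid int, fileScID ScID) bool {
	return n.DSP[Rule{n.Procs[pid].Effective(), fileScID}]
}

// examplePolicy builds two constructed virtual security zones on one cluster:
// "billing" (client 10, server 11, file 12) and "third-party" (20, 21).
// No rule crosses the zones, so a 20 -> 11 packet is dropped at the target.
func examplePolicy() DSP {
	return DSP{{10, 11}: true, {11, 12}: true, {20, 21}: true}
}

func main() {
	dsp := examplePolicy()
	n1 := &Node{ID: 1, DSP: dsp, Procs: map[int]*Process{34: {PID: 34, ScID: 10}, 99: {PID: 99, ScID: 20}}}
	n2 := &Node{ID: 2, DSP: dsp, Procs: map[int]*Process{123: {PID: 123, ScID: 11}}}
	const fileA ScID = 12
	fmt.Println(n2.Receive(n1.Send(34, 123))) // true accept
	fmt.Println(n2.Receive(n1.Send(99, 123))) // false drop: ScID 20 -> ScID 11 not in DSP
	// Delegation: while serving the client the server acts under the client's ScID
	// and cannot open File A (10 -> 12 is not in the policy); after reset_sid it can.
	srv := n2.Procs[123]
	srv.SetDelegateSID(n1.Send(34, 123).Label)
	fmt.Println("open as client:", n2.Open(123, fileA)) // false
	srv.ResetSID()
	fmt.Println("open as server:", n2.Open(123, fileA)) // true
}
```

Two points the slides leave implicit show up in the run. The label is trusted on receipt, so the scheme depends on every node's kernel being part of the trusted computing base (the initial hypothesis on page 32). And delegation in this model narrows the server's rights to the client's while it serves that client; a server that never calls set_delegate_sid keeps its own rights, so the DSP must still give the server's own ScID no more than it needs.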

Page 23:

Some facts

• Many existing security solutions:
  – External to the servers:
    • Firewalls
    • IDSs...
  – As part of the servers:
    • Integrity checks
    • Some effort to enhance security as part of the OS...
• Few efforts to make a coherent framework for enhancing security in a dedicated distributed system

Page 24:

Distributed security is hard to achieve

• Many layers to fit together: applications, middleware, OS, hardware, network
• Exposed by nature
• Heterogeneous environment, with a variety of:
  – Hardware
  – Software: OS, middleware
  – Networking technologies

Page 25:

Challenges in distributed security

• Implementing coherent distributed security
  – Many layers to fit together: applications, middleware, OS, hardware, network
  – Heterogeneous environment: a variety of hardware, software (OS, middleware) and networking technologies
• Integration of different security solutions
• System management
  – Managed manually, it is an open door to misconfigurations and inconsistencies

Page 26:

Need for a new security approach

Carrier class TSP-like server:
• Target application: soft real time
• No security policy possible based on traditional login and password
• Running for a very long time (months) under the same login without rebooting
• Fine-grained security policy based on processes
• Pre-emptive security

Traditional clusters (HPC Beowulf, load balancing LVS, ...):
• No real-time applications
• Security policy based upon logins and passwords
• Running for a short period of time (days) before each reboot
• No pre-emptive security

Page 27:

Why the need for a security framework?

• Abstracting the underlying security algorithms and mechanisms
• Reducing development time
• Minimizing the risk of creating subtle but dangerous security vulnerabilities, by reusing security-tested software
• Getting the most out of the investment in developing security mechanisms

Page 28:

Why a middleware? General trends

• Hardware: more expensive and faster
• Software: cheaper but slower

Different types of middleware:
• Infrastructure middleware
• Distribution middleware
• Common services
• Domain specific services

Page 29:

DSI must provide

• A Distributed Trusted Computing Base (TCB)
• Reduced risk, eliminating vulnerabilities through reuse of the secure middleware
• Coherent and secure software upgrade
• A standard way to express a desired security policy across all services on the server
• Easy management of security configurations
• A coherent approach to security inside the cluster
• Containment of the effects of buggy (malicious?) software and misconfigurations
• Effective use of surveillance and intrusion detection mechanisms

Page 30:

What we do vs. what we don't do

Do:
• Design and implement a coherent framework for the security needs of a cluster running a soft real-time application
• Re-use existing algorithms and protocols (COTS) as much as possible
• Adapt current technologies to fit our needs and environment (soft real time)

Do not:
• Invent new algorithms or new protocols for cryptography, authentication or anything else

Page 31:

Access control approach on cluster computing

• Current security approach in cluster computing:
  – Generally based on user privileges (login, password)
  – Life time: a session of several hours
  – Scope: limited range of operations according to the application's nature
• Our target application:
  – One user only
  – Life time: months if not years
  – Scope: wide range of operations, from upgrading software to managing information in the database

[Figure: two nodes, Node 43674 and Node 8956, each with its own Security Manager. Process 123 on one node sends an "Access Request?" to Process 456 on the other; there is no security check on Process 123, but there is one on Process 456.]

Page 32:

Initial Hypothesis

• Secure boot provides us with a Distributed Trusted Computing Base (DTCB)
• The kernel at secure boot is small enough to be thoroughly vulnerability tested
• Digital signatures and a local certification authority protect the DTCB from malicious modifications
• DSI security mechanisms are enforced at kernel level and cannot be bypassed
• The whole software and hardware configuration is under tight control

These are trust assumptions, not guarantees: the security ID labels and checks live in the kernel, so a kernel compromise on one node lets that node forge labels and bypass the cluster-wide checks.

Page 33:

DSI inside a node: Service Discovery

[Figure: layered view of one node. User level: the User Application Process with dsisecstub, calling the Sec API. DSI Middleware: the Security Manager (Access Control, Authentication, Monitoring, Secure O&M), the Security Broker, the DSI Security Provider (Authentication, Encryption/Decryption), a Log Analyzer, and the Security Server's SecServices (Key Management, Policy Management, Certification Authority). Kernel level: the DSI Kernel Mechanisms behind a kernel-side Sec API, with the Network below.]

Page 34:

Functionality

• Security management
• Access control
• Authentication: verifies that principals are who they claim to be
• Auditing: provides a record of security-relevant events and allows monitoring of subjects in the system
• Confidentiality and integrity for communications

Page 35:

Distributed Security Policy (DSP)

• Expresses one coherent security vision (security policy) throughout the whole cluster
• Local security policy:
  – Initially integrated into the secure boot software
  – Maintained and updated by the security server through the security broker
• Based on domain enforcement
• Delegation
• Defines the communication type between processes: secure, not secure, authenticated, encrypted...

Page 36:

Distributed Security Policy (2)

• Policy rules control:
  – Access control
  – Authentication and integrity for intra- and extra-server communications: whether they are needed and by what means
• Policy management points (PMP): in each node, caching the DSP locally
• Policy enforcement: done by the kernel, scattered through the different system calls
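The update path described on this slide and the previous one (and on the DSP Update slide, page 13) is what the digital signatures and local certification authority listed under the initial hypothesis (page 32) have to protect. The Go program that follows is an added example, not DSI's protocol: it assumes the security server signs each DSP version with an Ed25519 key whose public half every node received at secure boot (standing in for the slides' local CA), and that a node's policy management point accepts an update only when the signature verifies over a canonical encoding and the version is strictly newer than the one cached. The type names, the encoding and the sample rules are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// PolicyRule is one DSP entry: security context Src may access context Dst.
type PolicyRule struct{ Src, Dst uint32 }

// SignedPolicy is what the Security Server hands to the Security Broker:
// the rules, a strictly increasing version, and a signature over both.
type SignedPolicy struct {
	Version uint64
	Rules   []PolicyRule
	Sig     []byte
}

// canonical serialises version and rules deterministically (sorted rules), so
// signer and verifier sign and check exactly the same bytes.
func canonical(version uint64, rules []PolicyRule) []byte {
	sorted := append([]PolicyRule(nil), rules...)
	sort.Slice(sorted, func(i, j int) bool {
		if sorted[i].Src != sorted[j].Src {
			return sorted[i].Src < sorted[j].Src
		}
		return sorted[i].Dst < sorted[j].Dst
	})
	var b strings.Builder
	fmt.Fprintf(&b, "dsp v%d\n", version)
	for _, r := range sorted {
		fmt.Fprintf(&b, "%d->%d\n", r.Src, r.Dst)
	}
	return []byte(b.String())
}

// SecurityServer owns the signing key. Assumption: the matching public key was
// installed on every node by secure boot, standing in for the slides' local CA.
type SecurityServer struct{ priv ed25519.PrivateKey }

// Publish signs a new policy version for distribution through the broker.
func (s *SecurityServer) Publish(version uint64, rules []PolicyRule) SignedPolicy {
	return SignedPolicy{Version: version, Rules: rules, Sig: ed25519.Sign(s.priv, canonical(version, rules))}
}

// PolicyCache is a node's policy management point: the locally cached DSP.
type PolicyCache struct {
	trusted ed25519.PublicKey
	version uint64
	allow   map[PolicyRule]bool
}

var (
	ErrBadSignature = errors.New("dsp update: signature does not verify")
	ErrRollback     = errors.New("dsp update: version not newer than cached policy")
)

// Apply is the Security Manager's acceptance check for an update received via
// the broker: verify the signature first, then refuse any version that is not
// strictly newer, so a captured older (more permissive) policy cannot be replayed.
// A rejected update leaves the cached policy untouched.
func (c *PolicyCache) Apply(p SignedPolicy) error {
	if !ed25519.Verify(c.trusted, canonical(p.Version, p.Rules), p.Sig) {
		return ErrBadSignature
	}
	if p.Version <= c.version {
		return ErrRollback
	}
	allow := make(map[PolicyRule]bool, len(p.Rules))
	for _, r := range p.Rules {
		allow[r] = true
	}
	c.version, c.allow = p.Version, allow
	return nil
}

// Allowed is the lookup the kernel-side access check consults.
func (c *PolicyCache) Allowed(src, dst uint32) bool { return c.allow[PolicyRule{src, dst}] }

// NewCluster generates the server key pair and a node that trusts its public key.
func NewCluster() (*SecurityServer, *PolicyCache) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SecurityServer{priv: priv}, &PolicyCache{trusted: pub}
}

func main() {
	server, node := NewCluster()
	v1 := server.Publish(1, []PolicyRule{{10, 11}, {10, 12}}) // constructed: permissive first policy
	v2 := server.Publish(2, []PolicyRule{{10, 11}})          // tightened: 10 -> 12 revoked
	fmt.Println("v1:", node.Apply(v1), "10->12 allowed:", node.Allowed(10, 12)) // <nil> true
	fmt.Println("v2:", node.Apply(v2), "10->12 allowed:", node.Allowed(10, 12)) // <nil> false
	fmt.Println("replay v1:", node.Apply(v1))                                    // rollback error
	forged := v2 // an intranet attacker edits the rules in transit, keeping the old signature
	forged.Version, forged.Rules = 3, []PolicyRule{{10, 11}, {10, 12}}
	fmt.Println("tampered:", node.Apply(forged), "10->12 allowed:", node.Allowed(10, 12)) // bad signature false
}
```

Checking the version only after the signature matters: the replayed v1 in the run is rejected as a rollback, and an update whose rules were edited in transit is rejected on the signature before its version is even read, so the node's cached policy is never replaced by anything the security server did not sign.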

Page 37:

Security Services

[Figure: the Security Manager fronts the per-node services: Access Control Service (AC), Authentication Service (AS), Integrity Service (IS), Monitoring Service (MS) and Key Management. The Sec Policy, Sec Context and a Sec Contexts Repository sit alongside Access Control; Key Management has a Key Repository.]

Page 38:

Why?

• Change in the market: all-IP networks
• Increasing number of attacks via the Internet
  – About 4,000 denial-of-service attacks every week (University of California, San Diego researchers, June 2001)
  – 2001 Computer Crime and Security Survey: organizations reporting attacks via the Internet increased from 38 percent in the 1996 survey to 70 percent in 2001
• Huge demand for security
  – Companies will spend 4 percent of their revenues on information security in 2011, up from 0.4 percent at the time of the forecast (Gartner)
• There is little security support, as a coherent solution, in distributed applications developed for clustered servers