Add to collection(s) Add to saved
  1. Business

The Semantic Firewall EPSRC Pilot Projects Meeting 26 March 2004 NESC

advertisement 
The Semantic Firewall
EPSRC Pilot Projects Meeting
26 March 2004
NESC
Overview
•
•
•
•
•
Project goals
Motivation
Approach
Current status
Next steps
The Semantic Firewall
• Started Oct’03
– 24 months duration, 42 person-months effort
• Project team:
– Mike Surridge, Darren Marvin, Steve Taylor (IT
Innovation)
– Terry Payne, Ron Ashri (IAM, Southampton)
– support from NEC and U.Sheffield
• Goals
– investigate an “adaptive” perimeter defence for
Grids
– evaluate against test cases from EC GEMSS
Damn Those Pesky Firewalls
Permitted Access
to Restricted Services
Managed Server
Resources
FIREWALL
Permitted Grid Access
New
Vulnerability
User Managed
Workstations
More Trouble with Firewalls
Service Tunnel
GSI Delegation and Trust
Proxy
Proxy
Process
Process
Proxy
Proxy
Process
Process
The Grid “Arms Race”
• Sysadmins (rightly) wish to retain control
– firewalls block P2P/Grid connections with other sites
• Users (rightly) wish to get on with their work
– develop sneaky ways around the firewalls
– tunnelling over HTTP, SSH, etc
• Sysadmins close the tunnels
– preventing crackers hopping on board
– but reducing functionality of the network
• Result:
– applications/grids may stop working within a year
– everyone wastes time and effort
The Semantic Firewall
Project Tasks
• WP1:M01-06: Semantic representations
– overall requirements analysis
– evaluation and selection of ontology and standards
• WP2:M01-12: Platform design and implementation
– service-oriented message-routing gateway
– basic authentication and access control mechanisms
• WP3:M07-18: Semantic reasoning features
– integrating adaptive reasoning into base platform
– investigating adaptive/negotiated access control
• WP4:M19-24: Evaluation
– using real-world application from U.Sheffield
– contributed by EC GEMSS (Medical Simulation)
Motivating Scenario
Grid Client
Grid Compute
Service
(1b) Request Run
Job
HTTPS / SOAP
HTTPS / SOAP
(3) Run Job
(4) Notify Client
Output Available
AP
SO
TP
AP
HT
SO
TP
S/
Semantic Firewall authorises
requests initiated from outside
the client site based on the
combination of sys admin policy
and process definition
S/
HT
(1a) Open
Authorisation to
Data
(2) Get Input
Data
Semantic Firewall uses
a process-based
authorisation
to identify valid
incoming messages
Traditional
Firewall
Semantic
Firewall
Data Service
System Design
• Inputs:
SFW Knowledge Base
SFW Reasoner
Site policies
Service descriptions
Application workflows
Policy conflict detection
Workflow analysis
Message interpretation
– site policies
– service descriptions
– application workflows
• Reasoner:
– detects conflicts
– derives access rules
• Communications:
SFW Administration
Static configuration
Logging system
Administration GUI
SFW Communications
Event handling
Message enforcement
– enforces access rules
– uses PBAC approach
• Administration:
– configuration and logging
– network admin GUI
Process Based Access Control
• Dynamic approach to Grid authorisation
–
–
–
–
applied at service provider on a “per-site” basis
controls access to resources (cf WS-RF)
access rights managed by authenticated clients
actions constrained by allowed processes
• Process-based access control
– does not use mapping to local user id
– does not use centralised authorisation services
– need not use role-based access control
• Process semantics are core to security
Semantic Representations
• Focused on process-oriented languages
– for expression of workflows
– for expression of domain policies
• Several candidate languages investigated
–
–
–
–
DAML-S process model
BPEL4WS workflow language
ebXML business process models
WS-Choreography
• Preliminary conclusions:
– platform should use WS-Security and WS-Policy
– service models are likely to use DAML-S
– no decision yet on application workflows
Current Status
• Semantics investigation almost complete
– still investigating WS-Choreography
• Platform design almost complete
– reusing existing security components
• Dissemination started
– paper at AAAI Symposium 2004
– website up (just) and discussion list open
• SFW is attracting considerable interest
– Grit Denker @ SRI and Jeff Bradshaw @ IHMC
– growing industrial interest and input
Next Steps
• Finish selection of process representations
• Implement base platform
– PBAC and WS-Security infrastructure
– administration interfaces
• Introduce semantics technology
– policy conflict detection
– derivation of low-level PBAC rules
• Evaluation (in 2005)
• Continue to expand the community of interest
– scenarios especially welcome!
Related documents
Semantic Feature Analysis
Semantic Feature Analysis
Semantic Feature Analysis Description
Semantic Feature Analysis Description
Guide to Firewalls and Network Security
Guide to Firewalls and Network Security
Background: The Grid Arms Race Project Goals:
Background: The Grid Arms Race Project Goals:
Ernesto Jimenez Ruiz, Bernardo Cuenca Grau, Ian Horrocks and
Ernesto Jimenez Ruiz, Bernardo Cuenca Grau, Ian Horrocks and
PowerPoint Presentation - Reading and Writing as Tools for Social
PowerPoint Presentation - Reading and Writing as Tools for Social
Semantic Feature Analysis
Semantic Feature Analysis
Palo Alto Networks offers a full line of purpose
Palo Alto Networks offers a full line of purpose
Download
advertisement