A platform for enforcing multiple access control policies in grid computing environments
Abstract
A coherent access control service for grid computing environments must combine multiple policies, allowing administrators, sites and users to define the rules and mechanisms that protect their resources. This work proposes a flexible access control platform for Java applications in grid computing environments that supports the management, enforcement and integration of multiple security policies and mechanisms. To demonstrate the capabilities of the proposed system, an operational test was carried out in which two policies were managed and enforced in an integrated way: one that couples access control to a local IDS, and another focused on the principle of least privilege.