A platform for enforcing multiple access control policies in grid computing environments
Abstract
A coherent access control service for a Grid environment must combine multiple policies, allowing administrators, sites and users to define specific rules to protect their resources. This paper proposes a flexible, Java-based access control framework for Grid environments that supports the management, enforcement and integration of multiple policies and existing security mechanisms. To demonstrate the framework's capabilities, an operational test was deployed to manage and enforce two policies: one based on the least privilege principle, and a second that integrates the access control service with an IDS security system.
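The following is an added example, not code from the paper or its framework, showing how a Java access control service can combine the two kinds of policy the abstract names: a least privilege policy that permits only the actions explicitly granted to a job, and an IDS integration policy that denies any subject with an open alert. The policies are combined with deny-overrides and the service fails closed when no policy permits the request. All class names, the policy interface, and the sample job and resource names are assumptions made for this example; the IDS feed is modelled as a constructed set of alerted subjects rather than a real IDMEF source.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added example (not the paper's code): a minimal multi-policy access control
// service in the spirit of the framework the abstract describes. All names and
// sample data are assumptions.
public class MultiPolicyAccessControl {

    // Decision a policy can return. NOT_APPLICABLE leaves the outcome to other policies.
    enum Decision { PERMIT, DENY, NOT_APPLICABLE }

    // An access request: which subject wants to perform which action on which resource.
    record Request(String subject, String action, String resource) {}

    // A policy is any rule source: a site administrator, a resource owner, or an
    // external security mechanism such as an IDS.
    interface Policy {
        String name();
        Decision evaluate(Request req);
    }

    // Policy 1 (least privilege): a job may only perform the actions explicitly
    // declared for it; anything not declared is denied.
    static final class LeastPrivilegePolicy implements Policy {
        private final Map<String, Set<String>> grants = new HashMap<>();

        LeastPrivilegePolicy grant(String subject, String action, String resource) {
            grants.computeIfAbsent(subject, k -> new HashSet<>()).add(action + ":" + resource);
            return this;
        }

        public String name() { return "least-privilege"; }

        public Decision evaluate(Request req) {
            Set<String> allowed = grants.getOrDefault(req.subject(), Set.of());
            return allowed.contains(req.action() + ":" + req.resource())
                    ? Decision.PERMIT : Decision.DENY;
        }
    }

    // Policy 2 (IDS integration): subjects flagged by the intrusion detection
    // system lose access until the alert is cleared. The IDS feed is modelled as
    // a mutable set of alerted subjects supplied by the caller (constructed here).
    static final class IdsAlertPolicy implements Policy {
        private final Set<String> alertedSubjects;

        IdsAlertPolicy(Set<String> alertedSubjects) { this.alertedSubjects = alertedSubjects; }

        public String name() { return "ids-alert"; }

        public Decision evaluate(Request req) {
            return alertedSubjects.contains(req.subject())
                    ? Decision.DENY : Decision.NOT_APPLICABLE;
        }
    }

    // The access control service evaluates every registered policy and combines
    // the results with deny-overrides, the safe default when mixing rule sources.
    static final class AccessControlService {
        private final List<Policy> policies = new ArrayList<>();

        AccessControlService register(Policy p) { policies.add(p); return this; }

        Decision decide(Request req) {
            boolean permitted = false;
            for (Policy p : policies) {
                Decision d = p.evaluate(req);
                if (d == Decision.DENY) {
                    System.out.printf("DENY %s by policy %s%n", req, p.name());
                    return Decision.DENY;
                }
                if (d == Decision.PERMIT) permitted = true;
            }
            // No policy explicitly permitted the request: fail closed.
            return permitted ? Decision.PERMIT : Decision.DENY;
        }
    }

    public static void main(String[] args) {
        LeastPrivilegePolicy lp = new LeastPrivilegePolicy()
                .grant("job-42", "read", "/data/input")
                .grant("job-42", "write", "/scratch/job-42");

        // Constructed IDS state: job-17 has an open alert, job-42 does not.
        Set<String> alerted = new HashSet<>(Set.of("job-17"));
        AccessControlService acs = new AccessControlService()
                .register(lp)
                .register(new IdsAlertPolicy(alerted));

        System.out.println(acs.decide(new Request("job-42", "read", "/data/input")));
        System.out.println(acs.decide(new Request("job-42", "write", "/data/input")));

        // Simulate an IDS alert arriving for job-42: its access is revoked immediately.
        alerted.add("job-42");
        System.out.println(acs.decide(new Request("job-42", "read", "/data/input")));
    }
}
```

The service treats the IDS as just another policy source, so an alert can revoke a running job's access without changing the least privilege grants; because the combination is deny-overrides and the default is deny, adding a policy can only narrow what a job may do, never widen it. Requires Java 16 or later for the record syntax.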
