3. SAVI Clearinghouse
• Clearinghouse is a system that brokers trust between C&M
plane and resources. It is the only component that every
entity in SAVI TB fully trusts.
• Components
• AAA (Authentication, Authorization, Accounting)
• Intrusion Detection network
• Incident Handling
4. Identity Manager Tasks
• Identity establishment: Distinguishes users
• Authentication: verifies identity claim
• Authorization: permits user’s request
• Accounting: keeps track of usage
• Federation: extends resources
• Complementary duties
• Service Catalog: lists available services
• Service Discovery: keeps up with the latest changes
11. Keystone (January 2011)
• Password Authentication
• Token Validation
• Simple rule-based access control
• Middleware to OpenStack components
12. Token
[Diagram: token flow. Request → Authenticated → Request for Service; Verification → Verified → Response from the service.]
13. Middleware
[Diagram: Auth Token and EC2 Token middleware in front of the service (Request for SWIFT), validating the token against Keystone.]
Cons
• Need network to verify
• Keystone becomes a chokepoint
• Is the UUID random?
14. How original Keystone meets SAVI requirements
• Authentication
+ Password-based
• Strong authentication
• Authorization
+ Simple Match (either admin or not)
• RBAC
• ABAC
• Accounting
• Service Discovery
+ Simple Service Catalog
• Service Information
• Service Registry
• Federation (OAUTH, OpenID, SAML)
15. Goals
1. Integration of Keystone with SAVI TB C&M (VANI)
2. Deploying Central Keystone
3. Implementing fine-grained access control
4. Federation with other testbeds
16. Goal (1): SAVI C&M Integration
• Writing middleware to connect the SAVI control service to
Keystone (Wilson project)
• Writing a client library to enable users to use Keystone as
identity provider (Griffin project)
17. Wilson
• A Java middleware that connects SAVI in-house developed components
(Cheetah, HW) to Keystone
[Diagram: SAVI Control Service (Cheetah) → Wilson → Keystone]
• Now, Cheetah does authorization and authentication through Wilson
• https://github.com/savi-dev/wilson
18. Griffin
• Java clients can use Griffin to use Keystone as their IdM
• https://github.com/savi-dev/griffin
• Tasks:
• Authentication & Authorization
• Tenant Management
• User Management
• Service Management
20. Goal (2): Central Keystone
• Clean up Keystone source code
• Implementing Central Keystone (devstack project)
• Adding concept of domain to Keystone
• Restructure role API calls to be specific to (user, project) or
(user, domain)
• Offline Token validation
• Generalized credentials associated with a user/project combo
(ec2, pki, ssh keys, etc)
• Bidirectional Authentication
21. Domain
• A group of projects
• Domains are administratively independent
• A user can have a role in a domain or in a project
• Each domain has its own intrusion detection mechanism
22. Offline Token verification
• PKI signed tokens
• Cryptographically signed text
• Cryptographic Message Syntax (CMS, as used by S/MIME)
• Content of “Verify”
• Signed with Keystone Private Key
• Verified using
• Openssl
• Public certificate
• Can also be verified using HTTP
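The slide above describes the mechanism but not the check itself. The following is an added example, not Keystone's or SAVI's code: it emulates the PKI token scheme by signing a constructed JSON token body with the openssl CLI's CMS implementation (the same flags Keystone used: PEM output, content attached, signer certificate and signed attributes omitted) and then validates it offline, with nothing but the public certificate. It assumes the `openssl` binary is on PATH; the certificate subject names, file names, token fields and the `expires` value are constructed placeholders. The expiry check is included because once a service stops asking Keystone, a good signature alone says nothing about whether the token is still current.

```python
"""Added example, not Keystone's or SAVI's code: emulate Keystone's PKI
(CMS-signed) tokens with the openssl CLI and validate one offline.

Assumptions: the `openssl` binary is on PATH; the token body, subject names,
file names and the `expires` field are constructed placeholders."""
import json
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional, Tuple

OPENSSL = "openssl"

# Flags Keystone used for its PKI tokens: PEM encoding, content attached
# (-nodetach), signer certificate and signed attributes omitted (-nocerts -noattr).
CMS_FLAGS = ["-nosmimecap", "-nodetach", "-nocerts", "-noattr"]


def make_signing_cert(workdir: Path, name: str) -> Tuple[Path, Path]:
    """Self-signed key/cert pair standing in for Keystone's signing certificate."""
    key, cert = workdir / f"{name}_key.pem", workdir / f"{name}_cert.pem"
    subprocess.run(
        [OPENSSL, "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={name}-demo", "-keyout", str(key), "-out", str(cert)],
        check=True, capture_output=True)
    return key, cert


def sign_token(body: bytes, key: Path, cert: Path) -> bytes:
    """Sign the token body with the issuer's private key (Keystone's side)."""
    done = subprocess.run(
        [OPENSSL, "cms", "-sign", "-signer", str(cert), "-inkey", str(key),
         "-outform", "PEM", *CMS_FLAGS],
        input=body, check=True, capture_output=True)
    return done.stdout


def verify_signature(signed: bytes, cert: Path) -> Optional[bytes]:
    """Offline check: needs only the public certificate, no call to Keystone.
    Returns the recovered body, or None if the signature is bad or the signer
    is not the trusted certificate."""
    done = subprocess.run(
        [OPENSSL, "cms", "-verify", "-inform", "PEM", *CMS_FLAGS,
         "-certfile", str(cert), "-CAfile", str(cert)],
        input=signed, capture_output=True)
    return done.stdout if done.returncode == 0 else None


def validate_token(signed: bytes, cert: Path, now: datetime) -> Optional[dict]:
    """Signature check plus the expiry check the relying service must now do
    itself. Returns the token dict, or None if it is not acceptable."""
    body = verify_signature(signed, cert)
    if body is None:
        return None
    token = json.loads(body)
    expires = datetime.fromisoformat(token["expires"].replace("Z", "+00:00"))
    return token if now < expires else None


def demo() -> dict:
    """Sign a constructed token and exercise the good, wrong-cert and expired cases."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        ks_key, ks_cert = make_signing_cert(work, "keystone")
        _, other_cert = make_signing_cert(work, "unrelated")
        fresh = json.dumps({"id": "placeholder-token-id", "user": "demo-user",
                            "roles": ["member"],
                            "expires": "2099-01-01T00:00:00Z"}).encode()
        stale = fresh.replace(b"2099", b"2000")          # same body, already expired
        now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # fixed clock for the demo
        return {
            "genuine": validate_token(sign_token(fresh, ks_key, ks_cert), ks_cert, now) is not None,
            "wrong_cert": validate_token(sign_token(fresh, ks_key, ks_cert), other_cert, now) is not None,
            "expired": validate_token(sign_token(stale, ks_key, ks_cert), ks_cert, now) is not None,
            "body_intact": verify_signature(sign_token(fresh, ks_key, ks_cert), ks_cert) == fresh,
        }


if __name__ == "__main__":
    print(demo())
```

Verification binds to the certificate, not to network reachability: the token signed by the "keystone" key is rejected when the relying service trusts a different certificate, and an expired token is rejected even though its signature is perfectly valid.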
29. Constraint RBAC
• Resources are different
• A user may have access to one resource id but not to others,
although they are of the same type
• Actions may be limited
• Admins can write stored procedures
30. Attribute Based Access Control (ABAC) – Attributes Defined
• Subject Attributes
• Related to a subject (e.g. user, application, process) that define
the identity and characteristics of the subject
• E.g. identifier, name, job title, role
• Resource Attributes
• Associated with a resource (web service, system function, or
data)
• E.g. Dublin Core metadata elements
• Environment Attributes
• Describes the operational, technical, or situational environment
or context in which the information access occurs
• E.g. current date time, current threat level, network security
classification
31. ABAC Policy Formulation
1. $S$, $R$, and $E$ are subjects, resources, and environments, respectively;
2. $SA_k$ ($1 \le k \le K$), $RA_m$ ($1 \le m \le M$), and $EA_n$ ($1 \le n \le N$) are the pre-defined
attributes for subjects, resources, and environments, respectively;
3. $ATTR(s)$, $ATTR(r)$, and $ATTR(e)$ are attribute assignment relations for
subject $s$, resource $r$, and environment $e$, respectively:
$ATTR(s) \subseteq SA_1 \times SA_2 \times \dots \times SA_K$
$ATTR(r) \subseteq RA_1 \times RA_2 \times \dots \times RA_M$
$ATTR(e) \subseteq EA_1 \times EA_2 \times \dots \times EA_N$
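An added example, not SAVI's code, showing how the three attribute assignment relations above are evaluated in practice, and how the per-resource-id restriction from slide 29 (Constraint RBAC) fits the same model: each policy rule is a predicate over ATTR(s), ATTR(r) and ATTR(e), the requested action travels as an environment attribute, the decision is deny by default, and a rule that references an attribute the request lacks never permits. All attribute names, rule names and sample values are hypothetical.

```python
"""Added example, not SAVI's code: a deny-by-default ABAC evaluator over the
attribute assignment relations ATTR(s), ATTR(r) and ATTR(e).
All attribute names, rule names and sample values are hypothetical."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Attrs = Dict[str, Any]                      # one attribute assignment, e.g. ATTR(s)
Predicate = Callable[[Attrs, Attrs, Attrs], bool]


@dataclass(frozen=True)
class Rule:
    """A policy rule is a boolean function of (ATTR(s), ATTR(r), ATTR(e))."""
    name: str
    permit: Predicate


class AbacPolicy:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def decide(self, subject: Attrs, resource: Attrs, env: Attrs) -> str:
        """Return the name of the first permitting rule, or 'deny'.
        A rule that references an attribute the request lacks never permits."""
        for rule in self.rules:
            try:
                if rule.permit(subject, resource, env):
                    return rule.name
            except KeyError:
                continue
        return "deny"


# The requested operation travels as the environment attribute 'action'.
RULES = [
    # Role is just one subject attribute; it is combined with the resource's domain.
    Rule("domain-admin",
         lambda s, r, e: "admin" in s["roles"] and s["domain"] == r["domain"]),
    # Project members may operate on their own project's resources, but only
    # for a limited action set and not while the environment is on high alert.
    Rule("project-member-own-resource",
         lambda s, r, e: "member" in s["roles"] and s["project"] == r["project"]
         and e["action"] in {"read", "start", "stop"} and e["threat_level"] != "high"),
    # Constraint RBAC: access to one specific resource id, read-only, while
    # other resources of the same type stay out of reach.
    Rule("explicit-resource-grant",
         lambda s, r, e: r["id"] in s["granted_resource_ids"] and e["action"] == "read"),
]
POLICY = AbacPolicy(RULES)


def sample_decisions() -> Dict[str, str]:
    """Constructed subjects, resources and environments exercising each rule."""
    alice = {"name": "alice", "roles": ["member"], "project": "p1", "domain": "d1",
             "granted_resource_ids": ["vm-42"]}
    bob = {"name": "bob", "roles": ["admin"], "project": "p9", "domain": "d2",
           "granted_resource_ids": []}
    vm7 = {"id": "vm-7", "type": "vm", "project": "p1", "domain": "d1"}
    vm42 = {"id": "vm-42", "type": "vm", "project": "p3", "domain": "d1"}
    vm99 = {"id": "vm-99", "type": "vm", "project": "p9", "domain": "d2"}
    calm, alert = {"threat_level": "low"}, {"threat_level": "high"}
    return {
        "alice_stop_own_vm": POLICY.decide(alice, vm7, {**calm, "action": "stop"}),
        "alice_stop_own_vm_high_threat": POLICY.decide(alice, vm7, {**alert, "action": "stop"}),
        "alice_read_granted_vm": POLICY.decide(alice, vm42, {**calm, "action": "read"}),
        "alice_stop_granted_vm": POLICY.decide(alice, vm42, {**calm, "action": "stop"}),
        "bob_delete_own_domain_vm": POLICY.decide(bob, vm99, {**calm, "action": "delete"}),
        "bob_stop_other_domain_vm": POLICY.decide(bob, vm7, {**calm, "action": "stop"}),
        "missing_env_attribute": POLICY.decide(alice, vm7, {"action": "stop"}),
    }


if __name__ == "__main__":
    for case, outcome in sample_decisions().items():
        print(f"{case}: {outcome}")
```

The last case is the one worth noticing: when the environment does not carry `threat_level`, the member rule cannot be evaluated and is skipped rather than treated as satisfied, so the request is denied. Attribute sources (identity provider, service catalog, environment sensors) that go silent therefore fail closed.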
32. ABAC in SAVI
[Diagram: ABAC in SAVI. Elements shown: Researcher (web / SOAP message), Control Service APIs, Edge Node resources, Trust Anchor, Service Catalog, Access Control (Beacon), Policy Admin. / Policy Unit, Identity Provider, Attribute Services & Policy; attribute sources labelled SA, RA and EA; request steps numbered 1–3.]
33. Goal (4): Federation
• Aspects
• Authentication
• Authorization
• Federation allows
• Users of different Smart Edges to work together
• SAVI to serve other testbeds' users
• SAVI researchers to use other testbeds
34. Authentication Interoperability
Security Assertion Markup Language - SAML
[Diagram: SAML domain model. A System Entity makes an Application Request to the Policy Enforcement Point; a Credentials Collector, Authentication Authority, Attribute Authority and Policy Decision Point, each governed by policy, issue Authentication Assertions, Attribute Assertions and Authorization Decision Assertions.]
Source: OASIS SAML Standard
35. Authorization Interoperability
eXtensible Access Control Markup Language – XACML
[Diagram: a Policy Server in SAVI distributing XACML policies (XML) to the Federation Layer, Virtualization, OpenFlow Switch and Firewall elements.]
• Policy server distributes policy changes to all network elements using XACML
36. SAVI Federation Architecture
[Diagram: SAVI Federation Oversight node with Trust Anchor (Keystone), Domain Admin, Service Accounting and Repository; Users 1–3; SAVI Core node and SAVI Edge node (Beacon); Testbed Identity Providers; Remote Datacenters.]
37. Other components …
• Clearinghouse has two more components
• Intrusion Detection Network
• Incident Handling module
38. Intrusion Detection Network
[Diagram: per-domain agents observe resource traffic and exchange policy and data with "Brain" nodes (swarm intelligence); the Brains report status and policy upward for situational awareness to a "Sergeant", which receives policy and guidance from a human.]
39. Incident Types
• Malicious code attacks
• Unauthorized access
• Attempted intrusion
• Reconnaissance
• System compromise/intrusion
• Loss of, theft of or missing assets, data, etc.
• Disruption of service
• Unauthorized use / Misuse
• Infraction of Policy
• Illegal activity
• Espionage
• Hoaxes (False Information)