Three Design Patterns for Secure Distributed Systems Alan H. Karp Kevin Smathers Hewlett-Packard Laboratories.

Slides:



Advertisements
Similar presentations
Pharos Uniprint 8.3.
Advertisements

The Challenges of CORBA Security It is important to understand that [CORBAsecurity] is only a (powerful) security toolbox and not the solution to all security.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
CSCI 530 Lab Firewalls. Overview Firewalls Capabilities Limitations What are we limiting with a firewall? General Network Security Strategies Packet Filtering.
Securing the Broker Pattern Patrick Morrison 12/08/2005.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
6/4/2015National Digital Certification Agency1 Security Engineering and PKI Applications in Modern Enterprises Mohamed HAMDI National.
Notes to the presenter. I would like to thank Jim Waldo, Jon Bostrom, and Dennis Govoni. They helped me put this presentation together for the field.
Security Awareness: Applying Practical Security in Your World
Tools and Services for the Long Term Preservation and Access of Digital Archives Joseph JaJa, Mike Smorul, and Sangchul Song Institute for Advanced Computer.
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
Introduction To Windows NT ® Server And Internet Information Server.
Lesson 10 – SECURING YOUR NETWORK Security devices Internal security External security Viruses and other malicious software OVERVIEW.
A Survey on Interfaces to Network Security
Understanding Active Directory
Computer Security Tran, Van Hoai Department of Systems & Networking Faculty of Computer Science & Engineering HCMC University of Technology.
Clinic Security and Policy Enforcement in Windows Server 2008.
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
Securing Windows 7 Lesson 10. Objectives Understand authentication and authorization Configure password policies Secure Windows 7 using the Action Center.
CS 4720 Security CS 4720 – Web & Mobile Systems. CS 4720 The Traditional Security Model The Firewall Approach “Keep the good guys in and the bad guys.
Common Devices Used In Computer Networks
Microsoft Active Directory(AD) A presentation by Robert, Jasmine, Val and Scott IMT546 December 11, 2004.
October 15, 2002Serguei A. Mokhov, 1 Intro to Internet-services from Security Standpoint SOEN321-Information-Systems Security Revision.
Lecture 23 Internet Authentication Applications modified from slides of Lawrie Brown.
GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.
SAMANVITHA RAMAYANAM 18 TH FEBRUARY 2010 CPE 691 LAYERED APPLICATION.
Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,
CPT 123 Internet Skills Class Notes Internet Security Session A.
Lecture 10 Single Sign-On systems. What is Single Sign-on? Lets users authenticate themselves once and access different applications without re-authentication.
1 Vigil : Enforcing Security in Ubiquitous Environments Authors : Lalana Kagal, Jeffrey Undercoffer, Anupam Joshi, Tim Finin Presented by : Amit Choudhri.
Chapter 1 Overview The NIST Computer Security Handbook defines the term Computer Security as:
Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.
SOA-39: Securing Your SOA Francois Martel Principal Solution Engineer Mitigating Security Risks of a De-coupled Infrastructure.
NT SECURITY Introduction Security features of an operating system revolve around the principles of “Availability,” “Integrity,” and Confidentiality. For.
Virtual Workspaces Kate Keahey Argonne National Laboratory.
NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.
Windows Role-Based Access Control Longhorn Update
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 1 “Overview”. © 2016 Pearson.
Chapter2 Networking Fundamentals
Legion - A Grid OS. Object Model Everything is object Core objects - processing resource– host object - stable storage - vault object - definition of.
Chapter 3 - VLANs. VLANs Logical grouping of devices or users Configuration done at switch via software Not standardized – proprietary software from vendor.
Lecture 18 Page 1 CS 111 Online OS Use of Access Control Operating systems often use both ACLs and capabilities – Sometimes for the same resource E.g.,
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Connecting to the Network Introduction to Networking Concepts.
Security Patterns for Web Services 02/03/05 Nelly A. Delessy.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Copyright © Clifford Neuman - UNIVERSITY OF SOUTHERN CALIFORNIA - INFORMATION SCIENCES INSTITUTE September Integrating Policy with Applications.
Chapter 40 Network Security (Access Control, Encryption, Firewalls)
1 Chapter 13: RADIUS in Remote Access Designs Designs That Include RADIUS Essential RADIUS Design Concepts Data Protection in RADIUS Designs RADIUS Design.
GRID ANATOMY Advanced Computing Concepts – Dr. Emmanuel Pilli.
1 Active Directory Service in Windows 2000 Li Yang SID: November 2000.
IPS Infrastructure Technological Overview of Work Done.
Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.
Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK
Computer Networks.  Which is the best definition of a circuit switched network?  An electric circuit where the connections get switched based on who.
What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Kerberos is a three-headed dog Available as open source or in supported.
Identity and Access Management
CONNECTING TO THE INTERNET
Middleware Policies for Intrusion Tolerance
Processes The most important processes used in Web-based systems and their internal organization.
Chapter 3: Windows7 Part 4.
Security in Networking
Done BY: Zainab Sulaiman AL-Mandhari Under Supervisor: Dr.Tarek
NAAS 2.0 Features and Enhancements
SAMANVITHA RAMAYANAM 18TH FEBRUARY 2010 CPE 691
SOFTWARE DEVELOPMENT LIFE CYCLE
Preventing Privilege Escalation
Presentation transcript:

Three Design Patterns for Secure Distributed Systems Alan H. Karp Kevin Smathers Hewlett-Packard Laboratories

Secure Distributed Systems The Eight Fallacies of Distributed Computing The network is reliable Latency is zero Bandwidth is infinite The network is secure Topology doesn't change There is one administrator Transport cost is zero The network is homogeneous Peter Deutsch

Secure Distributed Systems Aspects of Security Not Covered Physical security – Has the hardware or software been corrupted? – Is someone reading my keystrokes? – Is my private key safe from a sledgehammer? Authentication – Who am I talking to? Authorization – How do I decide what this party is allowed to do? Non-repudiation – Can I pretend I never made this deal? Privacy – Can someone I don’t know about see this thing?

Secure Distributed Systems Aspects of Security Covered Anonymity – Who can know I’ve seen this thing? Auditing – How do I know who did what to whom when? Access control – Should I honor this request? Denial of service – Can my machine be rendered unusable?

Secure Distributed Systems Modest scale Relatively static Trusted remote systems Reasonably homogeneous Little sharing across domains Assumptions  Extremely large scale  Wildly dynamic  Malicious remote systems  Heterogeneity rules the day  Be all and end all

Secure Distributed Systems Patterns Separate authorization from access control – Enhances scalability – Eases crossing administrative boundaries Mediate between requester and service – Enforces audit policies – Simplifies access control decisions Use a local proxy for remote users – Improves control over remote parties – Prevents some attacks – Limits damage done when attack succeeds

Secure Distributed Systems What These Patterns Can’t Help Attacks against underlying OS Attacks against network stack Many attacks against the application Many denial of service attacks Misplaced trust Social engineering Careless users

Secure Distributed Systems Separate Authorization From Access Control Pattern 1

Secure Distributed Systems Existing Systems User Service Request + Credentials Service User

Secure Distributed Systems The Sad Tale of Zebra Copy Mom and Pop copy center Contract with HP – 2,000 HP employees with right to order jobs – HP told Zebra Copy when an HP employee changed jobs – Zebra copy updated its list Problem – HP has over 10,000 such partners – Zebra copy had over 500 such contracts Zebra copy now out of business

Secure Distributed Systems Problems User needs credential per service – different types of credentials – different rules for use – too many passwords Every service needs to do – authentication – authorization – access control Too many updates Authentication doesn’t tell what service needs to know

Secure Distributed Systems Access Pattern Access Rule Service Authorizer Service Access Rule User Credentials Access Rights Request + Rights Request + Rights

Secure Distributed Systems Zebra Copy Done Better HP and Zebra Copy reach agreement – Zebra Copy gives HP a token representing contract – Order honored if accompanied by valid token Zebra Copy responsibilities – Verify token validity – Revoke and re-issue when asked by HP HP responsibilities – Delegate token properly – Revoke privilege when people change jobs – Pay for any use involving a valid token – Ask for replacement token when necessary

Secure Distributed Systems Benefits Service only needs simple access control mechanisms An access right can be meaningful to one service Rules can be registered by third party Each company manages its own employees Admits multiple management schemes for one service Can add new service, types of access, etc. without affecting management mechanisms Can add new management mechanisms without affecting services

Secure Distributed Systems Mediate between Client and Service Pattern 2

Secure Distributed Systems Existing Systems ServiceUser Locator Find Register Use

Secure Distributed Systems The Jini Jive Designed for sharing of resources in trusted workgroup – Promised access control within a year – Still doesn’t have it (some talk about ACLs but no details) System structure is the problem – Look up the service by interface – Invoke service directly Control points – JavaSpace only knows interface, not specifics of service – Service is a printer Do you really want to do authentication, authorization, and access control in every device?

Secure Distributed Systems Problems Each service needs to – authenticate users – make authorization decisions – produce audit trail – protect against malicious or erroneous users Common library linked with service – guaranteeing proper use – rolling forward versions

Secure Distributed Systems Mediation Pattern Service User Mediator Locator RegisterFind Use

Secure Distributed Systems Mediation Pattern ServiceUser Mediator Register Find Use Locator

Secure Distributed Systems Benefits Mediator provides – trusted path – additional metadata – mutual anonymity – audit information Service and client don’t have to trust each other directly – turns N*M problem into N+M Mediator can translate authorization information into a form meaningful to service Mediator can verify protocol adherence

Secure Distributed Systems Use a Service-side Proxy for Remote Users Pattern 3

Secure Distributed Systems Existing Systems ServiceUser Locator Register Find Use User Use Locator Register Find

Secure Distributed Systems Web Server Woes Clients talk directly with server – denial of service attacks hard to prevent Server has more privileges than any client – confused deputy a possibility – successful attack can give client all server privileges No place to enforce system policies

Secure Distributed Systems Problems Every service subject to a variety of network attacks Successful attack can do anything service can do Crashing server cuts off all users Service must – deal with authentication, authorization, access control – enforce machine-specific policies

Secure Distributed Systems Proxy Pattern ServiceUser Proxy User Proxy User

Secure Distributed Systems Use a Proxy for Remote Users ServiceUser Proxy User

Secure Distributed Systems Benefits Crashing proxy cuts off attacker Protection domain of remote user under local control Proxy can be dumb and repeat requests verbatim Proxy can be smart and filter requests Smarts added to proxy implementation protect all services

Secure Distributed Systems Example of Use

Secure Distributed Systems E-speak E-xplained First attempt at a web services infrastructure – Alpha 1.0 – May 1999 – Beta 2.2 – December 1999 – Release 1.0 – June 2000 Fully integrated platform – Naming, discovery, security, manageability Several novel features – Access control with capabilities – Extensible ontology system – Path dependent naming – Powerful event system Abandoned in May 2001

Secure Distributed Systems Single Machine View MonitorNamingPermissionRouter Repository Service User Protection Domain Service Provider Protection Domain Event Distributor Host OS = Core

Secure Distributed Systems Using a Remote Resource

Secure Distributed Systems Key Features Service sees only local requests Client makes only local requests Core sees only local requests Only proxies know about the wire Brokering comes for free Secure firewall traversal for messages Events are messages

Secure Distributed Systems Design Principles Separation of responsibility – Authorities determined when protection domain attached – Access control independent of authorization mechanism – Only components that talk on the wire know about the wire Separation of control – Each machine sets own policy via proxy protection domains – Different mechanisms for authentication and access control Limit damage done by a successful attack – Limited permissions of proxies – Mediator can filter some bad requests – Strong and rapid revocation

Secure Distributed Systems Summary

Secure Distributed Systems Fundamental Idea Design patterns – useful in object oriented coding – no reason they won’t help in distributed systems Propose using three patterns – separate authorization from access control – mediate between client and service – use a local proxy for remote users Others – connection manager – your favorite here

Secure Distributed Systems A Definition A distributed system is one in which a component I never heard of can make my computer unusable. Leslie Lamport

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.