AF SOA IIB Pilot Security Approach & Lessons Learned

Transcription

Cryptologic Systems Group
“Securing the Global Information Grid (GIG)”
AF SOA IIB Pilot Security Approach & Lessons Learned
Michael Leonard, CPSG/NI
May 21, 2009
Unclassified

Slide 2: Overview
- IIB / SMI-ELS Background
- Federation & WS-Trust Security Flows
- IIB Configuration
- Resources for Service Developers
- Lessons Learned
- IIB Challenges

Slide 3: SMI-ELS Vision
The SMI-ELS vision is to support Warfighter mission assurance by providing access to mission-critical information through secure, trusted sharing mechanisms that protect the integrity of the information from its creation to its utilization by the Warfighter.
SMI-ELS will accomplish this mission assurance through the implementation of the two components of SMI-ELS: the Singularly Managed Infrastructure and the Enterprise Level Security.

Slide 4: CPSG Support to SOA IIB Pilot
- SAF/XC driven initiative
- CPSG support focused on PKI, Identity Federation and Security Token Services
- Accomplishments & Ongoing Activities
  - Supported AF SOA IIB Spiral 1&2 activity managed by 554th ELSW
  - Supporting IIB extended pilot security and performance/load testing
  - Supported installation & configuration of Identity Federation and Security Token Service (STS) capabilities in Surrogate Forest, Pods A & B at DISA DECC in San Antonio and Pod C at DISA DECC in Montgomery
  - Supporting standup of future installs in AFNET (Scott AFB APC) & on SIPRNET
  - Supported interoperability demonstrations between PingFederate (IIB Federation Server) and the IBM and Oracle Identity Federation products
  - Supporting GCSS-AF and AF SOA IIB Identity Federation effort

Slide 5: Requirements Snapshot (Spiral 1/2 of IIB Pilot)
- Common Criteria
- FIPS 140-2 HSM
- WS-Federation
- SAML 2.0 Federation
- SAML 1.1 Federation
- WS-Trust
- WS-Security
- Ability to support signed and/or encrypted SAML 2.0 assertions
- SSL/TLS
- Integration with .NET & J2EE Apps / Services
- Support user authentication to IdP via PKI, IWA or Forms based authentication
- Interoperable with DoD PKI
- Web Service client authentication via PKI
- Integration with LDAP data store / AD
- Support multi-valued attributes, and ability to prune attributes based on target application / service
- Revocation status checking via OCSP / DoD RCVS
- Support High Availability
- Support expected Enterprise Load through clustering / load balancing

Slide 6: End-to-End Security (diagram, source: IBM)
Recoverable content of the diagram: a Service Invoker (client application) and a Service Implementation (service implementation code) communicate across an UNTRUSTED NETWORK through a protocol stack of Application / SOAP / HTTP / TLS-SSL / TCP. Web Services Security (Authentication, Integrity, Confidentiality, Non-Repudiation, Access Control (SAML)) applies at the message layer between the two applications; SSL provides integrity (MAC) on the transport hop between the client application and the SSL endpoint (SSL processor or HTTP service) in front of the service implementation code.

Slide 7: IdP-initiated SSO: POST (diagram, source: Ping Identity, Inc.)
Recoverable content of the diagram: Enclave A holds the Identity Provider (IdP, the “Asserting Party”) federation server with its data source(s); Enclave B holds the Service Provider (SP, the “Relying Party”) federation server with its data source(s). Labelled steps: request with redirect to the SSO URL; SAML Response in HTML form (SAML assertion POSTed to the SP federation server, with the target URL carried in the HTTP POST); redirect with target URL; access target resource.

Slide 8: WS-Trust Security Token Service (STS)
- STS implements Federated Identity concepts
  - Attribute Contracts
  - Attribute Retrieval
  - Subject, Attribute and Role Mapping
(Diagram, source: Ping Identity, Inc.)

Slide 9: IIB Configuration (diagram only)

Slide 10: Resources for Application / Service Developers
- Caveat – Pilot not Production – product selection for Federation Server/STS TBD
- PingFederate SSO Integration ?csModule security/getfile&pageid 14006
- SP Integration Kits: Java, .NET, PHP, CA SiteMinder, OAM, IIS, Apache, WebLogic, WebSphere, SAP NetWeaver, Salesforce.com, Citrix, SharePoint
- SDK for WS-Trust
  - Used to support MDE and DRS Service Developers
  - WS-Trust Issue & Validate
- IIB Developers Guidance
  - Includes sample services, source code, sample COI products, instructions for how to realize COI products as runtime objects, requirements for registering users and services in AD and in the MDE, and test definitions that services are expected to pass.

Slide 11: Lessons Learned
- Use of a robust SOA testing tool (or tools) during development / deployment is extremely helpful
  - IIB team has experience with both ITKO LISA and LoadRunner
  - Useful for troubleshooting, optimization, load / performance testing, even monitoring
- Testing in a standalone lab environment is a good start – but evaluation in a more representative production environment is key
- ELS comes at a price - performance
  - Federation, TLS & Message Layer Security
  - As we move forward – tradeoffs may be required
  - Examples:
    - If we implement message layer signatures/encryption, or use WS-SecureConversation – do we also need TLS on top of that?
    - Do all Services require the same security measures?
    - Is PKI based authentication of all Active Entities achievable (or warranted) in ALL cases?
- Caching can really improve performance
  - SAML tokens issued by the STS are valid for more than one use
  - SAML tokens issued by the STS are cached by Web Service Clients until expiration
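The token-caching lesson above, as an added illustration that is not code from the pilot or from PingFederate: a requester-side cache that reuses an STS-issued SAML 2.0 assertion, keyed by subject and target service, until its Conditions window is about to close, with a clock-skew margin so a token is never reused past NotOnOrAfter. The assertion layout, the `fake_sts` stand-in, the skew constants and the time values are constructed assumptions; a real client would also verify the STS signature before trusting the token.

```python
import time
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
CLOCK_SKEW = 60      # assumed tolerance (seconds) for drift between requester and STS clocks
MIN_REMAINING = 30   # do not reuse a token that would expire during the service call

def assertion_window(assertion_xml):
    """Return (NotBefore, NotOnOrAfter) from saml:Conditions as epoch seconds."""
    cond = ET.fromstring(assertion_xml).find(f"{{{SAML_NS}}}Conditions")
    if cond is None:
        raise ValueError("assertion has no Conditions element; refusing to cache")

    def ts(attr):
        value = cond.get(attr)
        return datetime.fromisoformat(value.replace("Z", "+00:00")).timestamp() if value else None

    return ts("NotBefore"), ts("NotOnOrAfter")

class TokenCache:
    def __init__(self, issue_fn, now_fn=time.time):
        self._issue = issue_fn   # (subject, applies_to) -> assertion XML from a WS-Trust Issue
        self._now = now_fn
        self._tokens = {}        # (subject, applies_to) -> (xml, not_before, not_on_or_after)
        self.sts_calls = 0       # round trips to the STS, to measure the caching benefit

    def get(self, subject, applies_to):
        now = self._now()
        entry = self._tokens.get((subject, applies_to))
        if entry and entry[1] - CLOCK_SKEW <= now < entry[2] - MIN_REMAINING:
            return entry[0]                      # still inside the validity window: reuse it
        xml = self._issue(subject, applies_to)   # otherwise go back to the STS for a new token
        self.sts_calls += 1
        not_before, not_on_or_after = assertion_window(xml)
        if not_on_or_after is None:
            raise ValueError("token has no NotOnOrAfter; refusing to cache an unbounded token")
        self._tokens[(subject, applies_to)] = (xml, not_before or 0.0, not_on_or_after)
        return xml

def fake_sts(subject, applies_to, now, lifetime=300):
    """Constructed stand-in for an STS Issue response (unsigned; a real STS signs it)."""
    fmt = lambda t: datetime.fromtimestamp(t, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<Assertion xmlns="{SAML_NS}" ID="_constructed" Version="2.0">'
            f'<Subject><NameID>{subject}</NameID></Subject>'
            f'<Conditions NotBefore="{fmt(now)}" NotOnOrAfter="{fmt(now + lifetime)}">'
            f'<AudienceRestriction><Audience>{applies_to}</Audience></AudienceRestriction>'
            f'</Conditions></Assertion>')
```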

Slide 12: Lessons Learned (cont.)
- Standards are critical for interoperability – and they really do work
  - Demonstrated Federation interoperability between PingFederate and the IBM & Oracle Identity Federation products, using SAML 2.0 IdP-Initiated SSO with both POST and Artifact bindings
- State of practice & current technologies limit achievement of the long-term ELS vision
  - Example – no SOAP / WS-* from a standard web browser
  - No clean solution for Constrained Delegation with SAML (capability similar to Kerberos Constrained Delegation (KCD))
  - Many app servers can’t consume SAML 2.0 tokens directly
  - Federation Servers – no common token format (examples: OpenToken with PingFederate, OBSSO cookie with Oracle, HTTP headers with IBM TFIM)
- Common Criteria challenges for small companies with a rapid development / release schedule

Slide 13: IIB Continuing Challenges
- Chained authentication & authorization
- Extending security to the browser – true end-to-end
- Auditing across the Service chain
- Authorization strategy (ABAC, GBAC, etc.) – one size may not fit all
- Where is the Policy Enforcement Point – at the service?
- Performance and Scalability with an undefined number of requestors (may grow rapidly)
- Delegation of authorizations
- Monitoring of the system – requestor to provider across all layers of the stack
- Acceptance criteria (testing and certification) before a service is released for use
- Federating with multiple types of security environments
