Re: [AG-TECH] AG security and multicast ?

[Bob Riddle <bdr@internet2.edu>]

You might want to take a look at what inSORS does with their venues, 
where the "room" can be assigned a "key" you need to unlock the door.

Gavin W. Burris aka 86 wrote:
> I think allowing anyone into a secure meeting until you "lock the
> door" is a poor security model.  No need to lock the door and be
> worried about who you have already let in, because it is really not
> that user unfriendly to have an attendee list and add them to a secure
> room with the GUI server administration tool.  If you don't do
> security properly, it is just another hoop someone has to jump through
> to get what you don't want them to have.
>
> Derek Piper wrote (on Mon, 11 Apr 2005 at 08:28):
>
> > 	Something I've been asked about that's security related is about having 
> > the ability to 'lock' a room from within the venue client, akin to 
> > having a closed and locked door for a real conference room. Then, if the 
> > room were set up to encrypt the traffic and people couldn't just 
> > 'jump-in' it might make private meetings more attractive to those that 
> > have a need for it. Sure you can set up a room with allowing certain 
> > certificates, but that's cumbersome to have to do on a per-meeting basis 
> > if all you want is something like a bunch of 'conference rooms'. Having 
> > to have an operator tailor a room to a particular meeting isn't a very 
> > user-friendly way of doing it.
> > 	I asked a while ago on the list of a good way to do that and the 
> > response was it'd be something I'd have to do myself. If enough people 
> > think it's a feature they want, maybe we can convince the AG software 
> > writers/maintainers to add functionality?
> >
> > 	Derek
> >
> >
> > Gavin W. Burris aka 86 wrote:
> >
> > > Here are two good resources:
> > > http://multicasttech.com/
> > > http://multicast.internet2.edu/
> > >
> > > I get asked about security more and more now.  People are concerned that
> > > their research will be broadcast to anyone with a multicast-enabled
> > > network.  VIC and RAT do offer encryption keys, and that is an option
> > > to enable with AGTk venue servers.  Rooms can have access based on
> > > your globus certificates, too.  And AGTK uses SSL for its
> > > client/server connections.
> > >
> > >
> > > Would it be feasible to route multicast though a VPN for very secure
> > > meetings?  Say, run a VPN server on the same machine that the venue
> > > server is on, have clients connect their VPN client to it, and then
> > > fire up AG over the encrypted tunnel?
> > >
> > >
> > >
> > > Dioselin Gonzalez wrote (on Wed, 6 Apr 2005 at 09:05):
> > >
> > >
> > > > Hello everybody,
> > > >
> > > > As part of our distance learning project, we need in-depth technical 
> > > > information about security mechanisms and multicast allocation in the 
> > > > AG.  Are there any documents or papers about this?
> > > >
> > > > The team will be doing low-level implementation, so we need  hard-core 
> > > > documentation for techies :o)
> > > >
> > > > Thanks,
> > > >
> > > > Dio.-
> > --
> > Derek Piper - dcpiper@indiana.edu - (812) 856 0111
> > IRI 323, School of Informatics
> > Indiana University, Bloomington, Indiana
--
Bob Riddle (bdr@internet2.edu)    Technologist,Internet2
1000 Oakbrook, Suite 300          Ann Arbor, Michigan  48108
Business Phone: 734.913.4257      Fax Number:  734.913.4255

"An expert is a man who has made all the mistakes that can be made 
in a very narrow field."  Niels Bohr