Challenges of Securing a Petascale Cluster

Christian Servin
The University of Texas at El Paso, Computational Sciences Program
christians@miners.utep.edu
Mentor: Irfan Elahi

Project Overview
- Security Challenges in Clusters
- Security Baseline/Requirements
- Case Study: TeraGrid
- Proposed Security Model
- Implementation, Analysis, and Testing

Challenges in Large Clusters vs Other Environments
Clusters:
- Diverse User Community
- Data Sharing
- High Performance Computing
- Different File Systems

Computer Security
- Confidentiality
- Integrity
- Usability

Objective
Identify the security challenges of securing large open-science HPC supercomputers as compared with stand-alone servers, and provide a security design that strikes the perfect balance between security and usability.
[Image: An Ancient Fortress on an Island, www.englishrussia.com]

Stand-alone vs Cluster
- High Bandwidth Connections
- Extensive Computational Power
- Massive Storage Capacity
- Firewall Between Nodes
- Storage Trust (Implicit Trust)
- Limited Encryption

Security Layers to Consider
[Figure: layers labelled External Network, Internal Network and Host (node). An attacker and other attacks on the external network face the supercomputer (cluster): gateway nodes (Login, IO), then the internal network with Master, Service and Compute nodes. Dragon image: www.historicfibers.com]

Case Study: TeraGrid
Host
- Cluster Configuration Management
- Unnecessary Services
- Protect Shared File System
Network
- Prevent IP address spoofing
- Prevent source routing
- Block services that cannot be access controlled at host level

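An added example, not part of the original slides: one way to check a node's settings file against the "prevent IP address spoofing" and "prevent source routing" items above. It assumes Linux sysctl keys as the mechanism (the slides name none); the baseline values, function names and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides. Assumed baseline (Linux sysctl keys):
# strict reverse-path filtering on, source-routed packets refused.
BASELINE='net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.accept_source_route=0'

# sample_conf: constructed settings file, not taken from a real host.
sample_conf() {
    cat <<'EOF'
# constructed sample
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.all.accept_source_route = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
EOF
}

# effective_value FILE KEY: print the last value assigned to KEY (last wins).
effective_value() {
    awk -F= -v key="$2" '
        /^[ \t]*[#;]/ { next }
        { k = $1; v = $2; gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
          if (k == key) val = v }
        END { if (val != "") print val }' "$1"
}

# audit_sysctl FILE: one line per baseline key; status = number of deviations.
audit_sysctl() {
    failures=0
    for entry in $BASELINE; do
        key=${entry%%=*}; want=${entry#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $key=$got"
        else
            echo "FAIL  $key=${got:-unset} (baseline: $want)"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

tmp=$(mktemp); sample_conf > "$tmp"
audit_sysctl "$tmp" || echo "$? setting(s) deviate from the baseline"
rm -f "$tmp"
```
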
Case Study: TeraGrid (2)
Auditing
- Have Monitoring and Events Detection
- Have Centralized logs
- Have Process Accounting

Installation and Configuration Experiments
- Configured a Cluster of Five Nodes
- Configured the network on a Local Area Network (LAN)
- Installed Ubuntu Server
- Security Model was Implemented, Analyzed and Tested

Experiment Configuration
[Figure: the experiment nodes, labelled Intruder, Master/Login, Service, Compute, Compute]

Security Model
Configuration
- Network Configuration
- Operating System Setup
- Scheduler
- File System
Monitoring Tools
- Monitoring System logs
- Intrusion Detection System
Decision Maker
- Fuzzy Logic Decision Engine
- Interval Computation
- Multi Criteria Decision Making

Personal Challenges
- OS Server Installation
- Linux novice
- Networking
- Network File System
- Services configuration

Summary
- Identify unique challenges of securing large HPC clusters
- Study the TeraGrid security baseline
- Provide a secure architecture
- Built a cluster with 5 nodes
- Implemented, analyzed, and tested on cluster

Future Work
- Establish benchmarks for a security and usability setup environment.
- Incorporate uncertainty models based on monitored records

Other SIParCS Achievements
- Participated in the CSG Summer Workshop
- Participated in and observed the Bluefire upgrade
- Attended various vendor conference calls and meetings
- Observed and learned from day-to-day SSG activities

Special Thanks

Questions
Thank you for your attention
Christian Servin
cservin@ucar.edu
http://www.cs.utep.edu/christians/