Grid Computing Security: A Survey


Basappa B. Kodada, Shiva Kumar K. M.
Dept. of CSE, Canara Engineering College, Mangalore
basappabk@gmail.com, shivakumarforu@rediffmail.com

Proc. of the International Conference on Advanced Computing and Communication Technologies (ACCT 2011). Copyright 2011 RG Education Society. ISBN: 978-981-08-7932-7

Abstract - This paper provides a survey of security in the computational grid environment. A computational grid is a collection of heterogeneous computers and resources spread across multiple administrative domains, with the intent of giving users easy access to those resources. There may be many ways to access the resources of a computational grid, each with security requirements for both the resource user and the resource provider. Many security issues in the grid computing environment are mentioned in [4]. The main goal of this paper is therefore to provide information about security and security issues in the grid computing environment; it also analyzes the security problems existing in grid computing systems and describes the security mechanisms in grid computing systems.

Key Words: Grid Security, Grid Protocols, SOAP

1. Introduction

With the development of application requirements for high-performance computing, it has become impossible to solve super-large-scale problems using a single high-performance computer or a single computer cluster. It is therefore necessary to connect distributed, heterogeneous high-performance computers, computer clusters, large-scale database servers and large-scale file servers with a high-speed interconnection network and to integrate them into a transparent virtual high-performance computing environment. This environment is named a Grid Computing System. Grid computing is a collection of cluster head nodes used to spread resources across multiple domains, or to share resources among many computers, in order to solve large-scale problems [5-7]. Computational grids are motivated by the desire to share processing resources among many organizations to solve large-scale problems [2, 3]. Very often, a grid is used for executing a large number of jobs at dispersed resource sites. Each site executes not only local jobs but also jobs submitted from remote sites. Thus, job outsourcing has become a major trend in grid computing [1]. Executing a job or providing any service from the grid portal therefore becomes a major source of security issues and vulnerabilities in grid computing.

Vulnerability is a flaw or weakness in a system's design, implementation, or operation that could be exploited to violate the system's security policy.
Exploit is a way to take advantage of a specific software vulnerability.
Threat is a violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm.
Attack is an assault on system security that derives from an intelligent threat.
Incident is the result of a successful attack.

The rest of the paper is organized as follows. Section 2 describes the grid computing environment, Section 3 explains security in the grid computing environment, Section 4 covers the security issues in the grid computing environment and gives information about security holes in the grid, Section 5 covers the XML protocol threats/attacks that arise in the grid environment while providing services from it, and Section 6 gives the conclusion of this paper.

2. Grid Computing Environment

Grids are usually heterogeneous networks. Grid nodes, generally individual computers, consist of different hardware and software in terms of resources. These resources are used by various parties and form the system as an aggregation of resources for a particular task, i.e. a virtual organization. Grid computing uses networked clusters of CPUs connected over the Internet. The resulting network of CPUs acts as a foundation for a set of grid-enabling software tools. These tools let the grid accept a large computing job and break it down into tens, hundreds or thousands of independent tasks. The tools search the available resources, assign tasks to processors, aggregate the work and produce one final result. Whenever a user submits a job from a grid client, the cluster head gets the available resource information from one of the shared resource computers or computing nodes and then distributes the batch of jobs among the computing nodes connected to it, as shown in Figure 1. The figure shows a simple grid environment in which a number of CPU (cluster) resources and data resources connected to the grid share their resources.

Figure 1: Architecture of Grid Environment

Grid computing consists of a number of components [8], as shown in Figure 2. A brief description of these components follows.

Portal/User Interface: A grid user should not see all of the complexities of the computing grid. From this perspective, the user sees the grid as a virtual computing resource, just as a consumer of electrical power sees an outlet as an interface to a virtual generator.

Security: The grid environment provides security, including authentication, authorization, and so on. The Grid Security Infrastructure (GSI) component of the Globus Toolkit provides robust security mechanisms. GSI includes an OpenSSL implementation. It provides a single sign-on mechanism, so that once a user is authenticated, a proxy certificate is created and used when performing actions within the grid.

Broker: Once authenticated, the user will be launching an application. Based on the application, and possibly on other parameters provided by the user, the next step is to identify the available and appropriate resources to use within the grid. This task can be carried out by a broker function.

Scheduler: Once the resources have been identified, the next logical step is to schedule the individual jobs to run on them. If a set of stand-alone jobs is to be executed with no interdependencies, then a specialized scheduler may not be required. However, if you want to reserve a specific resource or ensure that different jobs within the application run concurrently, then a job scheduler should be used to coordinate the execution of the jobs. The Globus Toolkit does not include such a scheduler, but several schedulers are available that have been tested with and can be used in a Globus grid environment, such as OpenPBS (Portable Batch System), Torque and SGE (Sun Grid Engine).

Data Management: If any data, including application modules, must be moved or made accessible to the nodes where an application's jobs will execute, then there needs to be a secure and reliable method for moving files and data to the various nodes within the grid. The Globus Toolkit contains a data management component, Grid Access to Secondary Storage (GASS), and facilities such as GridFTP.

Job and Resource Management: The Grid Resource Allocation Manager (GRAM) provides the services to launch a job on particular resources, check its status, and retrieve its results when it is complete.

Figure 2: Grid component architecture (GRAM)

3. Security in Grid Computing System

The grid provides security services such as authentication and authorization, delegation services, GSI (Grid Security Infrastructure) and so on. Internet security provides two kinds of security services: an access control service, which protects resources from being used by unauthorized users and prevents their abuse by authorized users; and a secure communication service, which provides mutual authentication and message protection, such as message integrity and confidentiality. Based on an analysis of GSI, [9, 10] present a five-layered security architecture, shown in Figure 3. This security architecture is a good schema for grid research because of its scalability and its ability to adapt to a dynamic system environment.

Figure 3: Security architecture of the Grid computing system

In Figure 3, the extra grid security layers are the Grid Security Basic Layer and the Grid Security Protocol Layer. The Grid Security Basic Layer [10] provides the user and resource mapping policy, including general mapping rules. In this layer, the grid computing system is abstracted into elements such as objects, subjects, security policies, trust domains, operations, authorization, etc. The security of the grid computing system can then be regarded as the relationships among these basic elements, which gives an effective way to realize restrictive authorization of users. The Grid Security Protocol Layer [10] defines seven protocols based on grid computing resource management. These protocols are listed in Table 1.

Table 1: Protocols at the Grid Security Protocol Layer

Name                                        Representation
User Proxy Creation Protocol                User: how to create a user proxy
Resource Proxy Creation Protocol            System: how to create a resource proxy
User Proxy's Resource Application Protocol  User proxy: how to apply for resources
Process's Resource Application Protocol     Process: how to apply for resources
Process's Signature Application Protocol    How to sign the process's certificate
Broker Creation Protocol                    System: how to create a broker
Broker Service Protocol                     Broker: how to allot resources in a coordinated way

The security components of the Globus Toolkit 4 are described below.

WS authentication and authorization: Globus Toolkit 4 enables message-level security and transport-level security for SOAP (Simple Object Access Protocol) communication of Web services. It also provides an Authorization Framework for container-level authorization.

Pre-WS authentication and authorization: Pre-WS authentication and authorization consists of APIs and tools for authentication, authorization, and certificate management.

Community Authorization Service (CAS): CAS provides access control to virtual organizations. The CAS server grants fine-grained permissions on subsets of resources to members of the community. CAS authorization is currently not available for Web services, but it is supported by the GridFTP server.

Delegation service: The Delegation service enables delegation of credentials between various services on one host. It allows a single delegated credential to be used by many services. This service also has a credential renewal interface and is capable of extending the validity period of credentials.

SimpleCA: SimpleCA is a simplified Certificate Authority. This package has fully functioning CA features for a PKI environment.

MyProxy: MyProxy is responsible for storing X.509 proxy credentials, protecting them with a pass phrase, and providing an interface for retrieving the proxy credential. MyProxy acts as a repository of credentials and is often used by Web portal applications.

GSI-OpenSSH: GSI-OpenSSH is a modified version of the OpenSSH client and server that adds support for GSI authentication. GSI-OpenSSH can be used to create a shell on a remote system to run shell scripts or to interactively issue shell commands, and it also permits the transfer of files between systems without prompting for a password and user ID. Nevertheless, a valid proxy must first be created using the grid-proxy-init command.

4. Grid Security Issues

Grid security issues can be divided into three main categories: architecture-related issues, infrastructure-related issues, and management-related issues.

Architecture Related Issues: These issues address concerns about the architecture of the grid. Users of the grid are concerned about the data processed by the grid, and hence there is a requirement to protect data confidentiality and integrity, as well as to authenticate users. We categorize these requirements under information security. Similarly, resource-level authorization is a critical requirement for grid systems. Finally, there are issues where users of the grid system may be denied the service of the grid or the Quality of Service (QoS) is violated.

Infrastructure Related Issues: These issues relate to the network and host components which constitute the grid infrastructure. Host-level security issues are those that make a host apprehensive about affiliating itself with the grid system. The main sub-issues here are data protection, job starvation, and host availability. A grid involves running alien code on the host system; therefore, the host can be apprehensive about the part of the system which contains important data. Similarly, a host can also be concerned about the jobs that are running locally: external jobs should not reduce the priority of the local jobs and thereby lead to job starvation. Finally, if the host is a server, it can be concerned about its own availability, and there should be mechanisms to prevent the system from going down and denying service to the clients attached to the host.

Management Related Issues: The third set of issues relates to the management of the grid. Managing credentials is more important in grid systems because of the heterogeneous nature of the grid infrastructure and applications. Like any distributed system, managing trust is also critical and comes under management-related issues. Grid systems require some amount of resource monitoring for auditing purposes. Much of the information obtained from the monitoring systems is fed back to higher-level systems like intrusion detection and scheduling systems.

5. XML Protocol Threats/Attacks in Grid Environment

The SOAP (Simple Object Access Protocol) messaging infrastructure operates on top of network transport protocols and uses similar services for delivering and routing SOAP messages; it can therefore be susceptible to typical network/infrastructure-based attacks like Denial of Service (DoS), replay or man-in-the-middle attacks [4].

SOAP Flooding Attack (DoS): A hacker can issue repetitive SOAP message requests in an attempt to overload a Web service. This type of network activity will not be detected as a network intrusion because the source IP is valid, the network packet behavior is valid and the HTTP request is well formed. However, the business behavior is not legitimate and constitutes an XML-based intrusion. In the replay variant of this attack, a completely valid XML payload can be used to mount a denial of service attack.

Replay Attacks: The replay technique may be used both for DoS attacks and for a kind of man-in-the-middle attack. It can also be used to manipulate AuthN/AuthZ security tokens, to defraud the accounting system and to bypass credit limits.

Routing Detours: In a distributed Web Services environment, SOAP messages may pass through multiple intermediate systems and may be actively routed depending on resource availability at a specific location. The WS-Routing specification provides a way to direct XML traffic through a complex environment. It operates by allowing an interim station to assign routing instructions to a SOAP message/document. If one of the intermediate stations is compromised, it may be used for a man-in-the-middle attack by inserting bogus routing instructions that point a confidential document to a malicious location. From that location, it may then be possible to forward the document on to its original destination after stripping out the malicious instructions.
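The flooding, replay and routing-detour attacks above are all visible at the message layer rather than at the packet level. The following added example (not code from the paper) shows a Python checker that rejects replayed or stale messages by WS-Routing message id and wsu:Timestamp, refuses forward paths through unlisted intermediaries, and flags a source whose well-formed requests exceed a rate threshold; the endpoint, trusted relay addresses, sample envelopes and clock are constructed assumptions.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime, timezone

SOAP = "{http://schemas.xmlsoap.org/soap/envelope/}"
RP = "{http://schemas.xmlsoap.org/rp/}"   # WS-Routing header namespace
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"

FRESHNESS = 300     # seconds: a message older than this is treated as a replay
FLOOD_LIMIT = 5     # requests per source within FLOOD_WINDOW before flagging
FLOOD_WINDOW = 10   # seconds
OUR_ENDPOINT = "http://grid.example.org/jobs"                                # assumed
TRUSTED_VIAS = {"http://relay1.example.org/", "http://relay2.example.org/"}  # assumed
NOW = datetime(2011, 1, 1, 12, 0, 0, tzinfo=timezone.utc)                    # constructed clock


def parse_created(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class SoapGuard:
    """Per-service message checks; state is kept in memory for the example."""
    def __init__(self):
        self.seen = {}                  # message id -> arrival time
        self.hits = defaultdict(deque)  # source -> recent arrival times

    def check(self, envelope_xml, source, now):
        """Return a list of findings; an empty list means accept the message."""
        findings = []
        hdr = ET.fromstring(envelope_xml).find(SOAP + "Header")
        path = hdr.find(RP + "path") if hdr is not None else None
        created = hdr.findtext(f"{WSU}Timestamp/{WSU}Created") if hdr is not None else None
        mid = path.findtext(RP + "id") if path is not None else None
        if path is None or created is None or mid is None:
            findings.append("missing routing id or timestamp")
        else:
            # Replay: the timestamp must be fresh and the id must not have been seen before.
            age = (now - parse_created(created)).total_seconds()
            if age > FRESHNESS or age < -FRESHNESS:
                findings.append(f"stale timestamp ({age:.0f}s)")
            elif mid in self.seen:
                findings.append(f"replayed message id {mid}")
            else:
                self.seen[mid] = now
            # Routing detour: addressed to this service, and every forward hop is a known relay.
            if path.findtext(RP + "to") != OUR_ENDPOINT:
                findings.append("destination is not this service")
            bad = [v.text for v in path.findall(f"{RP}fwd/{RP}via") if v.text not in TRUSTED_VIAS]
            if bad:
                findings.append(f"untrusted intermediaries {bad}")
        # Flooding: each request is well formed, but the rate from one source is not legitimate.
        q = self.hits[source]
        q.append(now)
        while (now - q[0]).total_seconds() > FLOOD_WINDOW:
            q.popleft()
        if len(q) > FLOOD_LIMIT:
            findings.append(f"flood: {len(q)} requests from {source} in {FLOOD_WINDOW}s")
        return findings


def envelope(msg_id, created, to=OUR_ENDPOINT, vias=()):
    """Build a constructed SOAP envelope carrying WS-Routing and wsu:Timestamp headers."""
    via_xml = "".join(f"<m:via>{v}</m:via>" for v in vias)
    return (
        '<S:Envelope xmlns:S="http://schemas.xmlsoap.org/soap/envelope/"><S:Header>'
        '<m:path xmlns:m="http://schemas.xmlsoap.org/rp/">'
        f'<m:to>{to}</m:to><m:id>{msg_id}</m:id><m:fwd>{via_xml}</m:fwd></m:path>'
        '<wsu:Timestamp xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/'
        'oasis-200401-wss-wssecurity-utility-1.0.xsd">'
        f'<wsu:Created>{created}</wsu:Created></wsu:Timestamp>'
        '</S:Header><S:Body><submitJob/></S:Body></S:Envelope>'
    )
```

In a deployment the seen-id table and per-source counters would live in shared storage and be pruned on the freshness window, and the timestamp should be covered by the message signature so that an attacker cannot simply refresh it.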

Message Eavesdropping: Eavesdropping is possible in any network which is not completely secure. Eavesdropping can gather a wide spectrum of sensitive information that may be used later for launching an attack. Even if the SOAP message content is encrypted, a lot of information can be obtained by analyzing SOAP headers, WSDL ports, certificate chains or CA trust relations, service names and addresses, etc.

Man-in-the-middle attack: One particular case of an eavesdropping-based attack is the man-in-the-middle attack, which may target any subsystem of the target system. One specific type of attack that may ultimately be based on the man-in-the-middle method is an attack on the cryptographic system or related security services, for example private key compromise, credential theft or compromise, AuthN/AuthZ token tampering, etc.

6. Conclusion

This paper analyzes the security mechanisms present in the grid computing environment and also the security issues/problems existing in the grid computing environment. Several protocols are defined at the Grid Security Protocol Layer based on the GSI security architecture model. This paper also describes the XML protocol threats/attacks in the grid environment.

References

[1] Shanshan Song, Kai Hwang and Yu-Kwong Kwok, "Trusted Grid Computing with Security Binding and Trust Integration", Internet and Grid Computing Laboratory, University of Southern California, EEB-212, 3740 McClintock Avenue, Journal of Grid Computing (2005) 3: 53-73.
[2] F. Berman, G. Fox and T. Hey (eds.), Grid Computing: Making the Global Infrastructure a Reality. Wiley, 2003.
[3] M. Cosnard and A. Merzky, "Meta- and Grid-Computing", in Proceedings of the 8th International Euro-Par Conference, August 2002, pp. 861-862.
[4] Yuri Demchenko, White Collar Attacks on Web Services and Grids: Grid Security Threats Analysis and Grid Security Incident Data Model Definition, Draft Version 0.2, August 12, 2004.
[5] Ian Foster and Carl Kesselman, The Grid: Blueprint for a New Computing Infrastructure, Morgan Kaufmann Publishers, Inc., San Francisco, California, 1999.
[6] Ian Foster, Carl Kesselman, and Steven Tuecke, "The Anatomy of the Grid: Enabling Scalable Virtual Organizations", International Journal of Supercomputer Applications, 2001.
[7] Ian Foster, Internet Computing and the Emerging, http://www.nature.com/nature/webmatters/grid/grid.html
[8] Joshy Joseph and Craig Fellenstein, Grid Computing, Prentice Hall PTR, December 30, 2003.
[9] Ian Foster, Carl Kesselman, Gene Tsudik, and Steven Tuecke, "A Security Architecture for Computational Grids", Proc. 5th ACM Conference on Computer and Communications Security, 1998.
[10] FANG Xiangming, YANG Shoubao, GUO Leitao, ZHANG Lei, "Research on Security Architecture and Protocols of Grid Computing System", National 863 High-Tech Program of China under Grant No. 2002AA104560.