Grids and Security. Ian Neilson Grid Deployment Group CERN. TF-CSIRT London 27 Jan

Similar documents
Enabling Grids for E-sciencE. EGEE security pitch. Olle Mulmo. EGEE Chief Security Architect KTH, Sweden. INFSO-RI

30 Nov Dec Advanced School in High Performance and GRID Computing Concepts and Applications, ICTP, Trieste, Italy

DIRAC Distributed Secure Framework

Grid Services Security Vulnerability and Risk Analysis

Grid Security Policy

DIRAC distributed secure framework

Credential Management in the Grid Security Infrastructure. GlobusWorld Security Workshop January 16, 2003

EGI-InSPIRE. Security Drill Group: Security Service Challenges. Oscar Koeroo. Together with: 09/23/11 1 EGI-InSPIRE RI

Grid Computing Security hack.lu 2006 :: Security in Grid Computing :: Lisa Thalheim 1

Risk and Security Management for Distributed Supercomputing with Grids

The University of Oxford campus grid, expansion and integrating new partners. Dr. David Wallom Technical Manager

Introduction to SciTokens

High Performance Computing Course Notes Grid Computing I

Grid Security Incident Handling and Response Guide

The LHC Computing Grid

Grid Security Infrastructure

LCG User Registration & VO management

Travelling securely on the Grid to the origin of the Universe

ShibVomGSite: A Framework for Providing Username and Password Support to GridSite with Attribute based Authorization using Shibboleth and VOMS

On the employment of LCG GRID middleware

Grid Architectural Models

Security Service Challenge & Security Monitoring

Globus Toolkit Firewall Requirements. Abstract

A Roadmap for Integration of Grid Security with One-Time Passwords

Future Developments in the EU DataGrid

THEBES: THE GRID MIDDLEWARE PROJECT Project Overview, Status Report and Roadmap

Grid Computing. MCSN - N. Tonellotto - Distributed Enabling Platforms

Grid security and NREN CERTS in the Nordic Countries

The Grid: Processing the Data from the World s Largest Scientific Machine

Federated access to Grid resources

EGEE and Interoperation

Interfacing Operational Grid Security to Site Security. Eileen Berman Fermi National Accelerator Laboratory

Scientific data processing at global scale The LHC Computing Grid. fabio hernandez

Grid Challenges and Experience

Smart Grid Security. Selected Principles and Components. Tony Metke Distinguished Member of the Technical Staff

Federated Security Incident Response. Tom Barton, University of Chicago Jim Basney, NCSA Vincente Brillault, CERN Scott Koranda, LIGO

Development of new security infrastructure design principles for distributed computing systems based on open protocols

Deploying the TeraGrid PKI

Grid Computing a new tool for science

Grid-CERT Services. Modification of traditional and additional new CERT Services for Grids

Security+ SY0-501 Study Guide Table of Contents

Authentication for Virtual Organizations: From Passwords to X509, Identity Federation and GridShib BRIITE Meeting Salk Institute, La Jolla CA.

Introduction to Grid Infrastructures

SLCS and VASH Service Interoperability of Shibboleth and glite

Goal. TeraGrid. Challenges. Federated Login to TeraGrid

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Using the MyProxy Online Credential Repository

Improving Grid User's Privacy with glite Pseudonymity Service

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Grid Computing Security

Identity Management in ESA Grid on-demand Infrastructure

Grid Security Infrastructure

Andrea Sciabà CERN, Switzerland

GRIDS INTRODUCTION TO GRID INFRASTRUCTURES. Fabrizio Gagliardi

Introduction to Programming and Computing for Scientists

Grid Interoperation and Regional Collaboration

Grid Security: The Globus Perspective

CIRT: Requirements and implementation

DESY. Andreas Gellrich DESY DESY,

glite Grid Services Overview

Grid Computing Middleware. Definitions & functions Middleware components Globus glite

Troubleshooting Grid authentication from the client side

EU Policy Management Authority for Grid Authentication in e-science Charter Version 1.1. EU Grid PMA Charter

Troubleshooting Grid authentication from the client side

A Multipolicy Authorization Framework for Grid Security

A security architecture for the ALICE Grid Services

A VO-friendly, Community-based Authorization Framework

Service Level Agreement Metrics

EUROPEAN MIDDLEWARE INITIATIVE

Access the power of Grid with Eclipse

Operating the Distributed NDGF Tier-1

International Grid Trust Federation

The LHC Computing Grid. Slides mostly by: Dr Ian Bird LCG Project Leader 18 March 2008

70-742: Identity in Windows Server Course Overview

Grid Computing Fall 2005 Lecture 5: Grid Architecture and Globus. Gabrielle Allen

Balabit s Privileged Session Management and Remote Desktop Protocol Scenarios

RUSSIAN DATA INTENSIVE GRID (RDIG): CURRENT STATUS AND PERSPECTIVES TOWARD NATIONAL GRID INITIATIVE

Authorization Strategies for Virtualized Environments in Grid Computing Systems

Easy Access to Grid Infrastructures

GSI Online Credential Retrieval Requirements. Jim Basney

Juliusz Pukacki OGF25 - Grid technologies in e-health Catania, 2-6 March 2009

GLOBUS TOOLKIT SECURITY

MCSE Server Infrastructure. This Training Program prepares and enables learners to Pass Microsoft MCSE: Server Infrastructure exams

Single Sign-On Architectures. Jan De Clercq Senior Member of Technical Staff Technology Leadership Group Hewlett-Packard

Best practices and recommendations for attribute translation from federated authentication to X.509 credentials

GÉANT Community Programme

VMs at a Tier-1 site. EGEE 09, Sander Klous, Nikhef

Multiple Broker Support by Grid Portals* Extended Abstract

Grid Computing Security: A Survey

Hardware Tokens in META Centre

CIP Security Pull Model from the Implementation Standpoint

Projectplace: A Secure Project Collaboration Solution

Outline. Infrastructure and operations architecture. Operations. Services Monitoring and management tools

Grid Scheduling Architectures with Globus

ELFms industrialisation plans

e-science for High-Energy Physics in Korea

ENISA s Position on the NIS Directive

DHANALAKSHMI COLLEGE OF ENGINEERING, CHENNAI

ISTITUTO NAZIONALE DI FISICA NUCLEARE

Classification and Characterization of Core Grid Protocols for Global Grid Computing

Transcription:

Grids and Security Ian Neilson Grid Deployment Group CERN TF-CSIRT London 27 Jan 2004-1

TOC Background Grids Grid Projects Some Technical Aspects The three or four A s Some Operational Aspects Security Coordination and Incident Response Other stuff TF-CSIRT London 27 Jan 2004-2

Grids LCG LHC Computing Grid [Grids] enable the sharing, exchange, discovery, and aggregation of resources distributed across multiple OSG administrative Open domains Science... Grid - Sun Microsystems Virtual Organisations Middleware Computing Elements Job Managers Resource Brokers EGEE Enabling Grids for e-science in Europe Virtual Data Toolkit GridPP Grid Particle Physics A [VO is a] participating organization in a grid to which grid end users must be registered and authenticated in order to gain access to the grid's resources. A VO must establish resource-usage agreements with grid resource providers. Members of a VO may come from many different home institutions, may have in common only a general interest or goal (e.g., CMS physics analysis), and may communicate and coordinate their work solely through information technology (hence the term virtual). An organization like an HEP experiment can be glite regarded as one VO. A more comprehensive definition can be found at. Glossary - http://www.opensciencegrid.org/home/terminology.html Proxy Servers PPDG Particle Physics Data Grid Storage Resource Manager Globus Toolkit TF-CSIRT London 27 Jan 2004-3

LCG in one slide Computing fabric for the Large Hadron Collider experiments Operating 2007+ 95 sites 31 countries 9000 CPUs 6 TB storage http://goc.grid-support.ac.uk/gppmonworld/gppmon_maps/lcg2.html TF-CSIRT London 27 Jan 2004-4

EGEE in one slide 70 institutions in 28 countries, federated in regional clusters 32MEUR for first 2 years (plans for another 2 years) Deployment and reengineering project 50% operations & support, 25% training & appl. support, 25% reengineering TF-CSIRT London 27 Jan 2004-5

Scaling up, surely... TF-CSIRT London 27 Jan 2004-6

LCG/EGEE Security environment The players Personal data Roles Usage patterns Users Grid VOs Experiment data Access patterns Membership Resources Availability Accountability Sites TF-CSIRT London 27 Jan 2004-7

The Risks Top risks from Security Risk Analysis http://proj-lcg-security.web.cern.ch/proj-lcg-security/riskanalysis/risk.html Launch attacks on other sites Large distributed farms of machines Illegal or inappropriate distribution or sharing of data Massive distributed storage capacity Disruption by exploit of security holes Complex, heterogeneous and dynamic environment Damage caused by viruses, worms etc. Highly connected and novel infrastructure TF-CSIRT London 27 Jan 2004-8

Policy the Joint Security Group Certification Authorities Incident Response Audit Requirements Usage Rules Security & Availability Policy GOC Guides User Registration Application Development & Network Admin Guide http://cern.ch/proj-lcg-security/documents.html TF-CSIRT London 27 Jan 2004-9

The goal User VO Group of unique names Other Stakeholders Organizational role Delegation Key Material Process acting on user s behalf Delegation Policy User Attributes VO Policy Authorization Policy Architecture Standardize Policy Policy Enforcement Point Resource PKI Identity PKI/Kerberos Identity Translation Service Local Site Kerberos Identity Site/ Resource Owner Site Policy Resource Attributes Policy and attributes. Authorization Service/ PDP Allow or Deny Server TF-CSIRT London 27 Jan 2004-10

Authentication Infrastructure Users and Services own long-lived (1yr) credentials Digital certificates (X.509 PKI) European Grid Policy Management Authority is a body to establish requirements and best practices for grid identity providers to enable a common trust domain applicable to authentication of end-entities in interorganisational access to distributed resources. www.eugridpma.org covers EU (+ USA + Asia) Shared infrastructure between all EU FP6 Grid projects (and others) Establish and audit common minimum operational requirement TF-CSIRT London 27 Jan 2004-11

Authentication Issues Do trust mechanisms scale up? Lots of CAs.. Can users keep the secret? On-line certification authorities & Certificate Stores Kerberized CA MyProxy certificate store Virtual SmartCard TF-CSIRT London 27 Jan 2004-12

AAA : Authorization 1: VO-based User Registers Accepts Usage Rules Provides personal/contact data Request to join VO VO managers add to VO database Certificate Identity (DN) captured Submits job Creates short-lived proxy using long-lived certificate Proxy travels with the job jobs arrive at resource Checks certificate validity Trusted CAs and revocation lists Checks user is authorized whitelist Downloaded from Registration/VO database Maps certificate DN to a local account Runs job Currently in use by Nordugrid ARC, LCG/EGEE TF-CSIRT London 27 Jan 2004-13

AAA : Authorization 2 : VO/Role-based User Registers. As above but may be assigned a role by VO Creates proxy Contacts VO server to sign user s attributes into proxy Submits jobs Proxy travels with the job Resources authorize access Checks certificate validity Trusted CAs and revocation lists Checks user authorization from attibutes in the proxy Allows for one user, multiple VOs, and multiple roles Maps to a local account Runs job Being deployed by LCG/EGEE TF-CSIRT London 27 Jan 2004-14

AAA : Accounting Accountability Little thought given here Retention of logs at sites Dispersed information No standard formatting Debug information Usual concerns of privacy Billing By user, by VO, per site, aggregated? Need to sort out local from grid usage TF-CSIRT London 27 Jan 2004-15

So,... but scaling up securely? Diverse audience Operations, Middleware, Applications, End users Regional differences Impossible and Contradicting requirements Traceability and Anonymity tradeoffs Performance and Security tradeoffs Lucky nothing has happened so far Grid is on the hackers radar User certificates and keys are spread all over Private key file scrambled - password? File protections? Similar to the SSH key problem Proxy certs way too unrestricted Too many services operate as root VERY hard to audit what s going on. TF-CSIRT London 27 Jan 2004-16

Global Grid Forum activities Information exchange Grid Security Infrastructure (GSI) Proxy certificates (now RFC3820) CA operations recommendations Site operations recommendations Authorization Firewall issues Application domain interests... Workshop on Operational Security http://grid.ncsa.uiuc.edu/ggf12-sec-wkshp/ TF-CSIRT London 27 Jan 2004-17

Security Coordination Activities in LCG/EGEE Updates to Incident Response Agreement In collaboration with Open Science Grid To guide the development and maintenance of a common capability for handling and response to cyber security incidents on Grids. http://computing.fnal.gov/cgi-bin/docdb/osg_public/showdocument?docid=19&version=2 The capability will be established through common policies and processes, organizational structures, cross-organizational relationships, common communications methods, and a modicum of centrally-provided services and processes. Managed contacts lists Links with policy, development and deployment activities TF-CSIRT London 27 Jan 2004-18

Security Coordination Activities in LCG/EGEE Security Service Challenges Exercise response procedures in controlled manner Non-intrusive Compute resource usage trace to owner E.g. Run a job to send an email Storage resource trace to owner E.g. Run a job to store a file Disruptive Disrupt a service and map the effects on the service and grid TF-CSIRT London 27 Jan 2004-19

Operational Security Coordination Team Media/Press PR External GRID CSIRT OSCT CIC/GOC EGEE operational channels still being established. Does not have central authority over sites RC ROC TF-CSIRT London 27 Jan 2004-20

Other issues Software and standards immaturity Production quality by academia standards 80/20 rule often applied Standards either far ahead or far behind Firewalls Need to regard network connectivity as another resource TF-CSIRT London 27 Jan 2004-21

Thank You Thanks to UK PPARC for my funding in LCG Acknowledgement to Olle Mullmo who took several slides stolen from older presentations made by Steve Tuecke, Von Welch, Frank Siebenlist, and others Dave Kelsey TF-CSIRT London 27 Jan 2004-22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback