1 NPM Security
Alistair K Phipps (NeSC), a.phipps@nesc.ac.uk
JRA4 Face To Face, CERN, Geneva, 7 Feb 2005
INFSO-RI-508833 Enabling Grids for E-sciencE, www.eu-egee.org

2 Why security?
Network monitoring sites need to restrict access to their data to a known set of users, to:
–Restrict loading on services
–Protect commercially sensitive information
–Prevent release of information that could be used to attack the network

3 NPM Mediator
The NPM Mediator retrieves network monitoring information from Network Monitoring Points (NM Points) at the request of clients.
[Diagram: NM Points, each exposing an NM-WG interface: End Site (EDG WP7), Backbone (Perfmonit), End Site (home grown), Backbone (piPEs), Backbone (GN2). The JRA4 NPM Mediator queries them over NM-WG and in turn serves a Diagnostic Client at a GOC/NOC.]

4 Mediator Security
NM Points authorise users, not Mediators.
But Mediators must get access to the information returned from NM Points (for aggregation and caching), so end-to-end security between Client and NM Point cannot be used.
A security solution is needed both between Client and Mediator, and between Mediator and NM Point.
Require:
–Encryption and integrity protection of data so it cannot be read or changed en route
–Authentication of NM Point by Mediator to ensure communication is not being intercepted (man-in-the-middle attack)
–Authentication of Mediator by Client for the same reason
May desire mutual authentication for logging/audit purposes.
This security can be provided by use of X.509 certificates with an appropriate Distinguished Name for each entity involved.
Issues with appropriate CAs to be resolved, especially for NOCs that are not GOCs.

5 Client-Mediator Security
Does the Mediator check user authorisation or defer checking to NM Points?
–If authorisation is deferred to NM Points, a DoS attack on the Mediator is multiplied into a DoS attack on multiple NM Points unless requests from a particular client are throttled (DDoS issues?)
–If authorisation is done in the Mediator (as well as NM Points), is the overhead of doing this checking multiple times significant? Is the list of users different from the list accepted by the NM Points? Is some kind of user mapping needed?
Are Mediators and NM Points divided into logical domains?
–A user could have authority to access Mediators and NM Points in particular domains
–Authority granted in the form of a certificate including the user's DN and authorised domains, signed by a trusted entity (CA)
–The user provides the certificate along with the request
–The Mediator checks the client is authorised for the domain it (the Mediator) lies within, and if so passes requests on to the required NM Points, as long as they also lie within domains for which the user is authorised

6 Mediator-NM Point Security
How does the NM Point get information on user credentials?
–Are there separate user lists for the Mediator and each NM Point?
–Does the user give a time-limited proxy certificate (or equivalent) to the Mediator to allow it to act on the user's behalf when contacting NM Points?
How does discovery of NM Points operate?
–If Mediators use discovery to get information from NM Points with no prior relationship, then NM Points must allow any Mediator to connect
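The "domains" scheme from slide 5 and the time-limited credential from slide 6, worked through as an added example; this is illustrative code written for this page, not the slides' or the NPM project's own. It assumes an HMAC as a stand-in for the X.509/proxy signature, and the key, DNs, domain names, NM Point names and rate limit are all constructed for the example. The Mediator verifies the credential before anything else, checks that it covers the Mediator's own domain, throttles per client so a flood at the Mediator is not multiplied into a flood at every NM Point, and forwards only to NM Points in domains the credential covers.

```python
"""Added example: domain-scoped authorisation and per-client throttling at
an NPM Mediator (illustrative, not the project's code)."""
import hashlib
import hmac
import json
from collections import deque

ISSUER_KEY = b"example-issuer-key"  # stand-in for the trusted issuer's signing key


def issue_credential(user_dn, domains, lifetime_s, now, key=ISSUER_KEY):
    """Issuer side: bind DN, authorised domains and an expiry, then sign."""
    body = {"dn": user_dn, "domains": sorted(domains), "exp": now + lifetime_s}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"payload": payload,
            "sig": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_credential(cred, now, key=ISSUER_KEY):
    """Check the signature before trusting any field, then check expiry."""
    expected = hmac.new(key, cred["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        raise PermissionError("bad signature")
    body = json.loads(cred["payload"])
    if now >= body["exp"]:
        raise PermissionError("credential expired")
    return body


class Mediator:
    def __init__(self, domain, nm_points, max_req, window_s):
        self.domain = domain          # domain this Mediator lies within
        self.nm_points = nm_points    # NM Point name -> the domain it lies within
        self.max_req = max_req        # requests allowed per client per window
        self.window_s = window_s
        self.history = {}             # client DN -> timestamps of recent requests

    def _throttle(self, dn, now):
        recent = self.history.setdefault(dn, deque())
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()          # forget requests outside the window
        if len(recent) >= self.max_req:
            raise PermissionError("rate limit exceeded for " + dn)
        recent.append(now)

    def handle(self, cred, requested, now):
        """Return the NM Points (sorted) the request may be forwarded to."""
        body = verify_credential(cred, now)
        if self.domain not in body["domains"]:
            raise PermissionError("client not authorised for domain " + self.domain)
        self._throttle(body["dn"], now)
        return sorted(p for p in requested
                      if p in self.nm_points and self.nm_points[p] in body["domains"])


def decide(mediator, cred, requested, now):
    """Wrap handle() as ('forward', [points]) or ('denied', reason)."""
    try:
        return ("forward", mediator.handle(cred, requested, now))
    except PermissionError as e:
        return ("denied", str(e))


if __name__ == "__main__":
    # Constructed sample: one client, one Mediator in "site-a", three NM Points.
    now = 1_000_000
    cred = issue_credential("/C=UK/O=eScience/CN=alice", ["site-a", "backbone-x"], 3600, now)
    med = Mediator("site-a", {"nm1": "site-a", "nm2": "backbone-x", "nm3": "site-b"},
                   max_req=2, window_s=60)
    print(decide(med, cred, ["nm1", "nm2", "nm3"], now))      # forwards to nm1, nm2 only
    print(decide(med, cred, ["nm1"], now + 1))
    print(decide(med, cred, ["nm1"], now + 2))                 # third in window: denied
    print(decide(med, cred, ["nm1"], now + 3600))              # expired
```

Throttling is applied after the signature check, so the rate limit is keyed on an authenticated DN rather than on whatever an unauthenticated sender claims; a deployment would still want a cheaper, connection-level limit in front of it.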

7 NPM Publisher
The NPM Publisher has knowledge of a number of end-site NM Points from which data is periodically collected and published into the gLite GIS.

8 Publisher Security
Security must be maintained between:
–Publisher and the GIS, to provide reliable and secure information to gLite
–NM Points and Publisher, so that only end-site points wishing to publish information to gLite can do so
–Publisher's registry and NM Points, so only valid monitoring points can be registered to provide information to gLite

9 Publisher-GIS Security
The Publisher interacts with the GIS via standard gLite mechanisms.
Security is specified by JRA1 and need not be considered further here.

10 NM Point-Publisher Security
NM Points must verify that the Publisher is authorised to access their data.
The Publisher must be authenticated by the NM Point
–X.509 certificate with appropriate DN?
NM Points must check the Publisher's authorisation
–Publisher presents a credential signed by an entity the NM Point trusts (the NM Point operator)?
–Or the NM Point could have access to a list of authorised Publisher users (viable for EGEE as there is a small number of Publishers)

11 Publisher Registry-NM Point Security
Only valid NM Points must be inserted into the Publisher's registry.
The current registry is a static list of NM Points entered manually, so registration itself raises no security question beyond protecting that file from unauthorised modification.
Dynamic registration will require a security scheme
–Who controls the Publisher and allows additions to the registry?
–Check the NM Point will allow the Publisher access before adding it to the registry?
–What about stale entries? Automatic cleanup?
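The registry protections raised on slide 11, together with the slide-10 option of an NM Point holding a list of authorised Publisher users, as one added example; this is illustrative code written for this page, not the slides' or the NPM project's own. It assumes an HMAC as a stand-in for whatever protects the real registry file, and the key, DNs, URLs and time-to-live are constructed for the example. The static file is rejected if altered; dynamic registration is limited to named registrars and succeeds only if the candidate NM Point says it will serve this Publisher; entries not refreshed within the TTL are expired.

```python
"""Added example: integrity-checked static registry, gated dynamic
registration and stale-entry cleanup for the NPM Publisher (illustrative,
not the project's code)."""
import hashlib
import hmac
import json

REGISTRY_KEY = b"example-registry-key"               # stand-in integrity key
PUBLISHER_DN = "/C=UK/O=eScience/CN=npm-publisher"   # constructed Publisher identity


def seal_registry(urls, key=REGISTRY_KEY):
    """Serialise the static list and append a MAC over it."""
    payload = json.dumps(sorted(urls)).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"\n" + tag


def load_registry(blob, key=REGISTRY_KEY):
    """Refuse to use a registry whose MAC does not match its contents."""
    payload, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("registry file altered")
    return json.loads(payload)


def registry_is_intact(blob, key=REGISTRY_KEY):
    try:
        load_registry(blob, key)
        return True
    except ValueError:
        return False


class NMPoint:
    """An NM Point holding the list of Publisher DNs it will serve (slide 10)."""
    def __init__(self, authorised_publishers):
        self.authorised = set(authorised_publishers)

    def grants(self, publisher_dn):
        return publisher_dn in self.authorised


class Registry:
    def __init__(self, nm_points, registrars, ttl_s):
        self.nm_points = nm_points          # url -> NMPoint reachable at that url
        self.registrars = set(registrars)   # DNs allowed to add entries
        self.ttl_s = ttl_s                  # how long an entry lives without refresh
        self.entries = {}                   # url -> time of last (re)registration

    def seed(self, blob, now):
        """Load the manually maintained static list, verifying it first."""
        for url in load_registry(blob):
            self.entries[url] = now

    def register(self, requester_dn, url, now):
        if requester_dn not in self.registrars:
            return "denied: requester is not an authorised registrar"
        point = self.nm_points.get(url)
        # Only add a point that will actually serve this Publisher.
        if point is None or not point.grants(PUBLISHER_DN):
            return "denied: NM Point does not grant this Publisher access"
        self.entries[url] = now
        return "ok"

    def expire(self, now):
        """Drop and return entries older than the TTL (automatic cleanup)."""
        stale = sorted(u for u, t in self.entries.items() if now - t >= self.ttl_s)
        for u in stale:
            del self.entries[u]
        return stale

    def active(self):
        return sorted(self.entries)


if __name__ == "__main__":
    # Constructed sample: two NM Points, only one of which serves this Publisher.
    points = {"https://nm.site-a.example/": NMPoint([PUBLISHER_DN]),
              "https://nm.site-b.example/": NMPoint(["/CN=someone-else"])}
    reg = Registry(points, ["/CN=npm-admin"], ttl_s=3600)
    print(reg.register("/CN=npm-admin", "https://nm.site-a.example/", 0))
    print(reg.register("/CN=npm-admin", "https://nm.site-b.example/", 0))
    print(reg.register("/CN=mallory", "https://nm.site-a.example/", 0))
    print(reg.active(), reg.expire(3600), reg.active())
    sealed = seal_registry(["https://nm.site-a.example/"])
    print(registry_is_intact(sealed), registry_is_intact(sealed.replace(b"site-a", b"site-z")))
```

Refreshing an entry is the same call as creating it, so an NM Point that stops re-registering drops out on its own after one TTL rather than lingering as a stale target for the Publisher's periodic collection.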

12 Conclusion
Security has a two-way effect:
–Security issues affect implementation (e.g. method of discovery)
–Implementation affects security (e.g. splitting of users into domains)
Many unanswered questions about NPM security, mostly due to unanswered questions about NPM functionality.
But security must be considered throughout.
May be helpful to ask JRA3 specific questions as they come up.
(NPM Security discussion to follow)
