
1 David Groep Nikhef Amsterdam PDP & Grid Ensuring Availability Security, Protection, Trust, walking the line between paranoia and laisser-faire in a highly connected world

3 ‘De wereld draait door’ – VARA, 8 December 2010 – http://dewerelddraaitdoor.vara.nl/

4 Distributed Denial of Service (DDoS)

6 Just A Machine @Nikhef. Note: These were ‘white hat’ challenges performed as part of controlled network validation and scaling tests – so do not try this yourself!

7 Stoomboot: data retrieval rate. AWS price: 1.6 MUS$ setup + 86.5 kUS$/month @ 400 TB/month

8 Compute-to-data-traffic NDPF/Grid. BiG Grid: network utilisation at the central Facilities @ Nikhef

9 the Netherlands Tier 1 for wLCG is a service by BiG Grid, the Dutch e-Science Grid

10 wLCG in numbers:
◦ 372 sites globally
◦ 10 – 40 Gbps network
◦ 296 000 CPU cores
◦ 140 000 TByte storage
Data source: gSTAT, December 2010, http://gstat.egi.eu/
Image source: wLCG, http://cern.ch/lcg/

11 Need to stand up to analysis load
◦ Analysis is a denial-of-service attack!
◦ high-bandwidth infrastructure needed
◦ even then only sustainable with ‘right’ access pattern
... but for the rest of the world, we are a potential threat – when abused
◦ cluster & network has monetary value in and of itself
◦ infected systems typically used in criminal contexts
Security and Availability

12 price in US$ per 1000 bots per hour on an ADSL link. NDPF@AWS? 3-yr reserved discounted rate... only compute, not even storage! setup*: 2.3 MUS$; monthly: 202 kUS$ (* every 3 years)

13 need to secure our resources: allow you, the ‘right people’, in whilst keeping out the ‘bad guys’ is about both security and availability

14 “Firewall” by Sandy Smith, www.computersforart.org

15 “Firewall” by Sandy Smith, www.computersforart.org

16 ... keeping out the ‘bad guys’ Site Access Control software development white and blacklists grid-aware security vulnerability assessment CSIRT: Incident Response monitoring & forensics communications security exercises 2009 and 2010 compared Sven Gabriel: Security Service Challenges grid-mw-security@nikhef.nl LCG T1’s CSIRT response scores

17 ... the ‘right people’,...

18 Before the Grid...

19 ... the ‘right people’,...

20 Grid Identity and Community

21 graphic: Open Grid Services Architecture, © Global Grid Forum 2005, GFD.30

22 ‘but we know who we are – we’re us!’ allow you,... simple computer identities depend on the system involved... but for the grid we need a global identity

23 Your Global Identity
Authentication
◦ each person globally unique name
◦ forever persistent
◦ traceable to a real person
Authorization
◦ based on the unique AuthN ID
◦ grants or denies access
◦ VO & Site joint security responsible

25 Wherever you are... IGTF! International Grid Trust Federation – http://www.igtf.net/ EUGridPMA – https://www.eugridpma.org/

26 Federated Identity – we no longer run alone! grid structure was not too much different! Single sign-on across academia and research: the no. 1 ICT request from the ESFRI projects

27 web-SSO federations have matured; HR and ICT processes aligned; integration of ‘high-value grid’ & web federation now becomes reality... and we keep running... Federation peers rely on and trust home institutes to manage their users. Trust has become global: accounts get high, global value

28 SSO for everything!

29 Access to new federated services
Same login for most services
◦ Desktops and login.nikhef.nl
◦ Email and spam filter settings
◦ Instant Grid certificates and access to wLCG
◦ Elsevier – Science Direct
◦ ... windows and more web applications planned as well
New applications require better controls
◦ account registration and expiration requirements needed to keep our infra secure and remain trustworthy for our global federation partners
SSO for You https://sso.nikhef.nl/

30 http://ca.dutchgrid.nl/tcs/ or https://sso.nikhef.nl/

31 Your Certificate in 5 Clicks... and in 120 Seconds. for the longer-term future, we are working on completely hiding this... https://tcs-escience-portal.terena.org/ & https://www.terena.org/activities/tcs/

32 Yes: unfortunately – security is needed. Yes: we are an interesting target... and we strive to become even more so! @Nikhef we support development of security software and processes aiming at user friendliness and still remain effective. Security & Availability Take-Away: allow you, the ‘right people’, in whilst keeping out the ‘bad guys’

33 Image: MasterJM, taken at Uni Bielefeld, DE, found at: http://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html

