Presentation is loading. Please wait.

Presentation is loading. Please wait.

SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University.

Published byDuane Phelps Modified over 8 years ago

Similar presentations

Presentation on theme: "SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University."— Presentation transcript:

1 SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University of Virginia

2 SOS EGEE ‘06 GGF Auditing/Forensic Tools The Problem: –Multi-institutional collaborations with extensive remote access –Virtual organizations need to be able to track resource usage, credential usage, data access, etc –Difficult to get consistent audit information across sites –Different groups need different audit information –Sample questions that are currently hard to answer: Give me a list of all data files opened by User X in the last week What are the list of sites that user X accessed in the past week? How much CPU did VO X use at site Y in the past month? Give me a list of all users who used shared account X on resource Y yesterday. Who made requests to the dynamic firewall service yesterday? Did the IDS see any traffic on ports that where supposed to be closed, based on auditing information from the dynamic firewall service?

3 SOS EGEE ‘06 GGF Auditing/Forensic Tools cont. High-Level Approach: –An end-to-end auditing infrastructure which uses a policy language to allow resource (both systems and data) owners specify where auditing information may be published and who may access the audit logs. Components –Logging software (instrumentation) - Applications call easy-to-use libraries to log events with detailed information. –Normalizers– Agents transform existing logs so that they can be incorporated into the common schema of the audit system. –Collection sub-system (forwarder) – Audit logs are collected by a dependable, secure collection system. –Repository (database, publisher) – Audit logs are sent over the network, normalized, and archived. Then they are made available through a query interface. –Forensic tools (analysis) – Forensic tools query and process the audit data to find problems and answer questions.

4 SOS EGEE ‘06 GGF End-to-End Auditing System

5 SOS EGEE ‘06 GGF Related Project: Troubleshooting Service

6 SOS EGEE ‘06 GGF Dynamic Host Firewall Ports The Problem: –Ports needed by Grid middleware are often blocked by firewalls These firewalls are both host-based and network-based. Dynamically assigned ports are particularly problematic —E.g.: GridFTP data ports –Many sites allow outgoing, but not incoming connections How do a Grid FTP between 2 sites that both only allow outgoing connections?

7 SOS EGEE ‘06 GGF Dynamic Firewalls, cont. High-level Approach: –Tools and services to dynamically open and close ports needed by applications and middleware based on authentication and authorization Components –Configuration Broker maintains the overall state of the firewall configuration for the site, validates user credentials, and verifies that requested actions are consistent with site policy restrictions. –Firewall Agent interacts with the existing site firewall systems, receiving direction from the Configuration Broker. –The Validation Service receives information about the completed firewall changes and continually analyzes network traffic to insure there are no errors in the firewall configuration. –The Programming API is the mechanism for software to make requests to the broker.

8 SOS EGEE ‘06 GGF Dynamic Firewall System

Download ppt "SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University."

Similar presentations

21 Sep 2005LCG's R-GMA Applications R-GMA and LCG Steve Fisher & Antony Wilson.

21 Sep 2005LCG's R-GMA Applications R-GMA and LCG Steve Fisher & Antony Wilson.
Abstraction Layers Why do we need them? –Protection against change Where in the hourglass do we put them? –Computer Scientist perspective Expose low-level.

Abstraction Layers Why do we need them? –Protection against change Where in the hourglass do we put them? –Computer Scientist perspective Expose low-level.
Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Chapter 13 Review Questions

Chapter 13 Review Questions
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Winter 20021 CMPE 155 Week 7. Winter 20022 Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.
1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.

1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.
DGC Paris 4.03.02 Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.
CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.
Copyright B. Wilkinson, 2008. This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
OSG Logging Architecture Update Center for Enabling Distributed Petascale Science Brian L. Tierney: LBNL.

OSG Logging Architecture Update Center for Enabling Distributed Petascale Science Brian L. Tierney: LBNL.
Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.
Security Guidelines and Management

Security Guidelines and Management
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Section 13.1 Add a hit counter to a Web page Identify the limitations of hit counters Describe the information gathered by tracking systems Create a guest.

Section 13.1 Add a hit counter to a Web page Identify the limitations of hit counters Describe the information gathered by tracking systems Create a guest.

Similar presentations

Ads by Google