Security in Condor
Hao Wang, Computer Sciences Department, University of Wisconsin-Madison


1 Security in Condor
Hao Wang, Computer Sciences Department, University of Wisconsin-Madison
hbwang@cs.wisc.edu
http://www.cs.wisc.edu/condor

2 Outline (www.cs.wisc.edu/condor)
› Motivations
› Security Goals
› Design
› Current Status
› Issues and Future Work

3 Why Do We Need Security?
(diagram: Alice and Condor)

4 Why Do We Need Security?
Alice to Condor: "I am Alice; please run 100 jobs for me"

5 Why Do We Need Security?
(diagram: Alice and Condor)

6 Why Do We Need Security?
Here comes Bob....
Bob to Condor: "I am Alice; please remove all my jobs"

7 Why Do We Need Security?
(diagram: Alice, Condor and Bob)

8 Why Do We Need Security?
› Problem
  - False identification, stolen identity
› Solution
  - Authentication: establish the identities reliably
(diagram: Alice, Bob and Condor)

9 Other Problems
Problems            Solutions
› Stolen data       › Encryption
› Eavesdropping

10 Other Problems
Problems                       Solutions
› Stolen data                  › Encryption
› Eavesdropping
› Tampered data or messages    › Integrity check via Message Authentication Code (MAC)

11 Design Requirements
› The ultimate goal – Secure Channel
› Strong authentication
  - Cross platform support (Unix, NT, Linux, etc.)
  - Must support multiple authentication protocols
    Different sites have different security requirements
    Flexibility

12 Design Requirements
› Protecting data and secure communication
  - Encryption
  - Integrity check
  - Support multiple platforms
  - Must support both TCP and UDP
› User based authorization
  - Fine-grained access control
› Auditing
  - Logging

13 Grid Requirements
› Condor is part of the Grid community
  - Need to meet various Grid security requirements
  - AAA: Authentication (X.509 based PKI infrastructure), Authorization, Accounting
  - Fully integrated with Globus Toolkit

14 Trust Model
› In what do we trust?
  - Authentication protocols: Kerberos, X.509, NTSSPI, etc. Strong authentication is the key
  - Authentication services: Certificate Authorities, Kerberos servers, etc.
  - System administrators: configurations
  - Machines where Condor is installed

15 Condor Security Architecture
(diagram labels: Condor Daemons and Tools; CEDAR library services: Authentication Services, Authorization, Cryptography Services, Other Services; libraries: OpenSSL, Globus GSI, Kerberos; transport: TCP/UDP)

16 Current Status (>= V6.3.2)
› Authentication
  - Support multiple protocols: Kerberos, X.509, NTSSPI, File System
  - Use Globus Toolkit (2.0) for Grid related security services

17 Authorization
› User based access control policy
  - Access control format: ACCESS_LEVEL = user@domain/hostname, ... (comma-separated entries)
  - Support wildcards for flexibility
› Each Condor command is associated with an authorization level: READ, WRITE, DAEMON, CONFIG, ADMIN, OWNER, NEGOTIATOR
› Specify users for each authorization level
  - Either ALLOW or DENY

18 Authorization Examples
› Allow all users READ access
  - ALLOW_READ=*/*
› Allow all engineering department users who come from a machine on the UW campus network WRITE access
  - ALLOW_WRITE=*@engr.wisc.edu/*.wisc.edu
› Allow condor-1 and condor-2 to have CONFIG access level
  - ALLOW_CONFIG = condor-1@cs.wisc.edu/*,condor-2@cs.wisc.edu/*

19 Authorization Examples
› Only allow the user condor@cs.wisc.edu who comes from the CS department network to have DAEMON access level
  - ALLOW_DAEMON= condor@cs.wisc.edu/*.cs.wisc.edu
› Only condor-admin@cs.wisc.edu from the host bigbird can have ADMIN level of access
  - ALLOW_ADMIN= condor-admin@cs.wisc.edu/bigbird.cs.wisc.edu

20 Authorization Examples
› Deny the following users READ access
  - DENY_READ=bob@crash.net/*, bob@hack.biz
› Deny bob@crash.net WRITE access
  - DENY_WRITE=bob@crash.net/*
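The user@domain/hostname access control format of slides 17 to 20, as an added Python evaluator that is not Condor's own code: it parses the ALLOW_*/DENY_* entries from the slides (ALLOW_CONFIG written out with condor-2) and decides whether a given user, connecting from a given host, holds a level. Two points are assumptions of this example, not statements from the slides: an entry with no hostname part means any host, and DENY takes precedence over ALLOW.

```python
import fnmatch

# Constructed configuration using the entries from slides 18 to 20.
CONFIG = {
    "ALLOW_READ": "*/*",
    "ALLOW_WRITE": "*@engr.wisc.edu/*.wisc.edu",
    "ALLOW_CONFIG": "condor-1@cs.wisc.edu/*,condor-2@cs.wisc.edu/*",
    "ALLOW_DAEMON": "condor@cs.wisc.edu/*.cs.wisc.edu",
    "ALLOW_ADMIN": "condor-admin@cs.wisc.edu/bigbird.cs.wisc.edu",
    "DENY_READ": "bob@crash.net/*, bob@hack.biz",
    "DENY_WRITE": "bob@crash.net/*",
}


def parse_entries(value):
    """Split a comma-separated list of user@domain/hostname patterns into
    (user_pattern, host_pattern) tuples. An entry with no '/hostname' part,
    such as bob@hack.biz, is taken to mean any host (assumption of this example)."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue  # tolerates a trailing comma
        user, _, host = item.partition("/")
        entries.append((user, host or "*"))
    return entries


def matches(entries, user, host):
    """Match the user and host parts separately, so a '*' in the user part
    cannot run across the '/' and satisfy the host pattern by accident."""
    return any(
        fnmatch.fnmatchcase(user, user_pat) and fnmatch.fnmatchcase(host, host_pat)
        for user_pat, host_pat in entries
    )


def is_authorized(config, level, user, host):
    """Grant LEVEL access iff an ALLOW_<LEVEL> entry matches and no
    DENY_<LEVEL> entry does. Assumption of this example: DENY wins over ALLOW,
    so a denied user stays denied even though ALLOW_READ=*/* matches everyone."""
    deny = parse_entries(config.get(f"DENY_{level}", ""))
    if matches(deny, user, host):
        return False
    allow = parse_entries(config.get(f"ALLOW_{level}", ""))
    return matches(allow, user, host)
```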

21 Current Status (Cont.)
› Data Encryption
  - OpenSSL based; supports 3DES, Blowfish
  - Support both TCP and UDP
› Data Integrity
  - OpenSSL based; supports MD5
  - Support both TCP and UDP

22 UDP Encryption/Integrity
› Encryption and integrity support for UDP is hard
  - UDP is connectionless: packets may come from different sources!
  - UDP is not reliable
  - How to address these issues?

23 UDP Encryption/Integrity
› Use TCP plus a strong authentication protocol for the initial key exchange
  - The protocol must provide encryption support
  - Exchange a secret key and a key ID
› Each side caches the pair
› Include the key ID in subsequent communication
› Use the key for encryption and for the integrity check of UDP packets

24 UDP Encryption/Integrity
(diagram: Schedd, Startd, Central Manager) Initial State

25 UDP Encryption/Integrity
(diagram: Schedd, Startd, Central Manager) UPDATE command request (UDP)

26 UDP Encryption/Integrity
(diagram: Schedd, Startd, Central Manager) AUTHENTICATE: authentication (TCP)

27 UDP Encryption/Integrity
(diagram: Schedd, Startd, Central Manager; [Key-1, ID-1] exchanged, both ends now hold ID-1/Key-1) Key Exchange (TCP + encryption)

28 UDP Encryption/Integrity
(diagram: Schedd, Startd, Central Manager; message [UPDATE, ID-1], both ends hold ID-1/Key-1) Update (UDP with encryption/integrity)

29 UDP Encryption/Integrity
(diagram: Schedd, Startd, Central Manager; cached pairs ID-1/Key-1, ID-2/Key-2, ID-3/Key-3; messages [UPDATE, ID-1], [UPDATE, ID-2]) Steady State (UDP)

30 Issues with UDP Encryption/Integrity
› Session management
› Key management
› Key expiration
  - How frequently should we exchange a new set of keys?
› Crash recovery
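The key-ID scheme of slides 23 to 29 and the expiry and crash-recovery issues of slide 30, as an added Python sketch that is not Condor's code: each side keeps a table of key IDs, every UDP datagram carries its key ID in the clear, and the receiver rejects unknown, expired or tampered datagrams. Assumptions of this example: HMAC-SHA256 stands in for the MD5-based check, encryption of the payload is left out, and the TCP exchange that delivers the keys is taken to have already happened.

```python
import hashlib
import hmac
import struct

MAC_LEN = 32  # HMAC-SHA256; stands in for the MD5-based check named on slide 21


class UdpSessionTable:
    """One side's cache of key id -> (key, expiry) pairs. The pairs are assumed
    to come from the authenticated, encrypted TCP exchange of slide 23, which is
    not modelled here; only the UDP framing and the receiver's checks are."""

    def __init__(self, lifetime_s=300):
        self.keys = {}
        self.lifetime_s = lifetime_s

    def install(self, key_id, key, now):
        """Cache a freshly exchanged pair; it expires lifetime_s later."""
        self.keys[key_id] = (key, now + self.lifetime_s)

    def seal(self, key_id, command, now):
        """Frame one datagram: key id in the clear, the command, then a MAC over
        both, so the id itself cannot be swapped without detection."""
        key, expiry = self.keys[key_id]
        if now >= expiry:
            raise KeyError("session expired: exchange a fresh key over TCP")
        body = struct.pack("!I", key_id) + command
        return body + hmac.new(key, body, hashlib.sha256).digest()

    def open(self, datagram, now):
        """Check a received datagram. Returns (status, command); the command is
        only returned with status 'OK'. 'REKEY' tells the sender to redo the TCP
        exchange, which is also what happens after a crash empties this table."""
        if len(datagram) < 4 + MAC_LEN:
            return "MALFORMED", None
        key_id = struct.unpack("!I", datagram[:4])[0]
        body, mac = datagram[:-MAC_LEN], datagram[-MAC_LEN:]
        entry = self.keys.get(key_id)
        if entry is None or now >= entry[1]:
            self.keys.pop(key_id, None)  # drop an expired key on first use
            return "REKEY", None
        expected = hmac.new(entry[0], body, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return "BAD_MAC", None  # tampered, or sealed with a stale key
        return "OK", body[4:]
```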

31 Status Summary
› Strong authentication
  - Support multiple protocols
› User-based authorization
› Encryption for both TCP/UDP
› Integrity check for both TCP/UDP

32 Future Work
› Grid related work
  - Science Grid, PPDG ... related work
  - Community Authorization Service (CAS)
› Credential related
  - Expiration, refresh, delegation
  - MyProxy
› More work on authorization
  - SPKI/SDSI, ClassAd

33 Questions?
› Demo on Wednesday
  - Room 3397, CS Building, 9am – noon
› More about Condor
  - http://www.cs.wisc.edu/condor
  - condor-admin@cs.wisc.edu
› Talk to us: Zachary Miller, Todd Tannenbaum, Miron Livny, Hao Wang

