Preliminary Conclusions VO Box Task Force GDB Meeting 5 april 2006.

1. Preliminary Conclusions, VO Box Task Force, GDB Meeting 5 April 2006

2. VO boxes, services, software, & security
Jeff Templon, 2015.01.14
J. Templon, Nikhef Amsterdam, Physics Data Processing Group

3. Why this talk
• We made a big fuss about this in 2006
• Good example of why
• Some implications for VO sw security
  ◦ As well as VO traceability (cf. current discussion)
VO sw security, GDB 2015.01.14 (14 January 2015)

4. Classification of VO Services (from "VO Box Priorities", C. Loomis, 7 June 2006)
• Class 1:
  ◦ Can access site's services (and work correctly) from a private network, i.e. does not need to live within the trusted subnet of a farm.
  ◦ Uses only service APIs/interfaces which are exposed to the external world past the site's firewall.
• Class 2:
  ◦ Uses 'private' interfaces to access information/services at the site (i.e. not exposed to those beyond the site's firewall).
  ◦ Essentially this is anything which is not a Class 1 service.

5. Heart of the problem
• VO service authors write, install and maintain services. No site control or overview.
• If the box can live in a separate network, no problem. Hacked?
  ◦ Wipe the box
  ◦ Reinstall from scratch
  ◦ Say "here ya go" to the VO
• If the box has to live inside the trusted subnet, it is a huge forensic task to see whether a breach has occurred

6. VO Box
• Used to have a class 2 service
• Not anymore: moved to the vobox network
• Port scan revealed a vulnerable service listening
• Because we had it in the class 1 network:
  ◦ Limit exposure through firewalling, but leave it functional and running for a while
  ◦ Once fixed: wipe the box & return it to the VO
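The two checks behind slides 4 and 6 can be written down as a small script: does a VO box need any private site interface (which makes it Class 2 by the Loomis definition), and which of its listening services are reachable from outside the box but were never declared by the VO (the kind of listener a port scan turns up, and a candidate for firewalling until a fix arrives). This is an added example, not code from the talk or from any site; the subnet, hostnames, ports, process names and `ss -tlnp` lines are constructed sample data.

```python
"""Added example: VO box placement (Class 1 / Class 2) and listener exposure
check. Every host, port, subnet and ss line here is constructed sample data."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed site policy (assumption): the trusted farm subnet, and the
# (host, port) interfaces the site deliberately exposes past its firewall.
TRUSTED_SUBNET = ipaddress.ip_network("10.20.0.0/16")
EXPOSED_SITE_SERVICES = {("se.example.org", 2811), ("ce.example.org", 8443)}


@dataclass(frozen=True)
class Dependency:
    """A site service the VO box must reach: name, resolved IP, port."""
    host: str
    ip: str
    port: int


def classify_box(deps):
    """Class 1 if every site service the box needs is reachable through an
    interface exposed past the firewall; Class 2 as soon as one dependency is
    a private interface inside the trusted subnet (slide 4 definition)."""
    private = [d for d in deps
               if ipaddress.ip_address(d.ip) in TRUSTED_SUBNET
               and (d.host, d.port) not in EXPOSED_SITE_SERVICES]
    return ("class2", private) if private else ("class1", [])


# Matches `ss -tlnp` output rows: state, queues, local addr:port, peer, process.
SS_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?')


def parse_listeners(text):
    """Return (local_address, port, process_name) for each LISTEN row."""
    out = []
    for line in text.splitlines():
        m = SS_RE.match(line.strip())
        if not m:
            continue  # header line or non-LISTEN row
        addr, port, proc = m.groups()
        out.append((addr, int(port), proc or "?"))
    return out


def externally_reachable(addr):
    """Wildcard or non-loopback binds can be reached from off the box."""
    if addr in ("*", "0.0.0.0", "[::]", "::"):
        return True
    try:
        return not ipaddress.ip_address(addr.strip("[]")).is_loopback
    except ValueError:
        return True  # unknown form: treat as exposed, not as safe


def unexpected_listeners(text, declared_ports):
    """Listeners reachable from outside the box that the VO did not declare:
    the ones to firewall off (slide 6) until the VO provides a fix."""
    return [(a, p, proc) for a, p, proc in parse_listeners(text)
            if externally_reachable(a) and p not in declared_ports]


# Constructed sample data for a stand-alone run.
CLASS1_DEPS = [Dependency("se.example.org", "10.20.1.5", 2811)]
CLASS2_DEPS = CLASS1_DEPS + [Dependency("dpm-head.example.org", "10.20.1.9", 5015)]
DECLARED_PORTS = {22, 8080}  # what the VO said the box would listen on
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:25        0.0.0.0:*     users:(("master",pid=901,fd=13))
LISTEN 0      511    0.0.0.0:8080        0.0.0.0:*     users:(("vo-agent",pid=2210,fd=6))
LISTEN 0      128    [::]:9999           [::]:*        users:(("vo-proxy",pid=2305,fd=4))
"""

if __name__ == "__main__":
    for name, deps in (("box-A", CLASS1_DEPS), ("box-B", CLASS2_DEPS)):
        cls, private = classify_box(deps)
        print(name, cls, [f"{d.host}:{d.port}" for d in private])
    for addr, port, proc in unexpected_listeners(SAMPLE_SS, DECLARED_PORTS):
        print(f"undeclared exposed listener {addr}:{port} ({proc})")
```

In the sample, box-B needs a DPM head node on a private port and is therefore Class 2, and the `vo-proxy` listener on port 9999 is reachable from outside and was never declared; the loopback-only mail listener is ignored. The script reads a captured `ss -tlnp` snapshot rather than scanning anything itself.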

7. Counterexample: ATLAS N2N service
• Is class 2 by design: has to see the SE namespace
• Vulnerability found: service immediately shut down
• Restarted only when a fix was provided

8. Who checks VO sw?
• How many people potentially can add software to CVMFS repos?
• What security measures are there (also in checking / patching sw in CVMFS)?
• If a VO deploys software for which trust is relevant beyond "VO boundaries", some rigor is needed.
• It should be well-defined what is, and is not, covered or assured.

9. Moving Traceability to VO
• Discussion about dropping glexec et al. and mapping all VO activities at a site to a single "VO user", since "the VO knows who the real users are"
• If VOs distribute vulnerable software providing network services, can we really trust them to handle all user traceability?
• Suggest any new services requiring substantial trust at site level be audited.

