Security recommendations for dCache

Slides:

Advertisements

Similar presentations

Enabling Secure Internet Access with ISA Server

Advertisements

Storage: Futures Flavia Donno CERN/IT WLCG Grid Deployment Board, CERN 8 October 2008.

Module 10: Troubleshooting Network Access. Overview Troubleshooting Network Access Resources Troubleshooting LAN Authentication Troubleshooting Remote.

Module 5: Configuring Access to Internal Resources.

Lesson 20 – OTHER WINDOWS 2000 SERVER SERVICES. DHCP server DNS RAS and RRAS Internet Information Server Cluster services Windows terminal services OVERVIEW.

Chapter 7: Using Windows Servers to Share Information.

1 Web Server Administration Chapter 9 Extending the Web Environment.

Introduction to SQL Server 2000 Security Dave Watts CTO, Fig Leaf Software

Chapter 13 – Network Security

INSTALLING MICROSOFT EXCHANGE SERVER 2003 CLUSTERS AND FRONT-END AND BACK ‑ END SERVERS Chapter 4.

Objectives Configure routing in Windows Server 2008 Configure Routing and Remote Access Services in Windows Server 2008 Network Address Translation 1.

Daemon issue 14 SSH Port Forwarding Yannis Tsopokis Wednesday, April 26 th 2006.

Network Management Tool Amy Auburger. 2 Product Overview Made by Ipswitch Affordable alternative to expensive & complicated Network Management Systems.

EMerge Browser Managed Security Platform Module 3: Startup eMerge Certification Course  Physical connection  TCP/IP Characteristics of PC  Initial connection.

DCache at Tier3 Joe Urbanski University of Chicago US ATLAS Tier3/Tier2 Meeting, Bloomington June 20, 2007.

D C a c h e Michael Ernst Patrick Fuhrmann Tigran Mkrtchyan d C a c h e M. Ernst, P. Fuhrmann, T. Mkrtchyan Chep 2003 Chep2003 UCSD, California.

Introduction to dCache Zhenping (Jane) Liu ATLAS Computing Facility, Physics Department Brookhaven National Lab 09/12 – 09/13, 2005 USATLAS Tier-1 & Tier-2.

1 Chapter Overview Password Protection Security Models Firewalls Security Protocols.

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

DCache Basics Alessandro Usai, Sergio Maffioletti Grid Group CSCS.

FTP File Transfer Protocol Graeme Strachan. Agenda  An Overview  A Demonstration  An Activity.

SRM Monitoring 12 th April 2007 Mirco Ciriello INFN-Pisa.

OSG AuthZ components Dane Skow Gabriele Carcassi.

Derek Ross E-Science Department DCache Deployment at Tier1A UK HEP Sysman April 2005.

Module 10: Windows Firewall and Caching Fundamentals.

17 Establishing Dial-up Connection to the Internet Using Windows 9x 1.Install and configure the modem 2.Configure Dial-Up Adapter 3.Configure Dial-Up Networking.

SESEC Storage Element (In)Security hepsysman, RAL 0-1 July 2009 Jens Jensen.

Lemon security. Previous security enhancements user lemon: lemon-db-admin-OraMon will create user lemon (Miro). - OraMon switches to user lemon at its.

INFSO-RI ETICS Local Setup Experiences A Case Study for Installation at Customers Location 4th. All Hands MeetingUwe Müller-Wilm VEGA Bologna, Nov.

BNL dCache Status and Plan CHEP07: September 2-7, 2007 Zhenping (Jane) Liu for the BNL RACF Storage Group.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Mario Reale – GARR NetJobs: Network Monitoring Using Grid Jobs.

Security recommendations DPM Jean-Philippe Baud CERN/IT.

Nov 05, 2008, PragueSA3 Workshop1 A short presentation from Owen Synge SA3 and dCache.

ArcGIS for Server Security: Advanced

Understand Names Resolution

Chapter 7: Using Windows Servers

The sign of success.

Pilot Watcher Product Overview V5.3

Module 8: Networking Services

Classic Storage Element

Module Overview Installing and Configuring a Network Policy Server

dCache “Intro” a layperson perspective Frank Würthwein UCSD

SECURING NETWORK TRAFFIC WITH IPSEC

dCache – protocol developments and plans

Securing the Network Perimeter with ISA 2004

Radius, LDAP, Radius used in Authenticating Users

Introduction to SQL Server 2000 Security

SUBMITTED BY: NAIMISHYA ATRI(7TH SEM) IT BRANCH

Quality Control in the dCache team.

Implementing TMG Server Publishing

Brookhaven National Laboratory Storage service Group Hironori Ito

Chapter 6: Network Layer

Working at a Small-to-Medium Business or ISP – Chapter 7

DCache things Paul Millar … on behalf of the dCache team.

dCache: new and exciting features

Working at a Small-to-Medium Business or ISP – Chapter 7

Chapter 27: System Security

TCP/IP Networking An Example

Working at a Small-to-Medium Business or ISP – Chapter 7

Goals Introduce the Windows Server 2003 family of operating systems

Lab 7 - Topics Establishing SSH Connection Install SSH Configure SSH

Firewalls Routers, Switches, Hubs VPNs

TELNET BY , S.AISHWARYA III-IT.

APACHE WEB SERVER.

(DNS – Domain Name System)

Designing IIS Security (IIS – Internet Information Service)

Computer Networks Protocols

Internet Applications (Telnet, FTP)

Summary of the dCache workshop

Presentation transcript:

Security recommendations for dCache Paul Millar on behalf of .. Antje, Dmitry, Christian, Gerd, Jan, Patrick, Tanja, Tigran, Timur, Thomas, Owen, Kai dCache.org

A long-lived Golden release and shorter supported feature releases A long-lived Golden release and shorter supported feature releases. Recommendations that depend on which version is used are prefixed with “[1.9.5]” or “[later]”

Component overview Additional, optional, component that are not shown here: SRM, SpaceManager, PinManager, TransferManager,

How to start/stop services dCache runs as one or more Java processes Starting and stopping all dCache processes: /opt/d-cache/bin/dcache start /opt/d-cache/bin/dcache stop Chimera NFS server [1.9.5] /opt/d-cache/libexec/chimera-nfs- run.sh [later] NFS server is just another service. [later] can run dCache as non-root user But there are some hurdles Some services need to listen on <1024 port Grid certificates may be readable only by root Billing and statistics attempt to write to /opt/d-cache

Network usage - messaging dCache uses a message-passing system: cells and JMS. Cells: Default on all current dCache releases. Two steps: discovery, connectivity. Discovery: LB listens in dCacheDomain for UDP port 11111, Remote domain: sends packet to dCacheDomain, receives reply which tunnels are needed to establish connectivity. Connectivity: dCacheDomain listens on a (by default) random port, but can be configured, Remote domain establishes TCP connection, JMS [later] JMS with embedded ActiveMQ: dCacheDomain listen on TCP 11112, others connect to this.

Network usage - transfers Doors and SRM listen on configurable ports: LAN protocols: NFS 2049, dcap 22125, Gsidcap 22128, Kerberos-dcap 22725 WAN protocols: SRM 8443, GridFTP 2811, HTTP/WedDAV 2880, KerberosFTP 22127, (insecure/normal) FTP 22126 Ephemeral ports are taken from a configurable range: LAN protocols use port-range (33115..33145) WAN protocols use port-range (20000..25000)

Network usage – database, NFS Some components need access to a database Those that need database access: SRM, Pin Manager, space manager, replica manager [<1.9.9] gPlazma cell. If using Chimera: NFS server, PnfsManager If using PNFS: PNFS (dbserver processes). Restrict access to db: Grant access to a username with a good password POSIX access to namespace (NFS mounting): Only needed by some components: PnfsManager (if using PNFS), [1.9.5] SRM, dirDomain. Results in NFS network traffic between namespace (PNFS and Chimera) and the node running the service.

User mapping gPlazma component to control user mapping. Several mechanisms: XACML SAML Kpwd GridMap, Gplazmalite, SAZ Any number can be enabled, site-admin supplies the order, first plugin to map wins.

How to prevent access Banning users is configured inside gPlazma Use gPlazmaLite (grid-vorolemap) with dash as username This should be first in list of gPlazma plugin Ban a user outright: Ban a user as member of FQAN: Ban all members of an FQAN: be aware of explicit DN mappings will not be banned. "/O=ExampleGrid/OU=ExampleSite/CN=Joe Bloggs" - "/O=ExampleGrid/OU=ExampleSite/CN=Joe Bloggs" "/example.org" - "*" "/example.org/Role=rogue_user" -

Log files In general: Services run within a “domain” (i.e., a JVM instance) Each domain has a log file (in /var/log by default) SRM [1.9.5] /opt/d-cache/libexec/apache- tomcat/logs/catalina.out [later] normal logging for domain Chimera [1.9.5] /tmp/himera.log

Administrator access Two main means of sys-admin access: web and ssh Web monitoring listens on port 2880 SSH admin interface listens on port 22223 Recommend securing access to these two service from trusted hosts. For example: Allow access to port 22223 only from localhost Allow access access to port 2880 from site- admin's machine Relay web access via an Apache instance listening on a secure port, require user certificate from web browser and authorise on that certificate.

Future plans (security) New gPlazma: more modular, more flexible As part of this, support for Argus. Moving towards JMS: Allows redundant communication, Allows tunnelling messages through encrypted communication. New web admin interface: Security model

Summary Run latest patch version of dCache, Secure network communication Message, Data transfers, Mounted namespace (if needed). Know (practice) how to ban a user, “Know thy system” To know when something is abnormal, you must know what is normal. know what is happening.