Computer Security and the Grid … or how I learned to stop worrying and love The Grid. Dane Skow Fermilab Computer Security Awareness Day 8 March 2005.

Grid, grid(s), and more grids
No commonly accepted definition of a grid.
– Grid: new function parallel to the Web noosphere
– grid: particular instance of an internally consistent grid. Parallels the Internet being a network of networks
FNAL participates in the Grid at many different levels
– Open Science Grid (OSG)
– LHC Computing Grid (LCG)
– Particle Physics Data Grid (PPDG)
– FermiGrid
– SAMGrid
Resources may participate in multiple grids

Why allow Grids?
To get the work done
Better integration of host lab and remote resources
Facilitate resource sharing among larger communities
Establish common standards for use of services
There’s nothing in the Grid that users can’t (and don’t) already do independently.
Faith that facilitating this leads to innovation and improvement

Four Pillars of (Grid) Security
Identity (DN or public key)
– Isolation
– Traceability
Authentication (TLS handshake)
– Prevent identity theft
Authorization (gridmapfile or Globus+OGSA-AuthZ+Services)
– Access control
– Resource control
Audit (logfiles)
– Troubleshooting
– Forensics
– Accounting

Identity
Needs a globally unique name
– Cert (or DN) is a managed namespace: /etc/grid-security/certificates lists the trusted CAs, and the /etc/grid-security/xxxxxxxx.signing_policy files are the tool for this
– Public keys are statistically unique
Granularity of identity under debate
– Process level?
– Human vs. agent moderated?

Authentication
OpenSSL is your friend
Debate over scope of authentication
– Session level
– 0.1 Msec ≈ 1 day
– 1 Msec ≈ AFS token lifetime
– Msec ≈ account revalidation lifetime
Privacy is a serious concern

Authorization
Gridmapfile is the default, at /etc/grid-security/grid-mapfile
Authorization callouts at /etc/grid-security/gsi-authz.conf
Expression and interpretation of policy by 3rd parties is TBD

Audit
No common standard or requirement yet.
Rely on local expertise and experience to guide
Not clear what tools are useful/needed

Putting it all together
[Architecture diagram; components labelled:]
– VOMS Attribute Server (push: user, VO)
– AuthZ Provisioning (Site, e.g. GUMS; Resource)
– AuthZ Access Control (VO, e.g. RB; Site, e.g. SAZ; Resource)
– 3rd party authN
– Grid Resource
– Management of ACLs
– ACLs on Resource Object
– AuthZ Policy Engine

Incident Response
Identify
– Requester identity (full cert preferred)
– Requesting IP address
– Requesting identity (full cert preferred)
Contain
– Local action is first priority
– Now frequently requires coordinated action
– FCSC Alert grid incident response channel
Explain
– Need to identify thresholds of investigation (wipe vs. investigate decision)
Respond
– Authorization is the “big stick”, not the network directly

Vulnerability Assessment
Troubles of new software/ideas
– Exploit of software vulnerabilities
– Configuration errors
– Logic errors
All the same old stuff, only more so
– Inventory attacks (worms)
– Broad authentication cells: explicit, not just shared/sniffed passwords
– Trojan applications and system software

Forensics
New services
– Gatekeeper is port 2119 TCP
– GSIftp (aka GridFTP) is port 2811 TCP
– Various monitoring/directory services
Grid Service logs
– GLOBUS_LOCATION default is /usr/local/grid/globus
– Gatekeeper log is at $GLOBUS_LOCATION/var/globus-gatekeeper.log
– GridFTP log is at $GLOBUS_LOCATION/var/gridftp.log

Authorization Services
SAZ at FNAL
– Site AuthoriZation service
– Provides single point access control
– Offloads CRL maintenance from servers
GUMS identity mapping
– Grid identity is X509 SubjectName and Issuer
– Local identity is uid (resource scope)
– Kerberos/AFS not mapped (site scope)
Local service authorization may do provisioning
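The Identity and Authorization pillars from the slides above, worked through in code: the issuer's signing_policy fixes the DN namespace a trusted CA may vouch for, and only then is the subject looked up in the grid-mapfile (the same subject-plus-issuer view of a grid identity that GUMS uses). This is an added Python example, not code from the talk or from Globus; the CA name, DNs and both file contents are constructed, and the parsing follows the Globus signing_policy and grid-mapfile layouts.

```python
import fnmatch
import shlex
# Constructed Globus-style signing_policy for a made-up CA. cond_subjects is the
# subject-DN namespace this CA is trusted to sign; DNs outside it are rejected.
SIGNING_POLICY = """
access_id_CA  X509   '/DC=org/DC=ExampleGrid/OU=Certificate Authorities/CN=Example CA'
pos_rights    globus CA:sign
cond_subjects globus '"/DC=org/DC=ExampleGrid/OU=People/*" "/DC=org/DC=ExampleGrid/OU=Services/*"'
"""
# Constructed grid-mapfile: quoted subject DN, then local account(s); the
# first account is the default mapping.
GRID_MAPFILE = """
# comments and blank lines are ignored
"/DC=org/DC=ExampleGrid/OU=People/CN=Alice Example 1234" alice
"/DC=org/DC=ExampleGrid/OU=People/CN=Bob Example 5678" cms,bob
"/DC=org/DC=OtherGrid/OU=People/CN=Carol Other 9999" carol
"""

def parse_signing_policy(text):
    """Return {ca_dn: [subject-DN glob patterns]} from signing_policy text."""
    policies, ca = {}, None
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        if parts[0] == "access_id_CA":
            ca = parts[2]
            policies[ca] = []
        elif parts[0] == "cond_subjects" and ca is not None:
            policies[ca].extend(shlex.split(parts[2]))  # list of quoted globs
    return policies

def parse_gridmap(text):
    """Return {subject_dn: [local accounts]} from grid-mapfile text."""
    mapping = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) == 2:  # anything else is malformed: skip it (fail closed)
            mapping[parts[0]] = parts[1].split(",")
    return mapping

def authorize(subject, issuer, policies, gridmap):
    """Map an authenticated (subject, issuer) pair to a local account, else None."""
    patterns = policies.get(issuer)
    if patterns is None:
        return None  # identity: certificate issued by an untrusted CA
    if not any(fnmatch.fnmatchcase(subject, p) for p in patterns):
        return None  # identity: CA vouching for a DN outside its namespace
    accounts = gridmap.get(subject)
    return accounts[0] if accounts else None  # authorization: grid-mapfile lookup
```

Carol's entry shows why the namespace check comes first: her DN is in the grid-mapfile, but the example CA is not trusted to sign it, so a certificate for that DN from this CA is refused.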

Forensics (cont’d)
System tools
– Same as before
Grid tools
– Non-existent
– Not clear what can/should be automated
– Need to involve the VO in most investigations

Roles and Responsibilities
FCIRT continues as the FNAL Incident Response Team
Site autonomy
– Focus on local defense first
– Second priority: contain damage
Now include consideration of Grid partners in assessment
Coordinate with others using the OSG Incident Response Plan
– Currently in effect for OSG
– Adopted as the new model for LCG. Migrating.

Roles and Responsibilities
Notification
– Notification infrastructure to support ad hoc and best-effort collaboration on incident response.
– Issues: skill level and tolerance vary widely; reasonable response expectations need to be developed
– Likely that some contention will occur while level-setting is achieved.

Recommended Reading
SSL and TLS Essentials, Stephen Thomas
OSG Incident Response Plan
– http://computing.fnal.gov/docdb/osg_documents/0000/ /002/OSG_incident_handling_v1.0.pdf
LCG Security Policy Documents
– http://proj-lcg-security.web.cern.ch/proj-lcg-security/documents.html
Globus Documentation

Questions ??