Hao Wang Computer Sciences Department University of Wisconsin-Madison Security in Condor.


Hao Wang Computer Sciences Department University of Wisconsin-Madison Security in Condor

Outline
› Motivations
› Security Goals
› Design
› Current Status
› Issues and Future Work

Why Do We Need Security? (diagram sequence: Alice, Bob, Condor)
› Alice to Condor: "I am Alice; Please run 100 jobs for me"
› Here comes Bob…
› Bob to Condor: "I am Alice; Please remove all my jobs"

Why Do We Need Security?
› Problem: false identification, stolen identity
› Solution: authentication, i.e. establish the identities reliably
(diagram: Alice, Bob, Condor)

Other Problems (Problems / Solutions)
› Stolen data, eavesdropping: encryption
› Tampered data or messages: integrity check via a Message Authentication Code (MAC)

Design Requirements
› The ultimate goal: a secure channel
› Strong authentication
   Cross-platform support (Unix, NT, Linux, etc.)
   Must support multiple authentication protocols: different sites have different security requirements, so flexibility is needed

Design Requirements
› Protecting data and secure communication
   Encryption
   Integrity check
   Support multiple platforms
   Must support both TCP and UDP
› User-based authorization
   Fine-grained access control
› Auditing
   Logging

Grid Requirements
› Condor is part of the Grid community
   Need to meet various Grid security requirements
   AAA: Authentication (X.509-based PKI infrastructure), Authorization, Accounting
   Fully integrated with Globus Toolkit

Trust Model
› In what do we trust?
   Authentication protocols: Kerberos, X.509, NTSSPI, etc. Strong authentication is the key
   Authentication services: Certificate Authorities, Kerberos servers, etc.
   System administrators: configurations
   Machines where Condor is installed

Condor Security Architecture (diagram): Condor Daemons and Tools sit on top of the CEDAR libraries (Cryptography Services, Authentication Services, Authorization, Other Services), which build on OpenSSL, Globus GSI and Kerberos over TCP/UDP.

Current Status (>= V6.3.2)
› Authentication
   Support multiple protocols: Kerberos, X.509, NTSSPI, File System
   Use Globus Toolkit (2.0) for Grid-related security services

Authorization
› User-based access control policy
   Access control format: ACCESS_LEVEL = 
   Support wildcards for flexibility
› Each Condor command is associated with an authorization level: READ, WRITE, DAEMON, CONFIG, ADMIN, OWNER, NEGOTIATOR
› Specify users for each authorization level, either ALLOW or DENY

Authorization Examples
› Allow all users READ access
   ALLOW_READ=*/*
› Allow all engineering department users who come from a machine on the UW campus network WRITE access
   
› Allow condor-1 and condor-2 to have the CONFIG access level
   ALLOW_CONFIG =

Authorization Examples
› Only allow users who come from the CS department network to have the DAEMON access level
   ALLOW_DAEMON=
› Only the host bigbird can have the ADMIN level of access
   ALLOW_ADMIN=

Authorization Examples
› Deny the following users READ access
   
› Deny WRITE access
   
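The three example slides above show ALLOW_*/DENY_* entries in the user@domain/host form with wildcards. The following is an added example, not Condor's own code, that evaluates such a policy for a command's access level; ALLOW_READ = */* is from the slides, every other entry, user and host name is constructed, and the rule that a DENY match overrides an ALLOW match is an assumption of this example.

```python
import fnmatch

# Added example (not Condor's own code). Entries are "userpattern/hostpattern";
# ALLOW_READ = */* is from the slides, all other entries below are constructed.
# Assumption: a matching DENY entry is checked before, and overrides, any ALLOW entry.
ACCESS_LEVELS = {"READ", "WRITE", "DAEMON", "CONFIG", "ADMIN", "OWNER", "NEGOTIATOR"}

POLICY = {
    "ALLOW_READ":   ["*/*"],
    "ALLOW_WRITE":  ["*@engr.example.edu/*.example.edu"],
    "ALLOW_CONFIG": ["condor-1@example.edu/*", "condor-2@example.edu/*"],
    "ALLOW_DAEMON": ["*/*.cs.example.edu"],
    "ALLOW_ADMIN":  ["*/bigbird.cs.example.edu"],
    "DENY_READ":    ["mallory@example.edu/*"],
    "DENY_WRITE":   ["*/*.guest.example.edu"],
}

def entry_matches(entry: str, user: str, host: str) -> bool:
    """'userpat/hostpat' matches when both halves match; a bare user pattern means any host."""
    user_pat, _, host_pat = entry.partition("/")
    return (fnmatch.fnmatchcase(user, user_pat)
            and fnmatch.fnmatchcase(host, host_pat or "*"))

def authorized(policy: dict, level: str, user: str, host: str) -> bool:
    """True when the authenticated user@domain, coming from host, may issue a command at `level`."""
    if level not in ACCESS_LEVELS:
        raise ValueError(f"unknown access level {level!r}")
    if any(entry_matches(e, user, host) for e in policy.get(f"DENY_{level}", [])):
        return False                       # explicit deny wins over any allow
    # No ALLOW list for a level means nobody gets it (default deny).
    return any(entry_matches(e, user, host) for e in policy.get(f"ALLOW_{level}", []))

if __name__ == "__main__":
    print(authorized(POLICY, "ADMIN", "root@example.edu", "bigbird.cs.example.edu"))  # True
```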

Current Status (Cont.)
› Data encryption
   OpenSSL-based; supports 3DES, Blowfish
   Support both TCP and UDP
› Data integrity
   OpenSSL-based; supports MD5
   Support both TCP and UDP

UDP Encryption/Integrity
› Encryption and integrity support for UDP is hard
   UDP is connectionless: packets may come from different sources!
   UDP is not reliable
   How to address these issues?

UDP Encryption/Integrity
› Use TCP plus a strong authentication protocol for the initial key exchange
   The protocol must provide encryption support
   Exchange a secret key and a key Id
› Each side caches the pair
› Include in subsequent communication
› Use for encryption, for integrity check of UDP packets

UDP Encryption/Integrity (diagram sequence between Schedd, Startd and Central Manager)
› Initial State
› UPDATE Command Request (UDP)
› AUTHENTICATE: Authentication (TCP)
› [Key-1, ID-1]: Key Exchange (TCP + Encryption); both sides now hold ID-1/Key-1
› [UPDATE, ID-1]: Update (UDP with Encryption/Integrity)
› Steady State (UDP): several cached pairs (ID-1/Key-1, ID-2/Key-2, ID-3/Key-3); updates carry their key Id, e.g. [UPDATE, ID-1], [UPDATE, ID-2]

Issues with UDP Encryption/Integrity
› Session management
› Key management
› Key expiration
   How frequently should we exchange a new set of keys?
› Crash recovery
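The UDP scheme described above (key and key Id exchanged over authenticated, encrypted TCP, the pair cached on both sides, the Id sent in the clear with every datagram) and the key-expiration and crash-recovery issues just listed, as an added example that is not Condor or CEDAR code. The slides use 3DES or Blowfish plus MD5 via OpenSSL; this example substitutes an HMAC-SHA256 keystream and an HMAC-SHA256 tag so it runs with the Python standard library, and the packet layout, the `SessionCache` class and the key lifetime are assumptions of the example.

```python
import hashlib, hmac, os, struct

# Added example, not Condor/CEDAR code. Stand-in primitives: keystream = HMAC-SHA256 in
# counter mode, integrity tag = HMAC-SHA256 (the slides use 3DES/Blowfish and MD5).
# Assumed datagram layout: key_id(4) | nonce(8) | encrypted body | tag(32).
TAG_LEN = 32

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + struct.pack(">I", c), hashlib.sha256).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SessionCache:
    """Each side caches the (ID, key) pairs obtained over the TCP key exchange."""
    def __init__(self, lifetime_s: float):
        self.lifetime, self.keys = lifetime_s, {}

    def install(self, key_id: int, key: bytes, now: float) -> None:
        self.keys[key_id] = (key, now + self.lifetime)   # key expiration handled by age

    def lookup(self, key_id: int, now: float):
        key, expiry = self.keys.get(key_id, (None, 0.0))
        if key is None or now >= expiry:                  # unknown or expired: re-key over TCP
            self.keys.pop(key_id, None)
            return None
        return key

def seal(cache: SessionCache, key_id: int, payload: bytes, now: float) -> bytes:
    key = cache.lookup(key_id, now)
    if key is None:
        raise KeyError("no valid session key; run the TCP key exchange first")
    head = struct.pack(">I", key_id) + os.urandom(8)      # the key Id travels in the clear
    body = _xor(payload, _keystream(key, head[4:], len(payload)))
    return head + body + hmac.new(key, head + body, hashlib.sha256).digest()

def open_packet(cache: SessionCache, packet: bytes, now: float):
    """Return (key_id, payload), or None when the datagram must be dropped."""
    if len(packet) < 12 + TAG_LEN:
        return None
    key_id = struct.unpack(">I", packet[:4])[0]
    key = cache.lookup(key_id, now)                       # datagrams may come from any source
    if key is None:
        return None                   # unknown ID (e.g. peer crashed and re-keyed) or expired key
    head, body, tag = packet[:12], packet[12:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, head + body, hashlib.sha256).digest()):
        return None                                       # tampered, or encrypted under another key
    return key_id, _xor(body, _keystream(key, head[4:], len(body)))
```

A receiver that gets None for an unknown or expired Id is the point at which the sender must be driven back through the TCP authentication and key exchange, which is what makes the crash-recovery case recoverable without any UDP state.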

Status Summary
› Strong authentication
   Support multiple protocols
› User-based authorization
› Encryption for both TCP and UDP
› Integrity check for both TCP and UDP

Future Work
› Grid-related work
   Science Grid, PPDG … related work
   Community Authorization Service (CAS)
› Credential-related
   Expiration, refresh, delegation
   MyProxy
› More work on authorization
   SPKI/SDSI, ClassAd

Questions?
› Demo on Wednesday
   Room 3397, CS Building, 9am – noon
› More about Condor  
› Talk to us: Zachary Miller, Todd Tannenbaum, Miron Livny, Hao Wang