Preliminary Conclusions VO Box Task Force GDB Meeting 5 april 2006.


Presentation transcript:

Preliminary Conclusions VO Box Task Force GDB Meeting 5 april 2006

J. Templon, Nikhef Amsterdam, Physics Data Processing Group
VO boxes, services, software, & security
Jeff Templon

Why this talk
- We made a big fuss about this in 2006
- Good example of why
- Some implications for VO sw security
- As well as VO traceability (cf. current discussion)
VO sw security, GDB January 2015

VO Box Priorities, C. Loomis, 7 June: Classification of VO Services
- Class 1:
  ◦ Can access site's services (and work correctly) from a private network (i.e. does not need to live within the trusted subnet of a farm).
  ◦ Uses only service APIs/interfaces which are exposed to the external world past the site's firewall.
- Class 2:
  ◦ Uses 'private' interfaces to access information/services at the site (i.e. not exposed to those beyond the site's firewall).
  ◦ Essentially this is anything which is not a Class 1 service.

Heart of the problem
- VO service authors write, install and maintain services. No site control or overview.
- If the box can live in a separate network, no problem. Hacked?
  ◦ Wipe the box
  ◦ Reinstall from scratch
  ◦ Say "here ya go" to the VO
- If the box has to live inside the trusted subnet, it is a huge forensic task to see whether a breach has occurred.

VO Box
- Used to have a class 2 service. Not anymore: moved to the vobox network.
- Port scan revealed a vulnerable service listening.
- Because we had it in the class 1 network:
  ◦ Limit exposure through firewalling, but leave it functional and running for a while
  ◦ Once fixed: wipe the box & return it to the VO
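An added example, not from the slides: a small site-side check in the spirit of the two slides above. It lists listeners on a VO box that the VO never declared as exposed (the situation the port scan turned up), and expresses the Loomis Class 1 / Class 2 rule as a function of which subnets a service depends on. The `ss -ltnp` output, process names, port list and subnet are all constructed for the example.

```python
"""Audit a VO box's listeners and classify its services (added example, constructed data)."""
import ipaddress
import re

# Constructed sample in the layout of `ss -ltnp` on a hypothetical VO box.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
LISTEN 0      128    0.0.0.0:8443        0.0.0.0:*         users:(("vo-agent",pid=2044,fd=5))
LISTEN 0      50     0.0.0.0:8649        0.0.0.0:*         users:(("gmond",pid=954,fd=6))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=1302,fd=10))
"""

# LISTEN <recvq> <sendq> <addr>:<port> <peer> users:(("<process>",...
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return (address, port, process) for every LISTEN line; strips IPv6 brackets."""
    found = []
    for line in ss_output.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1).strip("[]"), int(m.group(2)), m.group(3)))
    return found


def unexpected_listeners(ss_output, declared_ports):
    """Listeners reachable beyond loopback that the VO did not declare.

    This is the list a site would hand to the VO (or firewall off) after a scan.
    """
    return [
        (addr, port, proc)
        for addr, port, proc in parse_listeners(ss_output)
        if not ipaddress.ip_address(addr).is_loopback and port not in declared_ports
    ]


def classify(dependencies, private_subnets):
    """Loomis' rule: a service that needs anything inside the site's private
    (non-exposed) subnets is Class 2; one that only talks to interfaces exposed
    past the firewall is Class 1. Assumes private_subnets lists those subnets."""
    nets = [ipaddress.ip_network(n) for n in private_subnets]
    for dep in dependencies:
        if any(ipaddress.ip_address(dep) in net for net in nets):
            return 2
    return 1
```

Running `unexpected_listeners(SAMPLE_SS, {22, 8443})` on the constructed sample flags only the undeclared `gmond` listener on 8649; the loopback-only `mysqld` is left alone.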

Counterexample: ATLAS N2N service
- Is class 2 by design ... has to see the SE namespace
- Vulnerability found: service immediately shut down
- Restarted only when a fix was provided

Who checks VO sw?
- How many people potentially can add software to CVMFS repos?
- What security measures are there (also in checking / patching sw in CVMFS)?
- If a VO deploys software for which trust is relevant beyond "VO boundaries", some rigor is needed.
- It should be well-defined what is, and is not, covered or assured.

Moving Traceability to VO
- Discussion about dropping glexec et al. and mapping all VO activities at a site to a single "VO user", since "the VO knows who the real users are"
- If VOs distribute vulnerable software providing network services, can we really trust them to handle all user traceability?
- Suggest any new services requiring substantial trust at site level be audited.