David Kelsey CCLRC/RAL, UK


1 David Kelsey CCLRC/RAL, UK d.p.kelsey@rl.ac.uk
EGEE/LCG Joint Security Group
EGEE Middleware Security Group meeting
CERN, 17 June 2004
17-Jun-04 D.P.Kelsey, Joint Security Group

2 Overview
What is the Joint Security Group?
Grid security warning
(Draft) Guide to Application & Network Security
EGEE Site Security requirements

3 The EGEE/LCG Joint Security Group
Merger of old LCG Security Group (presented at MWSG1) and the new EGEE SA1 Site Security Group
Agreed by EGEE SA1 leader and LCG GDB in May 2004
One group with two roles
  Advises the LCG GDB on security policy, operational and procedural issues.
    LCG GDB makes decisions for LCG
  Advises EGEE (SA1) on security policy etc. for EGEE and input to EGEE MWSG
    No equivalent (yet?) of LCG GDB
JSG is not responsible for security middleware and tools development, selection etc. (EGEE JRA3 and MWSG)
EU pushing for common policy for the whole of EU eScience
  aim to make all of JSG policy documents “general”
Establish strong links between JSG and OSG Security to encourage/facilitate global interoperability.

4 Meetings, web etc.
Recent Joint Security Group meetings
  19 May & 4 June 2004
  Next meeting: 1 July 2004
Agenda, presentations, minutes etc
Joint Security Group Web site

5 LCG SEC Membership
Experiment representatives/VO managers
  Alberto Masoni, ALICE
  Anders Waananen, ATLAS
  David Stickland, Greg Graham, CMS
  Joel Closier, LHCb
Site Security Officers
  Denise Heagerty (CERN), Dane Skow (FNAL)
Site/Resource Managers
  David Groep (NIKHEF) (& middleware expert)
  Dave Kelsey (RAL) - Chair
Security middleware/tools experts
  Roberto Cecchini (INFN), Tanya Levshina (FNAL)
CERN LCG team
  Ian Neilson (LCG Security Officer)
  Maria Dimou
Non-LHC HEP experiments/Grids
  Bob Cowles (SLAC)

6 JSG membership
Need to expand to cover non-LCG sites and non-HEP applications
  E.g. Biomedical
Volunteers? Suggestions?
Mail list
Change name?
Open or closed?

7 LCG Security warning
Growing interest in Grid
  TeraGrid attack
  Article in New Scientist magazine (22 May)
  “Hacking the Grid” Talk at 2600 hacker conference (9-11 July)
An attack is inevitable!
All sites need to be aware
  Keep each other informed via the Security Contacts list
  Follow LCG Incident Response procedures
  Important role for GOC
Warning sent to all security contacts on 10th June
Planning to test security procedures (LCG service challenges)

8 Guide to LCG Application & Network Security
The final document in the set of LCG policy and procedures
V1.4 (7th June) now being discussed by LCG GDB
Main author: Ian Neilson (LCG Security Officer)
Aim
  It is a Guide and not Policy
    but GDB may insist that it is Policy
  Guide choices in design, planning and deployment of LCG Grid services
  Identify key areas of best practice
BUT, it contains important recommendations for deploying a secure production Grid
  Important for GDB to approve the Guide

9 Guide: Application and Service Development
LCG expects development processes that
  Support adequate and documented treatment of security
E.g. Current misalignment
  IP connectivity from anywhere to anywhere
    Incoming: weakens site
    Outgoing: distributed DOS
Current firewall requirements in Appendix B
  LCG Security Group considers these inappropriate for a production Grid
  Application developers MUST NOT rely on the current settings – not a minimal set

10 Some recommendations (development)
Design and development process
Coding practice
Communications security
  Authentication
  Encryption
  Use existing protocols
Functional security
  Authorization
  Degrade and fail gracefully
  Logging
  Avoid leakage of information

11 Application and Service Deployment
LCG expects security instructions in documentation
Evaluate risks
Establish clear network access control policy
Apply configuration management and automate
Keep systems patched for security updates
Configure and retain audit logs

12 EGEE Site Security Requirements
Other important input (both on agenda page)
  Network & Applications Security Guide
  the GGF Site AAA requirements guide

13 “Top 10” security requirements (not in priority order)
Sites in control of local security policy
Audit/track at individual user level
Sites control local AuthZ policy
Authorize, limit or forbid IP connectivity
Hooks/logging for intrusion detection
Consistent and appropriate audit logs
Development and deployment of secure middleware
Able to cope with distributed AuthZ (user, VO, site)
Shutdown and restart services gracefully
Robust VO and user registration tools (procedures)
See document on agenda page for more details

14 Some feedback from LCG sites
Is there a plan to investigate/use SELinux?
Or look at security features of Linux kernel 2.6?
List of current LCG-2 security problems

