Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security and the Grid … or how I learned to stop worrying and love The Grid. Dane Skow Fermilab Computer Security Awareness Day 8 March 2005.

Published byArline Lang Modified over 8 years ago

Similar presentations

Presentation on theme: "Computer Security and the Grid … or how I learned to stop worrying and love The Grid. Dane Skow Fermilab Computer Security Awareness Day 8 March 2005."— Presentation transcript:

1 Computer Security and the Grid … or how I learned to stop worrying and love The Grid. Dane Skow Fermilab Computer Security Awareness Day 8 March 2005

2 Grid, grid(s), and more grids No commonly accepted definition of a grid. –Grid: New function parallel to Web noosphere –grid: Particular instance of a internally consistent grid. Parallels Internet being network of networks FNAL participates in Grid at many different levels –Open Science Grid (OSG) –LHC Computing Grid (LCG) –Particle Physics Data Grid (PPDG) –FermiGrid –SAMGrid Resources may participate in multiple grids

3 Why allow Grids ? To get the work done Better integration host lab and remote resources Facilitate resource sharing among larger communities Establish common standards for use of services There’s nothing in the Grid that users can’t (and aren’t ) already do independently. Faith that facilitating this leads to innovation and improvement

4 Four Pillars of (Grid) Security Identity (DN or public key) –Isolation –Traceability Authentication (TLS handshake) –Prevent Identity Theft Authorization (gridmapfile or Globus+OGSA-AuthZ+Services) –Access Control –Resource Control Audit (logfiles) –Troubleshooting –Forensics –Accounting

5 Identity Needs globally unique name –Cert (or DN) is managed namespace /etc/grid-security/certificates lists trusted CAs /etc/grid-security/xxxxxxxx.signing_policy files are tool for this –Public keys statistically unique Granularity of identity under debate –Process level ? –Human vrs. Agent moderated ?

6 Authentication Openssl is your friend Debate over scope of authentication –Session level –.1 Msec ≈ 1 day –1 Msec ≈ AFS token lifetime –10-100 Msec ≈ account revalidation lifetime Privacy is serious concern

7 Authorization Gridmapfile is default at /etc/grid- security/grid-mapfile Authorization callouts at /etc/grid- security/gsi-authz.conf Expression and interpretation of policy by 3rd parties is TBD

8 Audit No common standard or requirement yet. Rely on local expertise and experience to guide Not clear what tools are useful/needed

9 Putting it all together VOMS Attribute Server (push - user,VO) AuthZ Provisioning (Site, eg. GUMS, Resource) AuthZ Access Control (VO - eg. RB, Site - eg.SAZ, Resource) 3rd party authN Grid Resource Management of ACLs ACLs on Resource Object AuthZ Policy Engine

10 Incident Response Identify –Requester identity (full cert preferred) –Requesting IP address –Requesting identity (full cert preferred) Contain –Local action first priority –Now frequently requires coordinated action –FCSC Alert grid incident response channel Explain –Need to identify thresholds of investigation (wipe vrs investigate decision) Respond –Authorization is “big stick”, not network directly

11 Vulnerability Assessment Troubles of new software/ideas –Exploit of software vulnerabilities –Configuration errors –Logic errors All the same old stuff only more so –Inventory attacks (worms) –Broad authentication cells Explicit, not just shared/sniffed passwords –Trojan applications and system software

12 Forensics New services –Gatekeeper is port 2119 TCP –GSIftp (aka Gridftp) is port 2811 TCP –Various monitoring/directory services Grid Service logs –GLOBUS_LOCATION default is /usr/local/grid/globus –Gatekeeper log is at $GLOBUS_LOCATION/var/globus- gatekeeper.log –GridFTP log is at $GLOBUS_LOCATION/var/gridftp.log

13 Authorization Services SAZ at FNAL –Site AuthoriZation service –Provides single point access control –Offloads CRL maintenance from servers GUMS identity mapping –Grid Identity is X509 SubjectName and Issuer –Local Identity is uid (resource scope) –Kerberos/AFS not mapped (site scope) Local Service authorization may do provisioning

14 Forensics (cont’d) System tools –Same as before Grid tools –Non-existent –Not clear what can/should be automated –Need to involve VO in most investigations

15 Roles and Responsibilities FCIRT continues as FNAL Incident Response Team Site Autonomy –Focus on local defense first –Second priority contain damage Now include consideration of Grid partners in assessment Coordinate with others using OSG Incident Response Plan –Currently in effect for OSG –Adopted as new model for LCG. Migrating.

16 Roles and Responsibilities Notification –Notification infrastructure to support adhoc and best effort collaboration on incident response. –Issues: Skill level and tolerance vary widely Reasonable response expectations need to be developed –Likely that some contention will occur while level-setting is achieved.

17 Recommended Reading SSL and TLS Essentials, Stephen Thomas OSG Incident Response Plan –http://computing.fnal.gov/docdb/osg_documents/0000/ 000019/002/OSG_incident_handling_v1.0.pdfhttp://computing.fnal.gov/docdb/osg_documents/0000/ 000019/002/OSG_incident_handling_v1.0.pdf LCG Security Policy Documents –http://proj-lcg-security.web.cern.ch/proj-lcg- security/documents.htmlhttp://proj-lcg-security.web.cern.ch/proj-lcg- security/documents.html Globus Documentation –http://www-unix.globus.org/toolkit/docs/3.2/index.htmlhttp://www-unix.globus.org/toolkit/docs/3.2/index.html

18 Questions ??

Download ppt "Computer Security and the Grid … or how I learned to stop worrying and love The Grid. Dane Skow Fermilab Computer Security Awareness Day 8 March 2005."

Similar presentations

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.

Dec 14, 20061/10 VO Services Project – Status Report Gabriele Garzoglio VO Services Project WBS Dec 14, 2006 OSG Executive Board Meeting Gabriele Garzoglio.
Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.

Role Based VO Authorization Services Ian Fisk Gabriele Carcassi July 20, 2005.
Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.

Site Authorization Service (SAZ) at Fermilab Vijay Sekhri and Igor Mandrichenko Fermilab CHEP03, March 25, 2003.
Improving Cybersecurity Through Research & Innovation Dr. Steve Purser Head of Technical Competence Department European Network and Information Security.

Improving Cybersecurity Through Research & Innovation Dr. Steve Purser Head of Technical Competence Department European Network and Information Security.
CMS Applications Towards Requirements for Data Processing and Analysis on the Open Science Grid Greg Graham FNAL CD/CMS for OSG Deployment 16-Dec-2004.

CMS Applications Towards Requirements for Data Processing and Analysis on the Open Science Grid Greg Graham FNAL CD/CMS for OSG Deployment 16-Dec-2004.
Security Q&A OSG Site Administrators workshop Indianapolis August 6-7 2009 Doug Olson LBNL.

Security Q&A OSG Site Administrators workshop Indianapolis August Doug Olson LBNL.
Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.

Implementing Finer Grained Authorization in the Open Science Grid Gabriele Carcassi, Ian Fisk, Gabriele, Garzoglio, Markus Lorch, Timur Perelmutov, Abhishek.
Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester

Andrew McNab - EDG Access Control - 14 Jan 2003 EU DataGrid security with GSI and Globus Andrew McNab University of Manchester
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006 www.opensciencegrid.org.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April
May 9, 2008 Reorganization of the OSG Project The existing project organization chart was put in place at the beginning of 2006. It has worked very well.

May 9, 2008 Reorganization of the OSG Project The existing project organization chart was put in place at the beginning of It has worked very well.
1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.

1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org JRA3 2 nd EU Review Input David Groep NIKHEF.

INFSO-RI Enabling Grids for E-sciencE JRA3 2 nd EU Review Input David Groep NIKHEF.
Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.

Open Science Grid Use of PKI: Wishing it was easy A brief and incomplete introduction. Doug Olson, LBNL PKI Workshop, NIST 5 April 2006.
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
Computing and Data Infrastructure for Large-Scale Science Deploying Production Grids: NASA’s IPG and DOE’s Science Grid William E. Johnston

Computing and Data Infrastructure for Large-Scale Science Deploying Production Grids: NASA’s IPG and DOE’s Science Grid William E. Johnston
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.

CSE 4482, 2009 Session 21 Personal Information Protection and Electronic Documents Act Payment Card Industry standard Web Trust Sys Trust.
PPDG for CHEP031 Results of PPDG Site Requirements on AAA Project Dane Skow Robert Cowles PPDG SiteAAA Project CHEP03 March 25, 2003 PPDG Work Supported.

PPDG for CHEP031 Results of PPDG Site Requirements on AAA Project Dane Skow Robert Cowles PPDG SiteAAA Project CHEP03 March 25, 2003 PPDG Work Supported.

Similar presentations

Ads by Google