Presentation is loading. Please wait.

Presentation is loading. Please wait.

Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid.

Published byMervyn Webster Modified over 8 years ago

Similar presentations

Presentation on theme: "Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid."— Presentation transcript:

1 Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia scholia@lbl.gov NERSC Division, Lawrence Berkeley Lab Open Source Grid and Cluster Conference May 15th, 2008

2 Information Collection in Grids To create a successful and functional grid you need to collect information from sites Grid infrastucture must publish collected information and make it available to interested parties We want to analyze the vectors of information collection –Systems publishing/collecting information –Type of information being gathered –Methods of data protection applied to this information

3 Focus on Open Science Grid What is the Open Science Grid? –Virtual Facility providing distributed compute and storage resources –Comprised of VOs and their Users + Resource Providing Sites + OSG Infrastructure Providers –Broad range of sites - small universities to large national labs –Must have flexible infrastructure to meet diverse site/VO requirements –Information collection and publishing coordinated by Grid Operations Center (GOC) NERSC/LBL heavily involved in OSG Our study started out as a recommendation report for OSG, but many of the results applicable to other grids

4 Information Being Published Resource Selection Information Monitoring Accounting Troubleshooting Log Files Site Availability information Site Validation

5 Information Collection Systems in OSG GIP/CEMon Gratia Syslog-NG RSV site_verify Monalisa Others?

6 CEMon Periodically queries Compute Element state Publishes CE information as GIP attributes Information made public through BDII and ReSS Condor Class-Ads Used for resource selection queries

7 CEMon Sensitive Info Operating System version info Underlying jobmanager Internal System Paths Authentication Method All this is necessary for a successful grid query BUT: Site must understand that info is public May want to restrict level of detail to avoid a “Google hack”

8 Gratia OSG Accounting System Sites install local probes that report job/storage usage records to collector Information published through web interface Web interface supports custom SQL queries

9 Gratia - Sensitive Info User DN and local account names Job Information Risks: Users may consider job information private. If DN (or password) is compromised, it becomes very easy to discover other sites supporting the same DN.

10 Syslog-NG Collects grid log files at a central collector Centralized Log Collection –Troubleshooting distributed grid workflows –Security Incident Response eg. where was a compromised DN used Queriable database backend Tiered architecture

11 Syslog-NG Risks Log files are sensitive! Most sites want to limit access to these. –Internal system info - may expose vulnerabilities –Detailed user, software info and failure modes May not want to make these available to grid infrastructure providers –No longer under site control Tiered architecture design allows sites to set up local collectors that can filter and forward limited information to the grid

12 Monalisa Publishes –resource availability –load information –Performance information Public web interface. Very useful for querying the “state of the grid” at a high level. BUT May be used to target overloaded sites for DoS

13 RSV and Site-Verify Probes run by grid infrastructure to verify site capabilities and report on site availability –Verifies information published by CEMon –Publishes results online (VORS) Risks: Same risks as CEMon info Additionally, historical data is available - may be able to trace downtimes (when system is in transitional state).

14 Summary of Sensitive Info Account Names, User DNs (VORS, Gratia) Failure Modes, Security Related Details (Syslog-NG) Historical System Availability (VORS) System Load (MonALISA) Application Names, Internal Paths (Gratia, CEMon) Software Levels (CEMon)

15 Security Risks Gratia - public interface to Gratia DB –Track user activity on a site –Rival project can discover job information –In case of compromised cert/account, query DB for other sites with same account Syslog-NG –Internal failure modes, other logging details available to non- site personnel –Security incident details no longer private CEMon/VORS –List of valid user accounts, DNs made public –Software levels, Authn method public - possible “Google Hack” –Historical archive of system info (may be able to target recurring downtimes) MonALISA –System Load Info - DoS attack during high load

16 Data Protection (for Sites) Turn down logging in Syslog-NG to minimal level –Start-stop times, User DN info –Increase level for troubleshooting Customize probes to meet site requirements. –Only publish necessary information –Be AWARE of what is going out!! Modify GIP attributes –Override or Modify attributes as necessary Mask sensitive data –Use generic VO names instead of local account names Site level collectors –Review and filter, before forwarding to OSG Choose secure/encrypted publication channels

17 Suggestions for OSG Authenticated access to information services –Use GSI certs within browser to authenticate user –Limit access based on VO Consolidate services where possible –Minimize information streams publishing the same data –Teragrid INCA as a model? Use encrypted SSL based communication for ALL information streams –https, GSI etc. Use “robots.txt” to prevent web caching Authenticate probes using GSI hostcerts to prevent bogus information.

18 Conclusions Not a replacement for hard security policies –Must fix and patch software regularly –Internally monitor systems Sites should have more flexibility and control over published information OSG should consider limiting public access to user/VO based access

Download ppt "Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
FP7-INFRA-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.

FP7-INFRA Enabling Grids for E-sciencE EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.
Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.
The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim

The EPIKH Project (Exchange Programme to advance e-Infrastructure Know-How) gLite Grid Services Abderrahman El Kharrim
A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.

A Model for Grid User Management Rich Baker Dantong Yu Tomasz Wlodek Brookhaven National Lab.
Grid Services at NERSC Shreyas Cholia Open Software and Programming Group, NERSC NERSC User Group Meeting September 17, 2007.

Grid Services at NERSC Shreyas Cholia Open Software and Programming Group, NERSC NERSC User Group Meeting September 17, 2007.
OSG Logging Architecture Update Center for Enabling Distributed Petascale Science Brian L. Tierney: LBNL.

OSG Logging Architecture Update Center for Enabling Distributed Petascale Science Brian L. Tierney: LBNL.
Sergey Belov, Tatiana Goloskokova, Vladimir Korenkov, Nikolay Kutovskiy, Danila Oleynik, Artem Petrosyan, Roman Semenov, Alexander Uzhinskiy LIT JINR The.

Sergey Belov, Tatiana Goloskokova, Vladimir Korenkov, Nikolay Kutovskiy, Danila Oleynik, Artem Petrosyan, Roman Semenov, Alexander Uzhinskiy LIT JINR The.
SCD FIFE Workshop - GlideinWMS Overview GlideinWMS Overview FIFE Workshop (June 04, 2013) - Parag Mhashilkar Why GlideinWMS? GlideinWMS Architecture Summary.

SCD FIFE Workshop - GlideinWMS Overview GlideinWMS Overview FIFE Workshop (June 04, 2013) - Parag Mhashilkar Why GlideinWMS? GlideinWMS Architecture Summary.
Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.

Lesson 8-Information Security Process. Overview Introducing information security process. Conducting an assessment. Developing a policy. Implementing.
Storage Security and Management: Security Framework

Storage Security and Management: Security Framework
MyOSG: A user-centric information resource for OSG infrastructure data sources Arvind Gopu, Soichi Hayashi, Rob Quick Open Science Grid Operations Center.

MyOSG: A user-centric information resource for OSG infrastructure data sources Arvind Gopu, Soichi Hayashi, Rob Quick Open Science Grid Operations Center.
Rsv-control Marco Mambelli – Site Coordination meeting October 1, 2009.

Rsv-control Marco Mambelli – Site Coordination meeting October 1, 2009.
SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University.

SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University.
OSG Operations and Interoperations Rob Quick Open Science Grid Operations Center - Indiana University EGEE Operations Meeting Stockholm, Sweden - 14 June.

OSG Operations and Interoperations Rob Quick Open Science Grid Operations Center - Indiana University EGEE Operations Meeting Stockholm, Sweden - 14 June.
Introduction on R-GMA Shi Jingyan Computing Center IHEP.

Introduction on R-GMA Shi Jingyan Computing Center IHEP.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
Mark L. Green, Ph.D. Grid Computational Scientist Monitoring and Information Services Architecture and Deployment University at Buffalo The State University.

Mark L. Green, Ph.D. Grid Computational Scientist Monitoring and Information Services Architecture and Deployment University at Buffalo The State University.
Summary of Accounting Discussion at the GDB in Bologna Dave Kant CCLRC, e-Science Centre.

Summary of Accounting Discussion at the GDB in Bologna Dave Kant CCLRC, e-Science Centre.
A.Guarise – F.Rosso 1 Enabling Grids for E-sciencE INFSO-RI-508833 Comprehensive Accounting Views on large computing farms. Andrea Guarise & Felice Rosso.

A.Guarise – F.Rosso 1 Enabling Grids for E-sciencE INFSO-RI Comprehensive Accounting Views on large computing farms. Andrea Guarise & Felice Rosso.

Similar presentations

Ads by Google