Fermilab / FermiGrid / FermiCloud Security Update Work supported by the U.S. Department of Energy under contract No. DE-AC02-07CH11359 Keith Chadwick Grid.

Presentation transcript:

Fermilab / FermiGrid / FermiCloud Security Update
Work supported by the U.S. Department of Energy under contract No. DE-AC02-07CH11359
Keith Chadwick, Grid & Cloud Computing Department, Fermilab

About Keith Chadwick
Fermilab employee for 25+ years,
  – Started as a VAX/VMS system administrator & code management for the CDF collaboration.
Head of the Grid and Cloud Computing Department at Fermilab,
  – FermiGrid Project Leader,
  – FermiCloud Project Sponsor.
Serve on the Fermilab Computer Security Policy Board & the Fermilab Network Design Task Force,
Up until March 2012 – Served as the Deputy Head of the Fermilab Computer Incident Response Team.
17-Sep-2012, EGI TF CSIRT Meeting

About FermiGrid
FermiGrid = Fermilab Campus Grid + operation of the central services used to implement the Fermilab Campus Grid,
Currently have 7 Grid clusters (1 x CDF, 1 x CMS, 4 x D0, 1 x GP) with > 24K job slots,
Services include GUMS (Grid User Mapping Service), SAZ (Site AuthoriZation) Service, Squid, MyProxy, etc.
Services provided in a distributed highly available architecture (two sites separated by ~1.6 km).
Strongly “encourage” that all logs are sent to the central security logging service.
FermiGrid members are available to assist with incident response.
FermiGrid operates in the Open Science Environment (formerly Enclave), with a different security baseline than the remainder of the Fermilab General Computing Environment.


FCC and GCC
[Figure labels: FCC, GCC]
The FCC and GCC buildings are separated by approximately 1 mile (1.6 km).
FCC has UPS and Generator. GCC has UPS.
25-Apr-2012, Business Continuity at Fermilab

About FermiCloud
A private IaaS cloud operated at Fermilab based on OpenNebula with X.509 credential based authentication.
Used by:
  – Fermilab Grid and Cloud computing personnel (service development, testing, integration, hardening, etc.),
  – Open Science Grid for development of the OSG software distribution,
  – Used for “low impact” production services,
  – Tests have shown that it can support HPC code development,
Will be used to support Fermilab 100 Gigabit/second network testing and join the Fermilab and ESnet 100 Gigabit/second network.

Fermilab Incident Response
Due to the changing nature of the incident response, the incident response coordination duties are now handled by members of the Fermilab Computer Security Team.
Most incidents today are “routine” infections of laptops/desktops.
They are identified by well defined “triggers” based on network and anti-virus monitoring, and occasional external reports.
These incidents are handled through well defined “deskside” support procedures (up to and including “wipe and reinstall from known good media”).
Knowledgeable members of the Fermilab community (such as FermiGrid/FermiCloud administrators) are available to be conscripted as part of any incident response.

WLCG 2012 Security Challenge
Apparently did not include CMS T1 at Fermilab…

Recent Grid Incidents
User “1” submitted a bunch of misbehaving jobs and left on travel…
User “2” submitted a bunch of misbehaving jobs and did not check them over the weekend…
VO “A” submitted a bunch of misbehaving jobs…
In all of the above cases, we used our Site AuthoriZation (SAZ) service capability to “ban” the user/VO until they claimed that they had fixed their jobs and we verified that the jobs were really fixed.

OSG CA Transition
DOEgrids CA will be ending operation in mid 2013,
OSG has signed a contract with DigiCert to provide CA services to OSG members,
Tools have been revised/upgraded/enhanced to deal with DigiCert,
Will be released as part of late September/mid October OSG software package.

Thank You! Any Questions?