EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Security - the Grid View The Good, the Bad.

Presentation transcript:

Security - the Grid View: The Good, the Bad and the Ugly
e-IRG Workshop, Zurich, April 24, 2008
Christoph Witzig

Content
– Introduction
– Technical Side
– Organizational Side
– The road ahead

Introduction (1/2)
– Security is the condition of being protected against danger or loss (source: Wikipedia)
– Counter measures (technical and organizational measures):
  – Good walls
  – Good soldiers
– Grids: sharing of resources across administrative domains --> easy and open access vs danger and loss

Introduction (2/2)
– Google on "Grid Security" yields:
  – GSI = Grid Security Infrastructure: certificates, mutual authentication, confidential communication, private keys, delegation, single sign-on
  – Technical view
– No standards on Grid security organization!
  – EGEE security coordination group

Technical Side

Grid Security Model (GSI) (1/2)
(Diagram of the job submission path: Resource Broker, Computing Element (CE), Worker Nodes; credentials shown: X.509 proxy, X.509 with VOMS AC carrying the VO attributes)

Grid Security Model (GSI) (2/2)
– Issuance of long-lived certificates
  – Revocation of certificates
– Use of proxy certificates
  – Needed for delegation!
  – Private key together with proxy certificate
  – Short lifetime
  – Need to be renewed
– Grid services perform authentication and authorization of users
  – Authorization policies not standardized, often inconsistently published

Summary Technical Side
– Very successful --> basis on which existing Grid infrastructures have been built
– Based on certificates
  – advantages and disadvantages
– Use of proxies for delegation

Organizational Side

Use Case 1
1. A system administrator of the IT services discovers during a regular check at his site that a Grid resource in a temporary test-bed has been compromised (e.g. sshd). The resource was installed and maintained by a user group in a department of the university.
2. Site security officer is informed
   1. National CERT and OSCT are informed (over restricted mailing lists)
3. OS reinstallation, host (and user) certificate revocation
4. All hosts maintained by this user group are checked:
   1. Accounts have been compromised
   2. Weak passwords are found
   3. Incoming SSH connections are possible on pool accounts
   4. Firewall rules needed cleanup
5. User group receives additional training by the local CERT team
6. OSCT takes this incident as an example at their next training session at the EGEE forum
Outcome: One weak spot in the Grid was fixed and lessons learnt.

Use Case 2
1. Local site administrator discovers by pure chance a vulnerability in a script on a Grid resource. He mentions it to a colleague, who mentions it over coffee to the local CERT.
2. The CERT member (not a Grid specialist himself) asks another colleague to post a mail on the MSWG mailing list.
3. A discussion starts whether this is a "bug or a feature", i.e. poor scripting or a site security issue.
4. Key person is on vacation - nothing happens.
5. OSCT insists on quick action: warnings are given to Grid site security personnel. Script is modified, tested, certified and released.
6. A bug in the script is discovered while it is being installed in the entire Grid --> back to step 5.
Outcome: Long, painful and inefficient resolution of a simple problem.
Conclusion: Efficient organization is key for success.

EGEE Security Organization
Security in EGEE-III: 440 PM
(Organization chart)
– JRA1 / Security
– Middleware Security Group
– Grid Security Vulnerability Group
– Joint Security Policy Group
– EUGridPMA
– Operational Security Coordination Team

Middleware Security Group
– Meeting place for security architects and security-related groups
– Co-chaired by EGEE and OSG
– Longer-term middleware issues as well as short-term important issues
– Challenges:
  – Transition from ideas into implementations
  – Stronger interaction between middleware and site security specialists
    – Emphasis for EGEE-III

Grid Security Vulnerability Group
– Purpose:
  – Find and eliminate any Grid Security Vulnerabilities in the Grid middleware and its deployment, and prevent any new Grid Security Vulnerabilities from being introduced
– Eliminating vulnerabilities by handling specific issues
  – Most of the work done so far is in this area
  – Grid Security Vulnerability issues may be reported by anyone
  – Or may come as a result of code walkthroughs or security testing and reviews
  – Since start of activity 133 issues submitted, currently 55 open issues
  – Detailed process described at:
  – Advisories at:
– Prevention of the introduction of new vulnerabilities
  – Education: developer guidelines and checklist
  – Plan to further develop this area in EGEE-III

Joint Security Policy Group
– Prepare and maintain security policies for EGEE and WLCG
  – And advise on any security matter
– Aim for simple, general and interoperable policies of use to many Grids
  – To allow VOs to easily use resources in multiple Grids
– Joint effort by EGEE and WLCG
  – With strong participation by OSG, NDGF and others
– Policy documents on:
  – General Grid Security
  – Acceptable Use
  – Site Operations
  – VO Operations
  – User, Site and VO registration
  – Traceability and Logging
  – Security Incident response
– Aim for EGEE-III: involve more NGIs

EUGridPMA
– Coordination of the (PKI-based) trust fabric for e-Science Grid authentication in Europe
– Collaboration with peer organizations in America and Asia (IGTF)
– Basis for the guidelines on the accreditation procedure and profiles for CAs
– Distribution of CA root certificates

Operational Security Coordination Team
– Operational response to security threats against the EGEE infrastructure
  – Focus on computer security incident handling
  – Providing reporting channels (OSCT -> ROC -> site)
  – Pan-regional coordination and support
  – Security monitoring
  – SSC: Security Service Challenge
  – Best practice and advice for Grid system administrators
    – Training
– Much needed feedback for middleware developers

EGEE Framework
(Diagram)

The road ahead (personal view)

The Road Ahead … (1/3)
1. Security threats will only increase
  – It's all about money!
  – e-Science must not assume that it will not be a target
(Chart; source: Symantec)

The Road Ahead … (2/3)
2. National Authentication and Authorization Infrastructures (AAI)
  – Based on federated identity
  – In CH: 80% coverage in higher education (220'000 accounts)
  – Opportunity for Grids to grow significantly beyond the existing user base

The Road Ahead … (3/3)
3. Increased collaboration in security between the Grid community and CERTs / NRENs
  – At institutional level
  – At national level
  – At international level

Conclusion
1. Technical and organizational measures must be combined to increase security
2. EGEE Security Organization as a model for security in Grid infrastructure
3. (Personal) Outlook:
   1. Federated identity offers the perspective of a large user community
   2. Increased collaboration between stakeholders in e-Science (Grid - CERT - NREN)
   3. Security challenges will only get bigger
Finale, "the good, the bad and the ugly": "there are two kinds of men: those with loaded guns and those who dig"

Q & A