WP4 Gridification Security Components in the Fabric overview of the WP4 architecture as of D4.2 for Gridification Task: David Groep

David Groep – WP4 gridification security components and D4.2

Fabric security components

- External ("Grid") components
  - issues relating to the three core Grid protocols (GRAM, GSIFTP, GRIP)
  - network issues (firewall admin, NAT)
  - fabric authorization interoperability (multi-domain, AAA, co-allocating)
- Internal components
  - authenticated installation services
  - secure bootstrapping services

WP4 Subsystems and relationships (D4.2)

[Diagram of the WP4 subsystems and their relationships; not reproduced in the transcript.]

Job submission protocol & interface

- Current design
  - Client tools connect to the gatekeeper
  - GRAM (attributes over HTTPS)
  - Gatekeeper does authentication, authorization and user mapping
  - RSL passed to the JobManager
- Identified design differences
  - authorization and user mapping are done too early in the process
- Identical components
  - Protocol must stay the same (GRAM)
  - Separation of JobManager (closer to the RMS) and GateKeeper will remain
- Issues:
  - scalability problems with many jobs within one centre (N jobmanagers)
  - authorization cannot take RMS state (budget, etc.) into account

Authorization and AAA

- Current design:
  - Authorization and user mapping are combined (see next slide)
  - Local site policy in authorization
- Identified design points
  - new component, taking concepts from generic AAA architectures
  - coordinate with the AuthZ group and GGF
- Identical components
  - towards generic AAA architectures/servers (LCAS will be like an ASM)
  - distributed AAA decisions/brokering
  - concepts from new SciDAC/SecureGRID/AAAARCH work
- Accounting framework yet to be considered…

Credential Mapping

- Current design:
  - Authorization and user mapping are combined
  - Gatekeeper map file with GridMapDir (on connection establishment)
  - Kerberos by external service (sslk5)
- Identified design points
  - move to later in the process (after the authorization decision)
  - Extend for multiple credential types…
- Identical components
  - gridmapdir patch by Andrew McNab
  - sslk5/k5cert service
- Issues in current design
  - mapping may be expensive (updating password files, NIS, LDAP, etc.)
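The three slides above (job submission, authorization, credential mapping) all make the same point: the gatekeeper should authorize first, with RMS state available to the decision, and only then perform the (expensive) mapping to a local account. The script below is an added illustration, not code from the WP4 project or these slides. It assumes the DN has already been authenticated by the gatekeeper's TLS handshake, uses constructed sample data (a grid-mapfile with a `.atlas` pool prefix as in the gridmapdir patch, a ban list, and a small file standing in for RMS budget state; the file names are assumptions), and leases pool accounts with the gridmapdir hard-link trick: each pool account is an empty file, a lease is a hard link named after the encoded DN, and a link count of 1 means "free". The DN encoding is a simplified version of what gridmapdir does.

```shell
#!/bin/sh
# Added example, not WP4 code: a gatekeeper-style pipeline in the order D4.2
# asks for (authenticate, then authorize with RMS state, then map the
# credential). The grid-mapfile, ban list and budget table are constructed
# sample data; the pool-account lease follows the gridmapdir hard-link idea.
set -eu

FABRIC="${FABRIC:-$(mktemp -d)}"
GRIDMAPFILE="$FABRIC/grid-mapfile"
GRIDMAPDIR="$FABRIC/gridmapdir"
BANFILE="$FABRIC/ban-users.db"        # assumed name: LCAS-style ban list
BUDGETFILE="$FABRIC/rms-budget.db"    # assumed name: stands in for RMS state

setup_fabric() {
  mkdir -p "$GRIDMAPDIR"
  # grid-mapfile lines: "DN" account; a leading dot (.atlas) marks a pool prefix
  cat > "$GRIDMAPFILE" <<'EOF'
"/O=ExampleGrid/OU=atlas/CN=Alice Example" .atlas
"/O=ExampleGrid/OU=atlas/CN=Bob Example" .atlas
"/O=ExampleGrid/OU=ops/CN=Carol Operator" gridops
EOF
  printf '%s\n' "/O=ExampleGrid/OU=atlas/CN=Bob Example" > "$BANFILE"
  printf 'atlas 12\nops 0\n' > "$BUDGETFILE"          # remaining CPU-hours per OU (constructed)
  for n in 1 2; do : > "$GRIDMAPDIR/atlas00$n"; done  # one empty file per pool account
}

gridmap_lookup() {  # DN -> account or .pool prefix; fails for an unknown DN
  awk -v dn="$1" -F'"' '$2 == dn { sub(/^[ \t]+/, "", $3); print $3; f = 1 } END { exit !f }' "$GRIDMAPFILE"
}

lcas_authorize() {  # $1 = DN, $2 = requested CPU-hours; 0 means the job may be accepted
  gridmap_lookup "$1" >/dev/null || { echo "lcas: unknown DN" >&2; return 1; }
  grep -Fxq -- "$1" "$BANFILE" && { echo "lcas: DN is banned" >&2; return 1; }
  # RMS state enters the decision here: the OU (VO) must still have budget for this request
  ou=$(printf '%s\n' "$1" | sed -n 's|.*/OU=\([^/]*\).*|\1|p')
  left=$(awk -v ou="$ou" '$1 == ou { print $2 }' "$BUDGETFILE")
  [ -n "$left" ] && [ "$left" -ge "$2" ] || { echo "lcas: no budget left for $ou" >&2; return 1; }
}

dn_encode() {  # gridmapdir-style link name: lowercase, reserved characters percent-encoded (simplified)
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed -e 's/%/%25/g' -e 's|/|%2f|g' -e 's/ /%20/g' -e 's/=/%3d/g'
}

nlink() { ls -ld "$1" | awk '{ print $2 }'; }   # hard-link count of a file

lcmaps_map() {  # $1 = DN -> prints the local account; leases a pool account when needed
  acct=$(gridmap_lookup "$1")
  case "$acct" in .*) ;; *) echo "$acct"; return 0 ;; esac   # static mapping, nothing to lease
  prefix=${acct#.}
  link="$GRIDMAPDIR/$(dn_encode "$1")"
  if [ -e "$link" ]; then   # already leased: the pool file is the other name of the same inode
    ino=$(ls -i "$link" | awk '{ print $1 }')
    find "$GRIDMAPDIR" -inum "$ino" ! -name "${link##*/}" -exec basename {} \;
    return 0
  fi
  for pool in "$GRIDMAPDIR/$prefix"*; do
    [ -f "$pool" ] && [ "$(nlink "$pool")" -eq 1 ] || continue   # link count 1 = free
    ln "$pool" "$link" 2>/dev/null || continue
    # two DNs racing for the same free account both succeed in ln; the loser sees a count of 3
    [ "$(nlink "$pool")" -eq 2 ] && { basename "$pool"; return 0; }
    rm -f "$link"
  done
  echo "lcmaps: no free $prefix pool account" >&2; return 1
}

gatekeeper_accept() {  # $1 = authenticated DN, $2 = CPU-hours; maps only after a positive decision
  lcas_authorize "$1" "$2" || return 1
  lcmaps_map "$1"
}

setup_fabric
gatekeeper_accept "/O=ExampleGrid/OU=atlas/CN=Alice Example" 4   # atlas001
gatekeeper_accept "/O=ExampleGrid/OU=atlas/CN=Alice Example" 4   # atlas001 again: the lease is stable
gatekeeper_accept "/O=ExampleGrid/OU=atlas/CN=Bob Example" 1 || echo "Bob refused before any mapping happened"
```

Because the mapping runs after `lcas_authorize`, a banned or over-budget DN never touches the gridmapdir, the password file or NIS/LDAP, which is exactly the cost the slide warns about. Releasing a lease is just removing the DN-named link; the pool file's link count drops back to 1.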

Local security service (FLIdS)

Non-critical for grid services, needed for intra-fabric security

- Current design:
  - Component is not a Grid component → not there
  - Technology ubiquitous (X.509 PKI)
- Identified design points
  - Policy-driven automatic service
  - policy language design (based on a generic policy language or ACLs)
- Identical components
  - PKI X.509 technology (OpenSSL)
  - used by GSI and HTTPS
- Issues:
  - mainly useful in untrusted environments (e.g., outside a locked computer centre)
  - prevents CA overloading…

Information Services (GriFIS)

- Current design:
  - MDS2.1: LDAP protocol with back-ends or F-Tree
  - Modular information providers
- Identical components
  - NO fundamental changes by WP4
  - GIS/Ftree and/or GMA/R-GMA or …
  - Just more information providers
  - Correlators between RMS, Monitoring and CDB (internal WP4 components)
- Design issues
  - How will global scheduling decisions be made (AAA-wise)?
  - distributed AAA based on a new standard
  - future for LCAS

Network access to large fabrics

- Current Globus design
  - Is not in scope of the Globus toolkit
- Identified issues
  - Needed component for large farms
  - Needed for bandwidth provisioning, brokerage & selective firewall administration
  - Farm nodes not visible from outside!
- Identical components
  - 0th order: no functionality
  - 1st order: IP masquerading routers
  - 2nd order: IP masquerading & protocol translation (IPv6 → IPv4 and v.v.)
  - later: use of intelligent edge devices, managed bandwidth (and connections) per job, AAA interaction (with LCAS)

Intra-fabric security issues

- How to install a node in an untrusted network environment
  - distribution of sensitive config data (SSH host keys)
  - integrity of configuration data
  - bootstrapping problem!
- Secure install scenario requires a local quasi-CA (FLIdS = Fabric-Local Identity Service)
- See use case on next slide (don’t be terrified by the arrows…)

Bootstrapping a machine on a hostile net

Elements of the diagram:
- New host to be installed
- CFG: Configuration Database, behind a secured http server; holds the LCA root cert and the CFG data ACLs
- Operator install disk: kernel and init, CFG https agent, signed cert of operator, protected private key of operator, LCA root certificate
- FLIDS engine: automated CA holding the LCA cert and private key; will sign when the request is approved by the "operator"

Steps:
1. Operator boots system
2. agent makes https request using operator credentials
3. https server checks CFG data ACL (operator has all rights), can verify ID of operator using LCA root cert
4. sensitive config data encrypted using session key
5. host generates key pair (but without a passphrase protecting the private part)
6. request sent to FLIDS engine, signed by operator key (in cleartext) (FLIDS hostname known from CFG data)
7. FLIDS checks signature of operator, and signs request with LCA key. Request DN namespace limited.
8. signed host cert back to host (in clear)
9. host checks signature on cert using the LCA root cert on the boot disk
10. https requests to CFG authenticated with new signed host certificate
11. CFG web server can check hostname in cert against requesting IP address and check ACLs
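The FLIdS slides (local security service, intra-fabric issues and the bootstrap use case above) describe an automated CA that signs a host request only when an operator has endorsed it and the requested DN falls inside the fabric's namespace. The script below is an added illustration of steps 5 to 11 driven with the OpenSSL command line; it is not FLIdS code or anything from the WP4 project. Everything in it is an assumption of the example: the file names, the `ExampleFabric` organisation, the rule that a host DN must carry `OU=hosts` and a CN ending in `.fabric.example`, and a constructed address-to-hostname table that stands in for the reverse lookup the CFG server would do in step 11. Transport (the HTTPS exchanges in steps 2, 6, 8 and 10) is left out; only the signature and policy checks are shown.

```shell
#!/bin/sh
# Added example, not WP4/FLIdS code: the bootstrap use case with the openssl CLI.
# Names, paths and the permitted DN namespace are assumptions of this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"
NAMESPACE_SUFFIX=".fabric.example"   # assumed: FLIDS signs only host CNs under this suffix

# minimal req config so the example does not depend on the system openssl.cnf
printf '[req]\nprompt = no\ndistinguished_name = req_dn\n[req_dn]\n' > "$WORK/req.cnf"

gen_key() {  # unprotected key file (step 5: no passphrase on the host key)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

setup_lca_and_operator() {  # before the install: LCA root and the operator credential on the boot disk
  gen_key "$WORK/lca.key"
  openssl req -x509 -new -key "$WORK/lca.key" -config "$WORK/req.cnf" \
    -subj "/O=ExampleFabric/CN=Fabric Local CA" -days 365 \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" -out "$WORK/lca.crt"
  gen_key "$WORK/op.key"
  openssl req -new -key "$WORK/op.key" -config "$WORK/req.cnf" \
    -subj "/O=ExampleFabric/OU=operators/CN=operator" -out "$WORK/op.csr"
  openssl x509 -req -in "$WORK/op.csr" -CA "$WORK/lca.crt" -CAkey "$WORK/lca.key" \
    -CAcreateserial -days 365 -out "$WORK/op.crt" 2>/dev/null
}

host_make_request() {  # step 5: host key pair plus CSR; $1 = hostname, $2 = file tag
  gen_key "$WORK/$2.key"
  openssl req -new -key "$WORK/$2.key" -config "$WORK/req.cnf" \
    -subj "/O=ExampleFabric/OU=hosts/CN=$1" -out "$WORK/$2.csr"
}

operator_endorse() {  # step 6: detached operator signature over the (cleartext) request
  openssl dgst -sha256 -sign "$WORK/op.key" -out "$WORK/$1.csr.sig" "$WORK/$1.csr"
}

flids_sign() {  # step 7: FLIDS engine; writes $1.crt and returns 0 only if every check passes
  csr="$WORK/$1.csr"; sig="$WORK/$1.csr.sig"
  # the operator credential must itself chain to the LCA
  openssl verify -CAfile "$WORK/lca.crt" "$WORK/op.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$WORK/op.crt" -pubkey -noout > "$WORK/op.pub"
  openssl dgst -sha256 -verify "$WORK/op.pub" -signature "$sig" "$csr" >/dev/null 2>&1 || return 2
  # namespace restriction on the requested DN
  subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253)
  cn=$(printf '%s\n' "$subj" | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  case "$subj" in *",OU=hosts,"*) ;; *) return 3 ;; esac
  case "$cn" in *"$NAMESPACE_SUFFIX") ;; *) return 3 ;; esac
  openssl x509 -req -in "$csr" -CA "$WORK/lca.crt" -CAkey "$WORK/lca.key" \
    -CAcreateserial -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

host_verify_cert() {  # step 9: validate the returned cert against the LCA root from the boot disk
  openssl verify -CAfile "$WORK/lca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

cfg_check_client() {  # step 11: $1 = cert tag, $2 = requesting IP; CN must match the address
  case "$2" in 10.0.0.11) expected="node01$NAMESPACE_SUFFIX" ;; *) expected="" ;; esac  # constructed lookup table
  cn=$(openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ -n "$expected" ] && [ "$cn" = "$expected" ]
}

setup_lca_and_operator
host_make_request "node01$NAMESPACE_SUFFIX" host
operator_endorse host
flids_sign host && host_verify_cert host && echo "node01: certificate issued and validated"
cfg_check_client host 10.0.0.11 && echo "CFG: node01 accepted from 10.0.0.11"
host_make_request www.example.org rogue   # operator-endorsed, but outside the fabric namespace
operator_endorse rogue
flids_sign rogue || echo "rogue: refused by FLIDS (rc=$?)"
```

Two properties of the slide's design show up directly: a valid operator signature is necessary but not sufficient (the `rogue` request is refused on the namespace rule alone), and the host never needs the LCA private key, only the LCA root certificate that came with the boot disk, so a hostile network between host and FLIDS can read the request but cannot produce an acceptable certificate.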

Component Summary

- LCAS
  - comprehensive local authorization taking RMS issues into account
  - accepted jobs WILL run
  - should evolve into an "ASM" to allow inter-domain co-allocation
- LCMAPS
  - take as much as possible from the existing gridmapdir work, generalize for K5
- FabNAT
  - 1st goal: solve the addressing issue; later: managed firewalls etc.; allow a plug-in to LCAS
- FLIdS
  - build secure fabrics on an insecure network (smaller universities etc.), prevent CA overload
- Key is to stay compatible and interoperable!
  - GRAM protocol (& RSL) [Globus, GGF]
  - Information framework (GRIP, GMA, R-GMA, …) [Globus, GGF and EDG WP3]
  - All work on security in AAAARCH, PKIX, GGF sec. area, SecureGRID