SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University.

Slides:

Advertisements

Similar presentations

21 Sep 2005LCG's R-GMA Applications R-GMA and LCG Steve Fisher & Antony Wilson.

Advertisements

Abstraction Layers Why do we need them? –Protection against change Where in the hourglass do we put them? –Computer Scientist perspective Expose low-level.

Enabling Secure Internet Access with ISA Server

Chapter 13 Review Questions

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

Middleware technology and software quality issues Andrew McNab Grid Security Research Fellow University of Manchester.

High Performance Computing Course Notes Grid Computing.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Winter CMPE 155 Week 7. Winter Assignment 6: Firewalls What is a firewall? –Security at the network level. Wide-area network access makes.

1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.

DGC Paris Community Authorization Service (CAS) and EDG Presentation by the Globus CAS team & Peter Kunszt, WP2.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

Copyright B. Wilkinson, This material is the property of Professor Barry Wilkinson (UNC-Charlotte) and is for the sole and exclusive use of the students.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

OSG Logging Architecture Update Center for Enabling Distributed Petascale Science Brian L. Tierney: LBNL.

Web-based Portal for Discovery, Retrieval and Visualization of Earth Science Datasets in Grid Environment Zhenping (Jane) Liu.

Security Guidelines and Management

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

Section 13.1 Add a hit counter to a Web page Identify the limitations of hit counters Describe the information gathered by tracking systems Create a guest.

Performance and Exception Monitoring Project Tim Smith CERN/IT.

1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.

COEN 252 Computer Forensics

OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid.

The Data Grid: Towards an Architecture for the Distributed Management and Analysis of Large Scientific Dataset Caitlin Minteer & Kelly Clynes.

OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.

Grid Resource Allocation and Management (GRAM) Execution management Execution management –Deployment, scheduling and monitoring Community Scheduler Framework.

Production Data Grids SRB - iRODS Storage Resource Broker Reagan W. Moore

Network Security. Need for security  Connecting to the Internet is quickly becoming a necessity for companies/ individuals  Understand the security.

Security Requirements for Software Defined Networks Internet Area WG IETF 85: Atlanta November 4, 2012 Margaret Wasserman

2  Supervisor : MENG Sreymom  SNA 2012_Group4  Group Member  CHAN SaratYUN Sinot  PRING SithaPOV Sopheap  CHUT MattaTHAN Vibol  LON SichoeumBEN.

EGEE-III INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks David Kelsey RAL/STFC,

Training and Dissemination Enabling Grids for E-sciencE Jinny Chien, ASGC 1 Training and Dissemination Jinny Chien Academia Sinica Grid.

Virtual Workspaces Kate Keahey Argonne National Laboratory.

NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.

Configuring Network Access Protection

Module 7: Advanced Application and Web Filtering.

PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.

SOS August 21, 2006 GGF Security for Open Science Center for Enabling Technology Lead PI - Deb Agarwal, Lawrence Berkeley National Laboratory - Lawrence.

E-infrastructure shared between Europe and Latin America FP6−2004−Infrastructures−6-SSA gLite Information System Pedro Rausch IF.

1 Week #5 Routing and NAT Network Overview Configuring Routing Configuring Network Address Translation Troubleshooting Routing and Remote Access.

Presented by: Tony Rimovsky TeraGrid Account Management Tony Rimovsky, Area Director for Network Operations and Security

Module 7: Implementing Security Using Group Policy.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

Security CET September 27, 2006 GGF Security for Open Science Project Lead PI - Deb Agarwal, Lawrence Berkeley National Laboratory - Lawrence Berkeley.

Office of Science U.S. Department of Energy Grid Security at NERSC/LBL Presented by Steve Chan Network, Security and Servers

Auditing Project Architecture VERY HIGH LEVEL Tanya Levshina.

Chapter 3 Pre-Incident Preparation Spring Incident Response & Computer Forensics.

- GMA Athena (24mar03 - CHEP La Jolla, CA) GMA Instrumentation of the Athena Framework using NetLogger Dan Gunter, Wim Lavrijsen,

Rights Management for Shared Collections Storage Resource Broker Reagan W. Moore

DataTAG is a project funded by the European Union International School on Grid Computing, 23 Jul 2003 – n o 1 GridICE The eyes of the grid PART I. Introduction.

Chapter 11 – Cloud Application Development. Contents Motivation. Connecting clients to instances through firewalls. Cloud Computing: Theory and Practice.

ASHRAY PATEL Protection Mechanisms. Roadmap Access Control Four access control processes Managing access control Firewalls Scanning and Analysis tools.

Preservation Data Services Persistent Archive Research Group Reagan W. Moore October 1, 2003.

Open Science Grid Security Issues and Activities Bob Cowles Middleware Security Group – CERN 08 March 2006.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Services for Distributed e-Infrastructure Access Tiziana Ferrari on behalf.

Enabling Grids for E-sciencE Claudio Cherubino INFN DGAS (Distributed Grid Accounting System)

Grid Security Atlas Tier 2 Meeting Bob Cowles August 18, 2006 Work supported by U. S. Department of Energy contract DE-AC03-76SF00515.

SQL Database Management

REDCap General Overview

Regional Operations Centres Core infrastructure Centres

OGF PGI – EDGI Security Use Case and Requirements

DMQ4:Instruments & Sensors for online remote access

Security for Open Science

Leigh Grundhoefer Indiana University

Data Security in Local Networks using Distributed Firewalls

Proposed Grid Protocol Architecture Working Group

Presentation transcript:

SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University of Virginia

SOS EGEE ‘06 GGF Auditing/Forensic Tools The Problem: –Multi-institutional collaborations with extensive remote access –Virtual organizations need to be able to track resource usage, credential usage, data access, etc –Difficult to get consistent audit information across sites –Different groups need different audit information –Sample questions that are currently hard to answer: Give me a list of all data files opened by User X in the last week What are the list of sites that user X accessed in the past week? How much CPU did VO X use at site Y in the past month? Give me a list of all users who used shared account X on resource Y yesterday. Who made requests to the dynamic firewall service yesterday? Did the IDS see any traffic on ports that where supposed to be closed, based on auditing information from the dynamic firewall service?

SOS EGEE ‘06 GGF Auditing/Forensic Tools cont. High-Level Approach: –An end-to-end auditing infrastructure which uses a policy language to allow resource (both systems and data) owners specify where auditing information may be published and who may access the audit logs. Components –Logging software (instrumentation) - Applications call easy-to-use libraries to log events with detailed information. –Normalizers– Agents transform existing logs so that they can be incorporated into the common schema of the audit system. –Collection sub-system (forwarder) – Audit logs are collected by a dependable, secure collection system. –Repository (database, publisher) – Audit logs are sent over the network, normalized, and archived. Then they are made available through a query interface. –Forensic tools (analysis) – Forensic tools query and process the audit data to find problems and answer questions.

SOS EGEE ‘06 GGF End-to-End Auditing System

SOS EGEE ‘06 GGF Related Project: Troubleshooting Service

SOS EGEE ‘06 GGF Dynamic Host Firewall Ports The Problem: –Ports needed by Grid middleware are often blocked by firewalls These firewalls are both host-based and network-based. Dynamically assigned ports are particularly problematic —E.g.: GridFTP data ports –Many sites allow outgoing, but not incoming connections How do a Grid FTP between 2 sites that both only allow outgoing connections?

SOS EGEE ‘06 GGF Dynamic Firewalls, cont. High-level Approach: –Tools and services to dynamically open and close ports needed by applications and middleware based on authentication and authorization Components –Configuration Broker maintains the overall state of the firewall configuration for the site, validates user credentials, and verifies that requested actions are consistent with site policy restrictions. –Firewall Agent interacts with the existing site firewall systems, receiving direction from the Configuration Broker. –The Validation Service receives information about the completed firewall changes and continually analyzes network traffic to insure there are no errors in the firewall configuration. –The Programming API is the mechanism for software to make requests to the broker.

SOS EGEE ‘06 GGF Dynamic Firewall System