Large-scale issuing of host certs in a member-integrated or institutional CA environment.

Presentation transcript:

Large-scale issuing of host certs in a member-integrated or institutional CA environment

21st EUGridPMA Utrecht meeting – Jan – David Groep

Initial use case
- Centrally managed large data centres
- Example: CERN, >> systems
- Institutional properties:
  - operating (as an EIRO) an institutionally-embedded CA, but could also be an automated RA for an external CA...
  - managed hosts in a physically controlled environment
  - fully centralised configuration management

Aim: provision host certs in a scalable and secure way

Simplified request flow

Workflow
1. New servers that are put into production in the CERN Computer Center will communicate with the Configuration Manager Servers and will signal that they require a host certificate.
2. After validation of the requester, the Configuration Manager Servers will be able to request host certificates of the new template on behalf of the servers from step 1. Only those Configuration Manager Servers possessing a valid Robot certificate will be able to do that. Robot certificates will be installed on them manually, following the standard through-the-website procedure.
3. The requests from step 2 will be securely sent to the CERN CA using a special web service (not a website).
4. The reply from the CERN CA will be sent to the server from step 1.

Obvious pros and cons
- With O(1000) requests, humans cannot accurately check them all for correctness: an automated process reduces the number of errors
- Close integration with the CA request process reduces the number of hand-off points between admin, RA and CA
- Automated processes can make errors as well, and very fast indeed
- Identification of 'new' computer hardware is non-trivial
- Humans are good at identifying oddities, making some attack modes harder to exploit

Proposal
- Full discussion in January (Ljubljana)
  - an extended description will be given by Alexey (CERN)
  - assess risks and opportunities
- Needs description in the CP/CPS
  - address attacks on CM servers (referring to the recent attacks on automated CAs, like Comodo, DigiNotar, ...)
  - heuristics to mitigate risk (correlation with installations, domain checks, time-of-day, etc.)
  - identification of requesting machines? How can that be done? TPM, MAC, network, ...
- The case should be supported – scaling is really needed!
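As an added illustration (not CERN's or the EUGridPMA's code) of the pre-issuance heuristics the proposal lists for the workflow above, this vets a host certificate request relayed by a Configuration Manager server against its robot identity, the institutional domain list, the CM installation inventory (time and MAC) and a provisioning window; robot DNs, domains, inventory records and the window are constructed assumptions.

```python
"""Hypothetical vetting of CM-relayed host cert requests before the CA issues.
Every identity, domain, record and threshold here is a constructed assumption."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

ALLOWED_DOMAINS = ("example-lab.org",)                            # assumed institutional domains
TRUSTED_ROBOTS = {"/DC=org/DC=example/CN=Robot: cm-server-01"}   # assumed robot cert subjects
MAX_INSTALL_AGE = timedelta(hours=24)   # request must follow an installation closely
WORK_HOURS = range(7, 20)               # assumed local provisioning window (hours, UTC)


@dataclass
class HostRequest:
    hostname: str
    robot_dn: str            # subject of the robot cert on the relaying CM server
    requested_at: datetime   # timezone-aware
    mac: str                 # MAC reported for the requesting machine


# Constructed CM inventory: hostname -> (installation time, MAC recorded at install)
INVENTORY = {
    "node001.example-lab.org": (datetime(2013, 1, 14, 9, 0, tzinfo=timezone.utc),
                                "00:11:22:33:44:55"),
}


def vet_request(req: HostRequest, inventory=INVENTORY) -> list:
    """Return reasons to reject or escalate to a human RA; empty list = auto-issue."""
    reasons = []
    if req.robot_dn not in TRUSTED_ROBOTS:
        reasons.append("robot not trusted")
    if not req.hostname.endswith(tuple("." + d for d in ALLOWED_DOMAINS)):
        reasons.append("hostname outside institutional domains")
    record = inventory.get(req.hostname)
    if record is None:
        reasons.append("no installation record for host")
    else:
        installed_at, mac = record
        age = req.requested_at - installed_at
        if not (timedelta(0) <= age <= MAX_INSTALL_AGE):
            reasons.append("request not correlated with a recent installation")
        if mac.lower() != req.mac.lower():
            reasons.append("MAC address does not match inventory")
    if req.requested_at.hour not in WORK_HOURS:
        reasons.append("request outside provisioning window")
    return reasons
```

Any non-empty result is meant to route the request to a human, which keeps the "humans spot oddities" advantage for the small fraction of requests that trip a check.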