WP4 Security and AA(A) issues For WP4: David Groep
David Groep – WP4 security and AAA issues – WP4 self-organization (1)
- Configuration management
  - What should a system look like, what is installed
- Systems Installation
  - Bootstrapping and installing software packages on nodes
- Resource Management
  - Queuing system, task scheduling, quotas and budgets

WP4 self-organization (2)
- Monitoring
  - Performance and functional monitoring
- Fault Tolerance & Exception Recovery
  - Detect exceptions using monitoring information and schedule recovery actions; make self-healing nodes
- Gridification
  - Job authorization, credential mapping, information abstraction and network accessibility

Internal and external AAA
- External AAA: interaction of a compute centre with the "global" grid, through WP1 (ComputeElement) and WP2 (StorageElement)
- Internal AAA:
  - recognizing trusted components and operators
  - authorization for jobs and files
  - access to information services
  - protecting jobs and files whilst in the fabric (uid issues)

A use case for job submission
- Accept a job from the ComputeElement (the Grid)
- Check authorization with respect to extra local policies
- Assign the necessary local credentials
- Have the job run on the local fabric

Gridification of a Compute Centre (architecture diagram)
Components shown: ComputeElmt, GridJob Mediating Serv, LRMS, Farms, Local Credential Mapping Serv, User Rep., Job Rep., LCAS with AuthZ plugins (QuotaCheck, Policy list), Fabric-local ID-service, Grid Info Serv (WP3), GriFIS, GridGATE protocol gateway. The diagram separates components that are "Local to the fabric" from those that are "Externally visible".

Job life cycle in a fabric
- GjMS: Grid-job Mediating Service
  - Accept jobs from the ComputeElement and shuffle them through the AAA chain
- LCAS: Local Community Authorization Service
  - Authorize a job or store request to run on this fabric
  - Based on the community-wide CAS (VOs), add extra constraints such as budgets, ban lists and wall-clock limitations
- LCMAPS: Local Credential Mapping Service
  - Obtain the `usual' credentials for running (uid/gid)
  - Issues: additional credentials for AFS, K5, ...


FLIDS (Fabric-local ID service)
- Within a fabric only a local certifying entity will be sufficiently trusted
  - Signing authority for LCAS-accepted (job) requests
  - Identify trusted operators for installation of new systems
  - Identify and certify hosts within a fabric
- FLIDS is (a tree of) certification authorities
- Some of those are "automated" CAs
  - Sign certificates when the request is signed by a trusted operator

Information and Configuration
- A configuration database exists containing the desired state of the local fabric
  - Contains sensitive information
  - Prevent unauthorized read access
  - Prevent snooping of information sent to other hosts
  - PM9 (and possibly beyond?): web server, XML over HTTPS
  - Write access limited to a special operator interface only

Another FLIDS application
- Adding a new host to a fabric
- Possibly in a `hostile' environment
- We have a trusted operator with an install disk
- Need to get initial configuration information
- Which includes, e.g., an ssh host key
Next slide is for your reference only (don't be baffled by it)

New host to be installed
Components in the diagram: CFG, the Configuration Database behind a secured http server, holding the LCA root cert, the CFG data and its ACLs; the FLIDS engine, an automated CA holding the LCA cert and private key, which will sign when the request is approved by an `operator'; and the operator's install disk, carrying a kernel and init, the CFG https agent, the signed cert of the operator, the protected private key of the operator and the LCA root certificate.
1. Operator boots the system
2. Agent makes an https request using the operator credentials
3. https server checks the CFG data ACL (operator has all rights); it can verify the ID of the operator using the LCA root cert
4. Sends config data, encrypted using the session key
5. Host generates a key pair (but without a passphrase protecting the private part)
6. Request sent to the FLIDS engine, signed by the operator key (in cleartext) (FLIDS hostname known from CFG data)
7. FLIDS checks the signature of the operator and signs the request with the LCA key. Request DN namespace limited.
8. Signed host cert back to host (in clear)
9. Host checks the signature on the cert using the LCA root cert on the boot disk
10. https requests to CFG authenticated with the new signed host certificate
11. CFG web server can check the hostname in the cert against the requesting IP address and check ACLs
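Steps 5 to 9 of the enrolment above, as an added Go example that is not the WP4 code and is not taken from the slides: an LCA acting as the automated FLIDS CA, a host request signed by an operator's key, the FLIDS checks before signing (the operator is one FLIDS knows, the operator signature verifies, the host proves it holds its own key, and the request DN lies inside an assumed `.fabric.example` namespace) and the host's verification of the returned certificate against the root on its boot disk. The https transport of steps 2 to 4, 8, 10 and 11 is left out; the operator registry kept by the LCA, the ECDSA P-256 keys, the one-day validity and all names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// fabricDomain is an assumed value: the DN namespace FLIDS is allowed to sign for.
const fabricDomain = ".fabric.example"

// LCA is the fabric-local CA behind the FLIDS engine: its key, its root cert and the operators it trusts.
type LCA struct {
	Key       *ecdsa.PrivateKey
	Root      *x509.Certificate
	Operators map[string]*x509.Certificate // trusted operators, by name
}

// issue builds a one-day certificate for subject/pub signed by parent; parent == nil makes the self-signed root.
func (l *LCA) issue(subject pkix.Name, pub any, parent *x509.Certificate) (*x509.Certificate, error) {
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: subject, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // the root is the only CA in the fabric and signs itself
		tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, l.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewLCA creates the LCA key, its self-signed root (the cert on the boot disk) and one trusted operator, returning that operator's key.
func NewLCA(operator string) (*LCA, *ecdsa.PrivateKey, error) {
	l := &LCA{Operators: map[string]*x509.Certificate{}}
	l.Key, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only without an entropy source
	opKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root, err := l.issue(pkix.Name{CommonName: "LCA root"}, &l.Key.PublicKey, nil)
	l.Root = root
	if err == nil {
		l.Operators[operator], err = l.issue(pkix.Name{CommonName: operator}, &opKey.PublicKey, root)
	}
	return l, opKey, err
}

// SignedRequest reaches FLIDS in the clear (step 6): host CSR, operator name, operator signature over SHA-256(CSR).
type SignedRequest struct {
	CSR, Sig []byte
	Operator string
}

// HostRequest is steps 5 and 6: the host makes a key pair (no passphrase) and a CSR, and the operator signs the CSR.
func HostRequest(hostname, operator string, opKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, SignedRequest, error) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	var sig []byte
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: hostname}}, key)
	if err == nil {
		h := sha256.Sum256(csr)
		sig, err = ecdsa.SignASN1(rand.Reader, opKey, h[:])
	}
	return key, SignedRequest{CSR: csr, Sig: sig, Operator: operator}, err
}

// Sign is step 7: FLIDS signs only a request approved by a trusted operator, from a host holding the key, for a DN inside the fabric namespace.
func (l *LCA) Sign(req SignedRequest) (*x509.Certificate, error) {
	op, ok := l.Operators[req.Operator]
	h := sha256.Sum256(req.CSR)
	if !ok || !ecdsa.VerifyASN1(op.PublicKey.(*ecdsa.PublicKey), h[:], req.Sig) {
		return nil, fmt.Errorf("request not signed by a trusted operator")
	}
	csr, err := x509.ParseCertificateRequest(req.CSR)
	if err != nil || csr.CheckSignature() != nil { // the host must prove it holds the private key
		return nil, fmt.Errorf("malformed request or bad proof of possession")
	}
	cn := csr.Subject.CommonName
	if !strings.HasSuffix(cn, fabricDomain) { // request DN namespace limited
		return nil, fmt.Errorf("DN %q is outside the fabric namespace", cn)
	}
	// Only the CN is copied from the request, so a host cannot ask for extra attributes.
	return l.issue(pkix.Name{CommonName: cn}, csr.PublicKey, l.Root)
}

// VerifyWithRoot is step 9: the host checks the returned cert against the LCA root from its boot disk.
func VerifyWithRoot(cert, root *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
```

Two design points follow from the slide. The operator signature travels in the clear, so FLIDS relies on the signature alone, not on the channel, to decide who approved the request; and because the host's CSR is signed with its own freshly generated key, FLIDS gets proof of possession even though that key has no passphrase. The namespace limit is applied to the CN only and the CN is the only subject attribute copied into the certificate, which keeps a host from requesting operator-like attributes for itself.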

Issues not (yet) addressed
- Information services
  - Use whatever security framework WP3 chooses
  - Will likely not publish a list of authorized users
- Networking issues
  - WP4 does not envision using network-layer security
  - IPv6 is being studied, but only for address space issues
  - GridGATE is not a VPN router and is not doing IPsec
