Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service.

Slides:

Advertisements

Similar presentations

Current methods for negotiating firewalls for the Condor ® system Bruce Beckles (University of Cambridge Computing Service) Se-Chang Son (University of.

Advertisements

Building a secure Condor ® pool in an open academic environment Bruce Beckles University of Cambridge Computing Service.

Access Control Chapter 3 Part 3 Pages 209 to 227.

1 Chapter 8 Fundamentals of System Security. 2 Objectives In this chapter, you will: Understand the trade-offs among security, performance, and ease of.

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

{ Best Practice Why reinvent the wheel?.   Domain controllers   Member servers   Client computers   User accounts   Group accounts   OUs 

Mr C Johnston ICT Teacher

Forum IT Infrastructure. Integration Goals of IT: - Make work more efficient by integrating. - Make repetitive tasks automated. Active Directory/ HR database.

Access Control Chapter 3 Part 5 Pages 248 to 252.

CoreGRID Workpackage 5 Virtual Institute on Grid Information and Monitoring Services Authorizing Grid Resource Access and Consumption Erik Elmroth, Michał.

System and Network Security Practices COEN 351 E-Commerce Security.

Understanding Active Directory

May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.

Security Management IACT 918 July 2004 Gene Awyzio SITACS University of Wollongong.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

SOA Security Chapter 12 SOA for Dummies. Outline User Authentication/ authorization Authenticating Software and Data Auditing and the Enterprise Service.

Security Management IACT 418/918 Autumn 2005 Gene Awyzio SITACS University of Wollongong.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

Managing Information Systems Information Systems Security and Control Part 2 Dr. Stephania Loizidou Himona ACSC 345.

Lesson 18: Configuring Application Restriction Policies

seminar on Intrusion detection system

Intrusion Detection System Marmagna Desai [ 520 Presentation]

Network security policy: best practices

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Firewalls and the Campus Grid: an Overview Bruce Beckles University of Cambridge Computing Service.

Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.

Microsoft ® Official Course Module 9 Configuring Applications.

Module 9 Configuring Server Security Compliance. Module Overview Securing a Windows Infrastructure Overview of EFS Configuring an Audit Policy Overview.

Cloud Computing for the Enterprise November 18th, This work is licensed under a Creative Commons.

AIS, Passwords Should not be shared Should be changed by user Should be changed frequently and upon compromise (suspected unauthorized disclosure)

Enforcing Concurrent Logon Policies with UserLock.

Module 14: Configuring Server Security Compliance

SECURITY ZONES. Security Zones  A security zone is a logical grouping of resources, such as systems, networks, or processes, that are similar in the.

20411B 8: Installing, Configuring, and Troubleshooting the Network Policy Server Role Presentation: 60 minutes Lab: 60 minutes After completing this module,

September 18, 2002 Windows 2000 Server Active Directory By Jerry Haggard.

© 2001 by Carnegie Mellon University SS5 -1 OCTAVE SM Process 5 Background on Vulnerability Evaluations Software Engineering Institute Carnegie Mellon.

Planning a Microsoft Windows 2000 Administrative Structure Designing default administrative group membership Designing custom administrative groups local.

Training and Dissemination Enabling Grids for E-sciencE Jinny Chien, ASGC 1 Training and Dissemination Jinny Chien Academia Sinica Grid.

Security monitoring boxes Andrew McNab University of Manchester.

CE Operating Systems Lecture 21 Operating Systems Protection with examples from Linux & Windows.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

Virtual Workspaces Kate Keahey Argonne National Laboratory.

NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.

Chapter 2 Securing Network Server and User Workstations.

INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.

Week 4 Objectives Overview of Group Policy Group Policy Processing Implementing a Central Store for Administrative Templates.

The world leader in serving science Overview of Thermo 21 CFR Part 11 tools Overview of software used by multiple business units within the Spectroscopy.

Office of Science U.S. Department of Energy Grid Security at NERSC/LBL Presented by Steve Chan Network, Security and Servers

CHAPTER 5 MANAGING USER ACCOUNTS & GROUPS. User Accounts Windows 95, 98 & Me do not need a user account like Windows XP Professional to access computer.

Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.

Mr C Johnston ICT Teacher BTEC IT Unit 09 - Lesson 11 Network Security.

Windows Active Directory – What is it? Definition - Active Directory is a centralized and standardized system that automates network management of user.

Some Great Open Source Intrusion Detection Systems (IDSs)

INFSO-RI Enabling Grids for E-sciencE Workshop WLCG Security for Grid Sites Louis Poncet System Engineer SA3 - OSCT.

SQL Database Management

Configuring Windows Firewall with Advanced Security

LAND RECORDS INFORMATION SYSTEMS DIVISION

Security mechanisms and vulnerabilities in .NET

Printer Admin Print Job Manager

Chapter 14: Protection.

Utilize Group Policy Terminal Server Settings

IS3440 Linux Security Unit 9 Linux System Logging and Monitoring

Chapter 27: System Security

CE Operating Systems Lecture 21

Privilege Separation in Condor

Intrusion Detection system

PLANNING A SECURE BASELINE INSTALLATION

Designing IIS Security (IIS – Internet Information Service)

OU BATTLECARD: Oracle Identity Management Training

Presentation transcript:

Overview of local security issues in Campus Grid environments Bruce Beckles University of Cambridge Computing Service

Overview Organisational issues Authentication Authorisation Auditing (not Accounting) –Rhys will talk about Accounting next Control access to the Campus Grid Workstation issues: –Securing workstations (nodes) –Control the local environment User issues

Organisational issues Need dedicated staff responsible for security of campus grid: –Must have or develop expertise in grid security – very much a moving target! –May be part of local IT security team –…If not, must work closely with IT security team Automate, automate, automate!: –Automate deployment and monitoring procedures –…but periodically perform manual checks as well Decide a security policy: –Prevention or Punishment? –What information must be collected to enforce / support this policy? (Auditing)

Authentication Why do we need authentication?: –Without it we have no idea who is using the Campus Grid –No way to tell authorised use from illegitimate use Use your existing authentication infrastructure: –Kerberos, Active Directory, NIS, etc –Users are already familiar with it –Administration is handled by existing procedures and personnel Avoid digital certificates and GSI. If you must use them: –Find (or create) a usable implementation –Make it completely transparent to users –Remember it doesnt scale well

Authorisation Needs low administrative overhead: –Develop quick, simple, usable procedures –Build in error checking! Must scale well: –Centralised database with secondary servers –…Or distribute database automatically Balance central control vs. delegated control: –Central control: Clear where to apply for access Tight control over who grants access Easier to audit handling of access requests Less vulnerable to persuasion –Delegated control: Divisions more likely to know individual users …but easier for user to persuade them to grant access Periodically audit authorisation database

Auditing (1) Absolutely vital, but frequently overlooked Determine what you need to audit to support your security policy Analyse usage logs so you have some idea of what is normal for your Campus Grid Analyse network traffic logs so you have some idea of what is normal for your network Consider using an Intrusion Detection System (IDS) only if security staff already use one

Auditing (2) Current grid software not very good at it …but use whatever it gives you (usage logs, etc) Use systems auditing facilities wherever possible –Login records, process accounting (psacct), syslog, Windows Event Logs, etc. Do not store audit trails on the local machine! Consider keeping copies of users executables (but if you do this, make sure you let the users know)

Control Access Tightly control access points: –As few as possible –…but balance need for scalability –Ideally centralised –Must be under your control Restrict user access to underlying grid middleware as much as possible Develop usable front-ends for users: –Web portals –Interfaces to familiar queuing systems –etc

Secure the workstation Secure each individual workstation / node in Campus Grid: –A single insecure workstation can compromise the entire Campus Grid –So keep all software on workstations up to date! –Centrally manage workstations –Keep network services to a minimum –Tightly control software installed –Consider using sensible local firewalls (iptables, Windows Firewall, etc) with simple rule sets Plan for a different attack profile: –A grid will attract different types of attacks (and attackers) than a managed workstation service –If your grid consists of managed workstations, then expect to get both types of attacks

Control the local environment Control local environment on workstation where jobs will run: –Restrict privileges of job processes (privilege separation, ACLs, etc) –Control network access if possible / practical –Sanitise environment before and after jobs run: Start job with a clean environment Delete temporary files, jobs data files, etc Kill any extraneous processes –Run jobs in a sandbox / virtual machine if possible (but consider performance implications) –Make local environment uniform across each workstation OS

User Issues No users, no problem!: –So start small, with known, trusted users (of course, this doesnt scale) –Then expand your user base gradually –Try to avoid a our campus grid is open to all policy Vet your users: –Ask for sample jobs and inspect them personally –Initially constrain new users to a small part of the Campus Grid –Paranoia: only allow them to run code you have approved Know your users: –Try to get to know your users (not personally, although that helps), but their patterns of behaviour –How much do you trust them?

Questions?