Security CET September 27, 2006 GGF Security for Open Science Project Lead PI - Deb Agarwal, Lawrence Berkeley National Laboratory - Lawrence Berkeley.

Slides:

Advertisements

Similar presentations

Scaling TeraGrid Access A Testbed for Attribute-based Authorization and Leveraging Campus Identity Management

Advertisements

MyProxy Jim Basney Senior Research Scientist NCSA

GT 4 Security Goals & Plans Sam Meder

Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.

MyProxy: A Multi-Purpose Grid Authentication Service

High Performance Computing Course Notes Grid Computing.

Science Gateway Security Recommendations Jim Basney Von Welch This material is based upon work supported by the.

Making Condor Safer with… A Collaborative Marketplace for Continuous Software Assurance Brooklin Gore, Chief Operations Officer

Jim Basney GSI Credential Management with MyProxy GGF8 Production Grid Management RG Workshop June.

Grid Security. Typical Grid Scenario Users Resources.

PKI Single Sign On & Auto Provisioning Frank Siebenlist (ANL) Rachana Ananthakrishnan (ANL) Charles Bacon (ANL)

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

GGF15 Workshop MyProxy Integration with PubCookie Marty Humphrey*, Jim Jokl*, and Jim Basney** *Department of Computer Science, University of Virginia,

National Center for Supercomputing Applications University of Illinois at Urbana-Champaign This material is based upon work supported by the National Science.

Office of Science U.S. Department of Energy Grids and Portals at NERSC Presented by Steve Chan.

Federated Access to US CyberInfrastructure Jim Basney CILogon This material is based upon work supported by the National Science Foundation.

Milos Kobliha Alejandro Cimadevilla Luis de Alba Parallel Computing Seminar GROUP 12.

Single Sign-On for Java Web Start Applications Using MyProxy Terry Fleury, Jim Basney, and Von Welch November 3, 2006.

NSF Middleware Initiative: GridShib Tom Barton University of Chicago.

Globus Computing Infrustructure Software Globus Toolkit 11-2.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

National Computational Science National Center for Supercomputing Applications National Computational Science MyProxy: An Online Credential Repository.

Distributed Web Security for Science Gateways Jim Basney In collaboration with: Rion Dooley Jeff Gaynor

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University.

Long Term Ecological Research Network Information System LTER Grid Pilot Study LTER Information Manager’s Meeting Montreal, Canada 4-7 August 2005 Mark.

CoG Kit Overview Gregor von Laszewski Keith Jackson.

TeraGrid VO Support and Plans for AAA Testbed Dane Skow, Deputy Director TeraGrid University of Chicago / Argonne National Laboratory Internet2 Member.

GT Components. Globus Toolkit A “toolkit” of services and packages for creating the basic grid computing infrastructure Higher level tools added to this.

INFSO-RI Enabling Grids for E-sciencE The US Federation Miron Livny Computer Sciences Department University of Wisconsin – Madison.

Grid Security Issues Shelestov Andrii Space Research Institute NASU-NSAU, Ukraine.

Software Project Documentation. Types of Project Documents  Project Charter  Requirements  Mockups and Prototypes  Test Cases  Architecture / Design.

Security Area in GridPP2 4 Mar 2004 Security Area in GridPP2 “Proforma-2 posts” overview Deliverables – Local Access – Local Usage.

National Computational Science National Center for Supercomputing Applications National Computational Science NCSA-IPG Collaboration Projects Overview.

GridShib and MyProxy Grid Credential Management and Identity Federation Von Welch NCSA

Communicating Security Assertions over the GridFTP Control Channel Rajkumar Kettimuthu 1,2, Liu Wantao 3,4, Frank Siebenlist 1,2 and Ian Foster 1,2,3 1.

Tutorial: Building Science Gateways TeraGrid 08 Tom Scavo, Jim Basney, Terry Fleury, Von Welch National Center for Supercomputing.

Virtual Workspaces Kate Keahey Argonne National Laboratory.

National Computational Science National Center for Supercomputing Applications National Computational Science Credential Management in the Grid Security.

Identity Federation and Attribute-based Authorization through the Globus Toolkit, Shibboleth, GridShib, and MyProxy Tom Barton 1, Jim Basney 2, Tim Freeman.

NA-MIC National Alliance for Medical Image Computing UCSD: Engineering Core 2 Portal and Grid Infrastructure.

SOS August 21, 2006 GGF Security for Open Science Center for Enabling Technology Lead PI - Deb Agarwal, Lawrence Berkeley National Laboratory - Lawrence.

US LHC OSG Technology Roadmap May 4-5th, 2005 Welcome. Thank you to Deirdre for the arrangements.

National Computational Science National Center for Supercomputing Applications National Computational Science GSI Online Credential Retrieval Requirements.

Andrew McNabSecurity Middleware, GridPP8, 23 Sept 2003Slide 1 Security Middleware Andrew McNab High Energy Physics University of Manchester.

Trusted Virtual Machine Images a step towards Cloud Computing for HEP? Tony Cass on behalf of the HEPiX Virtualisation Working Group October 19 th 2010.

6/23/2005 R. GARDNER OSG Baseline Services 1 OSG Baseline Services In my talk I’d like to discuss two questions:  What capabilities are we aiming for.

VO Privilege Activity. The VO Privilege Project develops and implements fine-grained authorization to grid- enabled resources and services Started Spring.

Glite. Architecture Applications have access both to Higher-level Grid Services and to Foundation Grid Middleware Higher-Level Grid Services are supposed.

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Shibboleth & Grid Integration STFC and University of Oxford (and University of Manchester)

Module 9 User Profiles and Social Networking. Module Overview Configuring User Profiles Implementing SharePoint 2010 Social Networking Features.

National Computational Science National Center for Supercomputing Applications National Computational Science Integration of the MyProxy Online Credential.

DTI Mission – 29 June LCG Security Ian Neilson LCG Security Officer Grid Deployment Group CERN.

VO Box Issues Summary of concerns expressed following publication of Jeff’s slides Ian Bird GDB, Bologna, 12 Oct 2005 (not necessarily the opinion of)

Office of Science U.S. Department of Energy Grid Security at NERSC/LBL Presented by Steve Chan Network, Security and Servers

2005 GRIDS Community Workshop1 Learning From Cyberinfrastructure Initiatives Grid Research Integration Development & Support

The GRIDS Center, part of the NSF Middleware Initiative Grid Security Overview presented by Von Welch National Center for Supercomputing.

Open Science Grid Security Issues and Activities Bob Cowles Middleware Security Group – CERN 08 March 2006.

Grid Security Atlas Tier 2 Meeting Bob Cowles August 18, 2006 Work supported by U. S. Department of Energy contract DE-AC03-76SF00515.

Grid Computing Security Mechanisms: the state-of-the-art

Manuel Brugnoli, Elisa Heymann UAB

Security for Open Science

NAAS 2.0 Features and Enhancements

NSF Middleware Initiative: GridShib

A Grid Authorization Model for Science Gateways

Presentation transcript:

Security CET September 27, 2006 GGF Security for Open Science Project Lead PI - Deb Agarwal, Lawrence Berkeley National Laboratory - Lawrence Berkeley National Laboratory - Brian Tierney, Mary Thompson Argonne National Laboratory - Frank Siebenlist, Ian Foster Pacific Northwest National Laboratory - Jeff Mauth, Deb Frincke University of Illinois, NCSA - Von Welch, Jim Basney University of Virginia - Marty Humphrey University of Wisconsin - Miron Livny, Bart Miller National Energy Research Scientific Computing Center - Howard Walter Energy Science Network - Michael Helm University of Delaware – Martin Swany

Security CET September 27, 2006 GGF Guiding Principles Focus on capabilities that are priorities for and are NEEDED by DOE applications and facilities Work closely with a few committed applications and facilities to develop capabilities Provide development and deployment of security solutions with and in support of DOE applications and facilities Deliverables –18 months - Concrete near term goals for deployment activities –year 3 and year 5 - Longer term deliverables for deployment and possible research activities Will provide extensive deployment support

Security CET September 27, 2006 GGF Distributed Science Security Problem Applications and Middleware poorly integrated with site security Difficult to track users and usage across sites Virtual organizations and sites do not have all the tools needed to manage security Forensics in distributed environments is tedious and information is scarce Grid middleware poses a potentially inviting hacker target in the future as we deploy these large grids Credential revocation is very difficult currently Firewalls often limit the application connectivity options

Security CET September 27, 2006 GGF Strategy - Prevent, Detect, and Respond

Security CET September 27, 2006 GGF Interrelated Topic Areas Auditing and forensics –Services to enable sites, communities, and application scientists to determine precisely who did what, where and when. Dynamic ports in firewalls –Services to open and close ports dynamically for applications while enforcing site policy. Identity management –Services to seamlessly manage identity and access control across sites and collaborations, and to allow for rapid response to security incidents. Secure middleware –Services to proactively find and fix software vulnerabilities and guarantee deployed security software is current and correctly configured.

Security CET September 27, 2006 GGF Identity Management Problem: –Revocation mechanisms are slow and cumbersome –Level of integration amongst various solutions incomplete –Nagging issues of credential renewal, configuration management, etc. Near Term Approach: –Build on existing solutions: VOMS, CAS, GUMS, MyProxy, GSI, OCSP –Integrate and deploy, e.g. Deploy OCSP service; client support in GT, MyProxy, etc. VOMS support in GridFTP, MyProxy GUMS callout into GT, MyProxy

Security CET September 27, 2006 GGF SOS CET MyProxy Deliverables Von Welch and Jim Basney NCSA

Security CET September 27, 2006 GGF MyProxy News MyProxy Certificate Authority is 1 year old –Issues short-lived certificates based on PAM, Kerberos, X.509, and/or Pubcookie authentication –Many improvements over past year: LDAP and custom call-outs Support for credential renewal –See MyProxy VOMS authorization support –Developed by / Presented by Daniel Kouril –See MyProxy Java improvements –Support for credential renewal in Java CoG –MyProxy JAAS module (

Security CET September 27, 2006 GGF Plans in Bugzilla Many plans are described in MyProxy bugzilla Numbers in presentation correspond to bugzilla entry number –e.g. “(#101)” refers to bug 101 Visit bugzilla to see more details and provide feedback Add yourself to cc list for bugzilla item to stay up-to-date on development Bugzilla can be found by visiting URL below and clicking on “Bugs” link on left: –

Security CET September 27, 2006 GGF FY 07 MyProxy Deliverables Audit logging (#343) –Integration with general SOS audit framework –Logging of events to allow for intrusion detection, forensics, usage analysis, etc. Brute Force attack protection (#325) –Resistance to password-guessing attacks on MyProxy server Continued…

Security CET September 27, 2006 GGF FY 07 MyProxy Deliverables (cont) Code audit –In collaboration with UW-Madison VOMS support –MyProxy issuing credentials with VOMS assertions (#298) –Item #1 from –Daniel Kouril just did item #2: MyProxy server support authorization based on VOMS

Security CET September 27, 2006 GGF FY08 MyProxy Deliverables Renewal capabilities (#296) –Generalization of EGEE renewal service concept to work with other Grid Infrastructure –Collaborate to also support Glite delegation service interface also a possibility Replication capabilities –Server replication for high-availability (#275) –Fail-over support in clients (#306) Continued…

Security CET September 27, 2006 GGF FY08 MyProxy Deliverables (cont) Cryptographic assessment –In collaboration w/LBNL Integration with OCSP (#281) –Determination of invalid credential prior to issuance –Allows RPs to increase trust in MyProxy-issued credentials, decrease need for RP to check –Decreases trouble-shooting aspects by detecting bad credentials early

Security CET September 27, 2006 GGF FY09-FY11 MyProxy Deliverables PKCS11 Support –Obtain Grid credentials via existing HW tokens E.g. FIPS 201, Smart Cards –Provide MyProxy credentials to PKCS11-aware applications (#291) E.g. Web browsers Name-mapper service callout (#344) –Allow MyProxy to callout to determine mapping from authenticated client identity to DN –Support for existing Grid services - e.g. GUMS Continued…

Security CET September 27, 2006 GGF FY09-FY11 MyProxy Deliverables (cont) Site credential translation hooks –Enhancement of GT with hooks to callout to MyProxy in order to automatically translate between local credentials and Grid credentials E.g. Kerberos->X509 –Also hooks to translate between Grid credentials and local credentials (e.g. pkinit)

Security CET September 27, 2006 GGF Identity Management Longer term: –XKMS support to ease configuration management –Integrate data access control policy with work on semantic workflows –PKCS 11 support –Ubiquitous hooks in middleware for site security integration E.g. Kerberos, auditing,

Security CET September 27, 2006 GGF Secure Middleware Problem –Grid middleware has become an essential part of the science infrastructure security of this infrastructure is an essential consideration Approach - steps –Architectural analysis to understand the system level view of a middleware component and its external interactions –Identify trust boundaries/threat model to understand the dependencies and areas of concern –Component and system analysis of the particular software to understand vulnerabilities –Disclosure of results process is handled carefully to allow time for mitigation efforts –Mitigation mechanisms to provide means of patching or mitigating the potential security vulnerability

Security CET September 27, 2006 GGF SOS Current Plan for Start Start will be some time after October 2006 Five year development and implementation plan Aggressive schedule and tight funding Expect to be able to work closely with and leverage extensively other efforts already underway internationally