1 Development of the Fermilab Open Science Enclave Policy and Baseline. Keith Chadwick, Fermilab, chadwick@fnal.gov. Work supported by the U.S. Department of Energy under contract No. DE-AC02-07CH11359.

2 What is an Enclave? (03-Mar-2008, Fermilab Open Science Enclave)
[Diagram: "All Computers at Fermilab" contains the General Computing Enclave and the Open Science Enclave; each enclave contains its own Major Applications and Minor Applications.]

3 How do the Enclaves Differ?
General Computing Enclave:
- Systems accessed via strong authentication (Kerberos).
- Windows and Scientific Linux.
- Interactive + batch computing.
- Storage.
- Strong authentication for batch and interactive use.
- Strong authentication and X.509 certificate authentication for "file" access.
- Major and Minor Applications within the Enclave.
Open Science Enclave:
- Systems can be accessed via credentials not issued by Fermilab (DOEgrids).
- Scientific Linux only.
- Batch computing "only"; very limited interactive access.
- X.509 certificate authentication for "batch" computing resource use.
- X.509 certificate authentication for "file" access.
- Major and Minor Applications within the Enclave.

4 Why: Purpose of the Baseline
The settings in the Fermilab Open Science Enclave (OSE) baseline are intended to:
- minimize the exposure of computing resources in the Fermilab Open Science Enclave to known vulnerabilities, and
- reduce the risk of compromise of computing resources in the General Computing Enclave.

5 OSE Computing Resource Definition
A computing resource is administratively defined as being in the Fermilab Open Science Enclave if it meets the following definition:
- A computing resource must be part of the Open Science Enclave (OSE) if it is managed by Fermilab and allows grid users to install and/or run software using credentials which are not issued and revocable by Fermilab.
- Other explicitly identified computing resources supporting the operation of the OSE may be designated part of the OSE by Fermilab.
"Current" inventory of OSE computing resources: http://fermigrid.fnal.gov/monitor/fermigrid-worker-lists.html

6 Baseline Document
The Fermilab OSE baseline was developed by the Fermilab OSE Working Group over a period of approximately four months:
- Mine Altunay, Eileen Berman, Keith Chadwick, Matt Crawford, Mike Diesburg, Stu Fuess, Irwin Gaines, Don Petravick, Igor Sfiligoi, Steven Timm and Dan Yocum.
The current draft of the Fermilab OSE baseline document is available here: http://cd-docdb.fnal.gov/cgi-bin/ShowDocument?docid=2573

7 Mandatory and Recommended Settings
The baseline presents both the minimum (mandatory) and recommended (best practice) levels of security settings.
The baseline is supposed to be a "living" document:
- It is not "written in stone".
- Today's copy does have things that need additional work.
- It will evolve to address issues and threats as they are identified in the future.
The forum for discussing changes to the baseline is the OSE working group:
- Weekly face-to-face meeting.
- "fermigrid-security-discuss" email list.
- "Homework" assignments.
Output from the OSE working group is presented to the Fermilab Computer Security Executive (CSEXEC) for acceptance or additional work.
- There is roughly 50% overlap between the OSE WG and the CSEXEC.

8 Areas Covered by the Baseline
- Physical Security.
- System Registration.
- Secure Installation.
- Daily OS and other updates (CRLs).
- Policies for Accounts.
- Pilot Jobs and gLExec.
- Network Configuration.
- File Systems and File Services (NFS, AFS, other).
- Installation and Configuration of Grid Middleware.
- Accepted Certificate Authorities.
- Required use of Central Grid Services (VOMS, GUMS, SAZ).
- Web Servers, Squid, MyProxy.
- Xen, Edge, VOBox Services.
- Certificates and Certificate Storage.
- Logging and Auditing.
- Backup and Recovery.
- Systems Authorized to Offer "Restricted Central Grid Services".
- Detailed assessment of where specific systems are with respect to compliance with the (draft) baseline.
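The property that defines the OSE (slides 3 and 5) is that users authenticate with X.509 credentials Fermilab did not issue and cannot revoke, so the only revocation signal the site has is the issuing CA's CRL; that is why "Accepted Certificate Authorities" and "Daily ... updates (CRLs)" both appear in the list of baseline areas above. The Go program below is an added example written for this page, not Fermilab or FermiGrid code, showing the gate an OSE resource would apply before admitting a user certificate: the certificate must chain to a CA on the accepted list, that CA's CRL must be signed by the CA and still current (its NextUpdate not yet passed, which is what the daily refresh guarantees), and the certificate's serial must not be listed. The CA names, user names, serial numbers, the 24-hour CRL validity window and the function names (AuthorizeGridUser, issue, newCRL, Scenario) are all constructed for the example, and it assumes Go 1.19 or later for x509.ParseRevocationList.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// AcceptedCA is a CA the site trusts plus the CRL last fetched from it (the site's only revocation signal).
type AcceptedCA struct {
	Cert *x509.Certificate
	CRL  *x509.RevocationList
}

// AuthorizeGridUser (hypothetical, written for this page) admits a user certificate only if it chains to
// an accepted CA and that CA's own signed, current CRL does not list it. A missing, unsigned or stale CRL fails closed.
func AuthorizeGridUser(user *x509.Certificate, cas []AcceptedCA, now time.Time) error {
	roots := x509.NewCertPool()
	for _, ca := range cas {
		roots.AddCert(ca.Cert)
	}
	chains, err := user.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return fmt.Errorf("not issued by an accepted CA: %w", err)
	}
	for _, ca := range cas {
		if !ca.Cert.Equal(chains[0][len(chains[0])-1]) { // not the root of the verified chain
			continue
		}
		if ca.CRL == nil || ca.CRL.CheckSignatureFrom(ca.Cert) != nil {
			return errors.New("CRL missing or not signed by issuing CA; refusing")
		}
		if now.After(ca.CRL.NextUpdate) {
			return errors.New("CRL is stale (daily refresh missed); refusing")
		}
		for _, rc := range ca.CRL.RevokedCertificates {
			if rc.SerialNumber.Cmp(user.SerialNumber) == 0 {
				return errors.New("certificate revoked by issuing CA")
			}
		}
		return nil
	}
	return errors.New("issuer not in accepted CA list")
}

// issue makes a constructed certificate: a self-signed CA when parent is nil, else an end-entity cert signed by priv.
func issue(serial int64, cn string, parent *x509.Certificate, priv ed25519.PrivateKey, now time.Time) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.ExtKeyUsage = true, true, nil
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
		parent, priv = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// newCRL signs a constructed CRL that the issuer is expected to republish daily.
func newCRL(ca *x509.Certificate, caKey ed25519.PrivateKey, serials []int64, thisUpdate time.Time) *x509.RevocationList {
	rl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: thisUpdate.Add(24 * time.Hour)}
	for _, s := range serials {
		rl.RevokedCertificates = append(rl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: thisUpdate})
	}
	der, err := x509.CreateRevocationList(rand.Reader, rl, ca, caKey)
	if err != nil {
		panic(err)
	}
	crl, _ := x509.ParseRevocationList(der)
	return crl
}

// Scenario runs four constructed cases; a nil error means the user was admitted.
func Scenario() (valid, revoked, stale, unlisted error) {
	now := time.Now()
	ca, caKey := issue(1, "Constructed Accepted CA", nil, nil, now)
	other, otherKey := issue(1, "Constructed Unlisted CA", nil, nil, now)
	alice, _ := issue(100, "alice", ca, caKey, now)
	mallory, _ := issue(101, "mallory", ca, caKey, now)
	bob, _ := issue(102, "bob", other, otherKey, now)
	fresh := []AcceptedCA{{Cert: ca, CRL: newCRL(ca, caKey, []int64{101}, now.Add(-time.Hour))}}
	old := []AcceptedCA{{Cert: ca, CRL: newCRL(ca, caKey, nil, now.Add(-72*time.Hour))}} // fetched 3 days ago, never refreshed
	return AuthorizeGridUser(alice, fresh, now), AuthorizeGridUser(mallory, fresh, now), AuthorizeGridUser(alice, old, now), AuthorizeGridUser(bob, fresh, now)
}

func main() { fmt.Println(Scenario()) }
```

The stale case is the one that matters operationally: if the daily CRL fetch silently fails, a gate that only asks "is the serial on the list I have?" keeps admitting users the issuer has already revoked, so the check refuses once NextUpdate has passed rather than treating an old CRL as good news.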

9 Baseline Status
The baseline is currently in draft form. Still to come: incorporation of the comments from the experimental communities' review of the baseline, followed by a review of the revised baseline by the experimental communities and Computing Division management.
Once the baseline is formally accepted by the Computing Division, all systems in the Fermilab Open Science Enclave will be required to (eventually) come into compliance with it.
Several Fermilab organizations are already taking steps to move to configurations that are closer to compliance with the baseline.

10 Fin. Any Questions?
