Presentation is loading. Please wait.

Presentation is loading. Please wait.

Open Science Grid Security Issues and Activities Bob Cowles Middleware Security Group – CERN 08 March 2006.

Published byMarilynn Fleming Modified over 8 years ago

Similar presentations

Presentation on theme: "Open Science Grid Security Issues and Activities Bob Cowles Middleware Security Group – CERN 08 March 2006."— Presentation transcript:

1 Open Science Grid Security Issues and Activities Bob Cowles bob.cowles@slac.stanford.edu Middleware Security Group – CERN 08 March 2006

2 OSG Security Issues and Activities 2 OSG - a Consortium -

3 08 March 2006 OSG Security Issues and Activities 3 OSG Security People OSG proposal to NSF and DOE has 3 thrusts: OSG Facility Education Training and Outreach (EOT) Science Driven Extensions. Hope to get funding around July ‘06. Don Petravick in Facility: OSG Facility Security Officer. Bob Cowles in Extensions: Responsibilities to GGF, TAGPMA, New Security CS developments for SciDAC-2 EGEE middleware meetings etc.

4 08 March 2006 OSG Security Issues and Activities 4 OSG Draft Security Plan Additions to what we have been doing in OSG to date: An OSG Facility (OSGF) security cyclical process including:  Enumeration of OSGF assets  Consideration of threats to them, and vulnerabilities.  Implementation of controls to reduce risk to acceptable level,  Monitoring the controls to assess their effectiveness. Will be reading EGEE documents for input.

5 08 March 2006 OSG Security Issues and Activities 5 Security Infrastructure Security infrastructure improvements of interest: Better handling of CRL functionality Respond expeditiously to identified VDT vulnerabilities Think about how to do some spot audits Deployment of glide-in and pilot jobs – Certificate delegation & identity control more important. Plan to evaluate glExec over next 2 months Wisconsin/Fermilab/UCSD.

6 08 March 2006 OSG Security Issues and Activities 6 JIT Workload Management ATLAS (PanDA) and CDF (GlideCAF) submit “pilot jobs” on OSG with an “administrator” rather than a “user” credential. Once the pilot is launched in a site’s batch slot, it pulls a workload according to VO priorities at launch time. This violates the security policies at sites that require knowledge & control over who runs arbitrary user code at their site.  CDF agreed with FNAL to find solution by August 2006

7 08 March 2006 OSG Security Issues and Activities 7 Solution – Minimal Proposal VO Responsibility:  Pilot job calls “home” to obtain user credential for job to run.  Pilot job presents user credential to site service. Can we use glexec for this ?  Pilot job does NOT directly run user jobs Site Responsibility:  Trust VO to play by the rules.  Allow VO to call “home” in a secure way (i.e. VO admin credentials available to pilot job).  Site service accessible to pilot job from all worker nodes.  Site service interfaced with OSG authz infrastructure.  Site service switch UID context to prevent user apps access to VO admin credentials

8 08 March 2006 OSG Security Issues and Activities 8 Other Desired Features Maintain control/connectivity between pilot and user apps.  Don’t break Condor glide-in features File transfer Killing jobs from remote Preemption & checkpointing Proxy renewal of user proxy Stdout/stderr …

9 Security for Open Science Center for Enabling Technology Lead PI - Deb Agarwal, Lawrence Berkeley National Laboratory - Lawrence Berkeley National Laboratory - Brian Tierney, Mary Thompson Argonne National Laboratory - Frank Siebenlist, Ian Foster Pacific Northwest National Laboratory - Jeff Mauth, Deb Frincke University of Illinois, NCSA - Von Welch, Jim Basney University of Virginia - Marty Humphrey University of Wisconsin - Miron Livny, Bart Miller National Energy Research Scientific Computing Center - Howard Walter Energy Science Network - Michael Helm University of Delaware – Martin Swany

10 08 March 2006 OSG Security Issues and Activities 10 Guiding Principles For DOE applications and facilities Focus on capabilities that are priorities and NEEDED Work closely with a few committed applications and facilities Provide both development and deployment with and in support Deliverables  18 months - Concrete near term goals for deployment activities  year 3 and year 5 - Longer term deliverables for deployment and possible research activities Currently Planned application Partnerships  OSG, Fusion, Astronomy (LANL), ESG, etc Currently Planned Facilities Partnerships  NERSC, NCSA, ESnet, NLCF, etc

11 08 March 2006 OSG Security Issues and Activities 11 Distributed Science Security Problems Applications & middleware poorly integrated w/ site security Difficult to track users and usage across sites Virtual organizations and sites do not have all the tools needed to manage security Forensics in distributed environments is tedious and information is scarce Grid middleware poses a potentially inviting hacker target in the future as we deploy these large grids Credential revocation is very difficult currently Firewalls often limit the application connectivity options

12 08 March 2006 OSG Security Issues and Activities 12 Topic Areas Auditing and forensics  Services to enable sites, communities, and application scientists to determine precisely who did what, where and when. Dynamic ports in firewalls  Services to open and close ports dynamically for applications while enforcing site policy. Identity management  Services to seamlessly manage identity and access control across sites and collaborations, and to allow for rapid response to security incidents. Secure middleware  Services to proactively find and fix software vulnerabilities and guarantee deployed security software is current and correctly configured.

13 08 March 2006 OSG Security Issues and Activities 13 Auditing/Forensics – Issues  Multi-institutional collaborations with extensive remote access  Virtual organizations need to be able to track resource usage, credential usage, data access, etc  Difficult to get consistent audit information across sites  Different groups need different audit information  Sample questions that are currently hard to answer: Give me a list of all data files opened by User X in the last week What are the list of sites that user X accessed in the past week? Give me a list of all users who used shared account X on resource Y yesterday. Who made requests to the dynamic firewall service yesterday? Did the IDS see any traffic on ports that where supposed to be closed, based on auditing information from the dynamic firewall service?

14 08 March 2006 OSG Security Issues and Activities 14 Auditing/Forensics High-Level Approach:  An end-to-end auditing infrastructure which uses a policy language to allow resource (both systems and data) owners specify where auditing information may be published and who may access the audit logs. Components  Logging software (instrumentation) - Applications call easy-to-use libraries to log events with detailed information.  Normalizers– Agents transform existing logs so that they can be incorporated into the common schema of the audit system.  Collection sub-system (forwarder) – Audit logs are collected by a dependable, secure collection system.  Repository (database, publisher) – Audit logs are sent over the network, normalized, and archived. Then they are made available through a query interface.  Forensic tools (analysis) – Forensic tools query and process the audit data to find problems and answer questions.

15 08 March 2006 OSG Security Issues and Activities 15 Auditing/Forensics

16 08 March 2006 OSG Security Issues and Activities 16 Firewall Ports – Issues Ports needed by Grid middleware are often blocked by firewalls  These firewalls are both host-based and network-based.  Dynamically assigned ports are particularly problematic E.g.: GridFTP data ports Many sites allow outgoing, but not incoming connections  How do a Grid FTP between 2 sites that both only allow outgoing connections?

17 08 March 2006 OSG Security Issues and Activities 17 Firewall Ports High-level Approach:  Tools and services to dynamically open and close ports needed by applications and middleware based on authentication and authorization Components  Configuration Broker maintains the overall state of the firewall configuration for the site, validates user credentials, and verifies that requested actions are consistent with site policy restrictions.  Firewall Agent interacts with the existing site firewall systems, receiving direction from the Configuration Broker.  The Validation Service receives information about the completed firewall changes and continually analyzes network traffic to insure there are no errors in the firewall configuration.  The Programming API is the mechanism for software to make requests to the broker.

18 08 March 2006 OSG Security Issues and Activities 18 Firewall Ports

19 08 March 2006 OSG Security Issues and Activities 19 Identity Management – Issues Revocation mechanisms are slow and cumbersome Level of integration amongst various solutions incomplete Nagging issues of credential renewal, configuration management, etc.

20 08 March 2006 OSG Security Issues and Activities 20 Identity Management Near Term Approach:  Build on existing solutions: VOMS, CAS, GUMS, MyProxy, GSI, OCSP  Integrate and deploy, e.g. Deploy OCSP service; client support in GT, MyProxy, etc. VOMS support in GridFTP, MyProxy GUMS callout into GT, MyProxy Longer term:  XKMS support to ease configuration management  Integrate data access control policy with work on semantic workflows  PKCS 11 support  Ubiquitous hooks in middleware for site security integration E.g. Kerberos, auditing,

21 08 March 2006 OSG Security Issues and Activities 21 Secure Middleware Problem  Grid middleware has become essential to science  Security of this infrastructure is an essential consideration Approach - steps  Architectural analysis to understand the system level view of a middleware component and its external interactions  Identify trust boundaries/threat model to understand the dependencies and areas of concern  Component and system analysis of the particular software to understand vulnerabilities  Disclosure of results process is handled carefully to allow time for mitigation efforts  Mitigation mechanisms to provide means of patching or mitigating the potential security vulnerability

22 08 March 2006 OSG Security Issues and Activities 22 Summary If funded, it is an ambitious program of work Many interconnect points with other grid efforts We must work closely and well for GIN & TONIC The spirit of cooperation we still need …

23 08 March 2006 OSG Security Issues and Activities 23 Discussion?

Download ppt "Open Science Grid Security Issues and Activities Bob Cowles Middleware Security Group – CERN 08 March 2006."

Similar presentations

EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks MyProxy and EGEE Ludek Matyska and Daniel.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org www.glite.org The gLite middleware distribution OSG Consortium Meeting Seattle, 21-23.

EGEE-II INFSO-RI Enabling Grids for E-sciencE The gLite middleware distribution OSG Consortium Meeting Seattle,
FP7-INFRA-222667 Enabling Grids for E-sciencE www.eu-egee.org EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.

FP7-INFRA Enabling Grids for E-sciencE EGEE Induction Grid training for users, Institute of Physics Belgrade, Serbia Sep. 19, 2008.
High Performance Computing Course Notes 2007-2008 Grid Computing.

High Performance Computing Course Notes Grid Computing.
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.

Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.
The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.

The Community Authorisation Service – CAS Dr Steven Newhouse Technical Director London e-Science Centre Department of Computing, Imperial College London.
1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.

1 Software & Grid Middleware for Tier 2 Centers Rob Gardner Indiana University DOE/NSF Review of U.S. ATLAS and CMS Computing Projects Brookhaven National.
National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.

National Center for Supercomputing Applications MyProxy and GSISSH Update Von Welch National Center for Supercomputing Applications University of Illinois.
A Modest Proposal for an Assertion Validation Service Bob Cowles (SLAC/OSG) 28-Mar-2007 thanks to discussions with Frank Siebenlist, Rachana Ananthakrishnan.

A Modest Proposal for an Assertion Validation Service Bob Cowles (SLAC/OSG) 28-Mar-2007 thanks to discussions with Frank Siebenlist, Rachana Ananthakrishnan.
Office of Science U.S. Department of Energy Grids and Portals at NERSC Presented by Steve Chan.

Office of Science U.S. Department of Energy Grids and Portals at NERSC Presented by Steve Chan.
Computing and Data Infrastructure for Large-Scale Science Deploying Production Grids: NASA’s IPG and DOE’s Science Grid William E. Johnston

Computing and Data Infrastructure for Large-Scale Science Deploying Production Grids: NASA’s IPG and DOE’s Science Grid William E. Johnston
TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,

TeraGrid Science Gateways: Scaling TeraGrid Access Aaron Shelmire¹, Jim Basney², Jim Marsteller¹, Von Welch²,
SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University.

SOS EGEE ‘06 GGF Security Auditing Service: Draft Architecture Brian Tierney Dan Gunter Lawrence Berkeley National Laboratory Marty Humphrey University.
Long Term Ecological Research Network Information System LTER Grid Pilot Study LTER Information Manager’s Meeting Montreal, Canada 4-7 August 2005 Mark.

Long Term Ecological Research Network Information System LTER Grid Pilot Study LTER Information Manager’s Meeting Montreal, Canada 4-7 August 2005 Mark.
CoG Kit Overview Gregor von Laszewski Keith Jackson.

CoG Kit Overview Gregor von Laszewski Keith Jackson.
OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.

OSG Middleware Roadmap Rob Gardner University of Chicago OSG / EGEE Operations Workshop CERN June 19-20, 2006.
Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid.

Publication and Protection of Site Sensitive Information in Grids Shreyas Cholia NERSC Division, Lawrence Berkeley Lab Open Source Grid.
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.

INFSO-RI Enabling Grids for E-sciencE SA1: Cookbook (DSA1.7) Ian Bird CERN 18 January 2006.
Grid Resource Allocation and Management (GRAM) Execution management Execution management –Deployment, scheduling and monitoring Community Scheduler Framework.

Grid Resource Allocation and Management (GRAM) Execution management Execution management –Deployment, scheduling and monitoring Community Scheduler Framework.

Similar presentations

Ads by Google