Grid Security Overview
Mike Surridge, IT Innovation Centre
ms@it-innovation.soton.ac.uk
Grid Security Workshop, NESC, 05-06 Dec 2002
© IT Innovation Centre, 2002

Overview
Introductions
The Grid Security Problem
  – as seen by a Comb-e-Chem chemist...
  – motivation for the Rough Guide report
Risks and issues
  – what could go wrong with our Grid security
  – lots of questions – our job is to find answers
Issues for discussion
COMMERCIAL IN CONFIDENCE

IT Innovation
The IT Innovation Centre is an autonomous research centre, alongside the research groups and industrial units of the Department of Electronics and Computer Science at the University of Southampton
We deliver strategies, road maps, proofs-of-concept, demonstrators and novel operational systems
Our innovation capabilities are in the best traditions of Southampton's outstanding record of technological R&D
We have broken new ground in making these capabilities available through a dedicated off-campus Centre with a professional service culture

A Culture Gap (A Chemist’s View of Grid Security)
Provided the user is properly authenticated [and you vouch for them] they can access [Chemistry] kit via the [University] firewall.
If they want to use [University] kit, they will need approval from Computing Services.
If anything bad happens then [you Chemists] are responsible, and are in deep trouble...

The Rough Guide
Intended to raise awareness of Grid security
Aimed at
  – project managers and principal investigators
  – Grid users and application developers
  – Grid infrastructure developers
  – computing services and Grid support teams
Conclusions
  – operational security is a team effort
  – everyone needs to be aware of the key issues

Security Best Practice
Build security in depth
  – like a medieval castle!
Assume breaches will occur
  – don’t rely on a single barrier
  – design for containment
Continuous security
  – intrusion detection methods
  – security advisories and updates
  – well-defined operating protocols
  – review, challenge and audit

Grid Authentication
Based on strong public-key encryption
  – unlikely that a digital signature could be faked
But operational factors are important, e.g.
  – is the CA procedure rigorous enough for you?
  – are the RAs trained to operate it correctly?
  – does the certificate profile meet your needs?
  – could the user’s private key have been lost/stolen?
  – what if a user’s GSI proxy were hijacked?
And...85% of intrusions come from within

Grid PKI
[Diagram labels: User, User, Resource, Resource, The CA]

Conventional PKI
[Diagram labels: User, Resource, CA1, CAn]

Grid Authorisation
Typically done via local account mappings
  – allowing resource owners to retain control
Difficult to implement operationally
  – local resource access controls may not exist
  – local admin teams don’t scale with the size of Grid
Can use role-based schemes and CAS
  – but might CAS be disabled via DoS or spoofing?
  – should outsiders defined/assigned user roles?
  – who is responsible for correct role attribution...?

Grid Infrastructure
Presumably security loopholes exist(!)
  – e.g. buffer overflow vulnerabilities
Security advisory/updates (Jun-Nov’02):
  – Apache: 5 updates
  – Sendmail/Fetchmail: 2 updates
  – OpenSSH/OpenSSL: 4 updates
  – DNS: 2 updates
What about our Grid software?
  – who can provide security updates rapidly?
  – how can they be distributed rapidly?
  – who will apply them?

Grid Applications
Security depends on application developers
  – need awareness of classic vulnerabilities
Uploaded user applications
  – practically uncontainable if malicious...
  – users (and their code) must be 100% trustworthy
Legacy applications
  – not designed for secure remote operation
  – may be full of shell escapes and system calls
Commercial applications
  – e.g. Finite Element codes with VB interpreters!

Damn Those Pesky Firewalls

Firewall Management Issues

Firewall Management Issues

Firewalls and Containment

Intrusion Response
Containment within and between Grid sites
  – firewalls, sandboxes, etc
Detection using standard tools (Tripwire, etc)
  – what if a Grid account is compromised at another site?
  – how might we detect this?
  – can we assume all sites are equally vigilant?
Coherent intrusion response between sites
  – need for consistent (and realistic) usage policies?
  – do we need multi-site project response plans?
  – do we need a UK E-Science/Grid CERT?

A Chemist’s Checklist
Risk assessment and management
  – with computing services involvement and support
  – what are the critical resources and risks?
Technology choices
  – taking account of advisory services, etc
  – backed up by sufficient training?
Consistent operation and usage policies
  – including firewalls, intrusion detection, sanctions, response plans,...
User training and awareness
Continuous review

Summary
Grid technology: pretty good but not well tested
  – need for multiple PKI and/or CA?
  – need for operable authorisation mechanisms?
  – need for coherent intrusion containment/detection strategy?
Operational issues just as important
  – risk assessment and asset management/protection?
  – need for advisories and updates?
  – need for coherent intrusion responses or CERT?
People must be the key to success
  – need for awareness raising and training?
  – how to get buy-in from sys/net admin teams?
  – how to address human factors?