Presentation is loading. Please wait.

Presentation is loading. Please wait.

Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy.

Published byAnissa Stephany Oliver Modified over 9 years ago

Similar presentations

Presentation on theme: "Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy."— Presentation transcript:

1 Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy

2 Suspended DN can’t submit jobs to sites Automated Suspension: – “Fast”: Delays configurable & known in advance – Completely automated: No human communication delays Works outside working hours Uniform response guaranteed Unbanning also automated: – False positive cost controlled – Uniform state, no suspension left behind Vincent Brillault2 Emergency suspension HEPiX Spring 2014, Annecy

3 Old procedure: – Detect something (e.g. BitCoin mining) – Forensics & Analysis of incident – Escalate with other sites if needed – Contact the user & the VO – If malicious activity confirmed, not from user: Ask all sites to ban the DN Notify the CA of the potential Certificate compromise Vincent Brillault3 Suspension procedures HEPiX Spring 2014, Annecy

4 New procedure: – Detect something – Rapid analysis (check for false positive) – Add the user to the emergency suspension list – Forensics & Analysis of incident – Escalate with other sites if needed – Contact the user & the VO – Remove from suspension list if user recognize activity (e.g. Bitcoin “testing”) or false positive Vincent Brillault4 Suspension procedures HEPiX Spring 2014, Annecy

5 Faster response: – Smaller resource losses – Reduce propagation & escalation risks Potential false positive: – Initial analysis decreases the probability – Cost: Depends on list diffusion delays Configurable/controllable Vincent Brillault5 Suspension new procedure HEPiX Spring 2014, Annecy

6 Hierarchical infrastructure: – Central servers hosted by CERN – (EGI) Relays hosted by each NGI – (EGI) sites contact only their own NGI Hierarchical rules: – Central rules: WLCG/EGI/OSG security officers – NGI rules: NGI security officers – Sites rules: Site adminitrators Vincent Brillault6 Suspension Infrastructure HEPiX Spring 2014, Annecy

7 Old EGEE project gLExec integration (Argus-PEP) Argus-PAP: – Local ACLs – Pulls remote rules Support: – Authors have dropped the project – Future support by INFN Vincent Brillault7 Argus HEPiX Spring 2014, Annecy

8 Privacy (on central list): – x509 authentication – Only accredited clients can get the suspension list Interoperability: – Argus: soap interface, can be fetched by curl! – Raw YAML list available at CERN (ACL on demand) Vincent Brillault8 Suspension Infrastructure HEPiX Spring 2014, Annecy

9 Delay propagation to Argus nodes: – Special (invalid) DN banned every day – Nagios probe – EGI will monitor NGI Argus nodes Suspension testing ? – Would require a valid banned DN – Not foreseen in close future Vincent Brillault9 Monitoring HEPiX Spring 2014, Annecy

10 Propagate Emergency Suspension list to VOs: – Simultaneous automatic suspension on VO side – Protects resources managed by VOs – Redundancy Kill jobs of suspended users? – Running malicious jobs are currently not killed! – No easy solution with current infrastructure… Vincent Brillault10 Future Potential Evolutions HEPiX Spring 2014, Annecy

11 Author/more info Questions ? 11

12 Curl: curl --cacert /etc/grid-security/certificates/CERN-TCA.pem --cert $CERT --key $KEY -H 'SOAPAction: ""' -H "Content-Type: text/xml; charset=utf- 8" -H "Content-type: text/xml; charset=utf-8" -H 'Soapaction:""' -X POST -d ' default ' 'https://lcg- argus.cern.ch:8150/pap/services/XACMLPolicyManagementService?wsdl' – XACML output (can be parsed by XML parsers) Python: – ‘Simple’ solution using soap & xml libs – Ask me the code ;) Vincent Brillault12 Fetching the list HEPiX Spring 2014, Annecy

Download ppt "Emergency Suspension list Vincent BRILLAULT HEPiX Spring 2014, Annecy."

Similar presentations

29 June 2006 GridSite - www.gridsite.org - Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.

29 June 2006 GridSite Andrew McNabwww.gridsite.org VOMS and VOs Andrew McNab University of Manchester.
Securing the Borderless Network March 21, 2000 Ted Barlow.

Securing the Borderless Network March 21, 2000 Ted Barlow.
Universal Plug and Play (UPnP) Presented by: Kamal Kamal Kamal Kamal Mohammad Atieh Mohammad Atieh.

Universal Plug and Play (UPnP) Presented by: Kamal Kamal Kamal Kamal Mohammad Atieh Mohammad Atieh.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 15: Internet Explorer and Remote Connectivity Tools.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 15: Internet Explorer and Remote Connectivity Tools.
DISTRIBUTED PROCESS IMPLEMENTAION BHAVIN KANSARA.

DISTRIBUTED PROCESS IMPLEMENTAION BHAVIN KANSARA.
Research on Non-repudiation service By Yi Zhang. Motivation of Non-repudiation In paper-based business Electronic business transactions Less physical.

Research on Non-repudiation service By Yi Zhang. Motivation of Non-repudiation In paper-based business Electronic business transactions Less physical.
Securing Legacy Software SoBeNet User group meeting 25/06/2004.

Securing Legacy Software SoBeNet User group meeting 25/06/2004.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 01/29/2014.
OSG Operations and Interoperations Rob Quick Open Science Grid Operations Center - Indiana University EGEE Operations Meeting Stockholm, Sweden - 14 June.

OSG Operations and Interoperations Rob Quick Open Science Grid Operations Center - Indiana University EGEE Operations Meeting Stockholm, Sweden - 14 June.
OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014.

OSG Area Coordinators Meeting Security Team Report Mine Altunay 06/25/2014.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
Security Update Vincent BRILLAULT HEPiX Spring 2014, Annecy.

Security Update Vincent BRILLAULT HEPiX Spring 2014, Annecy.
HPDC 2007 / Grid Infrastructure Monitoring System Based on Nagios Grid Infrastructure Monitoring System Based on Nagios E. Imamagic, D. Dobrenic SRCE HPDC.

HPDC 2007 / Grid Infrastructure Monitoring System Based on Nagios Grid Infrastructure Monitoring System Based on Nagios E. Imamagic, D. Dobrenic SRCE HPDC.
EGEE-II INFSO-RI-031688 Enabling Grids for E-sciencE www.eu-egee.org EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.

EGEE-II INFSO-RI Enabling Grids for E-sciencE EGEE and gLite are registered trademarks Simply monitor a grid site with Nagios J.
WP4 Security and AA(A) issues For WP4: David Groep

WP4 Security and AA(A) issues For WP4: David Groep
OSG Security Kevin Hill. Goals Operational Security – Identify software vulnerabilities – observing the practices of our VOs and sites, and sending alerts.

OSG Security Kevin Hill. Goals Operational Security – Identify software vulnerabilities – observing the practices of our VOs and sites, and sending alerts.
Blueprint Meeting Notes Feb 20, 2009. Feb 17, 2009 Authentication Infrastrusture Federation = {Institutes} U {CA} where both entities can be empty TODO1:

Blueprint Meeting Notes Feb 20, Feb 17, 2009 Authentication Infrastrusture Federation = {Institutes} U {CA} where both entities can be empty TODO1:
Www.egi.eu EGI-InSPIRE RI-261323 EGI-InSPIRE www.egi.eu EGI-InSPIRE RI-261323 EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI EGI Federated Cloud F2F Security Issues in the cloud Introduction Linda Cornwall,
02/07/09 1 WLCG NAGIOS Kashif Mohammad Deputy Technical Co-ordinator (South Grid) University of Oxford.

02/07/09 1 WLCG NAGIOS Kashif Mohammad Deputy Technical Co-ordinator (South Grid) University of Oxford.

Similar presentations

Ads by Google