
Grid Security at NERSC/LBL. Presented by Steve Chan, Network, Security and Servers Group. Office of Science, U.S. Department of Energy. Presentation transcript:


Slide 1: Grid Security at NERSC/LBL
Presented by Steve Chan (sychan@lbl.gov), Network, Security and Servers Group, NERSC

Slide 2: NERSC Grid Capabilities

Slide 3: Grid Security Issues
Host security
 – Remote exploits
 – Local exploits
Network security
 – Firewall configuration
 – Network intrusion detection
Account security
 – Certificate management
 – Scalable user account management
Policies
 – Acceptable use
 – Audit trails

Slide 4: NERSC Grid Security Technologies
Centralized authorization
 – LDAP-based solution
NERSC PKI infrastructure
 – Integration with NIM database
 – Certificate management
Grid firewall work
 – Mitigation policies and recommendations
 – Bro network intrusion detection
    • Real-time analysis of Grid traffic
 – Certificate identification
Linux kernel extension to track certificate DN
 – LKM that binds a certificate name to processes

Slide 5: NERSC PKI Infrastructure
Existing certificate policies block usability enhancements
 – Cannot create and manage certificates on behalf of the user
 – Cannot integrate the password with site authentication
New CA from ESnet allows more freedom
 – NERSC can integrate the account management system with certificate generation
    • Users can request that certs be stored in the NERSC repository
    • No need to manage certificates
 – Centralized certificate repository
    • MyProxy server with extensive security modifications
    • Enforces passphrase strength requirements
 – Potential for PAM integration
    • Seamless integration of PKI with the normal login process
 – Drawbacks
    • Nobody recognizes the new CA
    • Nobody recognizes the new CA (did I say that already?)

Slide 6: Bro Network Intrusion Detection
Bro is the standard NERSC/LBL NIDS
 – Watches all network traffic
 – Detects rootkits, remote exploits and anomalous behavior
 – Stops traffic at the border
Extended to support Grid services
 – Disassembles GSI authentication
    • Can examine the certificates being used
 – Analyzes content of network connections
    • Can “see” dangerous content coming over Globus services
    • Works on gsi-ftp and Gatekeeper
Porting functionality to SNORT is being considered
Scott Campbell (scampbell@lbl.gov) leads this work

Slide 7: Linux Kernel Module for Certificate DN
Kernel module that associates a cert DN with a process
 – Interface via /proc
 – Immutable
 – Inherited by children
 – Queried via /proc and command line
Modified gatekeeper and gsi-ftp to set this for each connection
Ability to send this information to the execution host in a batch environment
Shane Canon (scanon@lbl.gov) is lead
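The three properties listed on this slide (set once, inherited by children, queryable) are easiest to see as a lifecycle. The following is an added user-space model of that tagging behaviour, not the NERSC kernel module itself; the process table, the `/DC=org/DC=example/...` DNs and the gatekeeper/handler/job structure are constructed for illustration.

```python
"""User-space model of the per-process certificate DN tag (slide 7).

Assumed semantics (this is an illustration, not the real LKM):
- a DN is bound to a process once and can never be rebound,
- a child created after the bind inherits the parent's DN,
- a child created before the bind gets no DN,
- any process's DN can be queried, as the /proc entry would allow.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


class TagImmutable(Exception):
    """Raised when code tries to rebind a DN that is already set."""


@dataclass
class ProcTable:
    # pid -> DN; None means "no certificate bound" (e.g. a local login)
    tags: Dict[int, Optional[str]] = field(default_factory=dict)
    next_pid: int = 1

    def spawn(self, parent: Optional[int] = None) -> int:
        """Create a process; a child copies its parent's DN at fork time."""
        pid = self.next_pid
        self.next_pid += 1
        self.tags[pid] = self.tags.get(parent) if parent is not None else None
        return pid

    def bind_dn(self, pid: int, dn: str) -> None:
        """What the modified gatekeeper/gsi-ftp does once per connection."""
        if self.tags.get(pid) is not None:
            raise TagImmutable(f"pid {pid} already bound to {self.tags[pid]}")
        self.tags[pid] = dn

    def query(self, pid: int) -> Optional[str]:
        """Equivalent of reading the /proc entry for that pid."""
        return self.tags.get(pid)


def demo() -> dict:
    """Run the lifecycle and return what an auditor would observe."""
    pt = ProcTable()
    gatekeeper = pt.spawn()                      # long-running daemon, no DN
    handler = pt.spawn(parent=gatekeeper)        # per-connection handler
    early_job = pt.spawn(parent=handler)         # forked before the bind
    pt.bind_dn(handler, "/DC=org/DC=example/CN=Alice")   # constructed DN
    job = pt.spawn(parent=handler)               # forked after: inherits
    try:
        pt.bind_dn(job, "/DC=org/DC=example/CN=Mallory")  # must fail
        rebound = True
    except TagImmutable:
        rebound = False
    return {"early": pt.query(early_job), "job": pt.query(job), "rebound": rebound}
```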

Slide 8: Grid Security Policies
Defining standards
 – Port ranges for Grid apps
 – Requirements on applications
    • No anonymous logins
    • Self-identifying protocols
Updating policies to support Grid computing
 – How to support large numbers of users?
 – X.509 certs: exposed to users and administrators
    • Maybe we should push it back under the covers again?
 – Opening networks for distributed applications

Slide 9: Unresolved Issues
Lack of integration with site authentication
 – Users must remember multiple passwords
 – Hopefully can be resolved with a PAM-authenticated on-line CA
 – Potential for relatively transparent integration of PKI (comparable to Kerberos)
Certificate revocation
Authorization system for virtual organizations
Consistent software configuration across multiple sites

