
The current security policy of JINR




Presentation Transcript


  1. The current security policy of JINR

  2. The current JINR local network structure

  3. GRID Cluster Network Structure. The cluster is organized on L2 technology with one broadcast domain. The cluster connects to the JINR backbone by two redundant links.

  4. Site network security
     • The central firewall is built on two mutually redundant Cisco 6500 FW modules and Cisco ACLs.
     • The JINR firewalls control access to each of the permitted services inside JINR.
     • ACLs on the laboratory switches secure the JINR local network.
     • Access to network equipment is provided through a TACACS server and Cisco ACLs (Login, Dial-Up, VPN).
     • Kerberos V provides login to the central information and computing complex.
     • Access to users' home directories is controlled with AFS tokens.

  5. Accounts policy and system security
     • All user passwords are stored in Kerberos V.
     • Home directories are located on AFS.
     • Only secure protocols are allowed (SSL, SSH or Kerberos).
     • Each laboratory may have its own Kerberos server.

  6. Kerberos V with LDAP backend
     • AFS uses Kerberos V.
     • The Kerberos database is stored in LDAP.
     • LDAP is used to store user information.

  7. JINR Network DataBase (IPDB)

  8. Monitoring (NMIS). Each cluster element uses the central logging server. Monitoring for alarms and troubles is provided by NMIS.

  9. AUDIT
     • Network and system audit is based on analyzing logs from the central routers, firewalls and local switches.
     • IDS (intrusion detection system) built on the freeware flow-tools (Cisco NetFlow).
     • In progress: development work on our own PDS, based on the ROOT package.
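The audit slide says the IDS works by analyzing NetFlow records exported from the routers, and slide 5 says only SSL, SSH or Kerberos are allowed. The following is an added example, not JINR's own tooling or any part of the presentation, of what such flow-record analysis looks like in practice: it parses a simplified, constructed record layout (source IP, destination IP, protocol number, source port, destination port, octets, packets; this is not the real column layout of flow-tools' `flow-print` output) and raises two kinds of findings a site operator would want from NetFlow: flows to plaintext login or file-transfer services that the accounts policy forbids, and sources whose flows look like a port scan or a host sweep. The sample records, the list of forbidden ports and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Destination ports of plaintext services the site policy forbids.
# Constructed list: the presentation only names SSL, SSH and Kerberos as allowed.
PLAINTEXT_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}

TCP = 6  # IP protocol numbers as they appear in NetFlow records
UDP = 17


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    octets: int
    packets: int


def parse_flow_line(line: str) -> Optional[Flow]:
    """Parse one whitespace-separated record in the constructed layout:
    srcIP dstIP proto srcPort dstPort octets packets.
    Blank lines and '#' comments yield None; anything else malformed raises."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = line.split()
    if len(f) != 7:
        raise ValueError(f"malformed flow record: {line!r}")
    return Flow(f[0], f[1], int(f[2]), int(f[3]), int(f[4]), int(f[5]), int(f[6]))


def plaintext_service_flows(flows):
    """TCP flows whose destination port is a forbidden plaintext service,
    returned as (src, dst, service-name) tuples in record order."""
    return [(fl.src, fl.dst, PLAINTEXT_PORTS[fl.dport])
            for fl in flows if fl.proto == TCP and fl.dport in PLAINTEXT_PORTS]


def scan_suspects(flows, port_threshold=10, host_threshold=10):
    """Sources touching many distinct ports on one host (vertical scan) or
    many distinct hosts on one port (horizontal sweep). Thresholds are
    constructed for the example; a real deployment tunes them per site."""
    ports_per_pair = defaultdict(set)   # (src, dst)   -> destination ports seen
    hosts_per_port = defaultdict(set)   # (src, dport) -> destination hosts seen
    for fl in flows:
        ports_per_pair[(fl.src, fl.dst)].add(fl.dport)
        hosts_per_port[(fl.src, fl.dport)].add(fl.dst)
    vertical = sorted({src for (src, _), ports in ports_per_pair.items()
                       if len(ports) >= port_threshold})
    horizontal = sorted({src for (src, _), hosts in hosts_per_port.items()
                         if len(hosts) >= host_threshold})
    return vertical, horizontal


def audit(records):
    """Run both checks over an iterable of record lines."""
    flows = [fl for fl in map(parse_flow_line, records) if fl is not None]
    return {"plaintext": plaintext_service_flows(flows), "scans": scan_suspects(flows)}


def sample_records():
    """Constructed sample records (not real JINR traffic)."""
    lines = [
        "# proto 6 = TCP, 17 = UDP",
        "10.1.2.3  10.1.9.10  6  40123 22  5120 40",   # SSH: allowed
        "10.1.2.3  10.1.9.11  6  40124 23   320  6",   # telnet: forbidden
        "10.1.7.8  10.1.9.12  6  40300 21   880 12",   # FTP: forbidden
        "10.1.5.5  10.1.9.20 17   5000 88  1200  4",   # Kerberos over UDP: allowed
    ]
    # vertical scan: one source probes ports 1..12 on a single host
    lines += [f"10.1.2.3 10.1.9.30 6 {41000 + p} {p} 60 1" for p in range(1, 13)]
    # horizontal sweep: one source probes port 22 on twelve different hosts
    lines += [f"10.1.7.8 10.1.9.{40 + h} 6 {42000 + h} 22 60 1" for h in range(12)]
    return lines


if __name__ == "__main__":
    result = audit(sample_records())
    for src, dst, svc in result["plaintext"]:
        print(f"policy violation: {src} -> {dst} ({svc})")
    vertical, horizontal = result["scans"]
    print("vertical scan sources:", vertical)
    print("horizontal sweep sources:", horizontal)
```

Run against the constructed sample, the check reports the telnet and FTP flows as policy violations, 10.1.2.3 as a vertical scanner and 10.1.7.8 as a horizontal sweeper; the SSH and Kerberos flows produce no finding. Feeding it real flow-tools output would only require rewriting `parse_flow_line` for the actual column layout.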

  10. Problems
     • Problems with hardware filtering of the high-speed incoming data flow (more than 1 Gb).
     • Lack of a common, account-dependent information system that reports the security options of each node and allows tuning these options per node.
     • Lack of hardware data-flow encryption devices for secure data transfer.

  11. Near Future Plans
     • Partial replacement of Linux "iptables" with Cisco ACLs to increase data transmission speed.
     • Installation of LDAP authentication instead of /etc/passwd.
     • Future modification of the IDS and PDS systems.
