Network/Security Talking Points. ECI Workshop NSF 6-7 Dec 2004. Major Topics for Discussion. Networking Trends: Bigger, Faster, Cheaper – but “it’s the software, stupid”. Security Concerns: User Identification, Role-based Authorization, Data integrity, Data Security, Privacy.
Network/Security Talking Points ECI Workshop NSF 6-7 Dec 2004
Major Topics for Discussion
• Networking Trends: Bigger, Faster, Cheaper – but “it’s the software, stupid”
• Security Concerns
• User Identification
• Role-based Authorization
• Data integrity
• Data Security
• Privacy
Networking in the 21st Century
• National 10-gigabit research networks
• TeraGrid, National LambdaRail
• Internet2 backbone to go beyond 10 Gigabits
• International connections at 10+ Gbits and growing
• Shared/distributed datasets can be quite large
• Networking and application software have a long way to go to effectively utilize this resource
National Lambda Rail
• Consortium of GigaPOPs that collectively own 1000’s of miles of fiber
• Multiple 10-gigabit networks running on this fiber (DWDM)
[Figure: NLR map. Source: John Silvester, Dave Reese, Tom West, CENIC]
Driving Observations
• Aggregate carrying capacity of fiber is doubling faster than yearly
• DWDM (long-haul), CWDM (Metro, Campus)
• Each fiber carries multiple signals differentiated by color
• System network interface increases by O(10) ~ every 5 years
• This is on Moore’s curve, not on the fiber curve
• Over the next decade, the external bandwidth to a collection of machines (cluster) roughly matches their aggregate BW
• Value of the external network changes
• Aside: NIC bandwidth approaches memory bandwidth
Reality The Clogged (and ossified) Internet… < 50Mbps is Common File Transport, NASA EOSDIS Source: Bernard Minster, SIO, UCSD
Critical Networking Challenge
• Observe that networks are getting significantly faster
• Learn to design software for this future environment
• MIT Athena Project took this exact approach with X-Windows
Security
• User Identification
• Globus team proposed 10 years ago that public key cryptography and user credential management were essential building blocks for mutually authenticating “single sign on grids” (GSI)
• Right technology
• Too hard for users with the current state of tools (this is improving)
How Single Sign On Works (Abbreviated)
• User requests a public/private key pair from a certificate authority (CA)
• CA issues pair to user, records the footprint and makes the user responsible for management
• User creates a grid proxy (time limited) from private key. Proxy can be validated with the user’s public key.
• Proxy is transferred to a site as the identity of the user
• If the proxy is valid
• If the site trusts the issuer of the user’s certificate
• If the site can match the valid identity to a local account
• If the local account is in good standing
• Then, the user is signed onto the grid resource
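The site-side decision in this slide, as an added example (not from the original talk and not Globus/GSI code). Ed25519-signed records stand in for X.509 certificates and proxies; the names `Cert`, `issue`, `SignOn` and `Scenario`, the DNs and the account map are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"time"
)

type Cert struct { // simplified stand-in for an X.509 certificate or proxy
	Subject  string
	Key      ed25519.PublicKey
	NotAfter time.Time
	Sig      []byte // by the CA for a user certificate, by the user for a proxy
}

func (c Cert) tbs() []byte { return []byte(fmt.Sprintf("%s|%x|%d", c.Subject, c.Key, c.NotAfter.Unix())) }
func issue(subj string, minutes int, signer ed25519.PrivateKey) (Cert, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(nil) // fresh key pair for the subject
	c := Cert{Subject: subj, Key: pub, NotAfter: time.Now().Add(time.Duration(minutes) * time.Minute)}
	c.Sig = ed25519.Sign(signer, c.tbs())
	return c, key
}

// SignOn applies the four site-side checks in the order the slide lists them.
func SignOn(proxy, user Cert, ca ed25519.PublicKey, gridMap map[string]string, suspended map[string]bool) string {
	acct, mapped := gridMap[user.Subject]
	switch {
	case time.Now().After(proxy.NotAfter) || !ed25519.Verify(user.Key, proxy.tbs(), proxy.Sig):
		return "denied: proxy invalid or expired"
	case !ed25519.Verify(ca, user.tbs(), user.Sig):
		return "denied: issuer not trusted"
	case !mapped:
		return "denied: no local account"
	case suspended[acct]:
		return "denied: account not in good standing"
	}
	return "signed on as " + acct
}

// Scenario runs one sign-on with constructed keys, names and site policy.
func Scenario(dn string, proxyMin int, trusted, suspended bool) string {
	caPub, caKey, _ := ed25519.GenerateKey(nil)
	if !trusted {
		caPub, _, _ = ed25519.GenerateKey(nil) // the site trusts some other CA
	}
	user, userKey := issue(dn, 60, caKey)
	proxy, _ := issue(dn+"/CN=proxy", proxyMin, userKey)
	return SignOn(proxy, user, caPub, map[string]string{"/O=Example/CN=alice": "alice"}, map[string]bool{"alice": suspended})
}
func main() { fmt.Println(Scenario("/O=Example/CN=alice", 30, true, false)) }
```

A negative `proxyMin` produces an already expired proxy, which shows that the time limit is enforced before any trust or account check is reached.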
Identity Management is Step 0
• Real-world problems
• Explicit certificate management by users is untenable
• Users lose passwords
• Users lose private/public keypairs
• Users mistakenly transmit passwords in the clear because private key is on a shared resource (e.g. NFS share).
• Sites read too much into what a certificate “Certifies”
• Emerging common solution
• A grid certificate bank holds private/public keypairs
• Using only a small number of access mechanisms, the bank will generate a proxy on behalf of the user (e.g. MyProxy or CAS)
• Users only see username/passwords
• This is only the initialization step; Grids still have to understand what roles a particular user has.
Identity Management Challenge #1
• It is easy to build Certificate Authorities (e.g. one for NEON, one for GEON, one for TeraGrid, …)
• It is more difficult to get other sites to accept a foreign CA’s signing policy
• Identity Trust/Transformation Systems (e.g. Shibboleth) can ease this.
• ?? For all grid based science
• Build or Buy a CA?
• Second challenge: what happens when a user has multiple certificates? (E.g. which passport does a dual citizen use to enter a country?)
• Third challenge: what do you read into the identity provided by a certificate?
Authorization
• Identity just says who, not “what is allowed”
• Role-based authorization is one essential
• A dearth of tools exists in this area
Data Integrity
• How do you validate data that resides in an archive?
• Do not believe that magnetic storage systems (e.g. disk) don’t mangle bits … “bit rot” is real.
• How do you validate data that is coming from sensors?
• How do you provide data provenance for derived data?
Data Security
• End-to-End Encryption is the only type of encryption that can be reasoned about (transmission security)
• How do you audit who has accessed/changed data?
• User (and machine) authorization (e.g. derived from GSI credentials) is critical
• Can you watermark digital data so that the original source is embedded in the complete set?
Data Privacy
• Can outsiders determine who has accessed what on the grid?