Grid Security at NERSC/LBL
Presented by Steve Chan, sychan@lbl.gov
Network, Security and Servers Group, NERSC
Grid Security Issues
• Host security
  • Remote exploits
  • Local exploits
• Network security
  • Firewall configuration
  • Network intrusion detection
• Account security
  • Certificate management
  • Scalable user account management
• Policies
  • Acceptable use
  • Audit trails
NERSC Grid Security Technologies
• Centralized authorization
  • LDAP-based solution
• NERSC PKI infrastructure
  • Integration with the NIM database
  • Certificate management
• Grid firewall work
  • Mitigation policies and recommendations
• Bro network intrusion detection
  • Real-time analysis of Grid traffic
  • Certificate identification
• Linux kernel extension to track certificate DN
  • LKM that binds a certificate name to processes
NERSC PKI Infrastructure
• Existing certificate policies block usability enhancements
  • Cannot create and manage certificates on behalf of the user
  • Cannot integrate the password with site authentication
• New CA from ESNet allows more freedom
  • NERSC can integrate the account management system with certificate generation
  • Users can request that certs be stored in the NERSC repository
    • No need to manage certificates
• Centralized certificate repository
  • MyProxy server with extensive security modifications
  • Enforces passphrase strength requirements
  • Potential for PAM integration
    • Seamless integration of PKI with the normal login process
• Drawbacks
  • Nobody recognizes the new CA
  • Nobody recognizes the new CA (did I say that already?)
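The slide says the modified MyProxy server enforces passphrase strength requirements but does not say what the rules are. The following is an added example of such a policy check, written for this page and not NERSC's MyProxy modifications; the thresholds, the deny list and the policy-hook shape (passphrase on stdin, optional user name as the first argument, exit status 0 to accept) are assumptions chosen to illustrate the idea.

```python
"""Passphrase-strength policy of the kind a credential repository such as
MyProxy can apply when a user stores a credential.  Added illustration,
not NERSC's modified MyProxy; every threshold below is an assumption."""
import sys

MIN_LENGTH = 12          # assumed policy threshold
MIN_CLASSES = 3          # of: lowercase, uppercase, digit, other
MIN_DISTINCT = 6         # distinct characters, rejects "aaaaaaaaaaaa"
# Constructed deny list standing in for a real dictionary check.
DENY_LIST = {"password", "passphrase", "grid", "nersc", "globus"}


def _classes(p):
    """Count how many of the four character classes appear in p."""
    return sum([
        any(c.islower() for c in p),
        any(c.isupper() for c in p),
        any(c.isdigit() for c in p),
        any(not c.isalnum() for c in p),
    ])


def _has_run(p, length=4):
    """True if p contains `length` consecutive identical or sequential chars."""
    for i in range(len(p) - length + 1):
        codes = [ord(c) for c in p[i:i + length]]
        if len(set(codes)) == 1:
            return True
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs in ({1}, {-1}):
            return True
    return False


def check_passphrase(passphrase, username=None):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _classes(passphrase) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    if len(set(passphrase)) < MIN_DISTINCT:
        problems.append(f"fewer than {MIN_DISTINCT} distinct characters")
    if _has_run(passphrase):
        problems.append("contains a run of repeated or sequential characters")
    lowered = passphrase.lower()
    for word in sorted(DENY_LIST):
        if word in lowered:
            problems.append(f"contains deny-listed word {word!r}")
    if username and len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the user name")
    return problems


def main():
    # Assumed policy-hook shape: candidate passphrase on stdin, optional user
    # name as argv[1]; exit 0 accepts, exit 1 rejects with reasons on stderr.
    passphrase = sys.stdin.readline().rstrip("\n")
    username = sys.argv[1] if len(sys.argv) > 1 else None
    problems = check_passphrase(passphrase, username)
    for p in problems:
        print("rejected:", p, file=sys.stderr)
    sys.exit(1 if problems else 0)


if __name__ == "__main__":
    main()
```

Returning the full list of violations rather than the first one lets the repository tell the user everything that needs fixing in a single round trip, which matters when the passphrase also protects a long-lived credential the user rarely re-enters.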
Bro Network Intrusion Detection
• Bro is the standard NERSC/LBL NIDS
  • Watches all network traffic
  • Detects rootkits, remote exploits and anomalous behavior
  • Stops traffic at the border
• Extended to support Grid services
  • Disassembles GSI authentication
    • Can examine the certificates being used
  • Analyzes content of network connections
    • Can “see” dangerous content coming over Globus services
  • Works on gsi-ftp and Gatekeeper
• Porting the functionality to SNORT is being considered
• Scott Campbell (scampbell@lbl.gov) leads this work
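The "certificate identification" item on the technologies slide and the "can examine the certificates being used" item above both come down to the same check: once the certificate DN is pulled out of the GSI handshake, compare it against what the site's authorization data says that DN may do. The block below is an added example written for this page; it is not Bro's GSI analyzer and not NERSC's LDAP-backed authorization code. It parses a grid-mapfile (the standard Globus format: a quoted DN, whitespace, then a comma-separated list of local accounts), strips the proxy-certificate CN components that GSI appends to the end-entity subject, and audits a few constructed connection records against a constructed trusted-CA list. All DNs, the CA name and the connection records are made up.

```python
"""Certificate-identity checks of the kind a Grid-aware NIDS or gatekeeper
audit can apply to GSI connections.  Added example, not Bro or NERSC code.
The grid-mapfile syntax is the standard Globus one; the DNs, the trusted-CA
list and the connection records are constructed for illustration."""
import re
from collections import namedtuple

# Constructed grid-mapfile contents: certificate DN -> local account(s).
GRIDMAP = r'''
# grid-mapfile (constructed)
"/DC=org/DC=ExampleGrid/OU=People/CN=Steve Chan 12345" sychan
"/DC=org/DC=ExampleGrid/OU=People/CN=Alice Smith 67890" asmith,gridops
"/C=US/O=Other Lab/CN=Bob Jones" bjones
'''

# Constructed set of CA subject DNs this site recognizes.
TRUSTED_CAS = {
    "/DC=org/DC=ExampleGrid/OU=Certificate Authorities/CN=ExampleGrid CA 1",
}

MAPLINE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s+(\S+)\s*$')
# GSI proxy certificates extend the end-entity subject with "/CN=proxy",
# "/CN=limited proxy" (legacy) or "/CN=<decimal serial>" (RFC 3820 style).
PROXY_CN = re.compile(r'/CN=(?:proxy|limited proxy|\d+)$')

Connection = namedtuple("Connection", "ts src service issuer subject user")


def parse_gridmap(text):
    """Return {dn: [accounts]} from grid-mapfile text, ignoring comments."""
    mapping = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = MAPLINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {line!r}")
        mapping[m.group(1) or m.group(2)] = m.group(3).split(",")
    return mapping


def identity_from_subject(subject):
    """Strip any chain of proxy CN components to recover the end-entity DN."""
    while True:
        stripped = PROXY_CN.sub("", subject)
        if stripped == subject:
            return subject
        subject = stripped


def audit(connections, gridmap, trusted_cas):
    """Yield (connection, finding) for every policy violation observed."""
    for c in connections:
        if c.issuer not in trusted_cas:
            yield c, f"issuer not trusted: {c.issuer}"
        identity = identity_from_subject(c.subject)
        allowed = gridmap.get(identity)
        if allowed is None:
            yield c, f"DN not in grid-mapfile: {identity}"
        elif c.user not in allowed:
            yield c, f"mapped to {c.user!r} but DN only allows {allowed}"


CA1 = "/DC=org/DC=ExampleGrid/OU=Certificate Authorities/CN=ExampleGrid CA 1"
PEOPLE = "/DC=org/DC=ExampleGrid/OU=People"
# Constructed connection records as a gatekeeper or NIDS might log them.
SAMPLE = [
    Connection("2003-06-01T10:00:00", "10.0.0.5", "gatekeeper", CA1,
               PEOPLE + "/CN=Steve Chan 12345/CN=proxy", "sychan"),
    Connection("2003-06-01T10:01:00", "10.0.0.6", "gsiftp", CA1,
               PEOPLE + "/CN=Alice Smith 67890/CN=1234567/CN=proxy", "gridops"),
    Connection("2003-06-01T10:02:00", "192.0.2.9", "gatekeeper",
               "/C=US/O=Other Lab/CN=Other Lab CA",
               "/C=US/O=Other Lab/CN=Bob Jones/CN=proxy", "bjones"),
    Connection("2003-06-01T10:03:00", "192.0.2.10", "gsiftp", CA1,
               PEOPLE + "/CN=Mallory 99999/CN=proxy", "root"),
    Connection("2003-06-01T10:04:00", "10.0.0.5", "gatekeeper", CA1,
               PEOPLE + "/CN=Steve Chan 12345/CN=proxy", "asmith"),
]


def findings(connections=SAMPLE):
    """Run the audit over the sample and return (ts, src, message) tuples."""
    return [(c.ts, c.src, msg) for c, msg in
            audit(connections, parse_gridmap(GRIDMAP), TRUSTED_CAS)]


if __name__ == "__main__":
    for ts, src, msg in findings():
        print(ts, src, msg)
```

The three checks map onto three different failure modes: an unrecognized issuer (the "nobody recognizes the new CA" problem seen from the other side), a DN that was never authorized, and a DN that was authorized but mapped to an account it is not entitled to. Stripping proxy components before the lookup is what keeps a legitimately delegated proxy from being reported as an unknown identity.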
Linux Kernel Module for Certificate DN
• Kernel module that associates a cert DN with a process
  • Interface via /proc
  • Immutable
  • Inherited by children
  • Queried via /proc and command line
• Modified gatekeeper and gsi-ftp to set this for each connection
• Ability to send this information to the execution host in a batch environment
• Shane Canon (scanon@lbl.gov) is lead
Grid Security Policies
• Defining standards
  • Port ranges for Grid apps
  • Requirements on applications
    • No anonymous logins
    • Self-identifying protocols
• Updating policies to support Grid computing
  • How to support large numbers of users?
  • X.509 certs: exposed to users & administrators
    • Maybe we should push it back under the covers again?
  • Opening networks for distributed applications
Unresolved Issues
• Lack of integration with site authentication
  • Users must remember multiple passwords
  • Hopefully can be resolved with a PAM-authenticated on-line CA
    • Potential for relatively transparent integration of PKI (comparable to Kerberos)
• Certificate revocation
• Authorization system for Virtual Organizations
• Consistent software configuration across multiple sites