The GIDS project: A Grid-based, federated Intrusion Detection System to secure the D-Grid infrastructure
Nils gentschen Felde, Felix von Eye
The MNM Team
Leibniz-Rechenzentrum der Bayerischen Akademie der Wissenschaften (Leibniz Supercomputing Centre of the Bavarian Academy of Sciences)
Grid-related projects (excerpt: @LMU)
European projects
• Deployment of Remote Instrumentation Infrastructure (DORII)
• Open Grid Forum Europe (OGF-Europe)
• European Grid Initiative (EGI)
• EMANICS - Management Solutions for Next Generation Networks
• g-Eclipse
German projects
• Horizontale Integration des Ressourcen- und Dienst-Monitoring im D-Grid (D-MON) [Horizontal integration of resource and service monitoring in D-Grid]
• Authentication and Authorization Infrastructure for VO Management (AAI/VO)
• Ein Grid-basiertes, föderiertes Intrusion Detection System zur Sicherung der D-Grid Infrastruktur (GIDS) [A Grid-based, federated Intrusion Detection System to secure the D-Grid infrastructure]
Previous research projects
• Interoperabilität und Integration der VO-Management Technologien im D-Grid (IVOM) [Interoperability and integration of VO management technologies in D-Grid]
• VO-Management im D-Grid [VO management in D-Grid]
• Monitoring und Accounting im D-Grid [Monitoring and accounting in D-Grid]
Project overview
• Partners and associated partners: shown as logos on the slide
• Start: 01.07.2009
• Duration: 36 months
• Project leader: LRZ/LMU (felde@nm.ifi.lmu.de)
• Project website: www.grid-ids.de
Usage scenario of Grids
(Figure: resource providers A, B, C and D coupled by the Grid-middleware.)
• Users are grouped in Virtual Organizations (VOs) by scientific affiliation, no longer by their real organizations
• Scientific environment: generous resource sharing, security management neglected
Grid-middleware
• Intent: loose coupling of autonomous providers; hiding heterogeneity
• Functionalities: job scheduling, storage, ...
• Management: user/VO management, monitoring, accounting, ...
Security considerations in Grids
(Figure: each resource provider A, B, C and D runs its own uplink, anti-virus, firewall and IDS under a local admin; the Grid-middleware couples the providers.)
• Coupling resources, abstracted by the middleware: collaborative use of distributed resources
• Security considerations: each domain has an isolated view; security rests on the trustworthiness of the resource providers
Example: attack scenario
(Figure: resource providers A, B, C and D coupled by the Grid-middleware.)
• A break-in at one site suffices: access to the Grid-middleware gives access to all resources!
• Example: a compromised SSH private key, e.g. through well-known SSL vulnerabilities
• Grid-wide login attempts are inter-organizational: only global event correlation yields success
Goal
(Figure: resource providers A, B, C and D coupled by the Grid-middleware.)
State of the art
• IDS for autonomous systems
• Distributed IDS: always based on total trust
• No concept of customers
Now
• Stepping towards a Grid-wide solution: conception of an IDS for Grids (GIDS)
First-glance challenges
• Inter-organizational system, autonomous partners, heterogeneity
• GIDS as a service with user-specific views
Vision: GIDS as a federation
(Figure: resource providers A, B, C and D coupled by the Grid-middleware.)
• Intent: a new service in the Grid that surveys the Grid with respect to security and reports on it; economical use of the service and of the Grid itself
• Idea: Grid-wide consolidation of security-relevant data; derivation of security reports
Methodology: Analysis, Architecture design, Prototypical implementation, Evaluation, Conclusion
Analysis: Methodology
Threat analysis
• Attack goals and risks
• Classification of possible attackers
• Attack patterns: origin of attack (positional and organizational); types of attacks in Grids
Use-case-driven requirements analysis
• User groups and customers
• Information providers
• Requirements induced by Grids; generic requirements
• Cooperation patterns; trust relationships
Classes of requirements
• Functional
• Non-functional
• Security requirements
• Organizational and privacy/data-protection requirements
• Requirements related to detection capabilities
Methodology: Analysis, Architecture design (work in progress), Prototypical implementation, Evaluation, Conclusion
Architecture overview
(Figure: every resource provider A ... X runs a local IDS and a GIDS-agent; the agents and the GIDS-operator exchange data over the GIDS-/IDMEF-bus, and the operator serves the GIDS portal.)
Resource-provider GIDS-agent
(Figure: inside one resource provider, the local sensors (FW, IDS, ...) feed their data through agents into the local (G)IDS instance, which stores data in the GIDS-DB. Data and reports pass through filtering, anonymization/pseudonymization and aggregation/correlation stages; reports go to the local admin, are stored in the GIDS-DB and are reported onto the GIDS-/IDMEF-bus.)
Methodology: Analysis, Architecture design, Prototypical implementation (work in progress), Evaluation, Conclusion
Example: Grid-wide event correlation
(Figure: resource providers A, B, C and D coupled by the Grid-middleware.)
Reminder
• A break-in at one site is sufficient: access to the Grid-middleware gives access to all resources!
• Example: a compromised user account in the context of a VO; the VO may use selected resources
Possibility of detection
• Grid-wide event correlation, e.g. of failing login attempts
Failing login attempts
(Figure: an attacker holding a VO member's SSH private key attempts a login at resource providers A ... X; each local IDS hands the login attempt to its GIDS-agent, which reports it over the GIDS-/IDMEF-bus to the GIDS-operator.)

```xml
<?xml version="1.0"?>
<!-- IDMEF alert as emitted by a GIDS-agent; namespace per RFC 4765 -->
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
  <idmef:Alert>
    <idmef:Analyzer name="syslogd"/>
    <idmef:Classification text="SSH login attempt"/>
    <idmef:Source>
      <idmef:Node>
        <idmef:Address category="ipv4-addr">
          <idmef:address>172.16.112.20</idmef:address>
        </idmef:Address>
      </idmef:Node>
      <idmef:Service ip_version="4">
        <idmef:port>22</idmef:port>
        <idmef:protocol>TCP</idmef:protocol>
      </idmef:Service>
    </idmef:Source>
    ...
  </idmef:Alert>
</idmef:IDMEF-Message>
```
Exemplary dataflow
(Figure: the attacker holding the VO member's SSH private key produces login attempts at resource providers A ... X; every GIDS-agent forwards its local IDS's login-attempt event over the GIDS-/IDMEF-bus to the GIDS-operator, which feeds the GIDS portal.)
Correlation
(Figure: the same agent pipeline as on the resource-provider slide. The login-attempt events arriving from the bus enter the filtering, anonymization/pseudonymization and aggregation/correlation stages; the aggregation/correlation stage emits a correlation-alarm, which is stored in the GIDS-DB, reported to the admin and published on the GIDS-/IDMEF-bus.)
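The three preceding slides describe the pipeline in pictures; the following is an added worked example (not code from the GIDS project) of both halves of it. A resource-provider agent turns sshd failure lines into IDMEF alerts with the target host and account pseudonymized, and the operator correlates the alerts it receives from the bus by source address across providers, raising a correlation alarm when one address fails logins at several sites. The federation-wide HMAC key, the provider names, the threshold, the timestamp format and the log lines are constructed assumptions; the bus is modelled as a plain list.

```python
"""Grid-wide correlation of failing SSH logins exchanged as IDMEF alerts.

Added example, not GIDS project code. Two halves of the pipeline:
  agent (per resource provider): sshd syslog line -> pseudonymize -> IDMEF alert
  operator: IDMEF alerts from the GIDS-/IDMEF-bus -> correlate by source address
"""
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

IDMEF_NS = "http://iana.org/idmef"  # IDMEF namespace (RFC 4765)
ET.register_namespace("idmef", IDMEF_NS)

# Assumption: a federation-wide pseudonymization key shared by all agents, so the
# operator never sees account names but the same account still matches across providers.
PSEUDONYM_KEY = b"gids-federation-demo-key"

# OpenSSH "Failed password" line prefixed with an ISO-8601 timestamp (constructed format).
SSHD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)


def pseudonymize(value: str) -> str:
    """Keyed, deterministic pseudonym: unreadable without the key, joinable across sites."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def q(tag: str) -> str:
    """Clark-notation element name in the IDMEF namespace."""
    return f"{{{IDMEF_NS}}}{tag}"


def syslog_to_idmef(line: str, provider: str) -> Optional[str]:
    """Agent side: one sshd failure line -> one IDMEF Alert (XML string); None for other lines."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    msg = ET.Element(q("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, q("Alert"), messageid=pseudonymize(provider + line))
    ET.SubElement(alert, q("Analyzer"), analyzerid=provider, name="syslogd")
    ET.SubElement(alert, q("CreateTime")).text = m["ts"]
    ET.SubElement(alert, q("Classification"), text="SSH login attempt")
    src = ET.SubElement(alert, q("Source"))
    addr = ET.SubElement(ET.SubElement(src, q("Node")), q("Address"), category="ipv4-addr")
    ET.SubElement(addr, q("address")).text = m["src"]  # kept in clear: it is the correlation key
    svc = ET.SubElement(src, q("Service"), ip_version="4")
    ET.SubElement(svc, q("port")).text = "22"
    ET.SubElement(svc, q("protocol")).text = "TCP"
    tgt = ET.SubElement(alert, q("Target"))
    ET.SubElement(ET.SubElement(tgt, q("Node")), q("name")).text = pseudonymize(m["host"])
    uid = ET.SubElement(ET.SubElement(tgt, q("User"), category="os-device"), q("UserId"), type="target-user")
    ET.SubElement(uid, q("name")).text = pseudonymize(m["user"])  # account leaves the site pseudonymized
    return ET.tostring(msg, encoding="unicode")


def parse_idmef(xml_text: str) -> dict:
    """Operator side: pull the fields needed for correlation out of one IDMEF message."""
    ns = {"idmef": IDMEF_NS}
    alert = ET.fromstring(xml_text).find("idmef:Alert", ns)
    created = alert.findtext("idmef:CreateTime", namespaces=ns).replace("Z", "+00:00")
    return {
        "provider": alert.find("idmef:Analyzer", ns).get("analyzerid"),
        "time": datetime.fromisoformat(created),
        "src": alert.findtext("idmef:Source/idmef:Node/idmef:Address/idmef:address", namespaces=ns),
        "user": alert.findtext("idmef:Target/idmef:User/idmef:UserId/idmef:name", namespaces=ns),
    }


def correlate(alerts: list, min_providers: int = 3, window: timedelta = timedelta(minutes=10)) -> list:
    """Correlation alarm when one source address fails logins at >= min_providers distinct
    providers inside `window`: invisible to any single site, visible to the operator."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    alarms = []
    for src, events in by_src.items():
        events.sort(key=lambda a: a["time"])
        for i, first in enumerate(events):
            in_window = [e for e in events[i:] if e["time"] - first["time"] <= window]
            providers = {e["provider"] for e in in_window}
            if len(providers) >= min_providers:
                alarms.append({"src": src, "first": first["time"], "providers": sorted(providers),
                               "users": sorted({e["user"] for e in in_window})})
                break  # one alarm per source address
    return alarms


# Constructed sshd lines per resource provider: one attacker address probes four sites;
# the unrelated local failure at provider-A must not raise an alarm.
SAMPLE_LOGS = {
    "provider-A": [
        "2010-03-01T10:00:05Z ce01.a.example sshd[4123]: Failed password for vo_alice from 172.16.112.20 port 51022 ssh2",
        "2010-03-01T10:00:09Z ce01.a.example sshd[4125]: Accepted publickey for bob from 10.0.0.5 port 40000 ssh2",
        "2010-03-01T10:07:31Z ce01.a.example sshd[4200]: Failed password for invalid user admin from 10.0.0.5 port 40100 ssh2",
    ],
    "provider-B": ["2010-03-01T10:02:14Z ui.b.example sshd[991]: Failed password for vo_alice from 172.16.112.20 port 51030 ssh2"],
    "provider-C": ["2010-03-01T10:04:40Z wn17.c.example sshd[77]: Failed password for vo_alice from 172.16.112.20 port 51041 ssh2"],
    "provider-D": ["2010-03-01T10:05:02Z se.d.example sshd[300]: Failed password for vo_alice from 172.16.112.20 port 51050 ssh2"],
}


def run_demo(logs: dict = SAMPLE_LOGS, min_providers: int = 3) -> list:
    """Agents publish onto the bus (a plain list here); the operator consumes and correlates."""
    bus = [msg for provider, lines in logs.items()
           for msg in (syslog_to_idmef(line, provider) for line in lines) if msg]
    return correlate([parse_idmef(m) for m in bus], min_providers=min_providers)


if __name__ == "__main__":
    for alarm in run_demo():
        print(alarm)
```

Each site on its own sees one failed login and stays quiet; only the operator, holding alerts from all four providers, sees that 172.16.112.20 tried the same pseudonymized account everywhere within minutes. Keeping the source address in clear while pseudonymizing host and account is a design choice: the address is what the correlation joins on, and the pseudonym still tells the operator that it was the same account at every site without revealing which one.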
Methodology: Analysis, Architecture design, Prototypical implementation, Evaluation (to be done!), Conclusion
Methodology: Analysis, Architecture design, Prototypical implementation, Evaluation, Conclusion (next)
Conclusion
Challenge: conception of a GIDS
Proceeding
• Analysis: threats, use cases, requirements induced by Grids
• Design of a generic GIDS architecture
• Development of a privacy-protection concept
• Prototype; later: production-ready
• Evaluation: simulation and measurements in D-Grid
Results
• Catalogue of criteria to evaluate IDSs for their use in Grids
• Generic GIDS architecture
• Privacy-protection concept
• GIDS in production for D-Grid
Further research questions
Management aspects
• Specification of processes as in e.g. ISO 20000 or ITIL
• Special challenges in inter-organizational environments
Attack detection
• Which analysis techniques are appropriate in Grids, and which are not?
• Implications of the dynamics of Grids for attack-detection methods
• Valuable use of additionally available information in Grids (e.g. (job-)monitoring or VO-management systems)
Compliance
• Enhancing the GIDS by making use of trust-level management data
Thank you!
Project details: www.grid-ids.de
Contact: Nils gentschen Felde <felde@nm.ifi.lmu.de>