Grid Security at NERSC/LBL

Presented by Steve Chan, [email protected], Network, Security and Servers Group, NERSC

Office of Science, U.S. Department of Energy


TRANSCRIPT

Page 1: Grid Security at NERSC/LBL

Presented by Steve Chan, [email protected], Network, Security and Servers Group, NERSC

Page 2: NERSC Grid Capabilities

Page 3: Grid Security Issues

• Host security
  – Remote exploits
  – Local exploits

• Network security
  – Firewall configuration
  – Network intrusion detection

• Account security
  – Certificate management
  – Scalable user account management

• Policies
  – Acceptable use
  – Audit trails

Page 4: NERSC Grid Security Technologies

• Centralized authorization
  – LDAP-based solution

• NERSC PKI infrastructure
  – Integration with the NIM database
  – Certificate management

• Grid firewall work
  – Mitigation policies and recommendations

• Bro network intrusion detection
  – Real-time analysis of Grid traffic
  – Certificate identification

• Linux kernel extension to track the certificate DN
  – LKM that binds a certificate name to processes

Page 5: NERSC PKI Infrastructure

• Existing certificate policies block usability enhancements
  – Cannot create and manage certificates on behalf of the user
  – Cannot integrate the certificate password with site authentication

• New CA from ESnet allows more freedom
  – NERSC can integrate its account management system with certificate generation
    · Users can request that certs be stored in the NERSC repository
    · No need for users to manage certificates themselves
  – Centralized certificate repository
    · MyProxy server with extensive security modifications
    · Enforces passphrase strength requirements
  – Potential for PAM integration
    · Seamless integration of PKI with the normal login process
  – Drawbacks
    · Nobody recognizes the new CA
    · Nobody recognizes the new CA (did I say that already?)
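The slide says the NERSC MyProxy server "enforces passphrase strength requirements" but does not show how. Stock myproxy-server has a `passphrase_policy` option that runs an external program with the candidate passphrase on standard input and rejects the passphrase when that program exits non-zero. The policy program below is an added example written for this page, not NERSC's modified MyProxy; the checks (length, character classes, no account or credential name inside the passphrase, no dictionary word, no low-entropy repetition) are ordinary choices, the word list is constructed, and the environment variable names MYPROXY_USERNAME and MYPROXY_CREDNAME are assumed here (confirm them against the myproxy-server.config documentation before deploying).

```python
#!/usr/bin/env python3
"""Passphrase policy program for the myproxy-server `passphrase_policy` hook.

Added example, not NERSC code. MyProxy writes the candidate passphrase to stdin
and treats a non-zero exit status as "reject". The account and credential names
are read from MYPROXY_USERNAME / MYPROXY_CREDNAME (assumed variable names).
"""
import os
import string
import sys

MIN_LENGTH = 12

# Constructed stand-in for a real word list (cracklib or /usr/share/dict/words).
COMMON_WORDS = {"password", "nersc", "globus", "myproxy", "welcome", "letmein"}


def check_passphrase(passphrase: str, username: str = "", credname: str = "") -> list:
    """Return the list of policy violations; an empty list means the passphrase passes."""
    problems = []

    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    present = sum(any(c in cls for c in passphrase) for cls in classes)
    if present < 3:
        problems.append("needs at least three of: lower, upper, digit, punctuation")

    lowered = passphrase.lower()
    for token in (username, credname):
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains the account/credential name {token!r}")

    # Drop digits and punctuation so "Password123!" still matches "password".
    letters_only = "".join(c for c in lowered if c.isalpha())
    if any(word in letters_only for word in COMMON_WORDS):
        problems.append("contains a dictionary word")

    # Crude entropy floor: fewer than half the characters distinct ("aaaa1111!!!!").
    if passphrase and len(set(passphrase)) < len(passphrase) // 2:
        problems.append("too repetitive")

    return problems


def main() -> int:
    """Entry point when MyProxy runs this file: read stdin, report, exit 0 or 1."""
    passphrase = sys.stdin.readline().rstrip("\r\n")
    problems = check_passphrase(
        passphrase,
        os.environ.get("MYPROXY_USERNAME", ""),
        os.environ.get("MYPROXY_CREDNAME", ""),
    )
    for problem in problems:
        print(f"passphrase rejected: {problem}", file=sys.stderr)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main())
```

Point `passphrase_policy` in myproxy-server.config at this file and make it executable by the server's user only; the messages go to stderr so MyProxy can relay them to the client without the passphrase itself ever being logged.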

Page 6: Bro Network Intrusion Detection

• Bro is the standard NERSC/LBL NIDS
  – Watches all network traffic
  – Detects rootkits, remote exploits and anomalous behavior
  – Stops traffic at the border

• Extended to support Grid services
  – Disassembles GSI authentication
    · Can examine the certificates being used
  – Analyzes the content of network connections
    · Can "see" dangerous content coming over Globus services
    · Works on gsi-ftp and the Gatekeeper

• Porting this functionality to Snort is being considered

• Scott Campbell, [email protected], leads this work

Page 7: Linux Kernel Module for Certificate DN

• Kernel module that associates a certificate DN with a process
  – Interface via /proc
  – Immutable (cannot be changed once set)
  – Inherited by child processes
  – Queried via /proc and from the command line

• Modified gatekeeper and gsi-ftp to set this for each connection

• Ability to send this information to the execution host in a batch environment

• Shane Canon, [email protected], is the lead
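Both the Bro extension on the previous slide (certificate identification in the GSI handshake) and the kernel module above work with the certificate's subject DN in the slash-separated form Globus uses ("/C=US/O=NERSC/CN=Steve Chan"), and the Gatekeeper turns that DN into a local account. The example below is added for this page and is not the Bro or kernel code it describes: it decodes a DER-encoded X.509 Name into the Globus DN string and looks it up in a grid-mapfile, the stock Globus authorization file that an LDAP-based solution like the one on slide 4 would replace (that replacement is an assumption here, not something the slides state). The DER bytes are a constructed X.509 Name (C=US, O=NERSC, CN=Steve Chan) and the grid-mapfile text is constructed as well.

```python
"""Decode an X.509 subject Name to a Globus-style DN and map it to a local account.

Added example for this page, not NERSC/LBL code. SAMPLE_NAME_DER and
SAMPLE_GRIDMAP are constructed inputs.
"""
from __future__ import annotations

# Attribute-type OIDs common in grid subject names -> short names Globus prints.
_OID_NAMES = {
    "2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
    "2.5.4.10": "O", "2.5.4.11": "OU",
    "1.2.840.113549.1.9.1": "emailAddress",
    "0.9.2342.19200300.100.1.25": "DC",
}
# ASN.1 string tags that may carry an attribute value, with their encodings.
_STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x14: "latin-1",
                0x16: "ascii", 0x1E: "utf-16-be"}


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Return (tag, contents, next_pos) for the DER element at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:end], end


def _decode_oid(contents: bytes) -> str:
    """Dotted-decimal form of an OBJECT IDENTIFIER's content octets."""
    arcs = [contents[0] // 40, contents[0] % 40]
    value = 0
    for b in contents[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def der_name_to_globus_dn(name_der: bytes) -> str:
    """Walk Name ::= SEQUENCE OF RDN (SET OF AttributeTypeAndValue) into /T=V/T=V form."""
    tag, rdn_seq, _ = _read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("X.509 Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(rdn_seq):
        tag, rdn, pos = _read_tlv(rdn_seq, pos)
        if tag != 0x31:
            raise ValueError("RDN must be a SET")
        atvs, inner = [], 0
        while inner < len(rdn):            # multi-valued RDNs are joined with '+'
            _, atv, inner = _read_tlv(rdn, inner)
            oid_tag, oid, p = _read_tlv(atv, 0)
            val_tag, val, _ = _read_tlv(atv, p)
            if oid_tag != 0x06 or val_tag not in _STRING_TAGS:
                raise ValueError("unsupported AttributeTypeAndValue encoding")
            dotted = _decode_oid(oid)
            atvs.append(f"{_OID_NAMES.get(dotted, dotted)}={val.decode(_STRING_TAGS[val_tag])}")
        parts.append("+".join(atvs))
    return "/" + "/".join(parts)


def parse_gridmap(text: str) -> dict[str, list[str]]:
    """Parse grid-mapfile lines:  "/C=US/O=NERSC/CN=Steve Chan" user1,user2  -> {dn: [users]}."""
    mapping: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith('"'):           # quoted DN may contain spaces
            close = line.index('"', 1)
            dn, rest = line[1:close], line[close + 1:]
        else:                              # unquoted DN cannot contain whitespace
            dn, _, rest = line.partition(" ")
        mapping.setdefault(dn, []).extend(a for a in rest.strip().split(",") if a)
    return mapping


def map_dn(gridmap: dict[str, list[str]], dn: str) -> str | None:
    """Default local account for dn (first listed), or None if the DN is not mapped."""
    accounts = gridmap.get(dn)
    return accounts[0] if accounts else None


# Constructed DER Name: C=US, O=NERSC, CN=Steve Chan (three single-valued RDNs).
SAMPLE_NAME_DER = bytes.fromhex(
    "3032"
    "310b3009060355040613025553"               # C=US
    "310e300c060355040a13054e45525343"         # O=NERSC
    "311330110603550403130a5374657665204368616e"  # CN=Steve Chan
)

# Constructed grid-mapfile.
SAMPLE_GRIDMAP = """\
# DN -> local account(s); first account is the default
"/C=US/O=NERSC/CN=Steve Chan" schan
"/C=US/O=NERSC/CN=Scott Campbell" scampbel,bro
"""

if __name__ == "__main__":
    dn = der_name_to_globus_dn(SAMPLE_NAME_DER)
    print(dn, "->", map_dn(parse_gridmap(SAMPLE_GRIDMAP), dn))
```

The DN string this produces is exactly what a detector or the kernel module would record for the connection; the mapping step is where an unmapped DN (for example one signed by a CA the site does not recognize) yields None and the connection should be refused rather than silently mapped.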

Page 8: Grid Security Policies

• Defining standards
  – Port ranges for Grid applications
  – Requirements on applications
    · No anonymous logins
    · Self-identifying protocols

• Updating policies to support Grid computing
  – How to support large numbers of users?
  – X.509 certs are exposed to users and administrators
    · Maybe we should push them back under the covers again?
  – Opening networks for distributed applications

Page 9: Unresolved Issues

• Lack of integration with site authentication
  – Users must remember multiple passwords
  – Hopefully can be resolved with a PAM-authenticated online CA
  – Potential for relatively transparent integration of PKI (comparable to Kerberos)

• Certificate revocation

• Authorization system for virtual organizations

• Consistent software configuration across multiple sites