Office of Science
U.S. Department of Energy
Grid Security at NERSC/LBL
Presented by Steve Chan ([email protected])
Network, Security and Servers Group, NERSC
NERSC Grid Capabilities
Grid Security Issues
• Host security
– Remote exploits
– Local exploits
• Network security
– Firewall configuration
– Network intrusion detection
• Account security
– Certificate management
– Scalable user account management
• Policies
– Acceptable use
– Audit trails
NERSC Grid Security Technologies
• Centralized authorization
– LDAP-based solution
• NERSC PKI infrastructure
– Integration with NIM database
– Certificate management
• Grid firewall work
– Mitigation policies and recommendations
• Bro network intrusion detection
– Real-time analysis of Grid traffic
– Certificate identification
• Linux kernel extension to track certificate DN
– LKM that binds a certificate name to processes
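The centralized-authorization item above is the step where an authenticated certificate subject DN is turned into a local account. The following is an added illustration of that decision, not NERSC code and not an LDAP client: it reads a mapping in the Globus grid-mapfile convention (a quoted DN followed by one or more comma-separated local accounts), refuses empty subjects so there is no anonymous path, and only honours a requested account that the mapping actually lists. The DNs and account names are constructed for the example.

```python
"""Map an authenticated X.509 subject DN to a local account.

Added example (not NERSC's implementation). The mapfile text follows
the Globus grid-mapfile layout: "/DN" account[,account...]. All entries
below are constructed sample data.
"""
import shlex
from typing import Dict, List, Optional

SAMPLE_MAPFILE = """\
# constructed sample entries
"/C=US/O=Example Lab/OU=People/CN=Alice Example" alice
"/C=US/O=Example Lab/OU=People/CN=Bob Example" bob,bobdev
"/C=US/O=Example Lab/OU=Services/CN=host/ftp.example.org" gridftp
"""


def parse_mapfile(text: str) -> Dict[str, List[str]]:
    """Parse mapfile text into {subject DN: [local accounts]}.

    Malformed lines raise ValueError rather than being skipped, so a
    damaged authorization file fails closed instead of silently
    shrinking the set of mapped users.
    """
    mapping: Dict[str, List[str]] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # the quoted DN may contain spaces
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '\"DN\" account[,account]'")
        dn, accounts = parts
        if not dn.startswith("/"):
            raise ValueError(f"line {lineno}: subject DN must start with '/'")
        names = [a for a in accounts.split(",") if a]
        if not names:
            raise ValueError(f"line {lineno}: no local account given")
        mapping[dn] = names
    return mapping


def authorize(dn: Optional[str], mapping: Dict[str, List[str]],
              requested: Optional[str] = None) -> Optional[str]:
    """Return the local account to run as, or None to refuse access.

    - empty/missing DN: refused (no anonymous logins)
    - DN not in the mapping: refused
    - no account requested: first mapped account
    - account requested: granted only if the mapping lists it for that DN
    """
    if not dn:
        return None
    accounts = mapping.get(dn)
    if not accounts:
        return None
    if requested is None:
        return accounts[0]
    return requested if requested in accounts else None


if __name__ == "__main__":
    table = parse_mapfile(SAMPLE_MAPFILE)
    print(authorize("/C=US/O=Example Lab/OU=People/CN=Alice Example", table))
    print(authorize("", table))
```

Two design points carry over to any real deployment: every refusal returns the same value so the caller cannot distinguish "unknown DN" from "DN known but account not permitted", and the parser raises on any malformed line rather than dropping it.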
NERSC PKI Infrastructure
• Existing certificate policies block usability enhancements
– Cannot create and manage certificates on behalf of user
– Cannot integrate password with site authentication
• New CA from ESnet allows more freedom
– NERSC can integrate account management system with certificate generation
    Users can request certs be stored on NERSC repository
    No need to manage certificates
– Centralized certificate repository
    MyProxy server with extensive security modifications
    Enforces passphrase strength requirements
– Potential for PAM integration
    Seamless integration of PKI with normal login process
– Drawbacks
    Nobody recognizes the new CA
    Nobody recognizes the new CA (did I say that already?)
Bro Network Intrusion Detection
• Bro is the standard NERSC/LBL NIDS
– Watches all network traffic
– Detects rootkits, remote exploits and anomalous behavior
– Stops traffic at the border
• Extended to support Grid services
– Disassembles GSI authentication
    Can examine certificates being used
– Analyzes content of network connections
    Can “see” dangerous content coming over Globus services
    Works on gsi-ftp and Gatekeeper
• Porting functionality to SNORT is being considered
• Scott Campbell ([email protected]) leads this work
Linux Kernel Module for Certificate DN
• Kernel module that associates cert DN with process
– Interface via /proc
– Immutable
– Inherited by children
– Queried via /proc and command line
• Modified gatekeeper and gsi-ftp to set this for each connection
• Ability to send this information to execution host in batch environment
• Shane Canon ([email protected]) is lead
Grid Security Policies
• Defining standards
– Port ranges for Grid apps
– Requirements on applications
    No anonymous logins
    Self-identifying protocols
• Updating policies to support Grid computing
– How to support large numbers of users?
– X509 certs: exposed to users & administrators
    Maybe we should push it back under the covers again?
– Opening networks for distributed applications
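The Bro extension two slides back identifies the certificate used in each GSI session, and the standards on this slide (a port range for Grid applications, no anonymous logins, recognized CAs) are exactly the things such per-connection visibility lets a site check. The following is an added example that evaluates those policies over connection records; it is not Bro, Zeek or NERSC code, and the record layout, port range, trusted issuer name and log lines are all constructed. Only the two service ports are real Globus defaults (gatekeeper 2119, GridFTP 2811).

```python
"""Policy checks over Grid connection records (added example, not Bro).

Each record: timestamp source-ip service port "issuer DN" "subject DN",
with '-' where no certificate was presented. The policy values and the
sample log are constructed for this illustration.
"""
import shlex
from dataclasses import dataclass
from typing import List, Tuple

SERVICE_PORTS = {"gatekeeper": 2119, "gsiftp": 2811}           # Globus defaults
GRID_PORT_RANGE = (50000, 51000)                                 # constructed policy
TRUSTED_ISSUERS = {"/DC=org/DC=Example/CN=Example Site CA"}      # constructed

SAMPLE_LOG = """\
2004-03-01T10:00:01 198.51.100.7 gsiftp 2811 "/DC=org/DC=Example/CN=Example Site CA" "/DC=org/DC=Example/CN=Alice Example"
2004-03-01T10:00:05 198.51.100.7 gsiftp 50342 "/DC=org/DC=Example/CN=Example Site CA" "/DC=org/DC=Example/CN=Alice Example"
2004-03-01T10:01:10 203.0.113.9 gatekeeper 2119 - -
2004-03-01T10:02:00 203.0.113.9 gatekeeper 2119 "/C=XX/O=Unknown CA" "/C=XX/O=Unknown CA/CN=Someone"
2004-03-01T10:03:30 198.51.100.7 gsiftp 6000 "/DC=org/DC=Example/CN=Example Site CA" "/DC=org/DC=Example/CN=Alice Example"
"""


@dataclass
class Record:
    ts: str
    src: str
    service: str
    port: int
    issuer: str
    subject: str


def parse_record(line: str) -> Record:
    ts, src, service, port, issuer, subject = shlex.split(line)
    return Record(ts, src, service, int(port), issuer, subject)


def port_allowed(service: str, port: int) -> bool:
    """A service may use its fixed port or the registered Grid range."""
    lo, hi = GRID_PORT_RANGE
    return port == SERVICE_PORTS.get(service) or lo <= port <= hi


def check(rec: Record) -> List[str]:
    """Return the policy violations for one connection record."""
    alerts: List[str] = []
    if rec.service not in SERVICE_PORTS:
        alerts.append(f"unknown service '{rec.service}'")  # not self-identifying
    if rec.subject == "-":
        alerts.append("anonymous session, no certificate presented")
    elif rec.issuer not in TRUSTED_ISSUERS:
        alerts.append(f"certificate from unrecognized CA {rec.issuer}")
    if not port_allowed(rec.service, rec.port):
        alerts.append(f"{rec.service} on port {rec.port} outside Grid port policy")
    return alerts


def analyze(log_text: str) -> List[Tuple[str, str, str]]:
    """Run check() over every record; returns (timestamp, source, alert)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        for alert in check(rec):
            findings.append((rec.ts, rec.src, alert))
    return findings


if __name__ == "__main__":
    for ts, src, alert in analyze(SAMPLE_LOG):
        print(ts, src, alert)
```

Of the five constructed records, the first two pass (fixed GridFTP port, then a data channel inside the range), and the remaining three each trip one rule: an anonymous gatekeeper session, a certificate from a CA the site does not recognize, and a GridFTP connection on a port outside the policy.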
Unresolved Issues
• Lack of integration with site authentication
– Users must remember multiple passwords
– Hopefully can be resolved with a PAM-authenticated on-line CA
– Potential for relatively transparent integration of PKI (comparable to Kerberos)
• Certificate revocation
• Authorization system for Virtual Organizations
• Consistent software configuration across multiple sites