
LCG Security issues

Ian Neilson, LCG Security Officer, Grid Deployment Group, CERN


Presentation Transcript


  1. LCG Security issues
  Ian Neilson, LCG Security Officer, Grid Deployment Group, CERN
  GridPP Collaboration meeting @ CERN – June 4th 2004

  2. LCG Security Issues
  • LCG Security Group
  • Policy
    • GOC Guides
    • Risk Analysis
    • Usage Rules
  • Authentication
    • Trusted CAs
  • User Registration
    • VO membership management
  • Incident Response
  • Audit
  • Security Collaboration
    • EGEE – OSG - ?

  3. GOC Guides
  Policy document set (diagram):
  • Security & Availability Policy
  • Usage Rules
  • Certification Authorities
  • User Registration
  • Incident Response
  • Audit Requirements
  • Application Development & Network Admin Guide
  http://cern.ch/proj-lcg-security/documents.html

  4. Risk Analysis - 1
  • http://cern.ch/proj-lcg-security/RiskAnalysis/risk.html
  • Intentional and accidental incidents
  • Misuse of resources
  • Confidentiality & integrity
  • Service disruption

  5. Risk Analysis - 2
  • Top 4
    • Launch attacks on other sites
    • Illegal or inappropriate distribution or sharing of data
    • Disruption by exploit of security holes
    • Damage caused by viruses, worms etc.
  • Distributed Denial of Service
    • Limit WN outgoing connectivity ?
    • But jobs want worker-to-anywhere connections
  • Site Questionnaire
    • “Concerned about DDOS?” Mostly YES
    • “Problems with current firewall requirements?” Mostly NO
    • “Allowing outgoing now?” YES, unwillingly, may change, NAT

  6. Usage Rules
  • “Rules for the Use of LCG-1 Computing Resources”
    • Extended by GDB to cover LCG-x
    • Adapted from EU DataGrid Project
    • “…to lay down the rules governing the use of these resources…without prejudice to the application of the rules of each LCG-1 Regional Centre and each LCG-1 site, and of any national laws which may apply.”
  • Procedure for obtaining a user account
  • Organisation of security
  • Rules governing the use of resources
  • Third-party access to user accounts
  • Responsibilities and liabilities
  • Basis for General Grid Usage Rules ?
    • Will be LCG + EGEE

  7. Authentication
  • EUGridPMA Certification Authorities
    • Formed from EDG CA Coordination Group
    • Charter agreed in April 2004: “… is a body to establish requirements and best practices for grid identity providers to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources. …”
    • http://www.eugridpma.org
    • ~20 Authorities + Major Relying Parties
    • EU + US + Asia-Pacific
    • Establish Trust
  • FNAL Kerberized Certification Authority
    • LCG Security Group Approved
    • Uses existing Kerberos infrastructure
    • Mapping Kerberos token to short-lifetime certificate
  • LCG “catch-all” CA
    • Taking LCG workload off EGEE (ex-EDG) “catch-all” at CNRS
    • Not a CA but a Registration Authority (RA) of DOEGrids, http://www.doegrids.org
    • Approved in May 2004
    • http://cern.ch/lcg/catch-all-ca
    • Not yet operational
  • LCG approved CAs: https://lcg-registrar.cern.ch/pki_certificates.html
  • Issues
    • Do current trust mechanisms scale up ?
    • “On-line” certification authorities & Certificate Stores
    • KCA & VSC – policy and best practice

  8. User Registration - 1
  • User Registration & VO Management
    • Established for LCG-1 in 2003
    • EDG model & infrastructure + LCG Registrar
    • Single point to agree to Usage Rules
    • Single point for joining a VO
    • Aim for single “grid sign-on”

  9. User Registration – 2 (2003-4)
  Registration flow between the User (holding a GRID Certificate), lcg-registrar.cern.ch, the XYZ VO Manager and the Site/Resource, reconstructed from the diagram labels:
  1. User to lcg-registrar.cern.ch: “I agree to the Usage Rules please register me, my VO is XYZ”
  2. Confirm email
  3. User Details passed to the XYZ VO Manager (Authz ?)
  4. Register
  5. “You’re in”
  6. User Details passed to the Site (Authz); the User can then submit a job to the Resource

  10. User Registration – 3 (? 2004 - )
  • Issues
    • gridmapfile will not scale up
    • Multiple VO membership
    • Inflexible authorization
    • VO manager needs to validate user data. How ?
  • Solutions
    • Attribute proxy certificates (VOMS)
    • Groups and Roles - not just user mapping
    • Local credential mapping and authorization tools: LCMAPS, LCAS, SAZ, LRAS …
    • LHC Experiment Membership Databases, but …
      • What about exceptions ? (the 2-week summer student)
      • What about other VOs ? (for deployment, testing, EGEE…)
      • How to integrate with existing tools ?
  • Process
    • Establish robust requirements
    • Update 2003 User Registration document
    • Approved by GDB May 2004
    • VOMS-admin & VOMRS implementations ?
    • GDB task force to study
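Added example to illustrate the "gridmapfile will not scale up" point and the group/role alternative; this is not code from the slides or from the LCG middleware. It contrasts a DN-keyed grid-mapfile (one line per user, in the Globus quoted-DN format) with a VOMS-style table keyed on FQANs such as /xyz/Role=production, where one rule per group or role covers every member. The file contents, the rule table, the pool size and the gridmapdir-style lease behaviour are all constructed assumptions for illustration, not the real LCMAPS/LCAS implementation.

```python
"""Added example (not from the slides): DN-keyed grid-mapfile lookup versus
attribute-based (VOMS-style) mapping to groups, roles and pool accounts.
File contents, the FQAN rule table and the pool size are constructed."""
import re

# Constructed grid-mapfile in the Globus format: a quoted certificate DN,
# whitespace, then one or more comma-separated local accounts. A leading dot
# ('.xyz') is the conventional pool-account prefix (assumption: gridmapdir-style
# leasing is mimicked below rather than taken from the real middleware).
GRID_MAPFILE = '''\
# one line per user: this is the part that does not scale
"/C=UK/O=eScience/OU=Univ/CN=alice example" alice
"/C=UK/O=eScience/OU=Univ/CN=bob example" .xyz
"/DC=org/DC=doegrids/OU=People/CN=Carol Example 12345" .xyz,carol
'''

MAP_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<accounts>\S+)\s*$')


def parse_gridmap(text):
    """Return {dn: [accounts]}; reject malformed lines instead of silently skipping."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = MAP_LINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line {lineno}: {line!r}")
        mapping[m["dn"]] = m["accounts"].split(",")
    return mapping


class PoolAllocator:
    """Leases pool accounts the way a gridmapdir does: a DN that already holds
    a lease gets the same account back; a full pool is a hard failure."""

    def __init__(self, size):
        self.size = size
        self.leases = {}   # (prefix, dn) -> account
        self.in_use = {}   # prefix -> set of slot numbers

    def lease(self, prefix, dn):
        key = (prefix, dn)
        if key in self.leases:
            return self.leases[key]
        taken = self.in_use.setdefault(prefix, set())
        for slot in range(1, self.size + 1):
            if slot not in taken:
                taken.add(slot)
                self.leases[key] = f"{prefix}{slot:03d}"
                return self.leases[key]
        raise RuntimeError(f"pool account prefix {prefix!r} exhausted")


def resolve(account, dn, pool):
    """A dotted entry is a pool prefix; anything else is a fixed local account."""
    return pool.lease(account[1:], dn) if account.startswith(".") else account


def map_dn(mapping, dn, pool):
    """grid-mapfile authorization: the DN must be listed, first account wins."""
    accounts = mapping.get(dn)
    return resolve(accounts[0], dn, pool) if accounts else None


# Constructed VOMS-style policy keyed on FQANs (/vo/group/Role=...). One rule per
# group or role covers every VO member, so adding a user touches no site file.
# First matching rule wins, so specific roles must precede the plain VO entry.
FQAN_RULES = [
    ("/xyz/Role=production", "xyzprd"),  # production role -> dedicated account
    ("/xyz", ".xyz"),                    # any other xyz member -> pool account
    ("/abc", ".abc"),
]


def map_fqans(fqans, dn, pool, rules=FQAN_RULES):
    """Attribute-based authorization: match the FQANs carried in the user's
    VOMS proxy against the rule table; the DN is only needed to key the lease."""
    for fqan in fqans:  # FQAN order in the proxy expresses the user's preference
        for pattern, account in rules:
            if fqan == pattern or fqan.startswith(pattern + "/"):
                return resolve(account, dn, pool)
    return None
```

Two properties worth noticing: a DN absent from the grid-mapfile gets nothing, so every new VO member is a site-side edit, whereas map_fqans admits a member the site has never heard of as long as the proxy carries a matching FQAN; and rule order encodes the "Groups and Roles" policy, so a production role must be listed before the catch-all VO entry or it silently degrades to a pool account.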

  11. Incident Response
  • Agreement on Incident Response – 2003
  • Security contact data gathered when site registers
  • Establish communication channels
    • maillists maintained by Deployment Team
    • Incident response
    • List of CSIRT lists
    • Channel for reporting
    • Security contacts at site
    • Channel for discussion & resolution
    • Escalation to Deployment Manager & GDB
  • Currently no message traffic (apart from SPAM!)
    • Good thing or bad ?
    • Need to test !

  12. Audit
  • Audit Requirements doc – 2003
    • Trace from certificate DN to uid
    • Mandates to save specified logfiles for 90 days
      • Computing Element
      • Storage Element
  • Problems
    • Middleware changes
    • Poorly formatted logs
    • Incomplete trail
    • Should be updated
  Diagram (log trail from certificate to local account): Workload Manager (networkserver, log monitor, certificate) -> Compute Element (gatekeeper, jobmanager) -> Worker Node (batch system, process accounting: uid, gid); Storage Element (gridftp; Castor, dCache, ???)
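Added example for the audit requirement "trace from certificate DN to uid" and the two problems listed above (poorly formatted logs, incomplete trail); it is not code from the slides or from the LCG audit tooling. It joins gatekeeper sessions (DN, local user, uid) with batch-system job-end records and reports both orphan jobs and sessions that never reached a local account. Both log samples are constructed; their shape is modelled on Globus gatekeeper log lines and PBS accounting records, but the PIDs, DNs, account names, hostnames and timestamps are invented for illustration.

```python
"""Added example (not from the slides): rebuild the audit trail from certificate
DN to local account and batch job, and flag where the trail is incomplete.
Both log samples are constructed, modelled on Globus gatekeeper log lines and
PBS accounting records; field names are assumptions for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RETENTION = timedelta(days=90)  # retention mandated by the Audit Requirements doc

# Constructed gatekeeper log: each connection is identified by the gatekeeper PID.
# PID 4712 authenticates but its authorization line is truncated (a poorly
# formatted log), so that session never reaches a local account.
GATEKEEPER_LOG = """\
PID: 4711 -- Notice: 5: Authenticated globus user: /C=UK/O=eScience/OU=Univ/CN=alice example
PID: 4711 -- Notice: 0: Requested service: jobmanager-pbs
PID: 4711 -- Notice: 0: Authorized as local user: xyz001
PID: 4711 -- Notice: 0: Authorized as local uid: 20001
PID: 4712 -- Notice: 5: Authenticated globus user: /C=UK/O=eScience/OU=Univ/CN=bob example
PID: 4712 -- Notice: 0: Authorized as local
PID: 4713 -- Notice: 5: Authenticated globus user: /DC=org/DC=doegrids/OU=People/CN=Carol Example 12345
PID: 4713 -- Notice: 0: Authorized as local user: xyz002
PID: 4713 -- Notice: 0: Authorized as local uid: 20002
"""

# Constructed PBS accounting records (type E = job end). Job 102 ran as xyz003,
# an account that never appears in the gatekeeper log: an orphan in the trail.
PBS_ACCOUNTING = """\
06/01/2004 10:15:02;E;101.ce.example;user=xyz001 group=xyz jobname=STDIN queue=short exec_host=wn07/0
06/01/2004 11:40:17;E;102.ce.example;user=xyz003 group=xyz jobname=STDIN queue=short exec_host=wn12/0
"""

GK_LINE = re.compile(r"^PID: (?P<pid>\d+) -- Notice: \d+: (?P<event>.*)$")
GK_EVENTS = {
    "dn": re.compile(r"^Authenticated globus user: (?P<value>/.+)$"),
    "user": re.compile(r"^Authorized as local user: (?P<value>\S+)$"),
    "uid": re.compile(r"^Authorized as local uid: (?P<value>\d+)$"),
}
PBS_LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d);(?P<kind>[A-Z]);(?P<jobid>[^;]+);(?P<attrs>.*)$")


def parse_gatekeeper(text):
    """Group the gatekeeper log by PID into {pid: {'dn','user','uid'}} and keep
    the lines no pattern accepted, so format drift after a middleware change
    shows up as a count rather than as a silent hole in the trail."""
    sessions, unmatched = defaultdict(dict), []
    for line in text.splitlines():
        m = GK_LINE.match(line)
        if not m:
            unmatched.append(line)
            continue
        for field, rx in GK_EVENTS.items():
            ev = rx.match(m["event"])
            if ev:
                sessions[m["pid"]][field] = ev["value"]
                break
        else:
            unmatched.append(line)  # e.g. "Requested service" or truncated lines
    return dict(sessions), unmatched


def parse_pbs_end_records(text):
    """Return one dict per job-end record with the fields the trail needs."""
    jobs = []
    for line in text.splitlines():
        m = PBS_LINE.match(line)
        if not m or m["kind"] != "E":
            continue
        attrs = dict(kv.split("=", 1) for kv in m["attrs"].split() if "=" in kv)
        jobs.append({"jobid": m["jobid"], "user": attrs.get("user"),
                     "exec_host": attrs.get("exec_host"),
                     "ended": datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")})
    return jobs


def build_trail(gk_text, pbs_text):
    """Join DN -> local user/uid (gatekeeper) with user -> job (batch accounting).
    Returns (trail, incomplete): a trail entry with dn=None is a job nobody can
    be held responsible for; incomplete lists sessions that authenticated but
    never produced an authorization record. Caveat (simplification of this toy):
    pool accounts are re-leased over time, so a real audit must also compare
    the gatekeeper session time with the job submission time."""
    sessions, _ = parse_gatekeeper(gk_text)
    by_user, incomplete = {}, []
    for pid, s in sessions.items():
        if "dn" in s and "user" in s:
            by_user[s["user"]] = (s["dn"], s.get("uid"))
        else:
            incomplete.append((pid, s.get("dn")))
    trail = []
    for job in parse_pbs_end_records(pbs_text):
        dn, uid = by_user.get(job["user"], (None, None))
        trail.append({**job, "dn": dn, "uid": uid})
    return trail, incomplete


def jobs_for_dn(trail, dn, now, retention=RETENTION):
    """The audit question: which jobs did this certificate run, within the
    window the logs are required to be kept for?"""
    return [j["jobid"] for j in trail
            if j["dn"] == dn and now - j["ended"] <= retention]
```

On the constructed input, job 101 traces cleanly to alice's DN and uid 20001, job 102 comes back with no DN at all (the "incomplete trail" case), and session 4712 is reported separately because its authorization line was mangled. The unmatched-line list is the cheap early warning for the "middleware changes" problem: if a new gatekeeper version rewords its log lines, that list grows before anyone notices the trail has gone blank.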

  13. Security Collaboration
  • Projects share resources & have close links
  • Need for inter-grid global security collaboration
    • ? Common accepted Usage Rules
    • ? Common authentication and authorization requirements
    • ? Common incident response channels
  • LCG – EGEE – OSG - ?
  • LCG Security Group is now Joint Security Group
    • JSG for LCG & EGEE
    • Provide requirements for middleware development
    • Some members from OSG already in JSG

  14. LCG Security Issues
  Thank you.
