lcg egee grid incident response n.
Skip this Video
Loading SlideShow in 5 Seconds..
LCG/EGEE Grid Incident Response PowerPoint Presentation
Download Presentation
LCG/EGEE Grid Incident Response

Loading in 2 Seconds...

play fullscreen
1 / 18

LCG/EGEE Grid Incident Response - PowerPoint PPT Presentation

  • Uploaded on

LCG/EGEE Grid Incident Response. Ian Neilson, Grid Deployment Group, CERN TERENA NRENS-Grids Workshop 12 th May 2005, Amsterdam. TOC. Background Grids Grid Projects Grid Environment Incident Handling Guide Requirements Requests Operational Aspects Project Environment

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'LCG/EGEE Grid Incident Response' - avital

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
lcg egee grid incident response

LCG/EGEE Grid Incident Response

Ian Neilson, Grid Deployment Group, CERN

TERENA NRENS-Grids Workshop

12th May 2005, Amsterdam

  • Background
    • Grids
    • Grid Projects
    • Grid Environment
  • Incident Handling Guide
    • Requirements
    • Requests
  • Operational Aspects
    • Project Environment
    • Security Coordination Team
  • Planning
    • Use-case Testing
    • Service Challenges

TERENA NRENS-Grids Workshop, Amsterdam


LCG – LHC Computing Grid


Job Managers

EGEE – Enabling Grids for e-Science in Europe

OSG – Open Science Grid

Globus Toolkit

Computing Elements

Resource Brokers

Proxy Servers

GridPP – Grid Particle Physics

Virtual Data Toolkit

PPDG – Particle Physics Data Grid

Storage Resource Manager



“[Grids] enable the sharing, exchange, discovery, and aggregation of resources distributed across multiple administrative domains ...”- Sun Microsystems

Virtual Organisations

TERENA NRENS-Grids Workshop, Amsterdam

egee in one slide
EGEE in one slide
  • 70 institutions in 28 countries,federated in regional clusters
  • 32MEUR for first 2 years(plans for another 2 years)
  • Deployment andreengineering project
  • 50% operations & support,25% training & appl. support,25% reengineering

TERENA NRENS-Grids Workshop, Amsterdam

computing resources april 2005
Computing Resources: April 2005
  • Country providing resources
  • Country anticipating joining
  • In LCG-2:
  • 131 sites, 30 countries
  • >12,000 cpu
  • ~5 PB storage
  • Includes non-EGEE sites:
  • 9 countries
  • 20 sites

TERENA NRENS-Grids Workshop, Amsterdam

lcg egee security environment
LCG/EGEE Security environment
  • The players



Personal data


Usage patterns

Experiment data

Access patterns







TERENA NRENS-Grids Workshop, Amsterdam

the risks
The Risks
  • Top risks from Security Risk Analysis
    • Launch attacks on other sites
      • Large distributed farms of machines
    • Illegal or inappropriate distribution or sharing of data
      • Massive distributed storage capacity
    • Disruption by exploit of security holes
      • Complex, heterogeneous and dynamic environment
    • Damage caused by viruses, worms etc.
      • Highly connected and novel infrastructure

TERENA NRENS-Grids Workshop, Amsterdam

joint security policy group









Security & Availability




Application Development

& Network Admin Guide

Joint Security Policy Group



TERENA NRENS-Grids Workshop, Amsterdam

incident response
Incident Response
  • Overview
    • LCG Security Group Agreement on Incident Response
      • June 2003 LCG-1
    • Updated as The OSG Incident Handling and Response Guide
      • Developed with JSPG

“To guide the development and maintenance of a common capability for handling and response to cyber security incidents on Grids.”

    • Aims to established
      • common policies and processes, organizational structures,
      • cross-organizational relationships,
      • common communications methods, and
      • a modicum of centrally-provided services and processes.

Grid Incident definition:

“..event that poses a .. threat [to] the integrity of services, resources, infrastructure, or identities.”

TERENA NRENS-Grids Workshop, Amsterdam

incident response1
Incident Response
  • The OSG Incident Handling and Response Guide
    • What it mandates (MUST do’s)
      • REPORT
      • RESPOND
      • PROTECT information gathered
      • ANALYSE
    • What it recommends (SHOULD do’s)
      • Provide monitored contact mailing lists at sites
      • Public Disclosure (summary) through site Public Relations
      • Use signed mails
  • See also Andrew Cormack’s draft “CSIRTs and Grids”comparison available here.

TERENA NRENS-Grids Workshop, Amsterdam

incident response2
Incident Response
  • Reporting (MUST)
    • Provide contact information
      • Individual contacts
      • Monitored list (optional but HIGHLY desirable)
      • Management through GOCDB (?soon)
    • Report to LOCAL site security
      • = sites should have local plan
      • Does not replace or interfere with local plans
    • Report to
      • Initial incident notification only, no chat
      • Closed list
      • Filtered abuse@.. & security@..
      • Currently we use
        • -egee- alias
        • Open list hence no moderated lists

TERENA NRENS-Grids Workshop, Amsterdam

incident response3
Incident Response
  • Responding (MUST)
    • Initial Classification
      • Low, Medium, High classifications
    • Containment
      • Assumes local containment process in place
      • Attacks through the grid
        • Default action to block grid access initially
          • Authorization control MUST be provided for services
      • Attacks on the grid
        • Little/no possible central control
        • Notify the attacking site (NREN CSIRTS)
        • Coordination of blocking, restoration of service
    • Notification
      • User, VO if identity compromise
      • Management
    • Post-Incident Analysis

TERENA NRENS-Grids Workshop, Amsterdam

operational security coordination










Operational Security Coordination
  • Operational Security Coordination Team - OSCT
  • Incident Response Planning
  • Best Practice Information
  • Security Monitoring
  • Security Service Challenges
  • EGEE operational channels are still being established.
  • No central authority over sites

TERENA NRENS-Grids Workshop, Amsterdam

operational issues
Operational issues
  • Recognising and reporting 
  • What is a local CSIRT?
    • Scale of coverage
      • 24x7 site/campus network operations team
      • Department Security Officer
      • LCG system administrator
  • Who is a security contact?
    • as above
  • Contact management
  • Intersection with local CSIRT procedures
    • Local quarantine and analysis
  • Keeping emergency channels clear
    • Discussions, cross-postings

TERENA NRENS-Grids Workshop, Amsterdam

incident response planning
Incident Response Planning
  • Response Planning Objectives
    • Provide a framework to use when something happens
    • But must be usable flexibly
    • Can be tested
  • Classification Based ‘Use Cases’
    • LOW
      • e.g. Local single non-privileged identity compromised, local denial of service.
    • MEDIUM
      • e.g. Local privileged identity compromised, attack on grid service not threatening grid stability.
    • HIGH
      • e.g. Exploitation of trust fabric, attack leading to grid instability or denial of service against all service replicas.

TERENA NRENS-Grids Workshop, Amsterdam

security service challenges
Security Service Challenges
  • Objectives
    • Simulating small, well defined security incidents.
    • Learn and iterate to update procedures.
    • Formalise in updated incident response procedures.
    • Feedback to development and testing activities.
  • Exercise response procedures in controlled manner
    • Non-intrusive
      • Compute resource usage trace to owner
        • Run a job, can we trace it back to submission?
  • SSC1 in testing phase now.
  • Future ?SSC2
      • Storage resource usage trace to owner
        • Run a job to store a file
      • Disruptive
        • Disrupt a service and map the effects on the service and grid

TERENA NRENS-Grids Workshop, Amsterdam

  • Diverse and complex Grid environments
  • We have
    • Basic Incident Response proposals in place
    • Basic Organisational structures in place
  • We need to implement through
    • Testing and awareness through Service Challenges
    • Improving planning process in OSCT

TERENA NRENS-Grids Workshop, Amsterdam

thank you
Thank You

Thanks to UK PPARC for my funding in LCG

TERENA NRENS-Grids Workshop, Amsterdam