
Presentation Transcript


  1. The GIDS project: A Grid-based, federated Intrusion Detection System to secure the D-Grid infrastructure. Nils gentschen Felde, Felix von Eye

  2. The MNM Team, Leibniz-Rechenzentrum der Bayerischen Akademie der Wissenschaften

  3. Grid-related projects (excerpt: @LMU)
     • European projects
       • Deployment of Remote Instrumentation Infrastructure (DORII)
       • Open Grid Forum Europe (OGF-Europe)
       • European Grid Initiative (EGI)
       • EMANICS - Management Solutions for Next Generation Networks
       • g-Eclipse
     • German projects
       • Horizontale Integration des Ressourcen- und Dienst-Monitoring im D-Grid (D-MON)
       • Authentication and Authorization Infrastructure for VO Management (AAI/VO)
       • Ein Grid-basiertes, föderiertes Intrusion Detection System zur Sicherung der D-Grid Infrastruktur (GIDS)
     • Previous research projects
       • Interoperabilität und Integration der VO-Management Technologien im D-Grid (IVOM)
       • VO-Management im D-Grid
       • Monitoring und Accounting im D-Grid

  4. Project overview
     • Partners:
     • Associated Partners:
     • Start: 01.07.2009
     • Duration: 36 months
     • Project leader: LRZ/LMU, mailto:felde@nm.ifi.lmu.de
     • www.grid-ids.de

  5. Usage scenario of Grids
     (Figure: resource providers A to D coupled by Grid-Middleware)
     • Users grouped in Virtual Organizations (VO)
       • With respect to scientific affiliation
       • Not regarding real organizations any more
     • Scientific environment
       • Generous resource sharing
       • Security management neglected
     • Grid-Middleware
       • Intent
         • Loose coupling of autonomous providers
         • Hiding heterogeneity
       • Functionalities
         • Job scheduling
         • Storage
         • ...
       • Management
         • User/VO management
         • Monitoring
         • Accounting
         • ...

  6. Security considerations in Grids
     (Figure: each resource provider A to D protects its own domain with an uplink firewall, anti-virus and IDS under a local Admin; Grid-Middleware couples the providers)
     • Coupling resources
       • Abstracted by middleware
       • Collaborative use of distributed resources
     • Security considerations
       • Isolated view on domains
       • Security is based on trustworthiness of resource providers

  7. Example: attack scenario
     (Figure: resource providers A to D coupled by Grid-Middleware)
     • Break-in at one site suffices: access to Grid-middleware → access to all resources!
     • Example: Compromised SSH private key, i.e. well-known SSL vulnerabilities
     • Grid-wide login attempts → inter-organizational!
     • Only global event correlation yields success

  8. Goal
     (Figure: resource providers A to D coupled by Grid-Middleware)
     • State of the art
       • IDS for autonomous systems
       • Distributed IDS: always based on total trust
       • No concept of customers
     • Now
       • Stepping towards a Grid-wide solution
       • Conception of an IDS for Grids (GIDS)
     • First-glance challenges
       • Inter-organizational system
       • Autonomous partners
       • Heterogeneity
       • GIDS as a service with user-specific views

  9. Vision: GIDS as a federation
     (Figure: resource providers A to D coupled by Grid-Middleware)
     • Intent:
       • New service in the Grid
       • Surveying the Grid with respect to security
       • Reporting thereof
       • Economical use of
         • The service
         • The Grid itself
     • Idea:
       • Grid-wide consolidation of security-relevant data
       • Derivation of security reports

  10. Methodology: Analysis, Architecture design, Prototypical implementation, Evaluation, Conclusion

  11. Analysis: Methodology
     • Threat analysis
       • Attack goals and risks
       • Classification of possible attackers
       • Attack patterns
       • Origin of attack (positional and organizational)
       • Types of attacks in Grids
     • Use-case driven requirements analysis
       • User groups and customers
       • Information providers
       • Requirements induced by Grids
       • Generic requirements
       • Cooperation patterns
       • Trust relationships
     • Classes of requirements:
       • Functional
       • Non-functional
       • Security requirements
       • Organizational and privacy data protection
       • Requirements related to detection capabilities

  12. Methodology: Analysis, Architecture design (work in progress), Prototypical implementation, Evaluation, Conclusion

  13. Architecture overview
     (Figure: components shown are, per resource provider A ... X, local IDS instances and a GIDS-agent; the GIDS-/IDMEF-bus; the GIDS-operator; and the GIDS portal)

  14. Resource-provider
     (Figure: inside one resource provider, local sources such as FW, IDS and further agents store data in the GIDS-DB; the GIDS-agent performs filtering, anonymization/pseudonymization and aggregation/correlation; a local (G)IDS instance stores data and reports; data and reports are reported to the Admin and to the GIDS-/IDMEF-bus)

  15. Methodology: Analysis, Architecture design, Prototypical implementation (work in progress), Evaluation, Conclusion

  16. Example: Grid-wide event correlation
     (Figure: resource providers A to D coupled by Grid-Middleware)
     • Reminder: Break-in at one site is sufficient; access to Grid-middleware → access to all resources!
     • Example: Compromised user account in context of a VO; the VO may use selected resources
     • Possibility of detection: Grid-wide event correlation, i.e. failing login attempts

  17. Failing login attempts
     <?xml version="1.0"?>
     <!-- namespace declaration for the idmef prefix added here (RFC 4765) -->
     <idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef">
       <idmef:Alert>
         <idmef:Analyzer name="syslogd"/>
         <idmef:Classification text="SSH login attempt"/>
         <idmef:Source>
           <idmef:Node>
             <idmef:Address category="ipv4-addr">
               <idmef:address>172.16.112.20</idmef:address>
             </idmef:Address>
           </idmef:Node>
           <idmef:Service ip_version="4">
             <idmef:port>22</idmef:port>
             <idmef:protocol>TCP</idmef:protocol>
           </idmef:Service>
         </idmef:Source>
         ...
       </idmef:Alert>
     </idmef:IDMEF-Message>
     (Figure: architecture from slide 13; a party holding a VO-member's SSH private key makes a login attempt at a resource provider, which the local IDS reports to its GIDS-agent as the IDMEF message above, to be forwarded over the GIDS-/IDMEF-bus to the GIDS-operator)

  18. Exemplary dataflow
     (Figure: the holder of the VO-member's SSH private key makes login attempts at resource providers A ... X; each local IDS reports to its GIDS-agent, and the agents pass the login-attempt events over the GIDS-/IDMEF-bus to the GIDS-operator and the GIDS portal)

  19. Correlation
     (Figure: agent internals from slide 14; the login-attempt events enter the GIDS-agent, pass its filtering, anonymization/pseudonymization and aggregation/correlation functions, and a correlation-alarm leaves towards the GIDS-/IDMEF-bus)
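Slides 14 and 16 to 19 describe the chain the prototype is built around: a local IDS reports a failing SSH login as an IDMEF alert, the GIDS-agent filters and pseudonymizes it before placing it on the GIDS-/IDMEF-bus, and the GIDS-operator correlates the attempts from several resource providers into a correlation-alarm. The following Python script is an added example written for this page, not code from the GIDS project. The IDMEF messages, provider names, user names and the pseudonymization key are constructed; carrying the reporting provider in the Analyzer's analyzerid attribute and the exact agent/operator split are assumptions of the example, not something the slides specify.

```python
"""Grid-wide correlation of failing SSH logins carried as IDMEF alerts.

Added example, not GIDS project code. Assumptions not taken from the slides:
the reporting resource provider is carried in the Analyzer's analyzerid
attribute, and all constants below are constructed sample values.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"idmef": "http://iana.org/idmef"}  # IDMEF namespace, RFC 4765

# Constructed secret for the agent's pseudonymization step (hypothetical).
PSEUDONYM_KEY = b"constructed-gids-demo-key"


def make_alert(provider, src_ip, user, classification="SSH login attempt"):
    """Build a minimal IDMEF alert shaped like the slide 17 message."""
    return f"""<?xml version="1.0"?>
<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef">
  <idmef:Alert>
    <idmef:Analyzer analyzerid="gids-agent-{provider}" name="syslogd"/>
    <idmef:Classification text="{classification}"/>
    <idmef:Source>
      <idmef:Node><idmef:Address category="ipv4-addr">
        <idmef:address>{src_ip}</idmef:address>
      </idmef:Address></idmef:Node>
      <idmef:Service ip_version="4">
        <idmef:port>22</idmef:port><idmef:protocol>TCP</idmef:protocol>
      </idmef:Service>
    </idmef:Source>
    <idmef:Target><idmef:User><idmef:UserId>
      <idmef:name>{user}</idmef:name>
    </idmef:UserId></idmef:User></idmef:Target>
  </idmef:Alert>
</idmef:IDMEF-Message>"""


def parse_alert(xml_text):
    """Extract provider, classification, source address and target user."""
    alert = ET.fromstring(xml_text).find("idmef:Alert", NS)
    analyzer_id = alert.find("idmef:Analyzer", NS).get("analyzerid")
    return {
        "provider": analyzer_id.rsplit("-", 1)[-1],
        "classification": alert.find("idmef:Classification", NS).get("text"),
        "source": alert.find(
            "idmef:Source/idmef:Node/idmef:Address/idmef:address", NS).text,
        "user": alert.find(
            "idmef:Target/idmef:User/idmef:UserId/idmef:name", NS).text,
    }


def pseudonymize(value, key=PSEUDONYM_KEY):
    """Keyed one-way pseudonym (truncated HMAC-SHA256): equal inputs give
    equal pseudonyms across providers, but the operator cannot invert them."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def agent_process(xml_text, key=PSEUDONYM_KEY):
    """GIDS-agent stage before the bus: filter to the alert class the
    Grid-wide correlation needs, then pseudonymize personal data."""
    rec = parse_alert(xml_text)
    if rec["classification"] != "SSH login attempt":
        return None  # dropped by the local filter
    rec["source"] = pseudonymize(rec["source"], key)
    rec["user"] = pseudonymize(rec["user"], key)
    return rec


def correlate(records, min_providers=2):
    """GIDS-operator stage: group attempts by (pseudonymized) source and raise
    a correlation-alarm when one source hits at least min_providers sites."""
    by_source = defaultdict(lambda: {"providers": set(), "users": set(), "n": 0})
    for rec in records:
        entry = by_source[rec["source"]]
        entry["providers"].add(rec["provider"])
        entry["users"].add(rec["user"])
        entry["n"] += 1
    return [
        {"source": src, "providers": sorted(e["providers"]),
         "users": sorted(e["users"]), "attempts": e["n"]}
        for src, e in by_source.items() if len(e["providers"]) >= min_providers
    ]


# Constructed sample traffic as it would arrive from the agents.
SAMPLE_ALERTS = [
    make_alert("A", "172.16.112.20", "vo-user-1"),
    make_alert("X", "172.16.112.20", "vo-user-1"),
    make_alert("B", "172.16.112.20", "vo-user-1"),
    make_alert("A", "10.0.0.5", "vo-user-2"),
    make_alert("B", "172.16.112.20", "vo-user-1", classification="Port scan"),
]


def run_demo(min_providers=2):
    """Run the agent stage on every sample alert, then correlate."""
    records = [r for r in map(agent_process, SAMPLE_ALERTS) if r]
    return correlate(records, min_providers)


if __name__ == "__main__":
    for alarm in run_demo():
        print("correlation-alarm:", alarm)
```

Running the script yields a single correlation-alarm for the source seen at providers A, B and X; the port-scan alert never reaches the bus because the agent's filter drops it, and the lone attempt at the second address stays below the threshold. Pseudonyms are keyed HMACs rather than plain hashes so that the operator cannot recover an address by hashing the whole IPv4 space; the flip side is that pseudonyms only match across providers if every agent uses the same key, which is one of the trust decisions a federated GIDS has to settle in its privacy-protection concept.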

  20. Methodology: Analysis, Architecture design, Prototypical implementation, Evaluation (→ to be done!), Conclusion

  21. Methodology: Analysis, Architecture design, Prototypical implementation, Evaluation, Conclusion

  22. Conclusion
     • Challenge: Conception of a GIDS
     • Proceeding:
       • Analysis: Threats, use cases, requirements induced by Grids
       • Design of a generic GIDS architecture
       • Development of a privacy-protection concept
       • Prototype → later: production ready
       • Evaluation: Simulation and measurements in D-Grid
     • Results:
       • Catalogue of criteria to evaluate IDS for their use in Grids
       • Generic GIDS architecture
       • Privacy-protection concept
       • GIDS in production for D-Grid

  23. Further research questions
     • Management aspects
       • Specification of processes as in e.g. ISO 20000 or ITIL
       • Special challenges in inter-organizational environments
     • Attack detection
       • Which analysis techniques are appropriate in Grids, which aren't?
       • Implications of the dynamics in Grids for attack detection methods
       • Valuable use of additionally available information in Grids (e.g. (job-)monitoring or VO-management systems)
     • Compliance
       • Enhancing the GIDS by making use of trust-level management data

  24. Thank you! Project details: www.grid-ids.de. Contact: Nils gentschen Felde <felde@nm.ifi.lmu.de>
