Grid Security Overview

Mike Surridge, IT Innovation Centre
ms@it-innovation.soton.ac.uk

Grid Security Workshop, NESC, 05-06 Dec 2002

© IT Innovation Centre, 2002

Overview

• Introductions
• The Grid Security Problem
  – as seen by a Comb-e-Chem chemist...
  – motivation for the Rough Guide report
• Risks and issues
  – what could go wrong with our Grid security
  – lots of questions – our job is to find answers
• Issues for discussion

COMMERCIAL IN CONFIDENCE

IT Innovation

• The IT Innovation Centre is an autonomous research centre, alongside the research groups and industrial units of the Department of Electronics and Computer Science at the University of Southampton
• We deliver strategies, road maps, proofs-of-concept, demonstrators and novel operational systems
• Our innovation capabilities are in the best traditions of Southampton's outstanding record of technological R&D
• We have broken new ground in making these capabilities available through a dedicated off-campus Centre with a professional service culture

A Culture Gap (A Chemist’s View of Grid Security)

• Provided the user is properly authenticated [and you vouch for them] they can access [Chemistry] kit via the [University] firewall.
• If they want to use [University] kit, they will need approval from Computing Services.
• If anything bad happens then [you Chemists] are responsible, and are in deep trouble...

The Rough Guide

• Intended to raise awareness of Grid security
• Aimed at
  – project managers and principal investigators
  – Grid users and application developers
  – Grid infrastructure developers
  – computing services and Grid support teams
• Conclusions
  – operational security is a team effort
  – everyone needs to be aware of the key issues

Security Best Practice

• Build security in depth
  – like a medieval castle!
• Assume breaches will occur
  – don’t rely on a single barrier
  – design for containment
• Continuous security
  – intrusion detection methods
  – security advisories and updates
  – well-defined operating protocols
  – review, challenge and audit

Grid Authentication

• Based on strong public-key encryption
  – unlikely that a digital signature could be faked
• But operational factors are important, e.g.
  – is the CA procedure rigorous enough for you?
  – are the RAs trained to operate it correctly?
  – does the certificate profile meet your needs?
  – could the user’s private key have been lost/stolen?
  – what if a user’s GSI proxy were hijacked?
• And...85% of intrusions come from within

Grid PKI

[Figure labels: User, User, Resource, Resource, The CA]

Conventional PKI

[Figure labels: User, User, Resource, Resource, CA1 ... CAn]

Grid Authorisation

• Typically done via local account mappings
  – allowing resource owners to retain control
• Difficult to implement operationally
  – local resource access controls may not exist
  – local admin teams don’t scale with the size of Grid
• Can use role-based schemes and CAS
  – but might CAS be disabled via DoS or spoofing?
  – should outsiders define/assign user roles?
  – who is responsible for correct role attribution...?
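One way a site could review the local account mappings described above, assuming they are kept in a Globus-style grid-mapfile (a quoted certificate DN followed by a local account name). This is an added example, not part of the original slides; the DNs, account names and the PRIVILEGED set are constructed.

```python
import shlex
from collections import defaultdict

# Assumption: local accounts a Grid identity should never be mapped to.
PRIVILEGED = {"root", "bin", "daemon", "operator"}

# Constructed sample, grid-mapfile style: "<certificate DN>" account[,account]
SAMPLE = '''\
# constructed example entries
"/C=UK/O=eScience/OU=Southampton/CN=alice example" alice
"/C=UK/O=eScience/OU=Southampton/CN=bob example" chemgrid
"/C=UK/O=eScience/OU=Manchester/CN=carol example" chemgrid
"/C=UK/O=eScience/OU=Oxford/CN=dave example" root
"/C=UK/O=eScience/OU=Southampton/CN=alice example" alice2
/C=UK/O=eScience/CN=unquoted name erin
'''

def parse(text):
    """Return (entries, errors); entries are (lineno, dn, [accounts])."""
    entries, errors = [], []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)
        except ValueError:  # unbalanced quotes
            parts = []
        if len(parts) != 2 or not parts[0].startswith("/"):
            errors.append((n, "malformed entry"))
            continue
        entries.append((n, parts[0], parts[1].split(",")))
    return entries, errors

def audit(text):
    """Flag mappings to review; line 0 marks a file-level finding."""
    entries, findings = parse(text)
    by_account, seen_dn = defaultdict(set), {}
    for n, dn, accounts in entries:
        if dn in seen_dn:
            findings.append((n, f"DN already mapped on line {seen_dn[dn]}"))
        seen_dn.setdefault(dn, n)
        for acct in accounts:
            if acct in PRIVILEGED:
                findings.append((n, f"DN mapped to privileged account {acct}"))
            by_account[acct].add(dn)
    for acct, dns in sorted(by_account.items()):
        if len(dns) > 1:
            findings.append((0, f"account {acct} shared by {len(dns)} DNs"))
    return findings
```

Shared accounts are flagged because activity under them cannot be tied back to a single certificate holder, which matters for the intrusion-response questions raised later in the talk.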

Grid Infrastructure

• Presumably security loopholes exist(!)
  – e.g. buffer overflow vulnerabilities
• Security advisory/updates (Jun-Nov’02):
  – Apache: 5 updates
  – Sendmail/Fetchmail: 2 updates
  – OpenSSH/OpenSSL: 4 updates
  – DNS: 2 updates
• What about our Grid software?
  – who can provide security updates rapidly?
  – how can they be distributed rapidly?
  – who will apply them?

Grid Applications

• Security depends on application developers
  – need awareness of classic vulnerabilities
• Uploaded user applications
  – practically uncontainable if malicious...
  – users (and their code) must be 100% trustworthy
• Legacy applications
  – not designed for secure remote operation
  – may be full of shell escapes and system calls
• Commercial applications
  – e.g. Finite Element codes with VB interpreters!

Damn Those Pesky Firewalls

[Figure labels: Managed Server Resources, User Managed Workstations, Scanning Attacks, FIREWALL, Permitted Access to Restricted Services, Permitted Grid Access, New Vulnerability]

Firewall Management Issues

[Figure labels: Campus FIREWALL, FIREWALL, GRID COMPUTE SERVER, 3rd Party Database, Globus GRID, SOAP/HTTPS/PGP, Lab Database, NCS GATEWAY SERVER, GASS, Remote Client Site, DMZ, Lab Resources]

Firewall Management Issues

[Figure labels: Campus FIREWALL, FIREWALL, GRID COMPUTE SERVER, 3rd Party Database, Globus GRID, SOAP/HTTPS/PGP, Lab Database, NCS GATEWAY SERVER, GASS, Remote Client Site, Campus Network, Lab DMZ]

Firewalls and Containment

[Figure labels: GRID INFRASTRUCTURE, Grid DMZ (four), Private LAN (four), RESTRICTED ACCESS (two), Generic Grid Resources, High Security Resources]

Intrusion Response

• Containment within and between Grid sites
  – firewalls, sandboxes, etc
• Detection using standard tools (Tripwire, etc)
  – what if a Grid account is compromised at another site?
  – how might we detect this?
  – can we assume all sites are equally vigilant?
• Coherent intrusion response between sites
  – need for consistent (and realistic) usage policies?
  – do we need multi-site project response plans?
  – do we need a UK E-Science/Grid CERT?

A Chemist’s Checklist

• Risk assessment and management
  – with computing services involvement and support
  – what are the critical resources and risks?
• Technology choices
  – taking account of advisory services, etc
  – backed up by sufficient training?
• Consistent operation and usage policies
  – including firewalls, intrusion detection, sanctions, response plans,...
• User training and awareness
• Continuous review

Summary

• Grid technology: pretty good but not well tested
  – need for multiple PKI and/or CA?
  – need for operable authorisation mechanisms?
  – need for coherent intrusion containment/detection strategy?
• Operational issues just as important
  – risk assessment and asset management/protection?
  – need for advisories and updates?
  – need for coherent intrusion responses or CERT?
• People must be the key to success
  – need for awareness raising and training?
  – how to get buy-in from sys/net admin teams?
  – how to address human factors?