Friday, May 12
11:30 am - 12:30 pm
Teragrid Security: Managing security across a grid.
(60 mins)
Abe Singer (SDSC), Jim Marsteller (PSC)
The Teragrid Security Working Group developed policy and procedures to
address the inter-site security issues that result from grid operations --
maintaining security across multiple domains, many without firewalls.
A large-scale incident in 2004, involving the Teragrid, was greatly
mitigated due to the foresight and planning of the Security Working Group.
The group's efforts and a chronology of the attack will be presented.
The Teragrid consists of sites in different security domains, with
different policies and procedures. Grid architectures introduce security
interdependencies that can be difficult to resolve between these sites.
The Teragrid Security Working Group has addressed some of these issues,
developed policy and procedures, and reviewed security issues with
grid technologies.
Many Teragrid sites, like many academic sites, have to maintain security
without relying on "conventional" security technologies such as firewalls.
Rather, an emphasis is placed on host-based security by making use of
scalable configuration management to maintain our security posture across
thousands of hosts, an approach we believe is as effective as, or more
effective than, many firewall-based methods.
In 2004, many Teragrid sites were affected by an intruder who compromised
numerous sites around the world. The work done by the Security Working
Group greatly improved Teragrid sites' abilities to detect and respond,
mitigating the impact of the intruder.
This presentation will show the work that we've done and how it applies
to grids in general, plus a history of the security incident and how
our work was of benefit, and continues to be.
Agenda:
Background
  conflict between interoperation and security
  grid technologies
  transitive trust
  file sharing
  resolving local policy vs. grid policy
The Security Working Group activities
  Teragrid Security Policies
    CA acceptance
    Baseline Security Requirements
    Security MOU
    Two-factor Authentication
  Teragrid Security Procedures
    Inter-site reporting
    Grid-wide Site Emergency contacts
    Grid-wide Incident handling
The Intrusion of 2004
Other work
  Site audits -- how to do, how to share information
  Incident meetings
  "Newbie" Guide
  CA self-evaluation
Maintaining Security Without Firewalls
  Principles
  Network Architecture
  Configuration Management
  Authentication and Account Management
  Maintenance and Incident Management
Issues that need to be addressed and Future Work
  Kerberos Authentication
  Regular site security audits
  Sysadmin Training
  Working with Law Enforcement
Location: G409