LCG Security issues - PowerPoint PPT Presentation

Slide 1
LCG Security issues
  • Ian Neilson
  • LCG Security Officer
  • Grid Deployment Group
  • CERN

Slide 2
LCG Security Issues
  • LCG Security Group
  • Policy
  • GOC Guides
  • Risk Analysis
  • Usage Rules
  • Authentication
  • Trusted CAs
  • User Registration
  • VO membership management
  • Incident Response
  • Audit
  • Security Collaboration
  • EGEE OSG - ?

Slide 3
Policy
  • Incident Response
  • Certification Authorities
  • Audit Requirements
  • Usage Rules
  • Security and Availability Policy
  • Application Development and Network Admin Guide
  • User Registration
  • http://cern.ch/proj-lcg-security/documents.html
Slide 4
Risk Analysis - 1
  • http://cern.ch/proj-lcg-security/RiskAnalysis/risk.html
  • Intentional and accidental incidents
  • Misuse of resources
  • Confidentiality / integrity
  • Service disruption

Slide 5
Risk Analysis - 2
  • Top 4
    • Launch attacks on other sites
    • Illegal or inappropriate distribution or sharing of data
    • Disruption by exploit of security holes
    • Damage caused by viruses, worms etc.
  • Distributed Denial of Service
    • Limit WN outgoing connectivity?
    • But jobs want worker-to-anywhere connections
  • Site Questionnaire
    • Concerned about DDoS? Mostly YES
    • Problems with current firewall requirements? Mostly NO
    • Allowing outgoing now? YES, unwillingly, may change, NAT

Slide 6
Usage Rules
  • Rules for the Use of LCG-1 Computing Resources
    • Extended by GDB to cover LCG-x
    • Adapted from EU DataGrid Project
    • "to lay down the rules governing the use of these resources without prejudice to the application of the rules of each LCG-1 Regional Centre and each LCG-1 site, and of any national laws which may apply."
  • Procedure for obtaining a user account
  • Organisation of security
  • Rules governing the use of resources
  • Third-party access to user accounts
  • Responsibilities and liabilities
  • Basis for General Grid Usage Rules?
    • Will be LCG EGEE

Slide 7
Authentication
  • EUGridPMA Certification Authorities
    • Formed from EDG CA Coordination Group
    • Charter agreed in April 2004
    • http://www.eugridpma.org
    • 20 Authorities and Major Relying Parties
    • EU, US, Asia-Pacific
    • Establish Trust
    • EUGridPMA "is a body to establish requirements and best practices for grid identity providers to enable a common trust domain applicable to authentication of end-entities in inter-organisational access to distributed resources."
  • FNAL Kerberized Certification Authority
    • LCG Security Group Approved
    • Uses existing Kerberos infrastructure
    • Mapping Kerberos token to short-lifetime certificate
  • LCG catch-all CA
    • Taking LCG workload off EGEE (ex-EDG) catch-all at CNRS
    • Not a CA but a Registration Authority (RA) of DOEGrids
    • http://www.doegrids.org
    • Approved in May 2004
    • http://cern.ch/lcg/catch-all-ca
    • Not yet operational
  • LCG approved CAs

Slide 8
User Registration - 1
  • User Registration / VO Management
  • Established for LCG-1 in 2003
  • EDG model infrastructure LCG Registrar
  • Single point to agree to Usage Rules
  • Single point for joining a VO
  • Aim for single grid sign-on

Slide 9
User Registration 2 (2003-4)
Registration flow (diagram on the slide; elements: User, Certificate, Usage Rules, lcg-registrar.cern.ch, Authz, GRID, Submit job):
  1. "I agree to the Usage Rules, please register me, my VO is XYZ"
  2. Confirm email
  3. User Details
  4. Register
  5. "You're in"
  6. User Details

Slide 10
User Registration 3 (2004 - )
  • Issues
    • gridmapfile will not scale up
    • Multiple VO membership
    • Inflexible authorization
    • VO manager needs to validate user data
    • How?
  • Solutions
    • Attribute proxy certificates (VOMS)
    • Groups and Roles - not just user mapping
    • Local credential mapping and authorization tools
      • LCMAPS, LCAS, SAZ, LRAS
    • LHC Experiment Membership Databases, but
      • What about exceptions? (the 2-week summer student)
      • What about other VOs? (for deployment, testing, EGEE)
      • How to integrate with existing tools?
  • Process
    • Establish robust requirements
    • Update 2003 User Registration document
    • Approved by GDB May 2004
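As an added illustration of why the slide moves from a flat gridmapfile to VOMS groups and roles (this is not code from the presentation or from the LCG middleware): the mapfile contents are constructed, the grid-mapfile syntax is the real quoted-DN-plus-account form, and the group mapping follows the LCMAPS groupmapfile convention as an assumption.

```python
import re

# Constructed grid-mapfile in the real grid-mapfile format: quoted DN, whitespace,
# local account. One DN maps to exactly one account, and every user needs a line.
GRID_MAPFILE = '''
# constructed sample, not a real site file
"/C=CH/O=CERN/OU=GD/CN=Example User" lcgatlas001
"/C=UK/O=eScience/OU=Test/CN=Another User" lcgcms001
'''

# Constructed VOMS group/role mapping. Assumption: LCMAPS groupmapfile style, where
# the pattern is an FQAN prefix and a leading "." marks a pool account.
GROUP_MAPFILE = '''
"/atlas/Role=production" .atlasprd
"/atlas" .atlas
"/cms" .cms
'''

_LINE = re.compile(r'^\s*"([^"]+)"\s+(\S+)\s*$')

def parse_mapfile(text):
    """Return (pattern, account) pairs in file order, skipping blanks and comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"malformed mapfile line: {line!r}")
        entries.append((m.group(1), m.group(2)))
    return entries

def map_by_dn(dn, mapfile=GRID_MAPFILE):
    """Classic grid-mapfile: exact DN -> account. No notion of VO, group or role,
    so the same person cannot be mapped differently for ATLAS and CMS work."""
    for pattern, account in parse_mapfile(mapfile):
        if pattern == dn:
            return account
    return None

def map_by_fqan(fqans, groupmap=GROUP_MAPFILE):
    """VOMS-style: the FQANs carried in the attribute proxy decide the account.
    The primary FQAN (first in the proxy) is tried first; entries are matched in
    file order, so the specific Role entry must precede the bare VO group entry."""
    entries = parse_mapfile(groupmap)
    for fqan in fqans:
        for pattern, account in entries:
            if fqan == pattern or fqan.startswith(pattern + "/"):
                return account
    return None
```

The same certificate holder gets `.atlasprd`, `.atlas` or `.cms` depending on which FQAN their proxy carries first, which is exactly what a one-line-per-DN gridmapfile cannot express.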

Slide 11
Incident Response
  • Agreement on Incident Response 2003
  • Security contact data gathered when site registers
  • Establish communication channels
    • maillists maintained by Deployment Team
    • Incident response
      • List of CSIRT lists
      • Channel for reporting
      • Security contacts at site
      • Channel for discussion / resolution
      • Escalation to Deployment Manager / GDB
  • Currently no message traffic (apart from SPAM!)
    • Good thing or bad?
    • Need to test!

Slide 12
Audit
  • Audit Requirements doc 2003
    • Trace from certificate DN to uid
    • Mandates to save specified logfiles for 90 days
      • Computing Element
      • Storage Element
  • Problems
    • Middleware changes
    • Poorly formatted logs
    • Incomplete trail
  • Should be updated

Audit trail diagram on the slide:
  • Compute Element: gatekeeper, jobmanager
  • Storage Element: gridftp, Castor, dCache, ???
  • Worker Node: batch system, process acct, uid/gid
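An added example, not from the presentation, of the DN-to-uid trace the audit requirement asks for: it joins constructed gatekeeper records (the CE) to constructed batch accounting records (the WN) and reports jobs that cannot be traced back to a certificate, the "incomplete trail" problem named above. The record format is a simplified key=value form invented here, not the real Globus gatekeeper or batch accounting format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records in a simplified key=value form. These are NOT the real
# Globus gatekeeper or batch accounting formats; they only carry the fields the audit
# requirement needs: certificate DN, local uid/gid, job id and timestamps.
GATEKEEPER_LOG = [
    'ts=2004-05-10T09:01:00 event=authz dn="/C=CH/O=CERN/CN=Example User" uid=41001 gid=4100 job=ce001.7781',
    'ts=2004-05-10T09:05:00 event=authz dn="/C=UK/O=eScience/CN=Another User" uid=41002 gid=4100 job=ce001.7782',
]
BATCH_ACCT = [
    "job=ce001.7781 uid=41001 gid=4100 node=wn12 start=2004-05-10T09:02:00 end=2004-05-10T10:30:00",
    "job=ce001.7782 uid=41002 gid=4100 node=wn07 start=2004-05-10T09:06:00 end=2004-05-10T09:07:00",
    "job=ce001.7790 uid=41003 gid=4100 node=wn07 start=2004-05-10T11:00:00 end=2004-05-10T11:30:00",
]
RETENTION = timedelta(days=90)   # the 90-day retention the audit document mandates

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_kv(line):
    """Parse one key=value record; quoted values may contain spaces (the DN does)."""
    return {k: (q or v) for k, q, v in _KV.findall(line)}

def gatekeeper_index(gk_lines=GATEKEEPER_LOG):
    """CE side of the trail: which DN the gatekeeper mapped to which job id and uid."""
    by_job, by_uid = {}, {}
    for rec in map(parse_kv, gk_lines):
        if rec.get("event") == "authz":
            by_job[rec["job"]] = rec["dn"]
            by_uid[rec["uid"]] = rec["dn"]
    return by_job, by_uid

def audit_trail(dn, gk_lines=GATEKEEPER_LOG, acct_lines=BATCH_ACCT):
    """Batch jobs (node, start, end) that trace back to `dn` via the gatekeeper mapping."""
    by_job, _ = gatekeeper_index(gk_lines)
    return [r for r in map(parse_kv, acct_lines) if by_job.get(r["job"]) == dn]

def orphan_jobs(gk_lines=GATEKEEPER_LOG, acct_lines=BATCH_ACCT):
    """Jobs whose id and uid match no gatekeeper record: the 'incomplete trail' case."""
    by_job, by_uid = gatekeeper_index(gk_lines)
    return [r["job"] for r in map(parse_kv, acct_lines)
            if r["job"] not in by_job and r["uid"] not in by_uid]

def still_retained(rec, now_iso):
    """True if a record's timestamp is within the mandated retention window."""
    ts = datetime.fromisoformat(rec.get("ts") or rec["start"])
    return datetime.fromisoformat(now_iso) - ts <= RETENTION
```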
Slide 13
Security Collaboration
  • Projects sharing resources have close links
  • Need for inter-grid global security collaboration
    • Common accepted Usage Rules
    • Common authentication and authorization requirements
    • Common incident response channels
  • LCG EGEE OSG - ?
  • LCG Security Group is now Joint Security Group
    • JSG for LCG EGEE
    • Provide requirements for middleware development
    • Some members from OSG already in JSG

Slide 14
LCG Security Issues
  • Thank you.