security service challenge security monitoring
play

Security Service Challenge & Security Monitoring Jinny Chien - PowerPoint PPT Presentation

Enabling Grids for E-sciencE Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing OSCT Security Workshop on 7 th March in Taipei www.eu-egee.org 1 Jinny Chien, ASGC Training and Dissemination


  1. Enabling Grids for E-sciencE Security Service Challenge & Security Monitoring Jinny Chien Academia Sinica Grid Computing OSCT Security Workshop on 7 th March in Taipei www.eu-egee.org 1 Jinny Chien, ASGC Training and Dissemination

  2. Motivation Enabling Grids for E-sciencE • After today’s training, we expect you to understand : – Handle the Incident Response Procedure – Ensure communication channels with the involved admins are in place. – Deal with sudden security attacks – Etc… • Overview – Introduction – Security Service Challenge – Security Monitoring – Conclusion 2 Training and Dissemination Jinny Chien, ASGC

  3. Security Service Challenge (SSC) Enabling Grids for E-sciencE • The objective : The goal of the LCG/EGEE Security Service Challenge, is to investigate whether sufficient information is available to be able conduct an audit trace as part of an incident response, and to ensure that appropriate communications channels are available. • The concept: At first CERN security team submit a testing job to the specific sites and site security contact must according to the clues and reply the answer at the limited time. In general the challenge executed once every year. 3 Training and Dissemination Jinny Chien, ASGC

  4. SSC-Objective Enabling Grids for E-sciencE 4 Training and Dissemination Jinny Chien, ASGC

  5. Stages / Role of SSC Enabling Grids for E-sciencE • Stages of the SSC 1. Security Challenge targeting the principal site of each of the LCG/EGEE Regional Operation Centers(ROC) 2. Security Challenge targeting the individual sites in each ROC • Roles 1. The Test Operator (TOP) : who submits the challenging job, issues the alert, escalates the alert as required and checks the response. 2. The Security Contact of the target site, who receives and acknowledges the alert, makes the necessary investigation and submits the response back to TOP 5 Training and Dissemination Jinny Chien, ASGC

  6. SSC Enabling Grids for E-sciencE The challenge is executed by submitting a Grid Job from a User Interface (UI). • SSC level 1 : – challenges the Workload Management System(WMS) of the Grid: Resource Broker(RB) and Computing Element(CE) • SSC level 2 : – challenges the Storage Elements(SE) on the Grid • SSC level 3 : – challenges the Operational Diligence of the LCG/EGEE Grid Sites • SSC level 4 : coming soon • Materials for SSC – The materials are available for download from https://twiki.cern.ch/ twiki/bin/view/LCG/LCGSecurityChallenge 6 Training and Dissemination Jinny Chien, ASGC

  7. SSC Common Setup Enabling Grids for E-sciencE • SSCs were run in two stages: – Stage 1: targeting the principal sites in the regions – Stage 2: targeting the individual sites in each ROC • The jobs were submitted from an User Interface(UI) to a chosen Grid Computing Element(CE) via a Resource Broker (RB) using standard Grid commands • They consist of a set of small, non-intrusive programs. • Not intrusive, only ‘legal’ operations are executed (job submission), file transfer,…) • No penetration tests, no execution of exploits etc. 7 Training and Dissemination Jinny Chien, ASGC

  8. Enabling Grids for E-sciencE Security Service Challenge 1 8 Training and Dissemination Jinny Chien, ASGC

  9. SSC-1 Objective and Setup Enabling Grids for E-sciencE • SSC-1 (2005- March 2006) targeted the Workload Management System(WMS) : Resource Broker (RB) and Computing Element (CE) • It tested whether sufficient information was available and whether communication channels were sufficiently open. • Did not address the Security Incident Response Procedure • Used Savannah as the vehicle for communication between the Test Operator (TOP) and the Target sites. 9 Training and Dissemination Jinny Chien, ASGC

  10. SSC-1 - Task Enabling Grids for E-sciencE • Given: Time range, IP-address of the target computer, UNIX-UID of challenging job on target • The Sites had to find out 1. The DN of grid-credentials/certificate used by the job submitter? 2. The IP-address of the submitting network device (UI)? 3. The name of the executable which ran on the target computer? 4. The data and the precise time when the executable ran? 10 Training and Dissemination Jinny Chien, ASGC

  11. Sample: SSC-1 Enabling Grids for E-sciencE • Date - 2006-03-08 • Subject: Security Service Challenge • Local date and time of request creation: • and time period of challenge, • 2006-03-08 10:38:39 (CET, UTC+2) • between: 08:23:00 -and- 08:34:00 UTC • Initials of test operator: psa • Virtual Organization (VO): • Dear LCG/EGEE Site Security Officer, • LCG/EGEE siteName: • This e-mail constitutes a security service challenge • alert. You have received this because you have opened • Resource Broker (RB): • an e-mail destined to this site's security officer. In • Regional Operation Center (ROC): • case you are not the security officer of this site, • IP-address of the target computer: • please forward this e-mail to - • lcg00189.grid.sinica.edu.tw • aproc-security@list.grid.sinica.edu.tw • just stating so. This will allow us to improve our • UNIX-UID of challenging job on target: 18118 • procedures, and we thank you in advance. • --- Security_Service_Challenge_Description • …… ------------ • We thank you for your collaboration, • Within the time period indicated above, a security • service challenge was launched on your site. The • UNIX-UID on the target computer as noted above, was • associated with the challenge. Training and Dissemination

  12. SSC-1 in AP Enabling Grids for E-sciencE • Executed time : 2006/3/5 – 2006/3/13 • Targeted Sites :  Australia-UNIMELB-LCG2  GOG-Singapore  INDIACMS-TIFR  LCG_KNU  Taiwan-IPAS-LCG2  Taiwan-NCUCC-LCG2  TOKYO-LCG2,  TW-NCUHEP – Total sites are 8 • The final report – https://twiki.cern.ch/twiki/pub/LCG/SSC1/ SSC_1_Debrief_2006-04-18.pdf 12 Training and Dissemination Jinny Chien, ASGC

  13. Enabling Grids for E-sciencE Security Service Challenge 2 13 Training and Dissemination Jinny Chien, ASGC

  14. SSC-2 Objective and Setup Enabling Grids for E-sciencE • SSC-2 tested the traceability of storage operations (2007). • From the Worker Node (WN) a sequence of seven storage operations have been executed. – lcg_crx, lcg_lgx, lcg_repx, lcg_rx, lcg_cpx, lcg_delx • Did not address the Security Incident Response Procedure • Used the Global Grid User Support (GGUS) as the vehicle for communication between the Test Operator and the Target Sites. 14 Training and Dissemination Jinny Chien, ASGC

  15. SSC-2 - Task Enabling Grids for E-sciencE • Given: User DN, Time range and SE • The Sites had to find out: 1. For each of the identified storage operation, please indicate:  The exact time (UTC).  The type of operation.  The URLs, filenames, catalog names and file paths involved. 2. Please indicate the IP-address of the User Interface (UI) that was used for the Job Submission 15 Training and Dissemination Jinny Chien, ASGC

  16. SSC-2 in AP Enabling Grids for E-sciencE • Executed time : 2007/4/20 – 2007/5/4 • Targeted Sites : – 18 sites, 8 countries • The procedure is http://lists.grid.sinica.edu.tw/apwiki/Security_Service_Challenge? highlight=%28security%29 • The final report could be found https://twiki.cern.ch/twiki/pub/ LCG/SSC2/SSC_2_Stage_2_Report_AsiaPacific.pdf 16 Training and Dissemination Jinny Chien, ASGC

  17. The result of SSC2 Enabling Grids for E-sciencE name atus Reply ack Site n St Stat Re Fe Feedbac Status : Australia-UNIMELB-LCG2 OK YES YES (1) Error – could GOG-Singapore Error NO NO not submit a SSC HK-HKU-CC-01 OK YES YES job IN-DAE-VECC-01 OK NO NO (2) OK – success INDIACMS-TIFR Error NO NO JP-KEK-CRC-01 Error NO NO JP-KEK-CRC-02 OK YES NO Reply : KR-KISTI-GCRT-01 OK YES YES (1) Yes – Reply the LCG_KNU OK YES NO answer NCP-LCG2 OK YES YES (2) No – Not reply PAKGRID-LCG2 OK YES NO the answer Taiwan-IPAS-LCG2 OK YES NO Taiwan-NCUCC-LCG2 OK YES YES TOKYO-LCG2 OK YES YES Feedback : TW-FTT Error NO NO (1) Yes – provide TW-NTCU-HPC-01 OK YES YES the feedback TW-NIU-EECS-01 OK YES NO (2) No – Not TW-NCUHEP OK NO NO provide the feedback Training and Dissemination

  18. Enabling Grids for E-sciencE Security Service Challenge 3 18 Training and Dissemination Jinny Chien, ASGC

  19. Preparing/Running Regional SSC3 Enabling Grids for E-sciencE TestOperator (TOp) is attacker and incident coordinator and ... – Get/Install SSC software from svn repository.  Malicious binary (might need some tweaking)  Job-Submission framework (scripts). Available for gLite, globus (Aashish).  Job-Monitoring webserver. – Certificate, VO and all the rest.  Get a grid certificate (short lived) for the TOp.  Negotiate an identity used for TOp with a VO (this VO has to be supported by all sites).  Make sure the default communication channels to the sites to be challenged work.  Check sufficient queue length/WallClockTime. 72h nice, everything less needs some additional tweaking, but possible. Min. is 12h. 19 Training and Dissemination Jinny Chien, ASGC

  20. SSC-3 Objective and Setup Enabling Grids for E-sciencE • SSC-3 -a more realistic simulation of an incident, it challenges the Operational Responsiveness of LCG/ EGEE Grid Sites. • The Job is launched from a User Interface (UI); – It runs with valid credentials. – Once running, it will exploit its environment to conceal its activities. – Sign of life will be reported through an out-of-band channel. 20 Training and Dissemination Jinny Chien, ASGC

Recommend


More recommend