Active Security Infrastructure
Stuart Kenny
Trinity College Dublin
Active Security
• Building on concepts investigated during the CrossGrid project (2002-2005) and Int.Eu.Grid (2006-2008)
• Existing Grid security activities focused on prevention
  – Authentication, authorization
• Active security focused on
  – Detection
  – Reaction
• 3 components
  – Security Monitoring
  – Alert Analysis
  – Control Engine
Active Security Infrastructure (diagram)
Security Monitoring (Site Level)
• Monitors the state of security of a site
• Reports detected security events to the security alert archive
• Monitoring performed by ‘R-GMA enabled’ security tools
  – Snort
  – Prelude-LML
  – Rkhunter
• Extensible
  – Easy inclusion of additional tools, e.g., Tripwire
Alert Analysis (Management Level)
• Filter and analyse alerts contained in the alert archive
  – Detect patterns that signify an attempted attack
• Attempts to join alerts into high-level attack scenarios
• Output
  – Correlated high-priority Grid alert
  – New Grid policy
    • Defines actions to be taken in response to the security event
• Extensible
  – Define additional ‘attack scenarios’ and base policies
Control Engine (Site Level)
• Input:
  – Grid policies generated by the analysis component
• Site Policy Decision Point
  – Evaluates requests for guidance from service agents
  – Decision based on applicable policies
• Decision contains the action to be taken to mitigate the risk of a possible security incident
• Extensible
  – Provision of service agents or plug-ins
(Diagram: Pull)
Control Engine (Site Level)
• Active Plug-in
  – Simple plug-in interface
  – Plug-ins invoked on policy update
  – Evaluate plug-in request against the updated policy set
  – User-defined code handles the response and enforces obligations
• Grid-Ireland example
  – Grid4C iptables management endpoint
  – Dynamic host blocking
(Diagram: Push)
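As an added illustration of the two control-engine paths on these slides (this is not code from the ASI project or from the talk): a site policy decision point that answers service agents' guidance requests from the current policy set (pull), and a plug-in that is re-invoked on every policy update and turns the 'block-host' obligations of deny policies into firewall rule strings (push). The policy fields, the request fields, the obligation format, the rule strings and the gatekeeper agent are all assumptions; the plug-in only collects rules and never applies them.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """A Grid policy as this toy assumes it: it applies when every key in
    `match` equals the same key in the agent's request (assumed format)."""
    name: str
    match: dict
    action: str                      # "permit" or "deny"
    obligations: list = field(default_factory=list)
    priority: int = 0                # higher wins when several policies apply


@dataclass
class Decision:
    action: str
    policy: str                      # name of the deciding policy, or "default"
    obligations: list


class PolicyDecisionPoint:
    """Site-level PDP: holds the policy set sent down by the analysis
    component and answers guidance requests from service agents."""

    def __init__(self, default_action="permit"):
        self.policies = []
        self.plugins = []
        self.default_action = default_action

    def register(self, plugin):
        self.plugins.append(plugin)

    def update_policies(self, policies):
        # Push model: a policy update re-invokes every registered plug-in so
        # that user-defined code can enforce the obligations of the new set.
        self.policies = list(policies)
        for plugin in self.plugins:
            plugin.on_policy_update(self)

    def decide(self, request):
        # Pull model: an agent asks what to do about one concrete request.
        applicable = [
            p for p in self.policies
            if all(request.get(k) == v for k, v in p.match.items())
        ]
        if not applicable:
            return Decision(self.default_action, "default", [])
        chosen = max(applicable, key=lambda p: p.priority)
        return Decision(chosen.action, chosen.name, list(chosen.obligations))


class HostBlockPlugin:
    """Hypothetical plug-in standing in for an iptables management endpoint:
    it translates 'block-host' obligations of deny policies into rule
    strings. Rules are only collected here, never applied."""

    def __init__(self):
        self.rules = []

    def on_policy_update(self, pdp):
        for policy in pdp.policies:
            if policy.action != "deny":
                continue
            for obligation in policy.obligations:
                if obligation.get("type") != "block-host":
                    continue
                rule = f"-A INPUT -s {obligation['host']} -j DROP"
                if rule not in self.rules:
                    self.rules.append(rule)


def demo():
    """Wire the pieces together with one constructed deny policy (addresses
    are from documentation ranges) and return what each side sees."""
    pdp = PolicyDecisionPoint()
    plugin = HostBlockPlugin()
    pdp.register(plugin)
    pdp.update_policies([
        Policy(
            name="block-scanning-host",
            match={"src": "192.0.2.10"},
            action="deny",
            obligations=[{"type": "block-host", "host": "192.0.2.10"}],
            priority=10,
        ),
    ])
    # Two guidance requests from a hypothetical gatekeeper service agent.
    blocked = pdp.decide({"src": "192.0.2.10", "service": "gatekeeper"})
    allowed = pdp.decide({"src": "198.51.100.7", "service": "gatekeeper"})
    return blocked, allowed, list(plugin.rules)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The default decision is "permit" with no obligations, so a policy set that says nothing about a request changes nothing at the site; only an explicit deny policy carries obligations that the plug-in acts on, which keeps an analysis-component outage from silently blocking traffic.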
Grid-Ireland Deployment
• Grid-Ireland Gateway
  – Point-of-presence at 18 institutions
  – Homogeneous set of hardware and software
  – Centrally managed by the Grid Operations Centre (OpsCentre) at TCD
• ASI deployment
  – Security monitoring installed on gateways at 10 of 18 sites
  – Analysis component hosted at OpsCentre
  – Continuously monitoring the infrastructure since June 2008
Analyzer Scenarios: Job Monitoring
• Scenario models an attack as a series of state changes
  – Models the states a job passes through once submitted to a site
  – State changes triggered by published alerts
• Prelude-LML and PBS scripts
  – Can be used as the basis for ‘higher-level’ scenarios
    • E.g., job executing a restricted command
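As an added example that is not part of the talk or the ASI code base, the job-monitoring scenario above written as a state machine driven by alerts replayed from the archive, with the 'restricted command' scenario layered on top of the job lifecycle, and producing the correlated high-priority Grid alert that the Alert Analysis slide describes as the analyser's output. The archive records, the field names, the state names, the alert types and the list of restricted commands are constructed assumptions, not the ASI schema; the sample alerts are constructed too.

```python
# Constructed sample alerts, in the shape this toy assumes an alert archive
# would hold them (field names are assumptions, not the ASI schema).
ARCHIVE = [
    {"ts": 1, "source": "pbs", "type": "job.submitted", "site": "siteA", "job": "42.pbs", "user": "alice"},
    {"ts": 2, "source": "pbs", "type": "job.started", "site": "siteA", "job": "42.pbs", "node": "wn01"},
    {"ts": 3, "source": "prelude-lml", "type": "command.exec", "site": "siteA", "job": "42.pbs", "command": "/sbin/iptables"},
    {"ts": 4, "source": "pbs", "type": "job.ended", "site": "siteA", "job": "42.pbs"},
    {"ts": 5, "source": "pbs", "type": "job.submitted", "site": "siteA", "job": "43.pbs", "user": "bob"},
    {"ts": 6, "source": "prelude-lml", "type": "command.exec", "site": "siteA", "job": "43.pbs", "command": "/usr/bin/python"},
]

# Job lifecycle as a state machine: (current state, alert type) -> next state.
TRANSITIONS = {
    ("new", "job.submitted"): "submitted",
    ("submitted", "job.started"): "running",
    ("running", "job.ended"): "finished",
}

# Commands a Grid job is assumed never to need (a site-defined list).
RESTRICTED_COMMANDS = {"/sbin/iptables", "/usr/sbin/useradd", "/bin/su"}


class JobScenario:
    """Tracks one job through its states and returns a Grid alert when an
    archive alert does not fit the expected sequence or matches the
    restricted-command scenario layered on top of the lifecycle."""

    def __init__(self, site, job):
        self.site, self.job = site, job
        self.state = "new"
        self.evidence = []          # timestamps of every alert joined so far

    def _grid_alert(self, priority, reason):
        return {"priority": priority, "site": self.site, "job": self.job,
                "state": self.state, "reason": reason,
                "evidence": list(self.evidence)}

    def feed(self, alert):
        self.evidence.append(alert["ts"])
        kind = alert["type"]
        if kind == "command.exec":
            # An observation, not a transition: only expected while running.
            if self.state != "running":
                return self._grid_alert("medium", "command executed for a job that is not running")
            if alert.get("command") in RESTRICTED_COMMANDS:
                return self._grid_alert("high", f"job executed restricted command {alert['command']}")
            return None
        nxt = TRANSITIONS.get((self.state, kind))
        if nxt is None:
            return self._grid_alert("low", f"unexpected {kind} in state {self.state}")
        self.state = nxt
        return None


def analyse(archive):
    """Replay the archive in time order, one scenario instance per (site, job),
    and collect the correlated Grid alerts."""
    scenarios = {}
    grid_alerts = []
    for alert in sorted(archive, key=lambda a: a["ts"]):
        key = (alert["site"], alert["job"])
        if key not in scenarios:
            scenarios[key] = JobScenario(*key)
        result = scenarios[key].feed(alert)
        if result is not None:
            grid_alerts.append(result)
    return grid_alerts


if __name__ == "__main__":
    for grid_alert in analyse(ARCHIVE):
        print(grid_alert)
```

Each Grid alert carries the timestamps of every archive alert that was joined into the scenario, so the high-priority alert for job 42.pbs points back at the submission, the start and the command execution rather than at the single Prelude-LML event; the medium alert for 43.pbs shows the state machine flagging an execution reported for a job that never entered the running state.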
Future Work
• Correlation
  – Prelude correlation engine
    • Lua rule-based
• Messaging
  – ActiveMQ
• Additional scenarios
• Control Engine
  – Implement agents and deploy
• Questions?