
Page 1: Active Security Infrastructure Stuart Kenny Trinity College Dublin

Active Security Infrastructure

Stuart Kenny

Trinity College Dublin

Page 2

Active Security

• Building on concepts investigated during CrossGrid project (2002-2005) and Int.Eu.Grid (2006-2008)
• Existing Grid security activities focused on prevention
  – Authentication, authorization
• Active security focused on
  – Detection
  – Reaction
• 3 components
  – Security monitoring
  – Alert Analysis
  – Control Engine

Page 3

Active Security Infrastructure

Page 4

Security Monitoring (Site Level)

• Monitors state of security of a site
• Reports detected security events to security alert archive
• Monitoring performed by ‘R-GMA enabled’ security tools (R-GMA: the Relational Grid Monitoring Architecture)
  – Snort
  – Prelude-LML
  – Rkhunter
• Extensible
  – Easy inclusion of additional tools, e.g., Tripwire
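The wrapping step that makes a tool ‘R-GMA enabled’ is, in essence, turning the tool's native output into uniform records for the alert archive. The following is an added example of that step and is not the ASI's own producer code: it parses Snort's "fast" alert lines into normalised records tagged with site and tool, and keeps a parser registry so another tool (Tripwire, rkhunter) is added by registering one more parser. The SITE value, the record field names and the sample lines are constructed for illustration; nothing here talks to R-GMA.

```python
"""Site-level security monitoring: turn a tool's native output into normalised
records for the security alert archive. Added example, not the ASI's own
R-GMA producer code. SITE, the record field names and the sample lines are
constructed for illustration; the line layout is Snort's "fast" alert output."""
import re
from datetime import datetime

SITE = "gridgw.example.tcd.ie"   # assumed gateway identifier

# Snort "fast" alert line: "MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**]
# [Classification: ...] [Priority: n] {PROTO} src[:port] -> dst[:port]".
# Classification and ports are optional (e.g. absent for ICMP).
SNORT_FAST = re.compile(
    r"^(?P<month>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)
SNORT_SEVERITY = {"1": "high", "2": "medium", "3": "low"}   # Snort priority 1 is most severe


def parse_snort_fast(line, year):
    """Return a normalised record for one Snort fast-alert line, or None.
    Fast alerts carry no year, so the caller supplies it."""
    m = SNORT_FAST.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{year}-{m['month']}-{m['day']} {m['time']}",
                              "%Y-%m-%d %H:%M:%S.%f")
    return {
        "timestamp": stamp.isoformat(),
        "severity": SNORT_SEVERITY.get(m["prio"], "info"),
        "signature": f"{m['gid']}:{m['sid']}:{m['rev']}",
        "message": m["msg"],
        "classification": m["cls"],
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]) if m["sport"] else None,
        "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None,
    }


# Tool name -> parser. Adding a tool (Tripwire, rkhunter, ...) means
# registering one more parser that yields the same record shape.
PARSERS = {"snort": parse_snort_fast}


def register_tool(name, parser):
    PARSERS[name] = parser


def ingest(tool, lines, year):
    """Wrap a tool's output lines as archive records tagged with site and tool.
    Returns (records, number of lines that did not parse)."""
    parse = PARSERS[tool]
    records, skipped = [], 0
    for line in lines:
        rec = parse(line.rstrip("\n"), year)
        if rec is None:
            skipped += 1
            continue
        rec.update(site=SITE, tool=tool)
        records.append(rec)
    return records, skipped


# Constructed sample output: two alerts and one unrelated line.
SAMPLE_LINES = [
    "01/11-14:20:31.123456  [**] [1:2008578:6] ET SCAN Sipvicious Scan [**] "
    "[Classification: Attempted Information Leak] [Priority: 2] {UDP} "
    "203.0.113.9:5060 -> 192.0.2.10:5060",
    "01/11-14:21:02.000417  [**] [1:384:5] ICMP PING [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 192.0.2.10",
    "Initializing rule chains...",
]

if __name__ == "__main__":
    records, skipped = ingest("snort", SAMPLE_LINES, year=2008)
    for rec in records:
        print(rec)
    print(f"{skipped} line(s) skipped")
```

Lines the parser does not recognise are counted rather than silently dropped, which is the figure to watch when a tool upgrade changes its output format and the archive quietly stops filling.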

Page 5

Alert Analysis (Management Level)

• Filter and analyse alerts contained in alert archive
  – Detect patterns that signify attempted attack
  – Attempts to join alerts into high-level attack scenarios
• Output
  – Correlated high-priority Grid alert
  – New Grid policy
    • Define actions to be taken in response to security event
• Extensible
  – Define additional ‘attack scenarios’ and base policies

Page 6

Control Engine (Site Level)

• Input
  – Grid policies generated by analysis component
• Site Policy Decision Point
  – Evaluates requests for guidance from service agents
  – Decision based on applicable policies
• Decision contains action to be taken to mitigate risk of possible security incident
• Extensible
  – Provision of service agents or plug-ins

Pull (service agents request decisions from the site PDP)

Page 7

Control Engine (Site Level)

• Active Plug-in
  – Simple plug-in interface
  – Plug-ins invoked on policy update
  – Evaluate plug-in request against updated policy set
  – User-defined code handles response and enforces obligations
• Grid-Ireland example
  – Grid4C iptables management endpoint
  – Dynamic host blocking

Push (policy updates are pushed to the plug-ins)
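The two slides above describe both sides of the site control engine: the pull side, where a service agent asks the site Policy Decision Point for guidance and gets back an action plus obligations, and the push side, where a policy update is delivered to active plug-ins that enforce it. The code below is an added example of both and is not Grid-Ireland's or Grid4C's code. It assumes a small policy record (subject kind, subject, action, obligations, expiry), the action vocabulary "allow"/"suspend"/"block", and a dedicated iptables chain named ASI-BLOCK; the plug-in collects the iptables commands it would issue instead of executing them, so it runs anywhere.

```python
"""Site-level control engine: policy decision point (pull) and an active
plug-in (push) that turns host-block policies into iptables rules.
Added example; not Grid-Ireland's or Grid4C's code. The policy fields, the
action names and the "ASI-BLOCK" chain name are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Policy:
    policy_id: str
    subject_kind: str        # "host" (address or CIDR) or "user"
    subject: str
    action: str              # "allow", "suspend" or "block" (assumed vocabulary)
    obligations: tuple = ()  # e.g. ("log",), ("notify-opscentre",)
    expires: int = 0         # epoch seconds; 0 means no expiry


@dataclass(frozen=True)
class Decision:
    action: str
    policy_id: Optional[str]
    obligations: tuple


SEVERITY = {"allow": 0, "suspend": 1, "block": 2}   # more restrictive wins


def _matches(policy: Policy, kind: str, subject: str) -> bool:
    if policy.subject_kind != kind:
        return False
    if kind == "host":
        return ipaddress.ip_address(subject) in ipaddress.ip_network(policy.subject, strict=False)
    return policy.subject == subject


class SitePDP:
    """Holds the site's current policy set and answers agent requests."""

    def __init__(self):
        self.policies = {}
        self.plugins = []

    def register_plugin(self, plugin):
        self.plugins.append(plugin)

    def update(self, new_policies, now: int):
        """Install policies from the analysis component, drop expired ones,
        then push the updated set to every active plug-in."""
        for p in new_policies:
            self.policies[p.policy_id] = p
        self.policies = {pid: p for pid, p in self.policies.items()
                         if p.expires == 0 or p.expires > now}
        for plugin in self.plugins:
            plugin.on_policy_update(self)

    def decide(self, kind: str, subject: str, now: int) -> Decision:
        """Pull: a service agent asks what to do about a host or user.
        Unknown subjects are allowed; the most restrictive live policy wins."""
        best = None
        for p in self.policies.values():
            if (p.expires and p.expires <= now) or not _matches(p, kind, subject):
                continue
            if best is None or SEVERITY[p.action] > SEVERITY[best.action]:
                best = p
        if best is None:
            return Decision("allow", None, ())
        return Decision(best.action, best.policy_id, best.obligations)


class IptablesBlockPlugin:
    """Push: on each policy update, reconcile the set of blocked networks.
    Commands are collected rather than executed so the example runs anywhere;
    a deployment would hand them to the site's firewall management endpoint."""
    CHAIN = "ASI-BLOCK"   # assumed dedicated chain, jumped to from INPUT

    def __init__(self):
        self.blocked = {}        # network -> whether a "log" obligation applies
        self.commands = []

    @staticmethod
    def _rules(net: str, log: bool):
        rules = [f"iptables -A {IptablesBlockPlugin.CHAIN} -s {net} -j DROP"]
        if log:   # enforce a "log" obligation by logging before dropping
            rules.insert(0, f'iptables -A {IptablesBlockPlugin.CHAIN} -s {net} '
                            f'-j LOG --log-prefix "{IptablesBlockPlugin.CHAIN} "')
        return rules

    def on_policy_update(self, pdp: SitePDP):
        want = {}
        for p in pdp.policies.values():
            if p.subject_kind == "host" and p.action == "block":
                net = str(ipaddress.ip_network(p.subject, strict=False))
                want[net] = want.get(net, False) or ("log" in p.obligations)
        for net in sorted(self.blocked):          # withdrawn or changed entries
            if want.get(net) != self.blocked[net]:
                self.commands += [r.replace("-A ", "-D ", 1)
                                  for r in self._rules(net, self.blocked[net])]
        for net in sorted(want):                  # new or changed entries
            if self.blocked.get(net) != want[net]:
                self.commands += self._rules(net, want[net])
        self.blocked = want


if __name__ == "__main__":
    pdp, fw = SitePDP(), IptablesBlockPlugin()
    pdp.register_plugin(fw)
    pdp.update([Policy("p1", "host", "203.0.113.0/24", "block", ("log",))], now=1000)
    print(pdp.decide("host", "203.0.113.45", 1000))
    print("\n".join(fw.commands))
```

Expiry is checked in both places on purpose: the plug-in only sees policies when an update is pushed, so a blocked host would stay blocked until the next update, whereas an agent pulling a decision gets the expiry applied immediately. Whether that lag is acceptable is a deployment choice; a periodic empty update closes it.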

Page 8

Grid-Ireland Deployment

• Grid-Ireland Gateway
  – Point-of-presence at 18 institutions
  – Homogeneous set of hardware and software
  – Centrally managed by Grid Operations Centre (OpsCentre) at TCD
• ASI deployment
  – Security monitoring installed on gateways at 10 of 18 sites
  – Analysis component hosted at OpsCentre
  – Continuously monitoring infrastructure since June 2008

Pages 9 and 10

Grid-Ireland Deployment (slides with no transcribed text)

Page 11

Analyzer Scenarios: Job Monitoring

• Scenario models attack as series of state changes
  – Models states job passes through once submitted to a site
  – State changes triggered by published alerts
• Prelude-LML and PBS scripts
  – Can be used as basis for ‘higher-level’ scenarios
    • E.g., job executing restricted command
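The job-monitoring scenario above, and the alert-analysis slide before it (join alerts into a high-level scenario; output a correlated high-priority Grid alert and a new Grid policy), can be shown in one piece of code. What follows is an added example, not the ASI analyzer's own implementation: a job is tracked as a state machine, PBS job_start/job_end alerts and a Prelude-LML "restricted command" alert drive its transitions, and a host alert (which carries no job id) is joined to a job only if that user has a job running on that node at the time. The archive rows, their field names, the state names and the "suspend_user" policy action are constructed assumptions.

```python
"""Alert analysis: the Job Monitoring scenario as a state machine driven by
archived alerts. Added example, not the ASI analyzer's own code. The alert
records, their field names, the state names and the "suspend_user" policy
action are constructed assumptions for illustration."""
from dataclasses import dataclass, field

# Constructed alert-archive rows, in the shape this example assumes: PBS
# prologue/epilogue scripts publish job_start/job_end, Prelude-LML publishes
# a restricted_command alert when a watched binary is run. "t" is epoch time.
ARCHIVE = [
    {"site": "site-a", "source": "pbs", "event": "job_start", "job": "1234.pbs",
     "user": "gridusr07", "node": "wn01", "t": 100},
    {"site": "site-a", "source": "pbs", "event": "job_start", "job": "1235.pbs",
     "user": "gridusr12", "node": "wn02", "t": 150},
    {"site": "site-a", "source": "prelude-lml", "event": "restricted_command",
     "user": "gridusr07", "node": "wn01", "cmd": "/usr/sbin/tcpdump", "t": 130},
    {"site": "site-a", "source": "pbs", "event": "job_end", "job": "1235.pbs",
     "user": "gridusr12", "node": "wn02", "t": 180},
    {"site": "site-a", "source": "pbs", "event": "job_end", "job": "1234.pbs",
     "user": "gridusr07", "node": "wn01", "t": 200},
    # Same binary, but no job of this user is running on wn02 any more: the
    # scenario must not attribute it to job 1235.
    {"site": "site-a", "source": "prelude-lml", "event": "restricted_command",
     "user": "gridusr12", "node": "wn02", "cmd": "/usr/sbin/tcpdump", "t": 400},
]


@dataclass
class JobTrack:
    job: str
    user: str
    node: str
    site: str
    state: str = "QUEUED"
    evidence: list = field(default_factory=list)


class JobMonitoringScenario:
    """Models the states a job passes through; alerts trigger transitions."""

    # (current state, alert event) -> next state. Anything else is ignored.
    TRANSITIONS = {
        ("QUEUED", "job_start"): "RUNNING",
        ("RUNNING", "job_end"): "COMPLETED",
        ("RUNNING", "restricted_command"): "SUSPECT",
        ("SUSPECT", "restricted_command"): "SUSPECT",
        ("SUSPECT", "job_end"): "SUSPECT",   # stays flagged after the job ends
    }

    def __init__(self):
        self.jobs = {}      # job id -> JobTrack
        self.output = []    # correlated Grid alerts and new Grid policies

    def _job_for(self, alert):
        if "job" in alert:   # scheduler alerts carry the job id directly
            return self.jobs.setdefault(
                alert["job"], JobTrack(alert["job"], alert["user"], alert["node"], alert["site"]))
        # Host-level alerts carry no job id: join on site, user and node to a
        # job that is currently running there.
        for jt in self.jobs.values():
            if ((jt.site, jt.user, jt.node) == (alert["site"], alert["user"], alert["node"])
                    and jt.state in ("RUNNING", "SUSPECT")):
                return jt
        return None

    def feed(self, alert):
        """Apply one alert; returns the job's new state, or None if not joined."""
        jt = self._job_for(alert)
        if jt is None:
            return None
        nxt = self.TRANSITIONS.get((jt.state, alert["event"]))
        if nxt is None:
            return None
        prev, jt.state = jt.state, nxt
        jt.evidence.append(alert)
        if nxt == "SUSPECT" and prev != "SUSPECT":
            self._emit(jt, alert)
        return nxt

    def _emit(self, jt, alert):
        # Output 1: one correlated high-priority Grid alert for the scenario.
        self.output.append({
            "type": "grid_alert", "priority": "high",
            "scenario": "job_restricted_command", "site": jt.site, "job": jt.job,
            "user": jt.user, "node": jt.node, "cmd": alert["cmd"],
            "evidence": list(jt.evidence)})
        # Output 2: a new Grid policy telling the site's control engine what
        # to do (the action name is an assumption).
        self.output.append({
            "type": "grid_policy", "action": "suspend_user", "subject": jt.user,
            "site": jt.site, "reason": f"{jt.job} ran {alert['cmd']}"})


def analyse(archive):
    """Replay archived alerts in time order through the scenario."""
    scenario = JobMonitoringScenario()
    for alert in sorted(archive, key=lambda a: a["t"]):
        scenario.feed(alert)
    return scenario


if __name__ == "__main__":
    for out in analyse(ARCHIVE).output:
        print(out)
```

The join key (site, user, node, plus "currently running") is what keeps a stray host alert from being pinned on the wrong job; the last constructed row exercises exactly that case. Alerts are replayed in archive time order because the archive can receive them out of order, as the sample rows do.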

Pages 12 to 14

Analyzer Scenarios: Job Monitoring (slides with no transcribed text)

Page 15

Future Work

• Correlation
  – Prelude correlation engine
    • Lua rule based
• Messaging
  – ActiveMQ
• Additional scenarios
• Control Engine
  – Implement agents and deploy

Page 16

• Questions?