Active Security Infrastructure

Stuart Kenny

Trinity College Dublin

Active Security

• Building on concepts investigated during CrossGrid project (2002-2005) and Int.Eu.Grid (2006-2008)

• Existing Grid security activities focused on prevention– Authentication, authorization

• Active security focused on – Detection– Reaction

• 3 components– Security monitoring– Alert Analysis– Control Engine

Active Security Infrastructure

Security Monitoring (Site Level)

• Monitors state of security of a site

• Reports detected security events to security alert archive

• Monitoring performed by ‘R-GMA enabled’ security tools– Snort– Prelude-LML– Rkhunter

• Extensible– Easy inclusion of

additional tools, e.g., Tripwire

Alert Analysis (Management Level)

• Filter and analyse alerts contained in alert archive– Detect patterns that

signify attempted attack• Attempts to join alerts into

high-level attack scenarios• Output

– Correlated high-priority Grid alert

– New Grid policy• Define actions to be

taken in response to security event

• Extensible– Define additional ‘attack

scenarios’ and base policies

Control Engine (Site Level)

• Input:– Grid policies generated

by analysis component• Site Policy Decision Point

– Evaluates requests for guidance from service agents

– Decision based on applicable policies

• Decision contains action to be taken to mitigate risk of possible security incident

• Extensible– Provision of service

agents or plug-ins

Pull

Control Engine (Site Level)

• Active Plug-in– Simple plug-in interface– Plug-ins invoked on policy

update– Evaluate plug-in request

against updated policy set– User defined code handles

response and enforces obligations

• Grid-Ireland example– Grid4C iptables

management endpoint– Dynamic host blocking

Push

Grid-Ireland Deployment

• Grid-Ireland Gateway– Point-of-presence at 18 institutions– Homogenous set of hardware and software– Centrally managed by Grid Operations Centre (OpsCentre) at TCD

• ASI deployment– Security monitoring installed on gateways at 10 of 18 sites– Analysis component hosted at OpsCentre– Continuously monitoring infrastructure since June 2008

Grid-Ireland Deployment

Grid-Ireland Deployment

Analyzer Scenarios: Job Monitoring

• Scenario models attack as series of state changes– Models states job passes through once submitted to a site– State changes triggered by published alerts

• Prelude LML and PBS scripts

– Can be used as basis for ‘higher-level’ scenarios• E.g., job executing restricted command

Analyzer Scenarios: Job Monitoring

Analyzer Scenarios: Job Monitoring

Analyzer Scenarios: Job Monitoring

Future Work

• Correlation– Prelude correlation engine

• LUA rules based• Messaging

– ActiveMQ

• Additional scenarios• Control Engine

– Implement agents and deploy

• Questions?