Active Security Infrastructure
Stuart Kenny
Trinity College Dublin
Active Security
• Building on concepts investigated during CrossGrid project (2002-2005) and Int.Eu.Grid (2006-2008)
• Existing Grid security activities focused on prevention
  – Authentication, authorization
• Active security focused on
  – Detection
  – Reaction
• 3 components
  – Security monitoring
  – Alert Analysis
  – Control Engine
Security Monitoring (Site Level)
• Monitors state of security of a site
• Reports detected security events to security alert archive
• Monitoring performed by ‘R-GMA enabled’ security tools
  – Snort
  – Prelude-LML
  – Rkhunter
• Extensible
  – Easy inclusion of additional tools, e.g., Tripwire
Alert Analysis (Management Level)
• Filter and analyse alerts contained in alert archive
  – Detect patterns that signify attempted attack
• Attempts to join alerts into high-level attack scenarios
• Output
  – Correlated high-priority Grid alert
  – New Grid policy
• Define actions to be taken in response to security event
• Extensible
  – Define additional ‘attack scenarios’ and base policies
Control Engine (Site Level)
• Input:
  – Grid policies generated by analysis component
• Site Policy Decision Point
  – Evaluates requests for guidance from service agents
  – Decision based on applicable policies
• Decision contains action to be taken to mitigate risk of possible security incident
• Extensible
  – Provision of service agents or plug-ins
Pull
Control Engine (Site Level)
• Active Plug-in
  – Simple plug-in interface
  – Plug-ins invoked on policy update
  – Evaluate plug-in request against updated policy set
  – User defined code handles response and enforces obligations
• Grid-Ireland example
  – Grid4C iptables management endpoint
  – Dynamic host blocking
Push
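The two Control Engine slides describe a pull model (a service agent asks the site Policy Decision Point for guidance and receives an action plus obligations) and a push model (active plug-ins are re-invoked on every policy update, re-evaluate their request against the new policy set and enforce the result, as with the Grid-Ireland dynamic host blocking). The Python sketch below is an added example for this page, not code from the presentation or from Grid-Ireland/Grid4C: the Policy and Decision shapes, the policy identifiers, the hosts in 192.0.2.0/24 and the user name are all constructed, and the host-blocking plug-in only records the iptables commands it would issue so that it runs offline.

```python
"""Site-level Control Engine sketch: a Policy Decision Point (PDP) that
service agents query for guidance (the pull model) plus active plug-ins
that are re-invoked whenever the Grid policy set is updated (the push
model).  Hypothetical code written for this page: policy and decision
shapes are assumptions, and the host-blocking plug-in only records the
iptables commands it would issue instead of running them."""

from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """A Grid policy as the analysis component might publish it (assumed shape)."""
    policy_id: str
    target: str        # what the policy governs, e.g. "host" or "user"
    subject: str       # the particular host or user it applies to
    action: str        # mitigating action: "block", "deny-submit", "allow", ...
    priority: int = 0  # when several policies match, the highest priority wins


@dataclass
class Decision:
    action: str                              # "allow" when no policy applies
    policy_id: Optional[str] = None
    obligations: List[str] = field(default_factory=list)


class SitePDP:
    """Site Policy Decision Point holding the policies pushed by the analysis component."""

    def __init__(self) -> None:
        self._policies: Dict[str, Policy] = {}
        self._plugins: List[Callable[["SitePDP"], None]] = []

    # Pull: a service agent asks for guidance about one subject.
    def evaluate(self, target: str, subject: str) -> Decision:
        matches = [p for p in self._policies.values()
                   if p.target == target and p.subject == subject]
        if not matches:
            return Decision(action="allow")
        best = max(matches, key=lambda p: p.priority)
        # The obligation tells the agent what it must do besides the action itself.
        return Decision(action=best.action, policy_id=best.policy_id,
                        obligations=[f"log-decision:{best.policy_id}"])

    def register_plugin(self, plugin: Callable[["SitePDP"], None]) -> None:
        self._plugins.append(plugin)

    # Push: every policy update re-invokes the registered plug-ins.
    def update_policies(self, policies: Iterable[Policy]) -> None:
        for p in policies:
            self._policies[p.policy_id] = p
        self._notify()

    def revoke(self, policy_id: str) -> None:
        self._policies.pop(policy_id, None)
        self._notify()

    def _notify(self) -> None:
        for plugin in self._plugins:
            plugin(self)


class HostBlockPlugin:
    """Active plug-in for dynamic host blocking.  On each policy update it
    re-evaluates the hosts it knows about and records the firewall change
    it would apply (simulated; a real plug-in would call the site's
    iptables management endpoint)."""

    def __init__(self, known_hosts: Iterable[str]) -> None:
        self.known_hosts = list(known_hosts)
        self.blocked: set = set()
        self.commands: List[str] = []

    def __call__(self, pdp: SitePDP) -> None:
        for host in self.known_hosts:
            decision = pdp.evaluate("host", host)
            if decision.action == "block" and host not in self.blocked:
                self.blocked.add(host)
                self.commands.append(f"iptables -I INPUT -s {host} -j DROP")
            elif decision.action != "block" and host in self.blocked:
                self.blocked.discard(host)
                self.commands.append(f"iptables -D INPUT -s {host} -j DROP")


def run_demo() -> Tuple[SitePDP, HostBlockPlugin, Decision]:
    """Constructed walk-through: a block policy arrives, an agent pulls a
    decision, then the analysis component withdraws the block."""
    pdp = SitePDP()
    plugin = HostBlockPlugin(known_hosts=["192.0.2.10", "192.0.2.20"])  # constructed hosts
    pdp.register_plugin(plugin)
    pdp.update_policies([
        Policy("grid-0001", "host", "192.0.2.10", "block", priority=5),
        Policy("grid-0002", "user", "alice", "deny-submit"),
    ])
    submit_decision = pdp.evaluate("user", "alice")   # pull by a job-submission agent
    pdp.revoke("grid-0001")                           # push: plug-in unblocks the host
    return pdp, plugin, submit_decision


if __name__ == "__main__":
    _, plugin, decision = run_demo()
    print(decision)
    print("\n".join(plugin.commands))
```

The plug-in is idempotent with respect to the policy set: re-running it after an update only emits a command when a host's blocked state actually changes, so a withdrawn policy produces exactly one unblock and a repeated policy produces nothing.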
Grid-Ireland Deployment
• Grid-Ireland Gateway
  – Point-of-presence at 18 institutions
  – Homogeneous set of hardware and software
  – Centrally managed by Grid Operations Centre (OpsCentre) at TCD
• ASI deployment
  – Security monitoring installed on gateways at 10 of 18 sites
  – Analysis component hosted at OpsCentre
  – Continuously monitoring infrastructure since June 2008
Analyzer Scenarios: Job Monitoring
• Scenario models attack as series of state changes
  – Models states job passes through once submitted to a site
  – State changes triggered by published alerts
• Prelude LML and PBS scripts
  – Can be used as basis for ‘higher-level’ scenarios
    • E.g., job executing restricted command
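The job-monitoring scenario above is a state machine driven by archived alerts: PBS alerts move a job between the states it passes through after submission, and Prelude-LML alerts about executed commands are judged against the job's current state, which is what makes the "job executing restricted command" scenario possible. The following Python is an added example for this page, not code from the presentation or from the ASI analyzer; the alert field names, the four state names, the transition table and the restricted-command list are assumptions, and the alert stream is constructed.

```python
"""Analyzer scenario for job monitoring, written as a state machine: each
job's state advances on alerts published by PBS scripts, while alerts from
Prelude-LML about executed commands are judged against the job's current
state.  Hypothetical code written for this page; alert field names, the
state names and the restricted-command list are assumptions."""

from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class JobState(Enum):
    SUBMITTED = "submitted"
    QUEUED = "queued"
    RUNNING = "running"
    FINISHED = "finished"


# (current state, alert type) -> next state; anything else is unexpected.
TRANSITIONS = {
    (JobState.SUBMITTED, "pbs.queued"): JobState.QUEUED,
    (JobState.QUEUED, "pbs.started"): JobState.RUNNING,
    (JobState.RUNNING, "pbs.ended"): JobState.FINISHED,
}

# Commands a Grid job should never run (constructed list for the example).
RESTRICTED_COMMANDS = {"useradd", "passwd", "iptables"}


@dataclass
class GridAlert:
    """Correlated alert the scenario emits for the management level."""
    job_id: str
    priority: str   # "high" or "medium"
    message: str


class JobMonitoringScenario:
    def __init__(self) -> None:
        self.jobs: Dict[str, JobState] = {}
        self.alerts: List[GridAlert] = []

    def handle(self, alert: dict) -> None:
        job_id, kind = alert["job_id"], alert["type"]
        if kind == "pbs.submitted":
            self.jobs[job_id] = JobState.SUBMITTED
            return
        state = self.jobs.get(job_id)
        if state is None:
            self.alerts.append(GridAlert(job_id, "medium", f"{kind} for unknown job"))
            return
        if kind == "lml.exec":
            # Higher-level scenario built on the job states: a restricted
            # command from a running job, or any exec outside RUNNING.
            cmd = alert["command"]
            if state is JobState.RUNNING and cmd in RESTRICTED_COMMANDS:
                self.alerts.append(GridAlert(job_id, "high",
                                             f"restricted command '{cmd}' run by job"))
            elif state is not JobState.RUNNING:
                self.alerts.append(GridAlert(job_id, "high",
                                             f"'{cmd}' executed while job is {state.value}"))
            return
        next_state = TRANSITIONS.get((state, kind))
        if next_state is None:
            self.alerts.append(GridAlert(job_id, "medium",
                                         f"unexpected {kind} in state {state.value}"))
            return
        self.jobs[job_id] = next_state


# Constructed alert stream as the archive might deliver it (not real data).
SAMPLE_ALERTS = [
    {"source": "pbs", "type": "pbs.submitted", "job_id": "1234.ce01"},
    {"source": "pbs", "type": "pbs.queued", "job_id": "1234.ce01"},
    {"source": "pbs", "type": "pbs.started", "job_id": "1234.ce01"},
    {"source": "prelude-lml", "type": "lml.exec", "job_id": "1234.ce01", "command": "ls"},
    {"source": "prelude-lml", "type": "lml.exec", "job_id": "1234.ce01", "command": "useradd"},
    {"source": "pbs", "type": "pbs.ended", "job_id": "1234.ce01"},
    {"source": "prelude-lml", "type": "lml.exec", "job_id": "1234.ce01", "command": "ls"},
    {"source": "prelude-lml", "type": "lml.exec", "job_id": "9999.ce01", "command": "ls"},
]


def run_sample() -> JobMonitoringScenario:
    scenario = JobMonitoringScenario()
    for alert in SAMPLE_ALERTS:
        scenario.handle(alert)
    return scenario


if __name__ == "__main__":
    for a in run_sample().alerts:
        print(a.priority, a.job_id, a.message)
```

Keeping the transition table separate from the exec check is what lets new scenarios be layered on the same job states without touching the lifecycle logic; an exec alert that arrives after the job has ended, or for a job the analyzer never saw submitted, is flagged on its own rather than silently dropped.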
Future Work
• Correlation
  – Prelude correlation engine
    • Lua rules based
• Messaging
  – ActiveMQ
• Additional scenarios
• Control Engine
  – Implement agents and deploy
• Questions?