Challenges of Securing a Petascale Cluster
Christian Servin
The University of Texas at El Paso
Computational Sciences Program
Mentor: Irfan Elahi
Wednesday, July 27, 2011
Project Overview
• Security Challenges in Clusters
• Security Baseline/Requirements
• Case Study: TeraGrid
• Proposed Security Model
• Implementation, Analysis, and Testing
Challenges in Large Clusters vs Other Environments
• Clusters:
• Diverse User Community
• Data Sharing
• High Performance Computing
• Different File Systems
Computer Security
[Diagram: Confidentiality, Integrity, Usability]
Objective
Identify security challenges of securing open science large HPC supercomputers as compared with stand-alone servers. Also, to provide a security design that provides the perfect balance between security and usability.
[Image: An Ancient Fortress on an Island. Source: www.englishrussia.com]
Stand-alone vs Cluster
• High Bandwidth Connections
• Extensive Computational Power
• Massive Storage Capacity
• Firewall Between Nodes
• Storage Trust (Implicit Trust)
• Limited Encryption
Security Layers to Consider
• External Network
• Supercomputer (cluster)
• Internal Network
• Host (node)
[Diagram labels: Attacker, Other Attack, External Network, Gateway Nodes, Login, Login, IO, Login, Service, Internal Network, Hosts, Service, Master, Compute Nodes. Dragon image: www.historicfibers.com]
Case Study: TeraGrid Cluster
• Host
✓ Configuration Management
✓ Unnecessary Services
✓ Protect Shared File System
• Network
✓ Prevent IP Address spoofing
✓ Prevent source routing
✓ Block services that cannot be access controlled at host level
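One way to check the two network items above (IP address spoofing and source routing) on Linux nodes such as the Ubuntu Server hosts used later in this deck, as an added example that is not from the original slides. The mapping to Linux sysctl keys, the node names and the sample settings are assumptions constructed for illustration.

```python
# Added example: check node kernel settings against the "prevent IP address
# spoofing" and "prevent source routing" items. Assumption: the items map to
# these Linux sysctl keys; the slides do not name the settings that were used.
REQUIRED = {
    # Strict reverse-path filtering (1) drops packets whose source address
    # is not routable back through the receiving interface.
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    # 0 makes the kernel drop packets that carry source-route options.
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
}

def parse_sysctl(text):
    """Parse 'key = value' lines as printed by `sysctl -a`."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit_node(text):
    """Return (key, found) pairs for required keys that are wrong or absent."""
    settings = parse_sysctl(text)
    return [(key, settings.get(key)) for key, want in REQUIRED.items()
            if settings.get(key) != want]

def audit_cluster(snapshots):
    """Map node name -> findings, listing only nodes that fail the check."""
    report = {node: audit_node(text) for node, text in snapshots.items()}
    return {node: found for node, found in report.items() if found}

# Constructed sample data: hypothetical nodes; compute2 lacks one key entirely.
GOOD = """net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
"""
SNAPSHOTS = {
    "master": GOOD,
    "compute1": GOOD.replace("all.rp_filter = 1", "all.rp_filter = 0"),
    "compute2": GOOD.replace("net.ipv4.conf.default.accept_source_route = 0\n", ""),
}

if __name__ == "__main__":
    print(audit_cluster(SNAPSHOTS))
```

A missing key is reported with a value of None, so a node that never had the setting applied is flagged rather than silently passed.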
Case Study: TeraGrid (2)
• Auditing
✓ Have Monitoring and Events Detection
✓ Have Centralized logs
✓ Have Process Accounting
Installation and Configuration Experiments
• Configured a Cluster of Five Nodes
• Configured the network on a Local Area Network (LAN)
• Installed Ubuntu Server
• Security Model was Implemented, Analyzed and Tested
Experiment Configuration
[Diagram labels: Compute, Compute, Service, Master/Login, Intruder]
Security Model
• Configuration: Operating System Setup, Network Configuration, File System, Scheduler
• Monitoring Tools: Monitoring System, Intrusion Detection Sys, logs
• Decision Maker: Fuzzy Logic, Interval Computation, Multi Criteria Decision Making, Decision Engine
Personal Challenges
• OS Server Installation
• Linux novice
• Networking
• Network File System
• Services configuration
Summary
• Identify unique challenges of securing large HPC clusters
• Study the TeraGrid security baseline
• Provide a secure architecture
• Built a cluster with 5 nodes
• Implemented, analyzed, and tested on cluster
Future Work
• Establish benchmarks for a security and usability setup environment.
• Incorporate uncertainty models based on monitored records
Other SIParCS Achievements
• Participated in the CSG Summer Workshop
• Participated in & observed the Bluefire upgrade
• Attended various vendor conference calls and meetings
• Observed & learned in day-to-day SSG activities
Special Thanks
Questions
Thank you for your attention
• Christian Servin
• http://www.cs.utep.edu/christians/