Security aspects of the GRID infrastructures for Scientific Research
Roberto Alfieri Università di Parma - INFN Parma
Roma, June 07 2005
Roma, 07/06/2005 2
Contents
Introduction
  Grid concepts: a definition, architecture, projects, software
Grid Security requirements
Authentication, confidentiality, data integrity
  GSI: PKI, X.509, CA, RA, SSL, proxy, delegation
Authorization
  Globus grid-mapfile
  EDG add-on: VO-LDAP, VOMS
Firewalls
Introduction
a GRID definition
“Enable communities (virtual organizations) to share geographically distributed resources as they pursue common goals” [I. Foster, ANL, 1999]
[Figure: Tier0 resources at CERN (CPU servers, disk servers, tape silos and servers); the Atlas collaboration: 1850 members from 34 countries]
Introduction
GRID architecture
[Figure: GRID architecture. Users work from a User Interface running grid services; each VO (VO1, VO2) has a VO Server with grid services managed by a VO admin; each Resource Provider has a Storage Element (SE: grid services, disks) and a Computing Element (CE: grid services, CPU farm). The steps marked on the diagram are GRID Authn, GRID Authz, Local Authz, job submission (WLM), resource information (Res.Info), accounting (resource usage and economic) and RUN JOB.]
Introduction
Scientific Grid projects (INFN related)
Project   | Purpose                                                    | Funded
INFN-GRID | INFN production Grid                                       | INFN
LCG       | LHC production Grid                                        | LHC 2002-2008
Egee      | European production Grid                                   | EU 2004-2006
Grid.it   | National Scientific Grid: evaluation, development, testbed | MIUR 2002-2005
DataGrid  | EU scientific Grid: evaluation, development, testbed       | EU 2001-2003
Introduction
DataGrid
Objectives:
• develop a sustainable grid computing model for large scientific communities
• Large scale testbeds
Scientific applications:
• 6 High Energy Physics
• 5 Earth Observation
• 9 Bio-informatics
Funded: IST (UE) 9.8 M€
Period: 2001-2003
Web site: http://eu-datagrid.web.cern.ch/eu-datagrid/
Introduction
GRID.it
Objectives:
• R&D Grid technological development project
• Deployment of an Italian e-Science Grid infrastructure
Scientific fields:
• Earth Observation
• Geophysics
• Astronomy
• Biology and Genomics
• Computational Chemistry
Funded: FIRB (MIUR) 8.1 M€
Period: 2002-2005
Web site: www.grid.it
Introduction
EGEE
Objectives: Create a Europe-wide production quality Grid for Scientific Applications
Activities: 48% service, 24% middleware re-engineering, 28% networking.
Period: 2004-2006
Funded: IST (EU) 35M€
Web site: http://www.eu-egee.org/
Introduction
LCG (LHC Computing Grid)
Purpose: Prepare and deploy the Computing Environment for the LHC experiments
Periods: 2002-2005, 2006-2008
VO: Atlas, Alice, CMS, LHCB
Web site: lcg.web.cern.ch/LCG/
[Figure: map of INFN-Grid sites: TORINO, PADOVA, BARI, PALERMO, FIRENZE, PAVIA, GENOVA, NAPOLI, CAGLIARI, TRIESTE, ROMA, PISA, L’AQUILA, CATANIA, BOLOGNA, UDINE, TRENTO, PERUGIA, LNF, LNGS, SASSARI, LECCE, LNS, LNL, SALERNO, COSENZA, S.Piero, FERRARA, PARMA, CNAF, ROMA2, MILANO]
Introduction
INFN-Grid
Objectives:
• Promote computational Grid technologies
• Middleware R&D through EU projects (DataGrid, DataTAG) and internal activities
• Implement an INFN-Grid infrastructure
• Participate in the implementation of new National and European Grid Infrastructures (LCG, grid.it, EGEE, ..)
Web site: http://grid.infn.it/
Introduction
GRID Software: Globus Toolkit
• Open source software toolkit used for building grids.
• Developed (mainly) at Argonne National Labs (ANL).
• Releases:
  – Globus 2: widely used distribution written in C
    • 4 layer protocols: Grid Security Infrastructure (GSI), Resource management (GRAM), Information Service (GRIP), File Transfer (GridFTP)
    • 3 API categories: Portability and convenience API (globus_common), API implementing the four layer protocols (globus_io, Mpich-g2, ..), Collective layer API
  – Globus 3: Toolkit implementing OGSI (WebService based)
Introduction
GRID Software: LCG-2
• Scientific Linux (RedHat Enterprise Linux recompiled) 3.04
• Globus 2 core services (Gram, Gsi, Mds, Gass, …)
• Several EDG-2.0 components
  – Resource Broker
  – Replica Management tools
  – Packaging
  – VO-LDAP, VOMS
  – …
• Glue 1.1 Information Schema
• Few LCG modifications
[Figure: middleware lineage: EDG and VDT feed LCG-1 and LCG-2 (globus2 based); gLite-1 and gLite-2 are globus3 (OGSI) based; projects: LCG, EGEE, ...]
Grid Security Requirements
Authentication: establish the identity of an entity by means of credentials
  – Grid-wide authentication
  – With single sign-on (Delegation support)
  – Credential mapping
Authorization: establish the rights of the entity on the resource
  – VO-level authorization
  – Local policies must not be overridden
  – Multi VO support (users and resources)
Auditing: establish a logging and traceability method
  – Every operation must be logged with the credential of the user (fine grained)
  – The resource being used may be valuable
Confidentiality: a third party cannot understand the communication
  – The data may be sensitive (e.g. medical data)
Integrity: data are not modified during communication
Firewall: nodes must be protected by a firewalling policy
EDG Security
Credentials (Authentication, Confidentiality, Data integrity, Single sign-on):
  • GSI (Globus) - PKIX (IETF) - SSL (IETF) - Proxy and Delegation (Globus)
Authorization:
  • Grid-mapfile (Globus)
  • VO server: VO-LDAP (EDG 2001-2005?)
  • VO server: VOMS, LCAS, LCMAPS (EDG 2004->)
GSI
• In the GSI system each user has a set of credentials, based on a Public Key Infrastructure (PKI), which they use to prove their identity on the grid
  – Consists of an X.509 certificate and private key
• Uses SSL for authentication and message protection
• Adds features needed for Single Sign-on
  – Proxy Credentials
  – Delegation
GSI
PKI with X.509 (PKIX)
• User’s credential is a key pair:
  – Private Key (known only to the entity)
  – Public Key (given to the world encapsulated in an X.509 cert.)
• A key is a collection of bits (e.g. 2048 bit)
• The keys are used by special functions to encrypt and decrypt data (e.g. RSA): anything encrypted with the Private key can only be decrypted with the public key and vice versa.
[Figure: DATA is encrypted with one key of the pair and decrypted with the other, giving DATA back.]
GSI
Digital Signature
1. I can sign a document by encrypting (a hash function of) it with my Private key.
2. You can verify my signature decrypting it with my Public Key.
Q: But, how do you know that you have my correct public key?
A: A third party named “Certification Authority”
The CA joins the User Identity and his public key in a new document named “User’s Certificate” that is signed by the CA.
[Figure: the document (DATA) is hashed and the hash is encrypted with the private key to form the Signature; the user’s certificate holds Name: Carlo, Issuer: INFNCA, Carlo’s Public key, CA signature.]
GSI
Certificate Authority (CA)
[Figure: CA certificate: Name INFN CA, Issuer INFN CA, CA Public key, CA signature.]
• The CA signs its own certificate (a self-signed certificate), which is distributed to the world and can be used to verify certificates issued by the CA.
• The CA Certificate has a long-term validity time (typically 5 years)
GSI
Certificate Policy (CP)
• Each CA has a Certificate Policy (CP) which states when and how the CA issues certificates; it states whom it will issue certificates for (typically people or hosts belonging to a stable community such as an institute, industry, ..)
• Each CA has a namespace of certificates issued and constrains itself to sign certificates that are inside the namespace
• Each certificate issued has a FQDN
• Each certificate issued has a validity time (typically 1 year)
• Certificates are published in a Directory (e.g. LDAP or WWW) managed by the CA.
• The CA periodically publishes a list of revoked certificates that can be consulted manually (CRL) or automatically (OCSP protocol).
[Figure: the INFN CA namespace as a tree under the INFN CA base DN: It → CNR, INFN → Personal Cert., Host → Parma, Firenze → Roberto Alfieri]
GSI
Sample Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1148 (0x47c)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IT, O=INFN, CN=INFN Certification Authority
        Validity
            Not Before: Jan 31 13:29:07 2003 GMT
            Not After : Jan 31 13:29:07 2004 GMT
        Subject: C=IT, O=INFN, OU=Personal Certificate, L=CNAF, CN=Vincenzo Ciaschini/[email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit): …..
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
    Signature Algorithm: md5WithRSAEncryption
    Signature: …
GSI
Registration Authority (RA)
• To request a certificate a user starts by generating a key pair.
• The user signs the public key to form what is called a Certificate Request.
• The user then takes the certificate request to a Registration Authority (RA).
• A RA’s responsibility is to verify the user’s name.
• Often the RA coexists with the CA and is not apparent to the user.
[Figure: the user (shown as C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy) signs the Public Key to produce the Certificate Request; the REGISTRATION AUTHORITY verifies the identity (an ID document: State of Illinois, Mario Rossi); the CERTIFICATION AUTHORITY signs the certificate.]
GSI
EDG - CA
31 national certification authorities, common certificate policies, mutual trust
Armenia - ArmeSFo
Austria - AustrianGrid
Belgium - BEGrid
Canada - GridCanada
CERN
Cyprus - CyGridCA
Czech Rep. - CESNET
Estonia - EGCA - NIKHEF
France - CNRS
France - GRID-FR
Germany - GridKa-CA
Greece - HellasGrid
Hungary - KFKI RMKI
Ireland - Grid-Ireland
Israel - IUCC
Italy - INFN CA
Netherlands - NIKHEF
Nordic co. - NorduGrid
Pakistan - PK-Grid CA
Poland - PolishGrid
Portugal - LIPCA
Russia - Russian EDG
SEE-Grid Project
Slovakia - Slovakia CA
Slovenian - SIGNET CA
Spain - DataGrid-ES
Taiwan - ASCCG
UK - UK e-science
US - DOE Grids
US - ESnet Root
US - FNAL
INFN CA: 38 Registration Authorities (26 INFN, 32 other); 3198 certs issued since May 1998; CRL (188 certs revoked since 1988)
https://security.fi.infn.it/CA/
http://marianne.in2p3.fr/datagrid/ca/ca-table-ca.html
GSI
Download the INFN CA cert
• http://security.fi.infn.it/CA/
• Click on “Certificato INFN CA” and follow the on-line instructions
GSI
Get your personal cert from INFN-CA
• Contact your local Registration Authority and get the ID code.
• http://security.fi.infn.it/CA/
• Click on “Richiesta certificati”
• Fill in the details of the owner:
  – Nome sezione;
  – Nome e Cognome;
  – E-mail: it must be the official one, [email protected].
• Click on “Sottometti Richiesta”.
• After the identity checks, you’ll receive an e-mail with the instructions for the download, which must be done with the same browser used to submit the request.
GSI
Export the certificate
• Export the certificate (extension .p12) and save a copy on a floppy (two is better...). The copy can be imported in another browser.
• Protect the copy with a good password (it will be asked for during the export procedure).
• Convert the certificate for use by the Globus toolkit (both commands read the exported .p12 file):
  openssl pkcs12 -nocerts -in user.p12 -out ~/.globus/userkey.pem
  openssl pkcs12 -clcerts -nokeys -in user.p12 -out ~/.globus/usercert.pem
[Figure: browser icons, Netscape and Explorer.]
GSI
SSL Authentication
• Start by exchanging X.509 certificates
• Each side then sends over a challenge
• The challenge is signed with the private key and sent back
• Each side then verifies the certificate using PKI and the signature using the certificate
• If everything checks, then the identity from the certificate can be trusted
[Figure: MUTUAL AUTHENTICATION: each side sends a CHALLENGE, receives SIGN(CHALLENGE) and runs VERIFY on it.]
GSI
SSL Confidentiality
After authentication a shared session key is established to be used for message protection
[Figure: both sides START an ENCRYPTED SESSION; messages are encrypted and decrypted with the SESSION KEY.]
GSI
Proxy Certificate
• A Proxy is a special type of X.509 certificate, signed by the normal end entity cert (or by another proxy).
• It allows a process to act on behalf of the user, supporting single sign-on and delegation
  – if there is a need to have agents requesting services on behalf of the user, it avoids the need to re-enter the user’s pass phrase
• The Subject of the proxy contains the Subject of the signing cert
• It reduces exposure of the user’s private key
• It is created by the grid-proxy-init command
• The private key of the Proxy is not encrypted:
  – it is stored in a local file protected by file system security: it must be readable only by the owner;
  – the proxy lifetime is short (typically 12 h) to minimize security risks.
GSI
Starting a Grid session
• “login”: grid-proxy-init
    Your identity: /C=IT/O=INFN/CN=M.Rossi/[email protected]
    GRID pass phrase for this identity: *********
    Creating proxy ........................................ Done
    Your proxy is valid until Feb 24 02:44:51 2004
  – the proxy is stored in /tmp/x509up_uxxx
• You can now use the grid services.
• “logout”: grid-proxy-destroy
GSI Proxy certificate structure
• openssl x509 -text -noout -in /tmp/x509up_u504
    Data:
        Version: 3 (0x2)
        Serial Number: 981 (0x3d5)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IT,O=INFN,CN=M.Rossi/[email protected]
        Validity
            Not Before: Nov 28 14:14:57 2002 GMT
            Not After : Nov 29 02:19:57 2002 GMT
        Subject: C=IT,O=INFN,CN=M.Rossi/[email protected], CN=proxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
                Modulus (512 bit): ......................................
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        ......................................
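The two slides above state the properties a site should expect of a proxy: its Subject is the signer's Subject plus a CN=proxy component, it lives only a few hours, and its unencrypted key is protected by file permissions alone. The following is an added example, not Globus code, that checks those properties on the text form printed by `openssl x509 -text -noout`. The sample dump is constructed from the slide's values (DN shortened); the 5-minute clock-skew allowance and the 1024-bit key threshold are assumptions of this example.

```python
"""Policy check over a GSI proxy certificate (added example, not Globus code).
Input is the text printed by `openssl x509 -text -noout`; the checks follow
the slides: subject = issuer + CN=proxy, short lifetime, key file readable
only by its owner. The key-size threshold is an assumption of this example."""

import re
import stat
from datetime import datetime, timedelta

# Constructed dump modelled on the slide (values as on the slide, DN shortened).
SAMPLE_PROXY_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 981 (0x3d5)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IT,O=INFN,CN=M.Rossi
        Validity
            Not Before: Nov 28 14:14:57 2002 GMT
            Not After : Nov 29 02:19:57 2002 GMT
        Subject: C=IT,O=INFN,CN=M.Rossi, CN=proxy
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
"""

MAX_LIFETIME = timedelta(hours=12)   # "typically 12 h" on the slide
CLOCK_SKEW = timedelta(minutes=5)    # assumption: Not Before is backdated 5 min for clock skew
MIN_RSA_BITS = 1024                  # assumption: site threshold chosen for this example


def _field(text, name):
    """Value of a 'Name: value' line in the openssl dump (first occurrence)."""
    m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(name), text, re.M)
    if not m:
        raise ValueError("missing field: " + name)
    return m.group(1)


def _parse_time(s):
    # openssl prints e.g. "Dec  5 02:19:57 2002 GMT": drop the zone, squeeze spaces
    return datetime.strptime(" ".join(s.split()[:4]), "%b %d %H:%M:%S %Y")


def _dn(s):
    return re.sub(r",\s*", ",", s)   # normalise ", CN=proxy" to ",CN=proxy"


def parse_proxy(text):
    bits = re.search(r"RSA Public Key: \((\d+) bit\)", text)
    return {
        "issuer": _dn(_field(text, "Issuer")),
        "subject": _dn(_field(text, "Subject")),
        "not_before": _parse_time(_field(text, "Not Before")),
        "not_after": _parse_time(_field(text, "Not After")),
        "bits": int(bits.group(1)) if bits else 0,
    }


def check_proxy(info, key_mode, now=None):
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    # Old-style GSI proxy: the subject is the signer's subject plus one CN=proxy.
    if info["subject"] != info["issuer"] + ",CN=proxy":
        problems.append("subject is not issuer + CN=proxy")
    # A short lifetime bounds the damage if the unencrypted proxy key leaks.
    if info["not_after"] - info["not_before"] > MAX_LIFETIME + CLOCK_SKEW:
        problems.append("lifetime exceeds %d h" % int(MAX_LIFETIME.total_seconds() // 3600))
    if now is not None and not (info["not_before"] <= now <= info["not_after"]):
        problems.append("proxy not valid at the given time")
    # The proxy key is not encrypted: only the file mode protects it.
    if key_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("proxy file readable by group/others (mode %o)" % key_mode)
    if info["bits"] < MIN_RSA_BITS:
        problems.append("%d-bit RSA key below %d bits" % (info["bits"], MIN_RSA_BITS))
    return problems


def check_proxy_text(text, key_mode, now_str=None):
    """Wrapper taking the dump and, optionally, 'now' in openssl's date format."""
    now = _parse_time(now_str) if now_str else None
    return check_proxy(parse_proxy(text), key_mode, now)


if __name__ == "__main__":
    for problem in check_proxy_text(SAMPLE_PROXY_TEXT, 0o600):
        print(problem)
```

On the slide's own values only the 512-bit key is reported; the 12 h 05 min validity window passes because of the skew allowance, and a mode of 0644 on the /tmp/x509up_uNNN file would add a second finding.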
GSI Delegation
• Allows a remote process (agent) to act on behalf of the user
• Avoids sending passwords or private keys across the network
• Proxy creation can be recursive
• The proxy may be a “Restricted Proxy”: a proxy with a reduced set of privileges (e.g. cannot submit jobs).
Globus Authorization: the grid-mapfile
[Figure: the USER, on the User Interface, runs grid-proxy-init and edg-job-submit job-name with the User cert; the Resource Provider’s SE (disks) and CE (CPU farm) each hold a grid-mapfile.]
Managed manually by the resource admin:
• No centralization
• No scalability
Grid-mapfile entries shown in the figure:
"/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri/[email protected]" alfieri
"/C=IT/O=INFN/L=Parma/CN=Fabio Spataro/[email protected]" spataro
EDG Authorization: VO-LDAP (2001-2005?)
[Figure: as before, but the grid-mapfile on the Resource Provider’s SE and CE is generated from the VO-LDAP servers of VO1 and VO2; the USER still runs grid-proxy-init and edg-job-submit job-name with the User cert.]
Managed automatically by the resource admin using the mkgridmap script:
• Run daily
• VOs selection
• Local pool accounts
• Ban list
EDG Authorization
Sample mkgridmap.conf
#### GROUP: group URI [lcluser]
# EDG Standard Virtual Organizations
group ldap://grid-vo.nikhef.nl/ou=testbed1,o=alice,dc=eu-datagrid,dc=org .alice
group ldap://grid-vo.nikhef.nl/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org .atlas
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=cms,dc=eu-datagrid,dc=org .cms
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=lhcb,dc=eu-datagrid,dc=org .lhcb
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=biomedical,dc=eu-datagrid,dc=org .biome
group ldap://grid-vo.nikhef.nl/ou=tb1users,o=earthob,dc=eu-datagrid,dc=org .eo
group ldap://marianne.in2p3.fr/ou=ITeam,o=testbed,dc=eu-datagrid,dc=org .iteam
group ldap://marianne.in2p3.fr/ou=wp6,o=testbed,dc=eu-datagrid,dc=org .wpsix
# Other Virtual Organizations
group ldap://grid-vo.cnaf.infn.it/ou=testbed1,o=infn,c=it .infngrid
#### Optional - ACL: deny|allow pattern_to_match
deny *Cecchini*
#### Optional - GRID-MAPFILE-LOCAL
gmf_local /opt/edg/etc/grid-mapfile-local
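The mkgridmap slides describe a generator rather than a hand-edited file: VO membership lists pulled from each group URI, a pool account per VO (the leading dot), a ban list applied as deny patterns, and a site-local mapfile appended at the end. The following is an added example, not EDG's mkgridmap script, that implements that logic over constructed in-memory data in place of the LDAP queries; the ACL semantics (first matching pattern wins, no match means allowed) and the handling of a group line without a local account (ignored) are assumptions of this example.

```python
"""Toy generator of a Globus grid-mapfile from an mkgridmap.conf (added
example, not EDG's mkgridmap). VO membership comes from a constructed table
instead of the VO-LDAP servers named in the group URIs."""

import fnmatch

# Constructed stand-in for the VO-LDAP servers: group URI -> member DNs.
VO_MEMBERS = {
    "ldap://grid-vo.example.org/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org": [
        "/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri",
        "/C=IT/O=INFN/L=Parma/CN=Fabio Spataro",
    ],
    "ldap://grid-vo.example.org/ou=testbed1,o=infn,c=it": [
        "/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri",   # also in atlas: first VO wins
        "/C=IT/O=INFN/L=CNAF/CN=Mario Rossi",         # banned below
    ],
}

# Constructed configuration in the format of the slide's sample.
CONF = """\
#### GROUP: group URI [lcluser]
group ldap://grid-vo.example.org/ou=testbed1,o=atlas,dc=eu-datagrid,dc=org .atlas
group ldap://grid-vo.example.org/ou=testbed1,o=infn,c=it .infngrid
#### Optional - ACL: deny|allow pattern_to_match
deny *Rossi*
#### Optional - GRID-MAPFILE-LOCAL
gmf_local /opt/edg/etc/grid-mapfile-local
"""

# Constructed content of the site-local mapfile (path -> text), appended verbatim.
LOCAL_FILES = {
    "/opt/edg/etc/grid-mapfile-local": '"/C=IT/O=INFN/L=Parma/CN=Site Admin" admin\n',
}


def parse_conf(text):
    """Return (group list, ACL list, local mapfile path or None)."""
    groups, acl, local = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # '#' starts a comment
        if not line:
            continue
        parts = line.split()
        if parts[0] == "group" and len(parts) >= 3:   # assumption: no account -> ignored
            groups.append((parts[1], parts[2]))
        elif parts[0] in ("allow", "deny") and len(parts) == 2:
            acl.append((parts[0], parts[1]))
        elif parts[0] == "gmf_local" and len(parts) == 2:
            local = parts[1]
    return groups, acl, local


def acl_permits(dn, acl):
    """First matching shell-style pattern wins; no match means allowed (assumption)."""
    for action, pattern in acl:
        if fnmatch.fnmatchcase(dn, pattern):
            return action == "allow"
    return True


def build_gridmap(conf, vo_members, local_files):
    groups, acl, local = parse_conf(conf)
    mapping = {}                                  # DN -> local account
    for uri, account in groups:                   # config order = VO priority
        for dn in vo_members.get(uri, []):
            if dn in mapping or not acl_permits(dn, acl):
                continue                          # already mapped, or on the ban list
            mapping[dn] = account                 # ".atlas" = pool account for the VO
    lines = ['"%s" %s' % (dn, acct) for dn, acct in mapping.items()]
    if local is not None:                         # site-specific static entries last
        for raw in local_files.get(local, "").splitlines():
            if raw.strip() and not raw.lstrip().startswith("#"):
                lines.append(raw.strip())
    return lines


if __name__ == "__main__":
    print("\n".join(build_gridmap(CONF, VO_MEMBERS, LOCAL_FILES)))
```

Run daily (as the slide says) the output replaces the grid-mapfile on the CE and SE, so a DN removed from the VO or added to the deny list loses access at the next run; that delay is the reliability limit of the pull model noted on the VO-LDAP drawbacks slide.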
EDG Authorization
VO Registration
• Select your VO, read the usage guidelines and sign the Registration Form
EDG Authorization
VO-LDAP drawbacks
• Flexibility
  – Only group membership supported (no roles or other Authz info)
  – No Multi-VO support for users
  – Grid Authz info are mapped to Unix ACL (site-oriented)
• Reliability
  – Authz info obtained using a Pull model are less reliable
• Scalability
  – LDAP vs RDBMS
EDG Authorization: VOMS (2003 -> )
• Virtual Organization Membership Service (VOMS)
  – Grants authorization data to users at VO level
  – Each VO has its own VOMS
• Local Centre Authorization Service (LCAS)
  – Handles authorization requests to the local fabric
• Local Credential Mapping Service (LCMAPS)
  – Provides the local credentials needed for jobs in the fabric
EDG Authorization
VOMS: User Client Operations
[Figure: the user (C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy) authenticates to the VOMS server, sends a Request and receives the User’s attributes, which the server reads from its AuthDB; the numbered arrows correspond to the steps below.]
1. Mutual authentication and encrypted communication Client-Server (via SSL)
2. Client sends request to Server
3. Server checks correctness of request
4. Server sends back the required info, signed by itself
5. Client checks results
6. Client repeats process for other VOMS’s
7. Client creates proxy certificates containing all the info received into a (non critical) extension
EDG Authorization
voms-proxy-init Options
All the queries have an implicit <userid> field, derived from the user’s certificate.
  A                : all info regarding the user (default option);
  G <group>        : user is member of <group>;
  R <role>         : user has role <role>;
  B <group>:<role> : user is member of <group> with role <role>;
The administrator can add VO-specific SQL queries:
  L                : lists all available queries;
  S <qid>          : executes the query <qid>.
Example: voms-proxy-init -voms cms -voms infngrid:Gtestbed1
EDG Authorization
Proxy Certificate with Authz info
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 976 (0x3d0)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=IT, O=INFN, OU=Personal Certificate, L=Parma, CN=Roberto Alfieri
        Validity
            Not Before: Dec 17 15:48:24 2002 GMT
            Not After : Dec 18 03:53:24 2002 GMT
        Subject: C=IT, O=INFN, OU=Personal Certificate, L=Parma, CN=Roberto Alfieri, CN=proxy
        Subject Public Key (omissis)
        X509v3 extensions:
            1.3.6.1.4.1.8005.100.100.1:
                SIGLEN:128
                SIGNATURE: (binary data, not reproduced)
                USER:/C=IT/O=INFN/OU=Personal Certificate/L=Parma/CN=Roberto Alfieri
                UCA:/C=IT/O=INFN/CN=INFN Certification Authority
                SERVER:/C=IT/O=INFN/OU=cas server/L=Bologna/CN=cas/aaa-test.cnaf.infn.it
                SCA:/C=IT/O=INFN/OU=Authority/CN=INFN CA (2)
                VO:unspecified
                021217155324Z
                021217155824Z
                DATALEN:8
                NO DATA
    Signature (omissis)
EDG Authorization
Authn/Authz control flow
[Figure: the user’s proxy (C=IT/O=INFN/L=CNAF/CN=Pinco Palla/CN=proxy, carrying the VOMS pseudo-cert) reaches the Gatekeeper over SSL (auth + encrypt). The Gatekeeper passes the Id to the LCAS client; LCAS consults its plug-ins (ACL, timeslot, gridmap, config) and answers Yes/no. The LCMAPS client then passes the Id to LCMAPS, whose plug-ins (role2uid, role2afs, config) return a credlist; the Jobmanager applies the credentials.]
EDG-gatekeeper (EDG 1.4 and later distributions) supports plug-ins in the authorization processing flow.
LCAS is an access permission plug-in, currently based on the grid-mapfile.
LCMAPS is a plug-in for the VO credential to local credential mapping.
The resource manager can customize these plug-ins for the user’s attribute processing.
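The control flow above and the VOMS/LCAS/LCMAPS slide before it describe a two-stage decision at the gatekeeper: LCAS answers yes/no through a chain of plug-ins, then LCMAPS turns the VO attributes in the proxy into a local credential. The following is an added example, not EDG's LCAS/LCMAPS source, that models that flow over constructed policy tables (grid-mapfile, ban list, timeslot, role2uid) with an in-memory counter standing in for the pool-account lease files; plug-in names and the FQAN-prefix matching rule are assumptions of this example.

```python
"""Model of the gatekeeper's Authn/Authz flow (added example, not EDG code):
LCAS plug-ins decide yes/no, then LCMAPS' role2uid maps the VOMS attributes
(FQANs) of the proxy to a local account. All policy tables are constructed."""

from datetime import datetime

ALFIERI = "/C=IT/O=INFN/L=Parma/CN=Roberto Alfieri"
PALLA = "/C=IT/O=INFN/L=CNAF/CN=Pinco Palla"

# Constructed site configuration (the boxes labelled gridmap, ACL, timeslot, role2uid).
GRIDMAP = {ALFIERI: ".infngrid", PALLA: ".cms"}               # leading dot = pool account
BAN_LIST = {PALLA}
TIMESLOT = {"weekdays": range(0, 5), "hours": range(8, 20)}  # Mon-Fri, 08:00-19:59
ROLE2UID = [                          # (FQAN prefix, pool account prefix, local group)
    ("/cms/Role=production", "cmsprd", "cms"),    # most specific entry first
    ("/cms", "cms", "cms"),
    ("/infngrid", "infngrid", "infngrid"),
]


class Request:
    """What the gatekeeper knows after SSL: the authenticated DN, the VOMS
    attributes (FQANs) from the proxy extension and the arrival time."""
    def __init__(self, dn, fqans, when):
        self.dn, self.fqans, self.when = dn, list(fqans), when


def make_request(dn, fqans, when):
    # 'when' as "YYYY-MM-DD HH:MM" (constructed input format for this example)
    return Request(dn, fqans, datetime.strptime(when, "%Y-%m-%d %H:%M"))


# ---- LCAS plug-ins: each returns True to allow; every plug-in must allow.
def lcas_gridmap(req):
    return req.dn in GRIDMAP


def lcas_ban(req):
    return req.dn not in BAN_LIST


def lcas_timeslot(req):
    return (req.when.weekday() in TIMESLOT["weekdays"]
            and req.when.hour in TIMESLOT["hours"])


LCAS_PLUGINS = [lcas_gridmap, lcas_ban, lcas_timeslot]


def lcas(req):
    """Return None if access is granted, else the name of the refusing plug-in."""
    for plugin in LCAS_PLUGINS:
        if not plugin(req):
            return plugin.__name__
    return None


# ---- LCMAPS role2uid: the first FQAN with a policy entry decides the mapping.
def lcmaps_role2uid(req, pool_counter):
    """pool_counter is an in-memory stand-in for the lease files that make
    pool-account assignment persistent in the real service."""
    for fqan in req.fqans:                       # VOMS lists the primary FQAN first
        for prefix, pool, group in ROLE2UID:
            if fqan == prefix or fqan.startswith(prefix + "/"):
                n = pool_counter.get(pool, 0) + 1
                pool_counter[pool] = n
                return {"user": "%s%03d" % (pool, n), "group": group}
    return None


def gatekeeper(req, pool_counter):
    """Decision: ("ALLOW", local credential) or ("DENY", reason)."""
    refused_by = lcas(req)
    if refused_by is not None:
        return ("DENY", "LCAS: %s refused" % refused_by)
    cred = lcmaps_role2uid(req, pool_counter)
    if cred is None:
        return ("DENY", "LCMAPS: no mapping for VO attributes")
    return ("ALLOW", cred)


if __name__ == "__main__":
    counter = {}
    print(gatekeeper(make_request(ALFIERI, ["/infngrid"], "2005-06-06 10:00"), counter))
    print(gatekeeper(make_request(PALLA, ["/cms"], "2005-06-06 10:00"), counter))
```

The order of the two stages matters for auditing: a banned DN is refused before any local account is consumed, and a DN that passes LCAS but carries no mappable attribute is still refused, which is the "local policies must not be overridden" requirement from the Grid Security Requirements slide.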
EDG Authorization
mkgridmap-2.x
We support a transitional period in which VOMS and VO-LDAP coexist: VOMS can also be used for grid-mapfile generation by an enhanced version of mkgridmap.
• New feature: authenticated access to VOMS (not LDAP) servers, to restrict the clients allowed to download the list of the VO members
• New directive in the config file:
  group ldap://grid-vo.cnaf.infn.it/ou=testbed1,o=infn,c=it .infngrid
  group https://vo-iteam.datagrid.cnrs.fr/iteam .iteam
[Figure: on the CE, mkgridmap reads “group ldap://…” entries from VO-LDAP and “group https://…” entries from VOMS (authenticated and restricted access) and writes the grid-mapfile.]
EDG AA: workflow
[Figure: a NEW USER obtains a certificate (cert req to the RA, cert from the CA) and registers with a VO (VO reg). The VO servers (VO-LDAP, VOMS, each with grid services and a VO admin) feed Authz (lcas-lcmaps) at the Resource Providers (SE with disks, CE with CPU farm). The user on the User Interface does Authn (voms-proxy-init); the job goes through the workload management (JS, WLM, RBroker) using the information index (RInf, InfoIndex), is run (RUN JOB) and accounted (resource usage and economic).]
EDG Firewalling
EDG Firewall policies
Example: Medium Security Policy
Outgoing: accept all
Incoming: accept only the needed ports
  CE     : 2119/tcp (Gatekeeper), 9002/tcp (edg-wl-logd)
  CE, SE : 2135/tcp (MDS)
  ALL    : 20000-25000/tcp (dynamic ports), 2811/tcp (GridFTP control), 123/tcp (NTP)

#!/bin/sh
# Service names (ssh, ntp, gridftp, globus-gatekeeper, wl-logd, MDS) must resolve through /etc/services.
iptables --policy INPUT DROP
iptables --flush
iptables -A INPUT -i lo -j ACCEPT                                   # loopback, otherwise dropped by the DROP policy
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT    # replies to outgoing connections ("Outgoing: accept all")
iptables -A INPUT -p tcp --dport ssh -s 192.135.11.0/24 -j ACCEPT   # ALL: LOCAL subnet only
iptables -A INPUT -p tcp --dport ntp -j ACCEPT                      # ALL
iptables -A INPUT -p tcp --dport 20000:25000 -j ACCEPT              # ALL
iptables -A INPUT -p tcp --dport gridftp -j ACCEPT                  # ALL
iptables -A INPUT -p tcp --dport globus-gatekeeper -j ACCEPT        # CE
iptables -A INPUT -p tcp --dport wl-logd -j ACCEPT                  # CE
iptables -A INPUT -p tcp --dport MDS -j ACCEPT                      # CE, SE
Further Information
• EDG Security Coordination Group: http://cern.ch/hep-project-grid-scg
• EDG CAs: http://marianne.in2p3.fr/datagrid/ca
• INFN Production Grid: http://grid-it.cnaf.infn.it/
• INFN Development Grid: http://infnforge.cnaf.infn.it/
• EDG VOMS Admin: http://cern.ch/edg-wp2/security/voms
• Grid Security Infrastructure (GSI): http://www.globus.org/toolkit/docs/4.0/security/