Nils gentschen Felde & Felix von Eye, OGF28 München, 16.03.2010
The GIDS project
A Grid-based, federated Intrusion Detection System to secure the D-Grid
infrastructure
Nils gentschen Felde, Felix von Eye
The MNM Team
Leibniz-Rechenzentrum der Bayerischen Akademie der Wissenschaften
Grid-related projects (excerpt: @LMU)
• European projects
– Deployment of Remote Instrumentation Infrastructure (DORII)
– Open Grid Forum Europe (OGF-Europe)
– European Grid Initiative (EGI)
– EMANICS - Management Solutions for Next Generation Networks
– g-Eclipse
• German projects
– Horizontale Integration des Ressourcen- und Dienst-Monitoring im D-Grid (D-MON)
– Authentication and Authorization Infrastructure for VO Management (AAI/VO)
– Ein Grid-basiertes, föderiertes Intrusion Detection System zur Sicherung der D-Grid Infrastruktur (GIDS)
• Previous research projects
– Interoperabilität und Integration der VO-Management Technologien im D-Grid (IVOM)
– VO-Management im D-Grid
– Monitoring und Accounting im D-Grid
Project overview
• Partners:
• Associated Partners:
• Start: 01.07.2009
• Duration: 36 months
• Project leader: LRZ/LMU
– Contact: mailto:[email protected]
– www.grid-ids.de
Usage scenario of Grids
Intent
• Loose coupling of autonomous providers
• Hiding heterogeneity
Functionalities: job scheduling, storage, ...
Management
• User/VO management
• Monitoring
• Accounting
• ...
Users grouped in Virtual Organizations (VO)
• With respect to scientific affiliation
• Not regarding real organizations any more
Scientific environment
• Generous resource sharing
• Security management neglected
(Figure: Grid middleware coupling resource providers A, B, C and D)
Security considerations in Grids
Coupling resources
• Abstracted by middleware
• Collaborative use of distributed resources
Security considerations
• Isolated view on domains
• Security is based on trustworthiness of resource providers
(Figure: Grid middleware over resource providers A, B, C and D; each provider protects its own uplink with its own firewall, IDS, anti-virus and admin, with no view beyond its own domain)
Example: attack scenario
(Figure: Grid middleware over resource providers A, B, C and D)
• Break-in at one site suffices
• Access to the Grid middleware → access to all resources!
• Example:
– Compromised SSH private key, e.g. through well-known SSL vulnerabilities
– Grid-wide login attempts → inter-organizational!
– Only global event correlation yields success
Goal
• State of the art
– IDS for autonomous systems
– Distributed IDS: always based on total trust
– No concept of customers
• Now
– Stepping towards a Grid-wide solution
– Conception of an IDS for Grids (GIDS)
• First-glance challenges
– Inter-organizational system
– Autonomous partners
– Heterogeneity
– GIDS as a service with user-specific views
(Figure: Grid middleware over resource providers A, B, C and D)
Vision: GIDS as a federation
(Figure: Grid middleware over resource providers A, B, C and D)
• Intent:
– New service in the Grid
• Surveying the Grid with respect to security
• Reporting thereof
– Economical use of
• The service
• The Grid itself
• Idea:
– Grid-wide consolidation of security-relevant data
– Derivation of security reports
Methodology
Analysis
Architecture design
Prototypical implementation
Evaluation
Conclusion
Analysis: Methodology
• Threat analysis
– Attack goals and risks
– Classification of possible attackers
• Attack patterns
• Origin of attack (positional and organizational)
• Types of attacks in Grids
• Use-case driven requirements analysis
– User groups and customers
– Information providers
• Requirements induced by Grids
– Generic requirements
– Cooperation patterns
– Trust relationships
Classes of requirements:
– Functional
– Non-functional
– Security requirements
– Organizational and privacy/data-protection requirements
– Requirements related to detection capabilities
Methodology
Analysis
Architecture design (work in progress)
Prototypical implementation
Evaluation
Conclusion
Architecture overview
(Figure: at each resource provider A ... X the local IDS feeds a GIDS-agent; all agents publish to the GIDS-/IDMEF-bus; the GIDS-operator runs the central GIDS, its own GIDS-agent and the portal on the same bus)
GIDS-agent: internal data flow at a resource provider
(Figure: the local IDS and firewall hand their data to the GIDS-agent, which passes data and reports through filtering, aggregation/correlation and anonymization/pseudonymization; data and reports are stored in the GIDS-DB, reported to the local admin resp. the local (G)IDS instance, and finally put onto the GIDS-/IDMEF-bus)
Methodology
Analysis
Architecture design
Prototypical implementation (work in progress)
Evaluation
Conclusion
Example: Grid-wide event correlation
• Reminder
– Break-in at one site is sufficient
– Access to the Grid middleware → access to all resources!
• Example
– Compromised user account in the context of a VO
– The VO may use selected resources at several providers
• Possibility of detection
– Grid-wide event correlation
– e.g. of failing login attempts
(Figure: Grid middleware over resource providers A, B, C and D)
Failing login attempts
(Figure: an attacker holding a VO member's SSH private key makes a login attempt at resource provider A; the local IDS hands the event to the GIDS-agent, which puts it on the GIDS-/IDMEF-bus; the GIDS-operator's GIDS, agent and portal read from the same bus)
Example IDMEF message for one login attempt (the xmlns declaration is added here so the fragment is well-formed; the slide shows only this excerpt):

  <?xml version="1.0"?>
  <idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">
    <idmef:Alert>
      <idmef:Analyzer name="syslogd"/>
      <idmef:Classification text="SSH login attempt"/>
      <idmef:Source>
        <idmef:Node>
          <idmef:Address category="ipv4-addr">
            <idmef:address>172.16.112.20</idmef:address>
          </idmef:Address>
        </idmef:Node>
        <idmef:Service ip_version="4">
          <idmef:port>22</idmef:port>
          <idmef:protocol>TCP</idmef:protocol>
        </idmef:Service>
      </idmef:Source>
      ...
    </idmef:Alert>
  </idmef:IDMEF-Message>
Exemplary dataflow
(Figure: the attacker holding the VO member's SSH private key tries to log in at resource provider A, X and further sites; each site's GIDS-agent puts its own login-attempt alert on the GIDS-/IDMEF-bus, where the GIDS-operator sees all of them together)
Correlation: internal data flow at the GIDS-operator
(Figure: the same pipeline as in the GIDS-agent, i.e. filtering, aggregation/correlation, anonymization/pseudonymization, storage in the GIDS-DB and reporting to the admin; the login-attempt alerts arrive from the GIDS-/IDMEF-bus, and the aggregation/correlation stage emits a correlation-alarm)
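The two pipeline diagrams above (GIDS-agent at a provider, correlation at the GIDS-operator) and the dataflow example can be made concrete in a few dozen lines. The following is an added illustration, not code from the GIDS project: a GIDS-agent pseudonymizes the source address and user name of an IDMEF alert with a keyed hash before the alert goes on the bus, and the operator raises a correlation-alarm when failed SSH logins from the same pseudonymized source appear at several providers inside a time window. Assumptions not on the slides: a federation-wide pseudonymization key shared by all agents (otherwise the operator could not match pseudonyms across sites), IDMEF 1.0 alerts in the RFC 4765 namespace, and the constructed sample alerts in `demo()`.

```python
"""Toy GIDS pipeline: agent-side pseudonymization of IDMEF alerts and
operator-side correlation of failed SSH logins across resource providers.
Added example, not GIDS project code. Assumed: all GIDS-agents share one
federation-wide pseudonymization key; alerts are IDMEF 1.0 (RFC 4765)."""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IDMEF_NS = "http://iana.org/idmef"
NS = {"idmef": IDMEF_NS}
ET.register_namespace("idmef", IDMEF_NS)
FEDERATION_KEY = b"constructed-federation-secret"  # assumption: shared by all agents
ADDR_PATH = ".//idmef:Source/idmef:Node/idmef:Address/idmef:address"
USER_PATH = ".//idmef:Source/idmef:User/idmef:UserId/idmef:name"


def tag(name):
    return f"{{{IDMEF_NS}}}{name}"


def make_alert(ident, site, when, src_ip, user):
    """Constructed sample alert, as a site's syslog adapter might emit it."""
    return (
        '<?xml version="1.0"?>'
        f'<idmef:IDMEF-Message xmlns:idmef="{IDMEF_NS}" version="1.0">'
        f'<idmef:Alert messageid="{ident}">'
        f'<idmef:Analyzer analyzerid="{site}" name="syslogd"/>'
        f"<idmef:CreateTime>{when.isoformat()}</idmef:CreateTime>"
        '<idmef:Source><idmef:Node><idmef:Address category="ipv4-addr">'
        f"<idmef:address>{src_ip}</idmef:address></idmef:Address></idmef:Node>"
        f"<idmef:User><idmef:UserId><idmef:name>{user}</idmef:name></idmef:UserId></idmef:User>"
        "</idmef:Source>"
        '<idmef:Target><idmef:Service ip_version="4"><idmef:port>22</idmef:port>'
        "<idmef:protocol>TCP</idmef:protocol></idmef:Service></idmef:Target>"
        '<idmef:Classification text="SSH login failed"/>'
        "</idmef:Alert></idmef:IDMEF-Message>"
    )


def pseudonym(value):
    """Keyed pseudonym: same value -> same token at every site, so the operator
    can correlate without learning the real address or user name."""
    return hmac.new(FEDERATION_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]


def agent_pseudonymize(alert_xml):
    """GIDS-agent step: rewrite identifying fields before the alert leaves the provider."""
    root = ET.fromstring(alert_xml)
    for path in (ADDR_PATH, USER_PATH):
        for el in root.iterfind(path, NS):
            el.text = pseudonym(el.text)
    return ET.tostring(root, encoding="unicode")


def parse_event(msg_xml):
    """Pull the fields the operator correlates on out of one bus message."""
    alert = ET.fromstring(msg_xml).find("idmef:Alert", NS)
    return {
        "id": alert.get("messageid"),
        "site": alert.find("idmef:Analyzer", NS).get("analyzerid"),
        "time": datetime.fromisoformat(alert.findtext("idmef:CreateTime", namespaces=NS)),
        "src": alert.findtext(ADDR_PATH, namespaces=NS),
        "class": alert.find("idmef:Classification", NS).get("text"),
    }


def correlation_alert(src, hist):
    """IDMEF CorrelationAlert referencing the per-site alerts it was built from."""
    sites = sorted({h["site"] for h in hist})
    msg = ET.Element(tag("IDMEF-Message"), version="1.0")
    alert = ET.SubElement(msg, tag("Alert"))
    ET.SubElement(alert, tag("Analyzer"), analyzerid="gids-operator", name="gids-correlator")
    ET.SubElement(alert, tag("CreateTime")).text = hist[-1]["time"].isoformat()
    ET.SubElement(alert, tag("Classification"), text="Grid-wide SSH login failures")
    corr = ET.SubElement(alert, tag("CorrelationAlert"))
    ET.SubElement(corr, tag("name")).text = f"source {src} failed at {len(sites)} providers"
    for h in hist:
        ET.SubElement(corr, tag("alertident"), analyzerid=h["site"]).text = h["id"]
    return {"src": src, "sites": sites, "alertidents": [h["id"] for h in hist],
            "xml": ET.tostring(msg, encoding="unicode")}


def operator_correlate(bus_messages, window=timedelta(minutes=10), min_sites=2):
    """GIDS-operator step: failed logins from one (pseudonymized) source at
    >= min_sites distinct providers inside `window` raise a correlation-alarm.
    No single provider's IDS can see this pattern; only the bus makes it visible."""
    events = sorted((parse_event(m) for m in bus_messages), key=lambda e: e["time"])
    history, alarms = defaultdict(list), []
    for ev in events:
        if ev["class"] != "SSH login failed":
            continue
        hist = history[ev["src"]]
        hist.append(ev)
        while ev["time"] - hist[0]["time"] > window:  # slide the window forward
            hist.pop(0)
        if len({h["site"] for h in hist}) >= min_sites:
            alarms.append(correlation_alert(ev["src"], list(hist)))
            hist.clear()  # the same events should not alarm twice
    return alarms


def demo():
    """Constructed scenario: one host tries a VO member's stolen key at three
    providers within minutes, plus one unrelated local failure at provider A."""
    t0 = datetime(2010, 3, 16, 10, 0, tzinfo=timezone.utc)
    raw = [
        make_alert("a-1", "provider-A", t0, "172.16.112.20", "vo-member"),
        make_alert("b-1", "provider-B", t0 + timedelta(minutes=2), "172.16.112.20", "vo-member"),
        make_alert("c-1", "provider-C", t0 + timedelta(minutes=3), "172.16.112.20", "vo-member"),
        make_alert("a-2", "provider-A", t0 + timedelta(minutes=4), "10.0.0.7", "someone-else"),
    ]
    on_bus = [agent_pseudonymize(a) for a in raw]  # what actually crosses site borders
    return on_bus, operator_correlate(on_bus, min_sites=3)


if __name__ == "__main__":
    for alarm in demo()[1]:
        print(alarm["sites"], alarm["alertidents"])
```

Two points the slides raise show up directly in this code. Pseudonymization is deterministic and keyed, which is what lets the operator correlate across providers A, B and C without ever holding the real source address or account name; each provider alone sees one failed login and nothing to alarm on. And the choice of the key's scope is the trust decision: a per-provider key would protect that provider's data better but would also break exactly the Grid-wide correlation the system exists for.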
Methodology
Analysis
Architecture design
Prototypical implementation
Evaluation (→ to be done!)
Conclusion
Methodology
Analysis
Architecture design
Prototypical implementation
Evaluation
Conclusion
Conclusion
• Challenge: conception of a GIDS
• Proceeding:
– Analysis: threats, use cases, requirements induced by Grids
– Design of a generic GIDS architecture
– Development of a privacy-protection concept
– Prototype → later: production ready
– Evaluation: simulation and measurements in D-Grid
• Results:
– Catalogue of criteria to evaluate IDS for their use in Grids
– Generic GIDS architecture
– Privacy-protection concept
– GIDS in production for D-Grid
Further research questions
• Management aspects
– Specification of processes as in e.g. ISO 20000 or ITIL
– Special challenges in inter-organizational environments
• Attack detection
– Which analysis techniques are appropriate in Grids, which aren't?
– Implications of the dynamics in Grids for attack detection methods
– Valuable use of additionally available information in Grids (e.g. (job-)monitoring or VO-management systems)
• Compliance
– Enhancing the GIDS by making use of trust-level management data
Thank you!
Project details: www.grid-ids.de
Contact: Nils gentschen Felde <[email protected]>