A Technical Paper Presentation On

  • June 2020
  • PDF

A Technical Paper Presentation on

SECURITY IN GRID COMPUTING

V.R. SIDDHARTHA ENGINEERING COLLEGE, VIJAYAWADA-07
PRESENTED BY: P. SUDHEER, Y07IT105, II/IV B.Tech
E-mail: [email protected]
Ph no: 9989153955

To Quest 09, JNTUCE, HYDERABAD

ABSTRACT: A Computational Grid is a collection of heterogeneous computers and resources spread across multiple administrative domains with the intent of providing users uniform access to these resources. There are many ways to access the resources of a Computational Grid, each with unique security requirements and implications for both the resource user and the resource provider. Grid Computing strives to provide seamless, scalable access to wide-area distributed resources. However, with this benefit of resource collection and distribution, security of that information becomes a major risk (Vijayan, 2004). Currently there is debate among IT professionals as to the security, functionality, middleware, and scalability provisions of computational grids.

A central security requirement for grid computing can be referred to as behaviour conformity. This is an assurance that ad hoc related principals (users, platforms or instruments) forming a grid virtual organisation (VO) must each act in conformity with the rules for the VO constitution. Trusted Computing (TC) technology can add to grid computing the needed property of behaviour conformity. With TC using an essentially in-platform (trusted) third party, a principal can be imposed to have conformed behaviour, and this fact can be reported to interested parties who may only need to be ad hoc related to the former. A broader goal of these scenarios is to increase the awareness of security issues in grid computing.

KEY WORDS: VIRTUAL ORGANIZATION (VO), TRANSMISSION CONTROL PROTOCOL (TCP), OPEN GRID SERVICE ARCHITECTURE (OGSA)

CONTENTS:
• ABSTRACT
• INTRODUCTION
• WHAT IS GRID COMPUTING?
• WHAT CAN GRID COMPUTING DO?
• CONCEPTS AND COMPONENTS OF GRID COMPUTING
• CONSTRUCTION OF GRID COMPUTING
• MIDDLEWARE
• VIRTUAL ORGANISATION
• WHAT GRID COMPUTING CANNOT DO?
• SECURITY IN GRID COMPUTING
• FUNDAMENTALS IN GRID SECURITY
• SYMMETRIC AND ASYMMETRIC KEY ENCRYPTION
• CERTIFICATE AUTHORITIES AND DIGITAL CERTIFICATES
• GRID SECURITY POLICIES AND PROCEDURES
• GRID SECURITY INFRASTRUCTURE
  - PHYSICAL
  - GRID FIREWALL
  - OPERATING SYSTEM
  - HOST INTRUSION DETECTION
• POTENTIAL GRID SECURITY RISKS
• APPLICATIONS AND LIMITATIONS OF GRID COMPUTING
• PRESENT AND NEXT GENERATIONS OF GRID COMPUTING
• CONCLUSION
• REFERENCES

INTRODUCTION: Security requirements are fundamental to the grid design. The basic security components within the Globus Toolkit provide the mechanisms for authentication, authorization, and confidentiality of communication between grid computers. Without this functionality, the integrity and confidentiality of the data processed within the grid would be at risk.

To properly secure your grid environment, there are many different tools and technologies available. This paper will examine some of those technologies and the different components provided within the Grid Security Infrastructure (GSI) of the Globus Toolkit.

WHAT IS GRID COMPUTING?

Grid computing, most simply stated, is distributed computing taken to the next evolutionary level. The goal is to create the illusion of a simple yet large and powerful self-managing virtual computer out of a large collection of connected heterogeneous systems sharing various combinations of resources. The standardization of communications between heterogeneous systems created the Internet explosion. The emerging standardization for sharing resources, along with the availability of higher bandwidth, is driving a possibly equally large evolutionary step in grid computing.

WHAT CAN GRID COMPUTING DO? When you deploy a grid, it will be to meet a set of customer requirements. To better match grid computing capabilities to those requirements, it is useful to keep in mind the reasons for using grid computing.

PARALLEL CPU: The potential for massive parallel CPU capacity is one of the most attractive features of a grid. In addition to pure scientific needs, such computing power is driving a new evolution in industries such as the bio-medical field, financial modeling, oil exploration, motion picture animation, and many others.

CONCEPTS AND COMPONENTS OF GRID COMPUTING:

CONCEPTS: Types of resources: A grid is a collection of machines, sometimes referred to as "nodes," "resources," "members," "donors," "clients," "hosts," "engines," and many other such terms. They all contribute any combination of resources to the grid as a whole. Some resources may be used by all users of the grid while others may have specific restrictions.

COMPONENTS: Any grid system has some management components. First, there is a component that keeps track of the resources available to the grid and which users are members of the grid. This information is used primarily to decide where grid jobs should be assigned. Second, there are measurement components that determine both the capacities of the nodes on the grid and their current utilization rate at any given time. This information is used to schedule jobs in the grid. Such information is also used to determine the health of the grid, alerting personnel to problems such as outages, congestion, or overcommitment. This information is also used to determine

CONSTRUCTION OF GRID COMPUTING:

DEPLOYMENT PLANNING: The use of a grid is often born from a need for increased resources of some type. One often looks to their neighbor who may have excess capacity in the particular resource. One of the first considerations is the hardware available and how it is connected via a LAN or WAN. Next, an organization may want to add additional hardware to augment the capabilities of the grid.

ORGANIZATION: The technology considerations are important in deploying a grid. However, organizational and business issues can be equally important. It is important to understand how the departments in an organization interact, operate, and contribute to the whole.

SECURITY: Security is a much more important factor in planning and maintaining a grid than in conventional distributed computing, where data sharing comprises the bulk of the activity. In a grid, the member machines are configured to execute programs rather than just move data. This makes an unsecured grid potentially fertile ground for viruses and Trojan horse programs.

MIDDLEWARE:

DEVELOPMENT: This describes the software for the grid portal environment: source code and applications for two of the main grid protocols, resource and data management. The software was written with Apache Jetspeed and IBM WebSphere Portal.

SCHEDULER: Schedulers are at the foundation of any grid system. Their job is to schedule programs or jobs in clusters of machines, among other tasks. Examples include Sun Grid Engine (SGE), Condor and others, and also the Managed Job Factory Service (and troubleshooting) provided by the Globus Toolkit.

OGSA: Open Grid Services Architecture is the middle-tier software that glues client and scheduler services together. This includes an overview of OGSA, service models, interfaces, factories, lifetime management, service discovery, and notifications.

VIRTUAL ORGANIZATION: Two or more organizations that share resources become a VO. The policies governing access to those resources vary according to the actual organizations involved, creating an environment of providers and consumers. Resources are made available by owners with constraints on when, where and what can be done on them. Resource consumers may also place constraints on properties of the resources they are prepared to work with. For example, a consumer may accept resources over a secure channel only.

WHAT GRID COMPUTING CANNOT DO: A word of caution should be given to the overly enthusiastic. The grid is not a silver bullet that can take any application and run it a 1000 times faster without the need for buying any more machines or software. Not every application is suitable or enabled for running on a grid. Some kinds of applications simply cannot be parallelized. For others, it can take a large amount of work to modify them to achieve faster throughput. The configuration of a grid can greatly affect the performance, reliability, and security of an organization's computing infrastructure. For all of these reasons, it is important for the users to understand how far the grid has evolved today and which features are coming tomorrow or in the distant future.

SECURITY IN GRID COMPUTING:

FUNDAMENTALS IN GRID SECURITY: Security requires the three fundamental services: authentication, authorization, and encryption. A grid resource must be authenticated before any checks can be done as to whether or not any requested access or operation is allowed within the grid.

Authentication: Authentication is the process of verifying the validity of a claimed individual and identifying who he or she is. Authentication is not limited to human beings; services, applications, and other entities may be required to authenticate also.

Access control: Assurance that each user or computer that uses the service is permitted to do what he or she asks for. The process of authorization is often used as a synonym for access control, but it also includes granting the access or rights to perform some actions based on access rights.

Data integrity: Data integrity assures that the data is not altered or destroyed in an unauthorized manner.

Data confidentiality: Sensitive information must not be revealed to parties that it was not meant for. Data confidentiality is often also referred to as privacy.

Key management: Key management deals with the secure generation, distribution, authentication, and storage of keys used in cryptography.

SYMMETRIC AND ASYMMETRIC KEY ENCRYPTION:

SYMMETRIC: Symmetric key encryption is based on the use of one shared secret key to perform both the encryption and decryption of data. To ensure that the data is only read by the two parties (sender and receiver), the key has to be distributed securely between the two parties and no others. If someone should gain access to the secret key that is used to encrypt the data, they would be able to decrypt the information. This form of encryption is much faster than asymmetric encryption. Here are some commonly used examples of a symmetric key cryptosystem:
_ Data Encryption Standard (DES): 56-bit key plus 8 parity bits, developed by IBM in the middle 1970s
_ Triple-DES: 112-bit key plus 16 parity bits or 168-bit key plus 24 parity bits (that is, two to three DES keys)
_ RC2 and RC4: Variable-sized key, often 40 to 128 bits long
To summarize, secret key cryptography is fast for both the encryption and decryption processes. However, secure distribution and management of keys is difficult to guarantee.

ASYMMETRIC KEY ENCRYPTION: The asymmetric key pair is generated by a computation which starts by finding two very large prime numbers. Even though the public key is widely distributed, it is practically impossible for computers to calculate the private key from the public key. The security is derived from the fact that it is very difficult to factor numbers exceeding hundreds of digits. This mathematical algorithm improves security, but requires a long encryption time, especially for large amounts of data. For this reason, public key encryption is used to securely transmit a symmetric encryption key between the two parties, and all further encryption is performed using this symmetric key.

Figure 3-1 Symmetric key encryption using a shared secret key

CERTIFICATE AUTHORITIES AND DIGITAL CERTIFICATES:

CERTIFICATE AUTHORITIES: A properly implemented Certificate Authority (CA) has many responsibilities. These should be followed diligently to achieve good security. The primary responsibilities are:
_ Positively identify entities requesting certificates
_ Issuing, removing, and archiving certificates
_ Protecting the Certificate Authority server
_ Maintaining a namespace of unique names for certificate owners
_ Serve signed certificates to those needing to authenticate entities
_ Logging activity

DIGITAL CERTIFICATES: Digital certificates are digital documents that associate a grid resource with its specific public key. A certificate is a data structure containing a public key and pertinent details about the key owner. A certificate is considered to be a tamper-proof electronic ID when it is signed by the Certification Authority for the grid environment. Digital certificates, also called X.509 certificates, act very much like passports; they provide a means of identifying grid resources. Unlike passports, digital certificates are used to identify grid resources.

GRID SECURITY POLICIES AND PROCEDURES:

CA AUTHORITY: A PKI must be operated in accordance with defined policies. The deployment of a PKI system in an organization requires the development of security policies and processes for that organization. The demo CA that is provided within the Globus Toolkit provides the software in order to build a CA, but unfortunately none of the policies. In this section, we will examine some of the basic policies and expectations that a CA would normally be responsible for. For any type of production CA duties, it is suggested that you examine a commercial vendor to provide these services for you.

CONTROL REVIEW: When building any new environment or implementing a new software application, it is always a good idea to perform a security health check. A security health check will help determine how these new changes will affect the overall security of the environment and any other areas of change. This can help provide guidance on the overall use of security controls or how you are managing security within your environment. A review of your security controls can help you better understand how security works for your administration, toolsets, passwords, auditing, and monitoring within your environment. This will provide an in-depth review of the site security controls in place and the related processes used within the organization.

GRID SECURITY INFRASTRUCTURE:

Apart from the different GSI components and technologies, there are many other infrastructure security components that are needed to secure the grid.

PHYSICAL SECURITY: Once again, the security of grid infrastructure is based on other common security fundamentals. The basics involve solid physical security practices for all grid computers. The physical environment of a system is also considered a part of the infrastructure. Physical access should be controlled and is part of the security policies that need to be defined. For maximum security, the network segment where the PKI-sensitive server machines are installed should be physically and logically separated from the rest of the network. Ideally, the separation is done through a firewall that is transparent only for PKI-related traffic. Normally, PKI traffic is reduced to using only a few TCP/IP ports.

GRID FIREWALLS: Firewalls can be used within a networked environment to logically separate different sets of computers that require additional security. In a grid environment, this is no different. The use of firewalls within a grid design helps restrict network access to computers. The firewall is an important piece of the security infrastructure, so it needs to be carefully analyzed and understood before it is implemented.

OPERATING SYSTEM: A review of the configuration files for each operating system and middleware component within the scope of the project determines how each effectively allows authorized users access based on your security policy and prevents and detects unauthorized access attempts at all times. You should:
_ Remove any unnecessary processes from the servers. If the grid server does not need sendmail or an FTP server running, these processes should be disabled.
_ Remove any unnecessary users or groups.
_ Use strong passwords for all users on the grid server.
_ Update your server with the latest updates and security FixPacks. This includes all software that has been installed as well.
_ Restrict access to the /.globus directory.
_ Consider using host IDS to monitor important directories on the server.
_ Enable logging and auditing for the server.
_ Use a uniform operating system build whenever possible.
_ Enable file level restrictions on important files within the server.
_ Make periodic reviews of the operating system every other month to ensure that nothing major has changed.
_ Enable anti-virus protection.

HOST INTRUSION DETECTION: A recommended option for further securing your grid computers is to invest in a host intrusion detection (IDS) product. As with any software application that stores important files within the local workstation, host intrusion detection can add a greater defense against anyone manipulating files on the workstation that should not be doing so. Intrusion detection functions include:
_ Monitoring and analyzing both user and system activities
_ Analyzing system configurations and vulnerabilities
_ Assessing system and file integrity
_ Ability to recognize typical patterns of attacks
_ Analysis of abnormal activity patterns
_ Tracking user policy violations

POTENTIAL GRID SECURITY RISKS: Building a PKI environment will provide the necessary services along with the GSI to design a secure grid solution. This, however, does not guarantee that there are not any security risks. Within this section, we will examine some possible vulnerabilities to watch out for during your security design. This is by no means a laundry list for all security vulnerabilities or a cookbook for building a secure infrastructure.

PKI vulnerabilities: Just because you have built a PKI environment does not mean that your network is completely secure. There are still many vulnerabilities to be aware of. It is necessary to always keep an open mind and understand that with any networked environment there is going to be some risk involved. Potential vulnerabilities include:
_ Impersonation: Obtaining a certificate through fraudulent means (either user or organization).
_ Theft of private key: Unauthorized use of a private key associated with a valid certificate.
_ Compromise of root CA private key: Using a CA key to sign fraudulent certificates or destroying a private key.
_ Automatic Trust Decisions: Automated trust decisions can also automate fraud.

Grid server vulnerabilities: Any server or workstation that participates in the grid is a potential vulnerability to an external or internal hacker. Knowing this, it is very important to protect and isolate any grid computer from any network or resources that do not need explicit access to the grid. Good physical security will limit the exposure of anybody walking up to the server and accessing the console. Points to watch:
_ Protect any directories of the /.globus directory.
_ Theft of the digital certificate and private key (along with the private key passphrase).
_ Any application vulnerabilities or processes that are running on the grid.
_ Latest operating system FixPacks.
_ Any application FixPacks.
_ Any modification of the gridmap file.
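An added example tying together the host-IDS file-integrity function and the gridmap risk listed above (written for this page; not code from the paper or the Globus Toolkit): a parser for the grid-mapfile format as assumed here (a double-quoted certificate DN followed by comma-separated local accounts, with '#' comments), the authorization lookup a grid gatekeeper performs after authentication, and a SHA-256 digest that a baseline comparison can use to detect unauthorized modification of the file. The sample mapfile entries are constructed.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// GridMap maps a certificate subject DN to the local accounts it may act as.
type GridMap map[string][]string

// ParseGridMap reads grid-mapfile text: each entry is a double-quoted DN
// followed by one or more comma-separated local user names; '#' starts a comment.
func ParseGridMap(text string) (GridMap, error) {
	gm := GridMap{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if !strings.HasPrefix(line, `"`) {
			return nil, fmt.Errorf("line %d: DN must be quoted", n)
		}
		end := strings.Index(line[1:], `"`)
		if end < 0 {
			return nil, fmt.Errorf("line %d: unterminated DN", n)
		}
		dn := line[1 : end+1]
		rest := strings.TrimSpace(line[end+2:])
		if rest == "" {
			return nil, fmt.Errorf("line %d: no local user for %q", n, dn)
		}
		for _, u := range strings.Split(rest, ",") {
			gm[dn] = append(gm[dn], strings.TrimSpace(u))
		}
	}
	return gm, sc.Err()
}

// Authorize is the access-control decision for an already authenticated DN:
// may it run as the requested local account?
func (gm GridMap) Authorize(dn, localUser string) bool {
	for _, u := range gm[dn] {
		if u == localUser {
			return true
		}
	}
	return false
}

// Digest is the file-integrity measure a host IDS records as a baseline; any
// later edit to the mapfile, authorized or not, changes it and can be alerted on.
func Digest(text string) string {
	sum := sha256.Sum256([]byte(text))
	return hex.EncodeToString(sum[:])
}

// SampleGridMap is a constructed example mapfile, not taken from any real grid.
const SampleGridMap = `# grid-mapfile (constructed sample)
"/O=Grid/OU=Example/CN=Alice Researcher" alice
"/O=Grid/OU=Example/CN=Bob Operator" bob, gridops
`

func main() {
	gm, err := ParseGridMap(SampleGridMap)
	if err != nil {
		panic(err)
	}
	fmt.Println(gm.Authorize("/O=Grid/OU=Example/CN=Alice Researcher", "alice"), Digest(SampleGridMap))
}
```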

APPLICATIONS AND LIMITATIONS OF GRID COMPUTING:
• Distributed data management
• Compute resources for simulations
• Coupling distributed data with simulation
• Virtual resources and virtual organizations for collaboration
• Virtual organization through geographically

Reliability: High-end conventional computing systems use expensive hardware to increase reliability.

PRESENT AND FUTURE GENERATION OF GRIDS:

Today, grid systems are still at the early stages of providing a reliable, well performing, and automatically recoverable virtual data sharing and storage. We will see products that take on this task in a grid setting, federating data of all kinds, and achieving better performance, integration with scheduling, reliability, and capacity. Autonomic computing has the goal to make the administrator's job easier by automating the various complicated tasks involved in managing a grid. These include identifying problems in real time and quickly initiating corrective actions before they seriously impair the grid.

CONCLUSION: Computational Grids are rapidly emerging as a practical means by which to perform new science and new applications. The goal of this paper was not to discuss the particular security mechanisms or policies of systems such as Legion, Globus, or any other existing system, but rather to describe Grid security that transcends existing approaches. Each scenario in this paper is designed to provide guidance for the Grid user, the Grid application developer, and the Grid resource provider. While a given scenario can provide practical guidance for design and deployment, additional insight is gained by recognizing the general, rapidly emerging issues, such as the need for restricted delegation (giving only a subset of your rights to something that will act on your behalf), that can be seen running through many of the scenarios.

There are many subtle security implications involved in the many emerging Grid usage scenarios. Both the resource provider and the resource consumer should understand, from a security perspective, what is expected from each other and what might happen if these expectations are not met. Without this understanding, the transition from experimental systems into production systems will soon be curtailed by explicit security violations or, more subtly, a compromise of information that a user had believed was securely kept private.

REFERENCES:

TEXTBOOKS:
• Grid Computing: A Monograph, by D. Janakiram
• Grid Computing for Developers, by Vladimir Silva
• Introduction to Grid Computing with Globus, IBM Redbooks (ibm.com/redbooks)

WEBSITES:
• International workshop paper: "Security Implications of Typical Grid Computing Usage Scenarios", by Marty Humphrey and Mary R. Thompson
• http://www.wikipedia.com/
• www.amazon.com
• www.grid.org
• www.ibm.com/redbooks
