David Groep, Nikhef Amsterdam, PDP & Grid: Ensuring Availability: Security, Protection, Trust, walking the line between paranoia and laisser-faire in a highly connected world
TRANSCRIPT
Page 1
David Groep, Nikhef Amsterdam, PDP & Grid
Ensuring Availability: Security, Protection, Trust,
walking the line between paranoia and laisser-faire in a highly connected world
Page 2
Page 3
‘De wereld draait door’ – VARA, 8 December 2010 – http://dewerelddraaitdoor.vara.nl/
Page 4
Distributed Denial of Service (DDoS)
Page 5
Page 6
Just A Machine @Nikhef
Note: These were ‘white hat’ challenges performed as part of controlled network validation and scaling tests – so do not try this yourself!
Page 7
Stoomboot: data retrieval rate
Stoomboot at AWS prices: 1.6 MUS$ setup + 86.5 kUS$/month at 400 TB/month
Page 8
Compute-to-data traffic, NDPF/Grid
BiG Grid: network utilisation at the central Facilities @ Nikhef
Page 9
The Netherlands Tier-1 for wLCG is a service by BiG Grid, the Dutch e-Science Grid
Page 10
372 sites globally
10 – 40 Gbps network
296 000 CPU cores
140 000 TByte storage
Data source: gSTAT, December 2010, http://gstat.egi.eu/
Image source: wLCG, http://cern.ch/lcg/
Page 11
Security and Availability
Need to stand up to analysis load
◦ Analysis is a denial-of-service attack!
◦ high-bandwidth infrastructure needed
◦ even then only sustainable with the ‘right’ access pattern...
but for the rest of the world, we are a potential threat – when abused
◦ cluster & network have monetary value in and of themselves
◦ infected systems are typically used in criminal contexts
Page 12
Figure: price in US$ per 1000 bots per hour on an ADSL link
NDPF@AWS?
• 3-yr reserved discounted rate ...
• only compute, not even storage!
setup* 2.3 MUS$
monthly 202 kUS$
* every 3 years
Page 13
need to secure our resources
allow you, the ‘right people’, in
whilst keeping out the ‘bad guys’
is about both security and availability
Page 14
“Firewall” by Sandy Smith, www.computersforart.org
Page 16
... keeping out the ‘bad guys’
Site Access Control
software development
white and blacklists
grid-aware security
vulnerability assessment
CSIRT: Incident Response
monitoring & forensics
communications
security exercises
2009 and 2010 compared; Sven Gabriel: Security Service Challenges
LCG T1’s CSIRT response scores
Page 17
... the ‘right people’, ...
Page 18
Before the Grid ...
Page 19
... the ‘right people’, ...
Page 20
Grid Identity and Community
Page 21
graphic: Open Grid Services Architecture, © Global Grid Forum 2005, GFD.30
Page 22
‘but we know who we are – we’re us!’
allow you, ...
simple computer identities depend on the system involved
... but for the grid we need a global identity
Page 23
Your Global Identity
Authentication
• each person has a globally unique name
• forever persistent
• traceable to a real person
Authorization
• based on the unique AuthN ID
• grants or denies access
• VO & Site jointly responsible for security
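The authorization model on this slide, together with the ‘white and blacklists’ of site access control on slide 16, as an added example that is not code from the talk or from Nikhef: a site-side decision taken on an already-authenticated certificate subject DN, where the VO vouches for membership, the site decides which VOs it serves and may ban an individual DN regardless of VO status, and a grid-mapfile in the classic LCG line format `"<DN>" <account>` maps the DN to a local (pool) account. Every DN, VO name and policy entry below is constructed for illustration; only the grid-mapfile line format is taken as given. The DN is assumed to have been authenticated already (a client certificate validated by the TLS layer against the IGTF trust anchors); nothing here verifies a certificate.

```python
"""Site-side authorization on a grid identity (added example, not Nikhef code).

Authentication yields one globally unique, persistent name per person (the
certificate subject DN); authorization is a separate decision made on that
name, for which VO and site are jointly responsible: BOTH must say yes and
EITHER may say no. Sample DNs, VOs and policy are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set

# --- VO side: who is a member of what (constructed sample data) ------------
# In practice this comes from the VO's membership service, not a dict.
VO_MEMBERS: Dict[str, Set[str]] = {
    "/DC=org/DC=example/O=Example Lab/CN=Alice Example": {"atlas"},
    "/DC=org/DC=example/O=Example Lab/CN=Bob Example": {"atlas", "lhcb"},
    "/DC=org/DC=example/O=Example Lab/CN=Carol Example": {"biomed"},
    "/DC=org/DC=example/O=Example Lab/CN=Dave Example": {"atlas"},
}

# --- Site side: local policy (constructed) --------------------------------
SUPPORTED_VOS: Set[str] = {"atlas", "lhcb"}        # VOs this site agreed to serve
SITE_BANNED_DNS: Set[str] = {                      # the site's own blacklist, e.g.
    "/DC=org/DC=example/O=Example Lab/CN=Bob Example",  # after an incident
}

# Grid-mapfile in the classic LCG format: "<DN>" <account>. An account that
# starts with "." names a pool of accounts for the VO rather than one user.
GRID_MAPFILE = '''
# constructed sample grid-mapfile
"/DC=org/DC=example/O=Example Lab/CN=Alice Example" .atlas
"/DC=org/DC=example/O=Example Lab/CN=Bob Example" .lhcb
'''


def parse_gridmap(text: str) -> Dict[str, str]:
    """Map quoted DN -> local account; skip blank lines and '#' comments."""
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not line.startswith('"'):
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        end = line.index('"', 1)
        dn, account = line[1:end], line[end + 1:].strip()
        if not account:
            raise ValueError(f"missing account on line: {raw!r}")
        mapping[dn] = account
    return mapping


@dataclass(frozen=True)
class Decision:
    granted: bool
    reason: str
    local_account: Optional[str] = None


def authorize(dn: str, requested_vo: str, gridmap: Dict[str, str]) -> Decision:
    """Grant only if VO and site both agree; the first 'no' wins.

    `dn` is the already-authenticated subject, compared as an exact string:
    a DN with different spacing or attribute order is a different identity,
    which is why the grid insists on one canonical, persistent name.
    """
    # Site side first: a banned person is refused whatever any VO says.
    if dn in SITE_BANNED_DNS:
        return Decision(False, "denied by site: DN banned")
    # VO side: the VO must vouch for this DN in the requested VO.
    if requested_vo not in VO_MEMBERS.get(dn, set()):
        return Decision(False, f"denied by VO: {dn} is not a member of {requested_vo}")
    # Site side again: the site only serves VOs it has agreed to support.
    if requested_vo not in SUPPORTED_VOS:
        return Decision(False, f"denied by site: VO {requested_vo} not supported here")
    account = gridmap.get(dn)
    if account is None:
        return Decision(False, "denied by site: no local account mapping for DN")
    return Decision(True, "granted", local_account=account)


if __name__ == "__main__":
    gm = parse_gridmap(GRID_MAPFILE)
    for who, vo in [("Alice", "atlas"), ("Bob", "lhcb"), ("Carol", "biomed"),
                    ("Alice", "lhcb"), ("Dave", "atlas")]:
        dn = f"/DC=org/DC=example/O=Example Lab/CN={who} Example"
        print(f"{who:5s} {vo:6s} -> {authorize(dn, vo, gm)}")
```

Carol is a bona fide VO member and is still refused, because this site does not serve her VO; Bob is a member of a supported VO and is refused because the site banned his DN. Either party alone can close the door, neither alone can open it, which is what ‘VO & Site jointly responsible’ means in practice.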
Page 24
Page 25
Wherever you are ... IGTF!
International Grid Trust Federation – http://www.igtf.net/
EUGridPMA – https://www.eugridpma.org/
Page 26
Federated Identity – we no longer run alone!
grid structure was not too much different!
Single sign-on across academia and research
the no. 1 ICT request from the ESFRI projects
Page 27
web-SSO federations have matured
HR and ICT processes aligned: integration of the ‘high-value grid’ & web federation now becomes reality
... and we keep running ...
Federation peers rely on and trust home institutes to manage their users
Trust has become global: accounts get a high, global value
Page 28
SSO for everything!
Page 29
SSO for You
Access to new federated services
Same login for most services
◦ Desktops and login.nikhef.nl
◦ Email and spam filter settings
◦ Instant Grid certificates and access to wLCG
◦ Elsevier – Science Direct
◦ ... Windows and more web applications planned as well
New applications require better controls
◦ account registration and expiration requirements
needed to keep our infra secure and remain trustworthy for our global federation partners
https://sso.nikhef.nl/
Page 30
http://ca.dutchgrid.nl/tcs/ or https://sso.nikhef.nl/
Page 31
Your Certificate in 5 Clicks ... and in 120 Seconds
for the longer-term future, we are working on completely hiding this ...
https://tcs-escience-portal.terena.org/
https://www.terena.org/activities/tcs/
Page 32
Security & Availability Take-Away
Yes: unfortunately, security is needed
Yes: we are an interesting target ... and we strive to become even more so!
@Nikhef we support the development of security software and processes that aim at user friendliness while still remaining effective
allow you, the ‘right people’, in, whilst keeping out the ‘bad guys’
Page 33
Image: MasterJM, taken at Uni Bielefeld, DE; found at: http://www.schneier.com/blog/archives/2005/02/the_weakest_lin.html