NetworkSecurity Talking Points - PowerPoint PPT Presentation

1 / 15
About This Presentation
Title:

NetworkSecurity Talking Points

Description:

... a grid proxy (time limited) from private key. Proxy can be validated ... Proxy is transferred to a site as the identity of the user. If the proxy is valid ... – PowerPoint PPT presentation

Number of Views:146
Avg rating:3.0/5.0
Slides: 16
Provided by: philippap
Category:

less

Transcript and Presenter's Notes

Title: NetworkSecurity Talking Points


1
Network/Security Talking Points
  • ECI Workshop
  • NSF
  • 6-7 Dec 2004

2
Major Topics for Discussion
  • Networking Trends Bigger, Faster Cheaper but
    its the software, stupid
  • Security Concerns
  • User Identification
  • Role-based Authorization
  • Data integrity
  • Data Security
  • Privacy

3
Networking in the 21st Century
  • National 10-gigabit research networks
  • TeraGrid, National LambaRail
  • Internet2 backbone to go beyond 10 Gigabits
  • International connections at 10 Gbits and
    growing
  • Shared/distributed datasets can be quite large
  • Networking and application software have a long
    ways to go to effectively utilize this this
    resource

4
National Lambda Rail
  • Consortium of GigaPOPs that collectively own
    1000s of miles of fiber
  • Multiple 10-gigabit networks running on this
    fiber (DWDM)

NLR Map Source John Silvester, Dave Reese, Tom
West, CENIC
5
Driving Observations
  • Aggregate carrying capacity of fiber is doubling
    faster than yearly
  • DWDM (long-haul), CWDM (Metro, Campus)
  • Each fiber carries multiple signals
    differentiated by color
  • System network interface increases by O(10)
    every 5 years
  • This is on Moores curve, not on the fiber curve
  • Over the next decade, the external bandwidth to
    a collection of machines (cluster) roughly
    matches their aggregate BW
  • Value of the external network changes
  • Aside NIC bandwidth approaches memory bandwidth

6
Reality The Clogged (and ossified) Internet
File Transport, NASA EOSDIS
Source Bernard Minster, SIO, UCSD
7
Critical Networking Challenge
  • Observe that networks are getting significantly
    faster
  • Learn to design software for this future
    environment
  • MIT Athena Project took this exact approach with
    X-Windows

8
Security
  • User Identification
  • Globus team proposed 10 years ago that public key
    cryptography and user credential management was
    an essential building block for mutually
    authenticating single sign on grids (GSI)
  • Right technology
  • Too hard for users with the current state of
    tools (this is improving)

9
How Single Sign On Works (Abbreviated)
  • User requests a public/private key pair from a
    certificate authority (CA)
  • CA issues pair to user, records the footprint and
    makes the user responsible for management
  • User creates a grid proxy (time limited) from
    private key. Proxy can be validated with the
    users public key.
  • Proxy is transferred to a site as the identity of
    the user
  • If the proxy is valid
  • If the site trusts the issuer of the users
    certificate
  • If the site can match the valid identity to a
    local account
  • If the local account is in good standing
  • Then, the user is signed onto the grid resource

10
Identity Management is Step 0
  • Real-world problems
  • Explicit certificate management by users is
    untenable
  • Users lose passwords
  • Users lose private/public keypairs
  • Users mistakenly transmit passwords in the clear
    because private key is on a shared resource (eg.
    NFS share).
  • Sites read too much into what a certificate
    Certifies
  • Emerging common solution
  • A grid certificate bank holds private/public
    keypairs
  • Using only a small number of access mechanisms,
    the bank will generate a proxy on behalf of the
    user (e.g. MyProxy or CAS)
  • Users only see username/passwords
  • This is only the initialization step, Grids still
    have to understand what roles a particular user
    has.

11
Identity Management Challenge 1
  • It is easy to build Certificate Authorities (eg.
    One for NEON, one GEON, one for Teragrid, )
  • It is more difficult to get other sites to accept
    the a foreign CA signing policy
  • Identity Trust/Transformation Systems (Eg.
    Shibboleth) can ease this.
  • ?? For all grid based science
  • Build or Buy a CA?
  • Second challenge, what happens when a user has
    multiple certificates? (E.g. which passport does
    a dual citizen use to enter a country)
  • Third Challenge what do you read into the
    identity provided by a certificate?

12
Authorization
  • Identity just says who, not what is allowed
  • Role-based authorization is one essential
  • A dearth of tools of exist in this area

13
Data Integrity
  • How do you validate data that resides in an
    archive
  • Do not believe that magnetic storage systems (eg.
    Disk) dont mangle bits . bit rot is real.
  • How do you validate data that is coming from
    sensors ?
  • How do you provide data provenance for derived
    data?

14
Data Security
  • End-to-End Encryption is the only type of
    encryption that can be reasoned about
    (transmission security)
  • How do you audit who has accessed/changed data?
  • User (and machine) authorization (eg. Derived
    from GSI credentials) is critical
  • Can you watermark digital data so that the
    original source is embedded in the complete set

15
Data Privacy
  • Can outsiders determine who has accessed what on
    the grid?
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "NetworkSecurity Talking Points" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!