- Number of slides: 10
Development of the Fermilab Open Science Enclave Policy and Baseline
Keith Chadwick, Fermilab, chadwick@fnal.gov
Work supported by the U.S. Department of Energy under contract No. DE-AC02-07CH11359.
03-Mar-2008, Fermilab Open Science Enclave
What - Is an Enclave?
[Diagram: “All Computers at Fermilab” contains two enclaves, the General Computing Enclave and the Open Science Enclave; each enclave holds Major App and Minor App boxes.]
How - Do the Enclaves Differ?
General Computing Enclave:
- Systems accessed via Strong Authentication (Kerberos).
- Windows and Scientific Linux.
- Interactive + Batch computing. Storage.
- Strong authentication for batch and interactive use.
- Strong authentication and X.509 certificate authentication for “file” access.
- Major and Minor Applications within the Enclave.
Open Science Enclave:
- Systems can be accessed via Credentials not issued by Fermilab (DOEgrids).
- Scientific Linux only.
- Batch computing “only” - very limited interactive access.
- X.509 certificate authentication for “batch” computing resource use.
- X.509 certificate authentication for “file” access.
- Major and Minor Applications within the Enclave.
Why - Purpose of the Baseline
The settings in the Fermilab Open Science Enclave (OSE) baseline are intended to:
- Minimize the exposure of computing resources in the Fermilab Open Science Enclave to known vulnerabilities, and to:
- Reduce the risk of compromise of computing resources in the General Computing Enclave.
OSE Computing Resource Definition
A computing resource is administratively defined as being in the Fermilab Open Science Enclave if it meets the following definition:
- A computing resource must be part of the Open Science Enclave (OSE) if it is managed by Fermilab and allows grid users to install and/or run software using credentials which are not issued and revocable by Fermilab.
- Other explicitly identified computing resources supporting the operation of the OSE may be designated part of the OSE by Fermilab.
“Current” inventory of OSE Computing Resources: http://fermigrid.fnal.gov/monitor/fermigrid-worker-lists.html
Baseline Document
The Fermilab OSE baseline was developed by the Fermilab OSE Working Group over an (approximately) four-month period:
- Mine Altunay, Eileen Berman, Keith Chadwick, Matt Crawford, Mike Diesburg, Stu Fuess, Irwin Gaines, Don Petravick, Igor Sfiligoi, Steven Timm & Dan Yocum.
The current draft of the Fermilab OSE baseline document is available here: http://cd-docdb.fnal.gov/cgi-bin/ShowDocument?docid=2573
Mandatory & Recommended Settings
The baseline presents both the minimum (mandatory) and recommended (best practice) levels of security settings.
The baseline is supposed to be a “living” document:
- It is not “written in stone”.
- Today's copy does have things that need additional work.
- It will evolve to address issues and threats as they are identified in the future.
The forum for discussing the changes to the baseline is the OSE working group:
- Weekly face-to-face meeting.
- “fermigrid-security-discuss” email list.
- “homework” assignments.
Output from the OSE working group is presented to the Fermilab Computer Security Executive (CSEXEC) for acceptance or additional work.
There is roughly 50% overlap between the OSE WG and the CSEXEC.
Areas Covered by the Baseline
- Physical Security.
- System Registration.
- Secure Installation.
- Daily OS and other updates (CRLs).
- Policies for Accounts.
- Pilot Jobs and gLExec.
- Network Configuration.
- File Systems and File Services (NFS, AFS, other).
- Installation and Configuration of Grid Middleware.
- Accepted Certificate Authorities.
- Required use of Central Grid Services (VOMS, GUMS, SAZ).
- Web Servers, Squid, MyProxy.
- Xen, Edge, VOBox Services.
- Certificates and Certificate Storage.
- Logging and Auditing.
- Backup and Recovery.
- Systems Authorized to Offer “Restricted Central Grid Services”.
- Detailed assessment of where specific systems are with respect to compliance with the (draft) baseline.
Baseline Status
The baseline is currently in draft form, awaiting incorporation of comments from the review of the baseline by experimental communities, a review of the revised baseline by the experimental communities, and the Computing Division management.
Once the baseline is formally accepted by the Computing Division, all systems in the Fermilab Open Science Enclave will be required to (eventually) come into compliance with the baseline.
Several Fermilab organizations are already taking steps to move to configurations which are closer to compliance with the baseline.
Fin
Any Questions?