DJRA1.6 FINAL RELEASE OF NEW GRID MIDDLEWARE SERVICES



Similar documents
Security Information Management

Cesario Di Sarno. Security Information and Event Management in Critical Infrastructures

Towards Smart and Intelligent SDN Controller

ARDA Experiment Dashboard

Technical. Overview. ~ a ~ irods version 4.x

Intrusion Detection Systems

Online Network Traffic Security Inspection Using MMT Tool

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

Developing SOA solutions using IBM SOA Foundation

Beyond Check The Box

DevOps Course Content

Information Technology Policy

Monitoring Clusters and Grids

Implementing Large-Scale Autonomic Server Monitoring Using Process Query Systems. Christopher Roblee Vincent Berk George Cybenko

Basic & Advanced Administration for Citrix NetScaler 9.2

Intrusion Detection in AlienVault

Course Title: Penetration Testing: Security Analysis

White Paper Cybercom & Axiomatics Joint Identity & Access Management (R)evolution

TEST AUTOMATION FRAMEWORK

Advanced Administration for Citrix NetScaler 9.0 Platinum Edition

Abstract. 1. Introduction Current Environment. University of California, Los Alamos National Laboratory. Telephone Fax

Avid. Interfacing with Avid inews. Including inews Web Services Version 1.0

Effective IDS/IPS Network Security in a Dynamic World with Next-Generation Intrusion Detection & Prevention

Course 55004A: Installing and Configuring System Center 2012 Operations Manager

System Specification. Author: CMU Team

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

55004A: Installing and Configuring System Center 2012 Operations Manager

The Ontological Approach for SIEM Data Repository

Data Mining For Intrusion Detection Systems. Monique Wooten. Professor Robila

Intrusion Detection Systems

GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET

ΕΠΛ 674: Εργαστήριο 5 Firewalls

Remote Authentication and Single Sign-on Support in Tk20

Next Level. Elevated to the. 22 nd Chaos Communication Congress. Alien8 - Matthias Petermann

White Paper. Time for Integrated vs. Bolted-on IT Security. Cyphort Platform Architecture: Modular, Open and Flexible

Testing Network Security Using OPNET

Security: Best Practice and Monitoring

AN APPROACH TO DEVELOPING BUSINESS PROCESSES WITH WEB SERVICES IN GRID

Decomposition into Parts. Software Engineering, Lecture 4. Data and Function Cohesion. Allocation of Functions and Data. Component Interfaces

On the use of Honeypots for Detecting Cyber Attacks on Industrial Control Networks

SANS Top 20 Critical Controls for Effective Cyber Defense

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Performance Evaluation of Intrusion Detection Systems

Alarm Clustering for Intrusion Detection Systems in Computer Networks

Software-Defined Networking Architecture Framework for Multi-Tenant Enterprise Cloud Environments

owncloud Architecture Overview

NETWORK SECURITY (W/LAB) Course Syllabus

APPLICATION OF MULTI-AGENT SYSTEMS FOR NETWORK AND INFORMATION PROTECTION

MODEL OF SOFTWARE AGENT FOR NETWORK SECURITY ANALYSIS

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Transformation of honeypot raw data into structured data

Joshua Beeman University Information Security Officer October 17, 2011

Deploying ACLs to Manage Network Security

Section 1 CREDIT UNION Member Information Security Due Diligence Questionnaire

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

A NOVEL APPROACH FOR PROTECTING EXPOSED INTRANET FROM INTRUSIONS

Building A Secure Microsoft Exchange Continuity Appliance

Chapter 14 Analyzing Network Traffic. Ed Crowley

How To Protect A Network From Attack From A Hacker (Hbss)

A Quantitative Approach to Security Monitor Deployment

Data Center Virtualization and Cloud QA Expertise

FLAB, Warden3 and friends

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

HP OO 10.X - SiteScope Monitoring Templates

Resource Management and Containment for Active Services

VOL. 2, NO. 1, January 2012 ISSN ARPN Journal of Science and Technology ARPN Journals. All rights reserved

IT Architecture Review. ISACA Conference Fall 2003

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Apigee Edge API Services Manage, scale, secure, and build APIs and apps

Federated Threat Data Sharing with the Collective Intelligence Framework (CIF)

Real-time Network Monitoring and Security Platform for Securing Next-Generation Network. Assoc. Prof. Dr. Sureswaran Ramadass

File S1: Supplementary Information of CloudDOE

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

IBX Business Network Platform Information Security Controls Document Classification [Public]

Using MySQL for Big Data Advantage Integrate for Insight Sastry Vedantam

Introduction of Intrusion Detection Systems

Data Analysis Load Balancer

Intrusion Log Sharing University of Wisconsin-Madison

Dynamic Honeypot Construction

The syslog-ng Store Box 3 F2

Architecture Guidelines Application Security

Evaluation of different Open Source Identity management Systems

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

AlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log

Hack Proofing Your Organization

NETWORK SECURITY HACKS *

Alfresco Enterprise on AWS: Reference Architecture

Cisco Advanced Services for Network Security

High Level Design Distributed Network Traffic Controller

Complete Web Application Security. Phase1-Building Web Application Security into Your Development Process

Automating Attack Analysis Using Audit Data. Dr. Bruce Gabrielson (BAH) CND R&T PMO 28 October 2009

A Review on Network Intrusion Detection System Using Open Source Snort

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

How To Understand The Architecture Of An Ulteo Virtual Desktop Server Farm

Information Technology Services Classification Level Range C Reports to. Manager ITS Infrastructure Effective Date June 29 th, 2015 Position Summary

Tk20 Network Infrastructure

Wedge Networks: Transparent Service Insertion in SDNs Using OpenFlow

Transcription:

3.9. ACTIVE SECURITY INFRASTRUCTURE (ASI) 3.9.1. Overview The aim of the Active Security task is to consider security measures for an interactive framework. To date Grid security activities have largely focused on prevention mechanisms, i.e., authorization, authentication, and secure communications. This task focuses on the areas of detection (e.g. intrusion detection), and reaction, i.e., taking action to prevent, or to recover from, a security incident. 3.9.2. Source code Source: https://savannah.fzk.de/cgi-bin/viewcvs.cgi/?root=jra-asi 3.9.3. Binary Release RPMs are currently available for Scientific Linux v3 and v4. Security Monitoring http://savannah.fzk.de/autobuild/sl3/module-active-security.html http://savannah.fzk.de/autobuild/sl4/module-active-security.html Control Engine: http://savannah.fzk.de/autobuild/sl3/module-active-security-control-engine.html http://savannah.fzk.de/autobuild/sl4/module-active-security-control-engine.html Alert Analysis: http://savannah.fzk.de/autobuild/sl3/module-active-security.html http://savannah.fzk.de/autobuild/sl4/module-active-security.html 3.9.4. Documentation and manuals Manuals: Brochure: http://www.cs.tcd.ie/stuart.kenny/index.php?activesecurity http://www.cs.tcd.ie/stuart.kenny/i2g/brochures/i2g-technicalbrochure_active_security.pdf 3.9.5. Release Validation Release validation status can be obtained from the validation page: http://www.lip.pt/computing/projects/i2g/vrm-inteugrid/results.php All components have been submitted for, and have subsequently passed, test and validation. PUBLIC Page 70 of 89

Testing of the Security Monitoring and Alert Analysis components was carried out by Marek Ciglan, and a report on this testing can be found here: https://wiki.fzk.de/i2g/index.php/i2g_active_security_infrastructure Control Engine component testing was performed by Lukasz Skital, and this component passed validation in November 07. 3.9.6. Current Architecture and Main Features As described in DJRA1.1 the Active Security architecture, see Figure 1, is divided into two layers: Monitoring and control layer Analysis layer The Relational Grid Monitoring Architecture (R-GMA) (http://hepunx.rl.ac.uk/egee/jra1-uk/) developed within the EGEE project provides the communication between the two layers. Figure 1 Active Security Services architecture 3.9.6.1. Monitoring and Control Layer (Site Level) The Monitoring and Control layer contains two components: Security Monitoring and the Control Engine. The Security Monitoring component is responsible for monitoring the state of security of a site, and for reporting detected security events to the Grid Operations Centre. The monitoring is performed by standard security tools which have been R-GMA enabled. The Control Engine performs the role of a Policy Decision Point (PDP) at a site. Grid policies, generated by the analysis layer form the input to the Control Engine. The Control Engine evaluates requests for guidance, PUBLIC Page 71 of 89

returning a decision based on the applicable Grid policies. This decision can also contain a description of any action that should be taken in order to mitigate the risk of a potential security incident. 3.9.6.2. Security Monitoring Figure 2 shows the structure of the Security Monitoring component (SM). This component is composed of multiple security monitoring tools that have been R-GMA enabled. By this we mean that the tool has been extended to allow any detected security events to be published to the R-GMA information system. This is done through the use of the R-GMA API, which is available in several languages, namely Java, C, Perl and Python. In order to store events detected by the SM three R-GMA tables have been defined. These are: ASIAnalyzer, to store information on the monitoring tool (analyzer) that detected the event; ASIAlert, to store information on events detected; ASIService, to store information specific to the service that the event was detected for, e.g., port and protocol. The structure of these tables has been modelled on the Intrusion Detection Message Exchange Format (IDMEF) standard. This is to allow for additional monitoring tools to be easily added to the SM. In order for the security events detected and published by the SM to be collected at the operations centre an R-GMA SecondaryProducer is used. A SecondaryProducer aggregates streams from multiple Producers and stores the information into a MySQL database. By running a SecondaryProducer at the Operations Centre that queries for the events being published by the SM, events can be aggregated from all the grid sites to form a security alert archive that is itself able to be queried via the R-GMA. A SecondaryProducer implementation is provided as part of the Alert Analysis component. Figure 2 Security Monitoring In this release two example tools are used, Snort (http://www.snort.org), an open-source networkbased intrusion detection system, and the Prelude Log Monitoring Lackey (Prelude-LML) for host- PUBLIC Page 72 of 89

based intrusion detection through log analysis (https://trac.prelude-ids.org/wiki/preludelml). Figure 3 shows a possible deployment of the SM within a site. Within a typical Grid site the monitored hosts would be the worker nodes. The network traffic and log messages would be analyzed on a security monitoring host, which could be either a dedicated machine, or an existing resource such as the R- GMA services host (MON-box). Figure 3 Security Monitoring deployment 3.9.6.3. Control Engine Figure 4 shows the structure of the Control Engine component (CE). This component is implemented as a web service that provides a Policy Decision Point at sites by making use of the Sun XACML (extensible Access Control Markup Language) implementation (http://sunxacml.sourceforge.net). PUBLIC Page 73 of 89

Figure 4 Control Engine In order to distribute policies to Control Engines located at each Grid site the policy is published to the ASIPolicy R-GMA table. By querying this table the Control Engine automatically receives the policy and stores it locally. The Control Engine updates all locally stored policies each time a change is made to the ASIPolicy table. The set of locally stored policies are used by the Control Engine when answering requests for guidance from service agents installed on nodes to be controlled by Active Security. Agents send XACML requests to the Control Engine, which then evaluates the request against all applicable policies and returns an XACML response. This response contains a decision, either permit or deny, and an optional obligation. This obligation is used to inform the service agent of any action that should be taken when enforcing the decision. The Control Engine would be hosted on a single node within a Grid site, either a dedicated security monitoring host, which could also contain the security monitoring component, or an existing resource such as the R-GMA services host. The service agents would be installed on any node over which control is required, typically the worker nodes and computing element. 3.9.6.4. Analysis Layer (Operations Level) The purpose of the Alert Analysis component is to filter and analyse the alerts contained in the security alert archive in order to detect patterns that signify an attempted attack on the Grid infrastructure. As a significant number of alerts are generated and logged it is preferable to automate this analysis as much as possible. An attack on the Grid infrastructure can be composed of a series of steps, where each step follows on from the previous. The Alert Analysis component attempts to join alerts into high-level attack scenarios, and if successful, generates a single high-priority Grid-Alert, composed from multiple lower-priority alerts. The Alert Analysis component (AA) has been implemented using the STAT framework (http://www.cs.ucsb.edu/~seclab/projects/stat/index.html). STAT is a technique for modelling high- PUBLIC Page 74 of 89

level descriptions of computer attacks as a series of state changes from an initial secure state to a target compromised state. Attack scenarios are described using STATL, a state/transition based attack language. Figure 5 shows the structure of the AA. Figure 5 Alert Analysis component The AA is composed of the STAT Core and two extension modules, an R-GMA event provider and an R-GMA response module. An R-GMA event provider supplies the stream of events by querying R- GMA for any events published to the ASIAlert table. An IDMEF language extension provided as part of the STAT framework is re-used for processing the events received from the R-GMA event provider. A suite of initial Grid attack scenarios have been provided. The STAT Core performs the analysis of events by matching an incoming stream of events against a set of scenario plugins. The set of available scenarios can be easily extended, and it is intended to include additional examples as they are defined. The R-GMA response module allows for the publishing of a Grid-Alert to the R-GMA. This occurs when an event or series of events matches a scenario defined in one of the available Grid-Attack scenario plugins. Figure 6 Grid Policy Consumer PUBLIC Page 75 of 89

A Grid-Alert published by the AA in response to a detected Grid attack can contain an optional Obligation field. This field corresponds to the Obligation attribute contained within an XACML policy. The AA also contains a Grid policy consumer (see Figure 6), the role of which is to extract the obligation field from any generated Grid-Alerts, and to then modify and republish the Grid policy to which the obligation applies. It is this act of republishing that triggers the Control Engines to update their local copies of the Grid policies. This process is illustrated in Figure 7. Figure 7 Active Security sequence diagram 3.9.6.5. Known Issues and Limitations The main issue to date has been the lack of authorization functionality in R-GMA. This has restricted the deployment of the security monitoring tools, as to be fully deployed it must be ensured that only authorized users may access (i.e., query from and publish to) the Active Security R-GMA tables. By working with the R-GMA developers, the developers of ASI have now implemented an authorization mechanism for R-GMA. This has been integrated with the R-GMA code base, and it is hoped that this will be made available in the next R-GMA release. This is a major contribution from int.eu.grid to R- GMA. PUBLIC Page 76 of 89

3.9.7. Performed Tests A description of testing carried out on the Active Security Infrastructure deployed on the int.eu.grid development testbed can be found here: http://www.cs.tcd.ie/stuart.kenny/i2g/brochures/i2g-active-security_use_case.pdf The purpose of this test was to show how the monitoring and analysis components function together to detect an attack across multiple Grid sites. In this case the attack was simulated using a simple portscan of hosts. A description of a second use case, which includes all components of the Active Security Infrastructure, is given in: http://www.cs.tcd.ie/stuart.kenny/i2g/brochures/i2g-active-security_use_case_2_v2.pdf PUBLIC Page 77 of 89

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information