Challenges of Securing a Petascale Cluster
Christian Servin
The University of Texas at El Paso
Computational Sciences Program
Mentor: Irfan Elahi
Wednesday, July 27, 2011
Project Overview
• Security Challenges in Clusters
• Security Baseline/Requirements
• Case Study: TeraGrid
• Proposed Security Model
• Implementation, Analysis, and Testing
Challenges in Large Clusters vs Other Environments
• Clusters:
• Diverse User Community
• Data Sharing
• High Performance Computing
• Different File Systems
Computer Security
• Confidentiality
• Integrity
• Usability
Objective
Identify the security challenges of securing large open-science HPC supercomputers as compared with stand-alone servers. Also, provide a security design that strikes the perfect balance between security and usability.
[Image: An Ancient Fortress on an Island. Source: www.englishrussia.com]
Stand-alone vs Cluster
• High Bandwidth Connections
• Extensive Computational Power
• Massive Storage Capacity
• Firewall Between Nodes
• Storage Trust (Implicit Trust)
• Limited Encryption
Security Layers to Consider
• External Network
• Supercomputer (cluster)
• Internal Network
• Host (node)
[Diagram labels: Attacker, Other Attack, External Network, Gateway Nodes, Login, IO, Internal Network, Hosts, Master, Service, Compute Nodes. Dragon image: www.historicfibers.com]
Case Study: TeraGrid Cluster
• Host
✓ Configuration Management
✓ Unnecessary Services
✓ Protect Shared File System
• Network
✓ Prevent IP Address spoofing
✓ Prevent source routing
✓ Block services that cannot be access controlled at host level
Case Study: TeraGrid (2)
• Auditing
✓ Have Monitoring and Event Detection
✓ Have Centralized Logs
✓ Have Process Accounting
Installation and Configuration Experiments
• Configured a Cluster of Five Nodes
• Configured the network on a Local Area Network (LAN)
• Installed Ubuntu Server
• Security Model was Implemented, Analyzed and Tested
Experiment Configuration
[Diagram labels: Master/Login, Service, Compute, Compute, Intruder]
Security Model
• Configuration: Operating System Setup, Network Configuration, File System, Scheduler
• Monitoring Tools: Monitoring System, Intrusion Detection System, Logs
• Decision Maker: Fuzzy Logic, Interval Computation, Multi-Criteria Decision Making, Decision Engine
Personal Challenges
• OS Server Installation
• Linux novice
• Networking
• Network File System
• Services configuration
Summary
• Identify unique challenges of securing large HPC clusters
• Study the TeraGrid security baseline
• Provide a secure architecture
• Built a cluster with 5 nodes
• Implemented, analyzed, and tested on cluster
Future Work
• Establish benchmarks for a security and usability setup environment.
• Incorporate uncertainty models based on monitored records
Other SIParCS Achievements
• Participated in the CSG Summer Workshop
• Participated in and observed the Bluefire upgrade
• Attended various vendor conference calls and meetings
• Observed and learned from day-to-day SSG activities
Special Thanks
Questions
Thank you for your attention
• Christian Servin
• http://www.cs.utep.edu/christians/