Security middleware

1
Security middleware

• Andrew McNab
• University of Manchester

2
Outline

• GridSite features in gLite 1.2
• Some features in detail
• HTTP Downgrade
• Web service support
• suexec and gsexec
• Secmon boxes

6 July 2005
Security middleware
3
GridSite in gLite 1.2

• Up to date VOMS support
• Attribute Certificates from gLite/LCG VOMS
• XML access policies written in GACL or XACML
• File access / scripts / services controlled by
  X.509, GSI Proxy, VOMS AC, DN List credentials.
• HTTP Downgrade
• Authentication via HTTPS bulk file copy via HTTP
• gsexec
• Run scripts/services in Unix user sandboxes

6 July 2005
Security middleware
4
HTTP Downgrade

• This is mostly code from last summer
• Renewed interest in bulk HTTP so we're revisiting
  it
• Idea is to offer similar functionality to GridFTP
  but using standard HTTP(S) tools
• HTTPS control channel used for authentication
• Returns a one-time passcode as a cookie
• HTTP GET or PUT request made with passcode
• Similar to unencrypted GridFTP data channel
• But with Apache performance benefits sendfile()
  etc

6 July 2005
Security middleware
5
HTTP Downgrade (2)

• Intend to add support for third-party copies
• Use COPY method from RFC 2518 (WebDAV)
• Passcode used to authenticate the remote leg of
  the copy
• Add HTTP header with client's estimate of Round
  Trip Time
• Used by server to select correct TCP window size
• Work ongoing with networking (Richard
  Hughes-Jones etc) to demonstrate performance of
  HTTP on WANs
• Evangelise about this a bit more...
• eg GridSite's htcp command now used by EGEE WMS

6 July 2005
Security middleware
6
Web Service support

• GridSite architecture can provide security for
  Web Service tools like gSOAP, with CGI Web
  Services
• We also provide the C/C implementation of the
  EGEE / JRA3 Delegation portType
• Java implementation by funded part of JRA3
• mod_gridsite delegation CGI used by EGEE WMS
• Apache/FastCGI GridSite (security) gSOAP
  (SOAP/WS)
• Delegated credentials stored in the filesystem
• Allows sharing between different CGI languages

6 July 2005
Security middleware
7
suexec and gsexec

• Apache has traditionally provided a wrapper to
  run CGIs as other Unix users
• Start as root, process as apache, CGI as joeuser
• We've modified this to run CGI scripts and
  services as pool Unix users
• Either per-client the cert in the browser
  determines which pool user
• Or per-directory all the CGIs in my directory
  run as the same pool user

6 July 2005
Security middleware
8
suexec / gsexec (2)

• This allows us to sandbox CGI-based services by
  ensuring that the pool users are of sufficiently
  low privilege
• Different clients or service owners can't
  interfere with each other
• Access control is still via GACL/XACML policy
  files
• X.509, GSI Proxy, VOMS, DN List credentials
• We can now offer third-party hosting of
  services
• Give a user or VO access to a privileged
  directory
• They deploy their C/C/Perl/Python services
  remotely

6 July 2005
Security middleware
9
GRACE

• In adding support for Web Services to GridSite,
  we started to offer non-Java ways of building
  service-orientated grids
• We're now at the point where this is being taken
  up
• Clearly, this community has a big investment in
  languages other than Java
• But many other scientists and admins do
  too
• So again, want to start evangelising about this
  model
• GRACE GRidsite/Apache/CGI-scripts/Executables

6 July 2005
Security middleware
10
SECMON boxes

• Had hoped to have SECMON box prototype ready for
  this meeting
• Expect DVD images available in the next week or
  two
• Aim is to provide a simple to install security
  monitoring box that just sits in the corner of
  your machine room
• Sites don't need to install anything special on
  CE etc being monitored
• Remote administration / monitoring done by
  Tier-2/Tier-1 staff, but site retains root

6 July 2005
Security middleware
11
SECMON design

• Want to keep things as simple as possible
• Unix syslog already provides almost all of what
  we need
• Always installed
• Logs from services/daemons and kernel (port scans
  etc)
• Logging interfaces for scripts, C/C etc
• One line added to syslog.conf can direct the
  messages over the network to local SECMON box
• So we need to provide remote config tools and
  remote access to log files

6 July 2005
Security middleware
12
secmon.conf

• All configuration in one place
• All local choices can be recovered from this file
• May want to freeze SECMON hard drive to use as
  evidence for the Police, so this may be important
• secmon.conf currently defines
• firewall rules for syslogd, sshd and httpd
• services to log (globus-gatekeeper etc)
• X.509 DNs of people with different privilege
  levels

6 July 2005
Security middleware
13
Implementation

• secmond runs as root
• monitors secmon.conf for changes
• updates config files as a result
• filters syslog messages into log files according
  to service name (sshd, httpd, globus-gatekeeper
  etc)
• Admin CGI (secmon-admin.cgi) runs as user apache
• manages secmon.conf
• RSS CGI (secmon-rss.cgi) runs as user apache
• All remote access controlled by GridSite/GACL
  policies

6 July 2005
Security middleware
14
RSS Access

• RSS is widely used to allow clients to pull
  categorised, chronological data (like news
  headlines) out of webservers, in a programmatic
  way
• Well matched to transporting syslog type alert
  messages
• secmon-rss.cgi queried by service name, severity
  and/or date range
• Only pull out the level of detail we need
• Seeks / bisects / reads log file directly to find
  messages
• Access control currently via X.509/GSI Proxy only

6 July 2005
Security middleware
15
Summary

• The current version of GridSite is part of the
  latest gLite release process
• We're providing a system which is used by other
  middleware, not just websites
• Non-Web Service tools from GridSite (htcp etc)
  are starting to be used too
• SECMON box prototype is almost ready

6 July 2005
Security middleware