Computing Services & the Grid
David Baker
Oz Parchment

Introduction
• Context
• Security
• Network Issues
• Accounting
• Personnel
• User Support

Computing Services at Southampton University
• Mission statement - To provide support and manage computing, data communications and telephony services within available resources so as to enable the University to deliver excellence in teaching, learning and research
• What do we do:
  – Customer Base: ~30,000 Students & Staff
  – E-Mails: 2,000,000+ emails per month
  – Web-Serving: 6,000,000 page requests per month
  – 1000+ Public workstations.
  – Computational services
  – 700,000+ phone-calls per month
  – Infrastructure for the above

Computing Services & the Grid
• Computing Services has taken on the challenge of the Grid!
  – The Grid facilitates collaborative opportunities in research
  – Host University Grid infrastructure
  – Staff to manage & support Grid

Where do you fit into the picture?
• Centres who host Grid Services
• Grid Services hosted by academic departments.
• Only client users at your institute

Security Issues

List of Issues
• User Authentication
• User Authorisation
• Security
• Firewalls
• Network Security
• Data Security
• Service Access Controls

User Authentication
• Assigning trustable digital identity to user
  – Passport Agency!!!
• Certificate Authority (CA)
  – issue X.509 digital cert. to e-Science programme participants
  – e-Science CA at RAL
• Applicants validated by nominated rep. of project or regional centre
  – Registration Authority (RA)
  – Issues of Scalability

User Authorisation
• Managing access by authenticated users to grid resources
• Revocation Policy
  – Who and How?
• Account application form signed by local authorisation agent
• Need to build trust relationships between agents?
  – Users only need to make one application?
  – Only sign one set of terms & conditions?

Site Security Policies
• Globus includes provisions for
  – Secure communications (via SSL)
  – Strict authentication (via certs.)
• Certificates on user's file-store?
  – But what can the user run whilst on your machine?
• Must ensure Grid machines are secured against non-Globus attacks
  – Piggy Backing
  – Security by obscurity not possible any longer

Firewalls: Sysadmin's ONLY friend
• Internet firewalls considered a key component of network security
• Network traffic generated by Globus
  – Gatekeeper – 2119
  – GRIS/GIIS – 2135
  – GridFTP – 2811
  – GSI-Enabled ssh – 22
• Globus uses a random non-privileged port range for data retrieval
  – GLOBUS_TCP_PORT_RANGE

Firewalls (2)
• Individual ports not that difficult to manage
  – Not much extra work
• Globus requires ~100+ non-privileged ports
  – Maybe more required for production grid?
• Access Control
  – Limit access to services that run on your Grid
    • GridFTP to certain sites; GASS to others

Firewalls (3)
• Globus packaging techniques make security management more interesting
  – GridFTP
    • Based on wu-ftp; Numerous CERT advisories
  – GSI-SSH
    • Based on OpenSSH; Some CERT advisories
• Service Termination policies
  – How should a vulnerable service be terminated?

Data Security
• Globus does not prevent you from running a specific command.
• Can Grid users be confident that their data is secure on your system?
• Can any user be confident their data is secure?
• System security
  – Restricted paths?
  – Restricted shells?

Access to non-grid systems & services
• Need to limit Grid users' access rights
• No access to non-grid machines/equipment?
• No access to non-grid services
  – e.g. email?
• Maybe:
  – Take special measures re: account setup?
  – Don’t supply account password?

Infrastructure Requirements
• Choice of middleware
  – currently GT 2.0
• Keep in step with other centres
  – Upgrades to major system components need to be synchronised across service providers.
• Report resources to UK GIIS
• Protect licensed software
  – Don’t invalidate site licenses

Infrastructure Requirements

Network Issues
• Network Bandwidth
  – Internally
  – Externally
• Firewall throughput
• Web Caches
  – Web Service thru port 80
• Network QoS
  – Real time data capture
  – AccessGrid

Network Issues
• Network connectivity & bandwidth
• Where are the resources located:
  – Between your institute and remote institutes
  – Within your institute
[Figure: network diagram of routers Ra, Rb, Rc and Rd with link bandwidths from LeNSE (2.4Gbps) down to 2 Mbps; firewalls (will ‘throttle’ traffic)]

Accounting
• Account for resource usage:
  – Long term planning
  – Accountability
  – Recovering costs
• Fair sharing policies.
  – Are you getting what you’ve bought?

Personnel
There are manpower issues
• Depends on level of involvement:
  – May need to recruit additional staff
  – Additional training for existing staff
  – At the very least someone needs to know

User Support
• Depends on centre’s involvement with grid.
  – How deeply involved are you?
  – How deeply involved do you want to get?
• Think about how information is disseminated
  – Who needs to know?
    • Internally
    • Externally
  – What do they need to know?
• Pass unresolved issues to Grid Support Centre

Service Level Agreement
What can grid users expect from your centre?
• Hardware availability
• Software availability
• Data Storage
• Backup policies
• Help desk priorities

Useful links
• The Globus Project
  – www.globus.org
• UK Grid Support Centre
  – www.grid-support.ac.uk
• Global Grid Forum
  – www.gridforum.org
• National e-Science Centre
  – www.nesc.ac.uk

Conclusion
• Many issues need to be resolved
• Your input is important
  – Grid is still developing
  – This meeting is only the beginning
• Great opportunities for researchers at your Institutions
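
Added example, not part of the original slides: a sketch of the access-control idea from the Firewalls slides, combining the fixed Globus ports listed there with a GLOBUS_TCP_PORT_RANGE value. The script only prints iptables rules for review; the peer networks, the sample range, the assumed "min,max" form of the variable and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print (never apply) iptables rules for a Globus GT2 host.
# Fixed ports are those on the Firewalls slide; peer networks and the
# port range are constructed sample values.

# Convert GLOBUS_TCP_PORT_RANGE, assumed to be "min,max", to iptables
# "min:max". Rejects malformed values and ranges touching privileged ports.
port_range_to_iptables() {
    min=${1%%,*}
    max=${1##*,}
    for v in "$min" "$max"; do
        case "$v" in ''|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" = "$min,$max" ] || return 1
    [ "$min" -ge 1024 ] && [ "$max" -le 65535 ] && [ "$min" -le "$max" ] || return 1
    echo "$min:$max"
}

# allow_service PORT SOURCE...: one ACCEPT rule per permitted source network.
allow_service() {
    port=$1; shift
    for src in "$@"; do
        echo "iptables -A INPUT -p tcp -s $src --dport $port -m state --state NEW -j ACCEPT"
    done
}

# sample_ruleset RANGE: per-service allow-lists, then drop everyone else.
sample_ruleset() {
    range=$(port_range_to_iptables "$1") || {
        echo "bad GLOBUS_TCP_PORT_RANGE: $1" >&2; return 1; }
    job_sites="192.0.2.0/24"                    # constructed: may submit jobs
    data_sites="192.0.2.0/24 198.51.100.0/24"   # constructed: may move data
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    allow_service 2119 $job_sites         # Gatekeeper
    allow_service 2135 $job_sites         # GRIS/GIIS
    allow_service 2811 $data_sites        # GridFTP
    allow_service "$range" $data_sites    # data-retrieval port range
    # Port 22 (GSI-enabled ssh) is left to the site's existing ssh policy.
    echo "iptables -A INPUT -p tcp -m multiport --dports 2119,2135,2811,$range -j DROP"
}

sample_ruleset "40000,40100"
```

The range passed to the script should be the same one exported to the Globus services, so that the firewall and the middleware agree on which ports are in use.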