Monday, November 10, 2008

caGrid / TeraGrid Security & Interoperability Concerns

>> From what I understand so far caGrid 1.2 uses Globus 4.0.3 Java WS-CORE and Globus in caGrid 1.2 is as up-to-date as possible, but not necessarily hardened. Is this right?

Yes. Frankly I’d be surprised to learn that TeraGrid is running modified Globus code that has not been contributed back given the significant overlap in personnel on those projects. However, if you’d like to follow up with them on specifics we’d be happy to work with you to assess any applicability to caGrid. I’m sure what they were referring to was something like the GSI OpenSSH libraries which TeraGrid uses to allow Globus credentials to be used via ssh. As I’m sure you are aware, the ubiquity and power of ssh makes it a prime candidate for potential attack and there is a large active community analyzing and addressing any such vulnerabilities. It is important for an infrastructure like TeraGrid to stay up to date with any such ssh patches, and those trickle down to the Globus libraries which use them. As stated before, we use no such libraries as we only use SSL for securing the communication channel of web service calls. While obviously this is still critically important, its scope and therefore potential for exploit is significantly less (e.g. you can’t run arbitrary commands on the remote machine). As Steve mentioned, we monitor the Globus releases and community security advisories to ensure our infrastructure is not vulnerable.

>> It seems that caGrid 1.2 is installed at NCI, so it has met the federal guidelines that are required to have it installed at a place like NCI, right?

Yes, that is correct. Before we deploy the grid we have to go through a series of vulnerability scans.
