PRACE - Jules Wolfrat

Overview of PRACE and PRACE Security
Jules Wolfrat (SURFsara)
Barcelona, 20 October 2015

PRACE aisbl, a persistent pan-European supercomputing infrastructure
• 25 members
• 4 hosting members: France, Germany, Italy and Spain
• Enables world-class science through large scale simulations
• Offers HPC services on leading edge capability systems
• Awards its resources through a single and fair pan-European peer review process for open research

4 Hosting Members offering core hours on 6 world-class machines
• MareNostrum: IBM, BSC, Barcelona, Spain
• CURIE: Bull Bullx, GENCI/CEA, Bruyères-le-Châtel, France
• HazelHen: Cray, GAUSS/HLRS, Stuttgart, Germany
• JUQUEEN: IBM BlueGene/Q, GAUSS/FZJ, Jülich, Germany
• SuperMUC: IBM, GAUSS/LRZ, Garching, Germany
• FERMI: IBM BlueGene/Q, CINECA, Bologna, Italy
[Pie chart by scientific domain: BioChemistry, Bioinformatics and Life Sciences 13%; Universe Sciences 21%; Mathematics and Computer Sciences 4%; Fundamental Physics 18%; Chemical Sciences and Materials 21%; Earth System Sciences 10%; Engineering and Energy 13%]

PRACE’s achievements in 5 years
• 412 scientific projects enabled
• 10.7 thousand million core hours awarded since 2010 with peer review, main criterion is scientific excellence. Open R&D access for industrial users with >50 companies supported
• ~5000 people trained by 6 PRACE Advanced Training Centers and other events
• 18 Pflop/s of peak performance on 6 world-class systems
• 530 M€ of funding for 2010-2015, access free at the point of usage
• 25 members, including 4 Hosting Members (France, Germany, Italy, Spain with a global funding of 400 M€)

Access through PRACE Peer Review
• Free of charge; required to publish results at the end of the award period
• Open to international projects
• Project Access (every 6 months), award period 1 to 3 years
  – Individual researchers and groups
  – No restriction on nationality for both researcher and centre
  – Required to demonstrate technical feasibility of project
• Preparatory Access (cut-off date every 3 months)
  – Optional support from PRACE experts
  – Prepare proposals for Project Access

PRACE Network
• PRACE operates a “private” network, provided by GÉANT. It is structured as a star-like topology, connecting PRACE systems with other systems from partners
• Most sites connected with 10 Gb/s wavelength
• 1 site connected with 1 Gb/s GÉANT L2 VPN Service
• Several sites connected with 1 Gb/s shared IPsec GRE tunnel
• Human Brain Project (HBP) also uses the PRACE network (MoU signed)
[Figure: PRACE network diagram. Labels: central PRACE router, DFN/GÉANT Frankfurt, IPsec gateway, JuQueen. Sites listed: Bulgaria / NCSA, Cyprus / CastoRC, Czech Republic / V, Greece, Ireland, Norway, Serbia, Switzerland / CSCS, Turkey / UHeM, Hungary / NIIF. Legend: 10 Gb/s wavelength; 10 Gb/s Ethernet IP; 1 Gb/s IPsec Tunnels (Shared); 1 Gb/s GÉANT+ L2 VPN Service]

PRACE services
• Data services, using the PRACE network
• Job submission with UNICORE
• User information (e.g. X.509 certificates) is shared for remote access
• Incidents at one site can have impact on other systems, more than for independent sites, so the need for collaboration

PRACE Security Forum
Coordinates security activities
• Define Policies and Procedures - to build “A trust model that allows smooth interoperation of the distributed PRACE services”;
• Risk reviews - to define and maintain “An agreed list of software and protocols that are considered robust and secure enough to implement the minimal security requirements”;
• Operational security – coordination of incident handling
• All partners are members of the Security Forum

Policies and Procedures
• PRACE Acceptable Use Policy (AUP), user administration policies, incident response policy, etc.;
• Provide Best Practice documentation by partners
  – Problem can be the language and the confidentiality; e.g. a partner may indicate which documentation is available and if it can be provided on request
• Collaboration with EGI, EUDAT, WLCG, XSEDE through SCI
• Representation in EUGridPMA as Relying Party

Risk reviews
• Risk reviews are part of the Change Management procedure for PRACE services
• Risk review procedure based on guidelines from the German BSI (Federal Office for Information Security), BSI-Standard 100-2:
  https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/BSIStandards/standard_1002_e_pdf.pdf?__blob=publicationFile
• Using the IT-Grundschutz Catalogues for threats and safeguards:
  https://www.bsi.bund.de/EN/Topics/ITGrundschutz/ITGrundschutzCatalogues/itgrundschutzcatalogues_node.html
• Section “threat catalogue deliberate acts”
• Examples: Globus Online, UNICORE FTP
• Exchange of information within SCI?

Operational Security – coordination
• All operational sites must be subscribed to the e-mail list for reporting about incidents, preferably with generic addresses, e.g. local CSIRT team
• Site contact information maintained on the wiki (names, phone numbers, e-mail addresses)
• No elaborate policy for reporting incidents
• Major incidents are discussed by video/phone conferences
• A site that has information about an incident (or thinks something is wrong) is responsible for taking action, e.g. asking for a video/phone conference
• Also subscribers from EGI CSIRT and EUDAT on PRACE list

Operational Security
• High level of trust between sites that they behave well, e.g. patch policy, firewall set-up, local CSIRT, etc.
• Requirements should be better documented with increasing number of sites; SCI document is a good reference
• Implementation of audits? The need to provide effort by partners must be justified
• Sharing information on vulnerabilities
  – Information on vulnerabilities is distributed through several channels, e.g. OS specific lists, US-CERT
  – Can be overwhelming for sites; classification and customization for our environments can be helpful. Effort needed must be justified.

Collaboration opportunities
• Share information about Policies and Procedures – as a SCI/WISE activity
• Share Best Practice information
• Risk reviews: work together if there is common interest
• Incident handling: exchange information if needed, harmonize procedures