Special Interest Group (SIG) report

Security

Bonnie Hall

The CUG Security Special Interest Group (SecSIG) is an organization of Cray users who are interested in any and all aspects of SGI/Cray Research system security. Cray users are encouraged to contact the SecSIG with requests for information or future conference topics whenever the need arises.

There have been some changes in the Cray User Group recently. First, some of you may notice that we are now the "Security SIG" instead of the former "Security MIG (Mutual Interest Group)." The decision was made to reform the CUG SIC/MIG organizations into the more common SIG structure. We hope that this move will allow for greater flexibility as the organization matures.

The next change that has gone into effect is the frequency of meetings. Instead of the twice-a-year schedule that the CUG has always followed, we plan to go to one annual meeting in the spring. We hope we can strengthen the program with this move by lessening the load on the experts and travel budgets.

There has been quite a bit of discussion about "CUG Lite" meetings in North America in the fall to complement the new annual schedule. Perhaps we can springboard off the fall Supercomputing conference. Please let us know your needs for the future of the SecSIG, and we will try to oblige.

The SecSIG sponsored several talks at the 1997 Silicon Valley CUG. Jay McCauley of Silicon Graphics stopped by our business meeting and spoke to us about security futures in IRIX. Here is an overview of what we can expect:

  • Kerberos V5 is available to domestic (U.S.) IRIX installations. It is fully interoperable with the UNICOS version of Kerberos V4.

  • The IRIX add-on security package, Common Security Protocol (CSP) 1.0, will include a least privilege mechanism based on approximately 45 privilege "capabilities." About 100 system programs will require capabilities, mostly network calls.

  • The B1 evaluated IRIX system will be released this fall.

  • At this time, group routing capabilities are not planned because there would be a major performance hit for all socket-based communication. (Several Cray users mentioned that they'd like to get this item on a wish list for Cellular IRIX. Perhaps it can be made available as an add-on for those sites that are willing to take the performance hit to have the functionality?)

  • Password user exits are under development.

  • By year end '97, we can expect to see "pluggable authentication modules" that will provide sets of exits to allow implementation of various authentication schemes in future releases of IRIX.

  • Network File System (NFS) ID mapping type functionality will be obtained via a "naming mechanism" that will provide scalable, general-purpose ID mapping.

  • Plans are to have a fully integrated IRIX/UNICOS system by year end '98. The new system will be called "Cellular IRIX," and the goal is to include the "best of breed" from each system.

The IRIX SIG sponsored a talk by Gabriel Broner (SGI/Cray) focusing on joint SGI/Cray Research operating system directions. Cellular IRIX will support UNICOS security features, including Multi-Level Security, or MLS (which may be handled as a third-party product); the User Database (UDB); and DCE/DFS. There was no reference to Audit Log plans at this time. At the Summer '98 CUG in Stuttgart, the SecSIG will have more explicit information on future security directions.

The SecSIG also sponsored two site talks, papers from which will be available in the CUG Proceedings.

  • Bonnie Hall of Exxon Upstream Technical Computing gave a talk, "Cray Security Administration: Tricks of the Trade." This talk proposed ways to manage a large UNIX-based system in a secure manner and gave examples of scripts to use for implementing security mechanisms on a UNICOS machine.

  • Frank Lovato and Mike Miller of the Navy Oceanographic Office gave a talk, "The Saga of the One-Way Wire or, You Can't Get There from Here." This talk explained their unique solution to sharing unclassified data with their classified system using NFS, Cray MLS, and Cray Workstation Access Lists (WALs).

The SecSIG is committed to providing useful security information to all Cray sites at all CUG conferences. Future plans include site representatives from both Cray Research and SGI to keep us abreast of all security issues in the evolving systems.

It is essential to have input from the various Cray sites to provide a good program! If your site is interested in SGI/Cray Research supercomputing security, we'd like to hear from you. The deadline for papers for the Stuttgart CUG in Summer '98 is currently set to November 3, 1997. Abstracts for papers may be submitted via the form on the CUG home page at http://www.cug.org. If you do not have access to the Internet, you may submit an abstract for a Security paper to any of the SecSIG's contacts listed below.

Please send us suggestions for topics, comments, opinions, questions, abstracts, etc, etc! We need your input to assemble a program that you will find useful and informative. You can click on our names on our Web page off the CUG home page, send us e-mail, send us snail mail, call us, fax us, visit us, whatever! Your participation in any form is greatly appreciated :-)

SecSIG chair:
Bonnie Hall
Exxon Upstream Technical Computing Company
P.O. Box 4449, Houston, TX. 77210-4449
bonnie.l.hall@exxon.sprint.com
voice: 713-966-6031 fax: 713-965-7477

U.S. Deputy:
Frank Lovato
Naval Oceanographic Office
1002 Balch Blvd., Stennis Space, MS. 39529-50
lovato@navo.hpc.mil
voice: 601-688-5091 fax: 601-689-0400

European Deputy:
Philippe Martinez
phm@armoise.saclay.cea.fr
