BoF: Securing HPC without Air Gapping - (SHAG)
Abstract
HPC systems typically offer users direct access to the host operating system, thus any local vulnerability can be immediately exploited. Meanwhile, there are continuously new exploits discovered which are potentially exposing the HPC system. This problem is even exacerbated by the need to support a predefined software stack, including a scheduler, like Slurm, or parallel filesystems like BeeGFS or Lustre, which are usually not compatible with the newest Linux kernel and therefore prohibiting early adoption. This exposure was demonstrated when in late 2019 hackers got access to a single user account and started on a single HPC system to escalate their privileges.
In order to prevent those incidents, different compute centers tackle IT security from different angles, for instance by blocking ssh connections from other centers to prevent a hoping of attackers or by requiring two-factor authentication. In addition, some centers deploy an intrusion detection system or utilize a number of different networks to isolate management nodes from compute nodes. However the big challenge is to find the correct balance between security and functionality for the users, particularly in Tier-3 systems.
Despite all those exiting angles on security, the HPC community does not tap into the potential of an agreed on HPC security guideline (best practices + patterns for it security). Currently this potential is scattered among the different HPC sites. In this BoF, we want to bring together the community to identify how to overcome the challenges and foster a critical discussion for this often neglected topic.
The BoF takes place as part of ISC HPC.
Date | May 24th 2023, 13:00-14:00 | ||
Venue | CCH, Hamburg | ||
Contact | Trevor Khwam Tabougua |
This BoF is powered by the NHR, the Virtual Institute for I/O, DECICE and KISSKI.
Organisation
The BoF is organised by
- Trevor Khwam Tabougua (GWDG) trevor-khwam.tabougua@gwdg.de
- Julian Kunkel (Georg-August-Universität Göttingen/GWDG), julian.kunkel@gwdg.de
- Fabian Lingenhöl (KIT)
Agenda
- 13:00 Welcome – Trevor Khwam Tabougua, Julian Kunkel, Fabian Lingenhöl – Slides
- Lightning talks bootstrapping the discussion
- Challenges with HPC securiy – Trevor Khwam Tabougua – Slides
- 2FA + SSH: A creative solution for secure, user-friendly HPC authentication – Fabian Lingenhöl – Slides
- Discussion of the Security Concepts at NHR@Göttingen from 1000 feets – Hendrik Nolte – Slides
- Zero trust ingredients for a modern datacenter – CJ Newburn – Slides
- 13:20 Interactive survey followed by a discussion
- Admin questionnaire (links are now closed)
- User questionnaire (links are now closed)