HEPiX Autumn 2003

Triumf, Vancouver

Mainly Windows issues.

Gareth Smith. RAL PPD.


Overview

  • HEPiX/HEPNT web pages at:

    http://wwwhepix.web.cern.ch/wwwhepix/

    Contain links to this and recent meetings.

    • Summary by Alan Silverman

    • Videos of presentations as well as slides.

  • 73 attendees

  • Vendor talks/exhibits

    (RedHat, Microsoft, Parnasus, Ibrix)


Timetable

  • HEPiX-HEPNT first three days.

    • (first day largely site reports).

  • ‘Large Systems SIG’ / Security Workshop Thursday/Friday.

    • Parallel sessions Friday morning.


Windows in Site reports (1)

  • Oxford University

    • WTS (2000, 2003), Exchange (to 2003)

    • 200 PCs Win 2000 / XP.

  • SLAC

    • XP migration about complete (total 1700 systems).

    • Exchange from 5.5 to 2003.

  • TRIUMF

    • Use of SAMBA, WTS 2003 starting, Docushare.


Windows in Site reports (2)

  • LAL

    • IN2P3 forest across multiple sites (7 labs so far, 4 to join).

    • SMS for upgrades

  • CERN

    • New PCs with WXP (and/or LINUX)

    • Mail migration from Solaris servers to Exchange

    • Pilot WTS 2003; WebDAV

    • CPU cycles from Windows Screen saver for simulation.


Windows in Site reports (3)

  • GSI

    • Windows 2000 AD. Testing W2003.

  • DESY

    • Test migration to Windows XP summer 2003.

    • Install via RIS.

  • JLAB

    • Windows 2000 domain upgrade done.

  • NIKHEF

    • SUS used to update.

    • Install via RIS or GHOST


First Experiences using Windows Terminal Services on Server 2003

Alberto Pace for the IS group


Terminal Service Pilot at CERN

  • Approved by CERN Management on June 2003

  • 3 standard computers

    • desktop 2.4 GHz, 1 GB RAM, 40 GB mirrored disk

    • Usual scale-out architecture

    • Built-in load balancing

  • Supported freeware clients

    • Linux Redhat, Solaris being tested

    • Mac OS X

    • All recent Windows versions (98, Me, 2000, XP)

  • Thin clients simple to install & use

    • Internet Explorer 4 is enough on Windows

    • Simpler than the current ongoing effort on supporting Hummingbird Exceed


Options that were dropped

  • Platform-independent clients

    • HOBLink JWT Java applet, http://www.hob.de/www_us/

    • Not freeware, License cost prohibitive

  • Citrix ICA (http://www.citrix.com/)

    • Uniquely X11 based

    • No additional client software required on UNIX clients

    • Performance issue

    • Complex Licensing mode


Linux clients

  • rdesktop

    • freeware client

    • www.rdesktop.org

    • Source available

    • Compiled on Redhat standard IT version and Mandrake 9.0

  • tsclient

    • freeware front-end for rdesktop (XP look)

    • www.gnomepro.com/tsclient


Discussion with user representatives

  • A large majority of delegates requested to continue and extend the service

  • Continue the standard service for the core applications

    • A subset of the existing one

  • Envisage the possibility of having instances of TS nodes centrally maintained where a particular service provider could install his own software

    • LHCB build service

    • AB/CO controls applications, with managed JVM

    • ST/MA Asset Tracking and Maintenance Management

    • EP/SFT for several custom applications

    • IT/PS for some engineering applications

    • TH to read mail attachments for non-windows users


The proposed “standard Service”

  • Core set of applications for the standard service

    • Microsoft Office XP with Frontpage

    • Office XP Professional Multilanguage Pack (French, German, Italian)

    • Adobe Acrobat, Distiller, PDFMaker, Adobe PostScript Printer Driver

    • Putty 0.53b

    • CERN Client Printing Package

    • CERN Phonebook 2000

    • Zephyr

    • Symantec Antivirus Client

  • To be discussed

    • ActiveState Perl

    • Python

    • Visual Studio .NET

    • OpenAfs

      • OpenAFS has been one of the most welcome applications, but it had several technical issues

    • Microsoft MS Project 98 / MS Project 2002


Conclusion

  • A step forward in Linux / Windows / Mac integration

  • Freeware clients exist for all platforms

    • (except legacy Mac OS 8-9)

  • STOP or GO decision in November, based on manpower cost

    • LONG TERM COMMITMENT of 0.5 – 1 FTE


Web-based file systems and WebDAV gateway services to CERN DFS file system

Alexandre Lossent, Alberto Pace


The “Web” is part of the solution

  • Standard extensions to the HTTP protocol allow managing files on web servers as if they were part of the local file system

  • HTTP Extensions for Distributed Authoring (WebDAV IETF RFC 2518) have been widely adopted on all major OS

  • Several commercial and public-domain implementations exist


WebDAV

  • Web Distributed Authoring and Versioning

  • IETF RFC 2518 (February 1999)

    • http://ietf.org/rfc/rfc2518.txt

  • An extension to the HTTP protocol

    • New verbs (PROPFIND, MKCOL, LOCK...), headers and status codes

    • Uses XML to format information

  • Initially designed as a way to author web sites

    • Redundant with FPSE in the Windows world

    • Versioning is limited to file locking (check in/out)

    • Can be used as a low-end network filesystem

  • WebDAV Home page

    • http://webdav.org

    • See it also for related open-source projects


WebDAV today

  • File access:

    • Create / delete files and folders

    • Read / write files

    • Copy / Move / Delete / rename files and folders

  • Document locking

    • prevent the overwrite problem, where two or more collaborators write to the same resource without first merging changes

    • Allow implementation of offline folders

  • Properties

    • XML properties provide storage for arbitrary metadata
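As an added example (not from the talk), here are the mechanics the two slides above describe in working code: a PROPFIND request with its Depth header and XML body, and a parser for the 207 Multi-Status reply, including the lockdiscovery property that underpins the document-locking point. The host, the paths and the response below are constructed for illustration.

```python
"""Minimal WebDAV PROPFIND client logic (RFC 2518): build the request and
parse the 207 Multi-Status reply. Added example; SAMPLE_207 below is a
constructed response, not captured from any real server."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

DAV = "{DAV:}"  # the XML namespace WebDAV uses for all its elements


def build_propfind(path: str, host: str, depth: str = "1") -> str:
    """Return the raw PROPFIND request text for one collection.

    Depth: 1 lists the collection and its immediate members. Depth: infinity
    would enumerate the whole subtree in one request, which is why many
    servers refuse it."""
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<D:propfind xmlns:D="DAV:"><D:prop>'
        '<D:displayname/><D:getcontentlength/><D:resourcetype/><D:lockdiscovery/>'
        '</D:prop></D:propfind>'
    )
    headers = (
        f"PROPFIND {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Depth: {depth}\r\n"
        "Content-Type: text/xml; charset=utf-8\r\n"
        f"Content-Length: {len(body.encode())}\r\n\r\n"
    )
    return headers + body


def parse_multistatus(xml_text: str) -> List[Dict[str, object]]:
    """Turn a 207 Multi-Status body into one record per D:response."""
    root = ET.fromstring(xml_text)
    items: List[Dict[str, object]] = []
    for resp in root.iter(f"{DAV}response"):
        href = resp.findtext(f"{DAV}href", default="")  # direct child only
        propstat = resp.find(f"{DAV}propstat")
        prop = propstat.find(f"{DAV}prop") if propstat is not None else None
        is_collection = prop is not None and \
            prop.find(f"{DAV}resourcetype/{DAV}collection") is not None
        length: Optional[str] = prop.findtext(f"{DAV}getcontentlength") if prop is not None else None
        # An active lock shows up under lockdiscovery; another client holds it.
        locked = prop is not None and \
            prop.find(f"{DAV}lockdiscovery/{DAV}activelock") is not None
        items.append({
            "href": href,
            "collection": is_collection,
            "size": int(length) if length else None,
            "locked": locked,
        })
    return items


# Constructed reply to PROPFIND /dfs/users/alice/ with Depth: 1.
SAMPLE_207 = """<?xml version="1.0" encoding="utf-8"?>
<D:multistatus xmlns:D="DAV:">
  <D:response>
    <D:href>/dfs/users/alice/</D:href>
    <D:propstat>
      <D:prop>
        <D:displayname>alice</D:displayname>
        <D:resourcetype><D:collection/></D:resourcetype>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
  <D:response>
    <D:href>/dfs/users/alice/report.doc</D:href>
    <D:propstat>
      <D:prop>
        <D:displayname>report.doc</D:displayname>
        <D:getcontentlength>48128</D:getcontentlength>
        <D:resourcetype/>
        <D:lockdiscovery>
          <D:activelock>
            <D:locktype><D:write/></D:locktype>
            <D:lockscope><D:exclusive/></D:lockscope>
            <D:depth>0</D:depth>
            <D:owner>bob</D:owner>
            <D:timeout>Second-600</D:timeout>
            <D:locktoken><D:href>opaquelocktoken:constructed-example-token</D:href></D:locktoken>
          </D:activelock>
        </D:lockdiscovery>
      </D:prop>
      <D:status>HTTP/1.1 200 OK</D:status>
    </D:propstat>
  </D:response>
</D:multistatus>"""

if __name__ == "__main__":
    print(build_propfind("/dfs/users/alice/", "dfs.example.org"))
    for item in parse_multistatus(SAMPLE_207):
        print(item)
```

The parser reads only the direct `D:href` of each response, so the lock token's own `D:href` inside `lockdiscovery` is not mistaken for a resource path; a client that lists "files" naively from every href in the document gets that wrong.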


WebDAV tomorrow ?

  • Access control

    • Set / View / Modify Access Control lists using http

  • Versioning and Configuration Management

    • The V in WebDAV means “Versioning”

    • Document check-out, check-in

    • Retrieval of the history list

    • Offline files and folders

  • Other advanced features

    • Symbolic links

    • Ordered collections

    • Aggregated operations


WebDAV servers

  • Supported by all common web servers

    • Apache module mod_dav

    • WebDAV package in PHP PEAR

  • Built-in support in IIS 5 and 6

    • Need to activate appropriate HTTP verbs: PUT (write setting), PROPFIND (directory browsing setting)

    • Permissions are managed by NTFS ACLs

    • Microsoft adds a header to the WebDAV protocol for a HTTP GET to return a script’s output or its source (source access setting)



Summary

  • Use of WebDAV as interoperable network filesystem possible today

    • Can be applied to collaborative tools as well (Exchange)

  • Takes advantage of HTTP and XML ubiquity

    • Excellent level of interoperability for file access

    • Really reachable from any device / anywhere

  • Very simple to implement

  • But...

    • Still few implementation glitches

    • https support is still limited

    • Not a high-performance file system

    • Not a replacement for native file system (eg NTFS)

    • Permission management still requires custom implementations


CERN Print Manager

Michel Jouvin

LAL / IN2P3

[email protected]


CERN Print Manager Approach

  • 1 central database describing all printers

    • Printer server (in a dedicated DNS zone)

    • Driver to be used for each printer

      • Per OS version (currently W95, WNT, W2K)

    • Printer default settings

  • 1 client with 3 main components

    • PrntTray : Printing Control Center (main application)

    • LPRServ : LPR client (ability to show LPR transactions)

    • PrinterWizard : add/remove printers, change defaults


Client : PrntTray GUI


Multi-sites Configuration

  • Allows switching between different sets of parameters

    • Central database locations, LPR parameters, …

  • No conflict between sites

    • Different directories for data files

    • Different registry paths

  • Site definition in an INI file

    • Client can be distributed with several sites preconfigured

    • Easy addition of a new site


More information

  • [email protected]

  • http://printpackage.web.cern.ch/PrintPackage


Installation of W2K/WXP using the unattended.sourceforge.net project

Rosario Esposito (1), Francesco Maria Taurino (1,2), Gennaro Tortone (1)

(1) INFN - Napoli, (2) INFM - UDR Napoli

HEPiX/HEPNT 2003 – Vancouver


Unattended installation systems [2/3]

Unattended.sourceforge.net

It’s an OpenSource project to manage unattended installations of Windows 2K/XP workstations

  • Advantages:

    • No need of Windows and Active Directory at server side

    • Supports a large number of network adapters

    • Customizable partition scheme

    • No need of .msi format to deploy applications



Unattended installation systems [3/3]

Unattended.sourceforge.net

  • Disadvantages:

    • No user-friendly interfaces

    • Tuning of some perl scripts and batch files is required at server side to obtain a good site dependent installation system

    • No support for disk imaging based installations



Conclusion

  • Unattended.sourceforge.net is a valid alternative for Remote Installation Service (~OpenRIS !), primarily in a Unix-oriented server environment

  • It’s completely FREE and presents all of the advantages (and flaws) of an OpenSource project

  • It has interesting features, like the extreme flexibility of installation scripts

  • It’s not the optimal choice in the case of homogeneous hardware

  • No support for application deployment after the installation



Windows and UNIX Interoperability - tips, tricks, and secrets

Peter Skjøtt Larsen

Lead PM

Microsoft Corporation


Client Options for UNIX code

  • A number of alternatives exist today:

    • Improved UNIX clients with better applications

      • Better desktops apps for Linux, etc.

    • UNIX like environments on Win32 API

      • Cygwin, uwin, mks

    • UNIX emulation on Windows Kernel

      • Microsoft Services for Unix

    • Virtual Machines

      • Microsoft Virtual Server

    • Windows like environment on UNIX

      • Wine


All the comforts of home …

  • Replaces Posix subsystem (in Windows)

  • C Shell and Korn shell

  • Single-rooted file system

  • Symbolic links

  • Win32® programs

  • Terminals and other devices

  • Services and daemons

  • Man pages

  • X windows


Windows And SFU

(Architecture diagram. Layers shown: Hardware Abstraction Layer; Windows Kernel with win32k.sys, NFS Client/Server/Gateway, other device drivers, CDFS, FAT and NTFS; on top, the Win32 Subsystem beside the Interix Subsystem. The Windows side carries Windows applications, the Windows GUI, the Windows command shell, Windows system admin commands and networking, winsock and the Windows APIs. The SFU/Interix side carries UNIX applications, an X11R6 server, Motif, the UNIX SDK (gcc), open-source tools such as Apache, Tcl/Tk and bash, UNIX/XPG/POSIX.2 commands and utilities, UNIX shells, telnetd, BSD sockets and the UNIX/POSIX APIs; third-party components are marked separately in the colour legend.)

Managed Co-Existence with Virtual Server

(Diagram. Three stacks side by side, each with its own GUI or X11, shell, and commands and utilities: a Windows application on the Windows 2003 API and Windows 2003 Kernel; an NT 4.0 application on the NT 4.0 API and NT 4.0 Kernel; a UNIX application on the UNIX API and UNIX Kernel. The NT 4.0 and UNIX stacks run under Virtual Server, and everything sits on the Hardware Abstraction Layer.)


Virtualization Results

  • Linux app runs in the Windows environment with integrated …

    • User file store

    • Security context

    • Command execution environment

  • Access Linux transparently from Windows

  • Linux / UNIX apps run out of the box

  • Performance acceptable for many classes of apps


More info …

  • http://www.microsoft.com/windows2000/migrate/unix

    Email …

  • [email protected]

  • [email protected]


Windows Discussion (1)

  • Software Update Services.

    • Good results reported.

    • Care if using more than one way to update (SUS, SMS etc.). Varied internal mechanisms to decide if patch applied….

    • Need to reboot when required by SUS, otherwise there is a possibility of SUS blocking and not caching more updates.

    • Synchronize with Microsoft’s updates (Tuesdays).

    • Maybe issues of handling Windows 2000 and XP clients at same time.


Windows Discussion (2)

  • Suggestion of putting personal firewalls on all systems….

    • (Felt to be too complicated).

  • SLAC have contracted Microsoft to write a dll that will synchronize passwords between Active Directory and Kerberos.

    [email protected] – mailing list.

    [email protected] – to join.


Computer Security Update

Bob Cowles, SLAC

[email protected]

Presented at HEPiX - TRIUMF

23 Oct 2003

Work supported by U. S. Department of Energy contract DE-AC03-76SF00515


SLAC Computer Security

Thinking evil thoughts

Protecting from evil deeds


Slammer Impact

(Chart; data not recoverable from the transcript.)


MSBlaster

(Chart with two annotations: MSBlaster released; MSBlaster at SLAC.)

Microsoft @ Stanford

  • Universities tend to be a worst case

  • Diverse, unmanaged

    • Population

    • Hardware

    • Software

  • Unlikely to fit into AD model

  • Stanford had 8000 machines compromised by Blaster BEFORE students returned for classes


Conclusions

[Unchanged from last year]

  • Poor administration is still a major problem

  • Firewalls cannot substitute for patches

  • Multiple levels of virus/worm protection are necessary

  • Clue is more important than open source


CERN’s Computer Security Challenge

Denise Heagerty,

CERN Computer Security Officer



Site Security: actions in progress

  • Hardware address registration enforced for computers using DHCP (wireless, portables)

    • Allows the user to be informed of problems

    • Started for some buildings, rest of site before Xmas

  • Off-site FTP closure

    • Firewall block planned for 20 Jan 2004

  • AFS password expiry enforcement

    • Forced annual password changes + email warnings

    • Already enforced for Windows/Mail passwords

  • Network connection Rules

    • Defines acceptable network and security practice

    • System admins must agree before connecting systems


Worrying Trends

  • Break-ins are devious and difficult to detect

    • E.g. SucKIT rootkit

  • Worms are spreading within seconds

    • Welchia infected new PCs during installation sequence

  • Poorly secured systems are being targeted

    • Home and privately managed computers are a huge risk

  • Break-ins occur before the fix is out

    • SPAM relays used a new hole before a patch and anti-virus available

  • People are often the weakest link

    • Infected laptops are physically carried on site

    • Users continue to download malware and open tricked attachments

  • Intruders and worms can do more damage

    • When?


What more can be done?

  • Restrict/eliminate direct modem access

    • Firewall protection has proved to be necessary

    • Modem access is provided by ISPs

  • Reduce the need for VPN to access CERN services

    • Offer popular services to the general Internet: mail, authenticated web sites, file access, …

  • Further enhance firewall protections

    • database driven and based on requirements

  • Enhance system and application security

    • Some patches need deadlines and forced reboots

    • Security & anti-virus updates should not rely on home site access

    • Personal firewalls can reduce risk and buy time

  • Improve security awareness

    • Common messages across the HEP community would help


How CERN reacted to the Blaster and Sobig virus attack

Christian Boissat, Alberto Pace, Andreas Wagner


CERN results and effort involved

Infected Systems: Blaster/Welchia (~300), Sobig (12)

(Table of effort at end of August, in FTE weeks; figures not recoverable from the transcript.)

NB: Does not include effort in other Divisions

The hotfix webpage was visited 12’200 times in August

The emergency measures page 2600 times in second half of August


Conclusion

  • Despite this “negative” presentation, all CERN Central computing services and its network continued to work without interruption

  • Standard users (more than 95 %) also continued to work as usual

  • Unmanaged computers were heavily affected

    • Many visitor computers were not up-to-date for virus and patches

    • Owners of unregistered computers could not be contacted and informed

    • This is the lesson to learn

  • However, this has triggered additional efforts to further improve patch distribution methods and to reduce further the deployment time

    • Everybody now takes security more seriously and we did not need a catastrophic disaster to achieve this


A walk through a Grid Security Incident

HEPiX

Vancouver, October 24, 2004

Dane Skow, Fermilab


AFS and User Private Keys

  • Many users have home areas in AFS.

  • Many users do not understand how AFS access control lists work.

    • It is easy for users to leave their private keys world readable in AFS space.

  • Should one proactively create a .globus directory in all users $HOME with the proper permissions ?

  • What about SSH RSA keys, browser credential caches, PGP keys, …


The Stats

  • Of 18 directories, 14 were world readable. 11 had valid certificates.

  • After 40 days, 8 had still not been revoked. 3 directories were still readable. 1 new exposure had occurred.

  • Distribution of sources

    • 5 DOEGrids

    • 5 DOESciencegrids

    • 1 Princeton self-signed
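The two slides above (the AFS exposure and the resulting statistics) suggest a routine check a site can run on its own users' directories. The following is an added example, not code from the talk or from Fermilab: it parses the output of OpenAFS `fs listacl` for credential directories and flags any that grant read rights to the site-wide groups `system:anyuser` or `system:authuser`, then produces the `fs setacl` commands that remove those entries. The directory names treated as sensitive and the ACL listings below are constructed assumptions for the example.

```python
"""Audit OpenAFS `fs listacl` output for credential directories that are
readable by everyone. Added example; SAMPLE_LISTACL is constructed to mimic
the `fs listacl` output format and does not describe any real site."""
import re
from typing import Dict, List, Tuple

# Directories holding long-term secrets (assumed list for this example):
# Grid certificates/keys, SSH keys, PGP keys.
SENSITIVE_DIRS = (".globus", ".ssh", ".gnupg")

# AFS groups that mean "every AFS user" (authuser) or "anyone at all,
# including unauthenticated clients" (anyuser).
WORLD_GROUPS = ("system:anyuser", "system:authuser")

AclTable = Dict[str, Dict[str, str]]
Finding = Tuple[str, str, str]  # (path, principal, rights)


def parse_listacl(text: str) -> AclTable:
    """Parse concatenated `fs listacl` listings into {path: {principal: rights}}.

    Only the 'Normal rights' section is recorded. Negative rights can only
    take access away, so ignoring them errs on the side of reporting."""
    acls: AclTable = {}
    current = None
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Access list for (.+) is$", line)
        if m:
            current = m.group(1)
            acls[current] = {}
            section = None
            continue
        if line == "Normal rights:":
            section = "normal"
            continue
        if line == "Negative rights:":
            section = "negative"
            continue
        parts = line.split()
        if current and section == "normal" and len(parts) == 2:
            acls[current][parts[0]] = parts[1]
    return acls


def _leaf(path: str) -> str:
    return path.rstrip("/").rsplit("/", 1)[-1]


def find_exposures(acls: AclTable) -> List[Finding]:
    """Sensitive directories where a world group holds 'r' (read file contents).
    'l' (lookup) alone reveals file names but not key material, so it is
    not treated as an exposure here."""
    findings: List[Finding] = []
    for path, entries in acls.items():
        if _leaf(path) not in SENSITIVE_DIRS:
            continue
        for principal, rights in entries.items():
            if principal in WORLD_GROUPS and "r" in rights:
                findings.append((path, principal, rights))
    return findings


def remediation_commands(findings: List[Finding]) -> List[str]:
    """`fs setacl ... none` drops the group's entry from the directory ACL."""
    return [f"fs setacl -dir {path} -acl {group} none" for path, group, _ in findings]


def summarize(acls: AclTable) -> Tuple[int, int]:
    """(number of sensitive directories seen, number with a world-readable ACL),
    the same two figures the slide reports."""
    sensitive = [p for p in acls if _leaf(p) in SENSITIVE_DIRS]
    exposed = {p for p, _, _ in find_exposures(acls)}
    return len(sensitive), len(exposed)


# Constructed sample: four directories under a fictitious AFS cell.
SAMPLE_LISTACL = """Access list for /afs/example.org/user/a/alice/.globus is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
  alice rlidwka
Access list for /afs/example.org/user/b/bob/.globus is
Normal rights:
  system:administrators rlidwka
  bob rlidwka
Access list for /afs/example.org/user/b/bob/.ssh is
Normal rights:
  system:administrators rlidwka
  system:authuser l
  bob rlidwka
Access list for /afs/example.org/user/c/carol/public_html is
Normal rights:
  system:anyuser rl
  carol rlidwka
"""

if __name__ == "__main__":
    table = parse_listacl(SAMPLE_LISTACL)
    for finding in find_exposures(table):
        print("EXPOSED:", *finding)
    print("\n".join(remediation_commands(find_exposures(table))))
    print("sensitive dirs, exposed:", summarize(table))
```

In practice the input comes from running `fs listacl` over each user's candidate directories (for example from a cron job with administrator tokens) and piping the concatenated output into `parse_listacl`; on the sample, only alice's `.globus` is flagged, bob's `.ssh` is not (lookup only), and carol's `public_html` is deliberately public and outside the sensitive list.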


Opportunities for collective incident response ... and prevention

  • Matt Crawford

  • Fermilab

  • HEPiX, October 2003


Collective Incident Response

  • Receive report or detect activity.

  • Gather additional information.

  • Evaluate.

  • Take immediate steps, if indicated.

  • Estimate effects on/implications for other sites.

  • Plan corrective action.

  • Notify (or consult) management.

  • Notify affected and other concerned parties.

  • Carry out corrective plan.

  • Assess performance and current security posture.


A Problem Statement

  • The common internet threat model is trusted endpoints on an insecure network.

  • SSL, SSH, ipsec, and a myriad of host vulnerabilities have turned this backwards. We’ve got more communication security than host security.

    • ... and it’s natural to believe that a message received on a secure channel can be trusted.

  • See also: “The Internet is Too Secure Already,” by Eric Rescorla.


Live It?

  • That’s not so bad, in relative terms.

    • At the last meeting, 6x the people exposed 18x the passwords in the same time period.

    • The bad news: that was GGF.


Security Discussion

  • Concern about GRID firewall holes.

  • Idea of information page(s) for visitors to a site.

  • Set-up e-mail list for Security information.

    • (Contact [email protected]).

    • Note: This is not for Security alerts.

  • Need laptops updated before they leave home institute.

    • And ability to update them when away.


Lots of Other Interesting Talks

  • Root Kit Protection and Detection

  • SPAM fighting (two talks – GSI, Triumf)

  • Console management on farms

  • ……..

    Next meeting in Edinburgh.

