
FNAL Configuration Management


Presentation Transcript


  1. FNAL Configuration Management
     Jack Schmidt, Cyber Security Workshop, May 23-24th 2006

  2. Configuration Management
  • Antivirus services for Windows, Linux, Macintosh
  • Patching services for Windows, Linux, Macintosh
  CD/CSS/CSI Fermi National Accelerator Lab

  3. AV
  • AV Policy
    • All systems that offer Windows services must run AV (Samba servers, shares)
    • All Windows desktops and servers must run antivirus
  • AV Baseline
    • Defines AV service as a NIST Major Application
    • Provides service settings for clients (workstations/servers) and AV servers

  4. Windows AV
  • Central Windows AV Service
    • Uses Symantec Enterprise (only AV, no firewall)
    • Built on cluster for failover*
    • AV server contacts Symantec every 15 minutes for updates
    • Clients contact FNAL server every 30 minutes
    • Clients contact Symantec daily*
    • Clients available for all Windows systems on the FNAL network (DOE/University owned) except home-owned systems
    • Service managed by Domain Administrators

  5. Linux AV
  • Linux AV Service
    • No central service at this time*
    • Scientific Linux Fermi (SLF) distributed with ClamAV RPM
    • Samba servers required to run centrally supported AV software (ClamAV or Symantec)

  6. Macintosh AV
  • Macintosh AV Service
    • Working with Symantec on using Windows central service
    • Currently distribute client with no configuration settings*
    • Samba servers required to run centrally supported AV software (ClamAV or Symantec)

  7. Windows Patching
  • Windows Patching Service
    • Designed by Windows Policy Committee
    • Patches reviewed and rated
    • Three-tier solution:
      • Local method
      • Site SMS service*
      • Site WSUS service
    • Site SMS & WSUS service managed by Domain Admins

  8. Windows Patching
  • Microsoft Patch Flow
    • Domain Administrators examine patches on Patch Tuesday
    • Review patches with Computer Security Team (CST)
    • Patches rated/required date set:
      • FNAL Mandatory: required for system to be on network
      • FNAL Recommended

  9. To: banditos@fnal.gov
     Subject: May, 2006 Microsoft Patches

     MANDATORY Patches: Due Date: None at this time
     RECOMMENDED Patches: Due Date: 6-15-2006

     The following is a link to the May, 2006 Microsoft list of critical and important patches.
     http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx

     Except for any patches that have been deemed Mandatory by CST, these patches should be applied within one month at your earliest convenience using patch deployment tools.

     If you are a subscriber to the central lab SMS facility, additional information can be found at http://#####/private/sms/patchrollup/
     An announcement to all SMS OU administrators will be sent out once a SMS package is available.
     If you need the patches, you can also obtain them from \\#####\fermi-rollup.

     Please note: The above patches have been flagged as either important or critical from Microsoft and should be installed on Windows systems at your earliest convenience. Some or all of the above may become mandated by CST and could become mandatory to allow your system to be on the Fermilab campus network.

     -- The Windows Domain Admins

  10. Windows Patching
  • Microsoft Patch Flow (cont.):
    • Domain Admins build SMS packages
    • Workstation/Server Admins distribute to systems by given date
    • CST may require central rollout of patch by Domain Admins
    • WSUS applies mandatory patch to systems after due date
    • Active Directory GPO points domain systems at our WSUS instead of Microsoft Update

  11. Windows Patching
  • Other Windows Patches
    • Notification via CIAC or vendor; Windows Policy Committee monitors lists
    • Domain Admins meet with CST to review importance of patch
    • Patch rated/required date set
    • SMS package made available to Workstation/Server Admins for distribution

  12. Windows Patching
  • Patch Tracking:
    • SMS queries used to track patch rollout regardless of the distribution method used
  • How Are We Doing?
    • Much better than visiting each system!
    • Delegated patch distribution a mixed bag: dependent on skill set of local admins
    • Pushing for central rollout of all patches

  13. Linux Patching
  • Linux Patching Service
    • Designed by our Linux gurus
    • Errata review process
    • Service managed by SLF* experts
    • FNAL uses YUM to distribute errata; SLF comes with YUM preconfigured for FNAL servers
  * SL: Scientific Linux (http://www.scientificlinux.org); SLF: Scientific Linux Fermi

  14. Linux Patching
  • SL(F) Errata Flow
    • Errata examined by SL(F) maintainers
    • Review errata with Computer Security Team (CST)
    • Errata rated/required date set
    • Errata built by SL maintainers and released to SL community for testing
    • After SL testing/feedback, errata moved to SLF servers and distributed

  15. Linux Patching
  • Linux Errata Flow (cont.):
    • Clients check for errata from distribution servers nightly
    • Clients check for mandatory errata hourly*

  16. Linux Patching
  • Errata Tracking:
    • Building inventory system based on OCS Inventory NG
  • How Are We Doing?
    • Central patching via YUM has been in use for years; works well
    • Local admins have the ability to disable YUM updates
    • SL caveat: must build errata from source; can't use commercial patching solutions
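The tracking step on slides 12 and 16 is where the rating scheme of slides 8 and 10 (Mandatory with a due date that gates network access, Recommended with a softer due date) meets the inventory data. The script below is an added example and is not code from the presentation or from Fermilab: it parses an announcement laid out like the Domain Admins mail on slide 9, takes a constructed inventory in the shape an SMS or OCS Inventory query might return (hostname, installed patch ids, last report date), and classifies each system. Patch ids (EX-nnn), hostnames, dates and the 14-day staleness threshold are all assumptions made for the example; the "stale" class exists because a system that has not reported in cannot honestly be called compliant.

```python
import re
from datetime import date

# Constructed announcement, laid out like the Domain Admins mail on slide 9.
# Patch ids (EX-nnn) and dates are made up for this example.
ANNOUNCEMENT = """\
To: banditos@fnal.gov
Subject: Example Microsoft Patches
MANDATORY Patches: EX-001 Due Date: 6-1-2006
RECOMMENDED Patches: EX-002, EX-003 Due Date: 6-15-2006
"""

# Constructed inventory rows, in the shape an SMS or OCS Inventory query
# might return: (hostname, installed patch ids, date the system last reported).
INVENTORY = [
    ("ws-lab-01", {"EX-001", "EX-002", "EX-003"}, "2006-06-10"),
    ("ws-lab-02", {"EX-002"}, "2006-06-10"),
    ("srv-cal-01", {"EX-001"}, "2006-06-09"),
    ("ws-old-07", {"EX-001"}, "2006-04-30"),   # has not reported in weeks
]

STALE_DAYS = 14   # assumed threshold; not a figure from the presentation

LINE_RE = re.compile(
    r"^(?P<rating>MANDATORY|RECOMMENDED) Patches:\s*(?P<ids>.*?)\s*Due Date:\s*(?P<due>.+?)\s*$"
)
RANK = {"compliant": 0, "pending": 1, "overdue": 2, "blocked": 3}


def parse_due_date(text):
    """Dates in the mail are written M-D-YYYY; anything else ('None at this time') means no due date."""
    m = re.fullmatch(r"(\d{1,2})-(\d{1,2})-(\d{4})", text.strip())
    if not m:
        return None
    month, day, year = (int(x) for x in m.groups())
    return date(year, month, day)


def parse_announcement(text):
    """Return {patch_id: (rating, due_date-or-None)} from a mail body."""
    requirements = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        due = parse_due_date(m.group("due"))
        for pid in (p.strip() for p in m.group("ids").split(",")):
            if pid:
                requirements[pid] = (m.group("rating"), due)
    return requirements


def as_date(value):
    """Accept either a date or an ISO 8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def system_status(installed, last_report, requirements, today):
    """Classify one system: 'stale', 'blocked', 'overdue', 'pending' or 'compliant'."""
    if (today - as_date(last_report)).days > STALE_DAYS:
        return "stale"           # inventory too old to say anything
    worst = "compliant"
    for pid, (rating, due) in requirements.items():
        if pid in installed:
            continue
        if due is None or today <= due:
            status = "pending"   # not yet due
        elif rating == "MANDATORY":
            status = "blocked"   # past a mandatory due date: may not be on the network
        else:
            status = "overdue"   # recommended patch past its due date
        if RANK[status] > RANK[worst]:
            worst = status
    return worst


def compliance_report(announcement, inventory, today):
    """Map each hostname in the inventory to its worst status as of `today`."""
    today = as_date(today)
    reqs = parse_announcement(announcement)
    return {host: system_status(inst, last, reqs, today) for host, inst, last in inventory}


if __name__ == "__main__":
    for host, status in compliance_report(ANNOUNCEMENT, INVENTORY, "2006-06-10").items():
        print(f"{host:12} {status}")
```

Run on the constructed data as of 2006-06-10, the report marks ws-lab-02 "blocked" (missing the mandatory patch after its due date), srv-cal-01 "pending" (recommended patches not yet due) and ws-old-07 "stale"; rerun on 2006-06-20, srv-cal-01 becomes "overdue". The same shape works for the Linux errata flow: replace the announcement parser with whatever the SLF maintainers publish and the inventory rows with OCS Inventory output.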

  17. Macintosh Patching
  • Mac users must patch their own systems
  • No defined patch identification policy
  • Testing central patching solutions:
    • SMS add-ons (Vintela/Quest)
    • Apple Workgroup Server

  18. Questions?
