FNAL Configuration Management

Jack Schmidt

Cyber Security Workshop

May 23-24th 2006

configuration management
Configuration Management
  • Antivirus services for Windows, Linux, Macintosh
  • Patching services for Windows, Linux, Macintosh

CD/CSS/CSI

Fermi National Accelerator Lab

AV
  • AV Policy
    • All systems that offer Windows services (Samba servers, shares) must run AV
    • All Windows desktops and servers must run antivirus
  • AV Baseline
    • Defines AV service as a NIST Major Application
    • Provides service settings for clients (workstations/servers) and AV servers

Windows AV
  • Central Windows AV Service
    • Uses Symantec Enterprise (only AV, no firewall)
    • Built on cluster for failover*
    • AV Server contacts Symantec every 15 minutes for updates
    • Clients contact FNAL server every 30 minutes
    • Clients contact Symantec daily*
    • Clients available for all Windows systems on the FNAL network (DOE/University owned) except home-owned systems.
    • Service managed by Domain Administrators

Linux AV
  • Linux AV Service
    • No central service at this time*
    • Scientific Linux Fermi (SLF) distributed with ClamAV RPM
    • Samba servers required to run centrally supported AV software (ClamAV or Symantec)

Macintosh AV
  • Macintosh AV Service
    • Working with Symantec on using Windows central service.
    • Currently distribute client with no configuration settings*
    • Samba servers required to run centrally supported AV software (ClamAV or Symantec)

Windows Patching
  • Windows Patching Service
    • Designed by Windows Policy Committee
    • Patches reviewed and rated
    • Three Tier Solution:
      • Local Method
      • Site SMS Service*
      • Site WSUS Service
    • Site SMS & WSUS service managed by Domain Admins

Windows Patching
  • Microsoft Patch Flow
    • Domain Administrators examine patches on Patch Tuesday.
    • Review patches with Computer Security Team (CST)
    • Patches rated/required date set:
      • FNAL Mandatory: required for the system to remain on the network
      • FNAL Recommended

To: banditos@fnal.gov;

Subject: May, 2006 Microsoft Patches

MANDATORY Patches:

Due Date: None at this time

RECOMMENDED Patches:

Due Date: 6-15-2006

The following is a link to the May, 2006 Microsoft list of critical and important patches.

http://www.microsoft.com/technet/security/bulletin/ms06-may.mspx

Except for any patches that have been deemed Mandatory by CST, these patches should be applied within one month at your earliest convenience using patch deployment tools. If you are a subscriber to the central lab SMS facility, additional information can be found at

http://#####/private/sms/patchrollup/

An announcement to all SMS OU administrators will be sent out once a SMS package is available. If you need the patches, you can also obtain them from \\#####\fermi-rollup.

Please note: The above patches have been flagged as either important or critical from Microsoft and should be installed on Windows systems at your earliest convenience. Some or all of the above may become mandated by CST and could become mandatory to allow your system to be on the Fermilab campus network.

-- The Windows Domain Admins

Windows Patching
  • Microsoft Patch Flow (cont):
    • Domain Admins build SMS packages
    • Workstation/Server Admins distribute to systems by given date
      • CST may require central rollout of patch by Domain Admins
    • WSUS applies mandatory patch to systems after due date
      • Active Directory GPO points domain systems at our WSUS instead of Microsoft Update.

Windows Patching
  • Other Windows Patches
    • Notification via CIAC or vendor. Windows Policy Committee monitors lists.
    • Domain Admins meet with CST. Review importance of patch.
    • Patch rated/required date set
    • SMS package made available to Workstation/Server Admins for distribution

Windows Patching
  • Patch Tracking:
    • SMS queries used to track patch rollout regardless of the method used.
  • How Are We Doing?
    • Much better than visiting each system!
    • Delegated patch distribution a mixed bag: dependent on skill set of local admins.
    • Pushing for central rollout of all patches.
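The rating-and-due-date policy described on the patching slides (Mandatory patches carry a due date after which the system may not stay on the network; Recommended patches are to be applied within one month), evaluated against a per-system patch inventory of the kind the SMS queries return. This is an added example, not FNAL's tooling; the bulletin ids, host names and dates are constructed.

```python
"""Patch-rating and compliance tracker modelled on the flow above.
Constructed example: bulletin ids, hosts and dates are made up."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Rating:
    bulletin: str              # placeholder id, not a real bulletin
    mandatory: bool            # FNAL Mandatory vs FNAL Recommended
    released: date             # Patch Tuesday the bulletin shipped
    due: Optional[date] = None # required date set by CST / Domain Admins

    def deadline(self) -> date:
        # Recommended patches without an explicit date: one month from release
        return self.due or (self.released + timedelta(days=30))


@dataclass
class Host:
    name: str
    installed: set = field(default_factory=set)  # bulletin ids from inventory


def compliance(hosts, ratings, today):
    """Return {host: (block, overdue)}.

    block   - mandatory patches past their due date: the system may not
              remain on the network until they are applied
    overdue - recommended patches past the one-month window: follow up,
              no network action
    """
    report = {}
    for h in hosts:
        block, overdue = [], []
        for r in ratings:
            if r.bulletin in h.installed or today <= r.deadline():
                continue
            (block if r.mandatory else overdue).append(r.bulletin)
        report[h.name] = (sorted(block), sorted(overdue))
    return report


# Constructed ratings and inventory, standing in for the CST rating and an SMS query
RATINGS = [
    Rating("MS06-EX1", mandatory=True, released=date(2006, 5, 9), due=date(2006, 5, 23)),
    Rating("MS06-EX2", mandatory=False, released=date(2006, 5, 9), due=date(2006, 6, 15)),
]
HOSTS = [
    Host("ws-01", {"MS06-EX1", "MS06-EX2"}),
    Host("ws-02", {"MS06-EX2"}),
    Host("srv-03", set()),
]
```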

Linux Patching
  • Linux Patching Service
    • Designed by Our Linux Gurus
    • Errata review process
    • Service managed by SLF* Experts
    • FNAL uses YUM to distribute errata. SLF comes with YUM preconfigured for FNAL servers.

*SL: Scientific Linux (http://www.scientificlinux.org)

SLF: Scientific Linux Fermi

Linux Patching
  • SL(F) Errata Flow
    • Errata examined by SL(F) maintainers
    • Review errata with Computer Security Team (CST)
    • Errata rated/required date set.
    • Errata built by SL maintainers and released to SL community for testing.
    • After SL testing/feedback, errata moved to SLF servers and distributed.

Linux Patching
  • Linux Errata Flow (cont):
    • Clients check for errata from distribution servers nightly.
    • Clients check for mandatory errata hourly*

Linux Patching
  • Errata Tracking:
    • Building inventory system based on OCSInventory NG
  • How Are We Doing?
    • Central patching via YUM has been in use for years. Works well.
    • Local Admins have the ability to disable YUM updates.
    • SL caveat: errata must be built from source; commercial patching solutions can't be used.
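A check for the caveat above that local admins can disable YUM updates: audit a repo file for an errata repo that has been turned off, for signature checking switched off, and for exclude lists that would hold packages back. Added example, not FNAL's tooling; the repo file contents, repo ids and URL are constructed.

```python
"""Audit yum repo configuration for settings that would stop a client from
receiving errata.  Constructed example; repo ids and URLs are made up."""
import configparser

# Constructed stand-in for a file under /etc/yum.repos.d/
SAMPLE_REPO = """
[slf-errata]
name=Constructed errata repo
baseurl=http://repo.example.invalid/slf/errata
enabled=0
gpgcheck=1

[slf-base]
name=Constructed base repo
baseurl=http://repo.example.invalid/slf/base
enabled=1
gpgcheck=0
exclude=kernel* openssl*
"""

# Repos that site policy says must stay enabled (constructed id)
REQUIRED_REPOS = {"slf-errata"}


def audit_repos(text, required=REQUIRED_REPOS):
    """Return a list of (repo, finding) pairs to review.

    Assumes yum's defaults when a key is absent: enabled=1, gpgcheck=0.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for repo in cfg.sections():
        s = cfg[repo]
        if repo in required and s.get("enabled", "1") != "1":
            findings.append((repo, "required repo disabled"))
        if s.get("gpgcheck", "0") != "1":
            findings.append((repo, "gpgcheck off: unsigned packages accepted"))
        if s.get("exclude", "").strip():
            # excludes may be legitimate pinning, but they hide errata; flag for review
            findings.append((repo, "exclude set: " + s["exclude"]))
    for repo in sorted(required - set(cfg.sections())):
        findings.append((repo, "required repo missing"))
    return findings
```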

Macintosh Patching
  • Mac users must patch their own systems
  • No defined patch identification policy
  • Testing Central patching solutions
    • SMS add-ons (Vintela/Quest)
    • Apple Workgroup Server

Questions?
