HEPiX Security Workshop



Presentation Transcript


1. HEPiX Security Workshop
• Overview of talks
• Some extracts of general interest
  • LCG Security Group
  • FNAL, KEK, CERN, SLAC
• Worrying trends
• Summary
Denise Heagerty, CERN, HEPiX Meeting Oct 2003

2. HEPiX Security Workshop - Overview
• Security Updates:
  • LCG (Dave Kelsey)
  • KEK (Fukuko Yuasa)
  • CERN (Denise Heagerty)
• Recent security events:
  • Recent security holes and their impact (Bob Cowles, SLAC)
  • Response to Blaster and Sobig worms at CERN (Alberto Pace, CERN)
• System security:
  • Farm nodes (Vlado Bahyl, CERN – presented by Thorsten Kleinwort)
  • Cluster security (Alf Wachsmann, SLAC)
• Introduction to deploying PKI
  • Alberto Pace, CERN
• Incident Response
  • Sharing opportunities (Matt Crawford, FNAL)
  • Experience with a Grid incident (Dane Skow, FNAL)
• Open discussion session
  • Sharing opportunities follow up
  • LCG security risk analysis

3. LCG Security Group - Mandate
• To advise and make recommendations to the Grid Deployment Manager and the GDB on all matters related to LCG-1 Security
  • GDB makes the decisions
• To continue work on the mandate of GDB WG3
  • Policies and procedures on Registration, Authentication, Authorization and Security
• To produce and maintain
  • Implementation Plan (first 3 months, then for 12 months)
  • Acceptable Use Policy/Usage Guidelines
  • LCG-1 Security Policy
• Where necessary recommend the creation of focussed task-forces made up of appropriate experts
  • E.g. the “Security Contacts” group
(n.b. GDB = Grid Deployment Board)

4. LCG Security Group - Membership
• Experiment representatives/VO managers
  • Alberto Masoni, ALICE
  • Rich Baker, Anders Waananen, ATLAS
  • David Stickland, Greg Graham, CMS
  • Joel Closier, LHCb
• Site Security Officers
  • Denise Heagerty (CERN), Dane Skow (FNAL)
• Site/Resource Managers
  • Dave Kelsey (RAL) - Chair
• Security middleware experts/developers
  • Roberto Cecchini (INFN), Akos Frohner (CERN)
• LCG management and the CERN LCG team
  • Ian Bird, Ian Neilson
• Non-LHC experiments/Grids
  • Many sites also involved in other projects
  • Bob Cowles (SLAC)

5. LCG Security Group – Documents (http://cern.ch/proj-lcg-security)
6 documents approved to date:
• Security and Availability Policy for LCG
  • Prepared jointly with GOC task force
• Approval of LCG-1 Certificate Authorities
• Audit Requirements for LCG-1
• Rules for Use of the LCG-1 Computing Resources
• Agreement on Incident Response for LCG-1
• User Registration and VO Management
4 more still to be written (by GOC task force):
• LCG Procedures for Resource Administrators
• LCG Guide for Network Administrators
• LCG Procedure for Site Self-Audit
• LCG Service Level Agreement Guide

6. FNAL: The threat model has changed
Matt Crawford, FNAL:
• The common internet threat model is trusted endpoints on an insecure network.
• SSL, SSH, ipsec, and a myriad of host vulnerabilities have turned this backwards. We’ve got more communication security than host security.
• ... and it’s natural to believe that a message received on a secure channel can be trusted.
• See also: “The Internet is Too Secure Already,” by Eric Rescorla.
Note: Matt detected passwords on the HEPiX wireless network! Network encryption technology is available, but we’re not all using it…

7. KEK: MAC address registration
• Since Aug. 2003, MAC address registration is required to use KEK network
  • Without the registration, packets are not transferred
  • 4642 MAC address registered
• The port of the switch is configured dynamically
  • One MAC address belongs to one VLAN
• Also in the wireless LAN, MAC address registration is required since Apr. 2002.
  • KEK staff: 150 and Collaborator: 728
  • 68 Cisco Aironet stations
  • WEP
  • Annual registration renewal
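The slide describes a registration gate: an unregistered MAC address is not forwarded, each registered address maps to exactly one VLAN, and registrations must be renewed annually. The following is an added example modelling that gate (it is not KEK's code or data); the class and field names and the sample registry entries are constructed for illustration.

```python
# Added example modelling the KEK-style MAC registration gate (hypothetical names).
from dataclasses import dataclass
from datetime import date, timedelta
import re

RENEWAL_PERIOD = timedelta(days=365)  # "annual registration renewal"
TODAY = date(2003, 10, 1)             # constructed reference date for the demo

@dataclass
class Registration:
    vlan: int          # one MAC address belongs to one VLAN
    owner: str         # constructed label: "staff" or "collaborator"
    registered: date   # date of last (re)registration

def normalize_mac(mac: str) -> str:
    """Canonicalise 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'aa:bb:..' to
    lower-case colon form so lookups do not depend on the vendor's format."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class MacRegistry:
    def __init__(self) -> None:
        self._entries: dict[str, Registration] = {}

    def register(self, mac: str, vlan: int, owner: str, when: date) -> None:
        self._entries[normalize_mac(mac)] = Registration(vlan, owner, when)

    def decide(self, mac: str, today: date):
        """Return (forward, vlan, reason). Unregistered, malformed or expired
        addresses are not forwarded, matching 'packets are not transferred'."""
        try:
            key = normalize_mac(mac)
        except ValueError as exc:
            return (False, None, str(exc))
        entry = self._entries.get(key)
        if entry is None:
            return (False, None, "unregistered MAC address")
        if today - entry.registered > RENEWAL_PERIOD:
            return (False, None, "registration expired, annual renewal required")
        return (True, entry.vlan, f"{entry.owner} on VLAN {entry.vlan}")

# Constructed sample registry (not KEK data): one current, one stale entry.
registry = MacRegistry()
registry.register("00-11-22-33-44-55", vlan=10, owner="staff", when=date(2003, 8, 1))
registry.register("0011.2233.4466", vlan=20, owner="collaborator", when=date(2002, 4, 1))

if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "00:11:22:33:44:66", "de:ad:be:ef:00:01"):
        print(mac, registry.decide(mac, TODAY))
```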

8. Security incidents at KEK, Oct 2002 - Oct 2003
[Chart: Worm: 64%, unix root exploit: 28%]

9. CERN Incident Summary, 1 Jan 2001 - 30 Sep 2003
[Chart]

10. Blaster/Welchia Infection Sources @ SLAC
• 32% VPN
• 22% DHCP (reg, internal network)
• 20% Fixed IP
• 14% Infected during build / patch
• 12% Dialup
On vacation, laptop infected outside, etc.

11. Worrying Trends
• Break-ins are devious and difficult to detect
  • E.g. SucKIT rootkit
• Worms are spreading within seconds
  • Welchia infected new PCs during installation sequence
• Poorly secured systems are being targeted
  • Home and privately managed computers are a huge risk
• Break-ins occur before the fix is out
  • SPAM relays used a new hole before a patch and anti-virus available
• People are often the weakest link
  • Infected laptops are physically carried on site
  • Users continue to download malware and open tricked attachments
• Intruders and worms can do more damage
  • When?

12. HEPiX Security Workshop - Summary
• Blaster worm and its variants impacted all sites
• Hardware address registration is becoming normal
  • Required for access to wireless at TRIUMF meeting site
  • KEK (done), CERN (in progress), FNAL (soon), SLAC (planned), …
• VPN & portable systems pose a serious security risk
  • security check prior to DHCP network access planned by some sites (FNAL, SLAC, …)
  • Requires client to install software to be effective
• Security patches need to be timely and enforced
  • e.g. SLAC give deadlines and then force patches, including reboots
  • Visitors cannot rely on home site for patch and anti-virus updates
• HEPiX Security Workshop provided a useful exchange
  • high quality and a diverse range of talks
  • a security discussion list has been created to continue the good collaboration
