HEPiX Security Workshop
• Overview of talks
• Some extracts of general interest
  • LCG Security Group
  • FNAL, KEK, CERN, SLAC
• Worrying trends
• Summary
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
HEPiX Security Workshop - Overview
• Security Updates:
  • LCG (Dave Kelsey)
  • KEK (Fukuko Yuasa)
  • CERN (Denise Heagerty)
• Recent security events:
  • Recent security holes and their impact (Bob Cowles, SLAC)
  • Response to Blaster and Sobig worms at CERN (Alberto Pace, CERN)
• System security:
  • Farm nodes (Vlado Bahyl, CERN – presented by Thorsten Kleinwort)
  • Cluster security (Alf Wachsmann, SLAC)
• Introduction to deploying PKI
  • Alberto Pace, CERN
• Incident Response
  • Sharing opportunities (Matt Crawford, FNAL)
  • Experience with a Grid incident (Dane Skow, FNAL)
• Open discussion session
  • Sharing opportunities follow up
  • LCG security risk analysis
LCG Security Group - Mandate
• To advise and make recommendations to the Grid Deployment Manager and the GDB on all matters related to LCG-1 Security
  • GDB makes the decisions
• To continue work on the mandate of GDB WG3
  • Policies and procedures on Registration, Authentication, Authorization and Security
• To produce and maintain
  • Implementation Plan (first 3 months, then for 12 months)
  • Acceptable Use Policy/Usage Guidelines
  • LCG-1 Security Policy
• Where necessary, recommend the creation of focussed task-forces made up of appropriate experts
  • E.g. the “Security Contacts” group
(n.b. GDB = Grid Deployment Board)
LCG Security Group - Membership
• Experiment representatives/VO managers
  • Alberto Masoni, ALICE
  • Rich Baker, Anders Waananen, ATLAS
  • David Stickland, Greg Graham, CMS
  • Joel Closier, LHCb
• Site Security Officers
  • Denise Heagerty (CERN), Dane Skow (FNAL)
• Site/Resource Managers
  • Dave Kelsey (RAL) - Chair
• Security middleware experts/developers
  • Roberto Cecchini (INFN), Akos Frohner (CERN)
• LCG management and the CERN LCG team
  • Ian Bird, Ian Neilson
• Non-LHC experiments/Grids
  • Many sites also involved in other projects
  • Bob Cowles (SLAC)
LCG Security Group – Documents (http://cern.ch/proj-lcg-security)
6 documents approved to date
• Security and Availability Policy for LCG
  • Prepared jointly with GOC task force
• Approval of LCG-1 Certificate Authorities
• Audit Requirements for LCG-1
• Rules for Use of the LCG-1 Computing Resources
• Agreement on Incident Response for LCG-1
• User Registration and VO Management
4 more still to be written (by GOC task force)
• LCG Procedures for Resource Administrators
• LCG Guide for Network Administrators
• LCG Procedure for Site Self-Audit
• LCG Service Level Agreement Guide
FNAL: The threat model has changed
Matt Crawford, FNAL:
• The common internet threat model is trusted endpoints on an insecure network.
• SSL, SSH, ipsec, and a myriad of host vulnerabilities have turned this backwards. We’ve got more communication security than host security.
• ... and it’s natural to believe that a message received on a secure channel can be trusted.
• See also: “The Internet is Too Secure Already,” by Eric Rescorla.
Note: Matt detected passwords on the HEPiX wireless network! Network encryption technology is available, but we’re not all using it…
KEK: MAC address registration
• Since Aug. 2003, MAC address registration is required to use the KEK network
  • Without the registration, packets are not transferred
  • 4642 MAC addresses registered
  • The port of the switch is configured dynamically
  • One MAC address belongs to one VLAN
• In the wireless LAN, MAC address registration has also been required since Apr. 2002
  • KEK staff: 150 and Collaborators: 728
  • 68 Cisco Aironet stations
  • WEP
  • Annual registration renewal
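An added example (not code from the talk or from KEK's network) of the admission decision a registration scheme like the one described makes: a frame from a registered address is forwarded on that address's VLAN, an unregistered or malformed address is dropped, and a registration older than the annual renewal period is dropped until renewed. The registry entries, owner ids and VLAN numbers are constructed sample data; locally administered addresses are flagged because they cannot be tied to a specific piece of hardware.

```python
import re
from datetime import date, timedelta

# Constructed sample registry (not KEK data): MAC -> (owner id, VLAN, registration date)
REGISTRY = {
    "00:40:96:a1:b2:c3": ("staff-0001", 10, date(2003, 8, 1)),
    "00:0c:29:12:34:56": ("collab-0042", 20, date(2002, 4, 15)),
    "02:11:22:33:44:55": ("collab-0099", 20, date(2003, 9, 1)),
}
RENEWAL_PERIOD = timedelta(days=365)  # annual registration renewal


def normalize_mac(raw: str) -> str:
    """Accept 00-40-96-A1-B2-C3, 0040.96a1.b2c3 or colon form; return lower-case colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac: str) -> bool:
    # Bit 1 of the first octet set: locally administered, i.e. software-assigned,
    # so the address says nothing about which physical device is on the port.
    return bool(int(mac[:2], 16) & 0x02)


def admission_decision(raw_mac: str, today: date, registry=REGISTRY):
    """Return (action, vlan, reason); action is 'forward' or 'drop'."""
    try:
        mac = normalize_mac(raw_mac)
    except ValueError as exc:
        return ("drop", None, str(exc))
    entry = registry.get(mac)
    if entry is None:
        return ("drop", None, "unregistered MAC address")
    owner, vlan, registered_on = entry
    if today - registered_on > RENEWAL_PERIOD:
        return ("drop", None, f"registration for {owner} expired, renewal due")
    reason = f"registered to {owner}"
    if is_locally_administered(mac):
        reason += " (locally administered address, not tied to hardware: review)"
    return ("forward", vlan, reason)
```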
Security incidents at KEK, Oct 2002 - Oct 2003
Worm: 64%, unix root exploit: 28%
CERN Incident Summary, 1 Jan 2001 - 30 Sep 2003
Blaster/Welchia Infection Sources @ SLAC
• 32% VPN
• 22% DHCP (reg, internal network)
• 20% Fixed IP
  • On vacation, laptop infected outside, etc.
• 14% Infected during build / patch
• 12% Dialup
Worrying Trends
• Break-ins are devious and difficult to detect
  • E.g. SucKIT rootkit
• Worms are spreading within seconds
  • Welchia infected new PCs during the installation sequence
• Poorly secured systems are being targeted
  • Home and privately managed computers are a huge risk
• Break-ins occur before the fix is out
  • SPAM relays used a new hole before a patch and anti-virus were available
• People are often the weakest link
  • Infected laptops are physically carried on site
  • Users continue to download malware and open tricked attachments
• Intruders and worms can do more damage
  • When?
HEPiX Security Workshop - Summary
• Blaster worm and its variants impacted all sites
• Hardware address registration is becoming normal
  • Required for access to wireless at the TRIUMF meeting site
  • KEK (done), CERN (in progress), FNAL (soon), SLAC (planned), …
• VPN & portable systems pose a serious security risk
  • A security check prior to DHCP network access is planned by some sites (FNAL, SLAC, …)
  • Requires the client to install software to be effective
• Security patches need to be timely and enforced
  • e.g. SLAC gives deadlines and then forces patches, including reboots
  • Visitors cannot rely on their home site for patch and anti-virus updates
• HEPiX Security Workshop provided a useful exchange
  • high quality and a diverse range of talks
  • a security discussion list has been created to continue the good collaboration