CERN Security

HEPiX Security Workshop

   Overview of talks
   Some extracts of general interest
       LCG Security Group
       FNAL, KEK, CERN, SLAC
   Worrying trends
   Summary




                     Denise Heagerty, CERN, HEPiX Meeting Oct 2003   1
              HEPiX Security Workshop - Overview

   Security Updates:
       LCG (Dave Kelsey)
       KEK (Fukuko Yuasa)
       CERN (Denise Heagerty)
   Recent security events:
       Recent security holes and their impact (Bob Cowles, SLAC)
       Response to Blaster and Sobig worms at CERN (Alberto Pace, CERN)
   System security:
       Farm nodes (Vlado Bahyl, CERN – presented by Thorsten Kleinwort)
       Cluster security (Alf Wachsmann, SLAC)
   Introduction to deploying PKI
       Alberto Pace, CERN
   Incident Response
       Sharing opportunities (Matt Crawford, FNAL)
       Experience with a Grid incident (Dane Skow, FNAL)
   Open discussion session
       Sharing opportunities follow up
       LCG security risk analysis


             LCG Security Group - Mandate

   To advise and make recommendations to the Grid Deployment
    Manager and the GDB on all matters related to LCG-1 Security
       GDB makes the decisions
   To continue work on the mandate of GDB WG3
       Policies and procedures on Registration, Authentication, Authorization and
        Security
   To produce and maintain
       Implementation Plan (first 3 months, then for 12 months)
       Acceptable Use Policy/Usage Guidelines
       LCG-1 Security Policy
   Where necessary recommend the creation of focussed task forces made up of appropriate experts
       E.g. the “Security Contacts” group
(n.b. GDB = Grid Deployment Board)

             LCG Security Group - Membership

   Experiment representatives/VO managers
       Alberto Masoni, ALICE
       Rich Baker, Anders Waananen, ATLAS
       David Stickland, Greg Graham, CMS
       Joel Closier, LHCb
   Site Security Officers
       Denise Heagerty (CERN), Dane Skow (FNAL)
   Site/Resource Managers
       Dave Kelsey (RAL) - Chair
   Security middleware experts/developers
       Roberto Cecchini (INFN), Akos Frohner (CERN)
   LCG management and the CERN LCG team
       Ian Bird, Ian Neilson
   Non-LHC experiments/Grids
       Many sites also involved in other projects
       Bob Cowles (SLAC)


           LCG Security Group – Documents
           (http://cern.ch/proj-lcg-security)

6 documents approved to date
  Security and Availability Policy for LCG
       Prepared jointly with GOC task force
  Approval of LCG-1 Certificate Authorities
  Audit Requirements for LCG-1
  Rules for Use of the LCG-1 Computing Resources
  Agreement on Incident Response for LCG-1
  User Registration and VO Management
4 more still to be written (by GOC task force)
  LCG Procedures for Resource Administrators
  LCG Guide for Network Administrators
  LCG Procedure for Site Self-Audit
  LCG Service Level Agreement Guide
             FNAL: The threat model has changed

Matt Crawford, FNAL:
The common internet threat model is trusted endpoints on an insecure network.
   SSL, SSH, ipsec, and a myriad of host vulnerabilities have turned this backwards.
We’ve got more communication security than host security.
... and it’s natural to believe that a message received on a secure channel can be trusted.

   See also: “The Internet is Too Secure Already,” by Eric Rescorla.

Note: Matt detected passwords on the HEPiX wireless network! Network
encryption technology is available, but we’re not all using it…
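The passwords Matt observed on the workshop wireless are exactly what a passive listener on a shared segment picks out. As an added example, not a tool from the talk, the following detector runs over constructed captured payloads: it reports FTP, POP3 and IMAP logins and HTTP Basic authorization headers, and skips SSH and TLS traffic, where the channel is encrypted. It also illustrates the flip side of the threat-model point above: the encrypted channels yield nothing to the sniffer, but that says nothing about whether the host at either end is clean. The addresses, usernames and passwords are constructed.

```python
import base64
import binascii
import re

# Added example: passive detector for credentials sent in the clear on a shared
# segment (e.g. an unencrypted wireless LAN). Not from the talk; the payloads
# below are constructed. Each record is (source, destination port, TCP payload).
CAPTURED = [
    ("10.1.2.3", 21, b"USER alice\r\nPASS s3cret\r\n"),
    ("10.1.2.4", 110, b"USER bob@example.org\r\nPASS hunter2\r\n"),
    ("10.1.2.5", 143, b"a001 LOGIN dave letmein\r\n"),
    ("10.1.2.6", 80, b"GET /admin HTTP/1.1\r\nHost: www.example.org\r\n"
                     b"Authorization: Basic " + base64.b64encode(b"carol:pa55") + b"\r\n\r\n"),
    ("10.1.2.7", 22, b"SSH-2.0-OpenSSH_3.6.1p2\r\n"),        # encrypted after the banner
    ("10.1.2.8", 443, b"\x16\x03\x01\x00\x8a\x01\x00\x00"),  # TLS ClientHello: opaque
    ("10.1.2.9", 80, b"GET / HTTP/1.1\r\nHost: www.example.org\r\n\r\n"),  # no credential
]

# Ports whose login exchange is readable on the wire (telnet is left out only
# because its credentials arrive keystroke by keystroke and need reassembly).
PROTOCOLS = {21: "ftp", 80: "http", 110: "pop3", 143: "imap"}


def find_cleartext_credentials(packets):
    """Return (src, protocol, username, password) for every credential a passive
    listener could read. Encrypted protocols are skipped by port."""
    found = []
    for src, port, payload in packets:
        proto = PROTOCOLS.get(port)
        if proto is None:
            continue                                  # ssh, tls, ...: nothing readable
        text = payload.decode("latin-1")              # 1:1 byte mapping, never raises
        if proto in ("ftp", "pop3"):
            user = re.search(r"^USER (\S+)", text, re.M)
            pw = re.search(r"^PASS (\S+)", text, re.M)
            if user and pw:
                found.append((src, proto, user.group(1), pw.group(1)))
        elif proto == "imap":
            m = re.search(r"^\S+ LOGIN (\S+) (\S+)", text, re.M)
            if m:
                found.append((src, proto, m.group(1), m.group(2)))
        elif proto == "http":
            m = re.search(r"^Authorization: Basic (\S+)", text, re.M)
            if m:
                try:
                    decoded = base64.b64decode(m.group(1), validate=True).decode("latin-1")
                except binascii.Error:
                    continue                          # malformed header, not a credential
                user, sep, pw = decoded.partition(":")
                if sep:
                    found.append((src, proto, user, pw))
    return found


if __name__ == "__main__":
    for record in find_cleartext_credentials(CAPTURED):
        print("cleartext credential from %s over %s: %s / %s" % record)
```

Run against a real capture, the payloads would come from reassembled TCP streams rather than the list above; the matching logic is the same. The SSH and TLS records are included deliberately to show that "secure channel" protects the credential in transit and nothing more.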


             KEK: MAC address registration

   Since Aug. 2003, MAC address registration is required to use KEK
    network
       Without the registration, packets are not transferred
       4642 MAC address registered
   The port of the switch is configured dynamically
       One MAC address belongs to one VLAN
   Also in the wireless LAN, MAC address registration is required
    since Apr. 2002.
       KEK staff: 150 and Collaborator: 728
       68 Cisco Aironet stations
       WEP
       Annual registration renewal
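A registration check of the kind KEK describes, written here as an added example rather than KEK's own software: it normalizes the hardware address, maps one registered MAC to one VLAN, sends unregistered or expired addresses (more than a year since registration, matching the annual renewal) to a quarantine VLAN, and flags a MAC seen on two switch ports at once, which is the usual symptom of address cloning. The registry entries, switch log lines and VLAN numbers are constructed. A MAC address is a claim, not a credential: it is trivially spoofed, and WEP, listed on the slide, was already known to be breakable by 2003, so registration records who is meant to be on the network but does not by itself stop impersonation.

```python
import re
from datetime import date, timedelta

# Added example of a MAC-registration check like the one KEK describes; not KEK's code.
RENEWAL_PERIOD = timedelta(days=365)   # slide: annual registration renewal
QUARANTINE_VLAN = 999                   # assumed VLAN for unknown or expired addresses

# Constructed registry: normalized MAC -> (owner group, VLAN, registration date)
REGISTRY = {
    "00:40:96:a1:b2:c3": ("staff", 10, date(2003, 5, 2)),
    "00:0c:29:11:22:33": ("collaborator", 20, date(2002, 4, 10)),  # registered > 1 year ago
}


def normalize_mac(mac):
    """Accept 00-40-96-A1-B2-C3, 0040.96a1.b2c3 or 00:40:96:a1:b2:c3 and
    return the colon-separated lower-case form used as the registry key."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def decide_vlan(mac, today, registry=REGISTRY):
    """Return (status, vlan): one registered MAC belongs to exactly one VLAN;
    anything else lands in the quarantine VLAN, where packets are not forwarded."""
    entry = registry.get(normalize_mac(mac))
    if entry is None:
        return "unregistered", QUARANTINE_VLAN
    _group, vlan, registered_on = entry
    if today - registered_on > RENEWAL_PERIOD:
        return "expired", QUARANTINE_VLAN
    return "registered", vlan


# Constructed switch log, one line per MAC-table entry: "<switch> <port> <mac>"
SWITCH_LOG = """\
sw-b1 Gi0/1 0040.96a1.b2c3
sw-b1 Gi0/2 000c.2911.2233
sw-b2 Gi0/7 0040.96A1.B2C3
sw-b2 Gi0/8 0011.2233.4455
"""


def find_cloned_macs(log_text):
    """MACs present on more than one switch port at the same time. The registered
    address is the only thing this scheme checks, so cloning it is the obvious
    way round the control, and this is where a clone shows up."""
    ports_by_mac = {}
    for line in log_text.splitlines():
        switch, port, mac = line.split()
        ports_by_mac.setdefault(normalize_mac(mac), set()).add(f"{switch}/{port}")
    return {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}


def demo(today_iso="2003-10-01"):
    """Decisions for three constructed addresses on the given day."""
    today = date.fromisoformat(today_iso)
    return {mac: decide_vlan(mac, today)
            for mac in ("00-40-96-A1-B2-C3", "000c.2911.2233", "00:11:22:33:44:55")}


if __name__ == "__main__":
    for mac, decision in demo().items():
        print(mac, decision)
    print("seen on several ports:", find_cloned_macs(SWITCH_LOG))
```

The expiry branch is what makes "annual registration renewal" enforceable rather than a paperwork exercise: a stale entry is treated exactly like an unknown one.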




            Security incidents at KEK, Oct 2002 - Oct 2003

[Bar chart: security incidents per month at KEK, Oct 2002 to Oct 2003, stacked by
 category (Worm, Exploit, SPAM, Others); vertical axis 0 to 34 incidents]

         Worm: 64%, Unix root exploit: 28%
            CERN Incident Summary,
            1 Jan 2001- 30 Sep 2003
Incident Type                                2001   2002   2003 (to Sep)
System compromised (intruder has control)      59     31     26
    security holes in software (e.g. ssh, kernel, ICQ, IE)
Compromised CERN accounts                      42     25     27
    sniffed or guessed passwords
Serious viruses and worms                      11     21    305
    Blaster/Welchia (290), Sobig (12), Slammer (3)
Unauthorised use of file servers               13     21    119
    insufficient access controls, P2P file-sharing
Serious SPAM incidents                         15     16      1
    CERN email addresses are regularly forged
Miscellaneous security alerts                  11      9      6
Total incidents                               151    123    484

          Blaster/Welchia Infection Sources @ SLAC

   32%      VPN
   22%      DHCP (reg, internal network)
   20%      Fixed IP
               On vacation, laptop infected outside, etc.

   14%      Infected during build / patch
   12%      Dialup




            Worrying Trends
   Break-ins are devious and difficult to detect
       E.g. SucKIT rootkit
   Worms are spreading within seconds
       Welchia infected new PCs during installation sequence
   Poorly secured systems are being targeted
       Home and privately managed computers are a huge risk
   Break-ins occur before the fix is out
       SPAM relays used a new hole before a patch and anti-virus available
   People are often the weakest link
       Infected laptops are physically carried on site
       Users continue to download malware and open tricked attachments
   Intruders and worms can do more damage
       When?
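Blaster scanned for the RPC/DCOM service on TCP port 135; Welchia first swept address ranges with ICMP echo requests and then attacked port 135 (and the WebDAV hole on port 80). Both leave the same network symptom: one source contacting many distinct destinations with one signature inside a few seconds, which is what "spreading within seconds" looks like in flow data and how an infected laptop carried on site, or a VPN client, announces itself. The scan detector below is an added example over constructed flow records, not code from any site in the workshop; the window, threshold and addresses are assumptions.

```python
from collections import defaultdict, deque

# Added example: flag Blaster/Welchia-style scanners in flow records. Not code
# from CERN, SLAC, FNAL or KEK; the flows are constructed and the limits assumed.
WINDOW_S = 10    # assumed sliding window in seconds
THRESHOLD = 20   # assumed: distinct targets inside the window before alerting


def constructed_flows():
    """Flow records (ts, src, dst, proto, dport); for ICMP the last field is the
    ICMP type (8 = echo request). Addresses are made up for the example."""
    flows = []
    # Blaster-like host: 60 sequential targets on TCP/135 in about 6 seconds
    for i in range(60):
        flows.append((1062000000 + i // 10, "137.138.10.5", f"137.138.11.{i + 1}", "tcp", 135))
    # Welchia-like host: ICMP echo sweep of 80 addresses in about 4 seconds
    for i in range(80):
        flows.append((1062000100 + i // 20, "137.138.12.9", f"137.138.13.{i + 1}", "icmp", 8))
    # Legitimate client: 15 TCP/135 connections to one file server over two minutes
    for i in range(15):
        flows.append((1062000200 + i * 8, "137.138.14.2", "137.138.1.10", "tcp", 135))
    # Ordinary web browsing, not a worm signature at all
    flows.append((1062000300, "137.138.14.3", "192.0.2.10", "tcp", 80))
    return flows


def classify(proto, dport):
    """Map a flow onto one of the worm signatures we care about, or None."""
    if proto == "tcp" and dport == 135:
        return "tcp135-sweep"
    if proto == "icmp" and dport == 8:
        return "icmp-echo-sweep"
    return None


def scan_alerts(flows, window=WINDOW_S, threshold=THRESHOLD):
    """Return {(src, signature): first alert time} for every source that reaches
    >= threshold distinct destinations with one signature inside `window` seconds.
    Counting distinct destinations, not packets, keeps a chatty client that talks
    to a single server from tripping the rule."""
    per_key = defaultdict(list)
    for ts, src, dst, proto, dport in flows:
        label = classify(proto, dport)
        if label is not None:
            per_key[(src, label)].append((ts, dst))

    alerts = {}
    for key, events in per_key.items():
        events.sort()                      # flow exporters do not promise ordering
        recent = deque()
        for ts, dst in events:
            recent.append((ts, dst))
            while recent[0][0] < ts - window:
                recent.popleft()
            if len({d for _, d in recent}) >= threshold:
                alerts[key] = ts           # first moment the source looks like a scanner
                break
    return alerts


if __name__ == "__main__":
    for (src, label), ts in sorted(scan_alerts(constructed_flows()).items()):
        print(f"{ts} {src} {label}")
```

The detector is a response measure only. The slide's observation that Welchia infected machines during the installation sequence means the fix has to be upstream: install behind a firewall or from patched media, with detection there to catch what slips through and to locate the source quickly once it does.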

             HEPiX Security Workshop - Summary

   Blaster worm and its variants impacted all sites
   Hardware address registration is becoming normal
       Required for access to wireless at TRIUMF meeting site
       KEK (done), CERN (in progress), FNAL (soon), SLAC (planned), …
   VPN & portable systems pose a serious security risk
       security check prior to DHCP network access planned by some sites (FNAL, SLAC, …)
       Requires client to install software to be effective
   Security patches need to be timely and enforced
       e.g. SLAC give deadlines and then force patches, including reboots
       Visitors cannot rely on home site for patch and anti-virus updates
   HEPiX Security Workshop provided a useful exchange
       high quality and a diverse range of talks
       a security discussion list has been created to continue the good collaboration


				