1 / 18

Lemon security

Lemon security. Previous security enhancements. user lemon : lemon-db-admin-OraMon will create user lemon (Miro). - OraMon switches to user lemon at its initd script (David). - ReadOnly and heartBeat files will be moved to /var/lib/OraMon (Miro, David)

mikkelsen
Download Presentation

Lemon security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Lemon security

  2. Previous security enhancements user lemon: lemon-db-admin-OraMon will create user lemon (Miro). - OraMon switches to user lemon at its initd script (David). - ReadOnly and heartBeat files will be moved to /var/lib/OraMon (Miro, David) - /etc/sysconfig/OraMon is owned by lemon, and is readable by user lemon only (David). Samples insertion access control: control what IPs (taken from CDB) may send samples to OraMon: - Investigate efficiency of using IPchains. Alternatives: per IP groups, (preferred, if possible) or per IP list Sensitive data to CDB 10) When CDB supports secure information via hppts, move sensitive EHD and OraMon config file information (user and password) from rpm to CDB. NCM OraMon component has to be changed accordingly (Gernam)  20) cdb get clusters: Needs to be configured for user/password as well (German).  TBD: how to provide to cdb get clusters and active alarm nodes the user and password of the 2 sql DBs: lemon and cdb

  3. Outline • Miro’s suggestions for OraMon security • David’s related thoughts

  4. Lemon security • Those who have access to CERN machines can openly interfere with Lemon, because it uses unsecure sockets

  5. Miro: security of OraMon As we have discussed before, iptables couldhelp us to restrict the domains, but I would take that a little bitfurther and asked for an authentication mechanism. • use ssl for  encryption and well as for the authentication. • Client (MSA) on install downloads the oramon's public key, createsa challenge and sends its own public key (host's key). It receivesback a reply with encoded clientID or with client's signature. • MSA uses oramon's public key to encrypt the message plusencapsulates the clientID. • oramon will store all of the allowed host's public keys inside database.

  6. Miro: security of OraMon. Cont. Performance overhead: encrypting the samples + having three way authentication would create an overhead… Currently we have about 10kB/s throughput, so having encryption on top of that should not be a problem (even if we scale to 400kB/s). Communication of OraMon to oracle server could over ssl – I think that in OCI oracle supports SSL.

  7. Enhance lemon security now?

  8. Extending OraMon security to lemon security • Sensor  MSA • MSA  OraMon • OraMon  Oracle • Client  Oracle • Client  OraMon (SOAP)

  9. 1) Sensor  MSA • (Since it is) TCP based, ssl may be added

  10. 2) MSA  OraMon • Pertains to many machines  big vulnerability • Requires changes at OraMon and at MSA • Is UDP based, hence SSL can not be used • What should be secured? • What machines speak to OraMon (iptables) • What users speak to OraMon • What applications speak to OraMon (feasible?) • Guideline: Prevent reinventing wheels – use standards, where possible • Candidate standard to secure UDP: IPSec

  11. TCP security alternatives SSL is also known by a new, IETF standard name: Transport Layer Security, or TLS

  12. UDP security alternatives • IPsec: + Is standard • - Complicated. Requires operating system support • SecureUPD: • http://plg.uwaterloo.ca/~aeehassa/home/papers/crypto/secureUDP.htm • - Is not standard

  13. IPSec • Strong security standard • Encryption & Encapsulation • Authentication & Anti-Replay • Key Management & Digital Signatures • Support of Unique Digital Certificates • Interoperability between the various IPSec compliant products • Is supported by Linux – as add-on http://www.freesoft.org/CIE/Topics/141.htm ipsec.doc • http://www.ipsec-howto.org/x180.html: Transport mode vs. tunnel mode • Usage of IPSec implies ‘tailoring’ of it into lemon

  14. OraMon  OracleTCP/IP with SSL Protocol Enables an Oracle application on a client to communicate with remote Oracle databases through TCP/IP and SSL. Oracle Advanced Security product needed in order to use TCP/IP with SSL. SSL stores authentication data, (certificates, private keys), in an Oracle Wallet. When the client initiates a connection to the database server, SSL performs a handshake between the two using the certificate: • The client and database server negotiate a cipher suite--a set of authentication, encryption, and data integrity types--to apply to the messages they exchange. • Depending on its configuration, the database server sends its certificate to the client in a message encrypted with the client's public key. The client decrypts this message by using its own private key, then verifies that the database server's certificate bears the certificate authority's signature. • If required, the client may send the user's certificate to the database server. The certificate ensures that the user's information is correct and that the public key actually belongs to that user. The database server checks the user's certificate to verify that it bears the certificate authority's signature. From http://www.stanford.edu/dept/itss/docs/oracle/9i/network.920/a96580/architec.htm

  15. Oracle Advanced Security • A product that provides security features to protect enterprise networks: • network encryption • authentication • single sign-on services • security protocols • Does CERN have a license for it?

  16. 4) Client  Oracle • Makes sense to learn if Client-Oracle security may be enhanced.

  17. 5) Client  OraMon (SOAP) 1) HTTPS/SSL: Not used by (g)SOAP by default, may be added: http://www.cs.fsu.edu/~engelen/soapdoc2.html#tth_sEc17.19: • Secure SOAP Web Services with HTTPS/SSL • When a Web Service is installed as CGI, it uses standard I/O that is encrypted/decrypted by the Web server that runs the CGI application. • Therefore, HTTPS/SSL support must be configured for the Web server.: • install OpenSSL • Recompile sources with option -DWITH_OPENSSL 2) Digital Signature (SOAP-DSIG): (In addition to SSL) defines syntax and rules for digitally signing SOAP messages and validating signatures. http://www-106.ibm.com/developerworks/webservices/library/ws-soapsec/

  18. Lemon security: Summary • Sensor  MSA • MSA  OraMon: IPSec. Complicated • OraMon  Oracle: Oracle Advanced Security • Client  Oracle • Client  OraMon (SOAP): OpenSSL+SOAP-DSIG?

More Related