1 / 21

Security Update

Security Update. Mingchao Ma HEPSYSMAN - Security 1 st July 2009. Overview. Security service challenge 3 (SSC 3) Security incident handling procedure Security monitoring Security training and dissemination. SSC3. EGEE Tier1 sites have been tested twice by OSCT;

morley
Download Presentation

Security Update

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Security Update Mingchao Ma HEPSYSMAN - Security1st July 2009

  2. Overview • Security service challenge 3 (SSC 3) • Security incident handling procedure • Security monitoring • Security training and dissemination Mingchao Ma, RAL

  3. SSC3 • EGEE Tier1 sites have been tested twice by OSCT; • Regional runs at Tier2 sites done by ROC security officers • UKI, SEE, Benelux and Italy completed • Regional run at OSG done • Regional run at NDGF planned Mingchao Ma, RAL

  4. SSC3 Result – Tier1 Sites Mingchao Ma, RAL

  5. SSC3: Analysis • All sites (besides one) improved • Sites that scored good in the first run improved in the second run • Sites that did not score very well in the first run improved a lot • Most sites (besides one) enjoyed the opportunity to test their response capabilities and even reveal operational problems Mingchao Ma, RAL

  6. SSC3 Result – UKI Tier2 Sites Mingchao Ma, RAL

  7. SSC - Plans • To run a modified SSC3 • Ex: treat IP W.X.Y.Z as malicious • Storage SSC • Under discussion • Some concerns on the logging capabilities of Storage middleware • Re-run SSC3 on Tier2 sites Mingchao Ma, RAL

  8. Incident Handling • Security Incident Response Policy • http://www.jspg.org/wiki/Security_Incident_Response_Policy (draft) • The revised EGEE incident handling procedure • In final stage • http://indico.cern.ch/materialDisplay.py?contribId=12&sessionId=1&materialId=0&confId=56981 • Change of reporting channels • for reporting incident • for support • Specify timeframe of each steps • E.g. to report incident within 4 hours after detection • Templates for reporting a incident • Both GridPP and NGS incident procedures will be modified in line with EGEE incident procedure Mingchao Ma, RAL

  9. GridPP Incident Handling Procedure • Communication channel • Was • A list of security contact emails • Change to: for incident alert/report/notification for discussion/support • Feedback/Comments are welcome! Mingchao Ma, RAL

  10. NGS Incident Handle Procedure • Communication channel • Was and • Change to: for incident alert/report/notification for discussion/support • Feedback/Comments are welcome! Mingchao Ma, RAL

  11. Cross-Grid Incident Handling • GRID-SEC • A coordinated response to cross-grid security incidents, follows the NSP-SEC model, • http://cern.ch/grid-sec • A closed mailing list hosted by NCSA, USA • To strengthen communication between a small group of experts at connected academic grids • Maximum two representatives from the same Grid infrastructure • Currently include: OSG, TeraGrid, NDGF and EGEE Mingchao Ma, RAL

  12. Cooperation between Grid (OSCT) and NREN CSIRTs • Collected a list of NREN CSIRT contacts information • To participate NREN CSIRTs activities • To encourage the cooperation between ROC security contact and local NREN CSIRT team(s) • Also encourage the cooperation between site security contacts and their organization security/CSIRT teams • Consider to become a trusted introducer? (eg. EGEE OSCT) Mingchao Ma, RAL

  13. Security Monitoring • Some SAM security tests available • CRL and file permission checks • Results only available to security contacts • Port the test to the Nagios-based framework • ROC (or even project/VO) level Nagios will perform the test • Results must be encrypted, access policy defined • Focus on project/ROC level monitoring • More information can be found in https://twiki.cern.ch/twiki/pub/LCG/OSCT-EGEEIII-tasks/security-monitoring-v0.12.pdf • Further security probes to be developed • Call for Nagios-based security probe • Based on risk analysis and/or previous incidents Mingchao Ma, RAL

  14. Patch Monitoring - Pakiti • The Pakiti software is freely available from sourceforge • www.sf.net/projects/pakiti • used by some sites/ROCs (RAL Tier1, NIKHEF, SEE ROC)‏ • currently being re-designed, significant changes expected during this summer • Pakiti campaign • Many sites not applying security patches (vanilla SL3 distributions!), a wide range exploits exist in the wild • OSCT is establishing a Pakiti server to collect and evaluate information about the sites’patching status • we only use the “public” interface, by sending a job • any authorized user can do the same • The middle-term goal is to move the Pakiti framework to Nagios Mingchao Ma, RAL

  15. Traceability of users • Tools to analyze log files • Collecting information about actions of particular user • Focused on site-level, to be performed bysysadmins • Work in progress – some “filters” already available • Tools to analyze data from the L&B database • grid/VO level • Complete information about user’s activities on the grid • Intended for VO managers • Work planned, not started yet • More info at • http://indico.cern.ch/getFile.py/access?contribId=6&sessionId=4&resId=1&materialId=slides&confId=49905 Mingchao Ma, RAL

  16. Security Training & Dissemination • gLite Service reference cards • https://twiki.cern.ch/twiki/bin/view/EGEE/ServiceReferenceCards • gLite-AMGA - ARDA Metadata Catalog • glite-BDII - Berkeley Database Information Index • glite-CREAM_CE - gLite CREAM Computing Element • glite-DPM - Disk Pool Manager • glite-FTS - File Transfer Service • glite-LFC - LCG File Catalog • gLite-LB - Logging and Bookkeeping service • glite-MON - Monitoring System Collector Server • glite-PX - MyProxy server • glite-UI - User Interface • glite-VOBOX - Virtual Organisation Node • glite-VOMS - Virtual Organisation Membership System • gLite-WMS - Workload Management Service • glite-WN - Worker Node • lcg-CE - LCG Computing Elements • gLExec - gLExec (both for WN and CE) Mingchao Ma, RAL

  17. Service reference cards • Each service card has a “security information” section • Access control Mechanism description (authentication & authorization) • How to block/ban a user • Network Usage • Firewall configuration • Security recommendations • Security incompatibilities • List of externals (packages are NOT maintained by Red Hat or by gLite) • Other security relevant comments Mingchao Ma, RAL

  18. Security Trainings • Target system managers and administrators, NOT end users; • No dedicated budget for security training; • Incorporate training into other conferences/events; • Past training events • EGEE’07, 1st -5th October 2007, Budapest • EGEE’08, 22nd -26th September 2008, Istanbul • Security training at Laboratory APC, France, 2nd -3rd April 2009 • Security training at ISGC 2009, Taipei, 19th April 2009 • Upcoming training events • Security workshop at RAL, UK, 1st July, 2009 • GridKa School at Karlsruhe, Germany 31st Aug.- 4th Sep. 2009 • EGEE’09, 21-25 September 2009, Barcelona • Some ROCs are planning trainings in their regions as well Mingchao Ma, RAL

  19. Mingchao Ma, RAL

  20. Security Page • Still in very early stage, will be hosted at OSCT website • Topics cover • Security policies, procedures • Security monitoring • Middleware security • OS security • Network security • Trust (CA, PKI and IGTF) • Forensics • … … • TERENA training material Mingchao Ma, RAL

  21. Question? Mingchao Ma, RAL

More Related