View
217
Download
0
Embed Size (px)
Citation preview
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
1
HEPiX Security Workshop
Overview of talks Some extracts of general interest
LCG Security Group FNAL, KEK, CERN, SLAC
Worrying trends Summary
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
2
HEPiX Security Workshop - Overview
Security Updates: LCG (Dave Kelsey) KEK (Fukuko Yuasa) CERN (Denise Heagerty)
Recent security events: Recent security holes and their impact (Bob Cowles, SLAC) Response to Blaster and Sobig worms at CERN (Alberto Pace, CERN)
System security: Farm nodes (Vlado Bahyl, CERN – presented by Thorsten Kleinwort) Cluster security (Alf Wachsmann, SLAC)
Introduction to deploying PKI Alberto Pace, CERN
Incident Response Sharing opportunities (Matt Crawford, FNAL) Experience with a Grid incident (Dane Skow, FNAL)
Open discussion session Sharing opportunities follow up LCG security risk analysis
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
3
LCG Security Group - Mandate
To advise and make recommendations to the Grid Deployment Manager and the GDB on all matters related to LCG-1 Security
GDB makes the decisions To continue work on the mandate of GDB WG3
Policies and procedures on Registration, Authentication, Authorization and Security
To produce and maintain Implementation Plan (first 3 months, then for 12 months) Acceptable Use Policy/Usage Guidelines LCG-1 Security Policy
Where necessary recommend the creation of focussed task-forces made-up of appropriate experts
E.g. the “Security Contacts” group
(n.b. GDB = Grid Deployment Board)
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
4
LCG Security Group - Membership
Experiment representatives/VO managers Alberto Masoni, ALICE Rich Baker, Anders Waananen, ATLAS David Stickland, Greg Graham, CMS Joel Closier, LHCb
Site Security Officers Denise Heagerty (CERN), Dane Skow (FNAL)
Site/Resource Managers Dave Kelsey (RAL) - Chair
Security middleware experts/developers Roberto Cecchini (INFN), Akos Frohner (CERN)
LCG management and the CERN LCG team Ian Bird, Ian Neilson
Non-LHC experiments/Grids Many sites also involved in other projects Bob Cowles (SLAC)
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
5
LCG Security Group – Documents(http://cern.ch/proj-lcg-security)
6 documents approved to date Security and Availability Policy for LCG
Prepared jointly with GOC task force Approval of LCG-1 Certificate Authorities Audit Requirements for LCG-1 Rules for Use of the LCG-1 Computing Resources Agreement on Incident Response for LCG-1 User Registration and VO Management4 more still to be written (by GOC task force) LCG Procedures for Resource Administrators LCG Guide for Network Administrators LCG Procedure for Site Self-Audit LCG Service Level Agreement Guide
6
Matt Crawford, FNAL:The common internet threat model is trusted endpoints on an insecure network.
SSL, SSH, ipsec, and a myriad of host vulnerabilities have
turned this backwards. We’ve got more communication
security than host security.... and it’s natural to believe that a message received on a secure channel can be trusted.
See also: “The Internet is Too Secure Already,” by Eric Rescorla.
Note: Matt detected passwords on the HEPiX wireless network! Network encryption technology is available, but we’re not all using it…
FNAL: The threat model has changed
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
7
KEK: MAC address registration
Since Aug. 2003, MAC address registration is required to use KEK network
Without the registration, packets are not transferred 4642 MAC address registered
The port of the switch is configured dynamically One MAC address belongs to one VLAN
Also in the wireless LAN, MAC address registration is required since Apr. 2002.
KEK staff: 150 and Collaborator: 728 68 Cisco Aironet stations WEP Annual registration renewal
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
8
02468
10121416182022242628303234
02/ 10 02/ 11 02/ 12 03/ 01 03/ 02 03/ 03 03/ 04 03/ 05 03/ 06 03/ 07 03/ 08 03/ 09 03/ 10
OthersSPAMExploitWorm
Security incidents at KEK, Oct 2002 - 0ct 2003
Worm : 64%, unix root exploit: 28%
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
9
CERN Incident Summary, 1 Jan 2001- 30 Sep 2003
2001 2002 2003-Sep
Incident Type
59 31 26 System compromised (intruder has control) security holes in software (e.g. ssh, kernel, ICQ, IE)
42 25 27 Compromised CERN accounts sniffed or guessed passwords
11 21 305 Serious Viruses and worms Blaster/Welchia (290), Sobig (12) , Slammer(3)
13 21 119 Unauthorised use of file servers insufficient access controls, P2P file-sharing
15 16 1 Serious SPAM incidents CERN email addresses are regularly forged
11 9 6 Miscellaneous security alerts
151 123 484 Total Incidents
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
10
Blaster/Welchia Infection Sources @ SLAC
32% VPN 22% DHCP (reg, internal network) 20% Fixed IP
On vacation, laptop infected outside, etc.
14% Infected during build / patch 12% Dialup
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
11
Worrying Trends
Break-ins are devious and difficult to detect E.g. SucKIT rootkit
Worms are spreading within seconds Welchia infected new PCs during installation sequence
Poorly secured systems are being targeted Home and privately managed computers are a huge risk
Break-ins occur before the fix is out SPAM relays used a new hole before a patch and anti-virus
available People are often the weakest link
Infected laptops are physically carried on site Users continue to download malware and open tricked
attachments Intruders and worms can do more damage
When?
Denise Heagerty, CERN, HEPiX Meeting Oct 2003
12
HEPiX Security Workshop - Summary
Blaster worm and its variants impacted all sites Hardware address registration is becoming normal
Required for access to wireless at TRIUMF meeting site KEK (done), CERN (in progress), FNAL (soon), SLAC (planned), …
VPN & portable systems pose a serious security risk security check prior to DHCP network access planned by some sites
(FNAL, SLAC, …) Requires client to install software to be effective
Security patches need to be timely and enforced e.g. SLAC give deadlines and then force patches, including reboots Visitors cannot rely on home site for patch and anti-virus updates
HEPiX Security Workshop provided a useful exchange high quality and a diverse range of talks a security discussion list has been created to continue the good
collaboration