CERN IT Department CH-1211 Genève 23 Switzerland www.cern.ch/it IT Forum, June 2011 Software and Hardware Inventory Initiatives Computer Security Team,

Presentation transcript:

CERN IT Department CH-1211 Genève 23 Switzerland IT Forum, June 2011 Software and Hardware Inventory Initiatives Computer Security Team, Steve Traylen (IT-PES), Matthias Schröder (IT-OIS), Michał Kwiatek (IT-OIS)

Agenda:
  – Goals and motivation
  – Computer Security background
  – Linux desktops
  – Quattor-managed Linux Clusters
  – Mac desktops
  – Windows computers
  – Feedback

Goals:
Monitor the state and evolution of computers on the CERN site
  – Software and Hardware
  – Mac, Linux and Windows
  – Computer Centre and Personal Computers

Motivation:
Efficient Service Management
  – Ease software deployment
  – Precondition for Change Management
Ease User Support
  – Provide tools to Service Desk
Protect computers from security risks
  – Improve (automate) our insight in software vulnerabilities across CERN
  – Keep computers up to date
  – Promptly respond to new threats

Timely updating and patching is our 1st line of protection!
Computer Security Team

Computer Security Background

Any unprotected/unpatched/outdated computer connected to the Internet is likely to be infected within minutes!

From OC5: “The user shall take the necessary precautions to protect his personal computer or work station against unauthorized access.”

Timely updating and patching is the 1st line of protection! This applies to MS Windows, but also to Linux and Macs. Worse: attacks are moving away from the O/S and are now targeting the application level.

A central patch monitoring portal allows every user and service manager (as well as the Security Team) to understand the security posture of their computers and servers. Areas for improvement and vulnerable computers/servers can be spotted in real time, and the corresponding user/manager can be quickly informed and asked for mitigation.

Linux Desktops
Matthias Schröder (IT-OIS)
OS Patch Deployment Monitoring

Scientific Linux Desktops: Background
About 4k active nodes on site
Automatic updates enabled by default
  – But easy to disable…
  – Kernel updates require reboot
  – Conflicts can block updates
Basic configuration done via lcm
  – Ncm-components and local profiles
  – Relies on SW updates for changes
No further central management
No central backups

Scientific Linux Desktops: Current situation
OCS-inventory
  – Open source inventory software
  – Available for Mac, Linux, Windows and more
  – Data collectors running on clients
      – Little load on client
      – Available for many OS
      – Configured via ncm-component
  – Reporting to central server
      – Hardware of nodes
      – Installed software
      – Running kernel
      – Keeps only snapshot
      – User activity is not reported
  – Installed on all updating nodes

Scientific Linux Desktops: OCS host listing

Scientific Linux Desktops: OCS Summary Example

Scientific Linux Desktops: OCS Node Info Example

Scientific Linux Desktops: Future steps
Deployment started spring 2011
Next:
  – Develop queries for data mining
  – Extend CERN specific info

Quattor-managed Linux Clusters
Steve Traylen (IT-PES)

Quattor Managed: Background
CERN CC contains quattor configured hosts:
  – SLC4 : SLC5 : SLC6 = 301 : 7375 : 32
  – RHEL4 : RHEL5 : RHEL6 = 242 : 283 : 3
Managed as 117 unique clusters.
  – Each cluster is pinned to an SLC snapshot date. e.g OSDATE=
  – Each cluster has its own package update policy.
  – Today the time range of OSes is > 1 year.
Quattor configuration is only prescriptive.
  – It does what you ask, no matter what.

Quattor Managed: Current situation
OSDATE Monitoring of CDB Clusters
  – Sent monthly per cluster to each IT-Contact.
  – e.g lxplus:
      Cluster: lxplus
      Minimum OSDATE within lxplus is XX
      Most frequently occurring OSDATE within lxplus is XX
      Of a total 117 clusters lxplus is calculated as number 13 in the ordered list of most up to date clusters.
This monitors configuration only, not reality.
  – This monitoring is very imprecise, reality may be worse.
General details on the OSDATE mechanism:

Quattor Managed: Future steps
Package Level Inventory
  – We need to know what is installed. For both security and operational reasons.
  – Results to be cluster neutral and correlated with RedHat CVE guidelines. Traditionally Pakiti has been the solution. Pakiti produces a list of outstanding CVEs per node.
OCSagents are being deployed across CC.
  – OCSagents collect everything Pakiti needs.
An OCS collector can be added to report limited CDB data.
  – e.g cluster name, clustersub name.
  – Allow joins of OCS to existing DBs: CDB, SDB, ….

Quattor Managed: Future steps
Run Pakiti engine on extracted results of OCS database.
  – Pakiti client itself dropped, a duplication of collection.
Web Interface for Pakiti results:
  – Views needed for security team and cluster managers.
  – Evaluate if Pakiti web-interface can be used or adapted. Early attempts were unusable, batch deluge results.
  – Evaluate if an existing CERN aware web-interface can be adapted to pakiti results. e.g. cluman, desktop DB (see later).
  – Create a new web-interface which is e-group, cdb cluster aware.
Monthly Report
  – A monthly report of CVEs per cluster can be generated. Quattor and non-managed will be treated equally.
  – Pakiti results for SLC desktops will also be available.
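
The pipeline sketched on the two "Future steps" slides (package rows extracted from the OCS database, joined to the CDB cluster name, matched against advisories, then rolled up into a per-cluster report) can be illustrated as follows. This is an added example, not code from the slides, Pakiti or OCS Inventory; host names, cluster names, package versions and advisory identifiers are constructed placeholders, and the version comparison is a simplified RPM-style ordering without epoch handling.

```python
import re
from collections import defaultdict

# Constructed sample rows, as they might be extracted from an OCS database.
OCS_PACKAGES = [  # (host, package, installed version-release)
    ("node01", "openssl", "0.9.8e-12.el5"),
    ("node01", "kernel", "2.6.18-238.el5"),
    ("node02", "openssl", "0.9.8e-20.el5"),
    ("node02", "kernel", "2.6.18-194.el5"),
    ("desk01", "openssl", "0.9.8e-12.el5"),
]
# Constructed cluster names, as an extra OCS collector could report from CDB.
HOST_CLUSTER = {"node01": "clusterA", "node02": "clusterA", "desk01": "desktops"}
# Constructed advisory feed: package -> [(first fixed version, placeholder id)]
ADVISORIES = {
    "openssl": [("0.9.8e-20.el5", "CVE-PLACEHOLDER-1")],
    "kernel": [("2.6.18-238.el5", "CVE-PLACEHOLDER-2"),
               ("2.6.18-200.el5", "CVE-PLACEHOLDER-3")],
}

def vercmp(a, b):
    """Simplified RPM-style comparison of version strings: returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", v) for v in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric runs compare as integers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric run beats an alphabetic one
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def outstanding(packages, advisories):
    """Return {host: sorted advisory ids whose fix is newer than what is installed}."""
    result = defaultdict(set)
    for host, pkg, installed in packages:
        for fixed, adv_id in advisories.get(pkg, []):
            if vercmp(installed, fixed) < 0:
                result[host].add(adv_id)
    return {h: sorted(ids) for h, ids in result.items()}

def cluster_report(per_host, host_cluster):
    """Roll per-host results up to {cluster: {advisory id: [hosts]}}."""
    report = defaultdict(lambda: defaultdict(list))
    for host, ids in sorted(per_host.items()):
        for adv_id in ids:
            report[host_cluster.get(host, "unknown")][adv_id].append(host)
    return {c: dict(a) for c, a in report.items()}

if __name__ == "__main__":
    rep = cluster_report(outstanding(OCS_PACKAGES, ADVISORIES), HOST_CLUSTER)
    for cluster, advs in sorted(rep.items()):
        for adv_id, names in sorted(advs.items()):
            print(f"{cluster}: {adv_id} outstanding on {', '.join(names)}")
```

Because cluster membership is joined in only at the reporting step, managed clusters and unmanaged desktops pass through the same matching logic, which is what treating them "equally" in the monthly report requires.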

Mac Desktops
Matthias Schröder (IT-OIS)
OS Patch Deployment Monitoring

Mac Desktops: Background
About 2k active clients on site
System and main apps check for updates
  – But users can de-activate this
  – Users are only reminded that updates are available
No central management
No central configuration
No central back-ups

Mac Desktops: Current situation
K2 to monitor usage of licensed SW
  – Only on nodes using licensed SW
  – Rather complete monitoring
      – Hardware
      – Software
      – Can monitor usage of selected SW
  – Requires license per node

Mac Desktops: K2 Node List

Mac Desktops: K2 Licence Information

Mac Desktops: K2 Software List

Mac Desktops: Future steps
Plan to install OCS Inventory on all nodes
  – Gradual process
Share OCS Server with Linux
Need to keep K2 for licensed SW

Windows Computers
Michal Kwiatek (IT-OIS)

Windows Background
Windows computers at CERN:
  – 6000 Centrally Managed
  – 1500 Locally Managed
  – 1500 not in the CERN domain
[Chart labels: Not in the CERN Domain, In the CERN Domain, Managed Centrally, Locally]

Windows Background
Windows computers that belong to the CERN domain are managed with CMF
CMF enables:
  – Deployment of the desired software configuration, including patches
  – When necessary, delegation of software deployment tasks to Local Administrators (ex. Experiments, Controls)
  – Reporting of the actual configuration of Windows Computers. Requires manual configuration for unsupported apps

Windows Background
Every day, we actively assess the risk of security exploits of CERN computers
[Chart: History of computers reinstalled because of detected security problems (per week)]

Windows Background
To manage software lifecycle, we must understand configurations across CERN

Windows Current Situation
6000 Centrally Managed PCs and Servers
  – Monthly deployment of patches for OS and supported applications
  – Alerts for owners of computers running unsupported applications with known security vulnerabilities
1500 Locally Managed computers
  – Monthly recommendation to Local Admins concerning patch deployment
  – Alerts for Local Admins when their computers run a configuration with a known security flaw (ex. unsupported OS, no Antivirus)
1500 computers which are not in the CERN domain
  – Computers belonging to short-term visitors, managed by their respective owners (IT has no control)

Windows Current Situation
Microsoft patch deployment follow-up

Windows Current Situation
Follow-up for unsupported applications

Future Steps
DesktopDB
  – Initially designed to keep history of desktop configurations across all OS
  – Now extended to quattor-managed clusters in the Computer Centre
[Diagram labels: CMF, OCS, DesktopDB]

Future Steps
DesktopDB
  – Evolution of SW and HW configurations
  – Across all OS: Windows, Mac and Linux
      – Including Quattor-managed Linux Clusters
  – Prototype for ITIL CMDB data source
      – Service Desk tool

Feedback?