IT Security for the LHCb experiment 3rd Control System Cyber-Security Workshop (CS)2/HEP ICALEPCS – Grenoble Enrico Bonaccorsi, (CERN)


IT Security for the LHCb experiment 3rd Control System Cyber-Security Workshop (CS)2/HEP ICALEPCS – Grenoble Enrico Bonaccorsi, (CERN) Loic Brarda, (CERN) Mohamed Chebbi, (CERN) Niko Neufeld, (CERN)

Outline
- LHCb intro
- IT Security, several points of view
  o Security risks
  o Physical and host local security approach
  o Protected perimeter
  o Network security implementation
- Central Log System
- Data Security
- Log and data analysis

LHCb
- Completely isolated network
  o Data acquisition system
  o Experiment Control System
- Heterogeneous environment
  o Collaboration
  o 2000 servers and embedded systems
  o 200 active users
  o Different vendors
  o Custom, self-developed systems
  o Manageability vs. strict security
  o Security and its impact on users

IT Security, several points of view
- Physical Security
- Local Security
- Network Local Security
- Network Security
- Data Security
Cross-cutting topics: Local and Remote Access, High Availability, Preemptive measures, External connectivity, Management of Applications and Operating Systems, Industrial security

Security risks
- Interruption of data acquisition
- Unauthorized modification/destruction of data and systems
- Unauthorized disclosure of data
- Denial of service

Security risks (2)
- User behavior
  o Theft of authentication credentials
  o Lack of awareness, carelessness or negligence
  o Unfair and fraudulent behavior
  o Human errors
- Attack and misconfiguration
  o Virus, malware, trojan, backdoor, rootkit, worm, hiding in encrypted sessions, etc.
  o Sabotage
  o Unauthorized access
  o Information leakage
  o Human errors
- Environmental
  o Theft of devices that contain data
  o Destructive events (earthquakes, fire, flood, etc.), whether intentional, accidental or due to negligence
  o Human errors

Security Policy
Security policies have been produced following the CERN CNIC recommendations (the links to the policy documents were not preserved in this transcript).

Physical and host local security approach
- Physical:
  o Authorization required to access Point 8
  o Biometric authentication required to access the underground area
- Local:
  o Private personal account for each LHCb user (a few shared accounts are still in use)
  o PAM/Domain Policies used to restrict access to critical servers between LHCb groups
  o IPMI access protected by router ACLs
  o Applications centrally managed by Quattor/System Center Deployment Services
  o No internet routing allowed, except for a few gateway servers
  o Only web access is granted, through an HTTP proxy

Inner networks
- Traffic isolation using VLANs, 802.1q, Layer 2 filtering and ACLs
- LCG and TN accessible only from a few hosts
- No internet connectivity
- Only LHCb laptops allowed

Network Security implementation
- General public and login services / terminal services
  o RDP Windows remote desktops
  o SSH gateways
  o NX Linux remote desktops
  o Web services
- Network segmentation and trusted zones
  o Level of trust based on three tiers, according to the sensitivity of the data being processed
- Anomaly and intrusion detection

Central Log System
- All the Windows and Linux servers send their logs to a clustered log server
- High availability granted by
  o Active/Active two-node cluster system
  o RAID 1 on each cluster node for the local disk
  o Filesystem replica over the network between nodes
  o Backup on CASTOR
- Logs exported to the users by NFS

Data Security
- Shared filesystem
  o Served by a cluster of five nodes on redundant hardware
  o High availability granted by a cluster of NFS/SMB servers that export the filesystem to the entire experiment
  o Data protection:
    Short term: based on a different storage RAID set, using RSYNC, for immediate user access (file deleted by mistake by the user, etc.)
    Long term: based on tape using CASTOR, for… ever?
    Backup sent to CASTOR and stored on tape
- Servers and Control PCs
  o High availability granted by RAID 1; SW RAID used when HW RAID is not available
  o Daily backup based on Tivoli (Thanks to IT dep.)

Network Intrusion/Anomaly Detection System
- Boundary network traffic mirrored and analyzed
- ISO/IEC 18043:2006(E): Selection, deployment and operations of intrusion detection systems
- Snort for NIDS
- NTOP for anomaly detection

Performance

Questions?

Backup slide

Snort Log data Analysis
- Raw logs generated:
  o Ntop, suspicious events (Syslog)
  o Ntop, others (pcap)
  o Snort > Barnyard > alerts (Syslog)
  o Snort, packets (pcap)
- Barnyard used to offload output processing
- Parsing
- Visual: links, graphs
- Correlation to crosscheck and exclude false positives
- A centralized analysis console is not strictly necessary
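One way to do the crosscheck described on this slide, as an added example that is not part of the original presentation or of the LHCb tools: Snort alerts forwarded to syslog by Barnyard are parsed, and each alert is marked as corroborated when ntop flagged the same source host within a short time window, so uncorroborated alerts can be reviewed as false-positive candidates. The log lines are constructed, and the ntop message layout is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (not from the LHCb systems). Snort lines follow Snort's
# "fast" alert layout as Barnyard can forward it to syslog; the ntop lines use an
# assumed layout for its "suspicious packet" syslog output.
SNORT_SYSLOG = """\
Oct 10 09:12:01 nids1 snort[2231]: [1:1000001:1] CONSTRUCTED probe A [Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.10:44321 -> 198.51.100.5:22
Oct 10 09:12:03 nids1 snort[2231]: [1:1000002:1] CONSTRUCTED web B [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.44:51000 -> 198.51.100.9:80
Oct 10 09:15:40 nids1 snort[2231]: [1:1000001:1] CONSTRUCTED probe A [Classification: Attempted Recon] [Priority: 2] {TCP} 192.0.2.10:44322 -> 198.51.100.6:22
"""
NTOP_SYSLOG = """\
Oct 10 09:12:02 nids1 ntop[1877]: Suspicious: host 192.0.2.10 probed 12 ports on 198.51.100.5
Oct 10 09:40:00 nids1 ntop[1877]: Suspicious: host 192.0.2.77 sent TCP packet with no flags to 198.51.100.9
"""

SNORT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: \[(?P<sid>[\d:]+)\] (?P<msg>.*?) "
    r"\[Classification: [^\]]*\] \[Priority: (?P<prio>\d)\] \{\w+\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+$")
NTOP_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ ntop\[\d+\]: Suspicious: host (?P<src>[\d.]+) ")

def _ts(text):
    # Syslog timestamps carry no year; all events are assumed to come from one year.
    return datetime.strptime(re.sub(r" +", " ", text), "%b %d %H:%M:%S")

def parse(text, regex):
    """Return one dict per line the regex matches; unparseable lines are skipped."""
    return [m.groupdict() for line in text.splitlines() if (m := regex.match(line))]

def correlate(snort_text, ntop_text, window_s=120):
    """Mark each Snort alert as corroborated when ntop flagged the same source host
    within window_s seconds; uncorroborated alerts are false-positive candidates."""
    ntop = parse(ntop_text, NTOP_RE)
    window = timedelta(seconds=window_s)
    out = []
    for a in parse(snort_text, SNORT_RE):
        t = _ts(a["ts"])
        hit = any(n["src"] == a["src"] and abs(_ts(n["ts"]) - t) <= window for n in ntop)
        out.append({"sid": a["sid"], "src": a["src"], "prio": int(a["prio"]), "corroborated": hit})
    return out

if __name__ == "__main__":
    for r in correlate(SNORT_SYSLOG, NTOP_SYSLOG):
        print(r)
```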
