Lemon security

Previous security enhancements user lemon: lemon-db-admin-OraMon will create user lemon (Miro). - OraMon switches to user lemon at its initd script (David). - ReadOnly and heartBeat files will be moved to /var/lib/OraMon (Miro, David) - /etc/sysconfig/OraMon is owned by lemon, and is readable by user lemon only (David). Samples insertion access control: control what IPs (taken from CDB) may send samples to OraMon: - Investigate efficiency of using IPchains. Alternatives: per IP groups, (preferred, if possible) or per IP list Sensitive data to CDB 10) When CDB supports secure information via hppts, move sensitive EHD and OraMon config file information (user and password) from rpm to CDB. NCM OraMon component has to be changed accordingly (Gernam) 20) cdb get clusters: Needs to be configured for user/password as well (German). TBD: how to provide to cdb get clusters and active alarm nodes the user and password of the 2 sql DBs: lemon and cdb

Outline Miro’s suggestions for OraMon security David’s related thoughts

Lemon security Those who have access to CERN machines can openly interfere with Lemon, because it uses unsecure sockets

Miro: security of OraMon As we have discussed before, iptables could help us to restrict the domains, but I would take that a little bit further and asked for an authentication mechanism. use ssl for encryption and well as for the authentication. Client (MSA) on install downloads the oramon's public key, creates a challenge and sends its own public key (host's key). It receives back a reply with encoded clientID or with client's signature. MSA uses oramon's public key to encrypt the message plus encapsulates the clientID. oramon will store all of the allowed host's public keys inside database.

Miro: security of OraMon. Cont. Performance overhead: encrypting the samples + having three way authentication would create an overhead… Currently we have about 10kB/s throughput, so having encryption on top of that should not be a problem (even if we scale to 400kB/s). Communication of OraMon to oracle server could over ssl – I think that in OCI oracle supports SSL.

Enhance lemon security now?

Extending OraMon security to lemon security 1.Sensor  MSA 2.MSA  OraMon 3.OraMon  Oracle 4.Client  Oracle 5.Client  OraMon (SOAP)

1) Sensor  MSA (Since it is) TCP based, ssl may be added

2) MSA  OraMon Pertains to many machines  big vulnerability Requires changes at OraMon and at MSA Is UDP based, hence SSL can not be used What should be secured? –What machines speak to OraMon (iptables) –What users speak to OraMon –What applications speak to OraMon (feasible?) Guideline: Prevent reinventing wheels – use standards, where possible Candidate standard to secure UDP: IPSec

TCP security alternatives SSL is also known by a new, IETF standard name: Transport Layer Security, or TLS

UDP security alternatives IPsec: + Is standard - Complicated. Requires operating system support SecureUPD: - Is not standard

IPSec Strong security standard –Encryption & Encapsulation –Authentication & Anti-Replay –Key Management & Digital Signatures –Support of Unique Digital Certificates –Interoperability between the various IPSec compliant products Is supported by Linux – as add-on ipsec.doc ipsec.doc Transport mode vs. tunnel mode Usage of IPSec implies ‘tailoring’ of it into lemon

OraMon  Oracle TCP/IP with SSL Protocol Enables an Oracle application on a client to communicate with remote Oracle databases through TCP/IP and SSL. Oracle Advanced SecurityOracle Advanced Security product needed in order to use TCP/IP with SSL. SSL stores authentication data, (certificates, private keys), in an Oracle Wallet. When the client initiates a connection to the database server, SSL performs a handshake between the two using the certificate: –The client and database server negotiate a cipher suite--a set of authentication, encryption, and data integrity types--to apply to the messages they exchange. –Depending on its configuration, the database server sends its certificate to the client in a message encrypted with the client's public key. The client decrypts this message by using its own private key, then verifies that the database server's certificate bears the certificate authority's signature. –If required, the client may send the user's certificate to the database server. The certificate ensures that the user's information is correct and that the public key actually belongs to that user. The database server checks the user's certificate to verify that it bears the certificate authority's signature. From

Oracle Advanced Security A product that provides security features to protect enterprise networks: –network encryption –authentication –single sign-on services –security protocols Does CERN have a license for it?

4) Client  Oracle Makes sense to learn if Client-Oracle security may be enhanced.

5) Client  OraMon (SOAP) 1) HTTPS/SSL: Not used by (g)SOAP by default, may be added: : –Secure SOAP Web Services with HTTPS/SSL When a Web Service is installed as CGI, it uses standard I/O that is encrypted/decrypted by the Web server that runs the CGI application. Therefore, HTTPS/SSL support must be configured for the Web server.: –install OpenSSL –Recompile sources with option -DWITH_OPENSSL 2) Digital Signature (SOAP-DSIG): (In addition to SSL) defines syntax and rules for digitally signing SOAP messages and validating signatures.

Lemon security: Summary 1.Sensor  MSA 2.MSA  OraMon: IPSec. Complicated 3.OraMon  Oracle: Oracle Advanced Security Oracle Advanced Security 4.Client  Oracle 5.Client  OraMon (SOAP): OpenSSL+SOAP-DSIG?