Published by Adrian Clark, modified over 8 years ago
1
INFSO-RI-508833 Enabling Grids for E-sciencE www.eu-egee.org
Workshop WLCG Security for Grid Sites
Louis Poncet, System Engineer, SA3 - OSCT
2
Summary
Introduction
Security begins during the OS installation
Managing up-to-date services
Firewalls
–Per host
–For the network
SAM security tests
Log file usage
Conclusion
3
Introduction
Why site security is fundamental:
–A malicious user gaining grid access can use all resources
–Any site can be a point of entry to our grid
We need heterogeneous monitoring of the activities
–Permits us to find more problems
We need to work together to improve grid security
–Large scale deployment increases the security risks
One site insecure = grid insecure
Resources have to be allocated for the security activities at all sites in the project
4
Installation of a secure system
Choosing the native tools of the OS is rarely a wrong choice.
–Anaconda is the tool to install Red Hat Linux.
Anaconda installs through a kickstart config file which:
–Only installs what is required for the service
–Provides a good root access policy
–Runs an update as soon as possible
–Installs a local firewall
–Deactivates or uninstalls all native but unneeded services
–Requires a “keep certificate and server SSH keys” reinstallation process
-To avoid the possibility of a man-in-the-middle SSH attack
–Local tools (monitoring etc.)
–A kickstart file per type of service
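The “keep certificate and server SSH keys” reinstallation step, as an added shell example that is not part of the presentation: the host's SSH host keys and grid host certificate are stashed before the reinstall and put back from a kickstart %post section, with strict permissions re-applied and a checksum check so that a corrupted or swapped key file is noticed instead of silently installed. The stash directory and the ROOT prefix are assumptions of this example (ROOT is / on a real node; a scratch directory lets the functions be exercised without root), and the file list is the usual Red Hat / grid-security layout, which a site should adapt to its own node types.

```shell
#!/bin/sh
# Added example (not from the presentation): preserve SSH host keys and the
# grid host certificate across a kickstart reinstall so that clients never see
# a changed host key. ROOT = filesystem root to operate on ("/" on a real
# node, a scratch directory when testing); STASH = a location that survives
# the reinstall (assumed: a partition the kickstart "part" lines leave alone,
# or a copy kept on the installation server).

# Paths, relative to ROOT, that must be identical before and after the reinstall.
keep_list() {
    cat <<'EOF'
etc/ssh/ssh_host_rsa_key
etc/ssh/ssh_host_rsa_key.pub
etc/ssh/ssh_host_dsa_key
etc/ssh/ssh_host_dsa_key.pub
etc/grid-security/hostcert.pem
etc/grid-security/hostkey.pem
EOF
}

# save_keys ROOT STASH: copy every keep_list file that exists into STASH,
# keeping the relative path, and write a checksum manifest next to them.
save_keys() {
    root=$1; stash=$2
    mkdir -p "$stash/etc"
    keep_list | while read -r rel; do
        [ -f "$root/$rel" ] || continue
        mkdir -p "$stash/$(dirname "$rel")"
        cp -p "$root/$rel" "$stash/$rel"
    done
    ( cd "$stash" && find etc -type f -exec sha256sum {} + | sort ) > "$stash/MANIFEST"
}

# restore_keys STASH ROOT: meant for the kickstart %post section (ROOT=/).
# Puts the files back, re-applies strict permissions, then verifies every
# restored file against the manifest; a non-zero exit means "do not trust".
restore_keys() {
    stash=$1; root=$2
    keep_list | while read -r rel; do
        [ -f "$stash/$rel" ] || continue
        mkdir -p "$root/$(dirname "$rel")"
        cp -p "$stash/$rel" "$root/$rel"
        case "$rel" in
            *.pub|*hostcert.pem) chmod 644 "$root/$rel" ;;   # public material
            *hostkey.pem)        chmod 400 "$root/$rel" ;;   # grid host key: root read-only
            *)                   chmod 600 "$root/$rel" ;;   # SSH private keys
        esac
    done
    ( cd "$root" && sha256sum -c "$stash/MANIFEST" >/dev/null )
}
```

In a real kickstart the restore call sits in %post after the OpenSSH and grid-security packages are installed, so the freshly generated keys are overwritten by the preserved ones before sshd starts for the first time.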
5
Managing up-to-date services
Problem:
–Will this upgrade create problems with the middleware?
We have to classify updates:
–Security / improvement of the OS / upgrade of the middleware functionality
A security update should be allowed to cause a temporary break in the service; otherwise the risk has to be minimized by other means:
–firewall configuration
–user access
–configuration of the buggy software
The limit between usability and security has to be defined in a realistic way (risk assessment)
6
Managing up-to-date services
Using auto-update on service nodes
Regular comparison of what should be installed and what is installed
Regular monitoring of package conflicts
Updates which need a reboot are another problem:
–When can I reboot without breaking the service?
-The scheduling of the reboot and the job management at sites can be complicated
A procedure for updates HAS to be defined by the site, striking a compromise between users and admins
7
Rules for a secure system
The localization of services
–Each computing centre is unique, and its size will define how to localize the installation of the service
A security policy per site is required, matching project rules and national law
–Procedures should exist for each case:
-Normal production monitoring
-Urgent upgrade
-If under attack
8
Up-to-date in GD
YUM/APT auto-update scripts are running on all our nodes (every 4 hours)
Pakiti runs to check that security packages are up-to-date
In case of a kernel upgrade, the root account of the machine receives a mail requesting a reboot
We are using two reliable external repositories for the modules that we do not manage directly
–A few packages are not in the Linux distribution but can be found in project repositories like jpackage and dags
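The “regular comparison of what should be installed and what is installed” from slides 6 and 8, as an added shell example that is not the presentation's or Pakiti's code: a per-node-type reference list is diffed against the live RPM database and every difference is classified as a missing package, an unexpected extra, or a version drift. The reference-list format and the package names and versions used in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the presentation): compare a site's reference package
# list for a node type against what is actually installed.
# EXPECTED file format (one per line, constructed for this example):
#     name version-release          e.g.  openssh-server 4.3p2-16
# INSTALLED file: the same format, produced by installed_list below.

# installed_list: dump the live RPM database in "name version-release" form.
# Run this on the node and ship the output to the machine doing the comparison.
installed_list() {
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | sort
}

# package_drift EXPECTED INSTALLED: print one line per difference:
#   MISSING name version          in the reference list, not installed
#   EXTRA   name version          installed, not in the reference list
#   VERSION name expected X installed Y   same package, different version
# Output is sorted so it can be diffed against the previous run.
package_drift() {
    [ -s "$1" ] || { echo "package_drift: empty reference list $1" >&2; return 2; }
    LC_ALL=C awk '
        NR == FNR { want[$1] = $2; next }          # first file: reference list
        {
            have[$1] = $2
            if (!($1 in want))
                print "EXTRA " $1 " " $2
            else if (want[$1] != $2)
                print "VERSION " $1 " expected " want[$1] " installed " $2
        }
        END { for (p in want) if (!(p in have)) print "MISSING " p " " want[p] }
    ' "$1" "$2" | LC_ALL=C sort
}

# drift_count EXPECTED INSTALLED: number of differences (0 = node matches).
drift_count() {
    package_drift "$1" "$2" | grep -c .
}
```

An EXTRA line is the interesting one from a security point of view: a package nobody in the site's update procedure put there deserves a look before the next auto-update cycle quietly keeps it current.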
9
Firewalls / IDS
Firewalls:
–Local
-Each node should have a local firewall that authorizes only the required connections and detects network scans
–Network
-The network firewall should give access from the external network to services
–Iptables properly configured can become a monitoring system by itself.
-Unwanted connections can be detected
IDS:
–An intrusion detection system monitors unwanted activities on the network; its limit is the quantity of data
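The “iptables as a monitoring system” point, as an added shell example that is not from the presentation: a minimal local ruleset whose last rule logs (rate-limited) everything the default DROP policy is about to discard, and a small parser over the resulting kernel log lines that reports sources which touched many distinct closed ports, which is what a network scan looks like from the node's side. The admin network, the service port and the log lines in the test are placeholders and constructed input for this example; the ruleset prints the commands rather than running them, so nothing is changed by calling it.

```shell
#!/bin/sh
# Added example (not from the presentation): a local firewall that logs what it
# drops, and a report that turns those log lines into a scan list.

# fw_rules: print the iptables commands for a node. Review them, then run as
# root (e.g. `fw_rules | sh`). Placeholders: 192.0.2.0/24 stands for the
# site's admin network, 2119 for a port the node's service actually needs.
fw_rules() {
    cat <<'EOF'
iptables -P INPUT DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 2119 -j ACCEPT
iptables -A INPUT -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "FW-DROP: "
EOF
}

# scan_report LOGFILE [MINPORTS]: from syslog lines carrying the FW-DROP prefix
# (SRC=... DPT=... fields as written by the LOG target), count the distinct
# destination ports each source hit and print "source ports" for every source
# at or above MINPORTS (default 5). Sorted so the output is stable.
scan_report() {
    min=${2:-5}
    awk -v min="$min" '
        /FW-DROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (source, port) pair once, however many retries
            if (src != "" && dpt != "" && !((src, dpt) in seen)) {
                seen[src, dpt] = 1
                ports[src]++
            }
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' "$1" | sort
}
```

The `--limit` on the LOG rule is what keeps the “quantity of data” problem from slide 9 in check: a scan still shows up with enough distinct ports to cross the threshold, but a flood cannot fill the disk with log lines.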
10
Firewalls / IDS
(slide content not extracted; title only)
11
SAM security test
SAM is running on production services every 4 hours
Today, 2 security tests are running on WNs with SAM
–For checking the validity of timestamps:
-The “CRL Timestamps” test
-http://grid.cyfronet.pl/sam-doc/CE/CE-wn-sec-crl.html
–For checking the ACLs of sensitive locations on WNs:
-Searching for files writable by others (CE-wn-sec-fp)
-https://lxn1181.cern.ch:8443/sam-val/docs/CE-wn-sec-fp.html
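The “files writable by others” check, as an added shell example that is not the SAM CE-wn-sec-fp test itself: it walks a directory tree and reports regular files that are world-writable and directories that are world-writable without the sticky bit, exiting non-zero when anything is found so it can be wired into any pass/fail monitor. The directories worth checking on a worker node are up to the site; the paths in the test are a constructed scratch tree.

```shell
#!/bin/sh
# Added example (not from the presentation or SAM): find the file-permission
# problems a shared worker node should never have.

# world_writable DIR...: print, sorted, every regular file that is writable by
# "other" and every directory that is world-writable but lacks the sticky bit
# (a /tmp-style directory with the sticky bit set is fine: users cannot delete
# or rename each other's files there). -xdev keeps the walk on one filesystem
# so NFS-mounted homes are not scanned from every node.
# Returns 0 when nothing was found, 1 otherwise.
world_writable() {
    found=$(find "$@" -xdev \
                \( -type f -perm -0002 -o -type d -perm -0002 ! -perm -1000 \) \
                -print 2>/dev/null | LC_ALL=C sort)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# check_wn_perms DIR...: the monitor-facing wrapper: one summary line on
# stdout in the spirit of a SAM result, details on stderr.
check_wn_perms() {
    if out=$(world_writable "$@"); then
        echo "OK: no world-writable files or unsticky directories under: $*"
        return 0
    fi
    printf '%s\n' "$out" >&2
    echo "WARNING: $(printf '%s\n' "$out" | grep -c .) world-writable entries under: $*"
    return 1
}
```

Run it as the unprivileged pool account the SAM job would use, not as root: that also exercises the worker node's own access controls on the directories being walked.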
12
Log files
Logs are mandatory to keep a trace of what happened
An attack's second or third step is to stop and erase the logging of actions on the machine
The usage of a syslog server to centralize the logs of all services reduces the risk of losing all the traces of the alarm
How to use them? There is so much data that I can’t find the needle in the haystack
Tools can help you! I am using Splunk, which gives you everything you need to debug
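One check that only a central syslog server can make, as an added shell example that is not from the presentation: the slide notes that an attacker's early step is to stop logging on the compromised machine, so the central server should notice when a host that normally logs goes quiet. The example assumes the collector writes RFC 3339 timestamps (as rsyslog can be told to do) so that timestamps compare as plain strings, and a site-maintained list of hosts that are expected to log; both files and the log lines in the test are constructed input.

```shell
#!/bin/sh
# Added example (not from the presentation): on the central syslog server,
# report expected hosts that have gone silent.
# HOSTS file: one hostname per line (the site's list of nodes that must log).
# LOG file: lines of the form "<RFC3339 timestamp> <hostname> <rest of message>".
# Assumption: the collector stores RFC 3339 timestamps, so lexical order is
# time order and no date parsing is needed.

# silent_hosts HOSTS LOG CUTOFF: print, sorted, every expected host whose last
# message is older than CUTOFF (an RFC 3339 timestamp), or that never logged:
#   host never-seen
#   host last <timestamp>
# Hosts appearing in the log but not in HOSTS are ignored here; unknown
# senders are a separate check.
silent_hosts() {
    [ -s "$1" ] || { echo "silent_hosts: empty host list $1" >&2; return 2; }
    awk -v cutoff="$3" '
        NR == FNR { expect[$1] = 1; next }               # first file: host list
        ($2 in expect) && ($1 > last[$2]) { last[$2] = $1 }  # newest line per host
        END {
            for (h in expect) {
                if (!(h in last))          print h " never-seen"
                else if (last[h] < cutoff) print h " last " last[h]
            }
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# cutoff_for MINUTES: RFC 3339 timestamp MINUTES ago in UTC, for cron use on a
# GNU system (date -d is a GNU extension; on other systems compute it otherwise).
cutoff_for() {
    date -u -d "$1 minutes ago" '+%Y-%m-%dT%H:%M:%S+00:00'
}
```

A cron entry such as `silent_hosts /etc/site-hosts /var/log/central.log "$(cutoff_for 30)"` turns a quiet node into an alert within one polling interval, which is exactly the kind of needle the slide says is hard to find by reading the haystack.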
13
Conclusion
Every site is unique: you have to set security procedures at yours
All the points that were in the presentation are really simple and must be applied
We have to work together to improve the quality of our site security
Reading an O’Reilly book about security and system administration is cheaper than repairing after a hacker attack
All comments are welcome
14
Question