Download presentation
Presentation is loading. Please wait.
Published byVictor Maxwell Modified over 9 years ago
1
Security Update Mingchao Ma HEPSYSMAN - Security 1 st July 2009
2
Overview Security service challenge 3 (SSC 3) Security incident handling procedure Security monitoring Security training and dissemination 16/10/2015Mingchao Ma, RAL2
3
SSC3 EGEE Tier1 sites have been tested twice by OSCT; Regional runs at Tier2 sites done by ROC security officers –UKI, SEE, Benelux and Italy completed Regional run at OSG done Regional run at NDGF planned 16/10/2015Mingchao Ma, RAL3
4
16/10/2015Mingchao Ma, RAL 4 SSC3 Result – Tier1 Sites
5
SSC3: Analysis All sites (besides one) improved Sites that scored good in the first run improved in the second run Sites that did not score very well in the first run improved a lot Most sites (besides one) enjoyed the opportunity to test their response capabilities and even reveal operational problems 16/10/2015Mingchao Ma, RAL 5
6
16/10/2015Mingchao Ma, RAL6 SSC3 Result – UKI Tier2 Sites
7
SSC - Plans To run a modified SSC3 –Ex: treat IP W.X.Y.Z as malicious Storage SSC –Under discussion –Some concerns on the logging capabilities of Storage middleware Re-run SSC3 on Tier2 sites 16/10/2015Mingchao Ma, RAL7
8
Incident Handling Security Incident Response Policy –http://www.jspg.org/wiki/Security_Incident_Response_Policy (draft)http://www.jspg.org/wiki/Security_Incident_Response_Policy The revised EGEE incident handling procedure –In final stage –http://indico.cern.ch/materialDisplay.py?contribId=12&sessionId=1&materialI d=0&confId=56981http://indico.cern.ch/materialDisplay.py?contribId=12&sessionId=1&materialI d=0&confId=56981 –Change of reporting channels for reporting incident for support –Specify timeframe of each steps E.g. to report incident within 4 hours after detection –Templates for reporting a incident Both GridPP and NGS incident procedures will be modified in line with EGEE incident procedure 16/10/2015Mingchao Ma, RAL8
9
GridPP Incident Handling Procedure Communication channel –Was –A list of security contact emails –Change to: for incident alert/report/notification for discussion/support Feedback/Comments are welcome! 16/10/2015Mingchao Ma, RAL9
10
NGS Incident Handle Procedure 16/10/2015Mingchao Ma, RAL10 Communication channel –Was and –Change to: for incident alert/report/notification for discussion/support Feedback/Comments are welcome!
11
Cross-Grid Incident Handling GRID-SEC –A coordinated response to cross-grid security incidents, follows the NSP-SEC model, –http://cern.ch/grid-sechttp://cern.ch/grid-sec –A closed mailing list hosted by NCSA, USA –To strengthen communication between a small group of experts at connected academic grids –Maximum two representatives from the same Grid infrastructure –Currently include: OSG, TeraGrid, NDGF and EGEE 16/10/2015Mingchao Ma, RAL11
12
Cooperation between Grid (OSCT) and NREN CSIRTs Collected a list of NREN CSIRT contacts information To participate NREN CSIRTs activities To encourage the cooperation between ROC security contact and local NREN CSIRT team(s) Also encourage the cooperation between site security contacts and their organization security/CSIRT teams Consider to become a trusted introducer? (eg. EGEE OSCT) 16/10/2015Mingchao Ma, RAL12
13
Security Monitoring Some SAM security tests available –CRL and file permission checks –Results only available to security contacts Port the test to the Nagios-based framework –ROC (or even project/VO) level Nagios will perform the test –Results must be encrypted, access policy defined –Focus on project/ROC level monitoring –More information can be found in https://twiki.cern.ch/twiki/pub/LCG/OSCT- EGEEIII-tasks/security-monitoring-v0.12.pdf Further security probes to be developed –Call for Nagios-based security probe Based on risk analysis and/or previous incidents 16/10/2015Mingchao Ma, RAL13
14
Patch Monitoring - Pakiti The Pakiti software is freely available from sourceforge –www.sf.net/projects/pakiti –used by some sites/ROCs (RAL Tier1, NIKHEF, SEE ROC) –currently being re-designed, significant changes expected during this summer Pakiti campaign –Many sites not applying security patches (vanilla SL3 distributions!), a wide range exploits exist in the wild –OSCT is establishing a Pakiti server to collect and evaluate information about the sites’patching status –we only use the “public” interface, by sending a job –any authorized user can do the same The middle-term goal is to move the Pakiti framework to Nagios 16/10/2015Mingchao Ma, RAL14
15
Traceability of users Tools to analyze log files –Collecting information about actions of particular user –Focused on site-level, to be performed by sysadmins –Work in progress – some “filters” already available Tools to analyze data from the L&B database –grid/VO level –Complete information about user’s activities on the grid –Intended for VO managers –Work planned, not started yet More info at –http://indico.cern.ch/getFile.py/access?contribId=6&sessionId=4&resId=1&materialId=sli des&confId=49905http://indico.cern.ch/getFile.py/access?contribId=6&sessionId=4&resId=1&materialId=sli des&confId=49905 16/10/2015Mingchao Ma, RAL15
16
Security Training & Dissemination gLite Service reference cards –https://twiki.cern.ch/twiki/bin/view/EGEE/ServiceReferenceC ards 16/10/2015Mingchao Ma, RAL16 gLite-AMGA - ARDA Metadata CataloggLite-AMGA glite-BDII - Berkeley Database Information Indexglite-BDII glite-CREAM_CE - gLite CREAM Computing Elementglite-CREAM_CE glite-DPM - Disk Pool Managerglite-DPM glite-FTS - File Transfer Serviceglite-FTS glite-LFC - LCG File Catalogglite-LFC gLite-LB - Logging and Bookkeeping servicegLite-LB glite-MON - Monitoring System Collector Serverglite-MON glite-PX - MyProxy serverglite-PX glite-UI - User Interfaceglite-UI glite-VOBOX - Virtual Organisation Nodeglite-VOBOX glite-VOMS - Virtual Organisation Membership Systemglite-VOMS gLite-WMS - Workload Management ServicegLite-WMS glite-WN - Worker Nodeglite-WN lcg-CE - LCG Computing Elementslcg-CE gLExec - gLExec (both for WN and CE)gLExec
17
Service reference cards Each service card has a “security information” section –Access control Mechanism description (authentication & authorization) –How to block/ban a user –Network Usage –Firewall configuration –Security recommendations –Security incompatibilities –List of externals (packages are NOT maintained by Red Hat or by gLite) –Other security relevant comments 16/10/2015Mingchao Ma, RAL17
18
Security Trainings Target system managers and administrators, NOT end users; No dedicated budget for security training; –Incorporate training into other conferences/events; Past training events –EGEE’07, 1st -5th October 2007, Budapest –EGEE’08, 22nd -26th September 2008, Istanbul –Security training at Laboratory APC, France, 2nd -3rd April 2009 –Security training at ISGC 2009, Taipei, 19th April 2009 Upcoming training events –Security workshop at RAL, UK, 1st July, 2009 –GridKa School at Karlsruhe, Germany 31st Aug.- 4th Sep. 2009 –EGEE’09, 21-25 September 2009, Barcelona Some ROCs are planning trainings in their regions as well 16/10/2015Mingchao Ma, RAL18
19
16/10/2015Mingchao Ma, RAL19
20
Security Page Still in very early stage, will be hosted at OSCT website Topics cover –Security policies, procedures –Security monitoring –Middleware security –OS security –Network security –Trust (CA, PKI and IGTF) –Forensics –… … TERENA training material 16/10/2015Mingchao Ma, RAL20
21
Question? 16/10/2015Mingchao Ma, RAL21
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.