Presentation is loading. Please wait.

Presentation is loading. Please wait.

EGEE is a project funded by the European Union under contract IST-2003-508833 Security Monitoring Miguel Cárdenas Montes Security Contact SWE Federation.

Published byMervin Melton Modified over 9 years ago

Similar presentations

Presentation on theme: "EGEE is a project funded by the European Union under contract IST-2003-508833 Security Monitoring Miguel Cárdenas Montes Security Contact SWE Federation."— Presentation transcript:

1 EGEE is a project funded by the European Union under contract IST-2003-508833 Security Monitoring Miguel Cárdenas Montes Security Contact SWE Federation miguel.cardenas@ciemat.es Athens Meeting, 18-22 April 2005 www.eu-egee.org

2 Athens, April 18-22, 2005 - 2 Security Monitoring The Road Map Getting started with Nagios + Tripwire + Chkrootkit + SNMP. In the way, the problems arise. Advices for the next steps.

3 Athens, April 18-22, 2005 - 3 Security Monitoring What we wanted? Our aim was the study, evaluation and implementation of an effective security system monitoring using Open Source software. So, we used: Nagios is a system designed for the monitoring of computers, detection of failures in services and sending notifications out to administrative contacts. Tripwire is an intrusion detection tool. Chkrootkit is a detector of rootkits. SNMP is a protocol, specially designed for monitoring.

4 Athens, April 18-22, 2005 - 4 Security Monitoring The implementation Our monitoring system is working more than one year ago. It give us a lot of information both via email and web interface, detecting failures in services and security. Similar systems were implemented at the UAM, UB, PIC and USC. A how-to to easy the implementation was created & spread.

5 Athens, April 18-22, 2005 - 5 Security Monitoring What we cover with the monitoring? Number of superuser accounts (uid=0). Users with empty password. Mode of NIC interface (promiscuous or not). Hidden files in /dev directory. Modifications over the most critical binaries. Installation of a rootkit. And other parameters or system variables.

6 Athens, April 18-22, 2005 - 6 Security Monitoring Retrieve information from the nodes I Several modus were used to retrieve the information of the status of a variable from the node to the central platform. For example, by a ssh connection a script is executed in the remote node and its exit is published in the console of Nagios. A second way was executing the script by snmpd, and store its exit at the MIB tree.

7 Athens, April 18-22, 2005 - 7 Security Monitoring Retrieve information from the nodes II Into the both preceding cases, the information is discovered as reponse of a previous request from the central platform. With this structure the monitoring was completally satisfactory, but...

8 Athens, April 18-22, 2005 - 8 Security Monitoring In the way, the problems arise

9 Athens, April 18-22, 2005 - 9 Security Monitoring The problems False positive (false alarms emerging) started to appear when the system load averages of CPU started to climb up and climb up. Only the worker nodes has usually loads of 3 and higher, but they are the most frequent elements into our farm. For the other elements (CE, SE,...), we haven't usually found problems of false positives.

10 Athens, April 18-22, 2005 - 10 Security Monitoring The origins of problems I In our oppinion, the origins of the false alarms are related with time-outs. The request arrives to the WN, but the response comes to the central platform too late and the waiting time has concluded. This is clearly related with the CPU load of WN, but it is unchangeable for us. Our institutes bought them for that task. Well, the only strategy is to change the modus of regaining the information.

11 Athens, April 18-22, 2005 - 11 Security Monitoring The origins of problems II The load of the central platform, which gathers all information, has never given us problems. Even if we are using a old computer (pentium III), its load always has been between reasonable margins.

12 Athens, April 18-22, 2005 - 12 Security Monitoring Baby-sitting I Based on our experience, we could affirm that a continuous effort is required to maintain up-to-day and tune the configurations. For example, after each update of the software a reconfiguration of some parameters is mandatory. If not, we will start to received a lot of alerts from the monitoring system.

13 Athens, April 18-22, 2005 - 13 Security Monitoring Baby-sitting II For a big installation, a daily dedication is necessary, even one person only for that task. A little reflection, at EGEE there are very big and small centres, and their situation is very different. Could a small centre hire somebody only for these tasks?

14 Athens, April 18-22, 2005 - 14 Security Monitoring Recapitulation of problems The way of retrieve de information is totally incompatible with worker nodes supporting a high load. A great amount of work hours is necessary to maintain up-to-day the system monitoring.

15 Athens, April 18-22, 2005 - 15 Security Monitoring Advices and solutions

16 Athens, April 18-22, 2005 - 16 Security Monitoring Solutions: Baby-sitting To solve the baby-sitting problems, the way is to automatize as much as possible all tasks related with instalation, configuration and further reconfigurations.

17 Athens, April 18-22, 2005 - 17 Security Monitoring Solutions: False-positives I For the problem of the false positives, we are projecting to change the way of retrieve the information from the monitored nodes. We have found two ways to explore: Use snmptrap better than snmpget. Use other monitoring tool like Samhain as our colleague Romain Wartel has proposed.

18 Athens, April 18-22, 2005 - 18 Security Monitoring Solutions: False-positives II In both cases, snmptrap and Samhain, we are changing the way of gaining the information. In snmptrap, the nodes send the information without previous request. And with Samhain a daemon running at monitored nodes sends status information periodically. In any case, a new test period is opening now.

19 Athens, April 18-22, 2005 - 19 Security Monitoring Ευχαριστώ Thank you very much Muchas gracias Merci beaucoup Muito obrigado Vielen Dank

Download ppt "EGEE is a project funded by the European Union under contract IST-2003-508833 Security Monitoring Miguel Cárdenas Montes Security Contact SWE Federation."

Similar presentations

Presented by Nikita Shah 5th IT ( )

Presented by Nikita Shah 5th IT ( )
Report of Liverpool HEP Computing during 2007 Executive Summary. Substantial and significant improvements in the local computing facilities during the.

Report of Liverpool HEP Computing during 2007 Executive Summary. Substantial and significant improvements in the local computing facilities during the.
1 CHEP 2000, 10.02.2000Roberto Barbera Roberto Barbera (*) Grid monitoring with NAGIOS WP3-INFN Meeting, Naples, 29.11.2002 (*) Work in collaboration with.

1 CHEP 2000, Roberto Barbera Roberto Barbera (*) Grid monitoring with NAGIOS WP3-INFN Meeting, Naples, (*) Work in collaboration with.
June 2010 At A Glance The Room Alert Adapter software in conjunction with AVTECH Room Alert™ devices assists in monitoring computer room environments as.

June 2010 At A Glance The Room Alert Adapter software in conjunction with AVTECH Room Alert™ devices assists in monitoring computer room environments as.
Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.

Using Nagios for Intrusion detection Miguel Cárdenas Montes Elio Pérez Calle Francisco Javier Rodríguez Calonge.
DataGrid is a project funded by the European Union 22 September 2003 – n° 1 EDG WP4 Fabric Management: Fabric Monitoring and Fault Tolerance

DataGrid is a project funded by the European Union 22 September 2003 – n° 1 EDG WP4 Fabric Management: Fabric Monitoring and Fault Tolerance
K.Harrison CERN, 23rd October 2002 HOW TO COMMISSION A NEW CENTRE FOR LHCb PRODUCTION - Overview of LHCb distributed production system - Configuration.

K.Harrison CERN, 23rd October 2002 HOW TO COMMISSION A NEW CENTRE FOR LHCb PRODUCTION - Overview of LHCb distributed production system - Configuration.
Distributed Systems Management What is management? Strategic factors (planning, control) Tactical factors (how to do support the strategy practically).

Distributed Systems Management What is management? Strategic factors (planning, control) Tactical factors (how to do support the strategy practically).
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 8: Implementing and Managing Printers.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Network Management Management Tools –Desirable features Management Architectures Simple Network Management Protocol.

Network Management Management Tools –Desirable features Management Architectures Simple Network Management Protocol.
Executive Dashboard Systems Secure CITI Adam Zagorecki April 30, 2004.

Executive Dashboard Systems Secure CITI Adam Zagorecki April 30, 2004.
 Network Management  Network Administrators Jobs  Reasons for using Network Management Systems  Analysing Network Data  Points that must be taken.

 Network Management  Network Administrators Jobs  Reasons for using Network Management Systems  Analysing Network Data  Points that must be taken.
Hands-On Microsoft Windows Server 2008 Chapter 11 Server and Network Monitoring.

Hands-On Microsoft Windows Server 2008 Chapter 11 Server and Network Monitoring.
CH 13 Server and Network Monitoring. Hands-On Microsoft Windows Server 20082 Objectives Understand the importance of server monitoring Monitor server.

CH 13 Server and Network Monitoring. Hands-On Microsoft Windows Server Objectives Understand the importance of server monitoring Monitor server.
McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.

McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.
Windows Server 2008 Chapter 11 Last Update 2012.06.07 1.0.0.

Windows Server 2008 Chapter 11 Last Update
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
Network Problems and Solutions M. Sc. Juan Carlos Olivares Rojas

Network Problems and Solutions M. Sc. Juan Carlos Olivares Rojas
© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company www.jblearning.com All rights reserved. Security Strategies in Linux Platforms and.

© 2013 Jones and Bartlett Learning, LLC, an Ascend Learning Company All rights reserved. Security Strategies in Linux Platforms and.

Similar presentations

Ads by Google