Presentation is loading. Please wait.

Presentation is loading. Please wait.

Denise Heagerty, CERN, HEPiX Meeting Oct 20031 HEPiX Security Workshop Overview of talks Some extracts of general interest LCG Security Group FNAL, KEK,

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Denise Heagerty, CERN, HEPiX Meeting Oct 20031 HEPiX Security Workshop Overview of talks Some extracts of general interest LCG Security Group FNAL, KEK,"— Presentation transcript:

1 Denise Heagerty, CERN, HEPiX Meeting Oct 20031 HEPiX Security Workshop Overview of talks Some extracts of general interest LCG Security Group FNAL, KEK, CERN, SLAC Worrying trends Summary

2 Denise Heagerty, CERN, HEPiX Meeting Oct 20032 HEPiX Security Workshop - Overview Security Updates: LCG (Dave Kelsey) KEK (Fukuko Yuasa) CERN (Denise Heagerty) Recent security events: Recent security holes and their impact (Bob Cowles, SLAC) Response to Blaster and Sobig worms at CERN (Alberto Pace, CERN) System security: Farm nodes (Vlado Bahyl, CERN – presented by Thorsten Kleinwort) Cluster security (Alf Wachsmann, SLAC) Introduction to deploying PKI Alberto Pace, CERN Incident Response Sharing opportunities (Matt Crawford, FNAL) Experience with a Grid incident (Dane Skow, FNAL) Open discussion session Sharing opportunities follow up LCG security risk analysis

3 Denise Heagerty, CERN, HEPiX Meeting Oct 20033 LCG Security Group - Mandate To advise and make recommendations to the Grid Deployment Manager and the GDB on all matters related to LCG-1 Security GDB makes the decisions To continue work on the mandate of GDB WG3 Policies and procedures on Registration, Authentication, Authorization and Security To produce and maintain Implementation Plan (first 3 months, then for 12 months) Acceptable Use Policy/Usage Guidelines LCG-1 Security Policy Where necessary recommend the creation of focussed task- forces made-up of appropriate experts E.g. the “Security Contacts” group (n.b. GDB = Grid Deployment Board)

4 Denise Heagerty, CERN, HEPiX Meeting Oct 20034 LCG Security Group - Membership Experiment representatives/VO managers Alberto Masoni, ALICE Rich Baker, Anders Waananen, ATLAS David Stickland, Greg Graham, CMS Joel Closier, LHCb Site Security Officers Denise Heagerty (CERN), Dane Skow (FNAL) Site/Resource Managers Dave Kelsey (RAL) - Chair Security middleware experts/developers Roberto Cecchini (INFN), Akos Frohner (CERN) LCG management and the CERN LCG team Ian Bird, Ian Neilson Non-LHC experiments/Grids Many sites also involved in other projects Bob Cowles (SLAC)

5 Denise Heagerty, CERN, HEPiX Meeting Oct 20035 LCG Security Group – Documents ( http://cern.ch/proj-lcg-security) 6 documents approved to date Security and Availability Policy for LCG Prepared jointly with GOC task force Approval of LCG-1 Certificate Authorities Audit Requirements for LCG-1 Rules for Use of the LCG-1 Computing Resources Agreement on Incident Response for LCG-1 User Registration and VO Management 4 more still to be written (by GOC task force) LCG Procedures for Resource Administrators LCG Guide for Network Administrators LCG Procedure for Site Self-Audit LCG Service Level Agreement Guide

6 6 Matt Crawford, FNAL: The common internet threat model is trusted endpoints on an insecure network. SSL, SSH, ipsec, and a myriad of host vulnerabilities have turned this backwards. We’ve got more communication security than host security.... and it’s natural to believe that a message received on a secure channel can be trusted. See also: “The Internet is Too Secure Already,” by Eric Rescorla. Note: Matt detected passwords on the HEPiX wireless network! Network encryption technology is available, but we’re not all using it… FNAL: The threat model has changed

7 Denise Heagerty, CERN, HEPiX Meeting Oct 20037 KEK: MAC address registration Since Aug. 2003, MAC address registration is required to use KEK network Without the registration, packets are not transferred 4642 MAC address registered The port of the switch is configured dynamically One MAC address belongs to one VLAN Also in the wireless LAN, MAC address registration is required since Apr. 2002. KEK staff: 150 and Collaborator: 728 68 Cisco Aironet stations WEP Annual registration renewal

8 Denise Heagerty, CERN, HEPiX Meeting Oct 20038 Security incidents at KEK, Oct 2002 - 0ct 2003 Worm : 64%, unix root exploit: 28%

9 Denise Heagerty, CERN, HEPiX Meeting Oct 20039 CERN Incident Summary, 1 Jan 2001- 30 Sep 2003 200120022003 -Sep Incident Type 593126System compromised (intruder has control) security holes in software (e.g. ssh, kernel, ICQ, IE) 422527Compromised CERN accounts sniffed or guessed passwords 1121305Serious Viruses and worms Blaster/Welchia (290), Sobig (12), Slammer(3) 1321119Unauthorised use of file servers insufficient access controls, P2P file-sharing 15161Serious SPAM incidents CERN email addresses are regularly forged 1196Miscellaneous security alerts 151123484Total Incidents

10 Denise Heagerty, CERN, HEPiX Meeting Oct 200310 Blaster/Welchia Infection Sources @ SLAC 32%VPN 22%DHCP (reg, internal network) 20%Fixed IP On vacation, laptop infected outside, etc. 14%Infected during build / patch 12%Dialup

11 Denise Heagerty, CERN, HEPiX Meeting Oct 200311 Worrying Trends Break-ins are devious and difficult to detect E.g. SucKIT rootkit Worms are spreading within seconds Welchia infected new PCs during installation sequence Poorly secured systems are being targeted Home and privately managed computers are a huge risk Break-ins occur before the fix is out SPAM relays used a new hole before a patch and anti-virus available People are often the weakest link Infected laptops are physically carried on site Users continue to download malware and open tricked attachments Intruders and worms can do more damage When?

12 Denise Heagerty, CERN, HEPiX Meeting Oct 200312 HEPiX Security Workshop - Summary Blaster worm and its variants impacted all sites Hardware address registration is becoming normal Required for access to wireless at TRIUMF meeting site KEK (done), CERN (in progress), FNAL (soon), SLAC (planned), … VPN & portable systems pose a serious security risk security check prior to DHCP network access planned by some sites (FNAL, SLAC, …) Requires client to install software to be effective Security patches need to be timely and enforced e.g. SLAC give deadlines and then force patches, including reboots Visitors cannot rely on home site for patch and anti-virus updates HEPiX Security Workshop provided a useful exchange high quality and a diverse range of talks a security discussion list has been created to continue the good collaboration

Download ppt "Denise Heagerty, CERN, HEPiX Meeting Oct 20031 HEPiX Security Workshop Overview of talks Some extracts of general interest LCG Security Group FNAL, KEK,"

Similar presentations

The Approach to Security in CLRC Gareth Smith With acknowledgements to all the members of the CLRC Computer Network and Security Group, especially Trevor.

The Approach to Security in CLRC Gareth Smith With acknowledgements to all the members of the CLRC Computer Network and Security Group, especially Trevor.
Mr C Johnston ICT Teacher

Mr C Johnston ICT Teacher
Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.

Grid Security Users, VOs, Sites OSG Collaboration Meeting University of Washington Bob Cowles August 23, 2006 Work supported.
INFSO-RI-508833 Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK

INFSO-RI Enabling Grids for E-sciencE Update on LCG/EGEE Security Policy and Procedures David Kelsey, CCLRC/RAL, UK
Security Update at KEK since Oct-2002 Fukuko Yuasa/KEK nwg Kiyoharu Hashimoto/KEK nwg 23 October 2003 HEPiX/HEPNT2003 at TRIUMF.

Security Update at KEK since Oct-2002 Fukuko Yuasa/KEK nwg Kiyoharu Hashimoto/KEK nwg 23 October 2003 HEPiX/HEPNT2003 at TRIUMF.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.

ITS Offsite Workshop 2002 PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology.
SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.

SIRT Contact Orientation Security Incident Response Team Departmental Security Contacts April 16, 2004.
Computer Security Update Bob Cowles, SLAC stanford.edu Presented at HEPiX - TRIUMF 23 Oct 2003 Work supported by U. S. Department of Energy.

Computer Security Update Bob Cowles, SLAC stanford.edu Presented at HEPiX - TRIUMF 23 Oct 2003 Work supported by U. S. Department of Energy.
Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.

Developing a Security Policy Chapter 2. Learning Objectives Understand why a security policy is an important part of a firewall implementation Determine.
First Community Bank www.fcbnm.com Prevx Safe Online Rollout & Best Practice Presentation.

First Community Bank Prevx Safe Online Rollout & Best Practice Presentation.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public ITE PC v4.0 Chapter 1 1 Basic Security Networking for Home and Small Businesses – Chapter 8.
Laptops and Computer Security Gareth Smith. Current Situation in PPD Standardised on Dells (D400, D600) Total bought to date by department: ~50. Loan.

Laptops and Computer Security Gareth Smith. Current Situation in PPD Standardised on Dells (D400, D600) Total bought to date by department: ~50. Loan.
RomeWorkshop on eInfrastructures 9 December 2003 - 1 LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.

RomeWorkshop on eInfrastructures 9 December LCG Progress on Policies & Coming Challenges Ian Bird IT Division, CERN LCG and EGEE Rome 9 December.
What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:

What if you suspect a security incident or software vulnerability? What if you suspect a security incident at your site? DON’T PANIC Immediately inform:
CERN’s Computer Security Challenge

CERN’s Computer Security Challenge
Proposed mid-term Security Strategies for CERN Prepared by ad-hoc working group members: Lionel Cons, Francois Fluckiger, Denise Heagerty, Jan Iven, Jean-Michel.

Proposed mid-term Security Strategies for CERN Prepared by ad-hoc working group members: Lionel Cons, Francois Fluckiger, Denise Heagerty, Jan Iven, Jean-Michel.

Similar presentations

Ads by Google