Presentation is loading. Please wait.

Presentation is loading. Please wait.

Setting up a Grid-CERT Experiences of an academic CSIRT TERENA Networking Conference 2007 21 - 24 May, Lyngby, Denmark Klaus Möller DFN-CERT Services GmbH.

Published byStephany Clark Modified over 8 years ago

Similar presentations

Presentation on theme: "Setting up a Grid-CERT Experiences of an academic CSIRT TERENA Networking Conference 2007 21 - 24 May, Lyngby, Denmark Klaus Möller DFN-CERT Services GmbH."— Presentation transcript:

1 Setting up a Grid-CERT Experiences of an academic CSIRT TERENA Networking Conference 2007 21 - 24 May, Lyngby, Denmark Klaus Möller DFN-CERT Services GmbH

2 2© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Agenda Introduction CSIRTs D-Grid initiative Organisational Challenges Making yourself known Incident reporting International cooperation Technical Challenges Grid software expertise Software vulnerabilities

3 3© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Introduction Computer Security Incident Response Team (CSIRT) Aka CERT, IRT, CIRT, SIRT, etc. Primary task: Helping organizations in dealing with IT security incidents (i. e. “hacking”) Local Site Security Teams: Directly at an organisation Often part of local network or system administration group Coordinating Teams: Responsible for a (larger) network of an organisation, ISP, or country

4 4© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Introduction D-Grid Initiative Six (initially five) community projects furthering Grid computing in specific areas One integration project Among other tasks: Set-up of Grid-specific CSIRT Services

5 5© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Introduction CSIRT Services

6 6© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Introduction Adapting services for Grid needs Alerts and warnings Incident handling How to detect and analyze Grid incidents Vulnerability Handling Promote security best practices with writers/vendors of Grid software Security-related information dissemination Develop and distribute security best practices for Grid administrators

7 7© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Organizational Challenges Making yourself known First task when establishing a CSIRT: Make yourself known to the constituency DFN-CERT is already well known However: This does not extend into Grid- communities Easy to solve through the D-Grid Initiative Platform for exchange, simply go there and discuss matters with the community partners Otherwise, it would have been difficult just to find out which Grid-communities exist But does not cover Grids outside the initiative

8 8© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Organizational Challenges Finding Security Contacts With an incident, you typically have an event (like portscans or SPAM) and an IP-address Find the responsible person for the IP- address Traditionally: Use the WHOIS service There is no database about which IP- addresses belong to which Grid Grid and local site security team may not be identical New ways of reporting incidents needed Mailing list proposal by Open Science Grid

9 9© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Organizational Challenges Incident reporting

10 10© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Organizational Challenges Incident reporting Reporting through site security team: Directly involves local site security team Data often incomplete a coordinating CSIRT level Registration with CSIRT is a bottleneck Reporting through Grid incident mailing list: Fast, automatic information of all Grid members Only as good as Grid mailing list database Local site security team may not be involved automatically Message content must not make a site, job or user identifiable :(

11 11© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Organizational Challenges International cooperation Try to pool CSIRTs experience together Terenas TF-CSIRT: European CSIRT forum FIRST: International CSIRT forum BoF at joint FIRST - TF-CSIRT meeting in January 2006 Pre working group stage Grid security since September 2006 part of the TF-CSIRT terms of reference A lot of initial interest, but little active cooperation so far

12 12© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Technical Challenges To help securing their infrastructure CSIRTs have to develop an understanding about the software used in Grids, especially How to securely configure Grid software How Grid software interacts with other software How to detect break-ins How to estimate the damage from a break-in No or very little experience at other CSIRTs So no opportunity of learning from them Even in the Grid-communities, few people truly understand Grid software

13 13© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Technical Challenges Software Audit Manipulate User Mapping Database Manipulate job mapping Sniff unencrypted traffic within site Extrapolate from known attacks on other systems Works only with smaller software packages (UNICORE) Beyond the resources of academic CSIRTs for larger packages (gLite, Globus) Also: Test setup chosen by CSIRT may not be representative

14 14© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Technical Challenges Penetration testing of existing Grid sites Black box test (no prior knowledge) Basic standard tools: nmap, netcat, OpenSSL Attackers can locate Grid sites and identify to which Grid they belong (server gives list of acceptable X.509 client Cas during SSL handshake) Grid services can be identified, even if running on non-standard port numbers (nmap signatures) Even with custom Linux distributions, services remain open that are not needed (finger) or are configured in an insecure way (SSH protocol version 1)

15 15© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Technical Challenges Leveraging penetration test results Use CSIRT infrastructures for network monitoring Directly observe attackers or suspicious traffic Automatic alerts to constituency Network telescopes Observe traffic flows to ports used by Grid software So far, very little traffic has been seen Honeypots (in planing) Directly observe attacks Start with low interaction honeypots Has to be SSL-capable

16 16© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Technical Challenges Software vulnerabilities Grid software vulnerabilities in the CVE database 2005: 1 (Sun Grid Engine) 2006: 7 (Globus Toolkit, Sun Grid Engine, OpenPBS/Torque) Grid software per se not more secure than anything else This does not count vulnerabilities in software the Grid software is build upon OpenSSL, Apache, etc.

17 17© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Technical Challenges Software vulnerabilities Grid software vendors don't follow standard practices No published point of contact for reporting security problems No open way of disseminating security information, i. e. open security announcement mailing list Unsigned advisories Unsigned software packages: MD5/SHA-1 checksums are not good enough Initial contact with some vendors has been made

18 18© 2007 DFN-CERT Services GmbH / Setting up a Grid-CERT Conclusions DFN-CERTs “Grid-CERT” operational since December 2006 So far, only a few incidents could be classified as Grid-related Most involve stolen X.509 certificates One false alarm at a cluster site However: Many community projects are not yet operational Some solutions are not optimal but will have to do for the beginning New developments may change the picture

19 Thank you ! Questions ?

Download ppt "Setting up a Grid-CERT Experiences of an academic CSIRT TERENA Networking Conference 2007 21 - 24 May, Lyngby, Denmark Klaus Möller DFN-CERT Services GmbH."

Similar presentations

The Access Grid Ivan R. Judson 5/25/2004.

The Access Grid Ivan R. Judson 5/25/2004.
Computer Emergency Response Teams

Computer Emergency Response Teams
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.

Snort & ACID. UTSA IS 6973 Computer Forensics SNORT.
CERT Polska Experiences in incident handling The CLOSER Project Mirosław Maj Chisinau, 11/10/2004.

CERT Polska Experiences in incident handling The CLOSER Project Mirosław Maj Chisinau, 11/10/2004.
TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.

TechSec WG: Related activities overview Information and discussion TechSec WG, RIPE-45 May 14, 2003 Yuri Demchenko.
Security Issues and Challenges in Cloud Computing

Security Issues and Challenges in Cloud Computing
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Computing and Data Infrastructure for Large-Scale Science Deploying Production Grids: NASA’s IPG and DOE’s Science Grid William E. Johnston

Computing and Data Infrastructure for Large-Scale Science Deploying Production Grids: NASA’s IPG and DOE’s Science Grid William E. Johnston
Manuka project IEEE IA Workshop June 10, 2004. Agenda Introduction Inspiration to Solution Manuka Use SE Approach Conclusion.

Manuka project IEEE IA Workshop June 10, Agenda Introduction Inspiration to Solution Manuka Use SE Approach Conclusion.
Security administrators The experts need better tools too!

Security administrators The experts need better tools too!
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
Computer Networks IGCSE ICT Section 4.

Computer Networks IGCSE ICT Section 4.
Polska Infrastruktura Informatycznego Wspomagania Nauki w Europejskiej Przestrzeni Badawczej Security Best Practices: Applying Defense-in-depth Strategy.

Polska Infrastruktura Informatycznego Wspomagania Nauki w Europejskiej Przestrzeni Badawczej Security Best Practices: Applying Defense-in-depth Strategy.
Virtual Private Networks Alberto Pace. IT/IS Technical Meeting – January 2002 What is a VPN ? u A technology that allows to send confidential data securely.

Virtual Private Networks Alberto Pace. IT/IS Technical Meeting – January 2002 What is a VPN ? u A technology that allows to send confidential data securely.
LINUX Security, Firewalls & Proxies. Course Title Introduction to LINUX Security Models Objectives To understand the concept of system security To understand.

LINUX Security, Firewalls & Proxies. Course Title Introduction to LINUX Security Models Objectives To understand the concept of system security To understand.
Www.egi.eu EGI-Engage www.egi.eu Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.

EGI-Engage Recent Experiences in Operational Security: Incident prevention and incident handling in the EGI and WLCG infrastructure.
CCIRN meeting, Cairns, 3 July 2004 Computer security co-operation in Europe Karel Vietsch Based on materials provided by TERENA TF-CSIRT.

CCIRN meeting, Cairns, 3 July 2004 Computer security co-operation in Europe Karel Vietsch Based on materials provided by TERENA TF-CSIRT.
Cloud Computing for the Enterprise November 18th, 2011. This work is licensed under a Creative Commons.

Cloud Computing for the Enterprise November 18th, This work is licensed under a Creative Commons.
Peter Burnett Head of Information Sharing National Infrastructure Security Co-ordination Centre.

Peter Burnett Head of Information Sharing National Infrastructure Security Co-ordination Centre.

Similar presentations

Ads by Google