Presentation is loading. Please wait.

Presentation is loading. Please wait.

IT Security for the LHCb experiment 3rd Control System Cyber-Security Workshop (CS)2/HEP ICALEPCS – Grenoble Enrico Bonaccorsi, (CERN)

Published byStephany Nash Modified over 8 years ago

Similar presentations

Presentation on theme: "IT Security for the LHCb experiment 3rd Control System Cyber-Security Workshop (CS)2/HEP ICALEPCS – Grenoble Enrico Bonaccorsi, (CERN)"— Presentation transcript:

1 IT Security for the LHCb experiment 3rd Control System Cyber-Security Workshop (CS)2/HEP ICALEPCS – Grenoble Enrico Bonaccorsi, (CERN) enrico.bonaccorsi@cern.chenrico.bonaccorsi@cern.ch Loic Brarda, (CERN) loic.brarda@cern.chloic.brarda@cern.ch Mohamed Chebbi, (CERN) mohamed.chebbi@cern.chmohamed.chebbi@cern.ch Niko Neufeld, (CERN) niko.neufeld@cern.chniko.neufeld@cern.ch

2 Outline LHCb intro IT Security – several point of view o Security risks o Physical and host local security approach. o Protected perimeter o Network security implementation Central Log System Data Security Log and data analysis Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld2

3 LHCb Completely isolated network o Data acquisition system o Experiment Control System Heterogeneus Enviroment o Collaboration o 2000 Servers and embedded systems o 200 Active users o Different vendors o Custom System “self- developed“ o Manageability VS strict security o Security and users impact Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld3

4 IT Security several point of view Physical Security Local Security Network Local Security Network Security Data Security Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld4 Local and Remote Access High Availability Preemptive measures External connectivity Management of Application and Operating Systems Industrial security

5 Security risks Interruption in Data Acquisition Unauthorized modification/destruction to data and systems Unauthorized disclosure of data Denial of service 5Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld

6 Security risks (2) Users Behavior o Theft of authentication credentials o Lack of awareness, caralessness or negligence o Unfair and fraudulent behavior o Human errors Attack and misconfiguration o Virus – Malware – Trojan – Backdoor – Rootkits - Worm – Hiding in encrypted sessions - etc o Sabotage o Unauthorized access o Information o Human errors Environmental o Theft of devices that contain data o Destructive events (earthquakes, fire, flood, etc) Intentional, accidental, due to negligence o Human errors 6Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld

7 Security Policy Security policies have been produced following the CERN CNIC recommendations: o https://edms.cern.ch/file/1062503/2/Security_Baseline_for_File_Hosting.pdf https://edms.cern.ch/file/1062503/2/Security_Baseline_for_File_Hosting.pdf o https://edms.cern.ch/file/1062500/2/Security_Baseline_for_Servers.pdf https://edms.cern.ch/file/1062500/2/Security_Baseline_for_Servers.pdf o https://edms.cern.ch/file/1062502/2/Security_Baseline_for_Web_Hosting.p df https://edms.cern.ch/file/1062502/2/Security_Baseline_for_Web_Hosting.p df 7

8 Physical and host local security approach Physical: o Authorization required to access Point 8 o Biometric required to access the underground area Local o Private personal account for each LHCb user Few shared account are still in use o PAM/Domain Policies used to restrict access to critical servers between LHCb groups o IPMI access protected by router ACL o Applications centrally managed by Quattor/System Center Deployment Services o No internet routing allowed except for few gateway server o Only WEB access granted through an HTTP proxy Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld8

9 Inner networks Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld9 Traffic isolation using VLANs, 802.1q, Layer2 filtering and ACL LCG and TN accessible only from few hosts No internet connectivity Only LHCb laptop allowed

10 Network Security implementation General public and log in services/ Terminal services o RDP windows remote desktops o SSH gateways o NX linux remote desktops o Web services Network segmentation and trusted zones o level of trust based on three tiers the sensitivity of the data being processed Anomaly & Intrusion detection 10Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld

11 Central Log System All the windows and Linux servers send their logs to a clustered log server High Availability granted by o Active/Active two node cluster system o Raid 1 on each cluster node for the local disk o Filesystem replica over network between nodes o Backup on CASTOR Logs exported to the users by NFS 11Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld

12 Data Security Shared filesystem o served by a cluster of five nodes on redundant hardware o High Availability granted by Cluster of NFS/SMB servers that export the filesystem to the entire experiment o Data protection: Short term based on different storage raid set using RSYNC for immediate user access (file deleted by mistake by the user, etc) Long Term based on tape using CASTOR for… ever? Backup sent to CASTOR and stored on type Servers and Control PCs o High availability granted by RAID 1 SW RAID used when HW raid is not available o Daily Backup based on Tivoli (Thanks to IT dep. ) 12Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld

13 Network Intrusion/Anomaly Detection System Boundary networks traffic mirrored and analyzed ISO/IEC 18043:2006(E) Selection, deployment and operations of intrusion detection system Snort for NIDS NTOP for Anomaly Detection 13Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld

14 Performance 14Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld

15 Questions? 15Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld

16 Backup slide 16

17 Snort Log data Analysis Raw logs generated: Ntop – Suspiciuous (Syslog) Ntop – Others (pcap) Snort > Barnyard > Alerts (Syslog) Snort – Packets (pcap) Barnyhard to offload output processing Parsing Visual – Links Graphs Correlation to crosscheck to exclude false positives Centralized Analysis console is not strictly necessary Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld

18 18

Download ppt "IT Security for the LHCb experiment 3rd Control System Cyber-Security Workshop (CS)2/HEP ICALEPCS – Grenoble Enrico Bonaccorsi, (CERN)"

Similar presentations

5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:

Chapter 10: Data Centre and Network Security Proxies and Gateways * Firewalls * Virtual Private Network (VPN) * Security issues * * * * Objectives:
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Securing the Borderless Network March 21, 2000 Ted Barlow.

Securing the Borderless Network March 21, 2000 Ted Barlow.
Security+ Guide to Network Security Fundamentals

Security+ Guide to Network Security Fundamentals
Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.

Security Presented by : Qing Ma. Introduction Security overview security threats password security, encryption and network security as specific.
Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia

Defense-in-Depth Against Malicious Software Jeff Alexander IT Pro Evangelist Microsoft Australia
1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.

1.  To analyze and explain the IDS placement in network topology  To explain the relationship between honey pots and IDS  To explain, analyze and evaluate.
IS Network and Telecommunications Risks

IS Network and Telecommunications Risks
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.

Security Overview. 2 Objectives Understand network security Understand security threat trends and their ramifications Understand the goals of network.
Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.

Firewalls Presented By Hareesh Pattipati. Outline Introduction Firewall Environments Type of Firewalls Future of Firewalls Conclusion.
By Edith Butler Fall 2008. Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.

By Edith Butler Fall Our Security Ways we protect our valuables: Locks Security Alarm Video Surveillance, etc.
Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.

Network Infrastructure Security. LAN Security Local area networks facilitate the storage and retrieval of programs and data used by a group of people.
Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.

Installing and Maintaining ISA Server. Planning an ISA Server Deployment Understand the current network infrastructure Review company security policies.
Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Network Security. Trust Relationships (Trust Zones) High trust (internal) = f c (once you gain access); g p Low trust ( ) = more controls; fewer privileges.

Similar presentations

Ads by Google