
Security Update, Mingchao Ma, HEPSYSMAN - Security, 1st July 2009

Presentation transcript:

1 Security Update
Mingchao Ma
HEPSYSMAN - Security, 1st July 2009

2 Overview
Security service challenge 3 (SSC 3)
Security incident handling procedure
Security monitoring
Security training and dissemination
16/10/2015 Mingchao Ma, RAL

3 SSC3
EGEE Tier1 sites have been tested twice by OSCT
Regional runs at Tier2 sites done by ROC security officers
  – UKI, SEE, Benelux and Italy completed
Regional run at OSG done
Regional run at NDGF planned

4 SSC3 Result – Tier1 Sites

5 SSC3: Analysis
All sites (besides one) improved
Sites that scored well in the first run improved in the second run
Sites that did not score very well in the first run improved a lot
Most sites (besides one) enjoyed the opportunity to test their response capabilities and even revealed operational problems

6 SSC3 Result – UKI Tier2 Sites

7 SSC - Plans
To run a modified SSC3
  – e.g. treat IP W.X.Y.Z as malicious
Storage SSC
  – Under discussion
  – Some concerns about the logging capabilities of storage middleware
Re-run SSC3 on Tier2 sites

8 Incident Handling
Security Incident Response Policy
  – http://www.jspg.org/wiki/Security_Incident_Response_Policy (draft)
The revised EGEE incident handling procedure
  – In final stage
  – http://indico.cern.ch/materialDisplay.py?contribId=12&sessionId=1&materialId=0&confId=56981
  – Change of reporting channels: separate channels for reporting an incident and for support
  – Specify the timeframe for each step, e.g. report an incident within 4 hours of detection
  – Templates for reporting an incident
Both GridPP and NGS incident procedures will be modified in line with the EGEE incident procedure

9 GridPP Incident Handling Procedure
Communication channel
  – Was: a list of security contact emails
  – Change to: a dedicated address for incident alert/report/notification and another for discussion/support
Feedback/comments are welcome!

10 NGS Incident Handling Procedure
Communication channel
  – Was: two addresses
  – Change to: a dedicated address for incident alert/report/notification and another for discussion/support
Feedback/comments are welcome!

11 Cross-Grid Incident Handling
GRID-SEC
  – A coordinated response to cross-grid security incidents, following the NSP-SEC model
  – http://cern.ch/grid-sec
  – A closed mailing list hosted by NCSA, USA
  – To strengthen communication between a small group of experts at connected academic grids
  – Maximum two representatives from the same grid infrastructure
  – Currently includes: OSG, TeraGrid, NDGF and EGEE

12 Cooperation between Grid (OSCT) and NREN CSIRTs
Collected a list of NREN CSIRT contact information
To participate in NREN CSIRT activities
To encourage cooperation between ROC security contacts and local NREN CSIRT team(s)
Also encourage cooperation between site security contacts and their organisation's security/CSIRT teams
Consider becoming a trusted introducer? (e.g. EGEE OSCT)

13 Security Monitoring
Some SAM security tests available
  – CRL and file permission checks
  – Results only available to security contacts
Port the tests to the Nagios-based framework
  – ROC (or even project/VO) level Nagios will perform the tests
  – Results must be encrypted, access policy defined
  – Focus on project/ROC level monitoring
  – More information can be found in https://twiki.cern.ch/twiki/pub/LCG/OSCT-EGEEIII-tasks/security-monitoring-v0.12.pdf
Further security probes to be developed
  – Call for Nagios-based security probes, based on risk analysis and/or previous incidents

14 Patch Monitoring - Pakiti
The Pakiti software is freely available from sourceforge
  – www.sf.net/projects/pakiti
  – used by some sites/ROCs (RAL Tier1, NIKHEF, SEE ROC)
  – currently being re-designed, significant changes expected during this summer
Pakiti campaign
  – Many sites are not applying security patches (vanilla SL3 distributions!); a wide range of exploits exists in the wild
  – OSCT is establishing a Pakiti server to collect and evaluate information about the sites' patching status
  – we only use the "public" interface, by sending a job
  – any authorised user can do the same
The middle-term goal is to move the Pakiti framework to Nagios

15 Traceability of users
Tools to analyse log files
  – Collecting information about the actions of a particular user
  – Focused on site level, to be performed by sysadmins
  – Work in progress; some "filters" already available
Tools to analyse data from the L&B database
  – grid/VO level
  – Complete information about a user's activities on the grid
  – Intended for VO managers
  – Work planned, not started yet
More info at
  – http://indico.cern.ch/getFile.py/access?contribId=6&sessionId=4&resId=1&materialId=slides&confId=49905

16 Security Training & Dissemination
gLite Service reference cards
  – https://twiki.cern.ch/twiki/bin/view/EGEE/ServiceReferenceCards
gLite-AMGA - ARDA Metadata Catalog
glite-BDII - Berkeley Database Information Index
glite-CREAM_CE - gLite CREAM Computing Element
glite-DPM - Disk Pool Manager
glite-FTS - File Transfer Service
glite-LFC - LCG File Catalog
gLite-LB - Logging and Bookkeeping service
glite-MON - Monitoring System Collector Server
glite-PX - MyProxy server
glite-UI - User Interface
glite-VOBOX - Virtual Organisation Node
glite-VOMS - Virtual Organisation Membership System
gLite-WMS - Workload Management Service
glite-WN - Worker Node
lcg-CE - LCG Computing Elements
gLExec - gLExec (both for WN and CE)

17 Service reference cards
Each service card has a "security information" section
  – Access control mechanism description (authentication & authorisation)
  – How to block/ban a user
  – Network usage
  – Firewall configuration
  – Security recommendations
  – Security incompatibilities
  – List of externals (packages NOT maintained by Red Hat or by gLite)
  – Other security relevant comments

18 Security Trainings
Target system managers and administrators, NOT end users
No dedicated budget for security training
  – Incorporate training into other conferences/events
Past training events
  – EGEE'07, 1st-5th October 2007, Budapest
  – EGEE'08, 22nd-26th September 2008, Istanbul
  – Security training at Laboratory APC, France, 2nd-3rd April 2009
  – Security training at ISGC 2009, Taipei, 19th April 2009
Upcoming training events
  – Security workshop at RAL, UK, 1st July 2009
  – GridKa School at Karlsruhe, Germany, 31st Aug.-4th Sep. 2009
  – EGEE'09, 21-25 September 2009, Barcelona
Some ROCs are planning trainings in their regions as well


20 Security Page
Still at a very early stage, will be hosted at the OSCT website
Topics cover
  – Security policies, procedures
  – Security monitoring
  – Middleware security
  – OS security
  – Network security
  – Trust (CA, PKI and IGTF)
  – Forensics
  – …
TERENA training material

21 Questions?

