Denise Heagerty, CERN, HEPiX Meeting Oct 2003
HEPiX Security Workshop

Presentation transcript:

HEPiX Security Workshop
- Overview of talks
- Some extracts of general interest
  - LCG Security Group
  - FNAL, KEK, CERN, SLAC
- Worrying trends
- Summary

HEPiX Security Workshop - Overview
- Security Updates:
  - LCG (Dave Kelsey)
  - KEK (Fukuko Yuasa)
  - CERN (Denise Heagerty)
- Recent security events:
  - Recent security holes and their impact (Bob Cowles, SLAC)
  - Response to Blaster and Sobig worms at CERN (Alberto Pace, CERN)
- System security:
  - Farm nodes (Vlado Bahyl, CERN – presented by Thorsten Kleinwort)
  - Cluster security (Alf Wachsmann, SLAC)
- Introduction to deploying PKI
  - Alberto Pace, CERN
- Incident Response
  - Sharing opportunities (Matt Crawford, FNAL)
  - Experience with a Grid incident (Dane Skow, FNAL)
- Open discussion session
  - Sharing opportunities follow up
  - LCG security risk analysis

LCG Security Group - Mandate
- To advise and make recommendations to the Grid Deployment Manager and the GDB on all matters related to LCG-1 Security
  - GDB makes the decisions
- To continue work on the mandate of GDB WG3
  - Policies and procedures on Registration, Authentication, Authorization and Security
- To produce and maintain
  - Implementation Plan (first 3 months, then for 12 months)
  - Acceptable Use Policy/Usage Guidelines
  - LCG-1 Security Policy
- Where necessary recommend the creation of focussed task-forces made up of appropriate experts
  - E.g. the “Security Contacts” group
(n.b. GDB = Grid Deployment Board)

LCG Security Group - Membership
- Experiment representatives/VO managers
  - Alberto Masoni, ALICE
  - Rich Baker, Anders Waananen, ATLAS
  - David Stickland, Greg Graham, CMS
  - Joel Closier, LHCb
- Site Security Officers
  - Denise Heagerty (CERN), Dane Skow (FNAL)
- Site/Resource Managers
  - Dave Kelsey (RAL) - Chair
- Security middleware experts/developers
  - Roberto Cecchini (INFN), Akos Frohner (CERN)
- LCG management and the CERN LCG team
  - Ian Bird, Ian Neilson
- Non-LHC experiments/Grids
  - Many sites also involved in other projects
  - Bob Cowles (SLAC)

LCG Security Group – Documents
- 6 documents approved to date
  - Security and Availability Policy for LCG
    - Prepared jointly with GOC task force
  - Approval of LCG-1 Certificate Authorities
  - Audit Requirements for LCG-1
  - Rules for Use of the LCG-1 Computing Resources
  - Agreement on Incident Response for LCG-1
  - User Registration and VO Management
- 4 more still to be written (by GOC task force)
  - LCG Procedures for Resource Administrators
  - LCG Guide for Network Administrators
  - LCG Procedure for Site Self-Audit
  - LCG Service Level Agreement Guide

FNAL: The threat model has changed
Matt Crawford, FNAL:
- The common internet threat model is trusted endpoints on an insecure network.
- SSL, SSH, ipsec, and a myriad of host vulnerabilities have turned this backwards.
- We’ve got more communication security than host security.... and it’s natural to believe that a message received on a secure channel can be trusted.
- See also: “The Internet is Too Secure Already,” by Eric Rescorla.
Note: Matt detected passwords on the HEPiX wireless network! Network encryption technology is available, but we’re not all using it…

KEK: MAC address registration
- Since Aug. 2003, MAC address registration is required to use KEK network
  - Without the registration, packets are not transferred
  - 4642 MAC address registered
- The port of the switch is configured dynamically
  - One MAC address belongs to one VLAN
- Also in the wireless LAN, MAC address registration is required since Apr
  - KEK staff: 150 and Collaborator:
  - Cisco Aironet stations
  - WEP
- Annual registration renewal

Security incidents at KEK, Oct ct 2003
- Worm: 64%
- unix root exploit: 28%

CERN Incident Summary, 1 Jan Sep Sep
Incident Type
- System compromised (intruder has control)
  - security holes in software (e.g. ssh, kernel, ICQ, IE)
- Compromised CERN accounts
  - sniffed or guessed passwords
- Serious Viruses and worms
  - Blaster/Welchia (290), Sobig (12), Slammer (3)
- Unauthorised use of file servers
  - insufficient access controls, P2P file-sharing
- 15161 Serious SPAM incidents
  - CERN addresses are regularly forged
- 1196 Miscellaneous security alerts
- Total Incidents

Blaster/Welchia Infection SLAC
- 32% VPN
- 22% DHCP (reg, internal network)
- 20% Fixed IP
  - On vacation, laptop infected outside, etc.
- 14% Infected during build / patch
- 12% Dialup

Worrying Trends
- Break-ins are devious and difficult to detect
  - E.g. SucKIT rootkit
- Worms are spreading within seconds
  - Welchia infected new PCs during installation sequence
- Poorly secured systems are being targeted
  - Home and privately managed computers are a huge risk
- Break-ins occur before the fix is out
  - SPAM relays used a new hole before a patch and anti-virus available
- People are often the weakest link
  - Infected laptops are physically carried on site
  - Users continue to download malware and open tricked attachments
- Intruders and worms can do more damage
  - When?

HEPiX Security Workshop - Summary
- Blaster worm and its variants impacted all sites
- Hardware address registration is becoming normal
  - Required for access to wireless at TRIUMF meeting site
  - KEK (done), CERN (in progress), FNAL (soon), SLAC (planned), …
- VPN & portable systems pose a serious security risk
  - security check prior to DHCP network access planned by some sites (FNAL, SLAC, …)
  - Requires client to install software to be effective
- Security patches need to be timely and enforced
  - e.g. SLAC give deadlines and then force patches, including reboots
  - Visitors cannot rely on home site for patch and anti-virus updates
- HEPiX Security Workshop provided a useful exchange
  - high quality and a diverse range of talks
  - a security discussion list has been created to continue the good collaboration