Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security components of the CERN farm nodes Vladimír Bahyl CERN - IT/FIO Presented by Thorsten Kleinwort.

Published byMolly Gregory Modified over 8 years ago

Similar presentations

Presentation on theme: "Security components of the CERN farm nodes Vladimír Bahyl CERN - IT/FIO Presented by Thorsten Kleinwort."— Presentation transcript:

1 Security components of the CERN farm nodes Vladimír Bahyl CERN - IT/FIO Vladimir.Bahyl@cern.ch Presented by Thorsten Kleinwort

2 Vladimir.Bahyl@cern.ch, Autumn HEPiX 2003, Triumf, Vancouver, Canada 2 Outline Current state – Our typical system – Possible risks Protection methods – Security related – Against denial of service Conclusion

3 Vladimir.Bahyl@cern.ch, Autumn HEPiX 2003, Triumf, Vancouver, Canada 3 A typical farm node 2 CPUs / 1 GB RAM / 20 GB disk 100 Mbit network CERN RedHat Linux 7.3.3 50-70 users 70 primary interactive nodes

4 Vladimir.Bahyl@cern.ch, Autumn HEPiX 2003, Triumf, Vancouver, Canada 4 Risks Security related: – Exploits to the system to get root – Services started on unprivileged ports – System can be used to scan other nodes originate spam Denial of service: – “Heavy” processes started – Disk filled by “runaway” jobs

5 Vladimir.Bahyl@cern.ch, Autumn HEPiX 2003, Triumf, Vancouver, Canada 5 Our protection methods Keep the system secure and up-to-date (with CDB & SPMA) Log more verbosely than default Collect the logs centrally Scan for certain patterns in the logs Keep the system accounting Provide secure access methods only Transfer sensitive information securely – E.g. password files – but in general anything; use GPG for encryption Monitor the current state – Disk – quota is enabled – CPU usage – beniced daemon Incident reaction – as quick as possible – No later than the next working day – compromised account is blocked

6 Vladimir.Bahyl@cern.ch, Autumn HEPiX 2003, Triumf, Vancouver, Canada 6 Log more It is always good to have more information to go back to in case of a need Daemons are configured to log as much data as is convenient – portmap -v netlog – the ultimate kernel module – logs TCP activity – outputs a line whenever a listening socket or an incoming or outgoing connection is established – it logs the program concerned, the session id, process id and user id – it also logs connection details (protocol, local/remote addresses and ports – provides extremely useful data in forensic investigation

7 Vladimir.Bahyl@cern.ch, Autumn HEPiX 2003, Triumf, Vancouver, Canada 7 Netlog example Incoming connections: Oct 14 21:49:43 node kernel: netlog: info: connect start TCP 172.17.35.98:44073 <- 192.168.161.90:52453 31440 31476 240 pmg_agent Oct 14 21:49:43 node kernel: netlog: info: connect stop TCP 172.17.35.98:44073 <- 192.168.161.90:52453 31440 31476 240 pmg_agent Outgoing connections: Oct 14 18:18:49 node kernel: netlog: info: connect start TCP 172.17.35.98:34434 -> 192.168.11.10:80 22163 23183 1648 wget Oct 14 18:18:52 node kernel: netlog: info: connect stop TCP 172.17.35.98:34434 -> 192.168.11.10:80 22163 23183 1648 wget

8 Vladimir.Bahyl@cern.ch, Autumn HEPiX 2003, Triumf, Vancouver, Canada 8 Collect the logs Make sure that all daemons log via the syslog facility Combine the logs in a single file – Option in /etc/syslog.conf Process log files locally on each node – Combine the connection data – Remove uninteresting information E.g. node boot messages – Compress Forward to a central place = Oracle database – Do it in regular intervals to prevent loss of data (~ every hour)

9 Vladimir.Bahyl@cern.ch, Autumn HEPiX 2003, Triumf, Vancouver, Canada 9 Scan for certain patterns For example: – IRC activity IRC servers violate CERN’s computing rules – SUID ptrace exploit attempts 2003/07/23-13:10:38 Uu ? node.cern.ch[172.17.35.98] kernel request_module[net-pf-14]: waitpid(28284,...) failed, errno 512 2002/01/31-01:46:23 Uu ? node.cern.ch[172.17.35.98] kernel ptrcchk: uid=19201 tried ptrace on suid/sgid file /usr/bin/passwd – Generated by a proprietary kernel module – network sniffer 2003/10/03-17:44:54 Uu ? node.cern.ch[172.17.35.98] kernel device eth0 entered promiscuous mode – repeated login failures – etc. This data can use used together with network IDS results

10 Vladimir.Bahyl@cern.ch, Autumn HEPiX 2003, Triumf, Vancouver, Canada 10 Keep system accounting Also very important element in forensics analysis 3 months of raw data on each node – Will soon be centralized Compressed with bzip2 -9 Parsed, summarized and stored centrally for statistical purposes

11 Vladimir.Bahyl@cern.ch, Autumn HEPiX 2003, Triumf, Vancouver, Canada 11 Conclusion When does it work well ? – Repeated intruder activity When there is a new intrusion pattern we quickly add a new scan pattern – Intruder doesn’t know our infrastructure What are the limits ? – First time when there is a new way to break in we do not know about – Intruder discovers our infrastructure (clusters)

12 12 Questions ? Contact: Vladimir.Bahyl@cern.ch Thank you !

Download ppt "Security components of the CERN farm nodes Vladimír Bahyl CERN - IT/FIO Presented by Thorsten Kleinwort."

Similar presentations

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.

Snort: A Network Intrusion Detection Software Matt Gustafson Becky Smith CS691 Semester Project Spring 2003.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Intrusion Detection Systems and Practices

Intrusion Detection Systems and Practices
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Information.
Linux+ Guide to Linux Certification, Second Edition

Linux+ Guide to Linux Certification, Second Edition
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
Windows Server 2008 Chapter 11 Last Update 2012.06.07 1.0.0.

Windows Server 2008 Chapter 11 Last Update
Security Guidelines and Management

Security Guidelines and Management
Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.

Presented by Manager, MIS.  GRIDCo’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to GRIDCo’s.
Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?
4-1 PSe_4Konf.503 EAGLE Getting Started and Configuration.

4-1 PSe_4Konf.503 EAGLE Getting Started and Configuration.
Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.

Information Systems CS-507 Lecture 40. Availability of tools and techniques on the Internet or as commercially available software that an intruder can.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.1 ISP Responsibility Working at a Small-to-Medium Business or ISP – Chapter 8.
Chapter 7: Using Windows Servers to Share Information.

Chapter 7: Using Windows Servers to Share Information.
COEN 252 Computer Forensics

COEN 252 Computer Forensics
Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.

Distributed IDS The implementation of a Distributed Intrusion Detection System over a medium scale open network where the focus is availability of services.
1 Network File Sharing. 2 Module - Network File Sharing ♦ Overview This module focuses on configuring Network File System (NFS) for servers and clients.

1 Network File Sharing. 2 Module - Network File Sharing ♦ Overview This module focuses on configuring Network File System (NFS) for servers and clients.
CIS 218 Advanced UNIX 1 User and System Information CIS 218.

CIS 218 Advanced UNIX 1 User and System Information CIS 218.
BUSINESS B1 Information Security.

BUSINESS B1 Information Security.

Similar presentations

Ads by Google