HEPiX Security Workshop - Denise Heagerty, CERN, HEPiX Meeting Oct 2003

Post on 15-Jan-2016


Page 1:

Denise Heagerty, CERN, HEPiX Meeting Oct 2003

HEPiX Security Workshop

Overview of talks
Some extracts of general interest
LCG Security Group: FNAL, KEK, CERN, SLAC
Worrying trends
Summary

Page 2:

HEPiX Security Workshop - Overview

Security updates:
  LCG (Dave Kelsey)
  KEK (Fukuko Yuasa)
  CERN (Denise Heagerty)

Recent security events:
  Recent security holes and their impact (Bob Cowles, SLAC)
  Response to Blaster and Sobig worms at CERN (Alberto Pace, CERN)

System security:
  Farm nodes (Vlado Bahyl, CERN, presented by Thorsten Kleinwort)
  Cluster security (Alf Wachsmann, SLAC)

Introduction to deploying PKI (Alberto Pace, CERN)

Incident response:
  Sharing opportunities (Matt Crawford, FNAL)
  Experience with a Grid incident (Dane Skow, FNAL)

Open discussion session:
  Sharing opportunities follow-up
  LCG security risk analysis

Page 3:

LCG Security Group - Mandate

To advise and make recommendations to the Grid Deployment Manager and the GDB on all matters related to LCG-1 security
  GDB makes the decisions

To continue work on the mandate of GDB WG3
  Policies and procedures on registration, authentication, authorization and security

To produce and maintain:
  Implementation plan (first 3 months, then for 12 months)
  Acceptable Use Policy / Usage Guidelines
  LCG-1 Security Policy

Where necessary, recommend the creation of focussed task forces made up of appropriate experts
  E.g. the "Security Contacts" group

(n.b. GDB = Grid Deployment Board)

Page 4:

LCG Security Group - Membership

Experiment representatives / VO managers
  Alberto Masoni (ALICE)
  Rich Baker, Anders Waananen (ATLAS)
  David Stickland, Greg Graham (CMS)
  Joel Closier (LHCb)

Site security officers
  Denise Heagerty (CERN), Dane Skow (FNAL)

Site/resource managers
  Dave Kelsey (RAL) - Chair

Security middleware experts/developers
  Roberto Cecchini (INFN), Akos Frohner (CERN)

LCG management and the CERN LCG team
  Ian Bird, Ian Neilson

Non-LHC experiments/Grids (many sites are also involved in other projects)
  Bob Cowles (SLAC)

Page 5:

LCG Security Group - Documents (http://cern.ch/proj-lcg-security)

6 documents approved to date:
  Security and Availability Policy for LCG (prepared jointly with the GOC task force)
  Approval of LCG-1 Certificate Authorities
  Audit Requirements for LCG-1
  Rules for Use of the LCG-1 Computing Resources
  Agreement on Incident Response for LCG-1
  User Registration and VO Management

4 more still to be written (by the GOC task force):
  LCG Procedures for Resource Administrators
  LCG Guide for Network Administrators
  LCG Procedure for Site Self-Audit
  LCG Service Level Agreement Guide

Page 6:

FNAL: The threat model has changed

Matt Crawford, FNAL: "The common internet threat model is trusted endpoints on an insecure network. SSL, SSH, IPsec, and a myriad of host vulnerabilities have turned this backwards. We've got more communication security than host security... and it's natural to believe that a message received on a secure channel can be trusted."

See also: "The Internet is Too Secure Already," by Eric Rescorla.

Note: Matt detected passwords on the HEPiX wireless network! Network encryption technology is available, but we're not all using it...
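What "passwords on the wireless network" looks like in practice, as an added example that is not part of the workshop material or FNAL's tooling: a small detector that reassembles the USER/PASS exchange of FTP and POP3 per flow and decodes HTTP Basic credentials from captured payloads. The packet tuples are constructed sample traffic and the port-to-protocol mapping is an assumption; on a real network the payloads would come from a capture tool, and a TLS session (last packet) yields nothing, which is the point of the slide.

```python
import base64
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    protocol: str
    username: str
    password: str


# Constructed sample traffic (not a real capture): (src, dst, dst_port, payload).
SAMPLE_PACKETS = [
    ("10.0.0.5", "192.0.2.10", 110, b"USER alice\r\n"),
    ("10.0.0.5", "192.0.2.10", 110, b"PASS s3cret\r\n"),
    ("10.0.0.7", "192.0.2.20", 21, b"USER bob\r\n"),
    ("10.0.0.7", "192.0.2.20", 21, b"PASS hunter2\r\n"),
    ("10.0.0.9", "192.0.2.30", 80,
     b"GET /private HTTP/1.0\r\nAuthorization: Basic "
     + base64.b64encode(b"carol:letmein") + b"\r\n\r\n"),
    # A TLS ClientHello fragment: opaque to the sniffer, so nothing is found.
    ("10.0.0.9", "192.0.2.30", 443, b"\x16\x03\x01\x00\x10\x01\x00\x00\x0c"),
]

# Assumption: which cleartext protocols live on which ports.
PROTO_BY_PORT = {21: "ftp", 110: "pop3"}

_USER_RE = re.compile(rb"^USER[ \t]+(\S+)[ \t]*\r?$", re.I | re.M)
_PASS_RE = re.compile(rb"^PASS[ \t]+(\S+)[ \t]*\r?$", re.I | re.M)
_BASIC_RE = re.compile(rb"^Authorization:[ \t]*Basic[ \t]+([A-Za-z0-9+/=]+)", re.I | re.M)


def find_cleartext_credentials(packets):
    """Return a Finding for every credential recoverable from the payloads.

    FTP and POP3 send USER and PASS as separate commands, so the username is
    held per (src, dst, port) flow until the matching PASS arrives.
    HTTP Basic carries both in a single base64 header.
    """
    pending_user = {}
    findings = []
    for src, dst, port, payload in packets:
        flow = (src, dst, port)
        proto = PROTO_BY_PORT.get(port)
        if proto is not None:
            m = _USER_RE.search(payload)
            if m:
                pending_user[flow] = m.group(1).decode("ascii", "replace")
            m = _PASS_RE.search(payload)
            if m and flow in pending_user:
                findings.append(Finding(src, dst, proto, pending_user.pop(flow),
                                        m.group(1).decode("ascii", "replace")))
        m = _BASIC_RE.search(payload)
        if m:
            try:
                decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace")
            except ValueError:
                continue  # malformed base64: not a usable credential
            user, _, password = decoded.partition(":")
            findings.append(Finding(src, dst, "http-basic", user, password))
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_PACKETS):
        print(f"{f.src} -> {f.dst} [{f.protocol}] {f.username}:{f.password}")
```

A PASS with no preceding USER on the same flow is ignored rather than reported, so mid-stream captures do not produce half-credentials.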

Page 7:

KEK: MAC address registration

Since Aug. 2003, MAC address registration is required to use the KEK network
  Without registration, packets are not forwarded
  4642 MAC addresses registered
  The switch port is configured dynamically: one MAC address belongs to one VLAN

MAC address registration has also been required on the wireless LAN since Apr. 2002
  KEK staff: 150, collaborators: 728
  68 Cisco Aironet stations
  WEP
  Annual registration renewal
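The registration logic described on this slide, as an added example that is not KEK's code: a registry of one MAC per VLAN with an annual expiry, a normaliser so the same address cannot be registered twice under different spellings, and the per-port decision (forward into the VLAN, or drop) for a MAC the switch has just learned. The CSV format, the sample addresses, the owners and the evaluation date are assumptions. Note what this does and does not give you: a MAC address is trivially spoofable, so registration ties traffic to a claimed piece of hardware and a person to contact, not to an authenticated device.

```python
import csv
import io
import re
from datetime import date

TODAY = date(2003, 10, 20)  # assumption: date of the evaluation

# Constructed registry (not KEK data): MAC as the user typed it, owner,
# VLAN, and the expiry date set by the annual renewal.
REGISTRY_CSV = """mac,owner,vlan,expires
00:11:22:33:44:55,alice,100,2004-08-01
00-11-22-33-44-66,bob,200,2003-09-30
0011.2233.4477,carol,100,2004-01-15
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonical lowercase colon-separated form.

    Accepts 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 and bare hex,
    so one piece of hardware has exactly one registry key.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def load_registry(text):
    """Parse the CSV registry into {mac: {owner, vlan, expires}}; one MAC, one VLAN."""
    registry = {}
    for row in csv.DictReader(io.StringIO(text)):
        mac = normalize_mac(row["mac"])
        if mac in registry:
            raise ValueError(f"{mac} registered twice (already in VLAN {registry[mac]['vlan']})")
        registry[mac] = {
            "owner": row["owner"],
            "vlan": int(row["vlan"]),
            "expires": date.fromisoformat(row["expires"]),
        }
    return registry


def port_decision(registry, seen_mac, today):
    """Decide what the switch port does for a MAC it has just learned.

    Returns (vlan, reason). vlan is None when packets are not to be forwarded
    (unregistered, expired, or malformed address).
    """
    try:
        mac = normalize_mac(seen_mac)
    except ValueError:
        return None, "malformed address"
    entry = registry.get(mac)
    if entry is None:
        return None, "not registered"
    if today > entry["expires"]:
        return None, f"registration of {entry['owner']} expired {entry['expires'].isoformat()}"
    return entry["vlan"], f"registered to {entry['owner']}"


if __name__ == "__main__":
    reg = load_registry(REGISTRY_CSV)
    for seen in ["00:11:22:33:44:55", "00-11-22-33-44-66", "0011.2233.4477", "de:ad:be:ef:00:01"]:
        print(seen, port_decision(reg, seen, TODAY))
```

Because the registry rejects a second row for an already-registered address, "one MAC address belongs to one VLAN" is enforced at load time rather than silently resolved by whichever row comes last.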

Page 8:

Security incidents at KEK, Oct 2002 - Oct 2003

(Chart: monthly incident counts from Oct 2002 to Oct 2003, 0 to 34 per month, by category: Others, SPAM, Exploit, Worm)

Worm: 64%, Unix root exploit: 28%

Page 9:

CERN Incident Summary, 1 Jan 2001 - 30 Sep 2003

Incident type                                               2001   2002   2003-Sep
System compromised (intruder has control)                     59     31     26
  security holes in software (e.g. ssh, kernel, ICQ, IE)
Compromised CERN accounts                                     42     25     27
  sniffed or guessed passwords
Serious viruses and worms                                     11     21    305
  Blaster/Welchia (290), Sobig (12), Slammer (3)
Unauthorised use of file servers                              13     21    119
  insufficient access controls, P2P file-sharing
Serious SPAM incidents                                        15     16      1
  CERN email addresses are regularly forged
Miscellaneous security alerts                                 11      9      6
Total incidents                                              151    123    484

Page 10:

Blaster/Welchia infection sources @ SLAC

32% VPN
22% DHCP (reg, internal network)
20% Fixed IP
On vacation, laptop infected outside, etc.
14% Infected during build / patch
12% Dialup

Page 11:

Worrying Trends

Break-ins are devious and difficult to detect
  E.g. the SucKIT rootkit
Worms are spreading within seconds
  Welchia infected new PCs during the installation sequence
Poorly secured systems are being targeted
  Home and privately managed computers are a huge risk
Break-ins occur before the fix is out
  SPAM relays used a new hole before a patch and anti-virus were available
People are often the weakest link
  Infected laptops are physically carried on site
  Users continue to download malware and open tricked attachments
Intruders and worms can do more damage
When?

Page 12:

HEPiX Security Workshop - Summary

Blaster worm and its variants impacted all sites

Hardware address registration is becoming normal
  Required for access to wireless at the TRIUMF meeting site
  KEK (done), CERN (in progress), FNAL (soon), SLAC (planned), ...

VPN & portable systems pose a serious security risk
  A security check prior to DHCP network access is planned by some sites (FNAL, SLAC, ...)
  Requires the client to install software to be effective

Security patches need to be timely and enforced
  E.g. SLAC gives deadlines and then forces patches, including reboots
  Visitors cannot rely on their home site for patch and anti-virus updates

The HEPiX Security Workshop provided a useful exchange
  High quality and a diverse range of talks
  A security discussion list has been created to continue the good collaboration
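Two of the summary points, the security check prior to DHCP network access and patch deadlines followed by forced patching and reboots, fit naturally in one admission policy, shown here as an added example that is not FNAL's or SLAC's tooling. The patch ids are placeholders (not real bulletins), the posture reports stand in for what the client-side agent the slide mentions would submit when the host asks for a lease, and the grace periods, evaluation date and decision names are assumptions. A host that has passed a deadline is quarantined with the forced actions listed; a host that is merely missing patches still within grace is admitted with a notice carrying its deadline.

```python
from datetime import date, timedelta

TODAY = date(2003, 10, 20)   # assumption: evaluation date
PATCH_GRACE_DAYS = 7         # assumption: days after release before a missing patch blocks access
REBOOT_GRACE_DAYS = 2        # assumption: days a post-patch reboot may be deferred
AV_MAX_AGE_DAYS = 7          # assumption: oldest acceptable anti-virus signature date

# Constructed data: placeholder patch ids (not real bulletins) -> release date.
PATCHES = {
    "patch-A": date(2003, 7, 16),
    "patch-B": date(2003, 9, 10),
    "patch-C": date(2003, 10, 16),
}

# Constructed posture reports, as a client agent would submit them at DHCP time.
HOST_REPORTS = {
    "pc-a": {"installed": {"patch-A", "patch-B", "patch-C"},
             "reboot_pending_since": None, "av_signatures": date(2003, 10, 18)},
    "pc-b": {"installed": {"patch-A", "patch-B"},             # patch-C still within grace
             "reboot_pending_since": None, "av_signatures": date(2003, 10, 18)},
    "pc-c": {"installed": {"patch-A"},                        # patch-B past its deadline
             "reboot_pending_since": None, "av_signatures": date(2003, 10, 18)},
    "pc-d": {"installed": {"patch-A", "patch-B", "patch-C"},  # patched but never rebooted, stale AV
             "reboot_pending_since": date(2003, 10, 10), "av_signatures": date(2003, 8, 1)},
}


def evaluate_host(report, patches, today):
    """Return (decision, details).

    'quarantine'   : a deadline has passed; no production lease until the
                     listed forced actions have been carried out.
    'allow-notify' : compliant today, but patches are missing and have deadlines.
    'allow'        : fully compliant.
    """
    forced = []
    notices = []
    for pid, released in sorted(patches.items()):
        if pid in report["installed"]:
            continue
        deadline = released + timedelta(days=PATCH_GRACE_DAYS)
        if today > deadline:
            forced.append(f"force install {pid} (deadline was {deadline.isoformat()})")
        else:
            notices.append(f"{pid} missing, deadline {deadline.isoformat()}")
    pending = report["reboot_pending_since"]
    if pending is not None and today > pending + timedelta(days=REBOOT_GRACE_DAYS):
        forced.append(f"force reboot (pending since {pending.isoformat()})")
    if today - report["av_signatures"] > timedelta(days=AV_MAX_AGE_DAYS):
        forced.append(f"update anti-virus signatures (dated {report['av_signatures'].isoformat()})")
    if forced:
        return "quarantine", forced
    if notices:
        return "allow-notify", notices
    return "allow", []


def admission_decisions(reports, patches, today):
    """Evaluate every host that is asking for a lease."""
    return {host: evaluate_host(r, patches, today) for host, r in reports.items()}


if __name__ == "__main__":
    for host, (decision, details) in admission_decisions(HOST_REPORTS, PATCHES, TODAY).items():
        print(host, decision, *details, sep="\n  ")
```

The reboot check is separate from the patch check on purpose: a host reporting a patch as installed but not yet rebooted is still running the old code, which is why the slide lists reboots among the things that get forced.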