HEPiX Security Workshop - PowerPoint PPT Presentation

Slides: 13
Provided by: DeniseH157

Transcript and Presenter's Notes


1
HEPiX Security Workshop
  • Overview of talks
  • Some extracts of general interest
  • LCG Security Group
  • FNAL, KEK, CERN, SLAC
  • Worrying trends
  • Summary

2
HEPiX Security Workshop - Overview
  • Security Updates
      • LCG (Dave Kelsey)
      • KEK (Fukuko Yuasa)
      • CERN (Denise Heagerty)
  • Recent security events
      • Recent security holes and their impact (Bob Cowles, SLAC)
      • Response to Blaster and Sobig worms at CERN (Alberto Pace, CERN)
  • System security
      • Farm nodes (Vlado Bahyl, CERN, presented by Thorsten Kleinwort)
      • Cluster security (Alf Wachsmann, SLAC)
  • Introduction to deploying PKI
      • Alberto Pace, CERN
  • Incident Response
      • Sharing opportunities (Matt Crawford, FNAL)
      • Experience with a Grid incident (Dane Skow, FNAL)
  • Open discussion session
      • Sharing opportunities follow up
      • LCG security risk analysis

3
LCG Security Group - Mandate
  • To advise and make recommendations to the Grid Deployment Manager and
    the GDB on all matters related to LCG-1 Security
      • GDB makes the decisions
  • To continue work on the mandate of GDB WG3
      • Policies and procedures on Registration, Authentication,
        Authorization and Security
  • To produce and maintain
      • Implementation Plan (first 3 months, then for 12 months)
      • Acceptable Use Policy/Usage Guidelines
      • LCG-1 Security Policy
  • Where necessary recommend the creation of focussed task-forces made up
    of appropriate experts
      • E.g. the Security Contacts group
  • (n.b. GDB = Grid Deployment Board)

4
LCG Security Group - Membership
  • Experiment representatives/VO managers
      • Alberto Masoni, ALICE
      • Rich Baker, Anders Waananen, ATLAS
      • David Stickland, Greg Graham, CMS
      • Joel Closier, LHCb
  • Site Security Officers
      • Denise Heagerty (CERN), Dane Skow (FNAL)
  • Site/Resource Managers
      • Dave Kelsey (RAL) - Chair
  • Security middleware experts/developers
      • Roberto Cecchini (INFN), Akos Frohner (CERN)
  • LCG management and the CERN LCG team
      • Ian Bird, Ian Neilson
  • Non-LHC experiments/Grids
      • Many sites also involved in other projects
      • Bob Cowles (SLAC)

5
LCG Security Group Documents (http://cern.ch/proj-lcg-security)
  • 6 documents approved to date
      • Security and Availability Policy for LCG
          • Prepared jointly with GOC task force
      • Approval of LCG-1 Certificate Authorities
      • Audit Requirements for LCG-1
      • Rules for Use of the LCG-1 Computing Resources
      • Agreement on Incident Response for LCG-1
      • User Registration and VO Management
  • 4 more still to be written (by GOC task force)
      • LCG Procedures for Resource Administrators
      • LCG Guide for Network Administrators
      • LCG Procedure for Site Self-Audit
      • LCG Service Level Agreement Guide

6
FNAL: The threat model has changed
  • Matt Crawford, FNAL
  • The common internet threat model is trusted
    endpoints on an insecure network.
  • SSL, SSH, IPsec, and a myriad of host
    vulnerabilities have turned this backwards.
    We've got more communication security than host
    security.
  • ... and it's natural to believe that a message
    received on a secure channel can be trusted.
  • See also "The Internet is Too Secure Already",
    by Eric Rescorla.
  • Note: Matt detected passwords on the HEPiX
    wireless network! Network encryption technology
    is available, but we're not all using it

7
KEK: MAC address registration
  • Since Aug. 2003, MAC address registration is
    required to use the KEK network
  • Without registration, packets are not
    transferred
  • 4642 MAC addresses registered
  • The switch port is configured dynamically
  • One MAC address belongs to one VLAN
  • MAC address registration has also been required
    on the wireless LAN since Apr. 2002.
  • KEK staff: 150, collaborators: 728
  • 68 Cisco Aironet stations
  • WEP
  • Annual registration renewal
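
The admission decision described on this slide, as an added sketch that is not KEK's implementation: the `MacRegistry` class, the VLAN numbers, the sample addresses and the reading of "annual" as 365 days are all assumptions made for illustration.

```python
import re
from datetime import date, timedelta

RENEWAL_PERIOD = timedelta(days=365)  # assumption: "annual" renewal = 365 days

def normalize_mac(raw: str) -> str:
    """Accept 00:11:22:aa:bb:cc, 00-11-22-AA-BB-CC or 0011.22aa.bbcc forms."""
    digits = re.sub(r"[.:\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

class MacRegistry:
    def __init__(self):
        self._entries = {}  # normalized MAC -> (vlan, registered_on)

    @staticmethod
    def _expired(registered_on, today):
        return today - registered_on > RENEWAL_PERIOD

    def register(self, raw_mac, vlan, on):
        mac = normalize_mac(raw_mac)
        current = self._entries.get(mac)
        # One MAC address belongs to one VLAN: refuse a second, different mapping
        if current and current[0] != vlan and not self._expired(current[1], on):
            raise ValueError(f"{mac} is already registered in VLAN {current[0]}")
        self._entries[mac] = (vlan, on)

    def port_decision(self, raw_mac, today):
        """Return the VLAN to place the switch port in, or None to drop traffic."""
        try:
            mac = normalize_mac(raw_mac)
        except ValueError:
            return None  # malformed address: treat as unregistered
        entry = self._entries.get(mac)
        if entry is None or self._expired(entry[1], today):
            return None  # unregistered or not renewed: packets are not transferred
        return entry[0]

# Constructed sample data (not KEK's addresses or VLAN numbers)
registry = MacRegistry()
registry.register("00:11:22:AA:BB:CC", vlan=110, on=date(2003, 8, 1))
registry.register("0011.22aa.bbdd", vlan=120, on=date(2002, 4, 1))
```

A MAC address is asserted by the client, so a registry like this identifies registered hardware but does not authenticate it.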

8
Security incidents at KEK, Oct 2002 - Oct 2003
Worm: 64, Unix root exploit: 28

9
CERN Incident Summary, 1 Jan 2001 - 30 Sep 2003

2001  2002  2003 (to Sep)  Incident Type
  59    31     26          System compromised (intruder has control): security holes in software (e.g. ssh, kernel, ICQ, IE)
  42    25     27          Compromised CERN accounts: sniffed or guessed passwords
  11    21    305          Serious viruses and worms: Blaster/Welchia (290), Sobig (12), Slammer (3)
  13    21    119          Unauthorised use of file servers: insufficient access controls, P2P file-sharing
  15    16      1          Serious SPAM incidents: CERN email addresses are regularly forged
  11     9      6          Miscellaneous security alerts
 151   123    484          Total Incidents

10
Blaster/Welchia Infection Sources at SLAC
  • 32 VPN
  • 22 DHCP (reg, internal network)
  • 20 Fixed IP
  • On vacation, laptop infected outside, etc.
  • 14 Infected during build / patch
  • 12 Dialup

11
Worrying Trends
  • Break-ins are devious and difficult to detect
      • E.g. SucKIT rootkit
  • Worms are spreading within seconds
      • Welchia infected new PCs during installation sequence
  • Poorly secured systems are being targeted
      • Home and privately managed computers are a huge risk
  • Break-ins occur before the fix is out
      • SPAM relays used a new hole before a patch and anti-virus
        were available
  • People are often the weakest link
      • Infected laptops are physically carried on site
      • Users continue to download malware and open tricked attachments
  • Intruders and worms can do more damage
      • When?

12
HEPiX Security Workshop - Summary
  • Blaster worm and its variants impacted all sites
  • Hardware address registration is becoming normal
  • Required for access to wireless at TRIUMF meeting
    site
  • KEK (done), CERN (in progress), FNAL (soon), SLAC
    (planned),
  • VPN portable systems pose a serious security
    risk
  • security check prior to DHCP network access
    planned by some sites (FNAL, SLAC, )
  • Requires client to install software to be
    effective
  • Security patches need to be timely and enforced
  • e.g. SLAC gives deadlines and then forces patches,
    including reboots
  • Visitors cannot rely on home site for patch and
    anti-virus updates
  • HEPiX Security Workshop provided a useful
    exchange
  • high quality and a diverse range of talks
  • a security discussion list has been created to
    continue the good collaboration