Experiences at a Tier 1, grid-security - GridKa School 2007 - FZK

Experiences at a Tier 1, grid-security
Sven Gabriel
GMSS GbR
gmssgbr@googlemail.com
14 Sept. 2007
- Introduction
- Site Setup: if I had to set up a new site
- No Security Framework
- Existing Security Framework
- Problems we had
- Middleware Component
- If you have a Guest
- Summary
Introduction/Problem
- Disclaimer: my views/comments/beliefs, as strange as they are, are my own.
- I am not a security expert.
- Problems:
  - Giving a presentation about site details without giving away sensitive information.
  - The same is true for documentation (for example a wiki).
  - Security needs time.
  - Starting from an already existing security framework (GridKa) vs. a new site with no security framework.
Introduction/This talk will not cover
- Linux hardening: see the ISSeG checklist.
- Security issues of special software packages
- Security issues of gLite services
- Discussion of gLite security mechanisms like authentication, certificates, GSI, glexec, LCAS, FQAN
If I had to set up a new Site
- Plan the management carefully
- Strictly separate networks for management and operations (VLANs?)
- Worker nodes in a private network
- Minimize the number of bridging devices
- Think about configuration tools (cfengine, quattor): no home-grown scripts
- Is virtualization an option?
- Set up a firewall (central and/or on each middleware server)
- How to access the management and middleware components (ssh)
- Minimize access to the servers (especially the management part)
Middleware-Part
Maintained services from Jan. 2005 until now (timeline figure): releases 2.2, 2.3, 2.4, 2.5, 2.6, (2.7) and glite-3 between Jan. 2005 and Aug. 2006; the set of services grew from CE, Mon, SE-C, WNs, then + RB, TL-BDII, then + PX, LFC, CE-2, SE-d, FTS, VO-Boxes, + default SE: d-Cache, and finally the gLite CE/RB.
Middleware-Part
- Problems, the most obvious ones:
  - OS: make sure to switch off services that are not needed (sendmail, apache, mysql, inetd are not needed on WNs)
  - If using yaim, take care that site-info.def is only readable by root
  - Be careful managing VOs/users with yaim: old users are not removed
  - Don't allow batch system job submission from the WNs
  - Don't allow user processes to continue running on the WNs after the job has finished (post-job scripts)
  - Don't allow incoming connections to the WNs (open ports) (NAT for R-GMA)
  - MDS GRISes (LDAP server on port 2135) are by default writable by anyone
Management-Part
- Routers, switches, Cacti server, firewall, DHCP, NTP, DNS... servers
- Usually have a much longer lifetime than the middleware services
- Only a very limited number of persons should have access
- Only a very limited number of services are needed
- The sshd log and the secure log should therefore be easy to control
Which House?
http://www1.umn.edu/oit/img/assets/5630/WhichHouse.pdf
- ssh
  - only ssh protocol 2
  - don't allow root login: "PermitRootLogin no"
  - ssh keys: "PasswordAuthentication no"
  - reduce the number of allowed users: "AllowUsers myuser@*.mydomain"
  - for this you need some management tool with its own security infrastructure, e.g. cfengine
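As an added example (not from the slides), a small checker that audits an sshd_config for the four settings listed above; it respects sshd's first-occurrence-wins rule for repeated keywords. The defaults, the site domain "mydomain" and both sample configs are assumptions constructed for the example.

```python
# Defaults assumed for OpenSSH of that era (assumption: check your version)
DEFAULTS = {"protocol": "2,1", "permitrootlogin": "yes",
            "passwordauthentication": "yes", "allowusers": ""}

WEAK_CONFIG = """# constructed sample: distro-default style
Protocol 2,1
#PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """# constructed sample: hardened as on the slide
Protocol 2
PermitRootLogin no
# sshd ignores this second PermitRootLogin: the first occurrence wins
PermitRootLogin yes
PasswordAuthentication no
AllowUsers myuser@*.mydomain
"""

def parse_sshd_config(text):
    """Return {keyword_lower: value}; sshd keeps the FIRST value of a keyword."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(parts[0].lower(), value)  # later duplicates ignored
    return settings

def audit_sshd_config(text, site_domain):
    """Return findings against the four slide settings; [] means all pass."""
    cfg = dict(DEFAULTS)
    cfg.update(parse_sshd_config(text))
    findings = []
    if cfg["protocol"] != "2":
        findings.append("Protocol: only protocol 2 should be enabled")
    if cfg["permitrootlogin"].lower() != "no":
        findings.append("PermitRootLogin should be 'no'")
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication should be 'no' (use ssh keys)")
    users = cfg["allowusers"].split()
    if not users:
        findings.append("AllowUsers unset: every account may log in")
    elif any(not u.endswith("." + site_domain) for u in users):
        findings.append("AllowUsers entry not restricted to " + site_domain)
    return findings
```

Run it from the configuration tool on every management host, since a hand-edited sshd_config is exactly the kind of drift cfengine is meant to catch.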
Existing Security Framework
- Problems:
  - Different levels of security awareness, many people involved
  - You might have to adapt the software to the specific site
  - Changes to the site are very difficult/slow
  - Management tools probably come without a security infrastructure
- Pro:
  - You can use existing components/infrastructure
  - Many people, specialists for firewall, network etc.
  - Help for most questions
Security problem, example: Postgres DB problem
- A middleware component requires the PostgreSQL DB
- PostgreSQL was installed from the distro-provided packages (SuSE *)
- PostgreSQL needs a "local" user; the SuSE packages create that user with a default password and with login enabled
- The result: a careless admin ends up with a local user postgres + default password which can log in via ssh
- ssh scans quickly find that user
- Once inside the site (FZK), some other passwords were found.
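The same mistake can be detected before a scanner finds it: as an added example (not from the slides), this checks constructed /etc/passwd and /etc/shadow lines for service accounts that have both a login shell and a usable password, which is the combination the postgres package produced. The UID ceiling, the nologin shell list and all sample accounts and hashes are assumptions.

```python
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
SYSTEM_UID_MAX = 1000  # assumption: UIDs below this are service accounts

# Constructed sample lines; the hashes are placeholders, not real
PASSWD = """root:x:0:0:root:/root:/bin/bash
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
mysql:x:60:60:MySQL:/var/lib/mysql:/bin/bash
ntp:x:74:74:NTP daemon:/var/lib/ntp:/bin/false
sven:x:1001:100:Sven:/home/sven:/bin/bash
"""
SHADOW = """root:$6$placeholderhash:13000:0:99999:7:::
postgres:$6$placeholderhash:13000:0:99999:7:::
mysql:*:13000:0:99999:7:::
ntp:!:13000:0:99999:7:::
sven:$6$placeholderhash:13000:0:99999:7:::
"""

def parse_colon_file(text, fields):
    """Map name -> tuple of the selected fields of passwd/shadow-style lines."""
    out = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) > max(fields):
            out[f[0]] = tuple(f[i] for i in fields)
    return out

def password_usable(h):
    """'!' or '*' lock the account; an empty field means no password at all."""
    return not h.startswith(("!", "*"))

def loginable_service_accounts(passwd_text, shadow_text):
    """Service accounts with a login shell and a usable password (the postgres case)."""
    users = parse_colon_file(passwd_text, (2, 6))  # uid, shell
    hashes = parse_colon_file(shadow_text, (1,))   # password hash
    found = []
    for name, (uid, shell) in users.items():
        if int(uid) == 0 or int(uid) >= SYSTEM_UID_MAX or shell in NOLOGIN_SHELLS:
            continue
        h = hashes.get(name, ("!",))[0]  # no shadow entry: treat as locked
        if password_usable(h):
            found.append(name)
    return sorted(found)
```

For each account reported, lock the password (usermod -L) or give it a nologin shell; the mysql and ntp lines above show what a correctly locked service account looks like.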
What to do when it burns
- Isolate the machine, disconnect it from any network
- Don't shut down the system, you might lose information
- Try to get as much information as possible, i.e.
  - How did the attacker get into the system?
  - When?
  - What has he done? Just trying to collect passwords? Installed a rootkit?
Howto exclude users
- Using LCAS
  - Add his/her certificate DN to ROOT_INSTALL/etc/lcas/ban_users.db
  - Example: to ban the user Sven Gabriel add the line "/O=GermanGrid/OU=FZK/CN=Sven Gabriel"
  - This of course has to be done on all servers with gridmapfile-based authentication (CEs, RBs, ...)
  - Again, think about cfengine
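As an added example (not from the slides or from LCAS itself), helpers that manage a ban_users.db idempotently and report which servers still lack the entry, the check behind "do it on all CEs, RBs, ...". The file format (one DN per line in double quotes, '#' comments) and all DNs are assumptions constructed for the example.

```python
# Constructed sample DNs and ban file; none of these are real identities
DN_BANNED = "/O=ExampleGrid/OU=SiteA/CN=Banned User"
DN_OTHER = "/O=ExampleGrid/OU=SiteB/CN=Another User"
BAN_DB = """# constructed ban_users.db sample
"/O=ExampleGrid/OU=SiteA/CN=Banned User"
"""

def parse_ban_file(text):
    """Return the set of banned DNs; quotes, comments and blank lines handled."""
    banned = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if len(line) >= 2 and line[0] == line[-1] == '"':
            line = line[1:-1]  # assumed format: DN in double quotes
        banned.add(line)
    return banned

def is_banned(text, dn):
    return dn in parse_ban_file(text)

def add_ban(text, dn):
    """Return the file contents with dn present exactly once (idempotent)."""
    if is_banned(text, dn):
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + '"' + dn + '"\n'

def servers_missing_ban(server_files, dn):
    """Given {server: ban file contents}, list servers where dn is not banned yet."""
    return sorted(s for s, t in server_files.items() if not is_banned(t, dn))
```

Because add_ban is idempotent it can run on every cfengine pass; servers_missing_ban gives the list to chase when one CE or RB was forgotten.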
Summary/Thanks
- Use an administration tool: cfengine, quattor, ...
- Reduce the possible ways in, control them.
- Secure/limit the access to the management part in particular.
- Keep your site updated.
- Save your time and take care of security now.
- Use the ISSeG checklists: http://isseg-training.web.cern.ch
- Thanks: Ariel, Marc, Marcus