Security at CERN
Computer Security @ CERN
Introduction
Oslo University Visit
Dr. D.R. Myers, CERN CSO
13.01.2009
Outline
Slide footer: Dr. Stefan Lüders (CERN IT/CO), [email protected] ― “Oslo University” ― DESY ― 20 February 2007
• The Internet is dangerous and users are gullible
• CERN security context and user community
• Organizational Structure and Current Status
• Controls and Network Infrastructure for Controls (CNIC)
• Central PC Management
• Integrated Site Security for Grids (ISSeG) Project
• Key Issues
• Following Talks: Technical Infrastructure & GRID
CERN Context - 1
• Very many users:
► Staff + Fellows + Students (~3000)
► Contractors (~1000)
► External visitors (~6000 over a year)
• Very diverse applications:
► Office/admin (Business)
► Design and physics analysis (Academic)
► Engineering, Data Acquisition & Control (Industrial)
• Internet access unavoidable
► Collaborating Institutes
► On-Call staff and remote maintenance
CERN Context - 2
• Threats:
► Was “script kiddies”, now criminals
► Insiders (accidental or deliberate): vulnerable web sites, world-readable passwords, …
► Increasing number of “0-day exploits”
• Risks:
► Loss of time, data and/or reputation
► Hardware damage
• Goal: Protect site but minimize restrictions
Security risks are everywhere!
Screenshot: FTP banner of a hacked oscilloscope (running Win XP SP2):
220-<<<<<<>==< Haxed by A¦0n3 >==<>>>>>>
220- ¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸
220-/
220-| Welcome to this fine str0
220-| Today is: Thursday 12 January, 2006
220-| Current througput: 0.000 Kb/sec
220-| Space For Rent: 5858.57 Mb
220-| Running: 0 days, 10 hours, 31 min. and 31 sec.
220-| Users Connected : 1 Total : 15
220 ^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^°º¤ø,¸¸,ø¤º°^
Screenshot: confidential data left unprotected
Screenshot: passwords findable on Google. What about yours?
Be Vigilant & Stay Alert !!!
Email addresses can easily be faked!
Stop “Phishing” attacks: no legitimate person will EVER ask for your credentials!
Do not trust your web browser!
http://cern.ch/security
Organizational Structure
• CERN Computer Security Officer & Deputy
• Small security section in IT
► CSO and 3 (2) staff plus Fellow and Technical Student(s)
• Security Escalation Coordination (SEC) team
► Members of CSO plus two from other groups (Grid + Linux)
• Security Rota (“Guys On Duty”)
► Four people from IT groups working 1 week in 4
► 1-2 hours/day to check logs, deal with Firewall requests, etc.
• Computing Rules: //cern.ch/ComputingRules/
► Rules (OC5) must be signed by all users
Incidents
Chart: Timeline for Security Incidents, January 2003 - January 2008 (number of incidents per month, 0 to 250; series: Total Incidents, Compromised Machines). Annotations on the chart:
► Blaster Worm variants (Windows)
► Suckit Rootkits (LINUX)
► Botnets: IRC based attackers (ALL platforms)
► Systems exposed in firewall caused change in trend
► Non-centrally managed laptops caused most compromises
► Internet usage caused most compromises
Current Status
• Compromised machines and accounts:
► Used to collect passwords (including off-site), launch attacks, …
► Mainly due to Internet use & insufficient rigour in sys admin
• Insecure Web sites
• Confidential information not stored safely
• Increase in use of unauthorised applications (e.g. P2P)
• Detection requires daily review of alerts by experts
• Incident resolution is often complex
• Threats & targets evolving
Four Security Themes
• Computer Centre: protect central services
• Controls: separation of networks, ...
• Desktops: central management
• GRID: policy & operational coordination
Security Concerns
• Users inadvertently installing Trojan code
► E.g. via private downloads or visiting infected web sites
► “Think before you click!!!”
• Attacks on vulnerable applications
► Particularly locally-developed Web applications
► Attacks can initiate from inside as well as outside the main firewall
• Security holes leading to service disruptions
► 0day exploits are difficult to prevent - no patches exist by definition
► Systems need to be hardened (minimum configurations)
► Passwords should not be stored on insecure file systems!
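The last point above (passwords kept on insecure file systems, echoed by the earlier "world-readable passwords" and "passwords findable on Google" slides) is something a system administrator can check for. The following is an added example, not CERN tooling and not part of the original slides: it walks a directory tree, keeps only regular files whose permission bits let everyone read them, and reports those whose content matches a few credential-like patterns. The patterns, file names and sample contents are constructed for the example.

```python
"""Audit a directory tree for world-readable files that look like stored credentials.

Added example (not from the CERN slides): a defender's check for the
"passwords stored on insecure file systems" concern.  Only files readable by
'other' are inspected, because those are the ones any local user or a mis-
configured web server can hand out.  Patterns and sample data are constructed.
"""
import os
import re
import shutil
import stat
import tempfile

# Constructed heuristics for lines that look like stored secrets.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)^\s*\$?(db_|ftp_|smtp_)?(password|passwd|pass|pwd)\s*[=:]\s*\S+"),
    re.compile(r"^[^:\s]+:\$[0-9a-z]+\$[^:\s]+"),   # crypt(3)-style hash, as in a copied shadow file
]


def is_world_readable(path):
    """True for a regular file whose permission bits grant 'other' read access."""
    mode = os.lstat(path).st_mode
    return stat.S_ISREG(mode) and bool(mode & stat.S_IROTH)


def looks_like_credentials(path, max_bytes=65536):
    """True if any line in the first max_bytes matches a credential pattern."""
    try:
        with open(path, "rb") as fh:
            text = fh.read(max_bytes).decode("utf-8", errors="replace")
    except OSError:
        return False
    return any(p.search(line) for line in text.splitlines() for p in CREDENTIAL_PATTERNS)


def audit_tree(root):
    """Return sorted relative paths of world-readable files with credential-like content."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_world_readable(path) and looks_like_credentials(path):
                findings.append(os.path.relpath(path, root))
    return sorted(findings)


# Constructed sample tree: (relative path -> (mode, content)).
SAMPLE_TREE = {
    "public_html/settings.ini": (0o644, "[database]\nhost = localhost\npassword = hunter2\n"),
    "public_html/index.html":   (0o644, "<html><body>Welcome</body></html>\n"),
    "private/shadow.bak":       (0o600, "alice:$6$saltsalt$abcdefghijklmnop:17000:0:99999:7:::\n"),
    "private/notes.txt":        (0o644, "Remember to rotate the dev key next week.\n"),
}


def build_sample_tree(root):
    """Write the constructed sample files with the permission bits given above."""
    for rel, (mode, content) in SAMPLE_TREE.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
        os.chmod(path, mode)


def run_demo():
    """Build the sample tree in a temporary directory, audit it, clean up."""
    root = tempfile.mkdtemp(prefix="credaudit-")
    try:
        build_sample_tree(root)
        return audit_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in run_demo():
        print("world-readable credential-like file:", finding)
```

Only `public_html/settings.ini` is reported: the copied shadow file is also credential-like but is mode 0600, so it fails the world-readable test, and the other two files match no pattern. Run `audit_tree("/var/www")` (or a users' home tree) to apply the same check to a real directory; the pattern list is deliberately short and should be extended to the formats in use on the site.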
CNIC
Computing and Network Infrastructure for Controls
• Problem: Control systems now use commercial PCs, PLCs and TCP/IP
• Consequences: Control Systems vulnerable to viruses and attacks
• Risks: Down-time or physical damage of accelerators and experiments
• Constraints:
► Off-site access to control systems by external experts is essential
► Can only patch production systems when these are not in use
• Actions Taken: Set up CNIC Working Group
► Build tools for o/s maintenance and network domain management
► Designate those responsible for all domains and equipment
► Define policies for authorization and use of controls networks
► Define rules and mechanisms for inter-domain communications.
CNIC: Separation of Networks I
• Segregate networks dedicated to sensitive data or equipment
• Restrict access to PLCs [Requires Router capability]
• Restrict Internet access to authorized connections [Requires impact analysis]
• Restrict Intranet access to authorized “trusted” devices:
► ~500 in Computer Centre
► ~100s in AB & AT
► ~100 due to lack of TN
• Can never reach zero...
Diagram: Campus network (DNS, Mail, Web, WLAN) ― Firewall / Gateway ― Admin. network ― Application Gateway ― Controls networks
CNIC: Separation of Networks II
• Use “Application Gateways” if not connected to target n/w
• Well-managed machines
• Hide what is not authorized
• Tool to maintain record of who owns what and handle authorization of connections
• Assure asset management (significant cost…)
Diagram: Campus network (DNS, Mail, Web, WLAN) ― Firewall / Gateway ― Admin. network ― Application Gateway ― Controls networks
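The two "Separation of Networks" slides describe an architecture: segregated domains, PLC access restricted to listed hosts, "trusted" device lists per network, application gateways for anything not directly connected, and a register of who owns what that drives connection authorization. The model below is an added example, not the CNIC tooling itself: the device register, the domain names (campus, admin, controls), the trust ordering and every rule and device in it are constructed to illustrate how such an authorization decision can be expressed. `authorize` answers "may this device talk to that one", and `route` shows when a connection has to be relayed through an application gateway instead.

```python
"""Model of CNIC-style inter-domain connection authorization.

Added example, not CERN's CNIC tooling.  An asset register records each device's
network domain, responsible owner and whether it is on the "trusted" list; a small
policy then decides whether a connection between two devices is authorized.  All
domain names, device records and rules below are constructed for the example.
"""
from dataclasses import dataclass

CAMPUS, ADMIN, CONTROLS = "campus", "admin", "controls"   # constructed domain names
TRUST_ORDER = {CAMPUS: 0, ADMIN: 1, CONTROLS: 2}          # higher = more sensitive


@dataclass(frozen=True)
class Device:
    name: str
    domain: str
    owner: str                 # responsible person/group: the "who owns what" record
    trusted: bool = False      # on the authorized ("trusted") device list of its domain
    is_plc: bool = False
    app_gateway: bool = False  # terminates connections arriving from a less trusted domain


# Constructed asset register.
REGISTER = {d.name: d for d in [
    Device("office-pc-17", CAMPUS, "j.doe"),
    Device("term-gw-1", ADMIN, "cnic-team", trusted=True, app_gateway=True),
    Device("dev-srv-9", ADMIN, "it-co", trusted=True),
    Device("ops-console-3", CONTROLS, "ab-controls", trusted=True),
    Device("laptop-guest", CONTROLS, "unknown"),       # plugged in, never registered as trusted
    Device("plc-cryo-42", CONTROLS, "at-cryo", trusted=True, is_plc=True),
]}

# Explicit authorizations the register tool would hold (constructed).
PLC_ACCESS = {"plc-cryo-42": {"ops-console-3"}}     # only these hosts may talk to the PLC
OUTBOUND_AUTHORIZED = {("ops-console-3", CAMPUS)}   # controls -> less trusted domain exceptions


def authorize(src_name, dst_name):
    """Decide whether a connection src -> dst is allowed.  Returns (allowed, reason)."""
    src, dst = REGISTER.get(src_name), REGISTER.get(dst_name)
    if src is None or dst is None:
        return False, "unregistered device"                  # hide what is not authorized
    if src.domain != CAMPUS and not src.trusted:
        return False, "source not on the trusted list for its domain"
    if dst.is_plc:                                           # PLC access is restricted per host
        if src.name in PLC_ACCESS.get(dst.name, set()):
            return True, "listed PLC client"
        return False, "PLC access restricted to listed hosts"
    if src.domain == dst.domain:
        return True, "same domain"
    if TRUST_ORDER[dst.domain] > TRUST_ORDER[src.domain]:    # stepping into a more sensitive domain
        if dst.app_gateway:
            return True, "via application gateway"
        if src.trusted and TRUST_ORDER[dst.domain] - TRUST_ORDER[src.domain] == 1:
            return True, "trusted device, adjacent domain"
        return False, "must go through an application gateway"
    if (src.name, dst.domain) in OUTBOUND_AUTHORIZED:        # stepping down, e.g. towards the Internet
        return True, "authorized outbound connection"
    return False, "outbound connection from sensitive domain not authorized"


def route(src_name, dst_name):
    """Return the hops a connection must use, or None if no authorized path exists."""
    if authorize(src_name, dst_name)[0]:
        return [src_name, dst_name]
    for gw in (d for d in REGISTER.values() if d.app_gateway):
        if authorize(src_name, gw.name)[0] and authorize(gw.name, dst_name)[0]:
            return [src_name, gw.name, dst_name]
    return None


def untrusted_in(domain):
    """Devices present in a domain but not on its trusted list: the number to drive down."""
    return sorted(d.name for d in REGISTER.values() if d.domain == domain and not d.trusted)


if __name__ == "__main__":
    for src, dst in [("office-pc-17", "ops-console-3"), ("office-pc-17", "plc-cryo-42"),
                     ("laptop-guest", "ops-console-3"), ("ops-console-3", "plc-cryo-42")]:
        print(f"{src} -> {dst}: {authorize(src, dst)}  path={route(src, dst)}")
    print("untrusted devices on controls network:", untrusted_in(CONTROLS))
```

The interesting cases: a campus office PC cannot open a connection straight into the controls network, but `route` finds the path through the application gateway; the PLC stays unreachable from campus even via the gateway, because the gateway is not on its client list; and the unregistered laptop on the controls network is refused everything, which is what "hide what is not authorized" amounts to in practice.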
Central PC Management (CNIC)
• Privately managed PCs more likely to cause incidents
• “One-size-fits-all” management inappropriate
• Tools for Linux and Windows to define sets of PCs linked to those responsible
• Delegation of authority to local administrator
• CMF for Windows now used for all centrally-managed PCs: better management of systems & applications
• No computer on TN compromised since January 2006
Integrated Site Security for Grids
• ISSeG EC FP6 project included CERN, FZK (D) & STFC (UK)
• Goal: Improve general site security at Grid sites
• Time Scale: February 2006 to March 2008
• Resources
► 194 person months (117 funded), Maximum EC contribution 1086 k€
• Integrated Site Security rests on three pillars: Technical, Administrative, Educational
• Project Structure:
► Develop expertise, test at CERN and FZK, document
► Compare policies and controls at CERN, FZK and STFC
► Analyze requirements and obtain feedback from EGEE sites and experts
► Develop a set of targeted practical recommendations based on experience
► Develop training material and give presentations to obtain feedback
► Develop a Web site to make all material available: WWW.ISSEG.EU
• Material handed over to EGEE-III (OSCT)
Legal Framework
Operational Circular No 5 defines the rules for the use of CERN’s computing facilities.
Personnel should read and understand OC5
Personnel are obliged to sign it electronically
Personnel are obliged to follow the rules!
http://cern.ch/ComputingRules
Responsibility
Security is a hierarchical responsibility
and that means
YOU ARE ALSO RESPONSIBLE !
User Responsibilities
• Protect against unauthorised access to systems and accounts
► passwords must not be divulged or easily guessable
► protect access to unattended equipment
• Report any unauthorised computer access
► E-Mail: [email protected]
► http://cern.ch/security
• Respect confidentiality and copyrights
► illegal or pirated data (software, music, video, etc) is not permitted
• Personal use remains within defined rules
► rules for personal use are defined in annex of OC5
Rules for Personal Use
Personal use is tolerated or allowed provided that:
► frequency and duration is limited and minimal resources used
► activity is not illegal, political, commercial, inappropriate, offensive or detrimental to official duties
Tolerated:
► personal e-mail
► personal browsing of web pages and news groups
► Skype with conditions http://cern.ch/security/skype/
NOT permitted:
► consultation of pornographic web sites
► installation and/or use of non-CERN software, such as peer-to-peer applications (e.g. KaZaA), IRC, etc. Restrictions are documented at http://cern.ch/security/software-restrictions.
Summary
• Security is a moving target and requires following
• Analysis of incidents requires highly competent experts
• Security should be designed in, not added on
• Most incidents caused by human actions
• Incident detection and resolution is highly skilled
• Need improved tools for Intrusion Detection and …
• Reduce number of “trusted” machines on TN (CNIC)
• Regularly review assets, risks and policies.
Wrap Up
More Information at
//cern.ch/security/
Questions