Lemon security - Indico

Lemon security
Previous security enhancements
User lemon:
- lemon-db-admin-OraMon will create user lemon (Miro).
- OraMon switches to user lemon in its initd script (David).
- ReadOnly and heartBeat files will be moved to /var/lib/OraMon (Miro, David).
- /etc/sysconfig/OraMon is owned by lemon, and is readable by user lemon only (David).
Samples insertion access control: control what IPs (taken from CDB) may send samples to OraMon:
- Investigate efficiency of using IPchains. Alternatives: per IP groups (preferred, if possible) or per IP list.
Sensitive data to CDB:
10) When CDB supports secure information via https, move sensitive EHD and OraMon config file information (user and password) from rpm to CDB. NCM OraMon component has to be changed accordingly (German).
20) cdb get clusters: Needs to be configured for user/password as well (German).
TBD: how to provide to cdb get clusters and active alarm nodes the user and password of the 2 sql DBs: lemon and cdb
Outline
• Miro’s suggestions for OraMon security
• David’s related thoughts
Lemon security
• Those who have access to CERN machines can openly interfere with Lemon, because it uses unsecured sockets
Miro: security of OraMon
As we have discussed before, iptables could help us to restrict the domains, but I would take that a little bit further and ask for an authentication mechanism.
• Use SSL for encryption as well as for the authentication.
• Client (MSA) on install downloads the oramon's public key, creates a challenge and sends its own public key (host's key). It receives back a reply with encoded clientID or with client's signature.
• MSA uses oramon's public key to encrypt the message plus encapsulates the clientID.
• oramon will store all of the allowed hosts' public keys inside the database.
Miro: security of OraMon. Cont.
Performance overhead: encrypting the samples + having three way authentication would create an overhead…
Currently we have about 10kB/s throughput, so having encryption on top of that should not be a problem (even if we scale to 400kB/s).
Communication of OraMon to oracle server could be over SSL – I think that in OCI oracle supports SSL.
Enhance lemon security now?
Extending OraMon security to lemon security
1. Sensor ↔ MSA
2. MSA ↔ OraMon
3. OraMon ↔ Oracle
4. Client ↔ Oracle
5. Client ↔ OraMon (SOAP)
1) Sensor ↔ MSA
• (Since it is) TCP based, ssl may be added
2) MSA ↔ OraMon
• Pertains to many machines → big vulnerability
• Requires changes at OraMon and at MSA
• Is UDP based, hence SSL can not be used
• What should be secured?
– What machines speak to OraMon (iptables)
– What users speak to OraMon
– What applications speak to OraMon (feasible?)
• Guideline: Prevent reinventing wheels
– use standards, where possible
• Candidate standard to secure UDP: IPSec
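An added sketch, not code from Lemon or from the slides, of what authenticating UDP samples on the MSA ↔ OraMon path involves at application level: a source check against IP groups, a clientID looked up in a key store, a message tag and a sequence number against replay. It swaps in a per-host shared key with HMAC-SHA256 in place of the public-key signatures of Miro's proposal, and all names, addresses and keys are hypothetical.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed sample data: in the slides' design the allowed hosts would come
# from CDB and the per-host keys from OraMon's database.
ALLOWED_GROUPS = [ipaddress.ip_network("192.0.2.0/26")]   # "per IP group" rule
HOST_KEYS = {b"node001": b"constructed-key-for-node001"}  # clientID -> key
TAG_LEN = 32                                               # HMAC-SHA256 size


def seal(client_id: bytes, seq: int, sample: bytes, key: bytes) -> bytes:
    """Sender side: clientID length, clientID, sequence number, sample, tag."""
    body = (struct.pack("!B", len(client_id)) + client_id
            + struct.pack("!Q", seq) + sample)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """Receiver side: accept a datagram only if every check passes."""

    def __init__(self):
        self.last_seq = {}  # clientID -> highest sequence number accepted

    def accept(self, src_ip: str, datagram: bytes):
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in ALLOWED_GROUPS):
            return None, "source not in an allowed IP group"
        if len(datagram) < 1 + 8 + TAG_LEN:
            return None, "truncated"
        body, tag = datagram[:-TAG_LEN], datagram[-TAG_LEN:]
        id_len = body[0]
        if len(body) < 1 + id_len + 8:
            return None, "truncated"
        client_id = body[1:1 + id_len]
        key = HOST_KEYS.get(client_id)
        if key is None:
            return None, "unknown clientID"
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time compare
            return None, "bad tag"
        (seq,) = struct.unpack("!Q", body[1 + id_len:9 + id_len])
        if seq <= self.last_seq.get(client_id, -1):
            return None, "replayed or stale sequence number"
        self.last_seq[client_id] = seq
        return body[9 + id_len:], "ok"
```

The sketch authenticates samples and rejects replays but does not encrypt them; confidentiality would still need one of the alternatives the slides list.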
TCP security alternatives
SSL is also known by a new, IETF standard name: Transport Layer Security, or TLS
UDP security alternatives
• IPsec:
+ Is standard
- Complicated. Requires operating system support
• SecureUDP: http://plg.uwaterloo.ca/~aeehassa/home/papers/crypto/secureUDP.htm
- Is not standard
IPSec
• Strong security standard
– Encryption & Encapsulation
– Authentication & Anti-Replay
– Key Management & Digital Signatures
– Support of Unique Digital Certificates
– Interoperability between the various IPSec compliant products
• Is supported by Linux – as add-on
http://www.freesoft.org/CIE/Topics/141.htm ipsec.doc
• http://www.ipsec-howto.org/x180.html: Transport mode vs. tunnel mode
• Usage of IPSec implies ‘tailoring’ of it into lemon
3) OraMon ↔ Oracle
TCP/IP with SSL Protocol
Enables an Oracle application on a client to communicate with remote Oracle databases through TCP/IP and SSL.
Oracle Advanced Security product needed in order to use TCP/IP with SSL.
SSL stores authentication data (certificates, private keys) in an Oracle Wallet.
When the client initiates a connection to the database server, SSL performs a handshake between the two using the certificate:
– The client and database server negotiate a cipher suite--a set of authentication, encryption, and data integrity types--to apply to the messages they exchange.
– Depending on its configuration, the database server sends its certificate to the client in a message encrypted with the client's public key. The client decrypts this message by using its own private key, then verifies that the database server's certificate bears the certificate authority's signature.
– If required, the client may send the user's certificate to the database server. The certificate ensures that the user's information is correct and that the public key actually belongs to that user. The database server checks the user's certificate to verify that it bears the certificate authority's signature.
From http://www.stanford.edu/dept/itss/docs/oracle/9i/network.920/a96580/architec.htm
Oracle Advanced Security
• A product that provides security features to
protect enterprise networks:
– network encryption
– authentication
– single sign-on services
– security protocols
• Does CERN have a license for it?
4) Client ↔ Oracle
• Makes sense to learn if Client-Oracle security may be enhanced.
5) Client ↔ OraMon (SOAP)
1) HTTPS/SSL: Not used by (g)SOAP by default, may be added:
– Secure SOAP Web Services with HTTPS/SSL
• When a Web Service is installed as CGI, it uses standard I/O that is encrypted/decrypted by the Web server that runs the CGI application.
• Therefore, HTTPS/SSL support must be configured for the Web server: http://www.cs.fsu.edu/~engelen/soapdoc2.html#tth_sEc17.19
– install OpenSSL
– Recompile sources with option -DWITH_OPENSSL
2) Digital Signature (SOAP-DSIG):
(In addition to SSL) defines syntax and rules for digitally signing
SOAP messages and validating signatures.
http://www-106.ibm.com/developerworks/webservices/library/ws-soapsec/
Lemon security: Summary
1. Sensor ↔ MSA
2. MSA ↔ OraMon: IPSec. Complicated
3. OraMon ↔ Oracle: Oracle Advanced Security
4. Client ↔ Oracle
5. Client ↔ OraMon (SOAP): OpenSSL+SOAP-DSIG?