%TOC%

NOTE: This information is sensitive and must be kept private. The content cannot be read unless you are in the TwikiAdminGroup.

   * Set ALLOWTOPICVIEW = TwikiAdminGroup

---+ Service classification on risk

This layered classification means that a security breach at a given layer must not affect services in the layers above it. Users are at the bottom, and the further up you go the further away from them you are (as it should be). From bottom to top:

   * The lowest layer is the one closest to the users; it is the only place where they have rights to execute binaries.
   * The second layer is made up of production services that the first layer requires, but users have no direct access to them (they can only read or write files, not execute).
   * The third layer is made up of support services: the infrastructure needed to install and manage the cluster. Users have nothing to do with it, and most services here do not affect production if they are temporarily lost (the exception is the Xen hosts). On the other hand, an attacker here can do really nasty things to the production environment, but as long as he does not climb any higher we can recover.
   * The fourth layer is made up of critical services that we must rely on, mostly general CSCS services. If this layer is not compromised we can go back to a previous state from backup.
   * The top layer is where our own grid syslog server will be. It will only listen for incoming syslog traffic, nothing else. It is a kind of black box and should be the most protected layer, used by us only in case of an incident.
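The layering rule above (a breach in one layer must not affect the layers above it) can be checked mechanically: every service dependency must point at the same class or a higher one, and the top layer must have no dependencies at all. The following is an added example written for this page, not code from the CSCS site. The class ranks and the service-to-class mapping follow the classification table in this topic; the short service names (WN, LRMS, Mon, SyslogEndpoint and so on) and the dependency edges are constructed for illustration.

```python
"""Layering check for the service classes on this page.

Added example, not tooling from the CSCS site.  Class ranks and the
service-to-class table follow the classification table on this page;
the short service names and the dependency edges are constructed for
illustration.
"""

# Bronze is the layer closest to the users, Palladium the "black box" top.
CLASS_RANK = {"Bronze": 1, "Silver": 2, "Gold": 3, "Platinum": 4, "Palladium": 5}

# Service -> class, following the page's table (names shortened here).
SERVICE_CLASS = {
    "Firewall": "Palladium", "SyslogEndpoint": "Palladium",
    "Backup": "Platinum", "Syslog": "Platinum", "DNS": "Platinum",
    "NTP": "Platinum", "Snort": "Platinum",
    "Pub": "Gold", "VPN": "Gold", "Repository": "Gold", "InstallServer": "Gold",
    "NFS": "Gold", "cfengine": "Gold", "DHCP": "Gold", "PXE": "Gold",
    "XenHost": "Gold", "ILOM": "Gold",
    "Lustre": "Silver", "Mon": "Silver", "BDII": "Silver", "dCache": "Silver",
    "LRMS": "Silver",
    "UI": "Bronze", "WN": "Bronze", "CE": "Bronze", "VOBox": "Bronze",
}


def rank(service):
    """Numeric trust rank of a service; higher is further from the users."""
    return CLASS_RANK[SERVICE_CLASS[service]]


def check_dependencies(edges):
    """Return the edges that let a compromise propagate upward.

    edges: iterable of (dependent, dependency), meaning `dependent` needs
    `dependency` to work.  Needing a service in the same or a higher class
    is fine (WNs need Lustre, Pub needs DNS).  Needing a service in a lower
    class is a violation: whoever owns the lower-class service can now
    affect the higher-class one.
    """
    return [(dep, req) for dep, req in edges if rank(req) < rank(dep)]


def check_blackbox(edges):
    """Return top-layer services that depend on anything at all.

    The page's rule for the top layer is "listen to syslog input, nothing
    else", so even a same-class dependency is flagged there.
    """
    top = max(CLASS_RANK.values())
    return sorted({dep for dep, _ in edges if rank(dep) == top})


# Constructed dependency list for the demonstration.
SAMPLE_EDGES = [
    ("WN", "Lustre"),              # Bronze -> Silver: fine
    ("WN", "LRMS"),                # Bronze -> Silver: fine
    ("LRMS", "NFS"),               # Silver -> Gold: fine
    ("Pub", "DNS"),                # Gold -> Platinum: fine
    ("XenHost", "NFS"),            # Gold -> Gold: fine
    ("Mon", "WN"),                 # Silver pulling from Bronze: violation
    ("SyslogEndpoint", "DNS"),     # black box resolving names: violation
]

if __name__ == "__main__":
    for dep, req in check_dependencies(SAMPLE_EDGES):
        print(f"layering violation: {dep} ({SERVICE_CLASS[dep]}) depends on "
              f"{req} ({SERVICE_CLASS[req]})")
    for svc in check_blackbox(SAMPLE_EDGES):
        print(f"black-box violation: {svc} has outgoing dependencies")
```

The direction matters: a monitoring server that polls worker nodes, or a syslog black box that needs DNS, is exactly the kind of edge that lets a compromise in a lower layer reach a higher one, and the check only needs the class table plus an honest list of who talks to whom.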
| *Class* | *Services* |
| Palladium | Firewall, Syslog endpoint (black box, flight recorder) |
| Platinum | (Backup, Syslog, DNS, NTP) @CSCS, Snort, IDS |
| Gold | Pub, VPN, Repository, Installation server, NFS, cfengine<br> DHCP, PXE, Xen Hosts, Management ports (ILOMs) |
| Silver | Lustre backend, Mon, BDIIs, dCache, LRMS |
| Bronze | UIs, WNs, Lcgce, Cream, Arc, VOBoxes |

---+ Network split

We have five different network areas, to enforce security both in the installation process and on the remote management ports (ILOMs), and to keep the Internet apart from our CSCS public network and the LCG network. It is structured as follows:

   * *Internet* is the lowest security zone, where the attacks come from. The CSCS public network is protected from it with a firewall (the CSCS net and the LCG net are protected by different firewalls).
   * *CSCS Public* network (actually composed of many networks), with IP ranges 148.187.[3,12,17,18,130,140,224], is owned by CSCS but not managed by the Grid team. Services like DNS, nagios, twiki and svn live here. It is behind a firewall that is also managed by CSCS.
   * *LCG Public* network has the range 148.187.64.0/22 and is behind a different firewall, managed by us. This is where all our systems are and where we expect attacks to arrive.
   * *Installation* network. With the range 10.10.64.0/22 (IPs mirrored from the LCG public network), this private network exists for installation purposes. All physical PhaseC machines have an ethernet interface on it. Even though it is a private network, it is on the same VLAN as the LCG Public network (it is on the Force10 switches with PhaseB), so we must consider it exactly as secure as the LCG Public network: any compromised machine can simply change its IP and switch from one network to the other.
   * *ILOM* is the most secure network. It is separated from the rest in its own VLAN, and the Xen Hosts are the only entry points to it. All the remote administration interfaces are connected there.
---+ Entry points

We have to administer this complex network, and so we need entry points into it. These are the machines that have access to the different parts of the system:

   * Xen hosts. They are connected to all the networks: LCG Public, Installation and ILOM.
   * Pub virtual machine. It is connected to the same three networks as the Xen hosts. This is where the admins will have their home directories, with their passphrase-protected ssh private keys, and it is considered a secure host in that respect. It will also be possible to enter the ILOM network over VPN, to reach the ILOM web interfaces from outside CSCS.
   * The installation server is also an entry point to the Installation 10.10 network. Since that network is on the same VLAN as the LCG Public one, it is an entry point only for convenience.

---+ Sysadmin access

   * All machines in the cluster will restrict ssh root access to administrators only. They will not have user accounts (except for Pub, the entry point). They will only accept connections on the ssh port from the CSCS IP range.
   * Administrators should store their private ssh key only on a host "considered trusted" and type its passphrase only there. A trusted host is a host managed by the administrator, and it must be inside CSCS. All accesses from outside must come through Pub first.

-- Main.PabloFernandez - 2010-02-24
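As an added example of how to audit the two server-side rules above on a node (root-only, key-only ssh, and the ssh port reachable only from the CSCS range), the script below parses an sshd_config and `iptables-save` output and reports deviations. It is not the site's own tooling. It assumes the "CSCS ip range" is 148.187.0.0/16, which this page does not state (it only lists individual sub-ranges), and the two configuration samples at the bottom are constructed: a stock-looking weak one and a hardened one.

```python
"""Audit ssh access on a cluster node against the rules above.

Added example, not tooling from the CSCS site.  Assumptions: the "CSCS ip
range" is 148.187.0.0/16 (the page only lists sub-ranges), and firewall
rules are supplied as `iptables-save` output.  The sample configurations
at the bottom are constructed.
"""
import ipaddress
import re

# Assumption: the CSCS range the page refers to.  Not on the page as such.
TRUSTED_NETS = [ipaddress.ip_network("148.187.0.0/16")]

# PermitRootLogin values that still let root in with a key but not a password.
KEY_ONLY_ROOT = ("without-password", "prohibit-password", "forced-commands-only")


def parse_sshd_config(text):
    """Return {option_lowercase: value}; first occurrence wins, as in sshd."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        opts.setdefault(key, value)
    return opts


def check_sshd(opts, entry_point=False):
    """Findings for the sshd side.  Unset options are treated as the weak
    historical defaults, so the policy has to be spelled out explicitly."""
    findings = []
    if opts.get("permitrootlogin", "yes") not in KEY_ONLY_ROOT:
        findings.append("PermitRootLogin must be without-password (key-only root)")
    if opts.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication must be no")
    if opts.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication must be yes")
    # Non-entry-point nodes have no user accounts, so only root may log in.
    if not entry_point and opts.get("allowusers", "").split() != ["root"]:
        findings.append("AllowUsers must be exactly 'root' on non-entry-point nodes")
    return findings


def ssh_accept_sources(rules_text):
    """Source networks that INPUT rules accept on tcp/22 (iptables-save form).
    A rule without -s accepts from anywhere, recorded as 0.0.0.0/0."""
    sources = []
    for line in rules_text.splitlines():
        if "--dport 22" not in line or "-j ACCEPT" not in line:
            continue
        m = re.search(r"\s-s\s+(\S+)", line)
        src = m.group(1) if m else "0.0.0.0/0"
        sources.append(ipaddress.ip_network(src, strict=False))
    return sources


def check_ssh_sources(sources):
    """A source network is acceptable only if it lies inside a trusted range."""
    return [f"ssh accepted from untrusted source {net}"
            for net in sources
            if not any(net.subnet_of(t) for t in TRUSTED_NETS)]


def audit(sshd_text, rules_text, entry_point=False):
    """Run both checks; an empty list means the node matches the policy."""
    findings = check_sshd(parse_sshd_config(sshd_text), entry_point)
    findings += check_ssh_sources(ssh_accept_sources(rules_text))
    return findings


# Constructed samples: a stock-looking node and a hardened one.
WEAK_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""
WEAK_RULES = "-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT\n"

HARDENED_SSHD = """\
Port 22
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers root
"""
HARDENED_RULES = """\
-A INPUT -s 148.187.64.0/22 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 148.187.3.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
"""

if __name__ == "__main__":
    for name, cfg, rules in (("weak", WEAK_SSHD, WEAK_RULES),
                             ("hardened", HARDENED_SSHD, HARDENED_RULES)):
        print(name, audit(cfg, rules) or ["ok"])
```

The passphrase and trusted-host rules live on the client side and cannot be checked from the node; what the node can enforce is that nothing outside the CSCS range reaches its ssh port at all, which is why every access from outside has to go through Pub first. Pub itself is audited with `entry_point=True`, since it is the one host that legitimately has user accounts.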
Topic revision: r5 - 2010-03-02 - PabloFernandez