NOTE: This information is sensitive and should be kept private. The content cannot be read by anyone who is not in the TwikiAdminGroup.

Service classification on risk

This layered classification implies that a security breach at a given layer should not affect services in the layers above it. Users are at the bottom, and the further up you go, the further away from the users you are (and should be). From bottom to top:

  • The lowest layer is the closest to the users; in fact, the hosts in this layer are the only ones where users have the right to execute binaries.
  • The second layer is composed of production services required by the first layer, but users have no direct access to them (they can only read or write files, not execute).
  • The third layer is composed of support services: the infrastructure needed to install and manage the cluster. Users have nothing to do with it, and most services here don't affect production if they are temporarily lost (the exception is the Xen hosts). On the other hand, an attacker here can do really nasty things to the production environment, but as long as they don't climb to the top layers we can recover.
  • The fourth layer is composed of critical services that we must rely on, mostly general CSCS services. If this layer is not compromised we can go back to a previous state from backup.
  • The top layer is where our own grid syslog server will be; it will just listen for incoming syslog traffic, nothing else. It is a kind of black box, should be the most protected layer, and will only be used by us in case of an incident.

Class      Services
Palladium  Firewall, Syslog endpoint (blackbox, flight recorder)
Platinum   (Backup, Syslog, DNS, NTP) @CSCS, Snort, IDS
Gold       Pub, VPN, Repository, Installation server, NFS, cfengine, DHCP, PXE, Xen Hosts, Management ports (ILOMs)
Silver     Lustre backend, Mon, BDIIs, dCache, LRMS
Bronze     UIs, WNs, Lcgce, Cream, Arc, VOBoxes
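
The layering above says that a breach in one class must not reach the classes above it. As an added illustration (not part of this page), the following Python encodes the class ranking and the services from the table and checks a dependency list for the edge that would break the rule: a service may only depend on services of its own class or higher, otherwise a breach in the lower class propagates upward. It also computes the blast radius of a compromised service. The dependency edges are constructed for the example and are not a statement of the real cluster's dependencies.

```python
# Added example, not from the original wiki page: a dependency checker for
# the layered service classification.  Class names and the services in each
# class come from the page's table; the dependency edges at the bottom are
# constructed for illustration only.
from collections import defaultdict

# Lowest (closest to users) to highest (most protected), as on the page.
CLASS_ORDER = ["Bronze", "Silver", "Gold", "Platinum", "Palladium"]
RANK = {name: i for i, name in enumerate(CLASS_ORDER)}

SERVICE_CLASS = {
    "UIs": "Bronze", "WNs": "Bronze", "Lcgce": "Bronze", "Cream": "Bronze",
    "Arc": "Bronze", "VOBoxes": "Bronze",
    "Lustre backend": "Silver", "Mon": "Silver", "BDIIs": "Silver",
    "dCache": "Silver", "LRMS": "Silver",
    "Pub": "Gold", "VPN": "Gold", "Repository": "Gold",
    "Installation server": "Gold", "NFS": "Gold", "cfengine": "Gold",
    "DHCP": "Gold", "PXE": "Gold", "Xen Hosts": "Gold", "ILOMs": "Gold",
    "Backup": "Platinum", "Syslog": "Platinum", "DNS": "Platinum",
    "NTP": "Platinum", "Snort": "Platinum", "IDS": "Platinum",
    "Firewall": "Palladium", "Syslog endpoint": "Palladium",
}


def check_dependencies(deps):
    """deps: iterable of (service, depends_on) pairs.

    A service that depends on a lower-class service is affected by a breach
    there, which is exactly what the layering forbids.  Every edge must
    therefore point to an equal or higher class.  Returns the violating
    edges as (service, its class, dependency, dependency class).
    """
    violations = []
    for svc, dep in deps:
        if RANK[SERVICE_CLASS[dep]] < RANK[SERVICE_CLASS[svc]]:
            violations.append((svc, SERVICE_CLASS[svc], dep, SERVICE_CLASS[dep]))
    return violations


def blast_radius(deps, compromised):
    """Set of services that transitively depend on `compromised`, i.e. what a
    breach there can affect."""
    reverse = defaultdict(list)          # dependency -> services relying on it
    for svc, dep in deps:
        reverse[dep].append(svc)
    seen, stack = set(), [compromised]
    while stack:
        for s in reverse[stack.pop()]:
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return seen


# Constructed dependency edges (illustrative, not the real cluster).
CONSTRUCTED_DEPS = [
    ("WNs", "LRMS"), ("WNs", "Lustre backend"), ("UIs", "LRMS"),
    ("Cream", "LRMS"), ("LRMS", "NFS"), ("cfengine", "Repository"),
    ("Xen Hosts", "ILOMs"),
    # Deliberate violation: a Gold-class service relying on a Silver one.
    ("Installation server", "Lustre backend"),
]

if __name__ == "__main__":
    for v in check_dependencies(CONSTRUCTED_DEPS):
        print("VIOLATION: %s (%s) depends on %s (%s)" % v)
    print("breach of LRMS reaches:", sorted(blast_radius(CONSTRUCTED_DEPS, "LRMS")))
```

Running the check on an inventory export is a cheap way to catch a support service that has quietly grown a dependency on a production box, which is the situation the classification is meant to rule out.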

Network split

We have five different network areas, to enforce security both in the installation process and on the remote management ports (ILOMs), and to keep the Internet apart from our CSCS public network and the LCG network. It is structured as follows:

  • Internet is the lowest-security zone, where the attacks come from. The public CSCS network is protected from it by a firewall (the CSCS net and the LCG net are protected by different firewalls).
  • CSCS Public network (actually composed of many networks), with IP ranges 148.187.[3,12,17,18,130,140,224], is owned by CSCS but not managed by the Grid team. Here lie services like DNS, nagios, twiki and svn. It is also behind a firewall managed by CSCS.
  • LCG Public network has the range 148.187.64.0/22 and is behind a different firewall, managed by us. This is where all our systems are and where we expect attacks to come.
  • Installation network. With the range 10.10.64.0/22 (IPs mirrored from the LCG public network), this private network exists for installation purposes. All physical PhaseC machines have an ethernet interface on that network. Even though it is a private network, it is on the same VLAN as the LCG Public network (it's on the Force10 switches with PhaseB), so we should consider it exactly as secure as the LCG Public network: any compromised machine can simply change its IP and switch from one network to the other.
  • ILOM is the most secure network. It is separated from the rest on a different VLAN, and only the Xen hosts are entry points to it. All the remote administration interfaces are connected there.

Entry points

We have to administer this complex network and thus we need entry points into it. These are the machines that have access to the different parts of the system:

  • Xen hosts. They are connected to all the networks: LCG Public, Installation and ILOM.
  • Pub virtual machine. This is connected to the same three networks as the Xen hosts. This is where the admins will have home directories with their password-protected ssh private keys, and it is considered a secure host in that respect. It will also be possible to enter the ILOM network over VPN, to access the web applications from outside CSCS.
  • The installation server is also an entry point to the Installation 10.10 network. Since this is on the same VLAN as the LCG Public network, it is an entry point merely for convenience.
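
As an added example (not code from this page), the Python below models the zones of the network split and the entry points listed above: it classifies an address into a zone, derives the mirrored installation address of an LCG public host, collapses Installation into LCG Public for trust decisions because the two share a VLAN, and answers whether a source may reach the ILOM network. The ranges are those stated on the page; treating each CSCS public range as a /24, the ILOM range and the entry-point addresses are assumptions or placeholders.

```python
# Added example, not from the original wiki page: a model of the five zones
# and of who may reach the ILOM network, using Python's ipaddress module.
import ipaddress

# Ranges taken from the page.  The page lists the CSCS public ranges as
# 148.187.[3,12,17,18,130,140,224]; treating each as a /24 is an assumption.
ZONES = {
    "cscs_public": [ipaddress.ip_network("148.187.%d.0/24" % o)
                    for o in (3, 12, 17, 18, 130, 140, 224)],
    "lcg_public": [ipaddress.ip_network("148.187.64.0/22")],
    "installation": [ipaddress.ip_network("10.10.64.0/22")],
    # The ILOM range is not given on the page: placeholder block, assumption.
    "ilom": [ipaddress.ip_network("10.99.0.0/24")],
}

# Entry points named on the page (Xen hosts and Pub); addresses are constructed.
ILOM_ENTRY_POINTS = {
    "xen-host-01": ipaddress.ip_address("148.187.64.10"),
    "pub": ipaddress.ip_address("148.187.64.20"),
}


def zone_of(addr):
    """Name of the zone containing addr; anything unlisted is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


def trust_zone(addr):
    """Zone to use for trust decisions.  Installation shares a VLAN with LCG
    Public, so a compromised host can re-address itself into either range;
    the page therefore says to treat the two as equally secure."""
    z = zone_of(addr)
    return "lcg_public" if z == "installation" else z


def mirrored_install_address(addr):
    """Installation-network address mirroring an LCG public one (same host
    bits under the 10.10.64.0/22 prefix)."""
    ip = ipaddress.ip_address(addr)
    lcg = ZONES["lcg_public"][0]
    inst = ZONES["installation"][0]
    if ip not in lcg:
        raise ValueError("%s is not in the LCG public range %s" % (addr, lcg))
    return inst.network_address + (int(ip) - int(lcg.network_address))


def may_reach_ilom(src):
    """ILOM sits on its own VLAN and is reachable only through the named entry
    points, so the rule is an allow-list of hosts rather than a zone check."""
    return ipaddress.ip_address(src) in ILOM_ENTRY_POINTS.values()


if __name__ == "__main__":
    for a in ("148.187.3.5", "148.187.66.9", "10.10.66.9", "8.8.8.8"):
        print(a, zone_of(a), "->", trust_zone(a))
    print("mirror of 148.187.65.7:", mirrored_install_address("148.187.65.7"))
    print("may 148.187.64.99 reach ILOM?", may_reach_ilom("148.187.64.99"))
```

The point of `trust_zone` is the one the page makes about the shared VLAN: a firewall rule that grants the 10.10 range more trust than the 148.187.64.0/22 range buys nothing, because the same host can present either address.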

Sysadmin access

  • All machines in the cluster will have ssh root access restricted to administrators only. They will not have user accounts (except for Pub, the entry point). Their ssh port will only be reachable from the CSCS IP range.
  • Administrators should store their private ssh key only on a host "considered trusted" and type its password only there. A trusted host is a host managed by the administrator and must be inside CSCS. All accesses from outside should go through Pub first.
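
As an added example (not from this page), the Python below audits an sshd_config against the rules of this section: root-only, key-only logins, limited to sources inside the CSCS range, and no ordinary user accounts on cluster nodes. Encoding those rules as the OpenSSH options PermitRootLogin prohibit-password (or the older without-password), PasswordAuthentication no and AllowUsers root@CIDR, and using 148.187.0.0/16 for "the CSCS IP range", are assumptions; the two sample configs are constructed.

```python
# Added example, not from the original wiki page: audit an sshd_config
# against the sysadmin-access policy.  Option choices and the CSCS range
# below are assumptions made for the example.
import ipaddress
import re

CSCS_RANGE = ipaddress.ip_network("148.187.0.0/16")  # assumption


def parse_sshd_config(text):
    """Global settings of an sshd_config, keyed by lower-cased keyword.
    Like sshd, the first occurrence of a keyword wins.  Lines after a Match
    keyword are conditional and are skipped by this audit."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        val = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if not in_match:
            settings.setdefault(key, val)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the policy is met."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin") not in ("prohibit-password", "without-password"):
        findings.append("PermitRootLogin must be prohibit-password (key-only root)")
    if cfg.get("passwordauthentication", "yes") != "no":   # sshd default is yes
        findings.append("PasswordAuthentication must be no")
    allow = cfg.get("allowusers")
    if allow is None:
        findings.append("AllowUsers missing: logins not limited to root from the CSCS range")
        return findings
    for entry in allow.split():
        user, _, host = entry.partition("@")
        if user != "root":
            findings.append("AllowUsers: non-root account %r (cluster nodes have no user accounts)" % user)
        if not host:
            findings.append("AllowUsers: %r has no source restriction" % entry)
            continue
        try:
            net = ipaddress.ip_network(host, strict=False)
        except ValueError:
            findings.append("AllowUsers: %r uses a non-CIDR host pattern; cannot verify it" % entry)
            continue
        if not net.subnet_of(CSCS_RANGE):
            findings.append("AllowUsers: %r allows sources outside the CSCS range" % entry)
    return findings


# Constructed sample configs.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
# root only, and only from inside CSCS (assumed /16)
AllowUsers root@148.187.0.0/16
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```

The AllowUsers user@CIDR form keeps the source restriction inside sshd itself; the host firewall should still drop port 22 from outside the CSCS range so that a misconfigured sshd is not the only barrier.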

-- PabloFernandez - 2010-02-24

Topic revision: r5 - 2010-03-02 - PabloFernandez