IT Security for the LHCb experiment
3rd Control System Cyber-Security Workshop (CS)2/HEP
• Physical:
  o Authorization required to access Point 8
  o Biometric required to access the underground area
• Local:
  o Private personal account for each LHCb user
    • Few shared accounts are still in use
  o PAM/Domain Policies used to restrict access to critical servers between LHCb groups
  o IPMI access protected by router ACL
  o Applications centrally managed by Quattor/System Center Deployment Services
  o No internet routing allowed except for a few gateway servers
  o Only WEB access granted through an HTTP proxy
Enrico Bonaccorsi, Loic Brarda, Mohamed Chebbi, Niko Neufeld
Inner networks
• Traffic isolation using VLANs, 802.1q, Layer2 filtering and ACL
• LCG and TN accessible only from a few hosts
• No internet connectivity
• Only LHCb laptops allowed
Network Security implementation
• General public and login services / Terminal services:
  o RDP Windows remote desktops
  o SSH gateways
  o NX Linux remote desktops
  o Web services
• Network segmentation and trusted zones:
  o Level of trust based on three tiers, according to the sensitivity of the data being processed
Central Log System
• All the Windows and Linux servers send their logs to a clustered log server
• High Availability granted by:
  o Active/Active two-node cluster system
  o RAID 1 on each cluster node for the local disk
  o Filesystem replica over the network between nodes
  o Backup on CASTOR
• Logs exported to the users by NFS
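A collection point that every server forwards to is only useful while every server is actually forwarding; a host that stops sending (agent crashed, forwarding rule lost, host compromised and logging disabled) is a blind spot nobody notices unless something checks for it. The script below is an added example, not code from the LHCb presentation: it parses a constructed set of BSD-style syslog lines as they would arrive on the central log server, records the last message time per host, and reports expected hosts that have gone quiet as well as hosts that were never enrolled. The host names, the expected-host inventory and the sample lines are all constructed; in practice the inventory would come from the same central management system that deploys the applications.

```python
"""Freshness check for a central syslog collection point (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample of forwarded syslog lines (BSD / RFC 3164 style, no year).
SAMPLE_LOG = """\
Jan 12 10:15:02 ctrl-pc-01 sshd[2213]: Accepted publickey for oper from 10.0.8.21 port 51234 ssh2
Jan 12 10:15:09 ctrl-pc-02 systemd[1]: Started Session 41 of user oper.
Jan 12 10:16:40 ctrl-pc-01 sudo: oper : TTY=pts/0 ; PWD=/home/oper ; COMMAND=/bin/systemctl restart pvss
Jan 12 10:17:55 win-dcs-07 MSWinEventLog: 4624 An account was successfully logged on
Jan 12 10:18:03 unknown-box sshd[900]: Failed password for root from 10.0.8.99 port 40000 ssh2
Jan 12 10:20:00 ctrl-pc-02 cron[77]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Hosts that are expected to forward logs. Assumption: in a real deployment this
# list is exported from the configuration management inventory, not hard-coded.
EXPECTED_HOSTS = {"ctrl-pc-01", "ctrl-pc-02", "win-dcs-07", "gw-ssh-01"}

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)


def parse_line(line, year=2012):
    """Return (timestamp, host, message), or None for lines that do not parse.

    BSD syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("host"), m.group("msg")


def last_seen(lines):
    """Map each sending host to the newest timestamp observed from it."""
    seen = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the check
        ts, host, _ = parsed
        if host not in seen or ts > seen[host]:
            seen[host] = ts
    return seen


def check_freshness(lines, expected, now, max_age=timedelta(minutes=5)):
    """Report expected hosts silent for longer than max_age, and unenrolled senders."""
    seen = last_seen(lines)
    silent = sorted(h for h in expected if h not in seen or now - seen[h] > max_age)
    unexpected = sorted(h for h in seen if h not in expected)
    return {"silent": silent, "unexpected": unexpected}


def demo_report():
    """Run the check over the constructed sample with 'now' fixed at 10:22:00."""
    return check_freshness(SAMPLE_LOG.splitlines(), EXPECTED_HOSTS,
                           datetime(2012, 1, 12, 10, 22, 0))


if __name__ == "__main__":
    for kind, hosts in demo_report().items():
        print(f"{kind}: {', '.join(hosts) or '-'}")
```

With the sample above, ctrl-pc-01 last spoke at 10:16:40 and is flagged as silent at 10:22:00, gw-ssh-01 is flagged because it never sent anything, and unknown-box is reported as an unenrolled sender worth a look. Run it as a cron job against the last few minutes of the collector's spool and the two lists become an alert feed of their own.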
Data Security
• Shared filesystem:
  o Served by a cluster of five nodes on redundant hardware
  o High Availability granted by a cluster of NFS/SMB servers that export the filesystem to the entire experiment
  o Data protection:
    • Short term: based on a different storage RAID set, using RSYNC, for immediate user access (file deleted by mistake by the user, etc.)
    • Long term: based on tape using CASTOR, for… ever?
    • Backup sent to CASTOR and stored on tape
• Servers and Control PCs:
  o High availability granted by RAID 1
    • SW RAID used when HW RAID is not available
  o Daily backup based on Tivoli (thanks to the IT department)
Network Intrusion/Anomaly Detection System
• Boundary network traffic mirrored and analyzed
• ISO/IEC 18043:2006(E): Selection, deployment and operations of intrusion detection systems
• Snort for NIDS
• NTOP for Anomaly Detection
Performance
Questions?
• Barnyard to offload output processing
• Parsing
• Visual – Links Graphs
• Correlation to crosscheck to exclude false positives
• Centralized Analysis console is not strictly necessary
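The "parsing" and "correlation to exclude false positives" items are where most of the analyst time goes once Barnyard has written the Snort output to disk. As an added example, not code from the presentation or from the Snort or Barnyard projects, the script below parses alerts in Snort's alert_fast text format and crosschecks each one against two other sources the slides already mention: an allowlist of the site's own authorized scanners, and router ACL deny messages showing that the flow never reached its target. Alerts from an authorized scanner are suppressed, alerts for flows the ACL already dropped are downgraded, and everything else is escalated. All IP addresses, host names, rule SIDs (chosen in the local-rule range), ACL names and sample lines are constructed for the example; the Cisco IOS IPACCESSLOGP message shape is real, the content is not.

```python
"""Crosscheck Snort alert_fast output against other logs (added example)."""
import re

# Constructed Snort alert_fast lines (the text format Barnyard2 can emit from unified2).
SNORT_ALERTS = """\
01/12-10:18:03.123456  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.0.8.99:40000 -> 10.0.8.5:22
01/12-10:18:10.000001  [**] [1:1000002:1] LOCAL IPMI access from outside management VLAN [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {UDP} 10.0.9.40:51000 -> 10.0.10.7:623
01/12-10:19:30.555555  [**] [1:1000003:1] LOCAL port sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.8.250:44444 -> 10.0.8.5:445
"""

# Constructed router ACL deny message (Cisco IOS %SEC-6-IPACCESSLOGP style).
ACL_LOG = """\
Jan 12 10:18:10 gw-router %SEC-6-IPACCESSLOGP: list MGMT-IN denied udp 10.0.9.40(51000) -> 10.0.10.7(623), 1 packet
"""

# Assumption: the site's own vulnerability scanner, known in advance.
AUTHORIZED_SCANNERS = {"10.0.8.250"}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification: (?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)
ACL_DENY_RE = re.compile(
    r"denied (?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"])
    return d


def parse_acl_denies(lines):
    """Collect (proto, src, dst, dport) tuples for flows the router ACL dropped."""
    denied = set()
    for line in lines:
        m = ACL_DENY_RE.search(line)
        if m:
            denied.add((m.group("proto").upper(), m.group("src"),
                        m.group("dst"), m.group("dport")))
    return denied


def correlate(alert_lines, acl_lines, scanners):
    """Attach a verdict to every alert by crosschecking the other sources."""
    denied = parse_acl_denies(acl_lines)
    results = []
    for line in alert_lines:
        a = parse_alert(line)
        if a is None:
            continue  # not an alert line (Barnyard headers, blank lines, ...)
        flow = (a["proto"].upper(), a["src"], a["dst"], a["dport"])
        if a["src"] in scanners:
            verdict = "suppress: authorized scanner"
        elif flow in denied:
            verdict = "downgrade: blocked by router ACL"
        else:
            verdict = "escalate"
        results.append({"sid": a["sid"], "msg": a["msg"], "src": a["src"],
                        "dst": a["dst"], "verdict": verdict})
    return results


def demo_verdicts():
    """Run the correlation over the constructed samples."""
    return correlate(SNORT_ALERTS.splitlines(), ACL_LOG.splitlines(), AUTHORIZED_SCANNERS)


if __name__ == "__main__":
    for r in demo_verdicts():
        print(f"[{r['sid']}] {r['src']} -> {r['dst']} {r['msg']}: {r['verdict']}")
```

The correlation key is deliberately coarse (protocol, source, destination, destination port) so that a single ACL log line matches the alert even when packet counts or source ports differ. A downgraded alert is still kept: a blocked IPMI probe from the wrong VLAN is not an incident on the target, but it is evidence about the source host, which is exactly the kind of thing a later crosscheck against the central log server can pick up.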