Goal

Get recommendations and best practices to operate perfSONAR in a deployment in a secure manner

Background

Following initial discussions with the GÉANT security team (led by Marcin Wolski) regarding the scope of the below-mentioned perfSONAR security audit task, and subsequent discussion within the perfsonar-leads group, the scope has been narrowed down to recommendations and best practices to operate perfSONAR in a deployment in a secure manner. In order to set expectations and agree on a set of acceptance criteria for this task, let us have a meeting during the coming weeks.

With over 1400 pS nodes around the world, it is of paramount importance that the pS group stays up-to-date on security practices, to ensure the continued reliability and robustness of pS operation.

Requirements

The aim of this exercise is to work together to get recommendations for security best practices to operate pS. This includes process, policies and best practices: documentation for operating a pS node in a secure manner. pS differs from a few other software products in that it is a multi-deployment appliance:

  • Includes the auto-update element, which enables pS deployments to be updated with any new software automatically once every day.
  • There are already some Security Considerations listed by pS group on its website, such as access to nodes, IPTables, host management using IDS, etc., but we are looking to expand this with this exercise.
  • Vulnerabilities are handled at the earliest by the development team, and an announcement is made on the perfsonar-user list with regard to the severity of the vulnerability and whether, and how much, it affects a pS deployment.

All the above considered, we would like to improve the process, hence this exercise.

Key actors in the process

Role: Name

  • SDA representative/Lead Developer: Lætitia Delvaux (Geant) + 3 more SDA from the US side: Andrew Lake (ESNet), Mark Feit (Internet2), Daniel Doyle (IU); (optionally) SDA for the Lookup Service
  • Testing manager (SA4 T1): Marcin Wolski + Gerard Frankowski (security)
  • Product Manager: Trupti Kulkarni (Geant) + 3 other PMs from US: Brian Tierney (ESNet), Eric Boyd (Internet2), Jennifer Schopf, Luke Fowler (IU)
  • SA4/SA2 Activity Leader: Marina Adomeit

Input documents

Documentation on security that I am aware of, I have shared with you previously. Here are those links once again:

Schedule

  • Until the end of April, i.e. the end of GN4-1:
    • Go through all security-related documentation on the perfsonar.net website, and arrange for infrastructure to deploy the perfSONAR toolkit
  • From GN4-2/May onwards:
    • Install the perfSONAR toolkit, review the default security policies and settings, and make recommendations based on the process
    • Go through the Vulnerability Management process and list practices for improvement

Communication between the teams

  • The GÉANT security team will, in the first instance, contact the GÉANT perfSONAR team, e.g. if any clarifications are required. The GÉANT perfSONAR team will in turn keep the rest of the global perfSONAR team updated on any discussions that occur, either by email or during the weekly developers' call.
  • If any security-related topic of interest is flagged on any perfsonar mailing list, the pS global team will co-ordinate among themselves to have someone inform the GÉANT security team about it, should they need to consider it in relation to policy setting.

Documentation

Maintenance and updates

Automated management: http://www.perfsonar.net/deploy/automated-management/

Security considerations: http://www.perfsonar.net/deploy/security-considerations/

Different installation packages: http://docs.perfsonar.net/install_options.html , and also Installation procedure.

Deployment map of perfSONAR nodes: http://stats.es.net/ServicesDirectory/  

Vulnerability management process  

Current vulnerability management: http://www.perfsonar.net/deploy/vulnerability-archive/

More information about deployment can be found here: http://www.perfsonar.net/deploy/ . The generic user guide, which may be too detailed and largely out of scope for this exercise but is given here in case you have any specific questions, is here: http://docs.perfsonar.net/index.html

Security audit report


1 Comment

  1. Trupti Kulkarni please review the page and update when needed