wiki:GENIOperationsTrial/GENISecurityCheckStitch

Version 1 (modified by lnevers@bbn.com, 9 years ago)

CHK-### GENI Stitching Security Checks

The Internet2 (I2) GENI Stitching Computation Service (SCS) is currently run as a GENI production service and is supported by the GENI Meta Operations Center (GMOC) at Internet2. The SCS provides GENI Network Stitching path information between GENI sites.

1.0 GENI Stitching Security Check

1.1 Goals of Stitching Security Check

The SCS server is located at the Internet2 GMOC, where it undergoes standard GMOC security checks. This page captures an outline of the security-check activities executed by the GMOC, which include:

  • Regularly watch for critical Common Vulnerabilities and Exposures (CVEs) and apply the corresponding patches.
  • There are no log reviews on the SCS host (geni-scs.net.internet2.edu) for the SCS service.
  • Server emails are sent to a mailing list for archival purposes; they are not reviewed regularly, but the archive is accessible if needed.
  • The SCS host geni-scs.net.internet2.edu is monitored for disk, IPMI, load and memory usage, as well as for processes such as ntp and the SCS process.
  • A default-deny iptables policy is in place that rejects all inbound traffic; filters allow only SCS, monitoring, and SSH connections.
  • SSH access is limited to a very small set of IP addresses: only 3 bastion hosts, 1 backup host, and 1 Rancid collector host are allowed to SSH to the SCS host. All hosts allowed to SSH are within the Payment Card Industry (PCI) compliance scope.
  • Daily log reviews and tripwire scans are run on these PCI-scoped hosts.
  • The GENI SCS host resides in the GlobalNOC address space, where active vulnerability scans run monthly, as described in the GMOC Vulnerability Scanners page.
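As an added illustration of the default-deny policy and SSH allow-list described in the list above (example code written for this page, not the GMOC's actual ruleset), the following POSIX shell script generates an iptables-restore file with a DROP policy on INPUT, explicit allows for the SCS service port, the monitoring poller, and the five enumerated SSH sources (3 bastions, 1 backup host, 1 Rancid collector), and a logged REJECT for everything else. The SCS port, the monitoring host and port, and all source addresses are placeholders (assumptions, taken from the RFC 5737 documentation ranges); substitute the real values. Run without arguments it prints the ruleset for review; `apply` syntax-checks it with `iptables-restore --test` and then loads it, which requires root.

```shell
#!/bin/sh
# Added example, not the GMOC's actual ruleset: emit an iptables-restore
# file implementing the policy in the check list above (default deny,
# allow only the SCS service, the monitoring poller and SSH from the
# enumerated hosts). Every address and port below is a placeholder
# (assumption); RFC 5737 documentation ranges are used for addresses.

SCS_PORT="${SCS_PORT:-8081}"          # assumed SCS listener port
MON_HOST="${MON_HOST:-192.0.2.10}"    # assumed monitoring poller
MON_PORT="${MON_PORT:-5666}"          # assumed monitoring agent port (NRPE-style)
# assumed: 3 bastions, 1 backup host, 1 Rancid collector, nothing else
SSH_SOURCES="${SSH_SOURCES:-198.51.100.1 198.51.100.2 198.51.100.3 198.51.100.20 198.51.100.30}"

# Print the complete ruleset in iptables-restore format.
scs_firewall_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -s $MON_HOST -j ACCEPT
-A INPUT -p tcp --dport $MON_PORT -s $MON_HOST -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport $SCS_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
    # One explicit allow per SSH source; there is deliberately no
    # unrestricted port-22 rule.
    for src in $SSH_SOURCES; do
        printf '%s\n' "-A INPUT -p tcp --dport 22 -s $src -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log, then reject everything else; the DROP chain policy is the backstop.
    cat <<EOF
-A INPUT -j LOG --log-prefix "scs-reject: " --log-level 4
-A INPUT -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# Sanity checks a reviewer can run on a ruleset read from stdin
# (the generated file, or the output of iptables-save on the live host).
count_ssh_allows() {            # number of hosts allowed to reach port 22
    grep -c -e '--dport 22 -s [0-9.]* .* -j ACCEPT'
}
input_policy_is_drop() {        # default deny on INPUT
    grep -q '^:INPUT DROP'
}
has_open_ssh_rule() {           # true if any port-22 allow lacks a source
    grep -e '--dport 22 ' | grep -v -e ' -s ' | grep -q ACCEPT
}

case "${1:-print}" in
    apply)  # requires root; syntax-check with --test before loading
        scs_firewall_rules | iptables-restore --test \
            && scs_firewall_rules | iptables-restore ;;
    *)      scs_firewall_rules ;;
esac
```

The three check functions are the part worth keeping around: piping `iptables-save` on the SCS host into `count_ssh_allows` and `has_open_ssh_rule` gives a quick, repeatable way to confirm that the live ruleset still matches the stated policy (exactly five SSH sources, no source-less port-22 allow) after a change window.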

1.2 Steps for Stitching Security Check

No steps are captured on this page; GMOC procedures should be followed.

1.3 Stitching Security Check - Pass Criteria

Pass criteria are defined in GMOC procedures.

1.4 Stitching Security Check - Fail Criteria and Escalation

Fail criteria are defined in GMOC procedures.

Escalation: GMOC