perfSONAR User Q&A and Other Discussion

[Brian Tierney <>]

I'm wondering if anyone has tested a host IDS such as OSSec or rkhunter on a 
perfSONAR node, to see if there is any performance impact.

This might be a good thing to add to perfSONAR nodes.


On Jun 27, 2013, at 6:32 AM, Jason Zurawski 
<>
 wrote:

> Hey Roderick;
> 
> As an FYI the LHCOPN document was produced by external parties, but the 
> suggestions are sound depending on the policy set forth by the operating 
> institution.  Note the date is about 2 years ago, so some of the items they 
> are working around could have been addressed in subsequent releases.  
> 
> Earlier this year we published some information on ways to allow the 
> toolkit to work better with firewalls:
> 
>  http://psps.perfsonar.net/toolkit/firewalls.html
> 
> Coupled with this, the latest release has a stub iptables file that can be 
> used to implement host based filtering if that is so desired.   
> 
> One thing that I think we discussed (not sure if it was implemented) was 
> putting in some SSH protections like these: 
> http://codeghar.wordpress.com/2010/04/25/secure-your-ssh/. Many people 
> already implement the throttling suggestions, and that meets the checkbox 
> for security on that service in many cases.  It may also make sense to 
> disallow root logins, or empty passwords (once the machine is setup).  
> Those are a little harder for us to do by default, but certainly could work 
> well.  
> 
> As a part of a broader campus/network security plan, its always a good idea 
> to consider the use of systems that watch for strange behavior (tripwire, 
> bro), and lots of sites do this already.  
> 
> Trying to integrate federated login techniques to the performance node has 
> been shown to work, I know some locations have installed the kerberos from 
> the CentoOS repos, and configured it as they would any other system.
> 
> Lastly, if sites are using a non-pemanent install (like a live CD), they 
> often can get away with calling this an 'appliance', and thus a reboot can 
> be used to clean out the system in the event that something bad does happen.
> 
> In general, our stance remains that to get accurate measurements of the 
> network, the performance node should be free of infrastructure that will 
> limit performance.  There is value in seeing 'what the users see' however, 
> so users have to have their connectivity dragged through devices that limit 
> performance, the performance node should do so as well.  
> 
> Hope this helps;
> 
> -jason
> 
> On Jun 27, 2013, at 7:53 AM, Roderick Mooi wrote:
> 
>> Hi everyone,
>> 
>> What advice/recommendations are available for securing perfSONAR servers 
>> and/or the toolkit itself?
>> 
>> I've previously used this guide:
>> https://twiki.cern.ch/twiki/pub/LHCOPN/PerfsonarPS/perfSONAR-PS_Security_Guidelines.pdf
>>  
>> 
>> Are there any updates or other resources or recommendations particularly 
>> for v3.3?
>> 
>> Thanks very much!
>> 
>> Regards,
>> 
>> Roderick
>> 
>> 
>> -- 
>> This message is subject to the CSIR's copyright terms and conditions, 
>> e-mail legal notice, and implemented Open Document Format (ODF) standard. 
>> The full disclaimer details can be found at 
>> http://www.csir.co.za/disclaimer.html.
>> 
>> This message has been scanned for viruses and dangerous content by 
>> MailScanner, 
>> and is believed to be clean.
>> 
>> Please consider the environment before printing this email.