First meeting between the perfSONAR team (leads and dev leads from the global group) and the GÉANT Security team.
Background: the perfSONAR team identified a need for recommendations from an expert group on operating perfSONAR in a secure manner.
A pre-meeting was held between the GÉANT security team and perfSONAR team members from GÉANT on 08/03, at the annual GÉANT Symposium.
Introduction of attendees - All
Purpose of the meeting
To review and get recommendations on best practices to operate perfSONAR. With over 1400 pS nodes around the world, it is of paramount importance that the pS group stays up to date on security practices, to ensure the continued reliability and robustness of pS operation.
Eric and others agreed with this
GÉANT Security Team - presentation about task - Marcin Wolski
Sent to the group earlier via email
pS security recommendations exercise - what pS group wants out of this exercise
The aim of this exercise is to work together to get recommendations for security best practices to operate pS. This includes process, policies and best practices: documentation to operate a pS node in a secure manner. pS is different from some other software, as it is a multi-deployment appliance:
Includes the auto-update element, which enables pS deployments to be updated with any new software automatically once every day.
There are already some Security Considerations listed by pS group on its website, such as access to nodes, IPTables, host management using IDS, etc., but we are looking to expand this with this exercise.
Vulnerabilities are handled at the earliest opportunity by the development team, and an announcement is made on the perfsonar-user list regarding the severity and whether, and how much, it affects a pS deployment.
All the above considered - we would like to improve the process, and hence this exercise
Discussion with GÉANT security team
Define acceptance criteria, division into work items
GÉANT Security team will:
Until end of April, i.e. end of GN4-1:
Go through all security-related documentation on the perfsonar.net website, and arrange for infrastructure to deploy the perfSONAR toolkit
From GN4-2/May onwards:
Install the perfSONAR toolkit, review the default security policies and settings, and make recommendations based on the process
Go through the Vulnerability Management process and list practices for improvement
Communication between the teams
The GÉANT security team will, in the first instance, contact the GÉANT perfSONAR team, e.g. if any clarifications are required. The GÉANT perfSONAR team in turn will keep the rest of the global perfSONAR team updated on any discussions that occur, either by email or during the weekly developers call.
If any security-related topic of interest is flagged on any perfSONAR mailing list, the pS global team will co-ordinate among themselves to inform the GÉANT security team about it, should they need to consider it in relation to policy setting.
Shared space needed which is accessible to both teams (perfSONAR global team, GÉANT security team)
Required to store information such as progress of tasks, documentation (in-progress, draft, review, or final), discussions/decisions, or even admin tasks such as meeting notes, or next meeting dates etc.
Trupti will ask the GÉANT IT team if the GÉANT wiki (Confluence; eduGAIN-enabled access) can be used for this exercise
And set up a page for non-GÉANT participants, i.e. the rest of the pS global team
Another possibility is the perfSONAR GitHub wiki (https://github.com/perfsonar/project/wiki), but whether it is the right platform at this stage needs to be discussed with the rest of the pS group
Done - this wiki page will be used for collaboration on this task.