UK HEP System Managers Meeting Number 2, 30th September 1998. UCL.

Draft Minutes
(last modified 2-Nov-1998)
Chris Brew

Attending:

Chair - Bob Cranfield (UCL). Secretary - Chris Brew (RAL).

D Kelsey (RAL), J Gordon (RAL), A Sansum (RAL), A Flavell (Glasgow), R Hughes-Jones (Manchester), L Lowe (Birmingham), J Hill (Cambridge), D Martin (Glasgow), R Henderson (Lancaster), P Gronbech (Oxford), M Landon (QMW), S George (RHBNC), P Clarke (UCL)

Apologies

Brunel, Edinburgh, IC, Sheffield.

Organisational Matters for this and Future Meetings.

It was noted that the draft of the next CNAP report is due at the end of the year and the system managers should be submitting something for inclusion in that.

Terms of Reference.

The group will discuss topical issues for Computing in High Energy Physics in the UK. It will also advise CNAP via the (proposed) two members of this group who are also on CNAP.

Full terms of reference can be found on the sysman web pages: http://hepnts1.rl.ac.uk/sysman/may98/sysmanorg.html

Attendance.

It is hoped that attendance at these meetings will be one or two people for each UK HEP site.

Frequency and Location.

It is envisaged that there will be three meetings per year:

The next meeting will probably be a one day meeting held around the beginning of next year.

It was also mentioned that RAL will be hosting HEPiX just after Easter 1999.

Communication.

The mailing list set up by John Gordon after the last meeting is a successful and useful resource and it will be continued. Chris Brew will look at the possibility of setting up a hypernews system, though there was some debate as to whether this was necessary.

The question was raised as to whether the group could showcase video conferencing by conducting business over it, but it was pointed out that our organisation is one of the worst cases for video conferencing (many to many communication). It may be useful for point to point consultations or presentations (one to many) in the future but no action will be taken yet.

Circulation of Minutes etc.

These minutes will be posted to the sysman web page after each meeting and a notification posted to the SYSMAN list.

It was pointed out that the CNAP minutes are available on the web: http://hepnts1.rl.ac.uk/CNAP/

HTASC.

Dave Kelsey gave a brief introduction to the HEP-CCC Technical Advisory Sub-Committee (HTASC), of which he has just taken over the Chair. Its remit is to advise HEP-CCC on future requirements in all areas of computing and networking in the form of clear recommendations with the technical, financial, strategic and "political" implications spelled out. In addition to Dave chairing the committee, the UK representative on HTASC is Alan Flavell.

Video Conferencing - Richard Hughes-Jones.

(PDF file of slides available here)

This was a progress report on the tests of entry level VC products conducted with Jeff Fayers.

The tests involved using VIC and RAT with the Winnov Videum Pro video capture card with Windows 95/NT.

The latest versions of this software are available from the UKERNA web and there are good write ups of its use at Glasgow and CERN.

The tests involved looking at the network load for various configurations of the software, with the conclusion being that a reasonable link required a network bandwidth of 400 kilobytes/s.

A report on the entry level tests can be found at ppewww.ph.gla.ac.uk/vcrec

The question was raised as to whether this hardware/software could be used under Linux. Whilst this is theoretically possible, the testers did not have the Linux expertise to test this. Maybe someone with more Linux experience could join in the testing?

Priority Topics and Input to CNAP.

The group should look at issues of general concern to the HEP SYSMAN community (discussed at meetings and on the e-mail list) and report on those issues both to CNAP and to the wider HEP community.

There are many potential issues, the most pressing at the moment appearing to be:

Security - Andrew Sansum.

(PDF file of slides available here)

Andrew gave a talk on his experiences and discoveries over the last months as the RAL Unix security Advisor. Overheads for the talk can be found on the web at (get Talk and URL)

The main points raised in the talk are that system managers now need to be constantly vigilant, they need to have security procedures in place and, most of all, they need a plan for what will happen if and when they are compromised.

Firewalls - Richard Hughes-Jones.

(PDF file of slides available here)

Richard talked about his experiences setting up a departmental firewall after the Manchester hacking incident. He gave some background on the types of firewall available and what can be achieved with them. Copies of his overheads are available on the web at (get URL)

The main point to arise from the talk and the following discussion is that, although it looks easy to define rules as to what should get through your firewall, there are always more exceptions needed to allow your users to work.

Interactive Sessions and Password Security - Alan Flavell.

(PDF file of slides available here)

Alan introduced the topic and gave a brief talk on the secure shell (SSH). There followed a general discussion on SSH policy and usage. The overheads are available on the web at (include)

The main topic of the discussion, which will be continued on the e-mail list, was whether SSH should be used with .rhosts/.shosts/hosts.equiv files to allow passwordless logins, both for user convenience and for remote batch submission. It was pointed out that this could leave the community more, rather than less, exposed, as crackers could roam around linked systems bypassing much of the monitoring.

It must be remembered that SSH is not a magic bullet. It has to be used in conjunction with other security measures to be effective.

The possibility of keeping a central list of host keys was also raised. This was generally thought to be a good idea, at least for those clusters like the CERN wgs where key collection is not trivial. It was undecided who would take this on.

Intrusion Notification and UK HEP Security policy.

It was decided to encourage CNAP to send a letter to the heads of UK HEP groups outlining why security was now an issue and suggesting that they might want to think about having formal security policies.

It was decided that a HEP site suffering from a hacking incident should contact Andrew Sansum in the first instance (he will set up a procedure for this and announce it to the mailing list) and he will then co-ordinate the passing on of that information.

It was felt that there should be a UK-wide policy on what should happen at sites when this notification is received, but no decisions were made. Andrew is already drawing up a policy on what will happen on CSF and this will be circulated shortly.

It was also felt that possibly UK HEP should produce a common security document outlining the issues and procedures. This will be looked into.

Actions.

Next Meeting.

To be arranged in the new year.