Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC.

Similar presentations


Presentation on theme: "Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC."— Presentation transcript:

1 Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC

2 12/04/98Bob Cowles - SLAC2 Background Over 3000 hosts respond to ping –1200 over NT machines –800 over Unix machines Business Services Division –PeopleSoft Financials & Human Resources –WinNT workstations; Oracle DB on Unix 150 W/S in central offices 50 W/S in departments distributed around Lab

3 12/04/98Bob Cowles - SLAC3 Crisis -> Response Serious intrusion in June 1998 –Over 20 Unix hosts compromised (root) –Over 40 user accounts used Response –Cut off from Internet for a week –Changed all passwords –Applied deferred security patches –Increased packet filtering

4 12/04/98Bob Cowles - SLAC4 Challenge - Priorities Prevent unauthorized access to business systems and confidential data Protect accelerator control systems Protect physics data and programs

5 12/04/98Bob Cowles - SLAC5 Challenge - Constraints Implement security measures consistent with the research mission –Open –Collaborative Credible response to vulnerabilities –Password compromise –Local admin & PC mode of thinking

6 12/04/98Bob Cowles - SLAC6 Threat Analysis Attack on Oracle DB –Alter data –Read personal or confidential data –Denial of Service External Attack Internal (authenticated user) Attack Adapt to new threats over next 2 years

7 12/04/98Bob Cowles - SLAC7 Countermeasures I External –Filter out NT networking protocols –Strengthen passwords (passfilt) Internal –Emphasize SP3 + Hotfixes –Promote SMS and central mgmt tools –Proposed significant tightening of all NT W/S

8 12/04/98Bob Cowles - SLAC8 Problems I General revolt at proposal –“Personal Computer” –Inadequate support –Non-standard configurations –Inventive requirements One size does not fit all

9 12/04/98Bob Cowles - SLAC9 Countermeasures II Use Business Services Division as a pilot –Significantly increase restrictions on NT –Use latest technology to provide: safety functionality Examined many alternatives –Filtering routers, firewalls, VPNs, IDS, etc.

10 12/04/98Bob Cowles - SLAC10 Problems II Latest technology is very immature (!) and vendors don’t understand it Required features in the next release (RSN) Solutions require –Lots of inter-group cooperation & coordination –Very easy to have 3-4 inadequate solutions for the same problem BSD users are all over the Lab

11 12/04/98Bob Cowles - SLAC11 Strawman I Use VLANs to put all users “together” Very heavy filtering on internal router Many users have two workstations –Communicate externally & with rest of Lab No tight controls on configuration –Communicate with PeopleSoft applications Centrally maintained Standard configuration

12 12/04/98Bob Cowles - SLAC12 BSDnet Rest of SLAC Data Warehouse BIS Web Server Test PeopleSoft Prod PeopleSoft FDDI User01UserYYUserXX Strawman I BSD Domain Cntlr

13 12/04/98Bob Cowles - SLAC13 Strawman I :-( Cost of additional W/S and network equip. Fear of “yellow cables” Loss of desktop space - user reaction Confusing relationship between domains Concerns about “piped” cross authentication (e.g. new web browsers)

14 12/04/98Bob Cowles - SLAC14 BSDnet Rest of SLAC Data Warehouse BIS Web Server Test PeopleSoft Prod PeopleSoft FDDI User01UserYYUserXX Strawman II BSD Domain Cntlr

15 12/04/98Bob Cowles - SLAC15 Strawman II :-( Very difficult to packet filter properly (SQL*Net uses ephemeral ports) Possible performance issues with Two-tier PeopleSoft client Questionable protection in time of intrusion

16 12/04/98Bob Cowles - SLAC16 BSDnet Rest of SLAC WTS Server Data Warehouse BIS Web Server Test PeopleSoft Prod PeopleSoft FDDI User01UserYYUserXX Strawman III BSD Domain Cntlr

17 12/04/98Bob Cowles - SLAC17 Strawman III :-( Still problems during/immediately after intrusion –Mission critical functions –Access to BIS web server required WTS is new technology –What if it fails? –What if it can’t handle the load?

18 12/04/98Bob Cowles - SLAC18 BSDnet Secure BSDnet Rest of SLAC WTS +Citrix Farm Data Warehouse BIS Web Server Test PeopleSoft Prod PeopleSoft FDDI User01 UserMC UserYYUserXX Plan A BSD Domain Cntlr

19 12/04/98Bob Cowles - SLAC19 BSDnet Secure BSDnet Rest of SLAC WTS +Citrix Farm Data Warehouse BIS Web Server Test PeopleSoft Prod PeopleSoft FDDI “Air Gap” User01 UserMC UserYYUserXX Plan A - Intrusion BSD Domain Cntlr

20 12/04/98Bob Cowles - SLAC20 Plan A :-) Mission critical work can be done using what works now WTS+Citrix provides add’l flexibility and security options Token cards will provide two-factor authentication IDS will watch for what gets past filters Patrick

21 12/04/98Bob Cowles - SLAC21 Current Status Testing WTS farm with live users Developing specifications for configration on user machines (apps, registry, etc.) Network hardware being installed Estimated completion - April 1

22 12/04/98Bob Cowles - SLAC22 Comments? What have we overlooked? What are YOU doing in this area? How do you handle user administrated W/S? Feedback is appreciated!


Download ppt "Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC."

Similar presentations


Ads by Google