Presentation transcript: Security in the NT Environment at SLAC
HEPNT at CERN, December 4, 1998
Bob Cowles, SLAC
12/04/98 Bob Cowles - SLAC
Slide 2: Background
Over 3000 hosts respond to ping
– over 1200 NT machines
– over 800 Unix machines
Business Services Division
– PeopleSoft Financials & Human Resources
– WinNT workstations; Oracle DB on Unix
– 150 W/S in central offices
– 50 W/S in departments distributed around the Lab
Slide 3: Crisis -> Response
Serious intrusion in June 1998
– Over 20 Unix hosts compromised (root)
– Over 40 user accounts used
Response
– Cut off from Internet for a week
– Changed all passwords
– Applied deferred security patches
– Increased packet filtering
Slide 4: Challenge - Priorities
Prevent unauthorized access to business systems and confidential data
Protect accelerator control systems
Protect physics data and programs
Slide 5: Challenge - Constraints
Implement security measures consistent with the research mission
– Open
– Collaborative
Credible response to vulnerabilities
– Password compromise
– Local admin & PC mode of thinking
Slide 6: Threat Analysis
Attack on Oracle DB
– Alter data
– Read personal or confidential data
– Denial of Service
External attack
Internal (authenticated user) attack
Adapt to new threats over next 2 years
Slide 7: Countermeasures I
External
– Filter out NT networking protocols
– Strengthen passwords (passfilt)
Internal
– Emphasize SP3 + Hotfixes
– Promote SMS and central mgmt tools
– Proposed significant tightening of all NT W/S
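The "strengthen passwords (passfilt)" item refers to the NT password filter DLL, which rejects a new password at change time unless it meets a complexity rule. The following is an added illustration of that kind of check, written for this page and not code from the talk, from SLAC or from Microsoft; the rules it enforces (at least 6 characters, three of four character classes, no user name or part of the full name) are the documented passfilt.dll rules, and the treatment of name "parts" as tokens of three or more characters is an assumption made here.

```python
"""Password complexity check modelled on the NT passfilt.dll rules.

Added example for this page; not the talk's, SLAC's or Microsoft's code.
Assumed rules: at least MIN_LENGTH characters, characters from at least
MIN_CLASSES of the four classes (upper, lower, digit, other), and the
password must not contain the user name or any part of the full name
(parts = tokens of 3+ characters, compared case-insensitively: assumption).
"""
import string

MIN_LENGTH = 6
MIN_CLASSES = 3


def character_classes(password):
    """Count how many of the four character classes the password uses."""
    alnum = string.ascii_letters + string.digits
    checks = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c not in alnum for c in password),
    )
    return sum(checks)


def name_parts(user_name, full_name):
    """User name plus every token of the full name that is 3+ characters long."""
    parts = {user_name.lower()} if user_name else set()
    for token in full_name.replace(",", " ").replace(".", " ").split():
        if len(token) >= 3:
            parts.add(token.lower())
    return parts


def check_password(password, user_name, full_name=""):
    """Return the list of reasons the password is rejected; empty list = accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if character_classes(password) < MIN_CLASSES:
        reasons.append("fewer than %d character classes" % MIN_CLASSES)
    lowered = password.lower()
    for part in sorted(name_parts(user_name, full_name)):
        if part in lowered:
            reasons.append("contains name part %r" % part)
    return reasons


if __name__ == "__main__":
    # Constructed candidates for a hypothetical account; none are real credentials.
    for candidate in ("Abc123!", "password", "Cowles99", "Tq7!"):
        verdict = check_password(candidate, "bcowles", "Bob Cowles")
        print("%-10s -> %s" % (candidate, "accepted" if not verdict else ", ".join(verdict)))
```

The check runs as a gate on password change, so a user who picks a weak value gets the reason back immediately; that is the point of a filter as opposed to a periodic cracking run, which only finds the weak password after it has been in use.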
Slide 8: Problems I
General revolt at proposal
– "Personal Computer"
– Inadequate support
– Non-standard configurations
– Inventive requirements
One size does not fit all
Slide 9: Countermeasures II
Use Business Services Division as a pilot
– Significantly increase restrictions on NT
– Use latest technology to provide: safety, functionality
Examined many alternatives
– Filtering routers, firewalls, VPNs, IDS, etc.
Slide 10: Problems II
Latest technology is very immature (!) and vendors don't understand it
Required features are in the next release (RSN)
Solutions require
– Lots of inter-group cooperation & coordination
– Very easy to have 3-4 inadequate solutions for the same problem
BSD users are all over the Lab
Slide 11: Strawman I
Use VLANs to put all users "together"
Very heavy filtering on internal router
Many users have two workstations
– One to communicate externally & with the rest of the Lab (no tight controls on configuration)
– One to communicate with PeopleSoft applications (centrally maintained, standard configuration)
Slide 12: Strawman I (network diagram; labels shown: BSDnet, Rest of SLAC, FDDI, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, BSD Domain Cntlr, user workstations User01 ... UserXX, UserYY)
Slide 13: Strawman I :-(
Cost of additional W/S and network equip.
Fear of "yellow cables"
Loss of desktop space - user reaction
Confusing relationship between domains
Concerns about "piped" cross authentication (e.g. new web browsers)
Slide 14: Strawman II (network diagram; labels shown: BSDnet, Rest of SLAC, FDDI, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, BSD Domain Cntlr, user workstations User01 ... UserXX, UserYY)
Slide 15: Strawman II :-(
Very difficult to packet filter properly (SQL*Net uses ephemeral ports)
Possible performance issues with two-tier PeopleSoft client
Questionable protection in time of intrusion
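Two of the slides turn on how a stateless packet filter behaves: the border filter that drops NT networking protocols (Countermeasures I, slide 7) and the internal-router filter of Strawman II that cannot cope with SQL*Net. The model below is an added example written for this page, not code or configuration from the talk or from SLAC. It evaluates first-match permit/deny rules the way a router access list does, then walks through an SQL*Net connect in which the listener on port 1521 redirects the client to a second, ephemeral port. All addresses are constructed placeholders, not SLAC's real addressing; the NT ports (135 and 137-139) are the standard RPC endpoint-mapper and NetBIOS service ports, and the redirect port 1436 is an arbitrary constructed value.

```python
"""Stateless packet-filter model (added example; not the talk's or SLAC's config).

Addresses below are constructed placeholders, not SLAC's real addressing.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport_lo: int                # inclusive destination-port range
    dport_hi: int


ANY = ipaddress.ip_network("0.0.0.0/0")
LAB = ipaddress.ip_network("10.0.0.0/8")            # constructed: whole lab network
BSD_CLIENTS = ipaddress.ip_network("10.1.0.0/16")   # constructed: BSD workstations
DB_HOST = "10.2.0.10"                               # constructed: Oracle DB server
DB_SERVER = ipaddress.ip_network(DB_HOST + "/32")

# NT networking ports a border filter drops: 135 (RPC endpoint mapper) and
# 137-139 (NetBIOS name, datagram and session services; 139 carries SMB).
NT_NETWORKING_PORTS = [(135, 135), (137, 139)]


def border_rules():
    """Countermeasures I: deny NT networking protocols from outside into the lab,
    permit everything else (the research network is otherwise open)."""
    rules = [Rule("deny", proto, ANY, LAB, lo, hi)
             for lo, hi in NT_NETWORKING_PORTS for proto in ("tcp", "udp")]
    rules.append(Rule("permit", "any", ANY, ANY, 0, 65535))
    return rules


def bsd_router_rules(db_ports=(1521, 1521)):
    """Strawman II internal router: BSD clients may reach the Oracle server only
    on db_ports; the final rule denies everything else."""
    return [Rule("permit", "tcp", BSD_CLIENTS, DB_SERVER, db_ports[0], db_ports[1]),
            Rule("deny", "any", ANY, ANY, 0, 65535)]


def evaluate(rules, proto, src, dst, dport):
    """First-match evaluation of one packet; implicit deny if no rule matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r.proto in ("any", proto) and src_ip in r.src and dst_ip in r.dst
                and r.dport_lo <= dport <= r.dport_hi):
            return r.action
    return "deny"


def sqlnet_session(rules, client, listener_port=1521, redirect_port=None):
    """Model the two-step SQL*Net connect that defeats a static port filter: the
    client first reaches the listener; when the listener answers with a redirect,
    the client must open a second connection to that (ephemeral) port."""
    if evaluate(rules, "tcp", client, DB_HOST, listener_port) != "permit":
        return "blocked at listener"
    if redirect_port is None:
        return "connected"
    if evaluate(rules, "tcp", client, DB_HOST, redirect_port) != "permit":
        return "redirect blocked"
    return "connected"


if __name__ == "__main__":
    border = border_rules()
    print("outside -> NetBIOS session (139):", evaluate(border, "tcp", "192.0.2.5", "10.1.0.7", 139))
    print("outside -> web (80):            ", evaluate(border, "tcp", "192.0.2.5", "10.1.0.7", 80))

    tight = bsd_router_rules()
    print("SQL*Net, no redirect:   ", sqlnet_session(tight, "10.1.0.7"))
    print("SQL*Net, redirect 1436: ", sqlnet_session(tight, "10.1.0.7", redirect_port=1436))

    # The only stateless workaround is to open the whole high-port range to the
    # DB host, which makes any other high-port service on that host reachable too.
    wide = bsd_router_rules((1024, 65535))
    print("wide range, redirect:   ", sqlnet_session(wide, "10.1.0.7", redirect_port=1436))
    print("wide range, port 8080:  ", evaluate(wide, "tcp", "10.1.0.7", DB_HOST, 8080))
```

The last two lines of the demo are the slide's complaint in miniature: the filter can be made to pass SQL*Net only by permitting a port range so wide that it no longer says much about what is allowed, which is why the later strawmen move to a terminal-server front end rather than trying to filter the database protocol itself.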
Slide 16: Strawman III (network diagram; labels shown: BSDnet, Rest of SLAC, WTS Server, FDDI, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, BSD Domain Cntlr, user workstations User01 ... UserXX, UserYY)
Slide 17: Strawman III :-(
Still problems during/immediately after intrusion
– Mission critical functions
– Access to BIS web server required
WTS is new technology
– What if it fails?
– What if it can't handle the load?
Slide 18: Plan A (network diagram; labels shown: BSDnet, Secure BSDnet, Rest of SLAC, WTS + Citrix Farm, FDDI, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, BSD Domain Cntlr, user workstations User01, UserMC ... UserXX, UserYY)
Slide 19: Plan A - Intrusion (network diagram; same labels as Plan A with an "Air Gap" shown between Secure BSDnet and the rest of the network: BSDnet, Secure BSDnet, Rest of SLAC, WTS + Citrix Farm, FDDI, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, BSD Domain Cntlr, user workstations User01, UserMC ... UserXX, UserYY)
Slide 20: Plan A :-)
Mission critical work can be done using what works now
WTS+Citrix provides add'l flexibility and security options
Token cards will provide two-factor authentication
IDS will watch for what gets past filters
Patrick
Slide 21: Current Status
Testing WTS farm with live users
Developing specifications for configuration of user machines (apps, registry, etc.)
Network hardware being installed
Estimated completion - April 1
Slide 22: Comments?
What have we overlooked?
What are YOU doing in this area?
How do you handle user-administered W/S?
Feedback is appreciated!