Security At NCAR
Pete Siemsen
National Center for Atmospheric Research (NCAR)
November 22, 1999


2 NCAR’s Environment
- Academic research institution
- But no students
- Collaboration with 63 member Universities
- ~1500 university (external) users
- Diverse, widespread field projects
- ~2500 networked devices internal to NCAR
- ~1500 internal users

3 Obstacles to Security
- Security not taken seriously
- Considered low priority (few resources)
- Doesn’t mesh well with NCAR’s goals
- Security is a lose-lose proposition!
- Too little security: it’s your fault
  · We got hacked, you should’ve done more
- Too much security: it’s your fault
  · I can’t get my work done, you should do less
- When it works, no one notices

4 Motivation to Get Serious About Security
- We experienced increasing malicious attacks
- More hackers hacking
- Availability of hacker “kits”
  · Easy to get
  · Don’t require network expertise
    – (URLs will be shown later ;-)
- We had some strong advocates

5 Getting Started

6 NCAR Security Committee
- We created a committee to develop policy
- Sysadmins from all NCAR Divisions
- Policy process delivers institutional buy-in
- 2-hour meetings once a month
- Lots of cooperation, little authority

7 The Security Policy
- Need a policy that defines
  · vulnerabilities
  · how much security is needed
  · level of inconvenience that is tolerable
  · solutions
- We recommended a full-time Security Administrator for the institution
- http://www.ncar.ucar.edu/csac

8 Define Scope of Problem
- Decide which types of attacks are problems
- Examples:
- Hacker spoofing of source IP address
- Hacker scanning for weaknesses
  · TCP/UDP ports, INETD services
- Hackers sniffing passwords
- Hacker exploitation of buggy operating systems
  · Inconsistent/tardy OS patching

9 Define Scope of Solution
- What we won’t do
  · Not feasible to secure every computer
  · Over-reliance on timely OS security fixes
  · Can’t prohibit internal “personal” modems
  · Attacks from within aren’t a big problem
- What we will do
  · Reduce external attacks from the Internet

10 Basic Solutions at NCAR
- One-time passwords
- Switched LANs
- Router packet filtering
- Application-proxy gateways

11 One-Time Passwords

12 One-time Passwords
- A.K.A. Challenge-Response
- Requires little calculator things (~$50/per)
- Prevents password sniffing
- We use it on critical devices
  · Routers, ATM Switches, Ethernet Switches, Remote Access Servers, Server hosts (root accounts)
- At the least, do this!

13 Switched LANs

14 Switched LANs
- Reduces packet eavesdropping
- Get this for “free” with switched network

15 Packet Filtering

16 Router-Based Filters
- Used to construct router-based firewall around your internal network (and/or between internal networks)
- Main security implementation tool
- Routers check each inbound packet against filter criteria and accept or reject
- Filters reject dangerous packets
- Filters accept all useful packets


19 Packet Filtering At NCAR
- Cisco access-lists filter on
  · IP address source, destination, ranges
  · Interfaces: inbound and/or outbound
  · Protocols, TCP ports, etc.
- We filter only inbound packets
- Performance is an issue
- We have Cisco 7507 routers
- Using RSP4 CPUs

20 Filter Stance: Strong or Weak?
- Strong
  · Deny everything, except for the good stuff
- Weak
  · Allow everything, except for the bad stuff
- NCAR chose a Strong stance

21 Firewall Flexibility Needed
- Some NCAR Divisions wanted...
  · All hosts on some subnets to be “outside” firewall
  · Just some hosts “outside” firewall in each subnet
- Our solution…
  · Some whole IP subnets bypassed by firewall filters
  · Part of every IP subnet bypassed by firewall filters

22 Firewall Flexibility Needed
- Excluded/bypassed subnets are called exposed subnets; all others are called protected subnets
- Excluded/bypassed hosts are called exposed hosts; all other hosts are called protected hosts
- “protected” means NO connections are allowed from outside the firewall


24 Implementing Flexibility
- Rules to define exposed subnets
- Filters bypass all hosts on selected subnets
    permit ip any 128.117.1.0 0.0.0.255
- One of these rules for each exposed subnet
- This works best when subnets are assigned according to organizational topology

25 Implementing Flexibility
- Rules to define exposed hosts
- Bypass a fixed set of hosts on all subnets
    permit ip any 128.117.0.0 0.0.255.15
- Divisions had to re-address some hosts before the filter was installed
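
An added example, not part of the original slides: a small Python evaluator for Cisco-style wildcard masks, showing which destinations the two permit statements on slides 24 and 25 expose and how a first-match, deny-by-default ("strong stance") list treats everything else. The anti-spoofing and catchall rules, the treatment of 128.117.0.0/16 as the internal address block, the function names and the sample packets are assumptions made for illustration.

```python
import ipaddress

def ip(s):
    return int(ipaddress.IPv4Address(s))

def matches(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are "don't care"."""
    care = ~ip(wildcard) & 0xFFFFFFFF
    return (ip(addr) & care) == (ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

# (action, label, source pattern, destination pattern), evaluated top-down.
# Rules 2 and 3 are the statements from slides 24 and 25. Rules 1 and 4 are
# assumed here, to model the "spoofing" and "catchall" counters on slide 26.
INBOUND_ACL = [
    ("deny",   "spoofing",       ("128.117.0.0", "0.0.255.255"), ANY),
    ("permit", "exposed subnet", ANY, ("128.117.1.0", "0.0.0.255")),
    ("permit", "exposed host",   ANY, ("128.117.0.0", "0.0.255.15")),
    ("deny",   "catchall",       ANY, ANY),
]

def evaluate(src, dst, acl=INBOUND_ACL):
    """Return (action, label) of the first rule that matches the packet."""
    for action, label, s, d in acl:
        if matches(src, *s) and matches(dst, *d):
            return action, label
    return "deny", "implicit"  # IOS ends every access-list with an implicit deny

def exposed_hosts_on(subnet_prefix):
    """Last octets on one /24 that the exposed-host rule lets through."""
    return [h for h in range(256)
            if matches(f"{subnet_prefix}.{h}", "128.117.0.0", "0.0.255.15")]

if __name__ == "__main__":
    samples = [  # constructed inbound packets: (source, destination)
        ("192.0.2.7", "128.117.1.200"),   # any host on the exposed subnet
        ("192.0.2.7", "128.117.64.9"),    # low address on a protected subnet
        ("192.0.2.7", "128.117.64.16"),   # one past the exposed-host range
        ("128.117.9.9", "128.117.64.9"),  # internal source arriving from outside
    ]
    for src, dst in samples:
        print(f"{src} -> {dst}: {evaluate(src, dst)}")
    print("exposed host addresses per subnet:", exposed_hosts_on("128.117.64"))
```

The wildcard 0.0.255.15 ignores the whole third octet and the low four bits of the fourth, so addresses .0 through .15 on every subnet are exposed, which is why Divisions had to re-address hosts into that range.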

26 Example Filter Statistics
- 41 lines (rules) in NCAR’s access-list
- Hits, 28 days after filter was installed:
  · 3 MP Denied because of spoofing
  · 17 MP Denied because of “catchall”
  · 71 MP Permitted to exposed networks
  · 100 MP Permitted to exposed hosts

27 Exposed Hosts
- Example: Web servers, data source machines, etc.
- Must meet stringent security standards to avoid being compromised and used as launch pads for attacking protected hosts
- OS restricts set of network services allowed
- Must keep up with OS patches

28 Application-Proxy Gateways


30 What They Are & Do
- Provides proxy access to protected hosts for insecure services like FTP, Telnet, X11
- Central access and monitoring point
- Authenticates users
- OS is kept VERY secure
  · Patches kept up to date
  · Unneeded services turned off
  · No “direct” use by users

31 Security Administrator

32 Security Administrator
- Provides focus for security for the entire institution
- Helps deal with break-ins
- Central point of contact
- Tracks CERT advisories for sysadmins
- Advocates security solutions, like ssh
- Scans exposed hosts for standards violations
- Generally helps/educates sysadmins

33 Impacts of NCAR’s Security

34 Benefits
- >95% of NCAR hosts are protected
- Outbound Telnet, HTTP, etc. still work
- Most users don’t notice any changes
- Relatively cheap and easy
- Dial-in users are “inside”, no changes

35 Drawbacks
- UDP is blocked
- Some services are no longer available
- Inbound pings are blocked!!!
- To use FTP, must use passive mode, or use an exposed host, or proxy through the Gateway
- DNS and email can get REAL complicated

36 Drawbacks (cont.)
- Password sniffing still possible outside of firewall
- Ignores attacks from within
- Modems in offices are a huge hole
  · Bypasses authentication in our secure modem pool

37 Wrapup

38 Security is Never “Done”
- How do you know if you’re being hacked?
  · “Silent” attacks very hard to detect
  · “Noisy” attacks hard to distinguish from other network (or host) problems
- Network keeps changing
- Software keeps changing
- Hackers keep advancing

39 Security is Never “Done” (cont.)
- Policy and security mechanisms must keep
- Security committee continues to meet

40 Conclusion
- NCAR struck a balance between:
  · Convenience and Security
  · Politics and Technology
  · Cost and Quality
- Seems to work for us
- Installed it “just in time”
  · Filters were installed just as attacks were getting unbearable

