
1 NESDIS/ORA March 2004 IT Security Incident Recovery Plan and Status April 12, 2004 Joe Brust, ORA Technical Support Team Lead

2 Will discuss...
- Historical management/security challenges with WWB network
- ORA migration to more manageable/secure network topology (was 1/3 complete)
- Migration acceleration plans to be done by April 16th, 2004
- FY04 plans

3 ORA network topology migration was under way
- Because of the way the WWB network developed over the past decade...
  - ORA IT was interlaced with IT from SSD and NCEP on 8 different network segments in WWB and FB4
    - No choke point for our IT without affecting SSD and NCEP
    - Difficult to manage IP addresses
  - ORA IT was listed in 3 different DNS domains: nesdis.noaa.gov, ncep.noaa.gov, wwb.noaa.gov
    - Confusion
    - ORA had no DNS (forward or reverse) control over these domains
    - Security problems when forward and reverse mappings do not agree
  - ORA IT was not firewalled
  - ORA had no network autonomy
    - Delayed network changes because going through OSDPD, SSD, and/or NCEP
- We were about 1/3 finished with a migration plan to...
  - Migrate to only two network segments containing only ORA IT. All Windows on one, everything else on the other.
    - Creates choke points
    - Eases IP address management
    - Using VLAN technology
  - Establish and control our own DNS domains, orbit.nesdis.noaa.gov and orbit1.nesdis.noaa.gov
    - Gives us sole control of our forward and reverse DNS
    - Solves reverse mapping problem
  - Move these two network segments behind the WWB firewall
    - NCEP can now easily apply firewall rules for ORA IT via these two network segments
    - Gain some autonomy
- Because of effects of migration on scientists' work, we were moving gradually.

4 [Diagram: WWB Network Before VLAN Use] One switch per floor (8th: 140.90.132, 7th: 140.90.197, 5th: 140.90.195, 1st: 140.90.191), each a single network segment with ORA hosts mixed in among SSD and NCEP hosts and spread across the nesdis.noaa.gov, ncep.noaa.gov and wwb.noaa.gov DNS domains; the four segments meet at a router.

5 [Diagram: WWB Network Now Using VLANs and Firewall] The same per-floor switches, each now carrying the ORA, SSD and NCEP hosts on its floor as separate VLANs: ORA network segment 1 (orbit.nesdis.noaa.gov DNS domain), ORA network segment 2 (orbit1.nesdis.noaa.gov DNS domain), the SSD network segment (wwb.noaa.gov DNS domain) and the NCEP network segment (ncep.noaa.gov DNS domain); the router is replaced by the WWB firewall.

6 [Diagram: Virtual View] Behind the WWB firewall, four logical switches: ORA network segment 1 (orbit.nesdis.noaa.gov DNS domain), ORA network segment 2 (orbit1.nesdis.noaa.gov DNS domain), the SSD network segments (wwb.noaa.gov DNS domain) and the NCEP network segments (ncep.noaa.gov DNS domain).

7 Now accelerating migration. By Friday, April 16, 2004 we will...
- Patch
  - Update computers to latest patch levels
  - Implement patch management
- Restrict
  - Reset passwords (complete)
  - Remove group accounts (complete)
  - Disallow blank SSH keys (complete)
  - Remove Windows users' elevated privileges
- Firewall
  - Implement WWB firewall for UNIX network segment (complete)
  - Implement WWB firewall for Windows network segment
  - Restrict access from non-WWB computers (complete)
- Migrate
  - Migrate UNIX/Linux, VMS, and Mac computers to secure UNIX domain
  - Migrate Windows 2000 & XP computers to secure Windows domain
- Test
  - Run Harris STAT vulnerability scanning tool
- Inventory
  - Inventory networked IT, operating system versions and patch levels

8 Patch
- Update computers to latest patch levels

  Operating system                 Total   To Do
  Red Hat Linux                      111       3
  SGI Irix                            13       4
  HP HP-UX                             3       2
  Sun Solaris                          4       0
  Windows 2000 Servers                 4       0
  Windows XP desktops/notebooks      145       0
  Windows NT Servers                   2       0 (removed from net by April 16th)
  Windows NT desktops/notebooks       61       0 (removed from net by April 16th)
  VMS                                  4       4
  Mac                                 10       5
  Total                              357      18

- Implement patch management
  - System administrators subscribe to manufacturers' patch notification lists
  - System administrators receive notifications from NCIRT, FedCIRT, etc.
  - System administrators check manufacturers' web sites daily for new vulnerabilities and patches
  - Patches tested
    - If no problems, applied within 72 hours; document
    - If problems, mitigate, analyze risk, decide whether to apply; document
  - Red Hat Linux: use AutoRPM to query NCIRT daily for updates. Logs kept automatically.
  - Windows XP: use Auto Update to query Microsoft daily for updates. Logs kept automatically.
  - Other operating systems done by hand. Logs kept by hand.
  - Specific system administrators will be responsible for checking specific OSes and will report daily

9 Restrict
- Reset passwords
  - Worried about sniffed passwords and stolen encrypted password files from incident
  - Disabled all passwords
  - Have users come to system administrators for new passwords
  - Where able, checking in place to enforce strong passwords
  - Must be changed every 90 days
  - We try to crack our passwords to find weak ones before outsiders do
- Remove group accounts
  - Were used for collaboration
  - Can't share passwords, per DOC policy
- Disallow blank SSH keys (private keys stored with no passphrase)
  - Were used by scientists/programmers for automated file transfers
  - New scripts check for, and block them
  - Involved in UMD, NASA connections during this incident
- Remove Windows users' elevated privileges
  - Were used to allow users to install local printers, compilers, etc.
  - System administrators must now install all system software
  - Users have "User" privilege
  - Notebook users need "Net" privilege to change network settings when away from WWB
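A "blank" SSH key is a private key written to disk without a passphrase: whoever copies the file can log in wherever the matching public key is authorized, which is why such keys are a natural pivot in an incident like the one described. As an added example (this is not the ORA check script the slide refers to), the Python below classifies key files by inspecting the file format itself, so it runs offline: the legacy PEM format that 2004-era OpenSSH wrote, the PKCS#8 container, and the later OpenSSH-native format. The home-directory layout, user names and key bodies are constructed sample data, not real keys.

```python
"""Find SSH private keys stored without a passphrase ("blank" keys).

Added example, not the ORA check scripts from the presentation. It inspects
the key file itself instead of shelling out to ssh-keygen, so it runs offline:
  - Legacy PEM keys (BEGIN RSA/DSA/EC PRIVATE KEY) announce a passphrase
    with a "Proc-Type: 4,ENCRYPTED" header line.
  - PKCS#8 keys use BEGIN ENCRYPTED PRIVATE KEY when protected.
  - OpenSSH-format keys (BEGIN OPENSSH PRIVATE KEY) start with the bytes
    "openssh-key-v1\\0" followed by a length-prefixed ciphername; the
    ciphername "none" means no passphrase.
"""
import base64
import re
import shutil
import struct
import tempfile
from pathlib import Path
from typing import List, Optional

PEM_RE = re.compile(
    r"-----BEGIN (?:([A-Z0-9]+) )?PRIVATE KEY-----\r?\n(.*?)-----END", re.S)


def openssh_cipher(payload_b64: str) -> Optional[str]:
    """Return the ciphername field of an OpenSSH-format key body, or None."""
    try:
        raw = base64.b64decode("".join(payload_b64.split()))
    except ValueError:
        return None
    magic = b"openssh-key-v1\x00"
    if not raw.startswith(magic) or len(raw) < len(magic) + 4:
        return None
    (n,) = struct.unpack(">I", raw[len(magic):len(magic) + 4])
    name = raw[len(magic) + 4:len(magic) + 4 + n]
    return name.decode("ascii", "replace") if len(name) == n else None


def is_unencrypted_private_key(text: str) -> Optional[bool]:
    """True = private key with no passphrase, False = protected key,
    None = not a private key this checker recognises."""
    m = PEM_RE.search(text)
    if not m:
        return None
    kind, body = m.group(1), m.group(2)
    if kind == "OPENSSH":
        cipher = openssh_cipher(body)
        return None if cipher is None else cipher == "none"
    if kind == "ENCRYPTED":          # PKCS#8 encrypted container
        return False
    return "Proc-Type: 4,ENCRYPTED" not in body


def scan_home_dirs(root: Path) -> List[str]:
    """Report unprotected keys under <root>/<user>/.ssh/id_* (public halves skipped)."""
    hits = []
    for key in sorted(root.glob("*/.ssh/id_*")):
        if key.suffix == ".pub" or not key.is_file():
            continue
        if is_unencrypted_private_key(key.read_text(errors="replace")):
            hits.append(key.relative_to(root).as_posix())
    return hits


# --- constructed sample data (not real keys) ---------------------------------
PLAIN_PEM = """-----BEGIN RSA PRIVATE KEY-----
bm90IGEgcmVhbCBrZXksIGp1c3QgYSBzYW1wbGU=
-----END RSA PRIVATE KEY-----
"""
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

bm90IGEgcmVhbCBrZXksIGp1c3QgYSBzYW1wbGU=
-----END RSA PRIVATE KEY-----
"""


def make_openssh_key(cipher: str, kdf: str) -> str:
    """Build only the header of an OpenSSH-format key (enough to classify it)."""
    raw = b"openssh-key-v1\x00"
    for field in (cipher, kdf):
        raw += struct.pack(">I", len(field)) + field.encode()
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def demo() -> List[str]:
    """Lay the samples out as home directories in a temp tree and scan them."""
    root = Path(tempfile.mkdtemp())
    try:
        for user, name, content in [
            ("alice", "id_rsa", PLAIN_PEM),                                  # flagged
            ("bob", "id_rsa", ENCRYPTED_PEM),                                # protected
            ("bob", "id_ed25519", make_openssh_key("none", "none")),         # flagged
            ("carol", "id_ed25519", make_openssh_key("aes256-ctr", "bcrypt")),
            ("carol", "id_ed25519.pub", "ssh-ed25519 AAAA... carol@wwb"),    # skipped
        ]:
            (root / user / ".ssh").mkdir(parents=True, exist_ok=True)
            (root / user / ".ssh" / name).write_text(content)
        return scan_home_dirs(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path in demo():
        print("unprotected key:", path)
```

Run it as root against the real home tree (`scan_home_dirs(Path("/home"))`) from cron and feed the list to whoever owns the "block them" step; keys that must stay passphrase-less for automated transfers are the ones to move behind a restricted account on the gateway the later slides describe.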

10 Firewall
- Implement WWB firewall for UNIX network segment
  - All UNIX, Linux, VMS, Mac computers on one network segment. Creates choke point.
  - Allow only inbound DNS, HTTP, Anonymous FTP, and Email traffic to their respective servers
  - Will investigate a DMZ for these servers in the near future
- Implement WWB firewall for Windows network segment
  - All Windows computers on one network segment. Creates choke point.
  - Allow only inbound DNS traffic to our DNS servers
  - Will investigate a DMZ for these servers in the near future
- Restrict access from non-WWB computers
  - We were allowing SSH/SCP connections from specific remote machines to specific ORA machines to ease scientists' work. Now turned off.
  - Will discuss VPN use with NCIRT. We have one established, but now turned off.
  - Implementing an SSH gateway in the near future
  - Will discuss an SCP gateway with NCIRT, investigate implementations, alternatives
Migrate
- Migrate UNIX/Linux, VMS, and Mac computers to secure UNIX domain
  - All UNIX, Linux, VMS, Mac computers on one network segment
  - All UNIX, Linux, VMS, Mac computers in orbit.nesdis.noaa.gov DNS domain. Gives us DNS control.
- Migrate Windows 2000 & XP computers to secure Windows domain
  - All Windows computers on one network segment
  - All Windows computers in orbit1.nesdis.noaa.gov DNS domain. Gives us DNS control.
  - Removing remaining Windows NT domain, 2 servers, 62 desktops and notebooks

11 Test
- Run Harris STAT vulnerability scanning tool
  - Next run will be Friday, April 16th, after this two week plan is complete
  - It is run regularly as part of the C&A process
  - There are problems with this tool
Inventory
- Inventory networked IT, operating system versions and patch levels
  - Already have this available in various forms, will pull it together

12 FY04 Plans
- Re-implement VPN if possible. Must discuss with NCIRT. By May 7, 2004
- Implement SSH gateway to allow but control remote login access. By May 31, 2004
- Implement an SCP gateway to allow but control remote file transfers. Must discuss with NCIRT, investigate. By June 30, 2004
- Implement Microsoft Systems Management Server (SMS) to provide better Windows patch management and administration. Had already purchased necessary HW and SW. By May 31, 2004
- Update McAfee VirusScan to Enterprise 7 version. Implement ePolicy Orchestrator. By June 15, 2004
- Secure ORA email server protocols. Use SSL for IMAP, SMTP, and LDAP. Use HTTPS in lieu of HTTP. By May 31, 2004
- Replace UNIX/Linux NIS (Network Information Service) information sharing scheme with a more secure internal LDAP directory. By June 30, 2004
- Investigate and re-structure ORA WWB IT onto an independent, firewalled network. Include DMZ for DNS, Web, FTP, email, and VPN servers. All controlled by ORA. By October 31, 2004

