NESDIS/ORA March 2004 IT Security Incident Recovery Plan and Status April 12, 2004 Joe Brust, ORA Technical Support Team Lead.

Will discuss...
- Historical management/security challenges with WWB network
- ORA migration to more manageable/secure network topology (was 1/3 complete)
- Migration acceleration plans to be done by April 16th, 2004
- FY04 plans

ORA network topology migration was under way

Because of the way the WWB network developed over the past decade...
- ORA IT was interlaced with IT from SSD and NCEP on 8 different network segments in WWB and FB4
  - No choke point for our IT without affecting SSD and NCEP.
  - Difficult to manage IP addresses.
- ORA IT was listed in 3 different DNS domains: nesdis.noaa.gov, ncep.noaa.gov, wwb.noaa.gov
  - Confusion
  - ORA had no DNS (forward or reverse) control over these domains
  - Security problems when forward and reverse mappings do not agree
- ORA IT was not firewalled
- ORA had no network autonomy
  - Delayed network changes because going through OSDPD, SSD, and/or NCEP

We were about 1/3 finished with a migration plan to...
- Migrate to only two network segments containing only ORA IT. All Windows on one, everything else on the other.
  - Creates choke points. Eases IP address management.
  - Using VLAN technology.
- Establish and control our own DNS segments, orbit.nesdis.noaa.gov and orbit1.nesdis.noaa.gov
  - Gives us sole control of our forward and reverse DNS. Solves reverse mapping problem.
- Move these two network segments behind the WWB firewall
  - NCEP can now easily apply firewall rules for ORA IT via these two network segments
  - Gain some autonomy

Because of effects of migration on scientists' work, we were moving gradually.

[Diagram: WWB Network Before VLAN Use. On each floor (8th, 7th, 5th, 1st) one switch carries a network segment shared by ORA with NCEP and/or SSD: 8th floor ORA/SSD/NCEP (ncep.noaa.gov, nesdis.noaa.gov and wwb.noaa.gov DNS domains); 7th floor NCEP/ORA (nesdis.noaa.gov and ncep.noaa.gov); 5th floor SSD/ORA (nesdis.noaa.gov and wwb.noaa.gov); 1st floor NCEP/ORA (nesdis.noaa.gov and ncep.noaa.gov). All segments connect to a single router.]

[Diagram: WWB Network Now Using VLANs and Firewall. The same floor switches now carry separate VLANs: ORA network segment 1 (orbit.nesdis.noaa.gov DNS domain) and ORA network segment 2 (orbit1.nesdis.noaa.gov DNS domain) span the floors alongside the SSD network segment (wwb.noaa.gov) and the NCEP network segment (ncep.noaa.gov). The router is replaced by a firewall.]

[Diagram: Virtual View. Behind the firewall: an ORA switch for ORA network segment 1 (orbit.nesdis.noaa.gov DNS domain), an ORA switch for ORA network segment 2 (orbit1.nesdis.noaa.gov DNS domain), an SSD switch for the SSD network segments (wwb.noaa.gov DNS domain), and an NCEP switch for the NCEP network segments (ncep.noaa.gov DNS domain).]

Now accelerating migration. By Friday, April 16, 2004 we will...

Patch
- Update computers to latest patch levels
- Implement patch management

Restrict
- Reset passwords (Complete)
- Remove group accounts (Complete)
- Disallow blank SSH keys (Complete)
- Remove Windows users' elevated privileges

Firewall
- Implement WWB firewall for UNIX network segment (Complete)
- Implement WWB firewall for Windows network segment
- Restrict access from non-WWB computers (Complete)

Migrate
- Migrate UNIX/Linux, VMS, and Mac computers to secure UNIX domain
- Migrate Windows 2000 & XP computers to secure Windows domain

Test
- Run Harris STAT vulnerability scanning tool

Inventory
- Inventory networked IT, operating system versions and patch levels

Patch

Update computers to latest patch levels

  Operating system                 Total   To Do
  Red Hat Linux                      111       3
  SGI Irix                            13       4
  HP HP-UX                             3       2
  Sun Solaris                          4       0
  Windows 2000 Servers                 4       0
  Windows XP desktops/notebooks      145       0
  Windows NT Servers                   2       0 (removed from net by April 16th)
  Windows NT desktops/notebooks       61       0 (removed from net by April 16th)
  VMS                                  4       4
  Mac                                 10

Implement patch management
- System administrators subscribe to manufacturers' patch notification lists
- System administrators receive notifications from NCIRT, FedCIRT, etc.
- System administrators check manufacturers' web sites daily for new vulnerabilities and patches
- Patches tested
  - If no problems, applied within 72 hours, document
  - If problems, mitigate, analyze risk, decide whether to apply, document
- Red Hat Linux: use AutoRPM to query NCIRT daily for updates. Logs kept automatically
- Windows XP: use Auto Update to query Microsoft daily for updates. Logs kept automatically
- Other operating systems done by hand. Logs kept by hand.
- Specific system administrators will be responsible for checking specific OSes and will report daily

Restrict

Reset passwords
- Worried about sniffed passwords and stolen encrypted password files from incident
- Disabled all passwords
- Have users come to system administrators for new passwords
- Where able, checking in place to enforce strong passwords
- Must be changed every 90 days
- We try to crack our passwords to find weak ones before outsiders do

Remove group accounts
- Were used for collaboration
- Can't share passwords, per DOC policy

Disallow blank SSH keys
- Were used by scientists/programmers for automated file transfers
- New scripts check for, and block them
- Involved in UMD, NASA connections during this incident

Remove Windows users' elevated privileges
- Were used to allow users to install local printers, compilers, etc.
- System administrators must now install all system software
- Users have "User" privilege
- Notebook users need "Net" privilege to change network settings when away from WWB
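The "new scripts check for, and block them" item under blank SSH keys is about private keys kept on disk with no passphrase, so that a stolen file is immediately usable. The checker below is an added example and not ORA's script: it classifies a key file from the headers alone, handling both the legacy PEM layout (an encrypted key carries a `Proc-Type: 4,ENCRYPTED` header) and the newer `openssh-key-v1` layout (a cipher or KDF name of `none` means no passphrase). The sample key material is constructed and contains no real key; only the header fields that reveal encryption state are modeled.

```python
"""Flag SSH private keys stored without a passphrase.

Added example, not the script from the ORA slides. The key material below is
constructed and is not usable key data; only the headers that reveal whether
a key is passphrase-protected are modeled.
"""
import base64
import re
import struct
from typing import Dict, List, Tuple

PEM_BEGIN = re.compile(r"-----BEGIN (.*?)-----")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_key(text: str) -> str:
    """Return 'unencrypted', 'encrypted' or 'not-a-private-key' for one file's contents."""
    m = PEM_BEGIN.search(text)
    if not m:
        return "not-a-private-key"
    label = m.group(1)
    if label == "OPENSSH PRIVATE KEY":
        body = "".join(line.strip() for line in text.splitlines()
                       if line.strip() and not line.startswith("-----"))
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError:
            return "not-a-private-key"
        if not raw.startswith(OPENSSH_MAGIC):
            return "not-a-private-key"
        # Header layout: magic, string ciphername, string kdfname, ...
        cipher, off = _read_ssh_string(raw, len(OPENSSH_MAGIC))
        kdf, _ = _read_ssh_string(raw, off)
        return "unencrypted" if cipher == b"none" or kdf == b"none" else "encrypted"
    if label == "ENCRYPTED PRIVATE KEY":        # PKCS#8 with encryption
        return "encrypted"
    if label.endswith("PRIVATE KEY"):           # RSA/DSA/EC PEM, or plain PKCS#8
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in text else "unencrypted"
    return "not-a-private-key"


def find_unencrypted(files: Dict[str, str]) -> List[str]:
    """Names of the files a blocking script would reject."""
    return sorted(name for name, text in files.items()
                  if classify_key(text) == "unencrypted")


# --- constructed samples (no real key material) ---------------------------
def _openssh_blob(cipher: bytes, kdf: bytes) -> str:
    """Build only the openssh-key-v1 header, armored like a key file."""
    raw = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
           + _ssh_string(b"") + struct.pack(">I", 1))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.encodebytes(raw).decode()
            + "-----END OPENSSH PRIVATE KEY-----\n")


SAMPLES: Dict[str, str] = {
    "id_rsa_batch": _openssh_blob(b"none", b"none"),         # empty passphrase
    "id_ed25519": _openssh_blob(b"aes256-ctr", b"bcrypt"),   # passphrase-protected
    "legacy_plain": ("-----BEGIN RSA PRIVATE KEY-----\n"
                     "Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=\n"
                     "-----END RSA PRIVATE KEY-----\n"),
    "legacy_enc": ("-----BEGIN RSA PRIVATE KEY-----\n"
                   "Proc-Type: 4,ENCRYPTED\n"
                   "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                   "Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=\n"
                   "-----END RSA PRIVATE KEY-----\n"),
    "id_rsa.pub": "ssh-rsa Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXI= user@host\n",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14} {classify_key(text)}")
    print("block:", find_unencrypted(SAMPLES))
```

A blocking script would run `classify_key` over each user's `~/.ssh` directory and refuse (or move aside) anything reported as unencrypted; automated transfers that genuinely need an unattended key are better served by a restricted, forced-command key on a gateway host, which is the direction the slides' SSH/SCP gateway items take.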

Firewall

Implement WWB firewall for UNIX network segment
- All UNIX, Linux, VMS, Mac computers on one network segment. Creates choke point.
- Allow only inbound DNS, HTTP, and Anonymous FTP traffic, and only to their respective servers
- Will investigate a DMZ for these servers in the near future

Implement WWB firewall for Windows network segment
- All Windows computers on one network segment. Creates choke point.
- Allow only inbound DNS traffic to our DNS servers
- Will investigate a DMZ for these servers in the near future

Restrict access from non-WWB computers
- We were allowing SSH/SCP connections from specific remote machines to specific ORA machines to ease scientists' work. Now turned off.
- Will discuss VPN use with NCIRT. We have one established, but now turned off.
- Implementing an SSH gateway in the near future
- Will discuss an SCP gateway with NCIRT, investigate implementations, alternatives

Migrate

Migrate UNIX/Linux, VMS, and Mac computers to secure UNIX domain
- All UNIX, Linux, VMS, Mac computers on one network segment
- All UNIX, Linux, VMS, Mac computers in orbit.nesdis.noaa.gov DNS domain. Gives us DNS control.

Migrate Windows 2000 & XP computers to secure Windows domain
- All Windows computers on one network segment
- All Windows computers in orbit1.nesdis.noaa.gov DNS domain. Gives us DNS control.
- Removing remaining Windows NT domain, 2 servers, 62 desktops and notebooks
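The per-segment firewall rules above (default deny inbound; DNS, HTTP and anonymous FTP only to the designated UNIX-segment servers; DNS only to the Windows-segment DNS servers; SSH/SCP from outside WWB off) can be written as a checkable policy and then rendered as rules. The model below is an added example, not ORA's actual firewall configuration: the segment ranges, server addresses and the "inside WWB" range are constructed RFC 5737 values, and treating SSH as reachable from inside WWB only is an assumption made here so the non-WWB restriction has something to contrast with.

```python
"""Per-segment inbound firewall policy as a checkable model.

Added example, not ORA's firewall configuration. Segment ranges, server
addresses and the inside-WWB range are constructed (RFC 5737). Each segment
is a choke point with default deny inbound; only listed services reach only
the designated servers. SSH from inside WWB only is an assumption.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

SEGMENTS = {
    "unix": ipaddress.ip_network("192.0.2.0/25"),       # constructed
    "windows": ipaddress.ip_network("192.0.2.128/25"),  # constructed
}
WWB_INSIDE = ipaddress.ip_network("198.51.100.0/24")    # constructed campus range

# Services admitted per segment: (proto, dport) -> servers allowed to receive it.
POLICY: Dict[str, Dict[Tuple[str, int], Set[str]]] = {
    "unix": {
        ("udp", 53): {"192.0.2.10"},   # DNS server
        ("tcp", 53): {"192.0.2.10"},
        ("tcp", 80): {"192.0.2.20"},   # web server
        ("tcp", 21): {"192.0.2.30"},   # anonymous FTP control channel
    },
    "windows": {
        ("udp", 53): {"192.0.2.130"},  # DNS server only
        ("tcp", 53): {"192.0.2.130"},
    },
}
# Services admitted to any host in a segment, but only from inside WWB (assumption).
INSIDE_ONLY: Set[Tuple[str, int]] = {("tcp", 22)}


def segment_of(ip: str):
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """'accept' or 'drop' for a new inbound connection toward an ORA segment."""
    seg = segment_of(dst)
    if seg is None:
        return "drop"                   # not one of the two ORA segments
    if (proto, dport) in INSIDE_ONLY:
        return "accept" if ipaddress.ip_address(src) in WWB_INSIDE else "drop"
    if dst in POLICY[seg].get((proto, dport), set()):
        return "accept"
    return "drop"                       # default deny: everything not listed


def render_iptables() -> List[str]:
    """Render the same policy as iptables FORWARD-chain rules.

    Passive-mode FTP data connections are not listed; they are admitted as
    RELATED traffic once the nf_conntrack_ftp helper is loaded.
    """
    lines = [
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for seg in SEGMENTS:
        for (proto, port), servers in POLICY[seg].items():
            for ip in sorted(servers):
                lines.append(f"iptables -A FORWARD -d {ip} -p {proto} --dport {port} -j ACCEPT")
    for proto, port in sorted(INSIDE_ONLY):
        for net in SEGMENTS.values():
            lines.append(f"iptables -A FORWARD -s {WWB_INSIDE} -d {net} "
                         f"-p {proto} --dport {port} -j ACCEPT")
    return lines


if __name__ == "__main__":
    for attempt in [("203.0.113.5", "192.0.2.10", "udp", 53),   # outside -> DNS
                    ("203.0.113.5", "192.0.2.21", "tcp", 80),   # outside -> non-web host
                    ("203.0.113.5", "192.0.2.10", "tcp", 22),   # outside -> SSH
                    ("198.51.100.7", "192.0.2.10", "tcp", 22)]: # inside WWB -> SSH
        print(attempt, "->", decide(*attempt))
    print("\n".join(render_iptables()))
```

Keeping the policy as data and deriving both the decision function and the rule set from it means the two cannot drift apart, which is the property to want when a second firewall (the DMZ the slide mentions) is added later.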

Test

Run Harris STAT vulnerability scanning tool
- Next run will be Friday, April 16th, after this two week plan is complete
- It is run regularly as part of the C&A process
- There are problems with this tool

Inventory

Inventory networked IT, operating system versions and patch levels
- Already have this available in various forms, will pull it together

FY04 Plans
- Re-implement VPN if possible. Must discuss with NCIRT. By May 7, 2004
- Implement SSH gateway to allow but control remote login access. By May 31, 2004
- Implement an SCP gateway to allow but control remote file transfers. Must discuss with NCIRT, investigate. By June 30, 2004
- Implement Microsoft System Management Server (SMS) to provide better Windows patch management and administration. Had already purchased necessary HW and SW. By May 31, 2004
- Update McAfee Virus Scan to Enterprise 7 version. Implement ePolicy Orchestrator. By June 15, 2004
- Secure ORA server protocols. Use SSL for IMAP, SMTP, and LDAP. Use HTTPS in lieu of HTTP. By May 31, 2004
- Replace UNIX/Linux NIS (Network Information Service) information sharing scheme with a more secure internal LDAP directory. By June 30, 2004
- Investigate and re-structure ORA WWB IT onto an independent, firewalled network. Include DMZ for DNS, Web, FTP, , and VPN servers. All controlled by ORA. By October 31, 2004