Fermilab Computer Security & Strong Authentication Project Mark Kaletka Computing Division Operating Systems Support Department.


Philosophy
“Scientific thinking and invention flourish best where people are allowed to communicate as much as possible unhampered.” -- Enrico Fermi

Security Philosophy
- Like an academic institution, we want to maintain an atmosphere which encourages free exchange of ideas;
- Yet, we have an obligation to protect our data and systems;
- We allow wide latitude within certain limits;

Security Policy
“… Fermilab’s single mission is science and the laboratory’s stated policy is to maintain an open scientific environment where the free exchange of ideas is encouraged and protected. We want there to be unhindered freedom to use computers within a wide area, but this area is surrounded by extremely high walls. …”

Policies and Rules
- All computer and network usage at the Laboratory is subject to the “Fermilab Policy on Computing”;
- Includes “Policies and Rules to Protect Fermilab Computers”, aka computer security policy;
- Copies are available on the web at:

Rules for General Systems
- Mandatory incident reporting;
- Report all suspicious activity:
  - If urgent, to FCC Helpdesk, x2345, 24x7;
  - Or to system manager (if immediately available);
  - Non-urgent to
- Incidents investigated by Fermi Computer Incident Response Team (FCIRT);
- Not to be discussed!

Rules for General Systems
- “Blatant disregard” of computer security;
  - First time warning, repeat offense disciplinary action;
- Unauthorized or malicious actions;
  - Damage of data, unauthorized use of accounts, denial of service, etc., are forbidden;
- Ethical behavior;
  - Same standards as for non-computer activities;

Rules for General Systems
- Restricted central services;
  - May only be provided by Computing Division;
- Security & cracker tools;
  - Possession (& use) must be authorized;
- System managers;
  - Must be registered with FCSC;
  - See:

Rules for General Systems
- Backup Policy - Users
  - Users (data owners) responsible for determining:
    - What data requires protection;
    - How destroyed data would be recovered, if needed;
  - Coordinating backup plan w/ sysadmins;
  - or doing their own backups;

FCIRT
- Investigate (“triage”) initial reports;
- Coordinate investigation overall;
  - Work with local system managers;
  - Call in technical experts;
- May take control of affected systems;
- Maintain confidentiality;

Computer Security Organization

Strong Authentication
“Techniques that permit entities to provide evidence that they know a particular secret without revealing the secret.”

Goals of Strong Authentication
- Primary:
  - Prevent network disclosure of passwords.
- Secondary:
  - Provide a single-signon environment.
  - Integrate AFS accounts & systems.
  - Simplify account management, especially terminations; take this burden off the system administrators.
  - Enforce password policies.

Fermilab Strong Authentication Project
- Based on MIT Kerberos v5 w/ enhancements:
  - integration w/ AFS
  - CryptoCard challenge/response one-time passwords
  - additional clients (sshv1)
  - features for unattended jobs

Kerberos Authenticated Access
(diagram: strengthened realm with its Kerberos KDC, portal, untrusted realm, trusted realm KDC, on-site and off-site access paths)

CryptoCard
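The challenge/response idea behind the CryptoCard one-time passwords and the “prove you know the secret without revealing it” definition above, as an added Python example that is not Fermilab's code: the real CryptoCard algorithm is not reproduced, an HMAC-SHA256 truncated to 8 hex digits is assumed in its place, and the user name and token seed are constructed.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA256 truncated to 8 hex digits stands in for the token's
# real algorithm. The shared secret lives only in the token and on the verifier;
# the network carries just the random challenge and the 8-character response.


def token_response(secret, challenge):
    """Token side: prove knowledge of the secret by keying an HMAC over the challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()[:8]


class OtpVerifier:
    """Server side: enrolls token secrets and checks responses to single-use challenges."""

    def __init__(self):
        self._secrets = {}   # user -> token secret (never transmitted)
        self._pending = {}   # user -> outstanding challenge

    def enroll(self, user, secret):
        self._secrets[user] = secret

    def challenge(self, user):
        # Fresh random challenge per login attempt; at most one is outstanding per user.
        nonce = secrets.token_bytes(8)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        # pop(): the challenge is consumed whether or not the response is right,
        # so a response captured on the network cannot be replayed later.
        nonce = self._pending.pop(user, None)
        if nonce is None or user not in self._secrets:
            return False
        expected = token_response(self._secrets[user], nonce)
        return hmac.compare_digest(expected, response)   # constant-time compare


def demo():
    """Constructed exchange: a valid login, a replay of the same response, then a wrong secret."""
    server = OtpVerifier()
    server.enroll("alice", b"constructed-token-seed")
    c = server.challenge("alice")
    good = server.verify("alice", token_response(b"constructed-token-seed", c))
    replayed = server.verify("alice", token_response(b"constructed-token-seed", c))
    c2 = server.challenge("alice")
    wrong = server.verify("alice", token_response(b"guessed-seed", c2))
    return good, replayed, wrong
```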

Limited Production Phase
- CDF & D0 Run II
- Strengthen Run II systems & applications:
  - Analysis systems
  - Farms
  - Mass storage
  - Desktops – on- & off-site

Production Phase
- “… the present plan calls for the whole Fermilab site to be in the strengthened realm by the end of 2001.”
- Specific exceptions are allowed:
  - Non-authenticated read-only access;
  - Web or db form data entry;
  - Restricted physical access;
  - Access restricted via prior Kerberos authentication

Strong Authentication Issues for Farms
- Secure distribution, installation, backup, restoration of host service principal keytabs;
- Creation, distribution of (host-specific) user cron principals & keytabs;
- Authenticating processes which don’t belong to an individual;
- Ticket expiration, forwarding, & renewal;

Running Unattended Jobs
- As root:
  - use that host’s keytab;
- As an individual:
  - kcroninit creates a special principal, valid for that host, & gets & stashes a keytab;
  - kcron gets the tickets & runs the job;

Running Unattended Jobs
- As a “group”:
  - “group” (& group admin) approved by the KDC admin;
  - group admin creates principals, valid for that host, for “job” & “group”, also extracts & stashes the keytab;
  - file permissions control members of “group”;
- As a “group” on a farm:
  - as above, but valid for any host in farm;
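The “get the tickets & run the job” step of the unattended-job slides, as an added Python example that is not Fermilab's kcron: it assumes the standard MIT Kerberos tools (`kinit -k -t`, `kdestroy`) and a stashed keytab, and the principal name, keytab path and job command are constructed placeholders.

```python
import os
import shutil
import subprocess
import tempfile

# Assumptions: standard MIT Kerberos command-line tools stand in for kcron;
# the principal, keytab path and job command below are constructed examples.


class TicketError(RuntimeError):
    """Raised when no ticket could be obtained from the keytab."""


def run_with_keytab(principal, keytab, command, run=subprocess.run):
    """Get a ticket from `keytab` into a job-private credential cache, run `command`
    with that cache, then destroy the ticket. Returns the job's exit status."""
    env = dict(os.environ)
    # A private cache keeps the job from reading, or clobbering, an interactive
    # user's tickets on the same host and makes cleanup unambiguous.
    ccdir = tempfile.mkdtemp(prefix="krb5cc_job_")
    env["KRB5CCNAME"] = "FILE:" + os.path.join(ccdir, "cc")
    try:
        if run(["kinit", "-k", "-t", keytab, principal], env=env).returncode != 0:
            raise TicketError(f"kinit with {keytab} failed for {principal}")
        return run(command, env=env).returncode
    finally:
        # Drop the ticket even if the job, or kinit itself, failed.
        run(["kdestroy"], env=env)
        shutil.rmtree(ccdir, ignore_errors=True)


def recording_runner(calls, kinit_rc=0):
    """Stand-in for subprocess.run so the flow can be exercised offline; records each
    command together with the credential cache it would have used."""
    def run(argv, env=None):
        calls.append((list(argv), env["KRB5CCNAME"]))
        rc = kinit_rc if argv[0] == "kinit" else 0
        return subprocess.CompletedProcess(argv, rc)
    return run


if __name__ == "__main__":
    calls = []
    rc = run_with_keytab("jobuser/cron/farm01.example.org@EXAMPLE.REALM",  # constructed
                         "/etc/keytabs/jobuser.keytab", ["/usr/local/bin/nightly.sh"],
                         run=recording_runner(calls))
    for argv, cc in calls:
        print(cc, " ".join(argv))
    print("job exit status:", rc)
```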

A Final Thought...
“The quest for security is no picnic!” -- Linus van Pelt