
TSAG Meeting 3/14/02 Update on Current Technology Initiatives.


1 TSAG Meeting 3/14/02 Update on Current Technology Initiatives

2 Overview
Announcements:
  – Account Maintenance System (March 8, 2002)
  – SIMS/R Forms http://simsrforms.csun.edu
  – Limiting SMTP Vulnerabilities (Proposed March 29, 2002)
Directory Initiative
Desktop and Server Security Issues (Caleb Fahey)
Wireless Initiative (Will Trask)
Network Access Control (Will Moran)

3 Directory Initiative
Goals:
To provide users with a single user-name and password for all IT resources
  – improve system security via strong authentication
  – reduce account management overhead
  – simplify end-user problems
To allow IT units to specify who may access their resources (i.e., units specify authorization)
To engineer a system that works with existing local IT system protocols and procedures

4 Technical Challenges
To correlate existing database information into a single source
To unify the various IT account systems
To engineer a system that works with: Macs, Microsoft, Novell, and Unix systems

5 From Many To … /etc/passwd /etc/aliases SIMS/R PeopleSoft HR ECS A&F NDS Library Campus Phone Directory Majordomo ~dlt/aliases ~dlt/*.vbars password.account

6 In Production: CSUN1 Authentication Email findalias finduser Modem Pool Wireless Network Webmail
Next up: Majordomo Authentication Vacation Authentication Mail Client: Find People
Being Discussed/Planned: PeopleSoft Authentication A&F NDS tree Directory Aware Services Authentication, Authorization, & Information Lookup

7 Outlook: Find People

8 Top-Level DIT Layout
O=CSUN
ou=Authentication ou=Library ou=ECS
ou=Users ou=Groups

9 Approaches to Delegate Control
Mirror
  – Unit copies all authentication objects
  – Unit augments objects with authorization information
Referral (ldaps://hostname)
  – Unit relies on central infrastructure
  – Authentication and authorization information stored with single user object
Alias
  – Each Unit user is an authorization object with a referral to authentication object
  – Works in theory!

10 Distributed, Replicated Architecture
eDirectory (edir.csun.edu)
iPlanet (idir.csun.edu)
OpenLDAP (odir.csun.edu)
ActiveDir. (adir.csun.edu)
http://www.csun.edu/account
dir.csun.edu:636
ldaps.csun.edu:636
ldap.csun.edu:389
Encryption Modules Distribution LDAP Server

11 Desktop and Service Security Issues
Goals:
To educate the campus and the IT staffs on the needs for appropriate security controls
To collaboratively define and implement these controls, which will result in
  – improved security for the campus computing infrastructure
  – reduced work load for the technical staffs
  – increased productivity of the end users
To ensure that local autonomy/flexibility is retained via the local IT units

12 Standards Include?
Administrator Access and Passwords
Software requirements?
  – Secure Shell http://www.macssh.com http://www.ssh.com
  – Antivirus software
Shutdown Policy
Mail Server Standards?
  – Antivirus Filter
  – Authenticated SMTP
  – Directory Aware

13 Mail Servers
SMTP Vulnerabilities (2/15)
  Inbound: 192
  Outbound: 256x256
Identified Mail Servers (3/2)
  imap.csun.edu alpha.ecs.csun.edu ppm.csun.edu std-affairs.csun.edu
  jacek.csun.edu admsvcs.csun.edu jour.csun.edu sundial.csun.edu
  jour1.csun.edu codes.csun.edu sauron.csun.edu ncod.csun.edu
  akala.csun.edu sunspot.csun.edu galileo.csun.edu davinci.csun.edu
SMTP Vulnerabilities (Proposed 3/29)
  Inbound: 16
  Outbound: 16+1

14 Wireless Initiative http://www.csun.edu/wireless
Purpose: To provide flexible and secure access to the Internet via portable devices
Services:
  – Web: http and https
  – Mail: smtp to smtp.csun.edu
  – SSH: to the world
  – Virtual Private Network (VPN) for the future!
Status:
  – Pilot phase well underway
  – Campus wide test in April
  – Anticipated production services in the fall

15 Wireless Zones Today
Sierra Quad Oviatt Lawn Sequoia Hall Engineering Exchange Business/Education Student Services

16 Wireless Zones in May
University Hall
Oviatt Library (4th)
Sierra Hall
Jerome Richfield
Bookstore
Athletics Fields
And a whole lot more to follow!

17 http://www.csun.edu/wireless Announcement List: wireless-l@csun.edu Will.Trask@csun.edu

18 Network Access Control
Reduce the amount of SPAM mail
Reduce exposure to copyright infringement
Reduce exposure to DOS attacks
Increase bandwidth to campus community
Increase the integrity of inter- and intra-campus network communications
Increase productivity of all by not dealing with SPAM and other such attacks
Not Again Zzzz

19 Approach
Paradigms:
  – Allow all, deny exceptions
  – Deny all, allow exceptions
Attack problem in levels
First step: Focus on campus/internet boundary
  – Reduce the number of entry points to campus
  – Reduce the number of exit points to campus
Move towards authenticated and encrypted protocols and applications, e.g., https, ssh

20 Tasks
ACLs deployed for several colleges/units and for several protocols (snmp, smtp!)
Provide information on (date?):
  – Deployed servers on campus
  – Required inbound ports for servers
  – Required outbound ports for servers
Block all inbound traffic to non-servers (date?)
Block all unwanted traffic to servers (date?)
Recommend and then deploy SSH client (date?)
ftp, ssh, http/s, irc/s
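
Added example, not part of the original presentation: the two paradigms from slide 19 evaluated against the same inbound flows at the campus/internet boundary, using a server inventory of required inbound ports as slide 20 calls for. Host names, ports, the denied-port list and the flows are constructed for illustration.

```python
# Added example: constructed inventory and flows, not taken from the presentation.
from dataclasses import dataclass

# Server inventory: host -> inbound TCP ports it is required to accept (constructed).
SERVER_INBOUND = {
    "smtp.example.edu": {25},
    "www.example.edu": {80, 443},
    "login.example.edu": {22},
}

# Exception list for the allow-all paradigm: ports blocked campus-wide (constructed).
DENIED_PORTS = {161}  # snmp


@dataclass(frozen=True)
class Flow:
    dst_host: str
    dst_port: int


def allow_all_deny_exceptions(flow: Flow) -> bool:
    """Permit everything except explicitly denied ports."""
    return flow.dst_port not in DENIED_PORTS


def deny_all_allow_exceptions(flow: Flow) -> bool:
    """Permit only inventoried servers on their required inbound ports."""
    return flow.dst_port in SERVER_INBOUND.get(flow.dst_host, set())


def exposed(flows, policy):
    """Return the flows that the given policy lets through the boundary."""
    return [f for f in flows if policy(f)]


# Inbound flows arriving at the campus/internet boundary (constructed).
FLOWS = [
    Flow("smtp.example.edu", 25),       # inventoried mail server
    Flow("desktop17.example.edu", 25),  # SMTP listener on a non-server
    Flow("www.example.edu", 443),       # inventoried web server
    Flow("www.example.edu", 25),        # unwanted service on a real server
    Flow("login.example.edu", 161),     # snmp, denied under both paradigms
]

if __name__ == "__main__":
    for name, policy in [("allow-all", allow_all_deny_exceptions),
                         ("deny-all", deny_all_allow_exceptions)]:
        passed = exposed(FLOWS, policy)
        print(f"{name}: {len(passed)} of {len(FLOWS)} flows permitted")
```

Under the allow-all policy the SMTP listener on the non-server stays reachable until someone adds an exception for it; under deny-all it is closed by default and only the inventoried services remain.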

