Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fermilab Computer Security & Strong Authentication Project Mark Kaletka Computing Division Operating Systems Support Department.

Published byEustace Gilmore Modified over 8 years ago

Similar presentations

Presentation on theme: "Fermilab Computer Security & Strong Authentication Project Mark Kaletka Computing Division Operating Systems Support Department."— Presentation transcript:

1 Fermilab Computer Security & Strong Authentication Project Mark Kaletka Computing Division Operating Systems Support Department

2 Philosophy "Scientific thinking and invention flourish best where people are allowed to communicate as much as possible unhampered.” -- Enrico Fermi

3 Security Philosophy  Like an academic institution, we want to maintain an atmosphere which encourages free exchange of ideas;  Yet, we have an obligation to protect our data and systems;  We allow wide latitude within certain limits;

4 Security Policy “… Fermilab’s single mission is science and the laboratory’s stated policy is to maintain an open scientific environment where the free exchange of ideas is encouraged and protected. We want there to be unhindered freedom to use computers within a wide area, but this area is surrounded by extremely high walls. …”

5 Policies and Rules  All computer and network usage at the Laboratory is subject to the “Fermilab Policy on Computing”;  Includes “Policies and Rules to Protect Fermilab Computers” aka computer security policy;  Copies are available on the web at: http://www.fnal.gov/cd/main/cpolicy.html;

6 Rules for General Systems  Mandatory incident reporting;  Report all suspicious activity:  If urgent to FCC Helpdesk, x2345, 24x7;  Or to system manager (if immediately available);  Non-urgent to computer_security@fnal.gov;  Incidents investigated by Fermi Computer Incident Response Team (FCIRT);  Not to be discussed!

7 Rules for General Systems  “Blatant disregard” of computer security;  First time warning, repeat offense disciplinary action;  Unauthorized or malicious actions;  Damage of data, unauthorized use of accounts, denial of service, etc., are forbidden;  Ethical behavior;  Same standards as for non-computer activities;

8 Rules for General Systems  Restricted central services;  May only be provided by Computing Division;  Security & cracker tools;  Possession (& use) must be authorized;  System managers;  Must be registered with FCSC;  See: http://www-miscomp.fnal.gov/sysadmindb

9 Rules for General Systems  Backup Policy - Users  Users (data owners) responsible for determining:  What data requires protection;  How destroyed data would be recovered, if needed;  Coordinating backup plan w/ sysadmins;  or doing their own backups;

10 FCIRT  Investigate (“triage”) initial reports;  Coordinate investigation overall;  Work with local system managers;  Call in technical experts;  May take control of affected systems;  Maintain confidentiality;

11 Computer Security Organization

12 Strong Authentication "Techniques that permit entities to provide evidence that they know a particular secret without revealing the secret."

13 Goals of Strong Authentication  Primary -  Prevent network disclosure of passwords.  Secondary -  Provide a single-signon environment.  Integrate AFS accounts & systems.  Simplify account management, especially terminations - take this burden off the system administrators.  Enforce password policies.

14 Fermilab Strong Authentication Project  Based on MIT Kerberos v5 w/ enhancements:  integration w/ AFS  CryptoCard challenge/response one-time passwords  additional clients (sshv1)  features for unattended jobs

15 Kerberos Authenticated Access Strengthened RealmPortal Untrusted Realm On-Site Off-Site Kerberos KDC Trusted Realm KDC Kerberos

16 CryptoCard

17 Limited Production Phase  CDF & D0 Run II  Strengthen Run II systems & applications:  Analysis systems  Farms  Mass storage  Desktops – on- & off-site

18 Production Phase  “… the present plan calls for the whole Fermilab site to be in the strengthened realm by the end of 2001.”  Specific exceptions are allowed:  Non-authenticated read-only access;  Web or db form data entry;  Restricted physical access;  Access restricted via prior Kerberos authentication

19 Strong Authentication Issues for Farms  Secure distribution, installation, backup, restoration of host service principal keytabs;  Creation, distribution of (host-specific) user cron principals & keytabs;  Authenticating processes which don’t belong to an individual;  Ticket expiration, forwarding, & renewal;

20 Running Unattended Jobs  As root:  use that host’s keytab;  As an individual:  kcroninit creates a special principal, valid for that host, & gets & stashes a keytab;  kcron gets the tickets & runs the job;

21 Running Unattended Jobs  As a “group”:  “group” (& group admin) approved by the KDC admin;  group admin creates principals, valid for that host, for “job” & “group”, also extracts & stashes the keytab;  file permissions control members of “group”;  As a “group” on a farm:  as above, but valid for any host in farm;

22 References  http://www.fnal.gov/cd/main/cpolicy.pdf http://www.fnal.gov/cd/main/cpolicy.pdf  http://computing.fnal.gov/security/StrongAuth/ http://computing.fnal.gov/security/StrongAuth/  http://www.fnal.gov/docs/strongauth/ http://www.fnal.gov/docs/strongauth/  http://computing.fnal.gov/security/UserGuide/com mon-problems.txt http://computing.fnal.gov/security/UserGuide/com mon-problems.txt

23 A Final Thought... “The quest for security is no picnic!” -- Linus van Pelt

Download ppt "Fermilab Computer Security & Strong Authentication Project Mark Kaletka Computing Division Operating Systems Support Department."

Similar presentations

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.

Darton College Information Systems Use Policies. Introduction Dartons Information Systems are critical resources. The Information Systems Use Policies.
Hart District Acceptable Use Policy Acceptable Use Policy.

Hart District Acceptable Use Policy Acceptable Use Policy.
Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.

Establishing an OU Hierarchy for Managing and Securing Clients Base design on business and IT needs Split hierarchy Separate user and computer OUs Simplifies.
Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC.

Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC.
A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.

A dialogue with FMUG: Sensitive Data & Filemaker MIT Policy and Data Classifications ** DRAFT ** Guidelines Feedback and Discussion Tim McGovern 2 June.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.

Cross Platform Single Sign On using client certificates Emmanuel Ormancey, Alberto Pace Internet Services group CERN, Information Technology department.
Access Control Methodologies

Access Control Methodologies
Strong Authentication – System Design and Deployment Matt Crawford Fermilab Computer Security Team.

Strong Authentication – System Design and Deployment Matt Crawford Fermilab Computer Security Team.
Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.

Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.
The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M030 17 th November, 2008.

The Kerberos Authentication System Brad Karp UCL Computer Science CS GZ03 / M th November, 2008.
Strong Authentication Project CD/DCD/Computer Security Team Fermi National Accelerator Laboratory Mark Kaletka Matt Crawford.

Strong Authentication Project CD/DCD/Computer Security Team Fermi National Accelerator Laboratory Mark Kaletka Matt Crawford.
Basic Computer Security. Outline F Why Computer Security F Fermilab Strategy: –Integrated Computer Security –Defense in Depth F Your role and responsibilities.

Basic Computer Security. Outline F Why Computer Security F Fermilab Strategy: –Integrated Computer Security –Defense in Depth F Your role and responsibilities.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Basic Computer Security. Outline F Why Computer Security F Fermilab Strategy: –Integrated Computer Security –Defense in Depth F Your role and responsibilities.

Basic Computer Security. Outline F Why Computer Security F Fermilab Strategy: –Integrated Computer Security –Defense in Depth F Your role and responsibilities.
Security Essentials for Fermilab System Administrators.

Security Essentials for Fermilab System Administrators.
Building Global HEP Systems on Kerberos Matt Crawford Fermilab Computer Security.

Building Global HEP Systems on Kerberos Matt Crawford Fermilab Computer Security.
Security Essentials for Desktop System Administrors.

Security Essentials for Desktop System Administrors.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Similar presentations

Ads by Google