BSD Firewall
R. Les Cottrell <cottrell@slac.stanford.edu>, Stanford Linear Accelerator Center (SLAC)
Presented at SCS Technical Coordination Meeting, July 22, 1998
www.slac.stanford.edu/grp/scs/net/talk/bsd-fw/
uc.slac.stanford.edu/cottrell/slac/bsd-fw
Introduction
• Securing BSD at SLAC is a requirement from Richter
• Protect BSD without destroying the open collaborative environment for most of SLAC
• This meeting's goals:
  • explain the current understanding & improve it
  • put forward some first steps
  • raise questions / concerns
  • prioritize and assign resources to address as appropriate
Possible Concept
[Network diagram: BSD (~200 hosts) behind a firewall. Components shown: ADSM, www-bis, ISDN, Purch, Dev Web, NTFS', Plan, PS, DNS', NTP', Sage, DHCP, SMS', web-proxy, sql*net, DW, ssh, Unix-admins, Oracle/Parsley; ssh and sql*net are drawn as the paths crossing the firewall.]
Legend
• Sage (Sun): Oracle server for BSD
• Parsley (Sun): Oracle server for SLAC (e.g. CANDO)
• Web-proxy (Sun or NT?): allows BSD folks to have a single way of getting to outside BSD web pages & thus allows blocking of most Web access
• ssh (Sun): allows a single point of access to BSD for Unix logon, thus allowing blocking of most ssh logons
• DHCP (Sun): dynamic host configuration server, needed if DHCP is blocked
• PS (NT): PeopleSoft server for BSD
• SMS' (NT), NTFS' (NT): provide support for a separate BSD NT domain
• ISDN (Cisco): allows dial-in access to BSD from home
Requirements
Allow:
• time, smtp, http out, dns
• POP/IMAP
• telnet out of BSD
• ftp out of BSD [s]
• afs & Kerberos
• VPN?
• print
• adsm
• sql*net between PS & DW [s]
• snmp (needed for monitoring) [s]
• Deny all others
Block:
• no mail gateways
• http in
• telnet into BSD
• ftp into BSD
• nfs, nis, tftp, bootp?
• r*
• NT network (135-139)
• hydra?
• X11 & XDMCP, finger
• DECnet, AppleTalk, NetWare
Firewall Requirements
• Some of the services/protocols can be blocked with existing router ACLs, e.g.
  • nfs, r*, NT networking, telnet into BSD
• Allowing some services/protocols (ftp, sql*net) requires statefulness
  • i.e. the connection is opened on a well-known port, then data flows on ephemeral ports; so when the well-known port is seen to open, the ephemeral ports must be opened up for the duration of the session
  • we do not currently have a device that can do this
Possibilities
• Move ~50 purchasers & planners into BSD, ~$12K
• Provide a router with ACLs (cannot be stateful) for BSD to block:
  • telnet in to BSD, r*, ftp in to BSD, NIS (via portmapper)
  • DECnet, IPX (does the Flex server use this?), AppleTalk (only IP printers in BSD)
  • NT networking, i.e. 135-139
• Buy a firewall which supports stateful blocking [s], ~$12K
• Put all BSD on switches (avoids sniffing, can block snmp), cost ~$45K
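The two slides above turn on one distinction: a router ACL judges each packet by itself, while ftp and sql*net need a device that remembers the connection on the well-known port and opens ephemeral ports for that session only. The Python model below is an added example, not part of the talk and not SLAC's configuration; the 10.0.0.x "BSD" prefix, the 192.0.2.10 FTP server, the port lists and the packet trace are constructed assumptions. It applies the router block list from the Possibilities slide statelessly, then shows a connection-tracking filter that inspects the FTP control channel and admits only the one data callback that belongs to a live session.

```python
"""Stateless router ACL vs. stateful filter on the same traffic (added example).

Assumptions, not SLAC's setup: BSD subnet prefix, server addresses, port lists
and the FTP exchange below are all constructed for illustration.
"""
from dataclasses import dataclass, field

BSD_NET = "10.0.0."  # assumed placeholder prefix for the ~200-host BSD subnet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # opens a new TCP connection
    fin: bool = False      # closes the connection
    payload: bytes = b""


def inside(ip: str) -> bool:
    return ip.startswith(BSD_NET)


# Inbound destination ports a plain router ACL can block (Possibilities slide):
# telnet, ftp control, r* (exec/login/shell), NIS via portmapper, NT networking.
BLOCK_INBOUND = {23, 21, 512, 513, 514, 111, *range(135, 140)}
# "Simple" (non-stateful) TCP services the slides allow out of BSD, by port.
ALLOW_OUTBOUND = {37, 25, 80, 53, 110, 143, 23, 21, 22}


def stateless_acl(pkt: Packet) -> bool:
    """Router ACL: decides each packet alone, with no memory of earlier ones."""
    if inside(pkt.src) and not inside(pkt.dst):
        return pkt.dport in ALLOW_OUTBOUND
    if not inside(pkt.src) and inside(pkt.dst):
        if pkt.dport in BLOCK_INBOUND:
            return False
        # Replies to outbound sessions land on ephemeral ports. Without state the
        # ACL can only wave through non-SYN packets and refuse every inbound SYN,
        # so an active-mode FTP data callback (server:20 -> client:ephemeral) dies.
        return not pkt.syn
    return True


def parse_port_cmd(payload: bytes):
    """Decode an FTP 'PORT h1,h2,h3,h4,p1,p2' line into (ip, port), else None."""
    if not payload.startswith(b"PORT "):
        return None
    nums = [int(x) for x in payload[5:].strip().split(b",")]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


@dataclass
class StatefulFilter:
    """Tracks outbound sessions and opens a pinhole only for their data channel."""
    sessions: set = field(default_factory=set)    # (client, cport, server)
    pinholes: dict = field(default_factory=dict)  # (server, 20, client, dport) -> session

    def decide(self, pkt: Packet) -> bool:
        if inside(pkt.src) and not inside(pkt.dst):
            if pkt.dport not in ALLOW_OUTBOUND:
                return False
            key = (pkt.src, pkt.sport, pkt.dst)
            if pkt.syn:
                self.sessions.add(key)
            if key not in self.sessions:
                return False
            ep = parse_port_cmd(pkt.payload) if pkt.dport == 21 else None
            if ep:
                # Control-channel inspection: admit exactly one callback flow,
                # bound to this session, for as long as the session lives.
                self.pinholes[(pkt.dst, 20, ep[0], ep[1])] = key
            if pkt.fin:
                self.sessions.discard(key)
                self.pinholes = {k: v for k, v in self.pinholes.items() if v != key}
            return True
        if not inside(pkt.src) and inside(pkt.dst):
            if pkt.dport in BLOCK_INBOUND:
                return False
            if (pkt.src, pkt.sport, pkt.dst, pkt.dport) in self.pinholes:
                return True
            return (pkt.dst, pkt.dport, pkt.src) in self.sessions  # reply to a tracked session
        return True


def active_ftp_trace(client="10.0.0.7", server="192.0.2.10", other="198.51.100.5"):
    """Constructed packet sequence: FTP control session, PORT, data callback, close."""
    return [
        Packet(client, 40001, server, 21, syn=True),                             # 0 control open
        Packet(client, 40001, server, 21, payload=b"PORT 10,0,0,7,156,66\r\n"),  # 1 data port 40002
        Packet(server, 21, client, 40001),                                       # 2 control reply
        Packet(other, 1234, client, 40002, syn=True),                            # 3 unrelated SYN to the data port
        Packet(server, 20, client, 40002, syn=True),                             # 4 legitimate data callback
        Packet(client, 40001, server, 21, fin=True),                             # 5 control close
        Packet(server, 20, client, 40002, syn=True),                             # 6 late callback after close
        Packet(other, 1234, client, 23, syn=True),                               # 7 inbound telnet
    ]


def compare(trace):
    """Return (stateless, stateful) verdicts per packet."""
    sf = StatefulFilter()
    return [(stateless_acl(p), sf.decide(p)) for p in trace]


if __name__ == "__main__":
    for i, (a, b) in enumerate(compare(active_ftp_trace())):
        print(f"pkt {i}: router ACL={'allow' if a else 'deny':5}  stateful={'allow' if b else 'deny'}")
```

Running it prints a verdict per packet. Packet 4, the active-mode FTP data callback, is the one the stateless ACL must refuse, which is the "we do not currently have a device that can do this" point; the unrelated SYN to the same port (packet 3) and the late callback after the control session closes (packet 6) are refused by both, which is why the pinhole is keyed to the session rather than to the port alone.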
Questions - Services
• How many BSD insiders need to telnet/ssh out?
• How many BSD insiders need to ftp out?
  • Can BSD insiders use afs instead of ftp?
• Can we allow all simple TCP outbound access?
  • simple means non-stateful protocols
  • if so, then we may not need a Web proxy
• Can all BSD insiders use an ssh IMAP/POP client?
  • protects passwords otherwise sent in the clear
Questions - BSD
• Printers
  • Do printers inside need to be accessed from outside?
  • Do printers outside need to be accessed from inside?
  • How does NT print; is there an NT print server inside?
• Where does the Flex server go?
• Do we have to block DHCP/BootP?
• Do we need ISDN, and if so how many?
  • Costly ($700/mo, $12K one time) if more than, say, 4 users
  • What about host-stored passwords in shared homes?
  • Do these users already have ISDN?
Questions - BSD Policies/assumptions
• Users do not install software (esp. off the net or from floppy)
• Users do not accept Excel/Word enclosures with macros, or:
  • is McAfee VirusScan good enough?
  • do we need to check all mail at the gateway ($20K)?
• No unregistered Web servers off port 80
• Assumptions, inside BSD:
  • no NCDs
  • no AppleTalk printers (LaserWriters)
  • NIS turned off on all hosts in BSD
Questions - initial testing
• Need to precisely define what protocols/services to block, in which direction, and to & from where (IP address)
  • who decides & works with John Halperin?
• Need to identify more precisely the impacts of blocking
  • Who works with users to notify, educate, provide documentation & FAQs, consult, troubleshoot, coordinate, schedule outages?
Questions - What about NT
• What are the plans & schedule for:
  • splitting the BSD domain off from the rest of SLAC
  • providing NTFS'
  • the contacts are Andrea, Patrick, Jeff, Bill Johnson
  • etc.?
• Do NT afs clients need ephemeral ports?
• How does NT print; is there an NT print server inside?
Questions - NT & App admin access
• Do Ian, Freddie, Frank, George etc. need to be inside the firewall, outside, or both?
• How many such people are there?
• How do we identify them, & who is responsible for identifying them?
• What are the possible solutions?
Questions - Web Servers
• What are the plans for the proxy?
  • What is needed?
  • What is available?
  • Is it NT or Unix?
  • Is it a separate server & if so where?
  • When will it be ready?
  • Who is the contact person?
• Is a separate server needed inside the firewall to access PS?
Questions - Databases
• What are the plans for Parsley?
  • When does it get installed?
  • What has to get moved to it, etc.?
• Ian reconfigures Sage
• Database group is responsible for the Development Web server
• Who is responsible for the Web-proxy server?
Questions - Unix
• When will Parsley be ready for Ian?
• Who is responsible for the ssh server (do we need one)?
• ADSM issues:
  • do Parsley & Sage back up to ADSM?
  • what protocols does it use?
• Are there issues with administering Sage, DHCP, web-proxy with NFS, NIS etc. blocked?
• How are inside accounts administered?
Actions
• Get ssh ftp for evaluation
• Get questions answered
• Assign a group to define the initial simple blocks