Security At NCAR

  1. Security At NCAR
  Pete Siemsen
  National Center for Atmospheric Research
  November 22, 1999

  2. NCAR’s Environment
  • Academic research institution
    • But no students
  • Collaboration with 63 member Universities
    • ~1500 university (external) users
  • Diverse, widespread field projects
  • ~2500 networked devices internal to NCAR
  • ~1500 internal users

  3. Obstacles to Security
  • Security not taken seriously
    • Considered low priority (few resources)
    • Doesn’t mesh well with NCAR’s goals
  • Security is a lose-lose proposition!
    • Too little security: it’s your fault
      • We got hacked, you should’ve done more
    • Too much security: it’s your fault
      • I can’t get my work done, you should do less
    • When it works, no one notices

  4. Motivation to Get Serious About Security
  • We experienced increasing malicious attacks
  • More hackers hacking
    • Availability of hacker “kits”
      • Easy to get
      • Don’t require network expertise
      • (URLs will be shown later ;-)
  • We had some strong advocates

  5. Getting Started

  6. NCAR Security Committee
  • We created a committee to develop policy
    • Sysadmins from all NCAR Divisions
    • Policy process delivers institutional buy-in
  • 2-hour meetings once a month
  • Lots of cooperation, little authority

  7. The Security Policy
  • Need a policy that defines
    • vulnerabilities
    • how much security is needed
    • level of inconvenience that is tolerable
    • solutions
  • We recommended a full-time Security Administrator for the institution
  • http://www.ncar.ucar.edu/csac

  8. Define Scope of Problem
  • Decide which types of attacks are problems
  • Examples:
    • Hacker spoofing of source IP address
    • Hacker scanning for weaknesses
      • TCP/UDP ports, INETD services
    • Hackers sniffing passwords
    • Hacker exploitation of buggy operating systems
      • Inconsistent/tardy OS patching

  9. Define Scope of Solution
  • What we won’t do
    • Not feasible to secure every computer
      • Over-reliance on timely OS security fixes
    • Can’t prohibit internal “personal” modems
    • Attacks from within aren’t a big problem
  • What we will do
    • Reduce external attacks from the Internet

  10. Basic Solutions at NCAR
  • One-time passwords
  • Switched LANs
  • Router packet filtering
  • Application-proxy gateways

  11. One-Time Passwords

  12. One-time Passwords
  • A.K.A. Challenge-Response
  • Requires little calculator things (~$50 each)
  • Prevents password sniffing
  • We use it on critical devices
    • Routers, ATM Switches, Ethernet Switches, Remote Access Servers, Server hosts (root accounts)
  • At the least, do this!
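Slide 12 only states that challenge-response prevents password sniffing. The following Python sketch is an added example for this page, not NCAR's code or any token vendor's product, and shows why the claim holds: the server sends a fresh random challenge, the token (the "little calculator") answers with a keyed function of the shared secret and that challenge, and the server checks the answer with a constant-time comparison. The secret itself never crosses the wire, and a response captured by a sniffer cannot be replayed against a later challenge. The scheme (HMAC-SHA256 truncated to 16 hex digits), the user name and the secret are constructed for illustration; the 1999-era tokens used different algorithms.

```python
import hashlib
import hmac
import secrets


def token_response(shared_secret: bytes, challenge: bytes) -> str:
    """The 'calculator' side: a keyed function of secret and challenge (constructed scheme)."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).hexdigest()[:16]


class ChallengeResponseServer:
    """Server side: hands out one-shot random challenges and checks the answers."""

    def __init__(self, secrets_by_user: dict):
        self._secrets = secrets_by_user      # user -> shared secret (would live in a secure store)
        self._pending = {}                   # user -> outstanding challenge

    def challenge(self, user: str) -> bytes:
        c = secrets.token_bytes(8)           # fresh random challenge for this login attempt
        self._pending[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        c = self._pending.pop(user, None)    # each challenge is usable exactly once
        if c is None or user not in self._secrets:
            return False
        expected = token_response(self._secrets[user], c)
        return hmac.compare_digest(expected, response)   # constant-time comparison


def login_and_replay() -> tuple:
    """A legitimate login followed by a replay of the sniffed response; returns (login_ok, replay_ok)."""
    secret = b"constructed-shared-secret"   # constructed; the real secret stays inside the token
    server = ChallengeResponseServer({"admin": secret})

    c1 = server.challenge("admin")
    r1 = token_response(secret, c1)          # what crosses the wire: c1 and r1, never the secret
    login_ok = server.verify("admin", r1)

    server.challenge("admin")                # a sniffer replays r1 against a new, different challenge
    replay_ok = server.verify("admin", r1)
    return login_ok, replay_ok


if __name__ == "__main__":
    print(login_and_replay())                # (True, False)
```

Truncating the response to 16 hex digits mimics the short value a hardware token displays; the property that matters is that every response is bound to a challenge the server chose and will not accept twice, so a captured login transcript is worthless to whoever sniffed it.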

  13. Switched LANs

  14. Switched LANs
  • Reduces packet eavesdropping
  • Get this for “free” with switched network

  15. Packet Filtering

  16. Router-Based Filters
  • Used to construct router-based firewall around your internal network (and/or between internal networks)
  • Main security implementation tool
  • Routers check each inbound packet against filter criteria and accept or reject
    • Filters reject dangerous packets
    • Filters accept all useful packets

  17.

  18.

  19. Packet Filtering At NCAR
  • Cisco access-lists filter on
    • IP address: source, destination, ranges
    • Interfaces: inbound and/or outbound
    • Protocols, TCP ports, etc.
  • We filter only inbound packets
  • Performance is an issue
    • We have Cisco 7507 routers
    • Using RSP4 CPUs

  20. Filter Stance: Strong or Weak?
  • Strong
    • Deny everything, except for the good stuff
  • Weak
    • Allow everything, except for the bad stuff
  • NCAR chose a Strong stance

  21. Firewall Flexibility Needed
  • Some NCAR Divisions wanted...
    • All hosts on some subnets to be “outside” firewall
    • Just some hosts “outside” firewall in each subnet
  • Our solution…
    • Some whole IP subnets bypassed by firewall filters
    • Part of every IP subnet bypassed by firewall filters

  22. Firewall Flexibility Needed
  • Excluded/bypassed subnets are called exposed subnets; all others are called protected subnets
  • Excluded/bypassed hosts are called exposed hosts; all other hosts are called protected hosts
  • “protected” means NO connections are allowed from outside the firewall

  23.

  24. Implementing Flexibility
  • Rules to define exposed subnets
    • Filters bypass all hosts on selected subnets
    • permit ip any 128.117.1.0 0.0.0.255
    • One of these rules for each exposed subnet
  • This works best when subnets are assigned according to organizational topology

  25. Implementing Flexibility
  • Rules to define exposed hosts
    • Bypass a fixed set of hosts on all subnets
    • permit ip any 128.117.0.0 0.0.255.15
  • Divisions had to re-address some hosts before the filter was installed

  26. Example Filter Statistics
  • 41 lines (rules) in NCAR’s access-list
  • Hits, 28 days after filter was installed:
    • 3 MP denied because of spoofing
    • 17 MP denied because of “catchall”
    • 71 MP permitted to exposed networks
    • 100 MP permitted to exposed hosts
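Slides 19 through 26 describe the inbound Cisco access-list: a strong stance (deny unless explicitly permitted), exposed subnets bypassed with `permit ip any 128.117.1.0 0.0.0.255`, exposed hosts bypassed with `permit ip any 128.117.0.0 0.0.255.15`, and per-rule hit counts. The Python simulator below is an added example written for this page; it is not NCAR's configuration and not Cisco code. It implements Cisco wildcard-mask matching (a 1 bit in the mask means "don't care", so `0.0.255.15` pins the top four bits of the last octet to zero and therefore admits hosts .0 through .15 of every 128.117.x.0/24 subnet, which is exactly the "fixed set of hosts on all subnets" of slide 25), evaluates an ordered rule list with first-match semantics and Cisco's implicit final deny, and counts hits per rule as in slide 26. Two rules are assumptions rather than slide content: the anti-spoofing deny (slide 26 reports spoofing denies but shows no rule) and an `established`-style permit for replies to outbound TCP sessions (slide 34 says outbound Telnet and HTTP still work, but does not show how). The rule names and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": every address bit is don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the mask means that address bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))   # bits that must match
    return (a & care) == (b & care)


@dataclass
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol; otherwise "tcp", "udp", "icmp"
    src: tuple           # (base, wildcard) for the source address
    dst: tuple           # (base, wildcard) for the destination address
    name: str            # constructed label, used for hit counting
    established: bool = False   # Cisco 'established': only TCP segments with ACK (or RST) set
    hits: int = 0


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    ack: bool = False    # TCP ACK flag; always False for UDP and ICMP


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.established and not (pkt.proto == "tcp" and pkt.ack):
        return False
    return wildcard_match(pkt.src, *rule.src) and wildcard_match(pkt.dst, *rule.dst)


def evaluate(acl: list, pkt: Packet) -> tuple:
    """First matching rule wins; a packet matching nothing hits Cisco's implicit deny."""
    for rule in acl:
        if rule_matches(rule, pkt):
            rule.hits += 1
            return rule.action, rule.name
    return "deny", "implicit-deny"


def ncar_style_acl() -> list:
    """Inbound filter in the order a strong stance needs (assumed order; not NCAR's real 41-line list)."""
    return [
        # Assumption: drop packets arriving from the Internet that claim an internal source.
        Rule("deny", "ip", ("128.117.0.0", "0.0.255.255"), ANY, "anti-spoof"),
        # Slide 24: one rule per exposed subnet.
        Rule("permit", "ip", ANY, ("128.117.1.0", "0.0.0.255"), "exposed-subnet"),
        # Slide 25: hosts .0-.15 of every subnet are exposed.
        Rule("permit", "ip", ANY, ("128.117.0.0", "0.0.255.15"), "exposed-hosts"),
        # Assumption: replies to outbound TCP sessions, so outbound Telnet/HTTP keep working.
        Rule("permit", "tcp", ANY, ("128.117.0.0", "0.0.255.255"), "return-traffic", established=True),
        # Slide 26's "catchall": everything else is denied.
        Rule("deny", "ip", ANY, ANY, "catchall"),
    ]


def run_demo() -> tuple:
    """Evaluate constructed sample packets; returns (decisions, hit count per rule)."""
    acl = ncar_style_acl()
    packets = [
        Packet("128.117.5.5", "128.117.1.7", "tcp"),                # spoofed internal source
        Packet("198.51.100.9", "128.117.1.7", "tcp"),               # new connection to exposed subnet
        Packet("198.51.100.9", "128.117.40.12", "udp"),             # host .12 is exposed on any subnet
        Packet("198.51.100.9", "128.117.40.200", "tcp", ack=True),  # reply to an outbound session
        Packet("198.51.100.9", "128.117.40.200", "tcp"),            # new connection to protected host
        Packet("198.51.100.9", "128.117.40.200", "icmp"),           # inbound ping (slide 35)
        Packet("198.51.100.9", "128.117.40.200", "udp"),            # inbound UDP (slide 35)
    ]
    decisions = [evaluate(acl, p) for p in packets]
    hits = {r.name: r.hits for r in acl}
    return decisions, hits


if __name__ == "__main__":
    decisions, hits = run_demo()
    for d in decisions:
        print(d)
    print(hits)
```

The last three packets show where the drawbacks of slide 35 come from: the only thing that lets traffic to a protected host through is the ACK-bit match of the return-traffic rule, and UDP datagrams and ICMP echo requests carry no such flag, so inbound UDP and pings to protected hosts fall through to the catchall. An active-mode FTP data connection, which the server opens towards the client, fails for the same reason, hence the advice to use passive mode, an exposed host, or the proxy gateway.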

  27. Exposed Hosts
  • Example: Web servers, data source machines, etc.
  • Must meet stringent security standards to avoid being compromised and used as launch pads for attacking protected hosts
    • OS restricts set of network services allowed
    • Must keep up with OS patches

  28. Application-Proxy Gateways

  29.

  30. What They Are & Do
  • Provides proxy access to protected hosts for insecure services like FTP, Telnet, X11
  • Central access and monitoring point
  • Authenticates users
  • OS is kept VERY secure
    • Patches kept up to date
    • Unneeded services turned off
    • No “direct” use by users

  31. Security Administrator

  32. Security Administrator
  • Provides focus for security for the entire institution
  • Helps deal with break-ins
  • Central point of contact
  • Tracks CERT advisories for sysadmins
  • Advocates security solutions, like ssh
  • Scans exposed hosts for standards violations
  • Generally helps/educates sysadmins

  33. Impacts of NCAR’s Security

  34. Benefits
  • >95% of NCAR hosts are protected
  • Outbound Telnet, HTTP, etc. still work
    • Most users don’t notice any changes
  • Relatively cheap and easy
  • Dial-in users are “inside”, no changes

  35. Drawbacks
  • UDP is blocked
    • Some services are no longer available
  • Inbound pings are blocked !!!
  • To use FTP, must use passive mode, or use an exposed host, or proxy through the Gateway
  • DNS and email can get REAL complicated

  36. Drawbacks (cont.)
  • Password sniffing still possible outside of firewall
  • Ignores attacks from within
  • Modems in offices are a huge hole
    • Bypasses authentication in our secure modem pool

  37. Wrapup

  38. Security is Never “Done”
  • How do you know if you’re being hacked?
    • “Silent” attacks very hard to detect
    • “Noisy” attacks hard to distinguish from other network (or host) problems
  • Network keeps changing
  • Software keeps changing
  • Hackers keep advancing

  39. Security is Never “Done” (cont.)
  • Policy and security mechanisms must keep
  • Security committee continues to meet

  40. Conclusion
  • NCAR struck a balance between:
    • Convenience and Security
    • Politics and Technology
    • Cost and Quality
  • Seems to work for us
  • Installed it “just in time”
    • Filters were installed just as attacks were getting unbearable
