Security At NCAR
National Center for Atmospheric Research (NCAR)
Security At NCAR
Pete Siemsen
National Center for Atmospheric Research
November 22, 1999

NCAR’s Environment
• Academic research institution
• But no students
• Collaboration with 63 member Universities
• ~1500 university (external) users
• Diverse, widespread field projects
• ~2500 networked devices internal to NCAR
• ~1500 internal users

Obstacles to Security
• Security not taken seriously
• Considered low priority (few resources)
• Doesn’t mesh well with NCAR’s goals
• Security is a lose-lose proposition!
  · Too little security: it’s your fault
    – We got hacked, you should’ve done more
  · Too much security: it’s your fault
    – I can’t get my work done, you should do less
  · When it works, no one notices

Motivation to Get Serious About Security
• We experienced increasing malicious attacks
  · More hackers hacking
  · Availability of hacker “kits”
    – Easy to get
    – Don’t require network expertise
    – (URLs will be shown later ;-)
• We had some strong advocates
Getting Started

NCAR Security Committee
• We created a committee to develop policy
• Sysadmins from all NCAR Divisions
• Policy process delivers institutional buy-in
• 2-hour meetings once a month
• Lots of cooperation, little authority

The Security Policy
• Need a policy that defines
  · vulnerabilities
  · how much security is needed
  · level of inconvenience that is tolerable
  · solutions
• We recommended a full-time Security Administrator for the institution
• http://www.ncar.ucar.edu/csac

Define Scope of Problem
• Decide which types of attacks are problems
• Examples:
  · Hacker spoofing of source IP address
  · Hacker scanning for weaknesses
    – TCP/UDP ports, INETD services
  · Hackers sniffing passwords
  · Hacker exploitation of buggy operating systems
    – Inconsistent/tardy OS patching

Define Scope of Solution
• What we won’t do
  · Not feasible to secure every computer
  · Over-reliance on timely OS security fixes
  · Can’t prohibit internal “personal” modems
  · Attacks from within aren’t a big problem
• What we will do
  · Reduce external attacks from the Internet

Basic Solutions at NCAR
• One-time passwords
• Switched LANs
• Router packet filtering
• Application-proxy gateways
One-Time Passwords

One-time Passwords
• A.K.A. Challenge-Response
• Requires little calculator things (~$50/per)
• Prevents password sniffing
• We use it on critical devices
  · Routers, ATM Switches, Ethernet Switches, Remote Access Servers, Server hosts (root accounts)
• At the least, do this!
Switched LANs

Switched LANs
• Reduces packet eavesdropping
• Get this for “free” with switched network
Packet Filtering

Router-Based Filters
• Used to construct router-based firewall around your internal network
  · (and/or between internal networks)
• Main security implementation tool
• Routers check each inbound packet against filter criteria and accept or reject
• Filters reject dangerous packets
• Filters accept all useful packets

Packet Filtering At NCAR
• Cisco access-lists filter on
  · IP address source, destination, ranges
  · Interfaces: inbound and/or outbound
  · Protocols, TCP ports, etc.
• We filter only inbound packets
• Performance is an issue
  · We have Cisco 7507 routers
  · Using RSP4 CPUs

Filter Stance: Strong or Weak?
• Strong
  · Deny everything, except for the good stuff
• Weak
  · Allow everything, except for the bad stuff
• NCAR chose a Strong stance

Firewall Flexibility Needed
• Some NCAR Divisions wanted...
  · All hosts on some subnets to be “outside” firewall
  · Just some hosts “outside” firewall in each subnet
• Our solution…
  · Some whole IP subnets bypassed by firewall filters
  · Part of every IP subnet bypassed by firewall filters

Firewall Flexibility Needed
• Excluded/bypassed subnets are called exposed subnets; all others are called protected subnets
• Excluded/bypassed hosts are called exposed hosts; all other hosts are called protected hosts
• “protected” means NO connections are allowed from outside the firewall

Implementing Flexibility
• Rules to define exposed subnets
• Filters bypass all hosts on selected subnets
  · permit ip any 128.117.1.0 0.0.0.255
• One of these rules for each exposed subnet
• This works best when subnets are assigned according to organizational topology

Implementing Flexibility
• Rules to define exposed hosts
• Bypass a fixed set of hosts on all subnets
  · permit ip any 128.117.0.0 0.0.255.15
• Divisions had to re-address some hosts before the filter was installed
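As an added illustration, not part of the deck, the Python below shows how the two permit lines above (exposed subnets and exposed hosts) behave inside a strong-stance inbound list: it implements Cisco wildcard-mask matching, evaluates an ordered list first-match-wins, and tallies per-line hits like the statistics slide. The anti-spoofing line, the explicit catchall, and the 192.0.2.0/24 sample source are assumptions.

```python
import ipaddress
from dataclasses import dataclass

def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask test: a 1 bit in the wildcard means 'don't care',
    so addr must equal base only in the bits the wildcard leaves as 0."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(addr) ^ _to_int(base)) & care == 0

@dataclass(frozen=True)
class Rule:
    action: str   # "permit" or "deny"
    src: tuple    # (base, wildcard) for the source address
    dst: tuple    # (base, wildcard) for the destination address
    label: str    # which counter on the statistics slide this line feeds

ANY = ("0.0.0.0", "255.255.255.255")   # Cisco "any": every bit is don't-care

# Constructed inbound access-list in the deck's strong stance. The two permit
# lines are the deck's own examples; the anti-spoofing deny and the explicit
# catchall deny are assumptions standing in for the rest of the 41-line list.
ACL = [
    Rule("deny", ("128.117.0.0", "0.0.255.255"), ANY, "spoofing"),          # packet from outside claiming an NCAR source
    Rule("permit", ANY, ("128.117.1.0", "0.0.0.255"), "exposed networks"),  # every host on exposed subnet 128.117.1.0/24
    Rule("permit", ANY, ("128.117.0.0", "0.0.255.15"), "exposed hosts"),    # hosts .0 to .15 on every NCAR subnet
    Rule("deny", ANY, ANY, "catchall"),                                     # all else: protected hosts get no inbound connections
]

def evaluate(src: str, dst: str, acl=ACL) -> tuple:
    """First matching line wins, as on a Cisco router; returns (action, label)."""
    for rule in acl:
        if wildcard_match(src, *rule.src) and wildcard_match(dst, *rule.dst):
            return rule.action, rule.label
    return "deny", "implicit"   # Cisco's implicit deny at the end of every list

def hit_counts(packets, acl=ACL) -> dict:
    """Tally which line each (src, dst) pair hit, like the per-line hit
    counters the deck reports 28 days after the filter went in."""
    counts = {rule.label: 0 for rule in acl}
    for src, dst in packets:
        counts[evaluate(src, dst, acl)[1]] += 1
    return counts
```

The 0.0.255.15 wildcard is why Divisions had to re-address hosts: only addresses whose last octet is 0 through 15 match it, on every /24 under 128.117.0.0.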

Example Filter Statistics
• 41 lines (rules) in NCAR’s access-list
• Hits, 28 days after filter was installed:
  · 3 MP Denied because of spoofing
  · 17 MP Denied because of “catchall”
  · 71 MP Permitted to exposed networks
  · 100 MP Permitted to exposed hosts

Exposed Hosts
• Example: Web servers, data source machines, etc.
• Must meet stringent security standards to avoid being compromised and used as launch pads for attacking protected hosts
  · OS restricts set of network services allowed
  · Must keep up with OS patches
Application-Proxy Gateways

What They Are & Do
• Provides proxy access to protected hosts for insecure services like FTP, Telnet, X11
• Central access and monitoring point
• Authenticates users
• OS is kept VERY secure
  · Patches kept up to date
  · Unneeded services turned off
  · No “direct” use by users
Security Administrator

Security Administrator
• Provides focus for security for the entire institution
• Helps deal with break-ins
• Central point of contact
• Tracks CERT advisories for sysadmins
• Advocates security solutions, like ssh
• Scans exposed hosts for standards violations
• Generally helps/educates sysadmins
Impacts of NCAR’s Security

Benefits
• >95% of NCAR hosts are protected
• Outbound Telnet, HTTP, etc. still work
• Most users don’t notice any changes
• Relatively cheap and easy
• Dial-in users are “inside”, no changes

Drawbacks
• UDP is blocked
• Some services are no longer available
  · Inbound pings are blocked !!!
  · To use FTP, must use passive mode, or use an exposed host, or proxy through the Gateway
• DNS and email can get REAL complicated

Drawbacks (cont.)
• Password sniffing still possible outside of firewall
• Ignores attacks from within
• Modems in offices are a huge hole
  · Bypasses authentication in our secure modem pool
Wrapup

Security is Never “Done”
• How do you know if you’re being hacked?
  · “Silent” attacks very hard to detect
  · “Noisy” attacks hard to distinguish from other network (or host) problems
• Network keeps changing
• Software keeps changing
• Hackers keep advancing

Security is Never “Done” (cont.)
• Policy and security mechanisms must keep
• Security committee continues to meet

Conclusion
• NCAR struck a balance between:
  · Convenience and Security
  · Politics and Technology
  · Cost and Quality
• Seems to work for us
• Installed it “just in time”
  · Filters were installed just as attacks were getting unbearable