Security in the NT Environment at SLAC
HEPNT at CERN, December 4, 1998
Bob Cowles, SLAC
12/04/98 Bob Cowles - SLAC 2
Background
• Over 3000 hosts respond to ping
– Over 1200 NT machines
– Over 800 Unix machines
• Business Services Division
– PeopleSoft Financials & Human Resources
– WinNT workstations; Oracle DB on Unix
• 150 W/S in central offices
• 50 W/S in departments distributed around Lab
Crisis -> Response
• Serious intrusion in June 1998
– Over 20 Unix hosts compromised (root)
– Over 40 user accounts used
• Response
– Cut off from Internet for a week
– Changed all passwords
– Applied deferred security patches
– Increased packet filtering
Challenge - Priorities
• Prevent unauthorized access to business systems and confidential data
• Protect accelerator control systems
• Protect physics data and programs
Challenge - Constraints
• Implement security measures consistent with the research mission
– Open
– Collaborative
• Credible response to vulnerabilities
– Password compromise
– Local admin & PC mode of thinking
Threat Analysis
• Attack on Oracle DB
– Alter data
– Read personal or confidential data
– Denial of Service
• External Attack
• Internal (authenticated user) Attack
• Adapt to new threats over next 2 years
Countermeasures I
• External
– Filter out NT networking protocols at the border
– Strengthen passwords (passfilt.dll password filter)
• Internal
– Emphasize NT 4.0 SP3 + Hotfixes
– Promote SMS and central mgmt tools
– Proposed significant tightening of all NT W/S
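As an added illustration of the passfilt rules (example code written for this page, not SLAC's or Microsoft's code): passfilt.dll, shipped with NT 4.0 SP2 and later, rejects a new password unless it is at least six characters long, draws on at least three of four character classes (English uppercase, lowercase, digits, non-alphanumeric) and contains neither the user name nor any part of the user's full name. The sample user record, the delimiter set and the three-character minimum for name parts are assumptions borrowed from later Microsoft complexity documentation.

```python
import re
import string

MIN_LENGTH = 6          # passfilt: at least six characters
REQUIRED_CLASSES = 3    # passfilt: three of the four classes below
# Assumption: full name is split on these delimiters and parts shorter than
# MIN_NAME_PART characters are ignored (taken from later Microsoft docs, not from the slides).
NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")
MIN_NAME_PART = 3


def classes_present(password):
    """Return the set of passfilt character classes that occur in the password."""
    checks = {
        "uppercase": lambda c: c in string.ascii_uppercase,   # English uppercase only
        "lowercase": lambda c: c in string.ascii_lowercase,   # English lowercase only
        "digit": lambda c: c in string.digits,
        "non-alphanumeric": lambda c: not c.isalnum(),
    }
    return {name for name, test in checks.items() if any(test(c) for c in password)}


def name_parts(username, full_name):
    """User name plus every sufficiently long token of the full name, lower-cased."""
    parts = {username.lower()}
    for token in NAME_DELIMITERS.split(full_name):
        if len(token) >= MIN_NAME_PART:
            parts.add(token.lower())
    return parts


def check_password(password, username, full_name):
    """Return the list of passfilt rule violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_present(password)) < REQUIRED_CLASSES:
        problems.append(f"fewer than {REQUIRED_CLASSES} of 4 character classes")
    lowered = password.lower()
    for part in sorted(name_parts(username, full_name)):
        if part in lowered:
            problems.append(f"contains name part {part!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample account, not a real SLAC user.
    user, full = "jsmith", "John Q. Smith"
    for candidate in ("password", "Ab1!", "Smith123!", "slac98!X"):
        verdict = check_password(candidate, user, full) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that the filter only checks the new password at change time; the slide's "Changed all passwords" after the June intrusion is what forces existing weak passwords through it.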
Problems I
• General revolt at proposal
– “Personal Computer”
– Inadequate support
– Non-standard configurations
– Inventive requirements
• One size does not fit all
Countermeasures II
• Use Business Services Division as a pilot
– Significantly increase restrictions on NT
– Use latest technology to provide:
• safety
• functionality
• Examined many alternatives
– Filtering routers, firewalls, VPNs, IDS, etc.
Problems II
• Latest technology is very immature (!) and vendors don’t understand it
• Required features are always in the next release (RSN, “real soon now”)
• Solutions require
– Lots of inter-group cooperation & coordination
– Very easy to end up with 3-4 inadequate solutions for the same problem
• BSD (Business Services Division) users are all over the Lab
Strawman I
• Use VLANs to put all users “together”
• Very heavy filtering on internal router
• Many users have two workstations
– One to communicate externally & with rest of Lab
• No tight controls on configuration
– One to communicate with PeopleSoft applications
• Centrally maintained
• Standard configuration
[Diagram: Strawman I. BSDnet (BSD Domain Controller, DataWarehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, and user workstations User01, UserXX, UserYY) on FDDI, attached to the rest of SLAC.]
Strawman I :-(
• Cost of additional W/S and network equip.
• Fear of “yellow cables”
• Loss of desktop space - user reaction
• Confusing relationship between domains
• Concerns about “piped” cross authentication (e.g. new web browsers)
[Diagram: Strawman II. Same elements as Strawman I (BSDnet with BSD Domain Controller, DataWarehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, user workstations User01, UserXX, UserYY on FDDI, attached to the rest of SLAC); users reach PeopleSoft from a single workstation through the packet-filtering router.]
Strawman II :-(
• Very difficult to packet filter properly (SQL*Net uses ephemeral ports: the client connects to the listener on a fixed port and is then redirected to a dynamically chosen server port, so a static port list cannot describe the traffic)
• Possible performance issues with Two-tier PeopleSoft client
• Questionable protection in time of intrusion
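The two filtering problems above, “filter out NT networking protocols” on the Countermeasures I slide and the SQL*Net ephemeral-port problem on this one, modelled in a small stateless first-match packet filter. This is an added example written for this page, not SLAC's router configuration; the addresses are RFC 5737 documentation ranges standing in for BSDnet and the Oracle host, the redirect port 49212 is constructed, and the redirect itself is the listener behaviour the slide refers to.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (RFC 5737 documentation ranges), not SLAC's real network.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")    # stands in for BSDnet
ORACLE_HOST = ipaddress.ip_network("192.0.2.10/32")    # stands in for the PeopleSoft Oracle server
NT_PORTS = range(135, 140)        # 135 RPC endpoint mapper, 137-139 NetBIOS name/datagram/session
SQLNET_LISTENER = 1521            # well-known Oracle listener port
EPHEMERAL = range(1024, 65536)    # everything the listener might redirect a client to


@dataclass
class Packet:
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass
class Rule:
    """One ACL entry; a None field means 'any'."""
    action: str
    proto: Optional[str] = None
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    dports: Optional[range] = None

    def matches(self, pkt):
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None and ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


def evaluate(rules, pkt):
    """First matching rule wins; implicit deny at the end, as on a router ACL."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Border filter: drop NT networking protocols inbound, let the rest through (the Lab is "open").
BORDER_RULES = [
    Rule("deny", "tcp", dst=INTERNAL_NET, dports=NT_PORTS),
    Rule("deny", "udp", dst=INTERNAL_NET, dports=NT_PORTS),
    Rule("permit"),
]

# Internal filter in front of the Oracle host, strict version: listener port only.
ORACLE_STRICT = [
    Rule("permit", "tcp", src=INTERNAL_NET, dst=ORACLE_HOST, dports=range(SQLNET_LISTENER, SQLNET_LISTENER + 1)),
    Rule("deny", dst=ORACLE_HOST),
]

# Loose version that makes SQL*Net work by opening the whole ephemeral range as well.
ORACLE_LOOSE = [
    Rule("permit", "tcp", src=INTERNAL_NET, dst=ORACLE_HOST, dports=range(SQLNET_LISTENER, SQLNET_LISTENER + 1)),
    Rule("permit", "tcp", src=INTERNAL_NET, dst=ORACLE_HOST, dports=EPHEMERAL),
    Rule("deny", dst=ORACLE_HOST),
]


def sqlnet_session(rules, client, server, redirect_port):
    """Model a two-tier SQL*Net connect: hit the listener, then follow its redirect
    to a dynamically chosen server port. Returns (listener_verdict, redirect_verdict)."""
    first = evaluate(rules, Packet("tcp", client, server, SQLNET_LISTENER))
    second = evaluate(rules, Packet("tcp", client, server, redirect_port))
    return first, second


if __name__ == "__main__":
    print("external NetBIOS session:", evaluate(BORDER_RULES, Packet("tcp", "203.0.113.7", "192.0.2.55", 139)))
    print("strict SQL*Net:", sqlnet_session(ORACLE_STRICT, "192.0.2.55", "192.0.2.10", 49212))
    print("loose SQL*Net:", sqlnet_session(ORACLE_LOOSE, "192.0.2.55", "192.0.2.10", 49212))
    print("loose, unrelated high port:", evaluate(ORACLE_LOOSE, Packet("tcp", "192.0.2.55", "192.0.2.10", 3389)))
```

The strict rule set blocks the redirected leg of every SQL*Net session, so the application breaks; the loose rule set makes it work but also admits any other high-port service on the Oracle host, which is the “questionable protection in time of intrusion” bullet in concrete form. A stateless filter cannot express “only the port the listener just handed out”; that needs either a proxy that understands the protocol or the terminal-server approach of the later strawmen.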
[Diagram: Strawman III. As Strawman II, with a WTS Server added inside BSDnet alongside the BSD Domain Controller, DataWarehouse, BIS Web Server, Test PeopleSoft and Prod PeopleSoft; user workstations User01, UserXX, UserYY on FDDI reach PeopleSoft through the terminal server.]
Strawman III :-(
• Still problems during/immediately after intrusion
– Mission critical functions
– Access to BIS web server required
• WTS (Windows NT Terminal Server) is new technology
– What if it fails?
– What if it can’t handle the load?
[Diagram: Plan A. A separate Secure BSDnet holds the BSD Domain Controller, DataWarehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft and a WTS+Citrix Farm; ordinary users (User01, UserXX, UserYY) on BSDnet/FDDI reach it through the farm, while a mission-critical workstation (UserMC) sits on Secure BSDnet directly; BSDnet attaches to the rest of SLAC.]
[Diagram: Plan A during an intrusion. Same layout as Plan A, with an “Air Gap” between Secure BSDnet and BSDnet and another between BSDnet and the rest of SLAC; only the mission-critical workstation (UserMC) on Secure BSDnet keeps access to the WTS+Citrix Farm, PeopleSoft and the BIS Web Server.]
Plan A :-)
• Mission critical work can be done using what works now
• WTS+Citrix provides add’l flexibility and security options
• Token cards will provide two-factor authentication
• IDS will watch for what gets past filters
Current Status
• Testing WTS farm with live users
• Developing specifications for configuration of user machines (apps, registry, etc.)
• Network hardware being installed
• Estimated completion - April 1
Comments?
• What have we overlooked?
• What are YOU doing in this area?
• How do you handle user-administered W/S?
• Feedback is appreciated!