Security in the NT environment at SLAC - Hep NT Days

Security in the NT Environment
at SLAC
HEPNT at CERN
December 4, 1998
Bob Cowles, SLAC
Background
• Over 3000 hosts respond to ping
– Over 1200 NT machines
– Over 800 Unix machines
• Business Services Division
– PeopleSoft Financials & Human Resources
– WinNT workstations; Oracle DB on Unix
• 150 W/S in central offices
• 50 W/S in departments distributed around Lab
Crisis -> Response
• Serious intrusion in June 1998
– Over 20 Unix hosts compromised (root)
– Over 40 user accounts used
• Response
– Cut off from Internet for a week
– Changed all passwords
– Applied deferred security patches
– Increased packet filtering
Challenge - Priorities
• Prevent unauthorized access to business
systems and confidential data
• Protect accelerator control systems
• Protect physics data and programs
Challenge - Constraints
• Implement security measures consistent
with the research mission
– Open
– Collaborative
• Credible response to vulnerabilities
– Password compromise
– Local admin & PC mode of thinking
Threat Analysis
• Attack on Oracle DB
– Alter data
– Read personal or confidential data
– Denial of Service
• External Attack
• Internal (authenticated user) Attack
• Adapt to new threats over next 2 years
Countermeasures I
• External
– Filter out NT networking protocols
– Strengthen passwords (passfilt)
• Internal
– Emphasize SP3 + Hotfixes
– Promote SMS and central mgmt tools
– Proposed significant tightening of all NT W/S
Problems I
• General revolt at proposal
– “Personal Computer”
– Inadequate support
– Non-standard configurations
– Inventive requirements
• One size does not fit all
Countermeasures II
• Use Business Services Division as a pilot
– Significantly increase restrictions on NT
– Use latest technology to provide:
• safety
• functionality
• Examined many alternatives
– Filtering routers, firewalls, VPNs, IDS, etc.
Problems II
• Latest technology is very immature (!) and
vendors don’t understand it
• Required features in the next release (RSN)
• Solutions require
– Lots of inter-group cooperation & coordination
– Very easy to have 3-4 inadequate solutions for
the same problem
• BSD users are all over the Lab
Strawman I
• Use VLANs to put all users “together”
• Very heavy filtering on internal router
• Many users have two workstations
– Communicate externally & with rest of Lab
• No tight controls on configuration
– Communicate with PeopleSoft applications
• Centrally maintained
• Standard configuration
Strawman I
[Network diagram. Labels: BSDnet; BSD Domain Cntlr; PeopleSoft Prod; PeopleSoft Test; BIS Web Server; Data Warehouse; User01, UserXX, UserYY; Rest of SLAC; FDDI]
Strawman I :-(
• Cost of additional W/S and network equip.
• Fear of “yellow cables”
• Loss of desktop space - user reaction
• Confusing relationship between domains
• Concerns about “piped” cross authentication (e.g. new web browsers)
Strawman II
[Network diagram. Labels: BSDnet; PeopleSoft Prod; PeopleSoft Test; BIS Web Server; Data Warehouse; User01, UserXX, UserYY; BSD Domain Cntlr; Rest of SLAC; FDDI]
Strawman II :-(
• Very difficult to packet filter properly
(SQL*Net uses ephemeral ports)
• Possible performance issues with Two-tier
PeopleSoft client
• Questionable protection in time of intrusion
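
The packet-filtering difficulty named on this slide, as an added illustration that is not part of the original presentation: a static, stateless filter is evaluated against constructed flows. All addresses, rules and the redirect port are assumptions; 1521 is used as the listener port because it is the usual Oracle default.

```python
# Added example: static packet filtering vs. a service that moves each
# session to an ephemeral port. Addresses, ports and rules are constructed.
from ipaddress import ip_address, ip_network

DB = "10.1.1.10"            # hypothetical Oracle server
CLIENT_NET = "10.2.0.0/16"  # hypothetical client VLAN

# rule = (action, source network, destination host, (low port, high port))
TIGHT = [("permit", CLIENT_NET, DB, (1521, 1521))]
# The only static rule that lets the moved session through is a wide one.
WIDE = TIGHT + [("permit", CLIENT_NET, DB, (1024, 65535))]

# flow = (label, source, destination, destination port)
FLOWS = [
    ("listener connect", "10.2.3.4", DB, 1521),
    ("redirected session", "10.2.3.4", DB, 49213),  # port picked at run time
    ("unrelated high-port service", "10.2.3.4", DB, 8080),
    ("outside client", "192.0.2.7", DB, 1521),
]


def decide(rules, src, dst, port):
    """First matching rule wins; anything unmatched is denied."""
    for action, net, host, (lo, hi) in rules:
        in_net = ip_address(src) in ip_network(net)
        if in_net and dst == host and lo <= port <= hi:
            return action
    return "deny"


def evaluate(rules):
    """Return the filter decision for every constructed flow."""
    return {label: decide(rules, s, d, p) for label, s, d, p in FLOWS}


if __name__ == "__main__":
    for name, rules in (("tight", TIGHT), ("wide", WIDE)):
        print(name)
        for label, verdict in evaluate(rules).items():
            print(f"  {verdict:6} {label}")
```

The tight rule set breaks the application after the first connect, while the wide one also exposes every other high-port service on the database host to the client network.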
Strawman III
[Network diagram. Labels: BSDnet; BSD Domain Cntlr; WTS Server; PeopleSoft Prod; PeopleSoft Test; BIS Web Server; Data Warehouse; User01, UserXX, UserYY; Rest of SLAC; FDDI]
Strawman III :-(
• Still problems during/immediately after
intrusion
– Mission critical functions
– Access to BIS web server required
• WTS is new technology
– What if it fails?
– What if it can’t handle the load?
Plan A
[Network diagram. Labels: Secure BSDnet; BSDnet; UserMC; User01, UserXX, UserYY; WTS +Citrix Farm; PeopleSoft Prod; PeopleSoft Test; BIS Web Server; Data Warehouse; BSD Domain Cntlr; Rest of SLAC; FDDI]
Plan A - Intrusion
[Network diagram. Labels: Secure BSDnet; BSDnet; UserMC; User01, UserXX, UserYY; WTS +Citrix Farm; PeopleSoft Prod; PeopleSoft Test; BIS Web Server; Data Warehouse; BSD Domain Cntlr; “Air Gap” (shown twice); Rest of SLAC; FDDI]
Plan A :-)
• Mission critical work can be done using
what works now
• WTS+Citrix provides add’l flexibility and
security options
Patrick
• Token cards will provide two-factor
authentication
• IDS will watch for what gets past filters
Current Status
• Testing WTS farm with live users
• Developing specifications for configuration
on user machines (apps, registry, etc.)
• Network hardware being installed
• Estimated completion - April 1
Comments?
• What have we overlooked?
• What are YOU doing in this area?
• How do you handle user administrated W/S?
• Feedback is appreciated!
[email protected]