1 / 39

Library Security Issues

Library Security Issues. Marshall Breeding Director for Innovative Technologies and Research Vanderbilt University http://staffweb.library.vanderbilt.edu/breeding. Alaska Library Association Annual Conference. February 24, 2006. The Threat.

kipling
Download Presentation

Library Security Issues

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Library Security Issues Marshall BreedingDirector for Innovative Technologies and Research Vanderbilt University http://staffweb.library.vanderbilt.edu/breeding Alaska Library Association Annual Conference February 24, 2006

  2. The Threat • Hacking: unauthorized access to servers and workstations on your network • DoS: Denial of service: impedes legitimate access to your services • Worms: self-perpetuating attacks that spread among vulnerable systems • Viruses: Unauthorized program attached to a legitimate program (typically e-mail)

  3. Security threats • Volume of attacks increasing • Sophistication of attacks increasing • Maliciousness of attacks have been far less than what might be possible in the future. • Commercial motivations: find ways to distribute SPAM and deliver hits to Web sites • Tools for creating attacks are becoming easier to use—”script kiddies” abound, but: • Fewer script kids, more professional code jockeys. • More 0-day scenarios: exploits available before security patches are available.

  4. Consequences • Lost data • Interruption services • Reveal personal data about library users • General loss of productivity • Staff time for system administrators in recovery • Institutional embarrassment

  5. Library Security Issues • Same concerns as commercial businesses and other organizations—no less of an issue • Protect the privacy of your library users • Protect your library’s services and data • Don’t let library systems become a jumping-off point for hackers to other networks or computers • Libraries are perceived as “an easy mark”

  6. Targets • Servers • Operating System • Network services – Web, email, DNS, NFS, etc • Applications: ILS, Other database applications • Workstations – Less of a distinction today between servers and workstations

  7. Security domains • Server / Workstation • Departmental • Enterprise Level

  8. Develop Multiple Tiers of Security • Server / Workstation: Each individual computer must be well secured • Enterprise – protect the network as a whole • Departmental – enforce additional security measures appropriate to departmental needs

  9. Server & Workstation Security Protecting systems individually

  10. Server / Workstation • Protect the individual computer • Even if other layers of security protection fail, each computer on the network is well protected.

  11. Operating System Security • Maintain an up-to-date operating system • Take advantage of automatic notification and updating services • Proactively monitor vulnerability reports • Install security-related patches expeditiously • Use personal firewalls • Part of Windows XP

  12. Operating System Security • Use only what you need • Every network service and application requires attention to security • Install selectively • Check / Verify services and subsystems • Uninstall non-essential services

  13. Application Security • Make sure that your core business applications (ie: ILS) run securely and enforce strong protection of all data elements. • Keep the application as current as possible • Work with vendors to insure tight security.

  14. Buffer overflows • Both OS and Applications are subject to attacks through buffer overflows • Causes applications to abort, leaving the user at an unknown state. • Often the unknown state is root-level, or can get it.

  15. Account Management • Review all delivered accounts – disable, rename, remove as appropriate • Pay special attention to accounts associated with network services and anonymous access • What account is associated with your Web server? And what are its privileges?

  16. Password Management • Require the use of strong passwords • Long passwords of pass phrases • Do not use words in any dictionary, including foreign-languages • Do not use proper nouns • Do not use keyboard patterns • Enforce frequent password changes • Be prepared for staff grumbling

  17. Password vulnerabilities • Never send a password over the network in the clear. • Ensure that all applications use encryption in its login sequence. • Secure passwords must never be exposed to insecure login systems • Require separate passwords for systems that don’t meet this requirement

  18. Root-level accounts • Must be treated with extraordinary care • At a minimum enforce password requirements used for standard accounts • Do not let system administrators use root/Administrator level accounts for routine activities. • Login as Root only when making system changes that require superuser rights

  19. Server / Workstation Firewalls • Personal Firewalls • Monitor incoming and outgoing network traffic • Enforces rules for allowed and non-allowed patterns • Port by port security • Application-specific rules

  20. Personal Firewall examples • Zone Alarm (http://www.zonelabs.com) • Windows servers • Windows Firewall from Microsoft • TCP Wrappers • Unix

  21. Workstation-level virus protection • Scans incoming mail and files for signatures revealing known viruses and worms • Must be active continuously and updated routinely to be effective • Generally considered to be a secondary layer of protection in organizations that implement enterprise-level scanning.

  22. Server considerations • Do not run mail clients on network servers • Avoid introducing security problems on a server through a Web client • Web browser needed for installation of server software • Browse only to sites you consider reliable and safe.

  23. Enterprise-Level Security Protect the network as a whole

  24. Network Firewall • Intelligent router that passes traffic based on pre-established rules • Can block traffic on any given ports • Can block traffic to specific computers within the organization • Packet-by-packet analysis

  25. Denial of Service protection • Most firewalls protect from DoS • Port scanning – outsiders building a network map • Aggressive attacks can flood firewall, effectively creating a DoS • Logging of attacks is helpful, but often needs to stop during an aggressive attack to avoid flooding.

  26. Enterprise Network Security Architecture • Trend toward managing security on the enterprise level • Divides the network into security zones • Enforced through VLANs • Internal firewalls

  27. Limit / Eliminate Network Sniffing • Ethernet allows for promiscuous mode for packet viewing • Shared media Ethernet exposes entire segment • Switched Ethernet limits what a packet sniffer can view. • Organizations moving toward switched Ethernet

  28. Firewall Placement • Perimeter control established through primary Internet router • Many internal zones are just as threatening as Internet • Internal firewalls often established to protect highly sensitive computing systems from general purpose network

  29. Virtual Private Networks • Offer end-to-end encryption across insecure security zones • Often works in conjunction with firewalls. • VPN client: communicates with VPN application on a firewall or server to establish a secure channel of communications.

  30. Enterprise Virus protection • Eliminate viruses and other malicious attacks at the perimeter of the network • Move toward centralized mail services • Scanning performed before messages enter the mail delivery system • Example Trend Micro • Trend toward security appliances that perform spam filtering, virus protection, bandwidth shaping and other security-related features.

  31. Enterprise Virus protection • Much more effective than workstation-level utilities • Uses sophisticated detection systems that can be updated very frequently. • Less reliant on human intervention • Virtually eliminates the possibility of a virus making its way to the workstation • Not fool-proof

  32. Departmental Security • Each department or unit within an organizational should assess the security needs appropriate to its role or mission. • Libraries may need zones that offer more open access than the enterprise • May have other specialized concerns with security implications: Public access computing, internet filtering, etc.

  33. Departmental services • What services should be provided department and what services should be provided by the enterprise • Most organizations moving more toward supplying network services at the enterprise level • Mail, file services, DNS, etc. • Only specialized applications run by departments • ILS • Many organizations moving away from all departmental computing in favor of the enterprise • The network is as secure as its weakest links

  34. Library-specific issues

  35. Library Security • Libraries need to operate within the security standards of their higher level IT support organizations • Libraries have some security requirements often not well understood by IT • Public-access computing challenging from a security perspective

  36. Public workstation security • Many products and techniques for “securing” public workstations • Deal more with inhibiting tampering than with ensuring networking security • Don’t trust what happens on workstations with anonymous unauthenticated access regardless of the level of anti-tampering control • Segregate public computing from staff computing

  37. Library Network With Public / Staff Separation Router / Firewall Router Ethernet Switch Ethernet Switch Ethernet Switch Library Staff Workstations Access Point Public Access Workstations

  38. Final thoughts • Good security is expensive and time-consuming • Requires constant attention • Necessary overhead for organizations like libraries that provide network-based services • Shouldn’t stymie the organization

  39. Questions / Discussion Marshall Breeding Marshall.breeding@vanderbilt.edu http://staffweb.library.vanderbilt.edu/breeding

More Related