JLAB Password Security

Ian Bird

Jefferson Lab

HEPiX-SLAC

6 Oct 1999

History
  • Aug ’97 – break-in & compromise
    • Off the net for 5 days
  • Enforced password changes & tightened rules
  • Installed network and system monitors
  • Tightened/created access policies
    • Denied off-site access to systems that were not verified and monitored
Since then…
  • Installed firewall + traffic monitors
  • Continual tightening of access
    • Very few systems directly open to the outside now
  • Push to ssh on all platforms
    • Tera Term (ssh extension) on PCs, Data Fellows ssh on Mac
    • Shut down telnet, rsh, etc.
  • Mail: IMAP + SSL
    • Netscape + Outlook as remote clients
  • Creation of a “DMZ”
  • Continuing move to a switched network (> 70% done)
  • Protected by routers:
    • Business Services/HR
    • Accelerator controls
External access
  • Still need to provide clear-text password access from off-site
  • Implementing “DMZ” outside the firewall with:
    • Split-horizon DNS
    • External mail server (forwarder)
    • ftp server (not through the firewall)
    • Web server
    • (eventually) telnet/ssh forwarder
  • Only 3 central hosts open to the outside
    • ssh or web access to selected internal hosts
      • These have to be monitored.
Mail
  • Currently allow POP, IMAP and S-IMAP (IMAP over SSL)
    • Switching off POP and clear-text IMAP soon
  • UW IMAP server
    • SSLeay encrypts the session, so the password never crosses the network in clear
      • Server presents its certificate to the client
  • Clients:
    • Netscape (everywhere), Outlook (PCs)
  • S-IMAP has been working well for > 1 year
External mail server
  • Server in DMZ forwards S-IMAP, IMAP, POP to the internal mail server (TCP port forwarding only)
    • Perl script
    • Avoids copying files or mounting filesystems outside the firewall
    • No authentication outside
      • No password file accessible on the external server
  • Working on telnet/ssh forwarder (gateway)
    • Deny direct telnet access to the inside, but
    • Provide telnet access where needed
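The forwarder above is a pure TCP relay: the DMZ host terminates nothing and knows no passwords, so compromising it yields no credentials. The following Python relay is an added example in that spirit, not Jefferson Lab's Perl script. It forwards only an allow-list of ports (993, 143 and 110 by default) to one fixed internal host and refuses anything else; the loopback internal host, the echo server standing in for the internal IMAP server, and the sample IMAP command line are constructed for the demonstration.

```python
# Added example: a port-only TCP relay for a DMZ host, in the spirit of the
# Perl forwarder described on the slide (not Jefferson Lab's script).  It
# authenticates nobody and holds no password file; it only copies bytes to a
# fixed internal mail host, and only for ports on its allow-list.
import socket
import threading

MAIL_PORTS = frozenset({993, 143, 110})   # S-IMAP, IMAP, POP from the slide


def pump(src, dst):
    """Copy bytes one way until EOF, then half-close dst so the peer sees EOF."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class PortRelay:
    def __init__(self, internal_host, allowed_ports=MAIL_PORTS):
        self.internal_host = internal_host
        self.allowed_ports = frozenset(allowed_ports)

    def is_relayed(self, port):
        """Policy check: only the listed ports are forwarded."""
        return port in self.allowed_ports

    def handle(self, client, port):
        """Relay one accepted connection to internal_host:port, both directions."""
        try:
            inner = socket.create_connection((self.internal_host, port), timeout=10)
        except OSError:
            client.close()
            return
        inner.settimeout(None)      # idle mail sessions must not be cut off
        with client, inner:
            back = threading.Thread(target=pump, args=(inner, client), daemon=True)
            back.start()
            pump(client, inner)
            back.join()

    def _accept_loop(self, srv, port):
        while True:
            try:
                client, _ = srv.accept()
            except OSError:         # listener closed
                return
            threading.Thread(target=self.handle, args=(client, port), daemon=True).start()

    def listen(self, port, bind_host="0.0.0.0", bind_port=None):
        """Expose one relayed service; refuse anything off the allow-list.
        Returns the bound port (bind_port=0 picks an ephemeral one)."""
        if not self.is_relayed(port):
            raise ValueError(f"port {port} is not on the relay allow-list")
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_host, port if bind_port is None else bind_port))
        srv.listen(32)
        threading.Thread(target=self._accept_loop, args=(srv, port), daemon=True).start()
        return srv.getsockname()[1]


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the internal mail server; returns its ephemeral port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(8)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                data = conn.recv(4096)
                if data:
                    conn.sendall(b"* OK echo " + data)   # IMAP-style untagged reply

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def roundtrip(relay_port, payload, host="127.0.0.1"):
    """Outside client: send payload through the relay, return the full reply."""
    with socket.create_connection((host, relay_port), timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: c.recv(4096), b""))


if __name__ == "__main__":
    inner = start_echo_server()                     # stands in for the internal IMAP host
    relay = PortRelay("127.0.0.1", allowed_ports={inner})
    ext = relay.listen(inner, bind_host="127.0.0.1", bind_port=0)
    print(roundtrip(ext, b"a001 CAPABILITY\r\n"))
```

Because the relay copies bytes blindly, S-IMAP stays end-to-end: the TLS session and the server's private key live on the internal host, and the relay never sees a password. Clear-text IMAP and POP passwords still cross the outside network readable, which is why the previous slide wants them switched off.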
Developments
  • Would be nice to have a consistent framework for all authenticated applications and processes
  • Something that works with SSL and can:
    • Handle normal logins
    • Do process-to-process authentication
  • Minimize the number of credentials a user has to keep track of
  • Set up a general CA
    • Currently use (different) certificates for
      • Mail
      • MIS applications
Developments (cont.)
  • Possible candidates:
    • Globus/GSI
      • ssh that uses certificates
      • Authenticates processes
      • Can span sites with different authentication schemes (Kerberos, etc.)
    • Kerberos?
Summary
  • Close to removing clear-text passwords internally
  • Provide clear-text external access in a controlled way
  • Need a consistent framework for authentication
  • Problems:
    • NIS: ypcat passwd hands the password hashes to any host on the network
    • X-terminals: logins cross the wire in clear (although most are now on switched ports)
    • Win95/98 LAN Manager hash cripples NT security (case-folded, split into two 7-character DES halves, so cheap to crack)
      • Phase out Win95/98 in the domain by mid-2000
    • Modems: dial-in back door around the firewall