JLAB Password Security, Ian Bird, Jefferson Lab, HEPiX-SLAC, 6 Oct 1999

History
Aug ’97: break-in & compromise
  – Off the net for 5 days
Enforced password changes & tightened rules
Installed network and system monitors
Tightened/created access policies
  – Denied off-site access to systems that were not verified and monitored

Since then…
Installed firewall + traffic monitors
Continual tightening of access
  – Very few systems directly open to outside now
Push to ssh on all platforms
  – TeraTerm/ssh on PCs, DataFellows on Mac
  – Shut down telnet, rsh etc.
Mail: IMAP + SSL
  – Netscape + Outlook as remote clients
Creation of “DMZ”
Continue to move to switched network (> 70%)
Protect with routers:
  – Business Services/HR
  – Accelerator controls

External access
Still need to provide clear-text password access from off-site
Implementing “DMZ” outside firewall with:
  – Split-horizon DNS
  – External mail server (forwarder)
  – ftp server (not through firewall)
  – Web server
  – (eventually) telnet/ssh forwarder
Only 3 central hosts open to outside
  – ssh or web access to selected internal hosts
  – These have to be monitored

Mail
Currently allow POP, IMAP and S-IMAP (SSL)
  – Switch off POP and clear-text IMAP soon
UW IMAP server
  – SSLeay encrypts the session, so the password never crosses the network in clear text
  – Server presents its certificate to the client
Clients:
  – Netscape (everywhere), Outlook (PCs)
S-IMAP has been working well for > 1 year

External mail server
Server in DMZ forwards S-IMAP, IMAP, POP to internal mail server (ports only)
  – Perl script
  – Avoids copying files or mounting filesystems outside firewall
  – No authentication outside the firewall: no password file accessible on the external server
Working on telnet/ssh forwarder (gateway)
  – Deny direct telnet access to inside, but
  – Provide telnet access where needed
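The port-only relay the slide describes, written here as an added Python example rather than the Perl script JLab actually ran (that script is not on the page). It assumes the internal mail server and the DMZ relay both live on localhost so the demo runs offline: a small echo server stands in for the internal IMAP/POP server, ephemeral ports replace 993/143/110, and the names PortRelay, validate_rules, start_echo_server and round_trip are this example's own.

```python
import socket
import threading

# Standard ports of the three services the slide's DMZ host relays; the demo
# below binds ephemeral ports instead so it runs unprivileged.
SERVICE_PORTS = {"imaps": 993, "imap": 143, "pop3": 110}


def validate_rules(rules):
    """Return (ok, rejected) for (listen_port, target_port) pairs: only the
    mail ports may be relayed, so this cannot become a telnet/rsh gateway."""
    allowed = set(SERVICE_PORTS.values())
    rejected = [rule for rule in rules if rule[1] not in allowed]
    return not rejected, rejected


def _listen(port=0):
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind(("127.0.0.1", port))
    s.listen(16)
    return s


def _accept_loop(listener, handler):
    """One thread per connection; returns once the listener is closed."""
    while True:
        try:
            conn, _peer = listener.accept()
        except OSError:
            return
        threading.Thread(target=handler, args=(conn,), daemon=True).start()


def _pump(src, dst):
    """Copy bytes src -> dst until EOF, then half-close dst so the peer sees EOF."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, target):
    """Bytes flow both ways unparsed: the login happens against the internal
    server, so the DMZ host never needs a password file of its own."""
    upstream = socket.create_connection(target)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    upstream.close()
    client.close()


class PortRelay:
    """Accept TCP connections on one port and relay each to target."""

    def __init__(self, target_host, target_port, listen_port=0):
        self.target = (target_host, target_port)
        self.connections = 0                    # accepted clients, for auditing
        self.sock = _listen(listen_port)
        self.port = self.sock.getsockname()[1]  # bound port (ephemeral if 0)
        threading.Thread(target=_accept_loop, args=(self.sock, self._handle),
                         daemon=True).start()

    def _handle(self, client):
        self.connections += 1
        _relay(client, self.target)

    def stop(self):
        self.sock.close()


def start_echo_server():
    """Stand-in for the internal mail server: echoes each byte back.
    Returns (port, stop_function)."""
    srv = _listen()
    threading.Thread(target=_accept_loop,
                     args=(srv, lambda c: (_pump(c, c), c.close())),
                     daemon=True).start()
    return srv.getsockname()[1], srv.close


def round_trip(relay_port, payload):
    """Send payload through the relay, half-close, and collect the reply."""
    with socket.create_connection(("127.0.0.1", relay_port)) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
        return b"".join(chunks)


if __name__ == "__main__":
    echo_port, stop_echo = start_echo_server()
    relay = PortRelay("127.0.0.1", echo_port)
    print(round_trip(relay.port, b"a001 CAPABILITY\r\n"))
    relay.stop()
    stop_echo()
```

The relay holds no credentials, so a compromise of the DMZ host yields connection metadata and the ability to sniff or tamper with the clear-text IMAP/POP sessions passing through it, one more reason to switch off POP and clear-text IMAP as the Mail slide plans. validate_rules is the "ports only" policy in code: the same script cannot be turned into the telnet gateway without a deliberate change to the allowed set.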

Developments
Would be nice to have a consistent framework for all authenticated applications and processes
Something that works with SSL and can:
  – Handle normal logins
  – Do process-to-process authentication
  – Minimize the number of credentials a user has to keep track of
Set up a general CA
  – Currently use (different) certificates for mail and for MIS applications

Developments (cont.)
Possible candidates:
  – Globus/GSI
    ssh that uses certificates
    Authenticates processes
    Can span sites with different encryption schemes (Kerberos, etc.)
  – Kerberos?

Summary
Close to removing clear-text passwords internally
Provide clear-text external access in a controlled way
Need a consistent framework for authentication
Problems:
  – NIS: ypcat passwd hands the password map, hashes included, to any host on the network
  – X-terminals (although most are now on switched ports)
  – Win95/98 clients use the LANManager hash, which cripples NT security (the LM hash is case-insensitive and split into two 7-character halves)
    Suppress W95/98 in domain by mid-2000
  – Modems: a back door around the firewall
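The NIS problem listed above, as an added example that is not part of the talk: a Python audit of what `ypcat passwd` returns, flagging every account whose hash is actually exposed, accounts with no password at all, extra UID-0 accounts, and accounts that share an identical hash (same salt and hash means same password). The sample map, its hash strings and user names are constructed for this example; the classification rules follow the standard crypt(3) formats (13-character traditional DES, `$1$` MD5).

```python
import re
from collections import defaultdict

# Constructed sample of a ypcat passwd dump. Hash fields are made up and are
# not real credentials.
SAMPLE_YPCAT_PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/csh
bob:Xy9QqZ2wLpTmE:1002:100:Bob:/home/bob:/bin/tcsh
carol:$1$saltsalt$3fXeKq9Zl1aNp8ZwvR0g6/:1003:100:Carol:/home/carol:/bin/bash
dave::1004:100:Dave:/home/dave:/bin/sh
operator:*:1005:100:Locked:/nonexistent:/bin/false
root2:Xy9QqZ2wLpTmE:0:0:Spare root:/:/bin/sh
"""

# Traditional crypt(3): 2-character salt + 11 characters, alphabet ./0-9A-Za-z.
CRYPT_DES = re.compile(r"^[./0-9A-Za-z]{13}$")

# Kinds that mean a remote client learned something crackable or usable.
EXPOSED = {"empty", "exposed-des", "exposed-md5", "unknown"}


def classify_hash(field):
    """Classify the second passwd field as seen by any NIS client."""
    if field == "":
        return "empty"          # no password at all: login succeeds outright
    if field == "x":
        return "shadowed"       # real hash lives in a map clients cannot read
    if field[0] in "*!":
        return "locked"         # cannot match any crypt() output
    if CRYPT_DES.match(field):
        return "exposed-des"    # crackable offline; only 8 chars significant
    if field.startswith("$1$"):
        return "exposed-md5"    # crackable offline, just slower per guess
    return "unknown"            # unrecognised format: treat as exposed


def audit_passwd_map(text):
    """Return (line_no, user, finding) tuples for every problem in the map."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            findings.append((n, None, "malformed"))
            continue
        user, pw, uid = parts[0], parts[1], parts[2]
        kind = classify_hash(pw)
        if kind in EXPOSED:
            findings.append((n, user, kind))
        if uid == "0" and user != "root":
            findings.append((n, user, "uid-0"))
    return findings


def shared_hashes(text):
    """Map each hash that occurs more than once to the users sharing it.

    Identical crypt output implies identical salt and password, so cracking
    one account cracks all of them at no extra cost.
    """
    users_by_hash = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and classify_hash(parts[1]) in EXPOSED and parts[1]:
            users_by_hash[parts[1]].append(parts[0])
    return {h: u for h, u in users_by_hash.items() if len(u) > 1}


if __name__ == "__main__":
    for finding in audit_passwd_map(SAMPLE_YPCAT_PASSWD):
        print(finding)
    print(shared_hashes(SAMPLE_YPCAT_PASSWD))
```

Only alice and operator pass cleanly: alice's map entry carries no hash, and operator's is locked. Everything else in the sample is what an attacker gets from one unauthenticated `ypcat passwd` on the LAN, which is why the talk lists NIS beside the other paths that still leak credentials.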