Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC.

Presentation transcript:

Slide 1: Security in the NT Environment at SLAC
HEPNT at CERN, December 4, 1998
Bob Cowles, SLAC

Slide 2: Background
Over 3000 hosts respond to ping
  – Over 1200 NT machines
  – Over 800 Unix machines
Business Services Division
  – PeopleSoft Financials & Human Resources
  – WinNT workstations; Oracle DB on Unix
      150 W/S in central offices
      50 W/S in departments distributed around Lab

Slide 3: Crisis -> Response
Serious intrusion in June 1998
  – Over 20 Unix hosts compromised (root)
  – Over 40 user accounts used
Response
  – Cut off from Internet for a week
  – Changed all passwords
  – Applied deferred security patches
  – Increased packet filtering

Slide 4: Challenge - Priorities
Prevent unauthorized access to business systems and confidential data
Protect accelerator control systems
Protect physics data and programs

Slide 5: Challenge - Constraints
Implement security measures consistent with the research mission
  – Open
  – Collaborative
Credible response to vulnerabilities
  – Password compromise
  – Local admin & PC mode of thinking

Slide 6: Threat Analysis
Attack on Oracle DB
  – Alter data
  – Read personal or confidential data
  – Denial of Service
External Attack
Internal (authenticated user) Attack
Adapt to new threats over next 2 years

Slide 7: Countermeasures I
External
  – Filter out NT networking protocols
  – Strengthen passwords (passfilt)
Internal
  – Emphasize SP3 + Hotfixes
  – Promote SMS and central mgmt tools
  – Proposed significant tightening of all NT W/S

Slide 8: Problems I
General revolt at proposal
  – “Personal Computer”
  – Inadequate support
  – Non-standard configurations
  – Inventive requirements
One size does not fit all

Slide 9: Countermeasures II
Use Business Services Division as a pilot
  – Significantly increase restrictions on NT
  – Use latest technology to provide:
      safety
      functionality
Examined many alternatives
  – Filtering routers, firewalls, VPNs, IDS, etc.

Slide 10: Problems II
Latest technology is very immature (!) and vendors don’t understand it
Required features in the next release (RSN)
Solutions require
  – Lots of inter-group cooperation & coordination
  – Very easy to have 3-4 inadequate solutions for the same problem
BSD users are all over the Lab

Slide 11: Strawman I
Use VLANs to put all users “together”
Very heavy filtering on internal router
Many users have two workstations
  – Communicate externally & with rest of Lab
      No tight controls on configuration
  – Communicate with PeopleSoft applications
      Centrally maintained
      Standard configuration

Slide 12: Strawman I
[Network diagram. Labels: BSDnet, Rest of SLAC, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserYY, UserXX, BSD Domain Cntlr]

Slide 13: Strawman I :-(
Cost of additional W/S and network equip.
Fear of “yellow cables”
Loss of desktop space - user reaction
Confusing relationship between domains
Concerns about “piped” cross authentication (e.g. new web browsers)

Slide 14: Strawman II
[Network diagram. Labels: BSDnet, Rest of SLAC, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserYY, UserXX, BSD Domain Cntlr]

Slide 15: Strawman II :-(
Very difficult to packet filter properly (SQL*Net uses ephemeral ports)
Possible performance issues with Two-tier PeopleSoft client
Questionable protection in time of intrusion

Slide 16: Strawman III
[Network diagram. Labels: BSDnet, Rest of SLAC, WTS Server, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserYY, UserXX, BSD Domain Cntlr]

Slide 17: Strawman III :-(
Still problems during/immediately after intrusion
  – Mission critical functions
  – Access to BIS web server required
WTS is new technology
  – What if it fails?
  – What if it can’t handle the load?

Slide 18: Plan A
[Network diagram. Labels: BSDnet, Secure BSDnet, Rest of SLAC, WTS + Citrix Farm, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserMC, UserYY, UserXX, BSD Domain Cntlr]

Slide 19: Plan A - Intrusion
[Network diagram. Labels: BSDnet, Secure BSDnet, Rest of SLAC, WTS + Citrix Farm, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, “Air Gap”, User01, UserMC, UserYY, UserXX, BSD Domain Cntlr]

Slide 20: Plan A :-)
Mission critical work can be done using what works now
WTS+Citrix provides add’l flexibility and security options
Token cards will provide two-factor authentication
IDS will watch for what gets past filters
Patrick

Slide 21: Current Status
Testing WTS farm with live users
Developing specifications for configuration on user machines (apps, registry, etc.)
Network hardware being installed
Estimated completion - April 1

Slide 22: Comments?
What have we overlooked?
What are YOU doing in this area?
How do you handle user-administered W/S?
Feedback is appreciated!