TSAG Meeting 3/14/02 Update on Current Technology Initiatives

Overview Announcements: –Account Maintenance System (March 8, 2002) –SIMS/R Forms –Limiting SMTP Vulnerabilities (Proposed March 29, 2002) Directory Initiative Desktop and Server Security Issues (Caleb Fahey) Wireless Initiative (Will Trask) Network Access Control (Will Moran)

Directory Initiative Goals: To provide users with a single user-name and password for all IT resources –improve system security via strong authentication –reduce account management overhead –simplify end-user problems To allow IT units to specify who may access their resources (i.e., units specify authorization) To engineer a system that works with existing local IT system protocols and procedures

Technical Challenges To correlate existing database information into a single source To unify the various IT account systems To engineer a system that works with: Macs, Microsoft, Novell, and Unix systems

From Many To … /etc/passwd /etc/aliases SIMS/R PeopleSoft HR ECS A&F NDS Library Campus Phone Directory Majordomo ~dlt/aliases ~dlt/*.vbars password.account

In Production: CSUN1 Authentication findalias finduser Modem Pool Wireless Network Webmail Next up: Majordomo Authentication Vacation Authentication Mail Client: Find People Being Discussed/Planned: PeopleSoft Authentication A&F NDS tree Directory Aware Services Authentication, Authorization, & Information Lookup

Outlook: Find People

Top-Level DIT Layout O=CSUN ou=Authenticationou=Libraryou=ECS ou=Usersou=Groups

Approaches to Delegate Control Mirror –Unit copies all authentication objects –Unit augments objects with authorization information Referral (ldaps://hostname) –Unit relies on central infrastructure –Authentication and authorization information stored with single user object Alias –Each Unit user is an authorization object with a referral to authentication object –Works in theory!

Distributed, Replicated Architecture eDirectory (edir.csun.edu) iPlanet (idir.csun.edu) OpenLDAP (odir.csun.edu) ActiveDir. (adir.csun.edu) dir.csun.edu:636 ldaps.csun.edu:636 ldap.csun.edu:389 Encryption Modules Distribution LDAP Server

Desktop and Service Security Issues Goals: To educate the campus and the IT staffs on the needs for appropriate security controls To collaboratively define and implement these controls, which will result in –improved security for the campus computing infrastructure –reduced work load for the technical staffs –increased productivity of the end users To ensure that local autonomy/flexibility is retained via the local IT units

Standards Include? Administrator Access and Passwords Software requirements? –Secure Shell –Antivirus software Shutdown Policy Mail Server Standards? –Antivirus Filter –Authenticated SMTP –Directory Aware

Mail Servers SMTP Vulnerabilities (2/15) Inbound: 192 Outbound: 256x256 Identified Mail Servers (3/2) imap.csun.edu alpha.ecs.csun.edu ppm.csun.edu std-affairs.csun.edu jacek.csun.edu admsvcs.csun.edu jour.csun.edu sundial.csun.edu jour1.csun.edu codes.csun.edu sauron.csun.edu ncod.csun.edu akala.csun.edu sunspot.csun.edu galileo.csun.edu davinci.csun.edu SMTP Vulnerabilities (Proposed 3/29) Inbound: 16 Outbound: 16+1

Wireless Initiative Purpose: To provide flexible and secure access to the Internet via portable devices Services: –Web: http and https –Mail: smtp to smtp.csun.edu –SSH: to the world –Virtual Private Network (VPN) for the future! Status: –Pilot phase well underway –Campus wide test in April –Anticipated production services in the fall

Sierra Quad Oviatt Lawn Sequoia Hall Engineering Exchange Business/Education Student Services Wireless Zones Today

Wireless Zones in May University Hall Oviatt Library (4 th ) Sierra Hall Jerome Richfield Bookstore Athletics Fields And a whole lot more to follow!

Announcement List:

Network Access Control Reduce the amount of SPAM mail Reduce exposure to copyright infringement Reduce exposure to DOS attacks Increase bandwidth to campus community Increase the integrity of inter- and intra-campus network communications Increase productivity of all by not dealing with SPAM and other such attacks Not Again Zzzz

Approach Paradigms: –Allow all, deny exceptions –Deny all, allow exceptions Attack problem in levels First step: Focus on campus/internet boundary –Reduce the number of entry points to campus –Reduce the number of exit points to campus Move towards authenticated and encrypted protocols and applications, e.g., https, ssh

Tasks ACLs deployed for several colleges/units and for several protocols (snmp, smtp!) Provide information on (date?): –Deployed servers on campus –Required inbound ports for servers –Required outbound ports for servers Block all inbound traffic to non-servers (date?) Block all unwanted traffic to servers (date?) Recommend and then deploy SSH client (date?) ftp, ssh, http/s, irc/s