CERN - European Organization for Nuclear Research

Beyond ACB – VPNs
FOCUS, June 13th, 2002
Frédéric Hemmer & Denise Heagerty, IT Division
F. Hemmer & D. Heagerty/IT – FOCUS, June 13

Motivations
Long outstanding requests to access CERN resources (Dfs files, protected Web sites, controls, etc.)
 – From external labs
 – From private ISPs (e.g. while in hotel rooms)
ADSL “explosion”
Securing the infrastructure
 – E.g. NICE and Afs passwords sent in clear when using ftp/telnet
 – Complementing other measures such as secure mail, restricting ports in the firewall, etc.
Costs of ACB
What is a VPN?
A “Virtual Private Network” is a technology that can be used to access any resource that has been restricted to the CERN Intranet when you are using a computer outside CERN.
[Figure: “Using an ISP” compared with “Using an ISP through a VPN”]
How it works …
A “remote” computer connects to the Internet through an arbitrary Internet Service Provider (ISP) and receives an IP address on the Internet.
The “tunnel” allows confidential data to be sent securely over the Internet and to reach the “safe” intranet.
The computer then acts as if it were on the intranet.
Pilot Proposal
Establish a VPN pilot service
 – Based on the same technology as ACB
 – Restricted to managed computers: CERN Linux machines and NICE 2000
Requirements
 – A NICE username with a secure password
 – An explicit registration
Pilot success criteria
 – User needs satisfied
 – Scalability
 – Reasonable security checks can be implemented
Security Considerations
Why are VPNs a security risk?
Infected computers
 – Viruses/worms/backdoors hidden on the VPN client machine will have full access to the CERN site
 – The VPN client can be a launching pad for site-wide disruption at Internet data rates
 – Home computers are a target for intruders and viruses
Weak/discovered passwords
 – Passwords can be guessed (if too trivial), cracked (from their encrypted form) or “found” by others (files, paper, …)
 – Compromised VPN accounts can be used to launch attacks from anywhere as if inside the CERN firewall
What can be done to limit VPN security risks?
Protect the computer
 – Anti-virus updated at least daily (for Windows PCs)
 – Operating system and installed applications kept patched against all known security holes
 – System restricted to only run essential applications (games, music and freely copied software are targets for viruses)
Protect the account & password
 – Require registration (no default access)
 – Verify that VPN passwords cannot be cracked
 – Require at least 128-bit encryption
 – Limit unsuccessful login attempts
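The last control on this slide, limiting unsuccessful login attempts, is shown below as an added example; it is not code from the slides or from CERN's VPN service. It applies a per-account failure threshold inside a sliding time window to constructed authentication log lines and reports which accounts should be locked. The log format, the threshold of 5 failures and the 15-minute window are assumptions chosen for the illustration, not CERN's configuration.

```python
"""Per-account limit on unsuccessful VPN logins (added example).

Assumed log line format: "<YYYY-MM-DD HH:MM:SS> <OK|FAIL> user=<name> src=<ip>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 5      # assumed policy: lock the account after 5 failures ...
WINDOW_MINUTES = 15   # ... that occur within any 15-minute window

# Constructed sample log lines (not real data): alice fails six times in a
# row, bob logs in once, carol fails twice but an hour apart.
SAMPLE_LOG = """\
2002-06-13 09:00:01 FAIL user=alice src=192.0.2.10
2002-06-13 09:00:05 FAIL user=alice src=192.0.2.10
2002-06-13 09:00:09 FAIL user=alice src=192.0.2.10
2002-06-13 09:00:14 FAIL user=alice src=192.0.2.10
2002-06-13 09:00:20 FAIL user=alice src=192.0.2.10
2002-06-13 09:00:25 FAIL user=alice src=192.0.2.10
2002-06-13 09:01:00 OK   user=bob   src=198.51.100.7
2002-06-13 09:30:00 FAIL user=carol src=203.0.113.5
2002-06-13 10:30:00 FAIL user=carol src=203.0.113.5
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source address)."""
    ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    result, *fields = line[19:].split()
    kv = dict(f.split("=", 1) for f in fields)
    return ts, result, kv["user"], kv["src"]


def find_lockouts(log_text, max_failures=MAX_FAILURES, window_minutes=WINDOW_MINUTES):
    """Return {user: time_of_lockout} for accounts whose failed logins within
    the window reached the threshold. A successful login clears the counter;
    once an account is locked, later lines for it are ignored."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)   # user -> timestamps of recent FAILs
    locked = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, result, user, _src = parse_line(line)
        if user in locked:
            continue
        if result == "OK":
            recent_failures[user].clear()
            continue
        failures = recent_failures[user]
        failures.append(ts)
        # Drop failures that fell out of the sliding window.
        while failures and ts - failures[0] > window:
            failures.popleft()
        if len(failures) >= max_failures:
            locked[user] = ts
    return locked


if __name__ == "__main__":
    for user, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock account {user} (threshold reached at {when})")
```

With the sample data only alice is locked, at her fifth failure; carol's two failures are an hour apart and never accumulate inside the window. The counter is reset by a successful login so that a legitimate user's occasional typo does not build up towards a lockout across days.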
More information on