
JLAB Password Security Ian Bird Jefferson Lab HEPiX-SLAC 6 Oct 1999.


1 JLAB Password Security Ian Bird Jefferson Lab HEPiX-SLAC 6 Oct 1999

2 History
- Aug ’97 – break-in & compromise
  - Off the net for 5 days
- Enforced password changes & tightened rules
- Installed network and system monitors
- Tightened/created access policies
  - Denied off-site access for non-verified & monitored systems

3 Since then…
- Install firewall + traffic monitors
- Continual tightening of access
  - Very few systems directly open to outside now
- Push to ssh on all platforms
  - TeraTerm/ssh on PCs, DataFellows on Mac
  - Shut down telnet, rsh etc.
- Mail: IMAP + SSL
  - Netscape + Outlook as remote clients
- Creation of “DMZ”
- Continue to move to switched network (> 70%)
- Protect with routers:
  - Business Services/HR
  - Accelerator controls

4 External access
- Still need to provide clear-text password access from off-site
- Implementing “DMZ” outside firewall with:
  - Split horizon DNS
  - External mail server (forwarder)
  - ftp server (not through firewall)
  - Web server
  - (eventually) telnet/ssh forwarder
- Only 3 central hosts open to outside
  - Ssh or web access to selected internal hosts
- These have to be monitored.

5 Mail
- Currently allow POP, IMAP and S-IMAP (SSL)
  - Switch off POP, clear-text IMAP soon
- UW IMAP server
  - SSLeay provides password encryption
- Server provides certificate to client
- Clients:
  - Netscape (everywhere), Outlook (PCs)
- S-IMAP has been working well for > 1 year

6 External mail server
- Server in DMZ forwards S-IMAP, IMAP, POP to internal mail server (ports only)
  - Perl script
  - Avoids copying files or mounting filesystems outside firewall
  - No authentication outside
- No password file accessible on external server
- Working on telnet/ssh forwarder (gateway)
  - Deny direct telnet access to inside, but
  - Provide telnet access where needed
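The slide describes the DMZ mail gateway only in outline: a script that relays a fixed set of mail ports to the internal server, holds no password file and does no authentication of its own, so a compromise of the outside host yields no credentials. The following is an added example written for this page, not the lab's Perl script (which the slide does not reproduce); it is a minimal TCP relay in Python with those properties. The port allowlist (110, 143, 993), the function names and the echo server standing in for the internal mail host are all assumptions made for the example.

```python
"""Minimal DMZ-style TCP relay: forward selected mail ports to an inside host,
without ever terminating the protocol or holding any credentials here.
Added example for this page, not the lab's own Perl forwarder."""
import socket
import threading

# Assumed allowlist: POP3, IMAP, IMAP over SSL. Anything else is refused, so the
# outside box can only ever reach the mail ports of the internal server.
ALLOWED_PORTS = frozenset({110, 143, 993})


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _relay(client, internal_host, internal_port):
    """One accepted outside connection: open the inside leg, pump both ways."""
    try:
        upstream = socket.create_connection((internal_host, internal_port), timeout=10)
    except OSError:
        client.close()  # inside host unreachable: drop the outside connection
        return
    upstream.settimeout(None)
    back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
    back.start()
    _pump(client, upstream)
    back.join()
    client.close()
    upstream.close()


def start_forwarder(listen_host, listen_port, internal_host, internal_port,
                    allowed=ALLOWED_PORTS):
    """Bind the outside listener and relay each connection to internal_host:port.
    Returns (listening socket, bound port); listen_port=0 picks an ephemeral port.
    The relay never looks at the bytes, so no login logic or password file lives here."""
    if internal_port not in allowed:
        raise ValueError(f"port {internal_port} is not a forwarded mail port")
    lsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    lsock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    lsock.bind((listen_host, listen_port))
    lsock.listen(16)

    def accept_loop():
        while True:
            try:
                client, _ = lsock.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=_relay, args=(client, internal_host, internal_port),
                             daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return lsock, lsock.getsockname()[1]


def start_echo_server(host="127.0.0.1"):
    """Constructed stand-in for the internal mail server: echoes one request back."""
    esock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    esock.bind((host, 0))
    esock.listen(16)

    def loop():
        while True:
            try:
                conn, _ = esock.accept()
            except OSError:
                return
            with conn:
                conn.sendall(conn.recv(4096))

    threading.Thread(target=loop, daemon=True).start()
    return esock, esock.getsockname()[1]


def roundtrip(payload=b"a001 CAPABILITY\r\n"):
    """Send payload outside -> gateway -> inside echo server; return the reply."""
    echo_sock, echo_port = start_echo_server()
    gw_sock, gw_port = start_forwarder("127.0.0.1", 0, "127.0.0.1", echo_port,
                                       allowed={echo_port})  # test-only allowlist
    try:
        with socket.create_connection(("127.0.0.1", gw_port), timeout=5) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            got = b""
            while chunk := c.recv(4096):
                got += chunk
        return got
    finally:
        gw_sock.close()
        echo_sock.close()


if __name__ == "__main__":
    print(roundtrip())
```

Because the gateway only copies bytes, the TLS session of S-IMAP is still end-to-end between the remote client and the internal UW IMAP server; the DMZ host sees ciphertext and never handles the password, which is the property the slide's "no authentication outside" and "no password file accessible" bullets are after.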

7 Developments
- Would be nice to have a consistent framework for all authenticated applications and processes
- Something that:
  - Works with SSL, and can:
    - Handle normal logins
    - Do process-process authentication
    - Minimize the number of credentials a user has to keep track of
- Set up a general CA
  - Currently use (different) certificates for
    - Mail
    - MIS applications

8 Developments (cont.)
- Possible candidates:
  - Globus/GSI
    - Ssh that uses certificates
    - Authenticates processes
    - Can span sites with different encryption schemes (Kerberos, etc.)
  - Kerberos?

9 Summary
- Close to removing clear-text passwords internally
- Provide clear-text external access in a controlled way
- Need a consistent framework for authentication
- Problems:
  - NIS – ypcat
  - X-terminals (although most are now on switched ports)
  - Win95/98 LANManager hash cripples NT security
    - Suppress W95/98 in domain by mid-2000
  - Modems – back door
