Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC.


1 Security in the NT Environment at SLAC
HEPNT at CERN, December 4, 1998
Bob Cowles, SLAC

2 12/04/98 Bob Cowles - SLAC
Background
Over 3000 hosts respond to ping
  – 1200 over NT machines
  – 800 over Unix machines
Business Services Division
  – PeopleSoft Financials & Human Resources
  – WinNT workstations; Oracle DB on Unix
      150 W/S in central offices
      50 W/S in departments distributed around Lab

3 Crisis -> Response
Serious intrusion in June 1998
  – Over 20 Unix hosts compromised (root)
  – Over 40 user accounts used
Response
  – Cut off from Internet for a week
  – Changed all passwords
  – Applied deferred security patches
  – Increased packet filtering

4 Challenge - Priorities
Prevent unauthorized access to business systems and confidential data
Protect accelerator control systems
Protect physics data and programs

5 Challenge - Constraints
Implement security measures consistent with the research mission
  – Open
  – Collaborative
Credible response to vulnerabilities
  – Password compromise
  – Local admin & PC mode of thinking

6 Threat Analysis
Attack on Oracle DB
  – Alter data
  – Read personal or confidential data
  – Denial of Service
External Attack
Internal (authenticated user) Attack
Adapt to new threats over next 2 years

7 Countermeasures I
External
  – Filter out NT networking protocols
  – Strengthen passwords (passfilt)
Internal
  – Emphasize SP3 + Hotfixes
  – Promote SMS and central mgmt tools
  – Proposed significant tightening of all NT W/S

8 Problems I
General revolt at proposal
  – “Personal Computer”
  – Inadequate support
  – Non-standard configurations
  – Inventive requirements
One size does not fit all

9 Countermeasures II
Use Business Services Division as a pilot
  – Significantly increase restrictions on NT
  – Use latest technology to provide:
      safety
      functionality
Examined many alternatives
  – Filtering routers, firewalls, VPNs, IDS, etc.

10 Problems II
Latest technology is very immature (!) and vendors don’t understand it
Required features in the next release (RSN)
Solutions require
  – Lots of inter-group cooperation & coordination
  – Very easy to have 3-4 inadequate solutions for the same problem
BSD users are all over the Lab

11 Strawman I
Use VLANs to put all users “together”
Very heavy filtering on internal router
Many users have two workstations
  – Communicate externally & with rest of Lab
      No tight controls on configuration
  – Communicate with PeopleSoft applications
      Centrally maintained
      Standard configuration

12 Strawman I
[Network diagram. Labels: BSDnet, Rest of SLAC, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserYY, UserXX, BSD Domain Cntlr]

13 Strawman I :-(
Cost of additional W/S and network equip.
Fear of “yellow cables”
Loss of desktop space - user reaction
Confusing relationship between domains
Concerns about “piped” cross authentication (e.g. new web browsers)

14 Strawman II
[Network diagram. Labels: BSDnet, Rest of SLAC, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserYY, UserXX, BSD Domain Cntlr]

15 Strawman II :-(
Very difficult to packet filter properly (SQL*Net uses ephemeral ports)
Possible performance issues with Two-tier PeopleSoft client
Questionable protection in time of intrusion

16 Strawman III
[Network diagram. Labels: BSDnet, Rest of SLAC, WTS Server, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserYY, UserXX, BSD Domain Cntlr]

17 Strawman III :-(
Still problems during/immediately after intrusion
  – Mission critical functions
  – Access to BIS web server required
WTS is new technology
  – What if it fails?
  – What if it can’t handle the load?

18 Plan A
[Network diagram. Labels: BSDnet, Secure BSDnet, Rest of SLAC, WTS + Citrix Farm, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserMC, UserYY, UserXX, BSD Domain Cntlr]

19 Plan A - Intrusion
[Network diagram. Labels: BSDnet, Secure BSDnet, Rest of SLAC, WTS + Citrix Farm, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, “Air Gap”, User01, UserMC, UserYY, UserXX, BSD Domain Cntlr]

20 Plan A :-)
Mission critical work can be done using what works now
WTS+Citrix provides add’l flexibility and security options
Token cards will provide two-factor authentication
IDS will watch for what gets past filters
Patrick

21 Current Status
Testing WTS farm with live users
Developing specifications for configuration on user machines (apps, registry, etc.)
Network hardware being installed
Estimated completion - April 1

22 Comments?
What have we overlooked?
What are YOU doing in this area?
How do you handle user administrated W/S?
Feedback is appreciated!
rdc@slac.stanford.edu

