Security At NCAR - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Security At NCAR
  • Pete Siemsen
  • National Center for Atmospheric Research
  • November 22, 1999

2
NCAR's Environment
  • Academic research institution
  • But no students
  • Collaboration with 63 member Universities
  • 1500 university (external) users
  • Diverse, widespread field projects
  • 2500 networked devices internal to NCAR
  • 1500 internal users

3
Obstacles to Security
  • Security not taken seriously
    • Considered low priority (few resources)
    • Doesn't mesh well with NCAR's goals
  • Security is a lose-lose proposition!
    • Too little security: it's your fault
      • "We got hacked, you should've done more"
    • Too much security: it's your fault
      • "I can't get my work done, you should do less"
    • When it works, no one notices

4
Motivation to Get Serious About Security
  • We experienced increasing malicious attacks
    • More hackers hacking
    • Availability of hacker kits
      • Easy to get
      • Don't require network expertise
      • (URLs will be shown later :-)
  • We had some strong advocates

5
Getting Started
6
NCAR Security Committee
  • We created a committee to develop policy
  • Sysadmins from all NCAR Divisions
  • Policy process delivers institutional buy-in
  • 2-hour meetings once a month
  • Lots of cooperation, little authority

7
The Security Policy
  • Need a policy that defines
    • vulnerabilities
    • how much security is needed
    • the level of inconvenience that is tolerable
    • solutions
  • We recommended a full-time Security Administrator
    for the institution
  • http://www.ncar.ucar.edu/csac

8
Define Scope of Problem
  • Decide which types of attacks are problems
  • Examples
    • Hacker spoofing of source IP address
    • Hacker scanning for weaknesses
      • TCP/UDP ports, inetd services
    • Hackers sniffing passwords
    • Hacker exploitation of buggy operating systems
      • Inconsistent/tardy OS patching

9
Define Scope of Solution
  • What we won't do
    • Not feasible to secure every computer
    • Over-reliance on timely OS security fixes
    • Can't prohibit internal personal modems
    • Attacks from within aren't a big problem
  • What we will do
    • Reduce external attacks from the Internet

10
Basic Solutions at NCAR
  • One-time passwords
  • Switched LANs
  • Router packet filtering
  • Application-proxy gateways

11
One-Time Passwords
12
One-time Passwords
  • A.K.A. challenge-response
  • Requires little calculator things ($50 per token)
  • Prevents password sniffing: a response is good for
    one login only, so a sniffed one cannot be replayed
  • We use it on critical devices
    • Routers, ATM switches, Ethernet switches, remote
      access servers, server hosts (root accounts)
  • At the least, do this!
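
The mechanism behind the "little calculator" tokens, as an added example that is not NCAR's actual system and not code from the slides: the server shows a fresh random challenge at the login prompt, the hand-held token computes a response from the challenge and a shared secret, and the server accepts the response once. HMAC-SHA256 as the token function, the 8-hex-digit display, and the user name are assumptions; the slides name no algorithm. The point demonstrated is the one on the slide: a response sniffed off the wire is useless for a later login.

```python
"""Added example, not NCAR's actual system: a challenge-response one-time
password in the shape of the hand-held tokens on slide 12.  HMAC-SHA256 as
the token function and the 8-hex-digit display are assumptions; the slides
name no algorithm.  Shown here: a sniffed response cannot be replayed."""
import hashlib
import hmac
import secrets


def token_response(secret: bytes, challenge: str) -> str:
    """What the calculator displays after the user keys in the challenge."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()[:8]


class Server:
    """The device being logged into (router, switch, root account)."""

    def __init__(self):
        self._secrets = {}       # user -> shared token secret
        self._outstanding = {}   # user -> challenge currently shown on the login prompt

    def enroll(self, user: str, secret: bytes) -> None:
        self._secrets[user] = secret

    def challenge(self, user: str) -> str:
        c = secrets.token_hex(4)  # fresh 32-bit nonce for every login attempt
        self._outstanding[user] = c
        return c

    def verify(self, user: str, response: str) -> bool:
        # Single use: the challenge is consumed whether or not the answer is right.
        c = self._outstanding.pop(user, None)
        if c is None or user not in self._secrets:
            return False
        return hmac.compare_digest(token_response(self._secrets[user], c), response)


def demo() -> dict:
    secret = secrets.token_bytes(20)     # provisioned into the token and the server
    srv = Server()
    srv.enroll("pete", secret)           # constructed user

    c1 = srv.challenge("pete")
    r1 = token_response(secret, c1)      # both c1 and r1 cross the wire in the clear
    legit = srv.verify("pete", r1)

    # A sniffer captured (c1, r1).  Later it tries the captured response...
    srv.challenge("pete")                # ...but the prompt now shows a new challenge
    replay = srv.verify("pete", r1)

    # A static password would have been reusable; the OTP response is bound to c1.
    return {"legit": legit, "replay": replay}


if __name__ == "__main__":
    print(demo())  # {'legit': True, 'replay': False}
```

Two details carry the security property: the challenge is random and never reused, and `verify` pops it before checking, so a wrong guess burns the challenge instead of allowing unlimited offline tries against the same one. A time-based token works the same way with the clock standing in for the challenge.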

13
Switched LANs
14
Switched LANs
  • Reduces packet eavesdropping: a host on a switched
    port sees only traffic addressed to it, not the whole
    segment
  • Get this for free with a switched network

15
Packet Filtering
16
Router-Based Filters
  • Used to construct a router-based firewall around
    your internal network (and/or between internal
    networks)
  • Main security implementation tool
  • Routers check each inbound packet against filter
    criteria and accept or reject it
  • Filters reject dangerous packets
  • Filters accept all useful packets

17
(No Transcript)
18
(No Transcript)
19
Packet Filtering At NCAR
  • Cisco access-lists filter on
    • IP address: source, destination, ranges
    • Interfaces: inbound and/or outbound
    • Protocols, TCP ports, etc.
  • We filter only inbound packets
    • Performance is an issue
    • We have Cisco 7507 routers
      • Using RSP4 CPUs

20
Filter Stance: Strong or Weak?
  • Strong
    • Deny everything, except for the good stuff
  • Weak
    • Allow everything, except for the bad stuff
  • NCAR chose a Strong stance

21
Firewall Flexibility Needed
  • Some NCAR Divisions wanted...
    • All hosts on some subnets to be outside the
      firewall
    • Just some hosts outside the firewall in each subnet
  • Our solution
    • Some whole IP subnets bypassed by firewall
      filters
    • Part of every IP subnet bypassed by firewall
      filters

22
Firewall Flexibility Needed
  • Excluded/bypassed subnets are called exposed
    subnets; all others are called protected subnets
  • Excluded/bypassed hosts are called exposed hosts;
    all other hosts are called protected hosts
  • "protected" means NO connections may be initiated
    from outside the firewall to the host

23
(No Transcript)
24
Implementing Flexibility
  • Rules to define exposed subnets
    • Filters bypass all hosts on selected subnets
    • permit ip any 128.117.1.0 0.0.0.255
      (wildcard mask 0.0.0.255: any destination in
      128.117.1.0/24)
    • One of these rules for each exposed subnet
  • This works best when subnets are assigned
    according to organizational topology

25
Implementing Flexibility
  • Rules to define exposed hosts
    • Bypass a fixed set of hosts on all subnets
    • permit ip any 128.117.0.0 0.0.255.15
      (wildcard mask 0.0.255.15: any subnet under
      128.117, hosts .0 through .15 on each)
    • Divisions had to re-address some hosts before the
      filter was installed

26
Example Filter Statistics
  • 41 lines (rules) in NCAR's access-list
  • Hits, 28 days after the filter was installed
    • 3 MP denied because of spoofing
    • 17 MP denied by the catchall
    • 71 MP permitted to exposed networks
    • 100 MP permitted to exposed hosts
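
The filter described on slides 20 through 26, worked through as an added example that is not NCAR's real 41-line access-list and not code from the presentation. It implements Cisco wildcard-mask matching and first-match ACL evaluation, then runs a handful of constructed inbound packets through a five-rule list in the "strong stance" shape: deny spoofed sources, permit the exposed subnet and the exposed hosts using the two rules from slides 24 and 25, permit replies to outbound TCP, deny everything else. The rule order, the `established` rule, and every address and packet are assumptions; the `established` rule is assumed because slides 34 and 35 describe exactly its effect (outbound Telnet and HTTP keep working, UDP and inbound pings do not).

```python
"""Added example, not NCAR's real 41-line list: an evaluator for an inbound
Cisco-style extended ACL in the "strong stance" shape of slides 20-26.  Rule
order, the 'established' rule and all packets are constructed assumptions;
only the two permit rules come from the slides."""
import ipaddress
from dataclasses import dataclass

ACL_TEXT = """
remark spoofing
deny   ip  128.117.0.0 0.0.255.255 any
remark exposed subnet
permit ip  any 128.117.1.0 0.0.0.255
remark exposed hosts
permit ip  any 128.117.0.0 0.0.255.15
remark established
permit tcp any 128.117.0.0 0.0.255.255 established
remark catchall
deny   ip  any any
"""

@dataclass(frozen=True)
class Packet:
    proto: str                          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    tcp_flags: frozenset = frozenset()  # {"SYN"} opens a connection, {"ACK"} is a reply

@dataclass(frozen=True)
class Rule:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol
    src: tuple         # ("base", "wildcard"), or None for 'any'
    dst: tuple
    established: bool  # Cisco keyword: only TCP segments with ACK or RST set
    remark: str        # preceding 'remark' line, used to label hits

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return (int(ipaddress.ip_address(addr)) & care) == (int(ipaddress.ip_address(base)) & care)

def _take_addr(tokens: list):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' from the front."""
    tok = tokens.pop(0)
    if tok == "any":
        return None
    return (tokens.pop(0), "0.0.0.0") if tok == "host" else (tok, tokens.pop(0))

def parse_acl(text: str) -> list:
    rules, remark = [], ""
    for line in text.splitlines():
        toks = line.split()
        if not toks:
            continue
        if toks[0] == "remark":
            remark = " ".join(toks[1:])
            continue
        rest = toks[2:]
        src, dst = _take_addr(rest), _take_addr(rest)
        rules.append(Rule(toks[0], toks[1], src, dst, "established" in rest, remark))
        remark = ""
    return rules

def evaluate(rules: list, pkt: Packet) -> tuple:
    """First matching rule wins; every ACL ends in an implicit 'deny ip any any'."""
    for r in rules:
        if r.proto not in ("ip", pkt.proto):
            continue
        if r.src and not wildcard_match(pkt.src, *r.src):
            continue
        if r.dst and not wildcard_match(pkt.dst, *r.dst):
            continue
        if r.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return r.action, r.remark
    return "deny", "implicit deny"

# Constructed traffic arriving inbound on the Internet-facing interface.
SAMPLE_PACKETS = [
    Packet("tcp", "198.51.100.7", "128.117.1.77", frozenset({"SYN"})),    # web server on the exposed subnet
    Packet("tcp", "198.51.100.7", "128.117.50.9", frozenset({"SYN"})),    # host .9 of a protected subnet: exposed host
    Packet("tcp", "128.117.50.100", "128.117.50.9", frozenset({"SYN"})),  # our own address from outside: spoofed
    Packet("tcp", "198.51.100.7", "128.117.50.200", frozenset({"SYN"})),  # inbound telnet to a protected host
    Packet("tcp", "198.51.100.7", "128.117.50.200", frozenset({"ACK"})),  # reply to the host's outbound HTTP request
    Packet("udp", "198.51.100.53", "128.117.50.200"),                     # DNS reply: UDP has no 'established'
    Packet("icmp", "198.51.100.7", "128.117.50.200"),                     # inbound ping
]

def tally(rules: list, packets: list) -> dict:
    """Hits per rule, the way slide 26 reports them."""
    counts = {}
    for p in packets:
        action, remark = evaluate(rules, p)
        counts[f"{action}: {remark}"] = counts.get(f"{action}: {remark}", 0) + 1
    return counts

def demo() -> dict:
    return tally(parse_acl(ACL_TEXT), SAMPLE_PACKETS)

if __name__ == "__main__":
    for key, n in demo().items():
        print(f"{n:3d}  {key}")
```

Two things to check in your own list. First, order: the spoofing deny has to come before the exposed-subnet and exposed-host permits, otherwise the third sample packet (an internal source address arriving from the Internet, aimed at an exposed host) is permitted instead of counted under "spoofing". Second, the `established` rule is what makes "only inbound packets are filtered" workable for protected hosts: the SYN-ACK coming back for a connection the inside host opened has ACK set and passes, while an unsolicited SYN, a UDP reply and an ICMP echo all fall through to the catchall, which is exactly the behaviour the Drawbacks slides report.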

27
Exposed Hosts
  • Example: Web servers, data source machines, etc.
  • Must meet stringent security standards to avoid
    being compromised and used as launch pads for
    attacking protected hosts
  • OS restricts set of network services allowed
  • Must keep up with OS patches

28
Application-Proxy Gateways
29
(No Transcript)
30
What They Are & Do
  • Provide proxy access to protected hosts for
    insecure services like FTP, Telnet, X11
  • Central access and monitoring point
  • Authenticate users
  • OS is kept VERY secure
    • Patches kept up to date
    • Unneeded services turned off
    • No direct use by users (it only relays
      connections)

31
Security Administrator
32
Security Administrator
  • Provides focus for security for the entire
    institution
  • Helps deal with break-ins
  • Central point of contact
  • Tracks CERT advisories for sysadmins
  • Advocates security solutions, like ssh
  • Scans exposed hosts for standards violations
  • Generally helps/educates sysadmins

33
Impacts of NCAR's Security
34
Benefits
  • >95% of NCAR hosts are protected
  • Outbound Telnet, HTTP, etc. still work
  • Most users don't notice any changes
  • Relatively cheap and easy
  • Dial-in users are inside the firewall: no changes

35
Drawbacks
  • UDP is blocked
    • Some services are no longer available
  • Inbound pings are blocked!
  • To use FTP, must use passive mode (the client, not
    the server, opens the data connection), or use an
    exposed host, or proxy through the Gateway
  • DNS and email can get REAL complicated
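
Why the FTP drawback exists, as an added example that is not from the slides: the FTP control channel decides who opens the data connection. In active mode the client sends `PORT` with its own address and the server connects back to it, so the opening SYN arrives inbound at a protected host and the filter drops it; in passive mode the server answers `PASV` with a `227` reply and the client connects outbound, which an inbound-only filter never sees (the returning SYN-ACK has ACK set). The two control-channel exchanges, the host addresses and the file name are constructed; the protected-host check is a one-line restatement of the slides' "no connections from outside" rule, not NCAR's actual access-list.

```python
"""Added example (not from the slides): why active-mode FTP breaks behind an
inbound-only filter while passive mode works.  Exchanges and addresses are
constructed; 198.51.100.0/24 stands in for the Internet."""
import re

CLIENT = "128.117.50.200"      # a protected NCAR host (made-up address)
SERVER = "198.51.100.21"       # an FTP server out on the Internet (made-up)
PROTECTED_HOSTS = {CLIENT}


def parse_port_arg(arg: str) -> tuple:
    """PORT h1,h2,h3,h4,p1,p2: the address the *server* must connect back to."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def parse_pasv_reply(line: str) -> tuple:
    """227 Entering Passive Mode (h1,h2,h3,h4,p1,p2): where the *client* connects."""
    m = re.search(r"\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", line)
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    g = m.groups()
    return ".".join(g[:4]), int(g[4]) * 256 + int(g[5])


def data_connection(exchange: list, client_ip: str, server_ip: str) -> dict:
    """Replay a control-channel exchange (list of (side, line), side 'C' or 'S')
    and report who opens the data connection, and to where."""
    setup = None
    for side, line in exchange:
        if side == "C" and line.upper().startswith("PORT "):
            ip, port = parse_port_arg(line.split(None, 1)[1])
            setup = {"mode": "active", "initiator": server_ip, "target": ip, "port": port}
        elif side == "S" and line.startswith("227"):
            ip, port = parse_pasv_reply(line)
            setup = {"mode": "passive", "initiator": client_ip, "target": ip, "port": port}
    if setup is None:
        raise ValueError("exchange never set up a data connection")
    return setup


def inbound_filter_verdict(setup: dict, protected_hosts: set) -> str:
    """A strong-stance inbound filter drops the opening SYN when the data
    connection is initiated from outside toward a protected host."""
    outside_in = setup["initiator"] not in protected_hosts and setup["target"] in protected_hosts
    return "denied" if outside_in else "permitted"


# Constructed exchanges.  Active: the client tells the server where to call back.
ACTIVE = [
    ("C", "PORT 128,117,50,200,19,137"),
    ("S", "200 PORT command successful."),
    ("C", "RETR data.nc"),
    ("S", "150 Opening BINARY mode data connection."),
]
# Passive: the client asks, the server names a port, the client connects outbound.
PASSIVE = [
    ("C", "PASV"),
    ("S", "227 Entering Passive Mode (198,51,100,21,8,5)."),
    ("C", "RETR data.nc"),
    ("S", "150 Opening BINARY mode data connection."),
]


def demo() -> dict:
    out = {}
    for name, exchange in (("active", ACTIVE), ("passive", PASSIVE)):
        setup = data_connection(exchange, CLIENT, SERVER)
        out[name] = inbound_filter_verdict(setup, PROTECTED_HOSTS)
    return out


if __name__ == "__main__":
    print(demo())  # {'active': 'denied', 'passive': 'permitted'}
```

The same reasoning explains the other two workarounds on the slide: an exposed host is permitted to receive the server's callback, and the application gateway terminates the client's FTP session itself so that whatever the far end does, the data connection never has to reach a protected host.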

36
Drawbacks (cont.)
  • Password sniffing still possible outside of the
    firewall
  • Ignores attacks from within
  • Modems in offices are a huge hole
    • They bypass the authentication of our secure
      modem pool

37
Wrapup
38
Security is Never Done
  • How do you know if you're being hacked?
    • Silent attacks very hard to detect
    • Noisy attacks hard to distinguish from other
      network (or host) problems
  • Network keeps changing
  • Software keeps changing
  • Hackers keep advancing

39
Security is Never Done (cont.)
  • Policy and security mechanisms must keep
  • Security committee continues to meet

40
Conclusion
  • NCAR struck a balance between
    • Convenience and Security
    • Politics and Technology
    • Cost and Quality
  • Seems to work for us
  • Installed it just in time
    • Filters were installed just as attacks were
      getting unbearable