Internet Security Concerns and Securing Telnet, etc' - PowerPoint PPT Presentation

1 / 32

About This Presentation

Title:

Internet Security Concerns and Securing Telnet, etc'

Description:

SSL/TLS for email (POP, IMAP, SMTP) SSH for Telnet (terminal ... Spotting a hoax 'Send this to everyone you know' Doesn't say what type of computer it affects ... – PowerPoint PPT presentation

Number of Views:115

Avg rating:3.0/5.0

Slides: 33

Provided by: daves84

Category:

more less

Transcript and Presenter's Notes

Title: Internet Security Concerns and Securing Telnet, etc'

1
Internet Security Concerns and Securing Telnet,
etc.

Setting your paranoia level and what to do about
it(?)

2
Overview

Old and New threats
Sensible Security Precautions
Protecting your password
Secure communications (client/server)

3
Fundamental Tenet of Security
Trust No One Security is everyones
responsibility. The easiest way into any
computer system is by tricking a nice person.
4
Good Password Habits

Change password periodically
Choose a good password
No easily guessable words, phrases or dates
Use a phrase plus a number
Use a different password on different systems
Dont write important passwords down
Report potential password violations
failures since last successful login

5
Good Password Habits (Contd)

Only you should know your password
This is why passwords are pre-expired
Even the administrator should not know our
password
Dont give you password to ANYONE!
DAS Staff should never need your password
If you do give your password to someone change it
ASAP
If you think someone got your password
Change it immediately
Report to DAS for investigation

6
Saving Passwords is Evil!

Dont let mail clients or browsers save your
important passwords
It may be convenient, but it means your password
is stored in local workstation and is vulnerable
Anyone with physical (or network) access to your
computer may be able to acquire or use your
password

7
Not just your DAS password

Dont just be paranoid about your DAS password
STRS reporting
On-line banking
Local file/print sharing network
Other mail systems
Many sites or services can have financial impact
or threats of impersonation

8
Dont be annoyed by your DAS when

They log you out automatically
They pre-expire your password
Your password expires
They dont believe you are who you claim to be

9
Technical Threats to your password and data

Most Internet connections to computers are
unsecured (unencrypted or plain text)
It is possible for eavesdroppers to pluck your
password from the wire
Physical security of wire is important
As networks grow and become more complex physical
security is less certain
Access from Home becomes dangerous

10
Network security

From inside the DAS
Networks are switched and relatively secure
But still a reason for concern
Access from dialup modem (ISP)
Packets travel directly to ISP, then across
global network
Access from DSL or Cable modem
Packets visit all your neighbors as well as ISP
The neighbor kid could snag your password

11
(No Transcript)
12
Solutions for Unsecured Networks

Encrypting data between computers
Only cooperating machines can read the data
Eavesdroppers see only gibberish
Two broad solutions
VPNs (Virtual Private Networks)
Client connects to known network with
authentication
All communication with that network becomes
encrypted
Requires software/configuration in both networks
SSL for each application

13
SSL for each application

TLS (or SSL) is widely adopted for
HTTPS for web sites
SSL/TLS for email (POP, IMAP, SMTP)
SSH for Telnet (terminal emulators)
SSH for FTP (file transfers)
Each of these encrypts both the username/password
and the data

14
NWOCA Implementation

NWOCA has implemented SSL for
Email (POP/IMAP)
Some web servers
Currently optional, but will begin to require
Will be implementing secure TELNET
Will be required for connections from outside
Implementing VPN for some users
May require new software and/or configuration
changes

15
What You Can Do

See what encrypted services are already
available
POP/IMAP mail clients
SSH for Telnet
HTTPS for web sites
Encourage DA Site and Tech Coordinator to
implement SSL or VPNs
Be cooperative when they do
May cause some pain
New software (upgrades or replacement)
Configuration changes

16
Services you should be concerned about

Any place you type your password for important
and sensitive information
DA Site account (Telnet for state software)
Email client
FiscWeb
SSWAT or DSL
Et al.

17
Viruses

All computers should have virus scanning
To protect both data security and workstation
Even if DA Site virus scans email
Multiple levels of protection are necessary
Keep virus scanners up-to-date
Scanners only catch virus they know about
Be suspicious
even if its someone you know
Only open attachments you were expecting

18
Hoaxes

Hoaxes are human viruses
They trick humans into doing something
Never forward a virus warning, especially if
its from a friend
If concerned about a particular warning, forward
it to DAS or network staff for evaluation

19
Spotting a hoax

Send this to everyone you know
Doesnt say what type of computer it affects
Claims to come from a reputable person at
Microsoft, IBM, some virus company, CNN, etc,
etc.
Claims unbelievable catastrophe if you dont
immediately delete some file(s)

20
Other Miscellaneous Things

Dont use work email address for personal
business
Your personal mail may become public record
Review Districts Acceptable Use Policy
Consider adding password rules
Consider requiring secure connections for
remote or internal access

21
Related Sites
http//www.viruslist.com/ (Virus and Hoax
Lists) http//www.cert.org/ http//www.sophos.co
m/
22
Technical Details

TLS/SSL
Operates at application/socket level
Each application must provide support or some
knowledge of SSL
Either provides special port, e.g.
HTTPS 443, IMAP/TLS 993, POP/TLS995
Client must connect to correct port
Or provides mechanism to negotiate TLS over
standard port, e.g.
ESMTP port 25 STARTTLS
If committing to secure connections only then
must block non-secure ports at firewall
or disable non-secure ports on server

23
SSH, Secure Shell

Secure replacement for
TELNET
RSHELL/RHOST
Can tunnel for other protocols
Listens on port 22
Client and server transfer keys for encryption
and optionally authentication
Authentication methods
Password
Host Authentication (RHOST with host key)
RSA Auentication (user key)

24
Configuring SSH1/SSH2 on Multinet

Multinet 4.4 supports both SSH
Similar configuration for both
Enable SSH service
Generate host keys for SSH1 and/or SSH2
See Multinet Installation and Administrator
Guide for details
Read carefully, especially intrusion detection
If using
Password authentication, nothing else to do
If using host or user RSA authentication, then
must move host and/or user keys to remote system
See Multinet User Guide

25
Example RSA Host authentication with SSH1
!Host authentication MULTINET SSH1
mx1.nwoca.org Last interactive login on Tuesday,
17-SEP-2002 121823.15 Last non-interactive
login on Tuesday, 17-SEP-2002 081943.76 type
.rhosts nwoca.org smith type
.SSHknown_hosts. nwoca.org 1024 33
10419763534523288398817453543573513685740079341368
054739651242 0666066648846428812346617099775231083
9953168572391310124452017313072891801777871 160461
65434384487151150224687146888398411590798727403199
059829142694706571327219 5184694169021430566794841
83949756813699918547438239226695614981377936373132
86613 2890647
26
Example Password authentication with SSH2
MU SSH2 mx1.nwoca.org Welcome to OpenVMS (TM)
Alpha Operating System, Version V7.3 smith's
password smith's password Authentication
successful. Last interactive login on
Tuesday, 17-SEP-2002 122253.66 Last
non-interactive login on Tuesday, 17-SEP-2002
122323.28 1 login failures since last
successful login
27
Example RSA Authentication with SSH2
DIR/NOTOTAL .SSH2 Directory
NWBSMITH.SSH2 IDENTIFICATION.2
1/9 15-SEP-2002 192154.37 ID_DSA_102
4_B.1 2/9
15-SEP-2002 192113.68 ID_DSA_1024_B.PUB1
2/9 15-SEP-2002
192113.77 RANDOM_SEED.1
1/9 14-SEP-2002 192945.19 TYPE
.SSH2IDENTIFICATION. idkey ID_DSA_1024_B MU
SSH2 MX1.NWOCA.ORG Welcome to OpenVMS (TM) Alpha
Operating System, Version V7.3 Authentication
successful. Last interactive login on
Tuesday, 17-SEP-2002 122712.47 Last
non-interactive login on Tuesday, 17-SEP-2002
122323.28 DIR .SSH2 Directory
DKC100SMITH.SSH2 AUTHORIZATION.1 1
15-SEP-2002 191553.69 HOSTKEYS.DIR1
1 14-SEP-2002 215434.90 ID_DSA_1024_B.PUB1
2 15-SEP-2002 192113.77 RANDOM_SEED.1
1 14-SEP-2002 191520.54 Total of 4
files, 5 blocks. TYPE .SSH2AUTHORIZATION. key
ID_DSA_1024_B.PUB
28
Example Tunneling with SSH2
MU SSH2 MX1.NWOCA.ORG /LOCAL_FORWARD(2300nwoca
7.nwoca.org23)/allow_remote Welcome to OpenVMS
(TM) Alpha Operating System, Version
V7.3 Authentication successful. Last
interactive login on Tuesday, 17-SEP-2002
123628.06 Last non-interactive login on
Tuesday, 17-SEP-2002 122323.28 ! ! From another
Session PIPE MULTINET SHOW/CONNECTION(ALL,PI)
FILTER 2300 2020EB1C 0 0
LOCALHOST(2300) () telnet
localhost /port2300 Trying... Connected to
LOCALHOST. NWOCA7, Version V7.1 Username
smith Password Welcome to OpenVMS (TM) Alpha
Operating System, Version V7.1 on node NWOCA7
Last interactive login on Tuesday, 16-JUL-2002
133236.78 Last non-interactive login on
Tuesday, 17-SEP-2002 124026.70 show
users/full smith OpenVMS User Processes at
17-SEP-2002 124340.04 Total number of users
1, number of processes 1 Username Process
Name PID Terminal SMITH SMITH
00000547 NTY16 (mx1.nwoca.org)
29
Example Tunneling with SSH2 (contd)
! Or from another system ! C\gt telnet
nwoca.org 2300 NWOCA7, Version V7.1 Username
smith Password Welcome to OpenVMS (TM) Alpha
Operating System, Version V7.1 on node NWOCA7
Last interactive login on Tuesday, 17-SEP-2002
124333.41 Last non-interactive login on
Tuesday, 17-SEP-2002 124026.70
30
More about VPNs