Post on 19-Dec-2015
Forschungszentrum Karlsruhe in der Helmholtz-Gemeinschaft
Authors: Andreas Lorenz and Thomas Brandel. Revised for the ISSeG Project by Ursula Epting, Bruno Hoeft and Tobias Koenig.
The following presentations have been used for System Administrator training at FZK and are thus specific to that environment. However, many features will be common to most institutes, so the slides could make a good basis for producing customized training material.
IT Security - Regulations and Technical Aspects
Desktop and mobile devices
© Members of the ISSeG Collaboration, 2008 See: http://www.isseg.eu/
Agenda
• Desktop operation
• Mobile devices
Desktop Operation
• Password regulations and management
• Anonymous user accounts
• Security update management
• Antivirus service
• Desktop standards
• How are standards set at FZK?
• Service logon/logoff
Passwords (1)
• Password regulations (excerpt):
– Minimum length in characters: 8
– Complexity: at least 3 of 4 categories
• (A…Z) upper-case letters
• (a…z) lower-case letters
• (0...9) digits
• (!$%#) special characters
• Reasons:
– Prevention of brute force attacks
• A password of 7 characters in length with upper-case and lower-case letters and digits (62 different characters) can be cracked within a maximum of 13 hours with a PowerPC G5-2500 x 4 (given access to the hash values)
• 8 characters take a maximum of 33.5 days
• 9 characters take a maximum of 5.7 years
Passwords (2)
– Prevention of lexicon (dictionary) attacks
• Extensive lists of words are freely accessible on the internet
• Password crackers test combinations of these words with digits and special characters
• More rapid success than with brute force
• “Bad” passwords (although they agree with the regulations):
– Susy333
– summerday1
• “Good” passwords:
– 4s1pynBF! (For such a password you need Brute Force!)
– #Wsw3ma? (#When shall we three meet again?)
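As an added illustration (not from the ISSeG slides), the following Python checks a candidate password against the regulation excerpt above (length, 3 of 4 classes), flags the word-plus-digits pattern behind the slide's “bad” examples using a small constructed word list, and scales the slide's 13-hour figure for 7 characters to the other lengths. The word list, the guess rate derived from that figure, and the test password `Summerday1!` (a constructed variant of the slide's example that passes the complexity rule) are assumptions.

```python
import re
import string

# Policy excerpt from the slides: length >= 8, at least 3 of 4 classes.
MIN_LENGTH = 8
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
# Constructed toy word list (assumption); real crackers use far larger lists.
WORDLIST = {"susy", "summer", "day", "password", "karlsruhe"}
# Slide anchor: 62^7 combinations (A-Z, a-z, 0-9, 7 chars) in at most 13 h
# on the quoted 4x PowerPC G5 box, so the implied worst-case guess rate is:
GUESSES_PER_SECOND = 62 ** 7 / (13 * 3600)


def complies(password: str) -> bool:
    """Does the password satisfy the regulation excerpt (length + 3 of 4 classes)?"""
    if len(password) < MIN_LENGTH:
        return False
    present = sum(1 for chars in CLASSES.values() if set(password) & chars)
    return present >= 3


def looks_dictionary_based(password: str) -> bool:
    """Heuristic for the slide's 'bad' pattern: the letters of the password can be
    split entirely into word-list words. Digits and specials are ignored, which is
    exactly what a word+digits cracking rule does."""
    core = re.sub(r"[^a-z]", "", password.lower())
    if not core:
        return False
    ok = [True] + [False] * len(core)   # ok[i]: core[:i] splits into words
    for i in range(1, len(core) + 1):
        ok[i] = any(ok[j] and core[j:i] in WORDLIST for j in range(i))
    return ok[len(core)]


def brute_force_days(length: int, alphabet_size: int = 62) -> float:
    """Worst-case days to exhaust the key space at the slide's implied rate."""
    return alphabet_size ** length / GUESSES_PER_SECOND / 86400


if __name__ == "__main__":
    for pw in ["4s1pynBF!", "#Wsw3ma?", "Summerday1!", "summerday1"]:
        print(f"{pw:14} complies={complies(pw)} dictionary={looks_dictionary_based(pw)}")
    for n in (7, 8, 9):
        print(f"{n} chars: {brute_force_days(n):.1f} days")
```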
Passwords (3)
• Important: No transmission of passwords in clear text!
– Possibility of “sniffing” on hubs and switches
– No telnet, rlogin, ftp
– Use a current ssh2 on UNIX!
– Use SSL encryption on web servers
• Safe transmission of initial passwords to users
– No unencrypted mail
– Personally or via phone
– Receiver must be authenticated beyond any doubt
Passwords (4)
• Immediately change the default passwords of newly purchased devices
– Extensive lists of default passwords for various devices are available on the internet (routers, switches, storage, ...)
– Default passwords are usually mentioned in the (frequently freely accessible) documentation of the devices
• Do not use any “department-wide” passwords (the same root password for all servers)
– Use a password manager, if applicable (important: encrypted storage)
– Store passwords in a sealed envelope in the safe, if necessary
Passwords (5)
• Miscellaneous:
– No transmission of passwords
– Password hashes must not be accessible to users (/etc/shadow under UNIX)
– Group policies in the Active Directory
– Deactivation of LM hashes by group policy
Anonymous User Accounts
• As a rule, user accounts must be assigned to one person
• If this is not the case, it is an anonymous account
• Regulations (excerpt):
– The user group can be identified by the name (e.g. course013, laboratory, measurement computer)
– Anonymous user accounts may only possess a minimum of functionality and must be justified
– Establish local accounts in the Windows area
– Name a responsible person
• Shared use of files is no reason to establish anonymous accounts, as this can be achieved with access rights
Antivirus Service
Tasks of the Antivirus Service
Antivirus Service (1): Daily Tasks
• Observation of all messages from distribution lists with virus information: CERT list, BSI list, Symantec list
• Check of the websites of antivirus software suppliers
• If new viruses exist, the following steps have to be taken:
• Check whether the antivirus software suppliers make the respective virus definitions available
• If a virus definition is available: immediately check the AV servers and update them if necessary; immediately protect the mail entry and Exchange servers
Antivirus Service (2): Exceptional Cases: Critical Viruses
In case of critical viruses, from category 3: send information describing the virus and its possible impacts; inform about the signature status needed; send the information to organizational units and working groups.
Antivirus Service (3): No Current Virus Definitions Are Available
• Immediately contact the AV software suppliers by phone and mail.
• Immediately contact the Federal Office for IT Security (BSI) by phone and mail.
• (Inform all administrators of the decentralized AV servers.)
• Increase permanent telephone support if necessary (virus phone and staff).
• Constantly check the AV software supplier and BSI websites.
• Check whether service packs or hotfixes may protect.
• Send the information about this to the persons above.
• Activate the hotfix service.
Antivirus Service (4): Other Actions
• Check whether the firewall may intercept the impacts.
• Possibly switch off the mail servers.
• Possibly switch off the internet connection.
• Possibly switch off network segments.
Desktop Standards
• Operating Systems
• Software
• Processes
• Hardware
• Network Services
• Installation Methods
Desktop Standards (1): Rules Related to Desktop PCs
Hardware Procurement: There is a framework contract partner for PCs, monitors, laptops, and accessories. Orders are integrated automatically in the procurement system, and the administrative expenditure is minimized. Delivery, on-site setup, and installation of the systems with a basic system adapted to the site requirements are included in the procurement price.
Software Procurement: The procurement portal is integrated completely in the purchasing system, and the administrative expenditure of the site is minimized.
Desktop Standards (2): Rules Related to Desktop PCs
Operating System: A working group defines operating system standards. This considerably reduces the installation and maintenance expenditure.
Office: Office communication standards are also defined by the IT working group. This considerably reduces the installation and maintenance expenditure.
Browsers: A working group defines browser standards. Web applications shall work perfectly with both standards. For reasons of economic efficiency, exceptions can be made.
Desktop Standards (3): Rules Related to Desktop PCs
Active Directory Integration: A central directory service exists for the Windows PCs. The office communication offerings are based on this service.
Antivirus Software: All desktops and laptops are integrated in the central antivirus domain. This allows for central distribution of virus definitions.
Security Update Management: All Windows desktops and laptops are or shall be integrated in the central security update management. This ensures that security updates and other tested security-relevant programs can be rolled out promptly. This service complements the central antivirus service.
Desktop Standards (4): Rules Related to Desktop PCs
Local Firewall: PCs and laptops which are on the intranet and sometimes in “foreign” networks have to be provided with a personal firewall. It has to be configured such that only the incoming and outgoing connections that are required and explicitly requested by the user are permitted. This regulation applies to computers in “foreign” networks. In case of uncertainty concerning the product and configuration, the products supported by the site have to be used.
Password Regulations: The valid password regulations apply to all person-related user accounts, i.e. also to local users in all operating systems.
Desktop Standards (5): Rules Related to Desktop PCs
LAN Coordination: The allocation and deletion of IP addresses are subject to regulations.
Name Conventions: The computer names (host names) and DNS names are subject to regulations, such that unambiguous identification of the computer is ensured.
PC Service and Repairs: Repairs and installations are performed centrally. This reduces the costs and the expenditure associated with new installations and software maintenance.
How Are IT Standards and IT Solutions Developed?
[Organization chart of the IT governance bodies, reconstructed from the diagram's text boxes]
PC Working Group (Head: N.N.), on behalf of the IT Expert Group
– Composition: administrators of the organizational units, IT security commissioner, data protection commissioner
– Tasks: specification of standards for each organizational unit (HW & SW); platform for information on and discussion of central or site-wide matters; preparation of decision papers for the IT Expert Group; report to the IT Expert Group
Linux Working Group (Head: N.N.), on behalf of the IT Expert Group
– Composition: administrators of the organizational units, IT security commissioner, data protection commissioner
– Tasks: the Linux Working Group is an information and discussion platform for central or other Linux topics; report to the IT Expert Group
IT Expert Group (Head: N.N.), on behalf of the Data Processing Commission of the Scientific-Technical Council
– Composition: IT experts from the organizational units, IT Security and Data Protection Commissioners
– Tasks: specification of IT solutions and IT standards based on the reports of the various working groups, taking into account the interests of the organizational units; advice in the preparation of IT-related in-house agreements; report to the Data Processing Commission
– In cooperation with: Works Council, HR, data protection commissioner, and IT security commissioner (in-house agreements: Art. 1 Subject, Art. 2 Purpose, … regulations for private e-mails, access from outside, remote support, …)
Data Processing Commission (Head: N.N.)
– Composition: appointed and elected members
– Tasks: definition of site-wide regulations and recommendations based on the report; general decisions on the basis of the decision papers
Log-on / Log-off Services
Account, authorized: All (employees and others)
Data inventory: Central database (based on process lists and information from the organizational units, also on external companies)
Account distribution: Directory service for mail, RADIUS, SFU; export to various individual systems
Create account: Manual
Name convention: Family name (-V)
Decentralized administration: Allowed
Delete account: Log-off and change of registration, logical deletion after permit
Log-on concept: Synchronization of log-on data among various systems (one log-on for various services)
Central Database
The central database contains the relevant customer information. It is coupled to the directory service, the Exchange mail system, the telephone database, and the IP administration (QIP).
Agenda
• Desktop operation
• Mobile devices
Mobile Devices (1)
• Mobile devices (notebooks, PDAs) are frequently connected to various networks
– Intranet (directly or via VPN)
– Internet (at home)
– Intranet of another institution
• Risk of the intranet being infected by
– worms
– viruses
– trojans
The infection is “carried across the firewall”
Mobile Devices (2)
• Protection of mobile devices by:
– Anti-virus client
– Personal firewall
• “Sandbox” for the selective isolation of certain applications from the network
• Partial IDS functionality
• Specific blocking or opening of ports
– Constant updating with security patches
Mobile Devices (3)
• Protection of confidential data in case of theft of the mobile device
– Hard disk encryption
– Use of encrypted “containers”
– Secure deletion of confidential data
• Take care when using USB sticks
– Potential infection of the computer with viruses (autostart, etc.)
– Risk of all data being copied from the stick onto the computer
Mobile Devices (4)
• Miscellaneous:
– Activate wireless links only if necessary:
• WLAN
• Bluetooth
• Infrared interface
• GSM / UMTS
Final Remark
Thank you for your attention
Copyright © Members of the ISSeG Collaboration, 2008. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this material except in compliance with the License.
You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, Work distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and limitations under the License.