Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC


Page 1: Security in the NT Environment at SLAC HEPNT at CERN December 4, 1998 Bob Cowles, SLAC

Security in the NT Environment at SLAC

HEPNT at CERN, December 4, 1998

Bob Cowles, SLAC

Page 2: Background

12/04/98 Bob Cowles - SLAC 2

• Over 3000 hosts respond to ping
  – Over 1200 NT machines
  – Over 800 Unix machines

• Business Services Division
  – PeopleSoft Financials & Human Resources
  – WinNT workstations; Oracle DB on Unix

• 150 W/S in central offices

• 50 W/S in departments distributed around the Lab

Page 3: Crisis -> Response

• Serious intrusion in June 1998
  – Over 20 Unix hosts compromised (root)
  – Over 40 user accounts used

• Response
  – Cut off from Internet for a week
  – Changed all passwords
  – Applied deferred security patches
  – Increased packet filtering

Page 4: Challenge - Priorities

• Prevent unauthorized access to business systems and confidential data

• Protect accelerator control systems

• Protect physics data and programs

Page 5: Challenge - Constraints

• Implement security measures consistent with the research mission
  – Open
  – Collaborative

• Credible response to vulnerabilities
  – Password compromise
  – Local admin & "PC" mode of thinking

Page 6: Threat Analysis

• Attack on Oracle DB
  – Alter data
  – Read personal or confidential data
  – Denial of Service

• External Attack

• Internal (authenticated user) Attack

• Adapt to new threats over next 2 years

Page 7: Countermeasures I

• External
  – Filter out NT networking protocols
  – Strengthen passwords (passfilt)

• Internal
  – Emphasize SP3 + Hotfixes
  – Promote SMS and central mgmt tools
  – Proposed significant tightening of all NT W/S

Page 8: Problems I

• General revolt at proposal
  – "Personal Computer"
  – Inadequate support
  – Non-standard configurations
  – Inventive requirements

• One size does not fit all

Page 9: Countermeasures II

• Use Business Services Division as a pilot
  – Significantly increase restrictions on NT
  – Use latest technology to provide:
    • safety
    • functionality

• Examined many alternatives
  – Filtering routers, firewalls, VPNs, IDS, etc.

Page 10: Problems II

• Latest technology is very immature (!) and vendors don't understand it

• Required features are in the next release (RSN)

• Solutions require
  – Lots of inter-group cooperation & coordination
  – Very easy to end up with 3-4 inadequate solutions for the same problem

• BSD (Business Services Division) users are all over the Lab

Page 11: Strawman I

• Use VLANs to put all users "together"

• Very heavy filtering on internal router

• Many users have two workstations
  – One communicates externally & with the rest of the Lab
    • No tight controls on configuration
  – One communicates with PeopleSoft applications
    • Centrally maintained
    • Standard configuration

Page 12: Strawman I (diagram)

[Diagram: Strawman I network. Labelled elements: BSDnet, Rest of SLAC, BSD Domain Cntlr, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserYY, UserXX]

Page 13: Strawman I :-(

• Cost of additional W/S and network equip.

• Fear of “yellow cables”

• Loss of desktop space - user reaction

• Confusing relationship between domains

• Concerns about “piped” cross authentication (e.g. new web browsers)

Page 14: Strawman II (diagram)

[Diagram: Strawman II network. Labelled elements: BSDnet, Rest of SLAC, BSD Domain Cntlr, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserYY, UserXX]

Page 15: Strawman II :-(

• Very difficult to packet filter properly (SQL*Net uses ephemeral ports)

• Possible performance issues with Two-tier PeopleSoft client

• Questionable protection in time of intrusion
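The SQL*Net filtering problem from the first bullet, as an added example that is not part of the original slides: a stateless ACL written for the listener port alone drops the redirected data connection, and the only static fix is to open the whole ephemeral range towards the database host. Assumed: the constructed addresses and the listener-redirect behaviour described in the docstring.

```python
"""Why a stateless packet filter struggles with SQL*Net (added illustration).

Assumption (not stated on the slides): the Oracle listener accepts the client's
first connection on TCP 1521 and then redirects the client to an ephemeral
server port, so the real session is a second connection whose destination
port is not known when the filter rules are written.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ORACLE_DB = "10.0.1.10"     # constructed address of the Oracle server on Unix
BSD_WS_NET = "10.0.2.0/24"  # constructed range of the BSD NT workstations


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_net: str   # permitted source prefix
    dst: str       # permitted destination host
    ports: range   # permitted destination ports (half-open range)


def permitted(rules, flow):
    """Stateless ACL: permit the flow if any rule matches, otherwise drop it."""
    src = ip_address(flow.src)
    return any(src in ip_network(r.src_net) and flow.dst == r.dst
               and flow.dport in r.ports for r in rules)


def sqlnet_session(client, redirect_port):
    """The two flows of one SQL*Net session under the redirect assumption."""
    return [Flow(client, ORACLE_DB, 1521), Flow(client, ORACLE_DB, redirect_port)]


def session_works(rules, client, redirect_port):
    return all(permitted(rules, f) for f in sqlnet_session(client, redirect_port))


def exposed_ports(rules, dst):
    """Number of distinct destination ports the ACL opens towards dst."""
    opened = set()
    for r in rules:
        if r.dst == dst:
            opened.update(r.ports)
    return len(opened)


# Tight ACL: only the listener port.  Wide ACL: listener plus the ephemeral range.
STRICT = [Rule(BSD_WS_NET, ORACLE_DB, range(1521, 1522))]
WIDE = STRICT + [Rule(BSD_WS_NET, ORACLE_DB, range(1024, 65536))]
```

The wide ACL makes the session work only by opening tens of thousands of ports towards the database host, which is the trade-off behind the slide's last bullet.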

Page 16: Strawman III (diagram)

[Diagram: Strawman III network. Labelled elements: BSDnet, Rest of SLAC, WTS Server, BSD Domain Cntlr, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserYY, UserXX]

Page 17: Strawman III :-(

• Still problems during/immediately after an intrusion
  – Mission critical functions
  – Access to BIS web server required

• WTS is new technology
  – What if it fails?
  – What if it can't handle the load?

Page 18: Plan A (diagram)

[Diagram: Plan A network. Labelled elements: BSDnet, Secure BSDnet, Rest of SLAC, WTS+Citrix Farm, BSD Domain Cntlr, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserMC, UserYY, UserXX]

Page 19: Plan A - Intrusion (diagram)

[Diagram: Plan A network during an intrusion; two links are marked "Air Gap". Labelled elements: BSDnet, Secure BSDnet, Rest of SLAC, WTS+Citrix Farm, BSD Domain Cntlr, Data Warehouse, BIS Web Server, Test PeopleSoft, Prod PeopleSoft, FDDI, User01, UserMC, UserYY, UserXX]

Page 20: Plan A :-)

• Mission critical work can be done using what works now

• WTS+Citrix provides additional flexibility and security options

• Token cards will provide two-factor authentication

• IDS will watch for what gets past filters


Page 21: Current Status

• Testing WTS farm with live users

• Developing specifications for configuration of user machines (apps, registry, etc.)

• Network hardware being installed

• Estimated completion - April 1

Page 22: Comments?

• What have we overlooked?

• What are YOU doing in this area?

• How do you handle user-administered W/S?

• Feedback is appreciated!

[email protected]