tsag meeting 3/14/02 update on current technology initiatives
Post on 22-Dec-2015
TSAG Meeting 3/14/02
Update on Current Technology Initiatives
Overview
• Announcements:
– Account Maintenance System (March 8, 2002)
– SIMS/R Forms http://simsrforms.csun.edu
– Limiting SMTP Vulnerabilities (Proposed March 29, 2002)
• Directory Initiative
• Desktop and Server Security Issues (Caleb Fahey)
• Wireless Initiative (Will Trask)
• Network Access Control (Will Moran)
Directory Initiative
Goals:
• To provide users with a single user-name and password for all IT resources
– improve system security via strong authentication
– reduce account management overhead
– simplify end-user problems
• To allow IT units to specify who may access their resources (i.e., units specify authorization)
• To engineer a system that works with existing local IT system protocols and procedures
Technical Challenges
• To correlate existing database information into a single source
• To unify the various IT account systems
• To engineer a system that works with: Macs, Microsoft, Novell, and Unix systems
From Many To …
/etc/passwd
/etc/aliases
SIMS/R
PeopleSoft HR
ECS
A&F NDS
Library
Campus Phone Directory
Majordomo
~dlt/aliases
~dlt/*.vbars
password.account
In Production:
• CSUN1 Authentication
• findalias
• finduser
• Modem Pool
• Wireless Network
• Webmail
Next up:
• Majordomo Authentication
• Vacation Authentication
• Mail Client: Find People
Being Discussed/Planned:
• PeopleSoft Authentication
• A&F NDS tree
Directory Aware Services
Authentication, Authorization, & Information Lookup
Outlook: Find People
Top-Level DIT Layout
O=CSUN
├─ ou=Authentication
│  ├─ ou=Users
│  └─ ou=Groups
├─ ou=Library
└─ ou=ECS
Approaches to Delegate Control
• Mirror
– Unit copies all authentication objects
– Unit augments objects with authorization information
• Referral (ldaps://hostname)
– Unit relies on central infrastructure
– Authentication and authorization information stored with single user object
• Alias
– Each Unit user is an authorization object with a referral to authentication object
– Works in theory!
Distributed, Replicated Architecture
eDirectory (edir.csun.edu)
iPlanet (idir.csun.edu)
OpenLDAP (odir.csun.edu)
ActiveDir. (adir.csun.edu)
http://www.csun.edu/account
dir.csun.edu:636
ldaps.csun.edu:636
ldap.csun.edu:389
[Diagram: Distribution LDAP Server, Encryption Modules]
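The "Alias" approach above (a unit-owned authorization object that refers to the single central authentication object) can be modelled in a few dozen lines. The following Python is an added example, not CSUN's directory code and not the code of any product on the slide; it keeps a constructed in-memory DIT keyed by DN, and the DNs, attribute names, users and passwords are assumptions. The hostname ldaps.csun.edu:636 is the one the slide names. The check worth noticing is in `resolve`: a referral is chased only if it points at the central host over ldaps, so a bind never travels in the clear or to a server the unit did not intend.

```python
# Added example (not CSUN's directory code): toy model of the "Alias" delegation
# approach.  A unit (ou=Library, ou=ECS) keeps an authorization object per user
# that carries an LDAP referral ('ref') to the single central authentication
# object under ou=Authentication.  DNs, attributes and users are constructed.
import base64
import hashlib
import hmac
from urllib.parse import urlparse, unquote

SALT = b"c0nstr"  # constructed salt for the sample password hashes


def ssha(password: str, salt: bytes = SALT) -> str:
    """RFC 2307 style {SSHA} userPassword: base64(sha1(password + salt) + salt)."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify_ssha(password: str, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


CENTRAL = "ou=Authentication,O=CSUN"
CENTRAL_HOSTS = {"ldaps.csun.edu"}  # the only servers a referral may point at (from the slide)
MAX_HOPS = 3

# Constructed sample DIT, keyed by DN.
DIRECTORY = {
    f"uid=jdoe,ou=Users,{CENTRAL}": {
        "objectClass": ["person", "posixAccount"],
        "userPassword": [ssha("correct horse")],
    },
    f"uid=asmith,ou=Users,{CENTRAL}": {
        "objectClass": ["person", "posixAccount"],
        "userPassword": [ssha("battery staple")],
    },
    # Library's authorization object for jdoe: refers to the central entry over ldaps.
    "uid=jdoe,ou=Library,O=CSUN": {
        "objectClass": ["referral", "extensibleObject"],
        "ref": [f"ldaps://ldaps.csun.edu:636/uid=jdoe,ou=Users,{CENTRAL}"],
        "libraryRole": ["circulation"],
    },
    # ECS's object for asmith refers over plain ldap:// (the slide specifies ldaps).
    "uid=asmith,ou=ECS,O=CSUN": {
        "objectClass": ["referral", "extensibleObject"],
        "ref": [f"ldap://ldaps.csun.edu:389/uid=asmith,ou=Users,{CENTRAL}"],
        "ecsLab": ["jd-2101"],
    },
}


def parse_ref(ref: str):
    """Split an LDAP URL into (scheme, host, dn)."""
    url = urlparse(ref)
    return url.scheme, url.hostname, unquote(url.path.lstrip("/"))


def resolve(dn: str, hops: int = 0):
    """Return (dn, entry) of the authentication object, chasing referrals safely."""
    entry = DIRECTORY.get(dn)
    if entry is None:
        raise LookupError(f"no such object: {dn}")
    if "referral" not in entry["objectClass"]:
        return dn, entry
    if hops >= MAX_HOPS:
        raise LookupError("referral chain too long")
    scheme, host, target = parse_ref(entry["ref"][0])
    if scheme != "ldaps":
        raise LookupError(f"referral must use ldaps, got {scheme}")
    if host not in CENTRAL_HOSTS:
        raise LookupError(f"referral to untrusted host {host}")
    return resolve(target, hops + 1)


def check_access(unit: str, uid: str, password: str) -> dict:
    """The unit decides authorization (does an object exist?); the central
    directory decides authentication (does the password verify?)."""
    unit_dn = f"uid={uid},ou={unit},O=CSUN"
    unit_entry = DIRECTORY.get(unit_dn)
    if unit_entry is None:
        return {"allowed": False, "reason": "not authorized by unit"}
    try:
        auth_dn, auth_entry = resolve(unit_dn)
    except LookupError as err:
        return {"allowed": False, "reason": str(err)}
    if not verify_ssha(password, auth_entry["userPassword"][0]):
        return {"allowed": False, "reason": "bad password"}
    authz = {k: v for k, v in unit_entry.items() if k not in ("objectClass", "ref")}
    return {"allowed": True, "authenticated_as": auth_dn, "authorization": authz}


if __name__ == "__main__":
    print(check_access("Library", "jdoe", "correct horse"))
    print(check_access("ECS", "asmith", "battery staple"))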
Desktop and Service Security Issues
Goals:
• To educate the campus and the IT staffs on the needs for appropriate security controls
• To collaboratively define and implement these controls, which will result in
– improved security for the campus computing infrastructure
– reduced work load for the technical staffs
– increased productivity of the end users
• To ensure that local autonomy/flexibility is retained via the local IT units
Standards Include?
• Administrator Access and Passwords
• Software requirements?
– Secure Shell
• http://www.macssh.com
• http://www.ssh.com
– Antivirus software
• Shutdown Policy
• Mail Server Standards?
– Antivirus Filter
– Authenticated SMTP
– Directory Aware
Mail Servers
• SMTP Vulnerabilities (2/15): Inbound: 192, Outbound: 256x256
• Identified Mail Servers (3/2): imap.csun.edu, alpha.ecs.csun.edu, ppm.csun.edu, std-affairs.csun.edu, jacek.csun.edu, admsvcs.csun.edu, jour.csun.edu, sundial.csun.edu, jour1.csun.edu, codes.csun.edu, sauron.csun.edu, ncod.csun.edu, akala.csun.edu, sunspot.csun.edu, galileo.csun.edu, davinci.csun.edu
• SMTP Vulnerabilities (Proposed 3/29): Inbound: 16, Outbound: 16+1
Wireless Initiative
http://www.csun.edu/wireless
• Purpose: To provide flexible and secure access to the Internet via portable devices
• Services:
– Web: http and https
– Mail: smtp to smtp.csun.edu
– SSH: to the world
– Virtual Private Network (VPN) for the future!
• Status:
– Pilot phase well underway
– Campus wide test in April
– Anticipated production services in the fall
Wireless Zones Today
• Sierra Quad
• Oviatt Lawn
• Sequoia Hall
• Engineering
• Exchange
• Business/Education
• Student Services
Wireless Zones in May
• University Hall
• Oviatt Library (4th)
• Sierra Hall
• Jerome Richfield
• Bookstore
• Athletics Fields
And a whole lot more to follow!
Network Access Control
• Reduce the amount of SPAM mail
• Reduce exposure to copyright infringement
• Reduce exposure to DOS attacks
• Increase bandwidth to campus community
• Increase the integrity of inter- and intra-campus network communications
• Increase productivity of all by not dealing with SPAM and other such attacks
Approach
• Paradigms:
– Allow all, deny exceptions
– Deny all, allow exceptions
• Attack problem in levels
• First step: Focus on campus/internet boundary
– Reduce the number of entry points to campus
– Reduce the number of exit points to campus
• Move towards authenticated and encrypted protocols and applications, e.g., https, ssh
Tasks
• ACLs deployed for several colleges/units and for several protocols (snmp, smtp!)
• Provide information on (date?):
– Deployed servers on campus
– Required inbound ports for servers
– Required outbound ports for servers
• Block all inbound traffic to non-servers (date?)
• Block all unwanted traffic to servers (date?)
• Recommend and then deploy SSH client (date?)
[Diagram: ftp, ssh, http/s, irc/s]
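The two paradigms under "Approach" and the task list above (an inventory of deployed servers with their required inbound and outbound ports, then blocking everything else at the campus/internet boundary) can be expressed as a small policy evaluator. The Python below is an added example, not CSUN's ACL configuration; the campus prefix, host addresses and port assignments are constructed, and the two hostnames borrowed from the mail-server slide are only labels here. It also shows why the slide's SMTP numbers shrink under deny-by-default: `smtp_exposure` counts how many campus hosts would accept inbound SMTP from outside under each paradigm.

```python
# Added example (not CSUN's configuration): boundary ACL model for the two
# paradigms on the slide.  Addresses use documentation prefixes and are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("192.0.2.0/24")  # constructed stand-in for the campus prefix
SMTP, SSH, HTTP, HTTPS, SNMP, IMAP = 25, 22, 80, 443, 161, 143

# Constructed server inventory ("deployed servers, required inbound/outbound
# ports").  The hostnames appear on the slide; addresses and ports are assumptions.
SERVERS = {
    "192.0.2.10": {"name": "imap.csun.edu", "inbound": {SMTP, IMAP, HTTPS}, "outbound": {SMTP}},
    "192.0.2.20": {"name": "sundial.csun.edu", "inbound": {SSH, HTTP, HTTPS}, "outbound": set()},
}
# Ports any campus host may use outbound (the encrypted/authenticated protocols
# the slide moves towards, plus plain http).
GENERAL_OUTBOUND = {SSH, HTTP, HTTPS}


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    dport: int  # destination TCP port


def direction(flow: Flow) -> str:
    src_in = ip_address(flow.src) in CAMPUS
    dst_in = ip_address(flow.dst) in CAMPUS
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return "internal"


def allow_all_deny_exceptions(flow: Flow, blocked=frozenset({SNMP})) -> bool:
    """Paradigm 1: everything crossing the boundary is permitted except listed ports.
    Every host is reachable on every other port, whether or not it is a server."""
    return direction(flow) == "internal" or flow.dport not in blocked


def deny_all_allow_exceptions(flow: Flow) -> bool:
    """Paradigm 2: inbound only to registered servers on their required ports;
    outbound only on general ports, or on a server's registered outbound ports."""
    d = direction(flow)
    if d == "internal":
        return True
    if d == "inbound":
        srv = SERVERS.get(flow.dst)
        return srv is not None and flow.dport in srv["inbound"]
    if flow.dport in GENERAL_OUTBOUND:
        return True
    srv = SERVERS.get(flow.src)
    return srv is not None and flow.dport in srv["outbound"]


def smtp_exposure(policy) -> int:
    """Number of campus hosts that accept inbound SMTP from outside under a policy."""
    probe = "198.51.100.1"  # constructed external address
    return sum(1 for host in CAMPUS.hosts() if policy(Flow(probe, str(host), SMTP)))


if __name__ == "__main__":
    for name, policy in (("allow all, deny exceptions", allow_all_deny_exceptions),
                         ("deny all, allow exceptions", deny_all_allow_exceptions)):
        print(f"{name}: {smtp_exposure(policy)} hosts accept inbound SMTP")
```

Under the first paradigm every one of the 254 hosts in the sample /24 accepts inbound SMTP unless port 25 is added to the exception list; under the second only the one registered mail server does, and a desktop cannot relay mail directly to the outside either, which is the property the "Limiting SMTP Vulnerabilities" announcement is after.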