Security At NCAR


National Center for Atmospheric Research (NCAR), slide 1

Security At NCAR

Pete Siemsen

National Center for Atmospheric Research

November 22, 1999


NCAR’s Environment

• Academic research institution
• But no students
• Collaboration with 63 member Universities
• ~1500 university (external) users
• Diverse, widespread field projects
• ~2500 networked devices internal to NCAR
• ~1500 internal users


Obstacles to Security

• Security not taken seriously
• Considered low priority (few resources)
• Doesn’t mesh well with NCAR’s goals
• Security is a lose-lose proposition!
• Too little security: it’s your fault
  · We got hacked, you should’ve done more
• Too much security: it’s your fault
  · I can’t get my work done, you should do less
• When it works, no one notices


Motivation to Get Serious About Security

• We experienced increasing malicious attacks
• More hackers hacking
• Availability of hacker “kits”
  · Easy to get
  · Don’t require network expertise
    – (URLs will be shown later ;-)
• We had some strong advocates


Getting Started


NCAR Security Committee

• We created a committee to develop policy
• Sysadmins from all NCAR Divisions
• Policy process delivers institutional buy-in
• 2-hour meetings once a month
• Lots of cooperation, little authority


The Security Policy

• Need a policy that defines
  · vulnerabilities
  · how much security is needed
  · level of inconvenience that is tolerable
  · solutions
• We recommended a full-time Security Administrator for the institution
• http://www.ncar.ucar.edu/csac


Define Scope of Problem

• Decide which types of attacks are problems
• Examples:
  · Hacker spoofing of source IP address
  · Hacker scanning for weaknesses
    – TCP/UDP ports, INETD services
  · Hackers sniffing passwords
  · Hacker exploitation of buggy operating systems
    – Inconsistent/tardy OS patching


Define Scope of Solution

• What we won’t do
  · Not feasible to secure every computer
  · Over-reliance on timely OS security fixes
  · Can’t prohibit internal “personal” modems
  · Attacks from within aren’t a big problem
• What we will do
  · Reduce external attacks from the Internet


Basic Solutions at NCAR

• One-time passwords
• Switched LANs
• Router packet filtering
• Application-proxy gateways


One-Time Passwords


One-time Passwords

• A.K.A. Challenge-Response
• Requires little calculator things (~$50 each)
• Prevents password sniffing
• We use it on critical devices
  · Routers, ATM Switches, Ethernet Switches, Remote Access Servers, Server hosts (root accounts)
• At the least, do this!
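The slides do not say which one-time-password scheme NCAR's tokens implement. As an added illustration (not NCAR's code), the S/Key-style hash chain below shows why a password sniffed off the wire is useless to a replayer: the server only ever accepts the preimage of the last password it saw. Class and function names are my own.

```python
import hashlib
import hmac
import os

def hash_chain(seed: bytes, n: int) -> bytes:
    """Apply the one-way function n times: p_n = H(H(...H(seed)))."""
    value = seed
    for _ in range(n):
        value = hashlib.sha256(value).digest()
    return value

class OtpToken:
    """The user's 'little calculator': holds the secret seed and counts down."""
    def __init__(self, seed: bytes, chain_length: int):
        self._seed = seed
        self._remaining = chain_length
    def next_password(self) -> bytes:
        self._remaining -= 1                  # each password is used exactly once
        return hash_chain(self._seed, self._remaining)

class OtpServer:
    """The router or host being logged into. It stores only the most recently
    accepted password p_k and accepts p_(k-1), because H(p_(k-1)) == p_k. It
    never holds the seed, so a stolen server record cannot produce passwords."""
    def __init__(self, last_password: bytes):
        self._last = last_password
    def verify(self, candidate: bytes) -> bool:
        ok = hmac.compare_digest(hashlib.sha256(candidate).digest(), self._last)
        if ok:
            self._last = candidate            # advance the chain by one step
        return ok

def enroll(chain_length: int = 100, seed: bytes = None):
    """Enrollment: token gets the seed, server gets only the chain's top p_n."""
    seed = seed or os.urandom(32)
    return OtpToken(seed, chain_length), OtpServer(hash_chain(seed, chain_length))

def sniffed_replay_fails() -> bool:
    """A password captured on the wire is worthless once used: the server has
    moved to it and now expects its preimage, which the sniffer cannot compute."""
    token, server = enroll()
    p1 = token.next_password()
    first_login = server.verify(p1)
    replay = server.verify(p1)                # constructed replay of the sniffed value
    second_login = server.verify(token.next_password())
    return first_login and not replay and second_login
```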


Switched LANs


Switched LANs

• Reduces packet eavesdropping
• Get this for “free” with switched network


Packet Filtering


Router-Based Filters

• Used to construct router-based firewall around your internal network
  · (and/or between internal networks)
• Main security implementation tool
• Routers check each inbound packet against filter criteria and accept or reject
• Filters reject dangerous packets
• Filters accept all useful packets


Packet Filtering At NCAR

• Cisco access-lists filter on
  · IP address source, destination, ranges
  · Interfaces: inbound and/or outbound
  · Protocols, TCP ports, etc.
• We filter only inbound packets
• Performance is an issue
  · We have Cisco 7507 routers
  · Using RSP4 CPUs


Filter Stance: Strong or Weak?

• Strong
  · Deny everything, except for the good stuff
• Weak
  · Allow everything, except for the bad stuff
• NCAR chose a Strong stance


Firewall Flexibility Needed

• Some NCAR Divisions wanted...
  · All hosts on some subnets to be “outside” firewall
  · Just some hosts “outside” firewall in each subnet
• Our solution…
  · Some whole IP subnets bypassed by firewall filters
  · Part of every IP subnet bypassed by firewall filters


Firewall Flexibility Needed (cont.)

• Excluded/bypassed subnets are called exposed subnets; all others are called protected subnets
• Excluded/bypassed hosts are called exposed hosts; all other hosts are called protected hosts
• “protected” means NO connections are allowed from outside the firewall


Implementing Flexibility

• Rules to define exposed subnets
• Filters bypass all hosts on selected subnets
  · permit ip any 128.117.1.0 0.0.0.255
• One of these rules for each exposed subnet
• This works best when subnets are assigned according to organizational topology


Implementing Flexibility (cont.)

• Rules to define exposed hosts
• Bypass a fixed set of hosts on all subnets
  · permit ip any 128.117.0.0 0.0.255.15
• Divisions had to re-address some hosts before the filter was installed
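The exposed-subnet and exposed-host rules above, evaluated the way an IOS inbound access-list evaluates them, as an added example (not NCAR's real 41-rule list): a Cisco wildcard mask is not a netmask, and a non-contiguous mask such as 0.0.255.15 is what lets one rule expose hosts .0 through .15 of every 128.117.x.0/24 subnet. The spoofing rule's text, the sample packets and all names are assumptions of mine; the slides give only the rule's hit count.

```python
import ipaddress
from dataclasses import dataclass

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask match: a 1 bit in the wildcard means 'don't care'.
    0.0.255.15 = any third octet, any value in the low 4 bits of the fourth."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) & 0xFFFFFFFF == (b & ~w) & 0xFFFFFFFF

@dataclass
class Rule:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol
    src: tuple    # (base, wildcard)
    dst: tuple    # (base, wildcard)
    note: str     # label matching the hit counters on the slides

ANY = ("0.0.0.0", "255.255.255.255")

# Inbound list on the Internet-facing interface, strong stance: drop packets
# claiming an internal source (spoofing; rule text assumed), permit the exposed
# subnet and exposed hosts from the slides, then deny everything else.
INBOUND_ACL = [
    Rule("deny",   "ip", ("128.117.0.0", "0.0.255.255"), ANY, "spoofing"),
    Rule("permit", "ip", ANY, ("128.117.1.0", "0.0.0.255"), "exposed subnet"),
    Rule("permit", "ip", ANY, ("128.117.0.0", "0.0.255.15"), "exposed hosts"),
    Rule("deny",   "ip", ANY, ANY, "catchall"),
]

def evaluate(acl, proto: str, src: str, dst: str):
    """First matching rule wins, as in an IOS access-list; an unmatched
    packet hits the implicit deny at the end of every list."""
    for r in acl:
        if r.proto != "ip" and r.proto != proto:
            continue
        if wildcard_match(src, *r.src) and wildcard_match(dst, *r.dst):
            return r.action, r.note
    return "deny", "implicit deny"

if __name__ == "__main__":
    # Constructed sample packets (192.0.2.0/24 is documentation address space).
    for pkt in [("tcp", "192.0.2.10", "128.117.1.200"),   # exposed subnet
                ("tcp", "192.0.2.10", "128.117.50.7"),    # exposed host (.0-.15)
                ("icmp", "192.0.2.10", "128.117.50.20"),  # ping to protected host
                ("ip", "128.117.9.9", "128.117.1.5")]:    # spoofed internal source
        print(pkt, "->", evaluate(INBOUND_ACL, *pkt))
```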


Example Filter Statistics

• 41 lines (rules) in NCAR’s access-list
• Hits, 28 days after filter was installed:
  · 3 MP denied because of spoofing
  · 17 MP denied because of “catchall”
  · 71 MP permitted to exposed networks
  · 100 MP permitted to exposed hosts


Exposed Hosts

• Example: Web servers, data source machines, etc.
• Must meet stringent security standards to avoid being compromised and used as launch pads for attacking protected hosts
  · OS restricts set of network services allowed
  · Must keep up with OS patches


Application-Proxy Gateways


What They Are & Do

• Provides proxy access to protected hosts for insecure services like FTP, Telnet, X11
• Central access and monitoring point
• Authenticates users
• OS is kept VERY secure
  · Patches kept up to date
  · Unneeded services turned off
  · No “direct” use by users


Security Administrator


Security Administrator

• Provides focus for security for the entire institution
• Helps deal with break-ins
• Central point of contact
• Tracks CERT advisories for sysadmins
• Advocates security solutions, like ssh
• Scans exposed hosts for standards violations
• Generally helps/educates sysadmins


Impacts of NCAR’s Security


Benefits

• >95% of NCAR hosts are protected
• Outbound Telnet, HTTP, etc. still work
• Most users don’t notice any changes
• Relatively cheap and easy
• Dial-in users are “inside”, no changes


Drawbacks

• UDP is blocked
• Some services are no longer available
  · Inbound pings are blocked !!!
  · To use FTP, must use passive mode, or use an exposed host, or proxy through the Gateway
  · DNS and email can get REAL complicated


Drawbacks (cont.)

• Password sniffing still possible outside of firewall

• Ignores attacks from within
• Modems in offices are a huge hole
  · Bypasses authentication in our secure modem pool


Wrapup


Security is Never “Done”

• How do you know if you’re being hacked?
  · “Silent” attacks very hard to detect
  · “Noisy” attacks hard to distinguish from other network (or host) problems
• Network keeps changing
• Software keeps changing
• Hackers keep advancing


Security is Never “Done” (cont.)

• Policy and security mechanisms must keep

• Security committee continues to meet


Conclusion

• NCAR struck a balance between:
  · Convenience and Security
  · Politics and Technology
  · Cost and Quality
• Seems to work for us
• Installed it “just in time”
  · Filters were installed just as attacks were getting unbearable
