library security issues

Library Security Issues. Marshall Breeding, Director for Innovative Technologies and Research, Vanderbilt University. http://staffweb.library.vanderbilt.edu/breeding. Alaska Library Association Annual Conference, February 24, 2006.

Page 1: Library Security Issues

Library Security Issues

Marshall Breeding

Director for Innovative Technologies and Research

Vanderbilt University

http://staffweb.library.vanderbilt.edu/breeding

Alaska Library Association Annual Conference February 24, 2006

Page 2: Library Security Issues

Library Security Issues, Feb 24, 2006

The Threat

Hacking: unauthorized access to servers and workstations on your network

DoS: Denial of service: impedes legitimate access to your services

Worms: self-perpetuating attacks that spread among vulnerable systems

Viruses: Unauthorized program attached to a legitimate program (typically e-mail)

Page 3: Library Security Issues

Security threats

Volume of attacks increasing

Sophistication of attacks increasing

Maliciousness of attacks has been far less than what might be possible in the future.

Commercial motivations: find ways to distribute SPAM and deliver hits to Web sites

Tools for creating attacks are becoming easier to use; “script kiddies” abound, but:

Fewer script kids, more professional code jockeys.

More 0-day scenarios: exploits available before security patches are available.

Page 4: Library Security Issues

Consequences

Lost data

Interruption of services

Reveal personal data about library users

General loss of productivity

Staff time for system administrators in recovery

Institutional embarrassment

Page 5: Library Security Issues

Library Security Issues

Same concerns as commercial businesses and other organizations—no less of an issue

Protect the privacy of your library users

Protect your library’s services and data

Don’t let library systems become a jumping-off point for hackers to other networks or computers

Libraries are perceived as “an easy mark”

Page 6: Library Security Issues

Targets

Servers

Operating System

Network services – Web, email, DNS, NFS, etc.

Applications: ILS, other database applications

Workstations – Less of a distinction today between servers and workstations

Page 7: Library Security Issues

Security domains

Server / Workstation

Departmental

Enterprise Level

Page 8: Library Security Issues

Develop Multiple Tiers of Security

Server / Workstation: Each individual computer must be well secured

Enterprise – protect the network as a whole

Departmental – enforce additional security measures appropriate to departmental needs

Page 9: Library Security Issues

Server & Workstation Security

Protecting systems individually

Page 10: Library Security Issues

Server / Workstation

Protect the individual computer

Even if other layers of security protection fail, each computer on the network is well protected.

Page 11: Library Security Issues

Operating System Security

Maintain an up-to-date operating system

Take advantage of automatic notification and updating services

Proactively monitor vulnerability reports

Install security-related patches expeditiously

Use personal firewalls

Part of Windows XP

Page 12: Library Security Issues

Operating System Security

Use only what you need

Every network service and application requires attention to security

Install selectively

Check / Verify services and subsystems

Uninstall non-essential services
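
One way to carry out the "Check / Verify services" step, as an added example that is not part of the original slides: compare the listening TCP sockets on a server with an approved list and report everything else for review. The sample output (in the style of `ss -H -tlnp`) and the approved list are constructed assumptions.

```python
# Added example: compare listening TCP sockets with an approved-service list.
# SAMPLE is constructed output in the style of `ss -H -tlnp`; APPROVED is an
# assumed policy for a small library web/ILS server.
import re

APPROVED = {22: "sshd", 443: "httpd"}  # port -> expected process (assumption)

SAMPLE = '''\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 *:443 *:* users:(("httpd",pid=1040,fd=4))
LISTEN 0 5 [::]:21 [::]:* users:(("vsftpd",pid=977,fd=3))
LISTEN 0 64 0.0.0.0:2049 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:* users:(("master",pid=1201,fd=13))
'''

# state, recv-q, send-q, local address:port, peer, optional owning process
LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?')


def audit(ss_output, approved=APPROVED):
    """Return (port, address, process, reason) for each listener to review."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        addr, port, proc = m.group(1), int(m.group(2)), m.group(3) or "unknown"
        if addr.strip("[]") in ("127.0.0.1", "::1"):
            continue  # loopback-only listeners are not reachable from other hosts
        if port not in approved:
            findings.append((port, addr, proc, "service not on approved list"))
        elif proc != approved[port]:
            findings.append((port, addr, proc, "unexpected process on approved port"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each finding is a candidate for the "Uninstall non-essential services" step or for an explicit exception in the approved list.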

Page 13: Library Security Issues

Application Security

Make sure that your core business applications (i.e., ILS) run securely and enforce strong protection of all data elements.

Keep the application as current as possible

Work with vendors to ensure tight security.

Page 14: Library Security Issues

Buffer overflows

Both OS and Applications are subject to attacks through buffer overflows

Causes applications to abort, leaving the user at an unknown state.

Often the unknown state has root-level privileges, or can be used to obtain them.

Page 15: Library Security Issues

Account Management

Review all delivered accounts – disable, rename, remove as appropriate

Pay special attention to accounts associated with network services and anonymous access

What account is associated with your Web server? And what are its privileges?

Page 16: Library Security Issues

Password Management

Require the use of strong passwords

Long passwords or pass phrases

Do not use words in any dictionary, including foreign-language dictionaries

Do not use proper nouns

Do not use keyboard patterns

Enforce frequent password changes

Be prepared for staff grumbling
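
The composition rules on this slide, written as a checker (an added example, not part of the original slides). The minimum length, the substitution table and the short word lists are constructed assumptions; a real deployment would load full dictionaries, including foreign-language ones, and a list of names and places.

```python
# Added example: checks a candidate password against the slide's rules.
# MIN_LENGTH, LEET and the word lists are constructed assumptions.
import re

MIN_LENGTH = 14  # assumption: the slide says "long" without giving a number
# Constructed sample lists standing in for real dictionaries and name lists.
DICTIONARY = {"library", "password", "welcome", "bibliothek", "biblioteca"}
PROPER_NOUNS = {"alaska", "vanderbilt", "nashville"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
# Common digit/symbol substitutions: 0->o 1->i 3->e 4->a 5->s 7->t @->a $->s
LEET = str.maketrans("013457@$", "oieastas")


def keyboard_run(pw, run=4):
    """True if pw contains `run` adjacent keys from one row, either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                if seq[i:i + run] in low:
                    return True
    return False


def check_password(pw):
    """Return a list of rule violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    # Compare whole letter runs, before and after undoing substitutions,
    # so "P@ssw0rd2006" is still recognised as "password".
    low = pw.lower()
    runs = set(re.findall(r"[a-z]+", low))
    runs |= set(re.findall(r"[a-z]+", low.translate(LEET)))
    if runs & DICTIONARY:
        problems.append("dictionary word")
    if runs & PROPER_NOUNS:
        problems.append("proper noun")
    if keyboard_run(pw):
        problems.append("keyboard pattern")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd2006", "Vanderbilt-qwerty-99", "vK9#mTq2!rLz8@Wd"):
        print(candidate, check_password(candidate))
```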

Page 17: Library Security Issues

Password vulnerabilities

Never send a password over the network in the clear.

Ensure that all applications use encryption in their login sequences.

Secure passwords must never be exposed to insecure login systems

Require separate passwords for systems that don’t meet this requirement

Page 18: Library Security Issues

Root-level accounts

Must be treated with extraordinary care

At a minimum enforce password requirements used for standard accounts

Do not let system administrators use root/Administrator level accounts for routine activities.

Log in as root only when making system changes that require superuser rights

Page 19: Library Security Issues

Server / Workstation Firewalls

Personal Firewalls

Monitor incoming and outgoing network traffic

Enforces rules for allowed and non-allowed patterns

Port by port security

Application-specific rules

Page 20: Library Security Issues

Personal Firewall examples

Zone Alarm (http://www.zonelabs.com)

Windows servers

Windows Firewall from Microsoft

TCP Wrappers

Unix

Page 21: Library Security Issues

Workstation-level virus protection

Scans incoming mail and files for signatures revealing known viruses and worms

Must be active continuously and updated routinely to be effective

Generally considered to be a secondary layer of protection in organizations that implement enterprise-level scanning.

Page 22: Library Security Issues

Server considerations

Do not run mail clients on network servers

Avoid introducing security problems on a server through a Web client

Web browser needed for installation of server software

Browse only to sites you consider reliable and safe.

Page 23: Library Security Issues

Enterprise-Level Security

Protect the network as a whole

Page 24: Library Security Issues

Network Firewall

Intelligent router that passes traffic based on pre-established rules

Can block traffic on any given ports

Can block traffic to specific computers within the organization

Packet-by-packet analysis

Page 25: Library Security Issues

Denial of Service protection

Most firewalls protect from DoS

Port scanning – outsiders building a network map

Aggressive attacks can flood firewall, effectively creating a DoS

Logging of attacks is helpful, but often needs to stop during an aggressive attack to avoid flooding.

Page 26: Library Security Issues

Enterprise Network Security Architecture

Trend toward managing security on the enterprise level

Divides the network into security zones

Enforced through VLANs

Internal firewalls

Page 27: Library Security Issues

Limit / Eliminate Network Sniffing

Ethernet allows for promiscuous mode for packet viewing

Shared media Ethernet exposes entire segment

Switched Ethernet limits what a packet sniffer can view.

Organizations moving toward switched Ethernet

Page 28: Library Security Issues

Firewall Placement

Perimeter control established through primary Internet router

Many internal zones are just as threatening as Internet

Internal firewalls often established to protect highly sensitive computing systems from the general-purpose network

Page 29: Library Security Issues

Virtual Private Networks

Offer end-to-end encryption across insecure security zones

Often works in conjunction with firewalls.

VPN client: communicates with VPN application on a firewall or server to establish a secure channel of communications.

Page 30: Library Security Issues

Enterprise Virus protection

Eliminate viruses and other malicious attacks at the perimeter of the network

Move toward centralized mail services

Scanning performed before messages enter the mail delivery system

Example: Trend Micro

Trend toward security appliances that perform spam filtering, virus protection, bandwidth shaping and other security-related features.

Page 31: Library Security Issues

Enterprise Virus protection

Much more effective than workstation-level utilities

Uses sophisticated detection systems that can be updated very frequently.

Less reliant on human intervention

Virtually eliminates the possibility of a virus making its way to the workstation

Not fool-proof

Page 32: Library Security Issues

Departmental Security

Each department or unit within an organization should assess the security needs appropriate to its role or mission.

Libraries may need zones that offer more open access than the enterprise

May have other specialized concerns with security implications: Public access computing, internet filtering, etc.

Page 33: Library Security Issues

Departmental services

What services should be provided by the department and what services should be provided by the enterprise?

Most organizations moving more toward supplying network services at the enterprise level

Mail, file services, DNS, etc.

Only specialized applications run by departments

ILS

Many organizations moving away from all departmental computing in favor of the enterprise

The network is as secure as its weakest links

Page 34: Library Security Issues

Library-specific issues

Page 35: Library Security Issues

Library Security

Libraries need to operate within the security standards of their higher level IT support organizations

Libraries have some security requirements often not well understood by IT

Public-access computing challenging from a security perspective

Page 36: Library Security Issues

Public workstation security

Many products and techniques for “securing” public workstations

Deal more with inhibiting tampering than with ensuring networking security

Don’t trust what happens on workstations with anonymous unauthenticated access regardless of the level of anti-tampering control

Segregate public computing from staff computing
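
The pre-established, port-by-port rules of the Network Firewall slide, applied to the public / staff segregation recommended here, as an added example that is not part of the original slides. All subnets, the ILS address and the rule set are constructed assumptions; the second function reports rules that can never fire because of their position in the list.

```python
# Added example: first-match packet filter separating public and staff zones.
# All subnets, hosts, ports and rules are constructed assumptions.
from ipaddress import ip_address, ip_network

PUBLIC = ip_network("10.20.0.0/24")  # public-access workstations and wireless
STAFF = ip_network("10.10.0.0/24")   # library staff workstations
ILS = ip_network("10.10.0.5/32")     # ILS server inside the staff zone
ANY = ip_network("0.0.0.0/0")

# (action, source, destination, destination port or None for any port)
RULES = [
    ("allow", PUBLIC, ILS, 443),    # public catalog access over HTTPS only
    ("deny", PUBLIC, STAFF, None),  # nothing else from public into staff
    ("allow", STAFF, ANY, None),    # staff may reach anything
    ("allow", PUBLIC, ANY, 80),     # public web browsing
    ("allow", PUBLIC, ANY, 443),
]


def decide(src, dst, dport, rules=RULES):
    """Return the action of the first matching rule; the default is deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, port in rules:
        if s in src_net and d in dst_net and port in (None, dport):
            return action
    return "deny"


def shadowed(rules=RULES):
    """Indexes of rules that never fire because an earlier rule covers them."""
    hits = []
    for i, (_, s, d, p) in enumerate(rules):
        for _, es, ed, ep in rules[:i]:
            if s.subnet_of(es) and d.subnet_of(ed) and ep in (None, p):
                hits.append(i)
                break
    return hits


if __name__ == "__main__":
    print(decide("10.20.0.7", "10.10.0.5", 443))   # public -> ILS catalog
    print(decide("10.20.0.7", "10.10.0.44", 445))  # public -> staff PC
    print(shadowed([RULES[1], RULES[0]]))          # deny placed before allow
```

Swapping the first two rules silently blocks the public catalog, which is the ordering mistake `shadowed` is there to catch.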

Page 37: Library Security Issues

[Diagram: Library Network With Public / Staff Separation. Labeled components: Router, Router / Firewall, Ethernet Switch (three), Access Point, Public Access Workstations, Library Staff Workstations.]

Page 38: Library Security Issues

Final thoughts

Good security is expensive and time-consuming

Requires constant attention

Necessary overhead for organizations like libraries that provide network-based services

Shouldn’t stymie the organization

Page 39: Library Security Issues

Questions / Discussion

Marshall Breeding

http://staffweb.library.vanderbilt.edu/breeding