Post on 22-Dec-2015

Update and Discussions on Technology Initiatives

TSAG Meeting 4/11/02

Announcements:

Webmail caching problems: log out of webmail and close the web browser

Webmail Sorting Criteria:

Limiting SMTP Vulnerabilities (4/15/02 4/20/02)

Unification of Majordomo, Vacation, and Campus Account (5/6/02)

DNS Naming and cleanup (coming!)

Topics for Today

Wireless Network Update (Will Trask)
Active-Directory Testing Update (Ed Stark)
Network Access Control
Desktop and Server Standards
Supported OS (Tim Boyle)
Required Software
Desktop Security “Best Practices” (Caleb Fahey)

Goal for Network Access Control

Reduce the amount of SPAM mail
Reduce exposure to copyright infringement
Reduce exposure to DOS attacks
Increase bandwidth to campus community
Increase the integrity of inter- and intra-campus network communications
Increase productivity of all by not dealing with SPAM and other such attacks

To address the LARGE number of current system vulnerabilities!

Approach to Network Security

Steps to Improve Security:
  Security Assessment
  Education (and immediate remedies)
  Policy Generation

Network Policies:
  Today: Anyone at any time from any location can physically connect any server to the network.
  Future?

Paradigms:
  Allow all, deny exceptions
  Deny all, allow exceptions

Current Snapshot

Internet Services housed at CSUN:
  AFS and NFS: 13 + 71
  Kerberos: 41
  Jet Direct: 586
  pcanywhere: 19
  Flexlm: 744
  netbios-ssn: 2279
  loc-srv: 2069
  svrloc: 433
  ldap: 82
  ldaps: 636
  http/s (601+114 + 343(MGMT) 80 (proxy)): 557
  ftp: 648
  telnet: 793
  ssh: 221

Number of Servers: 2703
Number of Ports: 17094
Number of Ports < 1024: 13527

Activities to Address Vulnerabilities:

Attack problem in levels
First step: Focus on campus/internet boundary
Reduce the number of entry points to campus
Reduce the number of exit points to campus
Move towards authenticated and encrypted protocols and applications, e.g., https, ssh
Focus on prominent vulnerabilities, e.g., mail protocols:
  smtp (142 => ~16)
  pop2, pop3, imap2 (155)

Tasks and Next Steps?

ACLs deployed for several colleges/units and for several protocols (snmp, smtp!)
Provide information on:
  Deployed servers on campus
  Required inbound ports for servers
  Required outbound ports for servers
Block all inbound traffic to non-servers (date?)
Block all unwanted traffic to servers (date?)
Recommend and then deploy SSH client (date?)
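Added example (not part of the original slides): a first-match ACL evaluator that builds both paradigms from a server inventory of the kind the tasks above ask for, and lists the flows that "allow all, deny exceptions" still admits but "deny all, allow exceptions" drops. The host names, port sets and flows are constructed for illustration.

```python
ANY = None  # wildcard for the host or port field of a rule

# Constructed inventory: registered server -> required inbound ports.
# Hosts that do not appear here are treated as non-servers (desktops).
INVENTORY = {"mail1": {25, 143}, "www1": {80, 443}, "login1": {22}}
RISKY_PORTS = {25, 161}  # smtp and snmp, the protocols the slides name for ACLs
# Constructed inbound flows seen at the campus boundary: (destination, port).
FLOWS = [("mail1", 25), ("desk42", 25), ("desk42", 23), ("www1", 23),
         ("www1", 443), ("login1", 161), ("desk42", 139)]

def evaluate(rules, default, host, port):
    """First-match evaluation: return the action of the first matching rule."""
    for action, r_host, r_port in rules:
        if r_host in (ANY, host) and r_port in (ANY, port):
            return action
    return default

def default_deny_acl(inventory):
    """Deny all, allow exceptions: one permit per registered (server, port)."""
    return [("permit", host, port)
            for host, ports in sorted(inventory.items())
            for port in sorted(ports)]

def blocklist_acl(inventory, risky_ports):
    """Allow all, deny exceptions: block risky ports except on registered servers."""
    rules = [("permit", host, port)
             for host, ports in sorted(inventory.items())
             for port in sorted(ports & risky_ports)]
    rules += [("deny", ANY, port) for port in sorted(risky_ports)]
    return rules

def compare(inventory, risky_ports, flows):
    """Flows the blocklist ACL admits that the default-deny ACL would drop."""
    permissive = blocklist_acl(inventory, risky_ports)
    strict = default_deny_acl(inventory)
    return [(h, p) for h, p in flows
            if evaluate(permissive, "permit", h, p) == "permit"
            and evaluate(strict, "deny", h, p) == "deny"]

if __name__ == "__main__":
    for host, port in compare(INVENTORY, RISKY_PORTS, FLOWS):
        print(f"only default-deny blocks {host}:{port}")
```

The remaining gap is telnet and netbios-ssn traffic to a desktop and an unregistered telnet port on a server: a blocklist only stops what someone thought to list, while the default-deny ACL is only as good as the inventory behind it.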

Desktop and Server Standards

Goals:
To educate the campus and the IT staffs on the needs for appropriate security controls
To collaboratively define and implement these controls, which will result in
  improved security for the campus computing infrastructure
  reduced workload for the technical staffs
  increased productivity of the end users
To ensure that local autonomy/flexibility is retained via the local IT units

Standards Should Include

Operating Systems (Tim Boyle)
Administrator Access and Passwords
Software requirements?
  Secure Shell
    http://www.macssh.com
    http://www.ssh.com
  Antivirus software
Mail Server Standards?
  Antivirus Filter
  Authenticated SMTP and IMAP
  Directory Aware
Shutdown Policy (ITR Internal Draft)

ITR’s Top Five Practices for NT Administration

1. Eliminate well-known accounts: administrator, guest, ...

2. Only administrators should have administrator privileges

3. Provide a separate and unique administration account for each administrator

Naming convention should be a_<username>

4. All desktops must require login passwords and must enable screen savers

5. Default login name on login prompt should be blank