TSAG Meeting 3/14/02 Update on Current Technology Initiatives.

Posted on 22-Dec-2015



Overview

• Announcements:
  – Account Maintenance System (March 8, 2002)
  – SIMS/R Forms http://simsrforms.csun.edu
  – Limiting SMTP Vulnerabilities (Proposed March 29, 2002)
• Directory Initiative
• Desktop and Server Security Issues (Caleb Fahey)
• Wireless Initiative (Will Trask)
• Network Access Control (Will Moran)

Directory Initiative

Goals:
• To provide users with a single user-name and password for all IT resources
  – improve system security via strong authentication
  – reduce account management overhead
  – simplify end-user problems

• To allow IT units to specify who may access their resources (i.e., units specify authorization)

• To engineer a system that works with existing local IT system protocols and procedures

Technical Challenges

• To correlate existing database information into a single source

• To unify the various IT account systems

• To engineer a system that works with Macs, Microsoft, Novell, and Unix systems

From Many To …

/etc/passwd

/etc/aliases

SIMS/R

PeopleSoft HR

ECS

A&F NDS

Library

Campus Phone Directory

Majordomo

~dlt/aliases

~dlt/*.vbars

password.account

In Production:

• CSUN1 Authentication

• Email

• findalias

• finduser

• Modem Pool

• Wireless Network

• Webmail

Next up:

• Majordomo Authentication

• Vacation Authentication

• Mail Client: Find People

Being Discussed/Planned:

• PeopleSoft Authentication

• A&F NDS tree

Directory Aware Services: Authentication, Authorization, & Information Lookup

Outlook: Find People

Top-Level DIT Layout

O=CSUN
  ou=Authentication
    ou=Users
    ou=Groups
  ou=Library
  ou=ECS

Approaches to Delegate Control

• Mirror
  – Unit copies all authentication objects
  – Unit augments objects with authorization information
• Referral (ldaps://hostname)
  – Unit relies on central infrastructure
  – Authentication and authorization information stored with single user object
• Alias
  – Each Unit user is an authorization object with a referral to authentication object
  – Works in theory!
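The mirror and alias approaches above differ in where the credential actually lives, and that decides what happens when a password changes centrally. The following is an added example, not code from the slides or from CSUN's directory project: an in-memory model of one central authentication server and two unit servers, one holding an alias (a referral to the central object plus local authorization attributes) and one holding a mirrored copy of the credential. The central host name dir.csun.edu and the O=CSUN DIT are taken from the slides; the unit host names, the user, the groups and the passwords are constructed for illustration, and the referral is followed in-process rather than over LDAPS.

```python
"""Added example (not from the TSAG slides): an in-memory model of the
"alias" and "mirror" delegation approaches.  dir.csun.edu and the O=CSUN
DIT come from the slides; every other host, user, group and password is
constructed for illustration."""
import hashlib
import hmac
import os
from urllib.parse import urlsplit


class Directory:
    """Stand-in for one LDAP server: a flat map of DN -> attribute dict."""

    def __init__(self, host):
        self.host, self.entries = host, {}

    def add(self, dn, **attrs):
        self.entries[dn] = attrs

    def get(self, dn):
        return self.entries.get(dn)


FLEET = {}        # host -> Directory; plays the role of DNS plus the LDAP listeners
SALT_LEN = 16


def hash_password(password, salt=None):
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def password_ok(stored, password):
    return hmac.compare_digest(stored, hash_password(password, stored[:SALT_LEN]))


def resolve(host, dn, max_hops=4):
    """Follow 'ref' attributes (LDAP referrals, e.g. ldaps://dir.csun.edu:636/<dn>)
    until a concrete entry is reached.  The hop limit stops a mis-configured
    referral loop from spinning forever."""
    for _ in range(max_hops):
        entry = FLEET[host].get(dn)
        if entry is None or "ref" not in entry:
            return entry
        url = urlsplit(entry["ref"])
        host, dn = url.hostname, url.path.lstrip("/")
    raise RuntimeError("referral chain longer than %d hops" % max_hops)


def bind(host, dn, password):
    """Simple bind against a unit server: find the object that really holds
    the credential (possibly on the central server) and verify the password."""
    entry = resolve(host, dn)
    return entry is not None and password_ok(entry["userPassword"], password)


def authorize(host, dn, password, group):
    """Authenticate, then consult the unit's *own* object for membership:
    the unit decides authorization, whoever holds the hash decides authentication."""
    if not bind(host, dn, password):
        return False
    return group in FLEET[host].get(dn).get("memberOf", [])


CENTRAL_DN = "cn=alice,ou=Users,ou=Authentication,O=CSUN"
ALIAS_DN, ALIAS_HOST = "cn=alice,ou=ECS,O=CSUN", "ecs-ldap.example.edu"       # constructed
MIRROR_DN, MIRROR_HOST = "cn=alice,ou=Library,O=CSUN", "lib-ldap.example.edu"  # constructed
ECS_GROUP = "cn=lab-admins,ou=Groups,ou=ECS,O=CSUN"
LIB_GROUP = "cn=circulation,ou=Groups,ou=Library,O=CSUN"


def build_fleet(password):
    FLEET.clear()
    central = Directory("dir.csun.edu")
    central.add(CENTRAL_DN, userPassword=hash_password(password))
    FLEET[central.host] = central
    # Alias approach: unit object = authorization data + referral to central.
    ecs = Directory(ALIAS_HOST)
    ecs.add(ALIAS_DN, ref="ldaps://dir.csun.edu:636/" + CENTRAL_DN, memberOf=[ECS_GROUP])
    FLEET[ecs.host] = ecs
    # Mirror approach: unit copied the credential at sync time and augmented it.
    lib = Directory(MIRROR_HOST)
    lib.add(MIRROR_DN, userPassword=central.get(CENTRAL_DN)["userPassword"], memberOf=[LIB_GROUP])
    FLEET[lib.host] = lib


def demo():
    """Change the password centrally and see which unit still honours the old one."""
    build_fleet("correct horse")
    before = {
        "alias_old_pw": bind(ALIAS_HOST, ALIAS_DN, "correct horse"),
        "mirror_old_pw": bind(MIRROR_HOST, MIRROR_DN, "correct horse"),
        "alias_group": authorize(ALIAS_HOST, ALIAS_DN, "correct horse", ECS_GROUP),
        "alias_wrong_group": authorize(ALIAS_HOST, ALIAS_DN, "correct horse", LIB_GROUP),
    }
    FLEET["dir.csun.edu"].get(CENTRAL_DN)["userPassword"] = hash_password("new passphrase")
    after = {
        "alias_old_pw": bind(ALIAS_HOST, ALIAS_DN, "correct horse"),
        "alias_new_pw": bind(ALIAS_HOST, ALIAS_DN, "new passphrase"),
        "mirror_old_pw": bind(MIRROR_HOST, MIRROR_DN, "correct horse"),   # stale copy still works
        "mirror_new_pw": bind(MIRROR_HOST, MIRROR_DN, "new passphrase"),
    }
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point the run makes: after the central password change the alias unit rejects the old password immediately, while the mirror unit keeps accepting it until its next sync, which is exactly the window a compromised or retired credential stays usable in. The mirror also multiplies the number of servers holding password hashes, one more reason the slides prefer the central store behind ldaps on port 636.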

Distributed, Replicated Architecture

• eDirectory (edir.csun.edu)
• iPlanet (idir.csun.edu)
• OpenLDAP (odir.csun.edu)
• Active Directory (adir.csun.edu)

http://www.csun.edu/account
dir.csun.edu:636
ldaps.csun.edu:636
ldap.csun.edu:389

(Diagram labels: Encryption Modules; Distribution LDAP Server)

Desktop and Server Security Issues

Goals:
• To educate the campus and the IT staffs on the need for appropriate security controls
• To collaboratively define and implement these controls, which will result in
  – improved security for the campus computing infrastructure
  – reduced work load for the technical staffs
  – increased productivity of the end users
• To ensure that local autonomy/flexibility is retained via the local IT units

Standards Include?

• Administrator Access and Passwords
• Software requirements?
  – Secure Shell
    • http://www.macssh.com
    • http://www.ssh.com
  – Antivirus software
• Shutdown Policy
• Mail Server Standards?
  – Antivirus Filter
  – Authenticated SMTP
  – Directory Aware

Mail Servers

• SMTP Vulnerabilities (2/15)
  – Inbound: 192
  – Outbound: 256x256
• Identified Mail Servers (3/2)
  imap.csun.edu, alpha.ecs.csun.edu, ppm.csun.edu, std-affairs.csun.edu, jacek.csun.edu, admsvcs.csun.edu, jour.csun.edu, sundial.csun.edu, jour1.csun.edu, codes.csun.edu, sauron.csun.edu, ncod.csun.edu, akala.csun.edu, sunspot.csun.edu, galileo.csun.edu, davinci.csun.edu
• SMTP Vulnerabilities (Proposed 3/29)
  – Inbound: 16
  – Outbound: 16+1
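"Authenticated SMTP" in the mail server standards is the control that turns an open relay into a submission service. The following is an added example, not code from the slides or from any CSUN mail server: a small relay-policy state machine that replays SMTP command sequences and returns the reply code each command would get. Only the local domain csun.edu comes from the slides; the account, the client names and the sessions are constructed. The hardened policy accepts RCPT TO for an outside domain only after a successful AUTH, and accepts AUTH only after STARTTLS so the password never crosses the wire in the clear; `open_relay=True` reproduces the pre-hardening behaviour.

```python
"""Added example (not from the TSAG slides): an SMTP relay-policy state
machine contrasting an open relay with the "Authenticated SMTP" standard.
The local domain csun.edu is from the slides; the account, hosts and
sessions below are constructed for illustration."""
import base64

LOCAL_DOMAINS = {"csun.edu"}
ACCOUNTS = {"alice": "s3cret"}          # constructed submission account


def auth_plain_blob(user, password):
    """Encode credentials the way an AUTH PLAIN client sends them (RFC 4616)."""
    return base64.b64encode(("\0%s\0%s" % (user, password)).encode()).decode()


def check_auth_plain(blob):
    """Return the user name on a valid AUTH PLAIN blob, else None."""
    try:
        _, user, password = base64.b64decode(blob).decode().split("\0")
    except ValueError:                     # bad base64, bad UTF-8 or wrong field count
        return None
    return user if ACCOUNTS.get(user) == password else None


def is_local(recipient):
    return recipient.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


def run_session(commands, open_relay=False):
    """Feed SMTP commands to the policy engine; return one reply code per command.

    open_relay=True: any client may hand us mail for any destination.
    Hardened: outside recipients need a prior AUTH; AUTH needs a prior STARTTLS."""
    tls, user, replies = False, None, []
    for line in commands:
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO", "MAIL"):
            replies.append(250)
        elif verb == "STARTTLS":
            tls = True
            replies.append(220)
        elif verb == "AUTH":
            mech, _, blob = arg.partition(" ")
            if not tls:
                replies.append(530)        # "Must issue a STARTTLS command first"
            elif mech.upper() == "PLAIN" and (user := check_auth_plain(blob)):
                replies.append(235)        # authentication succeeded
            else:
                replies.append(535)        # authentication failed
        elif verb == "RCPT":
            recipient = arg.partition(":")[2].strip(" <>")
            if open_relay or is_local(recipient) or user:
                replies.append(250)
            else:
                replies.append(554)        # relay access denied
        elif verb == "QUIT":
            replies.append(221)
        else:
            replies.append(502)            # command not implemented
    return replies


# Constructed sessions: an outside host probing for an open relay, normal
# inbound mail for a local mailbox, and a campus user submitting mail.
SPAMMER = ["EHLO relay-probe.example.net", "MAIL FROM:<bulk@example.net>",
           "RCPT TO:<victim@example.org>", "QUIT"]
INBOUND = ["EHLO mx.example.net", "MAIL FROM:<someone@example.net>",
           "RCPT TO:<staff@csun.edu>", "QUIT"]
USER_NO_TLS = ["EHLO laptop", "AUTH PLAIN " + auth_plain_blob("alice", "s3cret"), "QUIT"]
USER_TLS = ["EHLO laptop", "STARTTLS", "AUTH PLAIN " + auth_plain_blob("alice", "s3cret"),
            "MAIL FROM:<alice@csun.edu>", "RCPT TO:<friend@example.org>", "QUIT"]

if __name__ == "__main__":
    print("spammer, open relay:", run_session(SPAMMER, open_relay=True))
    print("spammer, hardened:  ", run_session(SPAMMER))
    print("inbound to campus:  ", run_session(INBOUND))
    print("user without TLS:   ", run_session(USER_NO_TLS))
    print("user with TLS:      ", run_session(USER_TLS))
```

Inbound delivery to csun.edu mailboxes is unaffected by the change; only third-party relaying is, which is why the slides can propose cutting the reachable SMTP surface without cutting mail.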

Wireless Initiative
http://www.csun.edu/wireless

• Purpose: To provide flexible and secure access to the Internet via portable devices
• Services:
  – Web: http and https
  – Mail: smtp to smtp.csun.edu
  – SSH: to the world
  – Virtual Private Network (VPN) for the future!
• Status:
  – Pilot phase well underway
  – Campus wide test in April
  – Anticipated production services in the fall

Wireless Zones Today

• Sierra Quad
• Oviatt Lawn
• Sequoia Hall
• Engineering
• Exchange
• Business/Education
• Student Services

Wireless Zones in May

• University Hall

• Oviatt Library (4th)

• Sierra Hall

• Jerome Richfield

• Bookstore

• Athletics Fields

And a whole lot more to follow!

http://www.csun.edu/wireless

Announcement List: wireless-l@csun.edu

Will.Trask@csun.edu

Network Access Control

• Reduce the amount of SPAM mail
• Reduce exposure to copyright infringement
• Reduce exposure to DOS attacks
• Increase bandwidth to campus community
• Increase the integrity of inter- and intra-campus network communications
• Increase productivity of all by not dealing with SPAM and other such attacks


Approach

• Paradigms:
  – Allow all, deny exceptions
  – Deny all, allow exceptions
• Attack problem in levels
• First step: Focus on campus/internet boundary
  – Reduce the number of entry points to campus
  – Reduce the number of exit points to campus
• Move towards authenticated and encrypted protocols and applications, e.g., https, ssh

Tasks

• ACLs deployed for several colleges/units and for several protocols (snmp, smtp!)
• Provide information on (date?):
  – Deployed servers on campus
  – Required inbound ports for servers
  – Required outbound ports for servers
• Block all inbound traffic to non-servers (date?)
• Block all unwanted traffic to servers (date?)
• Recommend and then deploy SSH client (date?)

ftp, ssh, http/s, irc/s
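The two paradigms in the Approach slide and the "block all inbound traffic to non-servers" task come down to a first-match ACL and its default action. The following is an added example, not code from the slides or from CSUN's border routers: a small ACL evaluator with both paradigms expressed as rule lists, run over constructed probe flows, plus a count of how many campus hosts an outside probe could still reach on a port, which is what the "SMTP vulnerabilities: inbound" figures on the Mail Servers slide measure. The campus block, host addresses and flows are constructed from RFC 5737 documentation space; only the protocols the slides single out (snmp, smtp, ssh, https) are taken from the page.

```python
"""Added example (not from the TSAG slides): a first-match ACL evaluator that
contrasts "allow all, deny exceptions" with "deny all, allow exceptions".
Addresses and flows are constructed (RFC 5737 documentation space)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


ANY = ipaddress.ip_network("0.0.0.0/0")
CAMPUS = ipaddress.ip_network("192.0.2.0/24")      # constructed campus block
MAIL_SERVERS = ["192.0.2.10", "192.0.2.11"]        # stand-ins for the identified mail servers
SSH_SERVERS = ["192.0.2.20"]                       # constructed


def host(addr):
    return ipaddress.ip_network(addr + "/32")


def matches(rule, flow):
    return ((rule.proto == "any" or rule.proto == flow.proto)
            and ipaddress.ip_address(flow.src) in rule.src
            and ipaddress.ip_address(flow.dst) in rule.dst
            and (rule.dport is None or rule.dport == flow.dport))


def evaluate(acl, default, flow):
    """First matching rule wins; the paradigm lives in the default action."""
    for rule in acl:
        if matches(rule, flow):
            return rule.action
    return default


def allow_all_deny_exceptions():
    """Legacy boundary: everything from the Internet gets in except the few
    protocols that have already caused trouble (here: SNMP)."""
    return [Rule("deny", "udp", ANY, CAMPUS, 161)], "permit"


def deny_all_allow_exceptions():
    """Proposed boundary: only declared servers on their declared ports."""
    acl = [Rule("permit", "tcp", ANY, host(h), 25) for h in MAIL_SERVERS]
    acl += [Rule("permit", "tcp", ANY, host(h), 22) for h in SSH_SERVERS]
    acl += [Rule("permit", "tcp", ANY, CAMPUS, 443)]
    return acl, "deny"


def inbound_exposure(policy, proto, dport, probe_src="203.0.113.5"):
    """Count campus hosts an outside probe could reach on proto/dport."""
    acl, default = policy
    return sum(1 for h in CAMPUS.hosts()
               if evaluate(acl, default, Flow(proto, probe_src, str(h), dport)) == "permit")


FLOWS = {                                            # constructed probe traffic
    "smtp to mail server": Flow("tcp", "203.0.113.5", "192.0.2.10", 25),
    "smtp to desktop":     Flow("tcp", "203.0.113.5", "192.0.2.77", 25),
    "snmp from outside":   Flow("udp", "203.0.113.5", "192.0.2.77", 161),
    "ssh to server":       Flow("tcp", "203.0.113.5", "192.0.2.20", 22),
    "ssh to desktop":      Flow("tcp", "203.0.113.5", "192.0.2.77", 22),
}


def decisions(policy):
    acl, default = policy
    return {name: evaluate(acl, default, flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for label, policy in [("allow all, deny exceptions", allow_all_deny_exceptions()),
                          ("deny all, allow exceptions", deny_all_allow_exceptions())]:
        print(label, decisions(policy), "smtp hosts reachable:", inbound_exposure(policy, "tcp", 25))
```

Under the legacy default every host in the /24 answers an outside SMTP probe, which is how a campus ends up with hundreds of "mail servers"; under the deny-all default the count collapses to the declared ones, and adding a server means adding an exception rather than hunting for the next surprise. The trade-off is the inventory the Tasks slide asks for: a deny-all boundary only works once deployed servers and their required ports are known.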