Update and Discussions on Technology Initiatives TSAG Meeting 4/11/02.

Post on 22-Dec-2015


Announcements:

Webmail caching problems: Log out of webmail and close the web browser

Webmail Sorting Criteria:

Limiting SMTP Vulnerabilities (4/15/02 4/20/02)

Unification of Majordomo, Vacation, and Campus Account (5/6/02)

DNS Naming and cleanup (coming!)

Topics for Today

  Wireless Network Update (Will Trask)
  Active-Directory Testing Update (Ed Stark)
  Network Access Control
  Desktop and Server Standards
  Supported OS (Tim Boyle)
  Required Software
  Desktop Security “Best Practices” (Caleb Fahey)

Goal for Network Access Control

  Reduce the amount of SPAM mail
  Reduce exposure to copyright infringement
  Reduce exposure to DOS attacks
  Increase bandwidth to campus community
  Increase the integrity of inter- and intra-campus network communications
  Increase productivity of all by not dealing with SPAM and other such attacks

To address the LARGE number of current system vulnerabilities!

Approach to Network Security

Steps to Improve Security:
  Security Assessment
  Education (and immediate remedies)
  Policy Generation

Network Policies:
  Today: Anyone at any time from any location can physically connect any server to the Network.
  Future?

Paradigms:
  Allow all, deny exceptions
  Deny all, allow exceptions

Current Snapshot

Internet Services housed at CSUN:
  AFS and NFS: 13 + 71
  Kerberos: 41
  Jet Direct: 586
  pcanywhere: 19
  Flexlm: 744
  netbios-ssn: 2279
  loc-srv: 2069
  svrloc: 433
  ldap: 82
  ldaps: 636
  http/s (601+114 + 343(MGMT) 80 (proxy)): 557
  ftp: 648
  telnet: 793
  ssh: 221

Number of Servers: 2703
Number of Ports: 17094
Number of Ports < 1024: 13527


Activities to Address Vulnerabilities:

  Attack problem in levels
  First step: Focus on campus/internet boundary
    Reduce the number of entry points to campus
    Reduce the number of exit points to campus
  Move towards authenticated and encrypted protocols and applications, e.g., https, ssh
  Focus on prominent vulnerabilities, e.g., mail protocols:
    smtp (142 => ~16)
    pop2, pop3, imap2 (155)

Tasks and Next Steps?

ACLs deployed for several colleges/units and for several protocols (snmp, smtp!)

Provide information on:
  Deployed servers on campus
  Required inbound ports for servers
  Required outbound ports for servers

Block all inbound traffic to non-servers (date?)

Block all unwanted traffic to servers (date?)

Recommend and then deploy SSH client (date?)

Desktop and Server Standards

Goals:
  To educate the campus and the IT staffs on the needs for appropriate security controls
  To collaboratively define and implement these controls, which will result in
    improved security for the campus computing infrastructure
    reduced work load for the technical staffs
    increased productivity of the end users
  To ensure that local autonomy/flexibility is retained via the local IT units

Standards Should Include

  Operating Systems (Tim Boyle)
  Administrator Access and Passwords
  Software requirements?
    Secure Shell
      http://www.macssh.com
      http://www.ssh.com
    Antivirus software
  Mail Server Standards?
    Antivirus Filter
    Authenticated SMTP and IMAP
    Directory Aware
  Shutdown Policy (ITR Internal Draft)

ITR’s Top Five Practices for NT Administration

1. Eliminate well-known accounts: administrator, guest, ...

2. Only administrators should have administrator privileges

3. Provide a separate and unique administration account for each administrator

Naming convention should be a_<username>

4. All desktops must require login passwords and must enable screen savers

5. Default login name on login prompt should be blank
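
An audit of the five practices above over one machine's account list, as an added example that is not part of the original slides. The inventory format, the approved-administrator set and all sample values are constructed assumptions.

```python
import re

WELL_KNOWN = {"administrator", "guest"}   # the two names the slide lists
ADMIN_NAME = re.compile(r"^a_(.+)$")      # practice 3: a_<username>

def audit(accounts, approved_admins, desktop):
    """Return (practice_number, message) findings for one machine.
    All three argument formats are assumptions made for this example."""
    findings, covered = [], set()
    for acct in accounts:
        name = acct["name"].lower()
        if name in WELL_KNOWN:
            findings.append((1, f"well-known account present: {name}"))
        if not acct["admin"]:
            continue
        m = ADMIN_NAME.match(name)
        if not m:
            findings.append((3, f"privileged account not named a_<username>: {name}"))
        elif m.group(1) not in approved_admins:
            findings.append((2, f"privileges held by a non-administrator: {name}"))
        else:
            covered.add(m.group(1))
    for user in sorted(approved_admins - covered):
        findings.append((3, f"no separate admin account for {user}"))
    if not desktop["password_required"]:
        findings.append((4, "login password not required"))
    if not desktop["screensaver"]:
        findings.append((4, "screen saver not enabled"))
    if desktop["default_login"]:
        findings.append((5, f"login prompt pre-filled with {desktop['default_login']!r}"))
    return findings

# Constructed sample inventory (not real accounts).
SAMPLE_ACCOUNTS = [
    {"name": "Administrator", "admin": True},
    {"name": "Guest", "admin": False},
    {"name": "a_jdoe", "admin": True},
    {"name": "jdoe", "admin": False},
    {"name": "msmith", "admin": True},    # daily-use account with privileges
    {"name": "a_temp", "admin": True},    # "temp" is not an approved administrator
]
SAMPLE_ADMINS = {"jdoe", "msmith"}
SAMPLE_DESKTOP = {"password_required": True, "screensaver": False, "default_login": "jdoe"}

if __name__ == "__main__":
    for practice, message in audit(SAMPLE_ACCOUNTS, SAMPLE_ADMINS, SAMPLE_DESKTOP):
        print(f"practice {practice}: {message}")
```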