PowerPoint Format

Secure ServicesSecure ServicesA user support perspectiveA user support perspective

Frank J. RedaFrank J. RedaDirector, Distributed Computing SupportDirector, Distributed Computing Support

Rutgers University Computing Services – New Rutgers University Computing Services – New BrunswickBrunswick

March 27, 2003March 27, 2003Secure Services – A user support perspectiveSecure Services – A user support perspective

AgendaAgenda

Description of secure servicesDescription of secure services RUCS-NB implementationRUCS-NB implementation Recommended clientsRecommended clients Impact on our end usersImpact on our end users


What are secure services?What are secure services?

We’ll start by looking at “insecure” We’ll start by looking at “insecure” services, concentrating on two services, concentrating on two specific aspects:specific aspects:

• PasswordsPasswords• Encryption of dataEncryption of data



The network as we know it today was The network as we know it today was built around services that offered built around services that offered little or no default security:little or no default security:• TelnetTelnet• FTP (file transfer protocol)FTP (file transfer protocol)• EmailEmail• Web browsersWeb browsers



In many cases, passwords were required In many cases, passwords were required to access services over the network.to access services over the network.

With no default encryption of passwords, With no default encryption of passwords, compromise was always a risk.compromise was always a risk.

Once an intruder had your password, they Once an intruder had your password, they had access to all of the services that had access to all of the services that accepted that password.accepted that password.


Why are secure services important?Why are secure services important?

Most online systems incorporate some Most online systems incorporate some kind of password based access. If kind of password based access. If passwords are easily compromised, passwords are easily compromised, systems may be easily compromised.systems may be easily compromised.

Most people assume their password is Most people assume their password is secure when it is transmitted across the secure when it is transmitted across the network, not realizing that it is possible for network, not realizing that it is possible for others to gain access to it.others to gain access to it.



Rutgers is moving in the direction of using Rutgers is moving in the direction of using NetID (username/password) as the main NetID (username/password) as the main source for authentication to university source for authentication to university applications.applications.

If you use your NetID to access insecure If you use your NetID to access insecure services, and thus risk compromising your services, and thus risk compromising your password, you may also be compromising password, you may also be compromising the integrity of other University systems.the integrity of other University systems.



Certain government Certain government regulationsregulations require require the security of sensitive data. the security of sensitive data. Unencrypted data traveling over a network Unencrypted data traveling over a network can be snooped. As snooping gets easier, can be snooped. As snooping gets easier, this becomes a bigger issue.this becomes a bigger issue.

In some cases, inadequate protection and In some cases, inadequate protection and custodial care of data may lead to legal custodial care of data may lead to legal action.action.



The level of technical savvy is increasing. There The level of technical savvy is increasing. There are sources on the web that teach you how to are sources on the web that teach you how to snoop. snoop.

Access to “snooping” tools is increasing.Access to “snooping” tools is increasing.

Previously, snooping involved getting physical Previously, snooping involved getting physical access to a network connection. With wireless access to a network connection. With wireless networking, you can snoop a network without networking, you can snoop a network without getting anywhere near the physical network getting anywhere near the physical network components.components.


Exploits Associated with Weak SecurityExploits Associated with Weak Security

Password exploits expose systems to intrusion Password exploits expose systems to intrusion that appears to be from valid users.that appears to be from valid users.

Intrusion involves unauthorized access to the Intrusion involves unauthorized access to the network or the data traveling on the network. network or the data traveling on the network.

Programs exist to capture data streams, and Programs exist to capture data streams, and reconstruct communications.reconstruct communications.

The services we’re implementing seek to The services we’re implementing seek to minimize these risks.minimize these risks.


What will the secure services What will the secure services implementation accomplish?implementation accomplish?

Encryption of passwordsEncryption of passwords Encrypted data channelsEncrypted data channels The The potentialpotential for stronger password for stronger password

securitysecurity Minimize risks associatedMinimize risks associated

with intrusion / snoopingwith intrusion / snooping

Post-It©

Username: redaPassword: hockeypuck


RUCS – NB ImplementationRUCS – NB Implementation

Secure services, in the RUCS-NB context, refers to Secure services, in the RUCS-NB context, refers to a set of services that will be available solely via a set of services that will be available solely via encrypted channels.encrypted channels.

The implementation calls for decommissioning of The implementation calls for decommissioning of “insecure” communications channels.“insecure” communications channels.

The implementation of secure services The implementation of secure services concentrates on:concentrates on:• Telnet clientsTelnet clients• FTP clients (FTP clients (and web authoring tools using FTPand web authoring tools using FTP))• Email clientsEmail clients• X clientsX clients



As of July 1, 2003, the Rutgers New Brunswick As of July 1, 2003, the Rutgers New Brunswick campus will begin turning off access to selected campus will begin turning off access to selected insecure versions of these services.insecure versions of these services.

By August 15, 2003, all access to telnet, FTP and By August 15, 2003, all access to telnet, FTP and email on RUCS systems in New Brunswick will email on RUCS systems in New Brunswick will require secure communications capabilities.require secure communications capabilities.

The discontinuation of “insecure” services is The discontinuation of “insecure” services is being done over 6 weeks to minimize the support being done over 6 weeks to minimize the support impact.impact.



As of March 1, 2003, RUCS-NB began a campaign As of March 1, 2003, RUCS-NB began a campaign to communicate with and educate the end user to communicate with and educate the end user population regarding the upcoming changes.population regarding the upcoming changes.

Response to the announcements has been Response to the announcements has been minimalminimal• Maybe no one is listening?Maybe no one is listening?• Maybe they don’t understand the impact?Maybe they don’t understand the impact?• Maybe they’re waiting for things to break?Maybe they’re waiting for things to break?



In February, RUCS-NB announced the changes to In February, RUCS-NB announced the changes to Apple, PC and Unix administrator groupsApple, PC and Unix administrator groups

Unit Computing Specialists were also notified of Unit Computing Specialists were also notified of the likely implications of the upcoming changesthe likely implications of the upcoming changes

Reaction from the technical staff was mostly Reaction from the technical staff was mostly positivepositive


Implications for End UsersImplications for End Users

Effective August 15, 2003 insecure versions of the Effective August 15, 2003 insecure versions of the following tools will no longer work:following tools will no longer work:• Telnet Telnet • FTPFTP• EmailEmail

Current clients will probably not workCurrent clients will probably not work

Reconfiguration of existing clients may be Reconfiguration of existing clients may be necessarynecessary

Acquisition and installation of new software may Acquisition and installation of new software may be necessarybe necessary


Implications for End UsersImplications for End Users

Old comfortable tools may not work any Old comfortable tools may not work any moremore

Things will look differentThings will look different

Procedures may be slightly differentProcedures may be slightly different


Implications for UCS’sImplications for UCS’s

UCS’s received advance notification of the UCS’s received advance notification of the changeschanges

Proactive UCS’s should see minimal impact when Proactive UCS’s should see minimal impact when “insecure” services are turned off“insecure” services are turned off

Peripheral systems (those not directly supported Peripheral systems (those not directly supported by UCS’s) may not be kept up to dateby UCS’s) may not be kept up to date

Support call volume should rise/fall at an inverse Support call volume should rise/fall at an inverse rate to the effort expended in anticipation of the rate to the effort expended in anticipation of the transition processtransition process


So, what changes?So, what changes?


Recommended Clients – WindowsRecommended Clients – Windows

SSH ClientsSSH Clients• SSH Corp. SSH Corp. $L$L• PuttyPutty

FTP ClientsFTP Clients• SSH Corp. (text / graphical)SSH Corp. (text / graphical)• PuttyPutty• WinSCP (graphical)WinSCP (graphical)

EmailEmail• Microsoft Outlook 2000 – XP Microsoft Outlook 2000 – XP $$$$• Microsoft Outlook ExpressMicrosoft Outlook Express• Netscape Communicator 4.7 & upNetscape Communicator 4.7 & up• (Very) Limited support for Eudora / Pegasus Mail(Very) Limited support for Eudora / Pegasus Mail


Recommended Clients – MacintoshRecommended Clients – Macintosh

SSHSSH• Mac SSH (OS 8, 9)Mac SSH (OS 8, 9)• Terminal (OS X)Terminal (OS X)

FTPFTP• Fugu (OS X)Fugu (OS X)• SFTP (OS X)SFTP (OS X)• SCP (OS X)SCP (OS X)• Terminal (OS X)Terminal (OS X)• Mac SFTP (OS 8, 9, X) Mac SFTP (OS 8, 9, X) $$$$

EmailEmail• Entourage (OS 8, 9, X) Entourage (OS 8, 9, X) $$$$• Netscape Communicator 4.7 (OS 8, 9)Netscape Communicator 4.7 (OS 8, 9)• Netscape Communicator 7 (OS X)Netscape Communicator 7 (OS X)• Mail App (OS X)Mail App (OS X)


Recommended Clients – LinuxRecommended Clients – Linux

Open SSHOpen SSH SFTP and SCPSFTP and SCP Netscape CommunicatorNetscape Communicator


Recommended Procedures – X11Recommended Procedures – X11

Procedures on SSH X11 forwarding are Procedures on SSH X11 forwarding are available on our Secure Services website.available on our Secure Services website.


Web EditorsWeb Editors

Some web editors use FTP to publish web pages:Some web editors use FTP to publish web pages:• Netscape ComposerNetscape Composer• Macromedia DreamweaverMacromedia Dreamweaver• Microsoft FrontPageMicrosoft FrontPage• Adobe GoLive!Adobe GoLive!

These applications do not currently support These applications do not currently support secure FTP mechanismssecure FTP mechanisms


Web EditorsWeb Editors

There are products that allow users to mount There are products that allow users to mount (what look like) local drives/folders using secure (what look like) local drives/folders using secure FTP mechanisms.FTP mechanisms.

We recommend:We recommend:• WebDrive (WebDrive ($L$L) for Windows users) for Windows users• Interarchy (Interarchy ($$$$) for Macintosh users) for Macintosh users

Using these products, developers can publish to Using these products, developers can publish to local designations of FTP directories.local designations of FTP directories.


DocumentationDocumentation

RUCS-NB has authored web pages to announce RUCS-NB has authored web pages to announce the service changes and to make available the service changes and to make available necessary clients.necessary clients.

RUCS-NB has authored how-to documentation to RUCS-NB has authored how-to documentation to guide users through the process of transitioning guide users through the process of transitioning client software to secure services. client software to secure services.


DocumentationDocumentation

All updated documentation related to this effort is All updated documentation related to this effort is available at:available at:• http://www.nbcs.rutgers.edu/secure-services.php3http://www.nbcs.rutgers.edu/secure-services.php3

Sample documentation and recent versions of the Sample documentation and recent versions of the client software is available on the CD we’ll be client software is available on the CD we’ll be handing out.handing out.

Additional supporting documentation is available Additional supporting documentation is available at:at:• http://mssg.rutgers.edu/software/http://mssg.rutgers.edu/software/


Secure Services CDSecure Services CD

Please notePlease note that the CD contains software that the CD contains software licensed to Rutgers University. licensed to Rutgers University.

If you are attending from outside the If you are attending from outside the University, you are welcome to view the University, you are welcome to view the CD, but we kindly ask that you do not CD, but we kindly ask that you do not install the licensed software.install the licensed software.


TrainingTraining

The main thrust of our training effort was in the The main thrust of our training effort was in the documentation areadocumentation area• UCS’s were notified of the coming changes and directed UCS’s were notified of the coming changes and directed

to the documentation for guidanceto the documentation for guidance• Documentation was written for end usersDocumentation was written for end users

The tools themselves don’t change, just the The tools themselves don’t change, just the settings.settings.

Help Desk staff have been apprised of necessary Help Desk staff have been apprised of necessary information related to the transition and will information related to the transition and will guide users through the documentation, guide users through the documentation, escalating unresolved issues to senior staffescalating unresolved issues to senior staff


Communication PlansCommunication Plans

Targeted email communicationsTargeted email communications• March 1March 1• April 1April 1• May 1May 1• June 2June 2

Announcement on top level University web pages Announcement on top level University web pages in Junein June

Paper mailingsPaper mailings


SummarySummary

RUCS-NB is moving to secure services to reduce RUCS-NB is moving to secure services to reduce the risk of password compromise and increase the risk of password compromise and increase data security.data security.

Such a move represents a significant event for Such a move represents a significant event for users.users.

Documenting necessary changes to user Documenting necessary changes to user applications is no small taskapplications is no small task


SummarySummary

Communication regarding the change is critical to Communication regarding the change is critical to successsuccess• Enlist the assistance of “allies”Enlist the assistance of “allies”• Communicate to the massesCommunicate to the masses

Train your support staffTrain your support staff• In your organizationIn your organization• In affected areasIn affected areas


QuestionsQuestions??

Date post:	20-Jun-2015
Category:	Documents
Upload:	sammy17
View:	170 times
Download:	1 times

PowerPoint Format

Documents