"Security concerns in medium-sized academic institution. An implementation at the University of Las Palmas de G.C."
Antonio Ocon-Carreras
Manuel Galan-Moreno
Mario Marrero-Ruiz
and Enrique Rubio-Royo
CICEI - Univ. of Las Palmas de G.C. - SPAIN

Abstract

With the widespread use of Information Technologies in universities, it has become of the utmost importance to guarantee the integrity and fair use of Information Resources. The security concerns of an academic institution are not the same as those of an ISP or a commercial enterprise. The popularity of the Internet, giving easy access to millions of people, has produced an exponential increase in the number of security incidents in our University. Those considerations led us to the initial deployment of a Security Plan, which is based upon the identification of security-sensitive points and the development of adequate standard responses to security breach scenarios. Finally, the deployment of a full-fledged firewall policy is under consideration, but faces the special characteristics of an academic institution, in which the use and availability of resources is based on the "mostly open" paradigm.

1.- Introduction: Problem description and significant issues

The word "security" has become something of a commonplace. It has been so widely used and abused that we feel uncomfortable when faced with the need to define it again. In our opinion, a security policy refers to "the rational organization of resources and their policies of use to set up an adequate balance between easy access for legitimate users and the protection of resources and data from malicious or unauthorized users". In plain words, "simplify use and hinder misuse and abuse".

It seems clear that, given its purpose and social dynamics, an academic institution such as the University of Las Palmas de Gran Canaria is quite different from commercial enterprises or other institutions regarding the use, deployment and functionality of its corporate network and Internet connectivity.

We firmly believe that the aim of the university should be "to facilitate the creation, spread and sharing of knowledge", and this foundational principle brings as a consequence that, regarding Information Technologies (IT), it should "promote, develop and facilitate the use of IT resources not only within the institution but also within national, supranational and international academic and R&D communities". From this point of view, restrictions on the use of IT resources must be carefully analyzed and evaluated in order to minimize their impact on the normal use of such resources. On the other hand, it seems evident that when sophisticated resources and equipment are handled by students, whose skills are not fully developed, some "casualties" are bound to happen. A 1995 study [1] estimates that over 50% of all security incidents actually result from user accidents. However, these "casualties" must not be seen as an undesired situation, but as the normal evolution of the learning process.

Considering that the university is also a "focal point" of culture, science and knowledge within the community that supports it, it also seems clear that the "osmosis" between university and community must be as strong as possible. In this way, the former will be able to give back the investment made by the latter.

Among the several issues that make up the difference between academic institutions and other kinds of organizations (both public and private), we can emphasize the following three, which make the design of security policies especially difficult for the former:

Decentralization: Decision-making regarding IT within public academic institutions (at least in our country) is usually decentralized among several, sometimes competing, entities, i.e. management, department heads, high-level technical staff, etc. Unless some kind of "Information Czar" position (like the recently appearing "Chief Information Officer", CIO) has been established, setting up global IT security policies will require reaching a global agreement among them.

Students and "Cracking for Dummies": The biggest part of the user base of IT resources within a university is the students. As previously said, students are prone to cause security incidents because of their lack of skills. They can be malicious, though, not only for the reward they can get (marks, tests, etc.) but for the sake of the "excitement" of cracking university systems. This is aggravated by the fact that nowadays it is very easy to find compilations of "cracking utilities" that allow even the least skilled user to compromise the security of servers through known security holes. (However, our experience to date indicates that the damage caused by this attitude is normally not as serious as it might seem.)

Amateur system administrators: Another important issue arises from the special characteristics of many members of faculty, staff and even grant holders, who are placed in the position of administering one or several servers with no further knowledge than having formerly been an advanced user of the system.

Servers as "Jumping Platforms": The former issue, combined with the openness and availability of university servers (which are up and running 24 hours a day, 7 days a week, with permanent connections to the Internet), means that they often become a "jumping platform" for crackers and other malicious users who do not have permanent Internet connections.

2.- Problem posing: ULPnet, deployment and facilities

The University of Las Palmas de Gran Canaria is a medium-sized public university (by Spanish standards) that provides academic services to about 20,000 students with a faculty of about 1,400 members and a staff of 800 people. It is located around the city of Las Palmas de Gran Canaria (pop. 400,000) on the island of Gran Canaria, one of the Canary Islands.

In accordance with its Information Technologies Plan, our University has deployed in recent years an ATM (Asynchronous Transfer Mode) infrastructure for the corporate university network, ULPnet, allowing the interconnection of 23 buildings spread over 3 campuses. The campuses are several kilometers apart, linked externally via mono-mode fiber provided by Telefonica (Spanish PTT), and use multi-mode fiber inside. The ULPnet ATM backbone provides the global connections between several Ethernet LAN switches (about 50), giving more than 3,000 dedicated Ethernet connections logically arranged into several "virtual LANs" (about 20) by means of LANE (LAN Emulation) services distributed across the 12 ATM backbone switches. Every ATM link runs at 155 Mbps, with some trunks migrating to 640 Mbps in the near future. Several central servers are directly connected to the ATM switches (at 155 Mbps) or via Fast Ethernet (100 Mbps). Internet connectivity is provided by the Spanish Academic and R&D Network, RedIRIS, with a bandwidth of 4 Mbps, and by another smaller link to the commercial Spanish Internet (via Telefonica) mainly used for SOHO (Small Office/Home Office) connectivity [2].

The use of virtual LANs under ATM gives us the possibility of arranging the logical network structure according to functional considerations, instead of being forced into an arrangement based upon geographical distribution. This technology provides feature-rich physical connectivity that can be the basis for many Ethernet-emulated LANs, each of them free of some of the conventional Ethernet constraints (e.g. distance between nodes, number of nodes in a segment, etc.). In short: "Any user on Any network, Anywhere".

Once a flat LAN topology had been built over LAN Emulation and ATM, practical considerations led us to segment this big LAN into smaller "C class" emulated IP-IPX networks, to avoid excessive broadcasts. That segmentation provides the 20 VLANs noted above, which can be arranged into four "functional classes", as explained further on.

The LAN Emulation mechanism has intrinsic security advantages, such as the "non-promiscuous" mode of operation, which avoids the possibility of listening to ("sniffing") packets addressed to other destinations. Besides, the hardware deployed allows us to implement "blocking and assignment by MAC address" to avoid "equipment tampering and address counterfeiting". To take advantage of all these capabilities, a special Web-based network management application has been developed by the local staff [3].

Nowadays, there seems to be a rising popularity in placing the task of security advice on the shoulders of external consulting firms. However, following the recommendations given by [4], it appeared much more sensible to develop an "internal team" to take care of security concerns within the institution.

The University of Las Palmas de Gran Canaria (ULPGC) corporate network has evolved from two separate networks: the first for academic and R&D uses, based upon the IP, IPX and DECnet protocols, and the second for administrative and management uses, based upon the SNA protocols suitable for the IBM mainframes. The result is the current ULPnet described above, in which the IP protocol is taking on a bigger role.

This unification of IT resources has brought with it the need to settle a global Security Policy, whose definition is being developed by an "ad hoc" committee composed of people coming from both environments. The resulting "Security Plan for the ULPnet" is not a closed policy, but a set of recommendations that try to adapt themselves to the changing environment and the growing threats and security requirements. Also, initial work has been done to set up an electronic environment for secure data transmission and signature authentication for administrative and academic documentation and certification, as shown in [5]. In the following paragraphs the security policy recommendations issued by this committee will be explained in further detail.

3.- Security Recommendations

The following recommendations, produced by the "Security Committee" of the ULPGC, can be arranged in several categories according to the concerns they address, which range from the proper configuration and maintenance of the smallest PC to actions that pertain to the global ULPnet definition, structure and interaction with the Internet.

A.- Computer Level

Despite the classical distinction between servers and workstations, current trends emphasize the client/server paradigm, in which the roles can be dynamically interchanged or even shared. We will therefore organize the recommendations at this level according to the operating system that the computer runs. Setting aside operating systems that are in sharp decline in our University (VMS, IBM proprietary and Novell NOS), we will consider two big families: Microsoft Windows (in its several incarnations) and UNIX-like operating systems (led by Linux).
 
A.1.- Viruses and the like

Microsoft operating systems are prone to attack by almost every kind of computer virus and similar programs. This issue has been addressed by the acquisition of a corporate license for a well-known Spanish-produced antivirus software (Panda), which has shown itself to be the best and most effective alternative after the evaluation of several other products.

Unix-like operating systems were traditionally immune to virus attacks. However, the growing popularity of Linux, combined with the wide availability of its source code, means that we are now seeing the birth of virus-like programs. On this issue we would like to mention the infamous "bliss" program, which behaved like a standard virus and infected Linux machines. The best defense against this kind of attack is a normal security policy for the "root" user, who should by all means avoid running dubious binaries. Further on, we will describe several other utilities to check the integrity of this kind of system.

A.2.- Upgrading and Maintenance

Upgrading is a semi-automatic task in Microsoft operating systems. Our University has signed a corporate agreement with Microsoft Corp. which permits deployment, installation and easy access to upgrades of their products. This task is accomplished by CD-ROM distribution and anonymous FTP services. The maintenance of PC Lab installations involves the replication of pre-configured standard disk images. This is done by means of specially designed utility applications.

The upgrading and maintenance of Linux operating systems has been dramatically simplified by the widespread use of Red Hat distributions (characterized by the concept of "software packages" and their installer, the Red Hat Package Manager, RPM) combined with the commitment of redhat.com to provide easily installed updates that are produced to address any kind of security hazard and are available through their FTP servers. This can be combined with a small utility (autorpm) which automatically upgrades the system according to the guidelines set by the system manager in a configuration file. Another utility (check_packages) checks the integrity of the system and warns each time a "sensitive file" is modified in any way.

B.- Network Application and Service Level

Here we will consider the recommendations concerning interoperation, resource sharing and service provision by computers through network facilities, not including those related to specific network relationships, which will be explained later.

B.1.- Authentication Services

Despite the non-promiscuous nature of the underlying ATM infrastructure, it seems sensible that the transmission of authentication information (login names and passwords) be encrypted to minimize the risk of compromising this highly sensitive information. This is accomplished by enforcing the use of encrypting protocols for the authentication and authorization of users, especially for extranet accesses. We have adopted the standard and well-known SSL (Secure Sockets Layer) and SSH (Secure Shell) protocols, which can be combined with the flexibility provided by Linux PAM (Pluggable Authentication Modules).

B.2.- Standard User Applications (e-mail, ftp, www, etc.)

These classes of applications are of the utmost importance. We can say that a sensible security policy for electronic mail retrieval and sending is one of the key points of any corporate security policy. Traditionally, network services like sendmail, telnet, ftp, POP, IMAP, etc. (especially from an extranet point of view) have been a security nightmare for systems administrators. The trend right now is to provide as many of these services as possible via HTTP/SSL, thus minimizing the risks derived from the unencrypted transmission of authentication information and, at the same time, providing a "ubiquitous client" (the web browser) to the end user.

Monitoring of the proper use of all these network services can be easily achieved by using the "logwatch" tool on Linux, which provides comprehensive mail reports of the significant events of the daily server activity.

C.- Internal Network Level

The global security policy for the internal network includes a classification according to user criteria (Faculty, Staff and Students, both undergraduates and postgraduates) and functional criteria (Research, Academia, Global Information Services and Administration/Management). Because user authentication alone offers relatively little security, it will be necessary to implement additional security checks based on workstation access for highly sensitive services. Besides, technical reasons raise two issues: a) the functional criterion is associated with the server on which the application is located and b) servers (and clients too) have to be placed in a particular VLAN. Hence, user and password authentication alone will be enough to be granted access to the less sensitive services, while more sensitive services will need additional checks based on the physical location (which will be checked by the IP address of the workstation, which depends on the VLAN in which it has been previously placed). This controlled workstation-to-server (i.e. VLAN-to-VLAN) interaction mechanism will be implemented at the central router level, by setting adequate access lists.

At this time, we have already implemented this scheme for administration and core networking services, and in the near future we hope to apply the model to other services and, at the same time, to implement a sensible encapsulation policy (IP secure tunneling) to override and complement the security model.
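The two-level check described in this section, as an added example (not code from the paper or from ULPnet): access-list entries are derived from a service catalogue and evaluated first-match, then combined with the login result. The VLAN names, addresses and services are constructed assumptions.

```python
import ipaddress

# Constructed sample data: one /24 ("C class") network per VLAN.
# Names and addresses are assumptions for illustration only.
VLANS = {
    "admin":    ipaddress.ip_network("10.0.1.0/24"),
    "research": ipaddress.ip_network("10.0.2.0/24"),
    "academia": ipaddress.ip_network("10.0.3.0/24"),
    "pc-lab":   ipaddress.ip_network("10.0.4.0/24"),
}

# Hypothetical services: (server address, TCP port, VLANs allowed to connect).
# allowed=None marks a less sensitive service: a valid password is enough.
SERVICES = {
    "webmail": ("10.0.3.10", 443, None),
    "grades":  ("10.0.3.20", 443, {"admin", "academia"}),
    "payroll": ("10.0.1.10", 443, {"admin"}),
}

ANY = ipaddress.ip_network("0.0.0.0/0")


def build_access_list():
    """Derive ordered router entries: (action, source net, server, port)."""
    acl = []
    for server, port, allowed in SERVICES.values():
        if allowed is None:
            continue  # no network-level restriction for this service
        for vlan in sorted(allowed):
            acl.append(("permit", VLANS[vlan], server, port))
        # An explicit deny closes the service to every other VLAN.
        acl.append(("deny", ANY, server, port))
    return acl


def router_permits(acl, src_ip, server, port):
    """First matching entry wins; services without entries are not filtered."""
    src = ipaddress.ip_address(src_ip)
    for action, net, acl_server, acl_port in acl:
        if (acl_server, acl_port) == (server, port) and src in net:
            return action == "permit"
    return True


def access_granted(service, src_ip, password_ok):
    """Both layers: the router check on the source VLAN, then the login."""
    server, port, _ = SERVICES[service]
    if not router_permits(build_access_list(), src_ip, server, port):
        return False
    return password_ok


if __name__ == "__main__":
    for entry in build_access_list():
        print(entry)
    print(access_granted("payroll", "10.0.4.25", True))  # PC-lab workstation
```

The source-address test is only as trustworthy as the binding of a workstation to its VLAN, which is what the MAC-based blocking and assignment mentioned earlier is for.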

D.- External Network Level

In accordance with all that has been previously stated, the security committee proposed the following measures regarding external accesses (besides the obvious monitoring and accounting on routers and servers):

D.1.- Client filtering by IP/Port and selective filtering of servers

According to [6], "The most important step is to disable any service that is not used or needed. Since any TCP/IP port can be a security concern, the removal of any unused service can reduce the amount of information that is leaked, and also eliminates the port daemon service the application protocol as a possible vector for an attack". In our University, we take these words into account by using "selective filtering", which has two aspects: a) clients are the only ones that can initiate connections to the outside; and b) servers can be reached from the outside only on specific ports, according to the service they are providing. These two aspects have been implemented by means of an "inventory of servers" and the enumeration of the services that they provide.

D.2.- Systemic Analysis and Scanning of Servers

Within the security policy, one important step is to check out the vulnerability of our servers to external attacks. According to [7] "The same tools that can be used to break into a system can be used to root out problems so that holes can be plugged and deficiencies mended. By showing what intruders can do to gain access to a remote site, a system administrator can make informed decisions on how to best secure their site".
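The selective filtering of D.1 and the server checks of the "Systemic Analysis and Scanning of Servers" section can both be driven from the same inventory. The sketch below is an added example, not the University's implementation: it decides on new connections at the border and reports where a scan of one's own servers disagrees with the inventory. All addresses, ports and the scan result are constructed, and it assumes the reading that client workstations accept no inbound connections.

```python
import ipaddress

# Constructed sample data (documentation address ranges, not ULPnet's).
CAMPUS = ipaddress.ip_network("192.0.2.0/24")

# The "inventory of servers": address -> TCP ports of the services offered.
INVENTORY = {
    "192.0.2.10": {25, 80},    # mail and web
    "192.0.2.11": {22, 443},   # SSH and HTTPS
}


def inside(addr):
    return ipaddress.ip_address(addr) in CAMPUS


def border_decision(src, dst, dst_port):
    """Decide on a NEW connection crossing the campus border."""
    if inside(src) and not inside(dst):
        # Aspect (a): connections are opened from the campus outwards.
        return "permit"
    if not inside(src) and inside(dst):
        # Aspect (b): inbound only to inventoried servers, on declared ports.
        # A client workstation has no inventory entry, so it is unreachable.
        if dst_port in INVENTORY.get(dst, set()):
            return "permit"
        return "deny"
    return "not-border-traffic"


def inventory_drift(observed):
    """Compare listening ports found by scanning our own servers with the
    inventory; each finding is either a service to disable or an entry to fix."""
    findings = []
    for host in sorted(observed, key=ipaddress.ip_address):
        ports = observed[host]
        declared = INVENTORY.get(host)
        if declared is None:
            findings.append((host, "not in inventory", sorted(ports)))
            continue
        if ports - declared:
            findings.append((host, "undeclared service", sorted(ports - declared)))
        if declared - ports:
            findings.append((host, "declared but closed", sorted(declared - ports)))
    return findings


# Constructed scan result: listening TCP ports per campus host.
SCAN = {
    "192.0.2.10": {23, 25, 80},
    "192.0.2.11": {22},
    "192.0.2.57": {21},
}

if __name__ == "__main__":
    for finding in inventory_drift(SCAN):
        print(finding)
```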

D.3.- Dialup access control

This access is granted to the members of the University through an authentication server, which is based on Livingston RADIUS. For all practical purposes, the dynamic IP addresses assigned to the calling workstations belong to a PC-Lab VLAN.

4.- Conclusions

From our experience in all these issues, there is something that we have learnt: security policies are based on people, and must cover the following aspects: a) continuous training and information for system administrators as well as for end users; b) global acceptance of and commitment to the security policies, which have to be perceived as sensible and feasible, and must not impose an excessive burden on the shoulders of the final user. The criterion of ease of use should prevail over any other consideration, as long as the level of threat does not increase excessively.

In the current situation, and considering the trade-offs between usability and security, the implementation of a full-fledged standard firewall does not seem a feasible alternative for the whole University network, although it can be a very good solution to protect especially sensitive environments (e.g. inner administration).

5.- References

[1].- Power, Richard, "Current and Future Danger: A CSI Primer on Computer Crime and Information Warfare", San Francisco, CA, Computer Security Institute. (1995).

[2].- Rubio-Royo, E. et al. "An Integration of services (voice, data, video and security) in the ULPnet network of the University of Las Palmas de Gran Canaria". EUNIS'98. Congress on European Co-operation in Higher Education Information Systems. Prague (1998).

[3].- Ocon, A. et al. "GESTnet: Entorno de gestión de red basado en WWW para la ULPnet".

[4].- Anonymous. "The Dark Side of White Hat Hacking: Being "Owned" By White Hat Hackers". (1999).

[5].- Galan-Moreno, M. et al. "Secure Data Transmission and Electronic Signature of Documentation in a medium-size academic institution. Deployment and implementation within the University of Las Palmas". EUNIS'99. Congress on European Co-operation in Higher Education Information Systems. Helsinki (1999).

[6].- Farmer, Dan and Venema, Wietse, "Improve the Security of Your Site by Breaking Into it". (1994).

[7].- Hesprich, David G., "SATAN-ism: Computer Security Probes Over the Internet – Shrink Wrapped for Your Safety?", (1996).