Protecting Wintel Infrastructures: The University of Memphis Case
Robert Jackson, University of Memphis
Dr. Mark Frolick, Xavier University
Copyright Mark Frolick and Robert Jackson 2003. This work is the intellectual property of Mark Frolick and Robert Jackson. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.
1
Presentation Content
I. Existing infrastructure
II. Challenges so far
III. Lessons Learned
IV. What does the future hold?
V. Miscellaneous last-minute points
VI. Questions and Comments
2
I. Existing Infrastructure
3
Network
• Open network
– Most computers directly accessible via internet
– Limited firewall protection
– Common port vulnerabilities blocked at University of Memphis border (e.g., ingress filters for NETBIOS and MS-SQL access)
4
Hardware
• Approximately 60 Wintel servers
– Dell servers
– Virtual servers (www.vmware.com)
• Typical configuration
– NT4 / W2K / W2K3 / Novell
– RAID 5
– Redundancy
• Power
• Fans
• Network connections
5
Hardware, continued
• Console for local access to Wintel servers
– Limited access to console
• Physical access
• User privileges
– Accessible via internet (requires additional privileges)
6
Personnel
• Central IT staff
– 3 Wintel System Administrators
– 1 Network Security Specialist
• Local Support Providers (LSPs)
– Approximately 50 personnel
– Various levels of technical expertise
7
Software
• NetBackup
– www.veritas.com
– Enterprise solution
– Currently hosted on Unix servers
– Data backed up to tape library
• Incrementals
• Full
8
Software, continued
• PowerDeploy Suite 2.0
– www.powerquest.com
– Supports Dell RAID controllers
– Procedure
• Operating system installed
• Server configured / secured
• Sysprep
• PowerDeploy used to create image of OS partition
• Image burned to CD for shorter recovery times
• Image restoration tested
• Server made available
9
Software, continued
• Norton Anti-virus Corporate Edition 7.6
– www.norton.com
– Virus definitions updated daily
– Scans performed nightly
– Automatic notification via email of virus activity
10
Software, continued
• Nessus vulnerability scanning
– www.nessus.org
– Nessus server (Linux)
– NessusWx client (Wintel)
– MySQL database (Wintel)
– New vulnerability definitions (“plugins”) downloaded each Friday
– Automatic scans performed each Monday morning
– Manual scans performed as requested
11
Software, continued
• Update Expert by St. Bernard Software
– www.stbernard.com
– Automatic application of selected patches to various servers
– Patches applied in test environment Tuesday
– Notification of intent to patch production occurs on Wednesday
– Patches applied to production servers on Sunday mornings
12
Software, continued
• System monitoring and reporting
– Big Brother
• Email only
• Webpage for overview of all servers
– BindView
• Phone paging
• Email
13
II. Challenges so far
14
Challenges
• Server compromises
• Improve backup/restore process
• Upgrade infrastructure software (e.g., NAV 7.6)
• Guaranteed weekly downtime for Wintel patches
• Communication with internal ITD staff
15
Challenges, continued
• Improve PowerQuest imaging procedure
• Vulnerability scanning
– False positives
– Is there a need for
• historical analysis?
• notification of newly detected vulnerabilities?
• proactive scanning of the campus network?
– Are “safe checks” really safe?
16
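An added example (not from the slides) of the kind of historical analysis the vulnerability-scanning questions above ask about: diff two consecutive Monday scan result sets, drop findings an administrator has recorded as false positives, and build the text of a "newly detected" notification. The record layout (host|port|plugin_id|severity|summary), the plugin ids and all findings are constructed for this example; they are not Nessus' NBE format or the NessusWx MySQL schema.

```python
"""Week-over-week comparison of vulnerability scan findings.

Added example; record layout and data are constructed, not Nessus' own.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "host port plugin_id severity summary")

# Constructed sample findings from two consecutive Monday scans.
LAST_WEEK = """\
10.0.0.5|1433/tcp|plugin-101|High|SQL server reachable from the network
10.0.0.5|139/tcp|plugin-102|Medium|SMB null session permitted
10.0.0.7|80/tcp|plugin-103|Low|Web server version disclosed
"""
THIS_WEEK = """\
10.0.0.5|139/tcp|plugin-102|Medium|SMB null session permitted
10.0.0.7|80/tcp|plugin-103|Low|Web server version disclosed
10.0.0.7|135/tcp|plugin-104|High|RPC endpoint mapper exposed
10.0.0.9|445/tcp|plugin-105|Medium|SMB shares enumerable anonymously
"""
# Findings an administrator has verified as false positives (constructed).
FALSE_POSITIVES = {("10.0.0.7", "plugin-103")}

def parse(text):
    """Parse pipe-delimited findings into a dict keyed by (host, port, plugin)."""
    findings = {}
    for line in text.splitlines():
        if line.strip():
            f = Finding(*line.split("|", 4))
            findings[(f.host, f.port, f.plugin_id)] = f
    return findings

def diff_scans(old_text, new_text, suppress=FALSE_POSITIVES):
    """Return new, resolved and persisting findings, minus suppressed ones."""
    old, new = parse(old_text), parse(new_text)
    def live(key):  # drop findings recorded as false positives for that host
        return (key[0], key[2]) not in suppress
    return {
        "new":        sorted(new[k] for k in new if k not in old and live(k)),
        "resolved":   sorted(old[k] for k in old if k not in new and live(k)),
        "persisting": sorted(new[k] for k in new if k in old and live(k)),
    }

def notification(report, min_severity=("High", "Medium")):
    """Lines worth emailing: only newly detected findings at or above the bar."""
    return ["NEW %s %s %s: %s" % (f.severity, f.host, f.port, f.summary)
            for f in report["new"] if f.severity in min_severity]
```

Running `notification(diff_scans(LAST_WEEK, THIS_WEEK))` yields one line per newly detected High or Medium finding; the resolved list answers "did last week's fix actually work".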
III. Lessons learned
17
Lessons Learned
• Network
– Diverse requirements of research environment
– Difficult to proactively lock-down campus network without “breaking things” (e.g., MSSQL)
18
Lessons Learned, continued
• Hardware
– Try to provide as much redundancy as possible
– Service administrators want full access to hardware
– Involve service administrators when developing access policies for hardware
19
Lessons Learned, continued
• Software
– Encourage participation in the deployment of security technologies
• Update Expert
• Norton Anti-Virus Corporate Edition
• Nessus (Beware of unlimited network scanning!)
20
Lessons Learned, continued
• Policy and procedure changes
– Written security policy
– Procedure for handling compromised servers
– Procedure for implementing new services (e.g., 3-tier model)
• Educating users, including internal IT staff, about security concerns is an on-going process
21
IV. What Does the Future Hold?
22
…The Future…
• Network infrastructure
– Monitoring capabilities (HP Openview?)
– Convert parts of campus to routed network
• Wintel environment
– Backup software (CA backup?)
– Event log analysis capabilities (Aelita’s InTrust)
– Strive to improve existing processes
• Communication and Teamwork
– Continue educating co-workers about advantages of working together to provide server security
23
V. Miscellaneous Last-minute Points
24
• Password strength validation
– L0phtcrack
• Password “auditing” program
• Various methods to obtain and decipher Windows platform passwords
• To avoid privacy issues, always get permission before “auditing” passwords
• 3-tier model (test, pre-production, production)
• Helpful websites
– www.vmware.com
– www.nessus.org
– www.sans.org
– www.symantec.com
25
Questions and Comments?
Robert Jackson
[email protected]
Dr. Mark Frolick
[email protected]
26