Transcript OSTEER Network Security

Security: Great
Expectations
Clifford Collins
Manager, Network Security
Services
Network Security Services
 Focused on higher education in Ohio
 Driven by feedback from OSTEER
 Supplements existing services
 Fee-based
 Two additional staff expected before the end
of summer
 Full support of OARnet’s management
Initial service offering
 Site security audit
– On-site investigation of infrastructure
– Inventory of critical services
– Internet scan for vulnerabilities
– Intranet scan for vulnerabilities
– Telephone scan for modem vulnerabilities
– Analysis of results
– Presentation and report of findings
Why a network security audit?
 You can’t manage a service you aren’t
measuring -- would you manage your
personal finances without a bank statement?
 You can better justify the expenditure of
funds to fix problems when you have facts
to support your assertions
 It’s where the corporate world starts!
The deliverables: presentation
and final report
 1-hour presentation at an executive level
 Written executive summary
 Technical assessment with
recommendations for remediation and
projected costs and time estimates
 CD-ROM copy of all documents in
password-protected Acrobat files
Technical report content
Interesting ports on foo.bar.edu (10.0.0.2):
Port
21/tcp
23/tcp
80/tcp
513/tcp
State
open
open
open
open
Service
ftp
telnet
http
login
TCP Sequence Prediction:
Class=random positive increments
Difficulty=49978 (Worthy challenge)
Remote operating system guess:
FreeBSD 2.2.1 - 4.0
Technical report content (cont.)
Interesting ports on re.bar.edu (10.0.0.3):
Port
135/tcp
139/tcp
1030/tcp
State
open
open
open
Service
loc-srv
netbios-ssn
iad1
TCP Sequence Prediction:
Class=trivial time dependency
Difficulty=8 (Trivial joke)
Remote operating system guess:
Windows NT4 / Win95 / Win98
Technical report content (cont.)
IP Address
10.1.1.225
DNS Name
oracle:oracle
Vulnerability
High
Name
Rexec
Additional Info
port 7
Severity
default account accessible
Description:
An accessible default account was detected through
rexec. Default accounts allow attackers easy access to
remote systems.
Fix:
Disable the Rexec account or change the password to
something difficult to guess.
Technical report content (cont.)
Unix: Disable login access to this Unix account if it is not needed.
To remove login access for a Unix account, follow these steps:
1. Edit the /etc/passwd file.
2. Locate the account.
3. Place an * (asterisk) in the password field.
4. Place the string /bin/false in the shell field. An example of the
/etc/passwd entry for a disabled guest account should resemble
the following:
guest:*:2311:50:Guest User:/home/guest:/bin/false
5. Save and exit the file.
Technical report content (cont.)
Windows: Change the password on this account to something
difficult to guess, or disable login access to this Windows account.
To change a password on a Windows account, follow these steps:
1. Open User Manager. From the Windows NT Start menu, select
Programs, Administrative Tools (Common), User Manager.
2. Double-click the account to display the User Properties dialog box.
3. In the Password field, type the new password.
4. In the Confirm Password field, confirm the new password.
5. Click OK.
--OR--
Technical report content (cont.)
Windows continued:
To disable login access to a Windows account, follow these steps:
1. Open User Manager. From the Windows NT Start menu, select
Programs, Administrative Tools (Common), User Manager.
2. Double-click the account to display the User Properties dialog box.
3. To disable the account, select the Account Disabled check box.
4. Click OK.
How much will this cost?
 Guidance from last October’s meeting
 Principally driven by size of address space
 Must cover the cost to support a central
infrastructure and some staff
 Can be reduced by committing to periodic
audits to amortize licensing costs
Future expectations
 Security education and training
 Security resources web site
 Certificate Authority and PKI
 Incident response support
 Site licensing of security software
 Broaden firewall offering
Questions?