Contractor:
DOE Office:
Date of last assessment: October 2000
The Unclassified Computer Security functional area self-assessment is based on, and measured against, performance objectives and standards as reflected in the SLAC contract.
Identification of Self-Assessment Report Staff
Scope of Self-Assessment
Status of Open Items from 2000 Review
The SCS Security Group is fully integrated and represented in all computing matters. In addition, computer security considerations are well represented in the two policy groups, the Computer Coordinating Committee (CCC) and the Associate Directors Committee on Computing (ADCC), by Richard Mount, Director of SLAC Computing Services (SCS), who chairs the former and is an ex-officio member of the latter.
Secure BSD-Network
Additional progress has been made toward completing this project (described in some detail in last year's self-assessment):
Progress Reducing Clear Text Passwords
At the end of FY99, the HEP community had replaced all Telnet connections with Secure Shell (ssh). During FY00, SSRL has been introducing ssh onto most of its servers and has eliminated Telnet to all but two machines. The remaining users of the Telnet protocol have been identified, and SSRL management has accepted the risk as a necessary communications link for their staff. It should be possible to eliminate these Telnet sessions in the future (e.g., by encouraging those staff to establish and use ssh on their home computers).
The largest remaining bastion of clear-text passwords was POP and IMAP e-mail service. A large-scale migration from POP/IMAP servers to Microsoft Exchange and Outlook was completed ahead of the scheduled target date of January 1, 2001. Users desiring to continue using POP or IMAP were required to use the secure version of those protocols to communicate with the Exchange server. At the end of the fiscal year, the remaining ports for unsecured POP and IMAP at SSRL were blocked, completing the conversion to secure email protocols.

In addition, the Meeting Maker group calendaring software, also a source of clear-text passwords, was retired in favor of calendaring functions within Outlook/Exchange.
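The clear-text protocol retirement described above depends on knowing which hosts and users are still speaking Telnet, POP or IMAP. The following Python script is an added example (it is not part of the SLAC report and reflects no SLAC tooling) that builds that inventory from connection records. It assumes a constructed, simplified "source-ip destination-host destination-port" record format; a real firewall or flow log would need its own parser.

```python
"""Inventory of clear-text login protocols still in use, from connection records.

Added example, not part of the SLAC self-assessment. The record format below is
a constructed simplification: one line per connection, "<src-ip> <dst-host> <port>".
"""
from collections import Counter, defaultdict

# Ports of the clear-text protocols the report set out to eliminate, and of the
# encrypted replacements it mentions (ssh, POP/IMAP over TLS).
CLEAR_TEXT_PORTS = {23: "telnet", 110: "pop3", 143: "imap"}
ENCRYPTED_PORTS = {22: "ssh", 995: "pop3s", 993: "imaps"}

# Constructed sample records (hosts and addresses are made up).
SAMPLE_LOG = """\
134.79.1.10 ssrl-srv1 22
134.79.1.11 ssrl-srv1 23
134.79.2.5 ssrl-srv2 23
134.79.1.11 ssrl-srv1 23
134.79.3.7 mailhost 993
134.79.3.8 mailhost 110
134.79.3.9 mailhost 995
"""


def parse_records(text):
    """Yield (src, dst, port) tuples; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        yield parts[0], parts[1], int(parts[2])


def clear_text_inventory(text):
    """Map each destination host to the clear-text protocols still reaching it
    and the source addresses using them: the list to hand to management."""
    inventory = defaultdict(lambda: defaultdict(set))
    for src, dst, port in parse_records(text):
        proto = CLEAR_TEXT_PORTS.get(port)
        if proto:
            inventory[dst][proto].add(src)
    # Plain dicts with sorted source lists give stable, comparable output.
    return {dst: {p: sorted(s) for p, s in protos.items()}
            for dst, protos in inventory.items()}


def protocol_mix(text):
    """Count sessions per protocol so the clear-text vs. encrypted ratio can be
    tracked from one assessment period to the next."""
    counts = Counter()
    for _, _, port in parse_records(text):
        name = CLEAR_TEXT_PORTS.get(port) or ENCRYPTED_PORTS.get(port)
        if name:
            counts[name] += 1
    return dict(counts)


if __name__ == "__main__":
    for host, protos in clear_text_inventory(SAMPLE_LOG).items():
        for proto, sources in protos.items():
            print(f"{host}: {proto} still used by {', '.join(sources)}")
    print(protocol_mix(SAMPLE_LOG))
```

Run against a day of real connection records, the per-host output is the "remaining users" list the report refers to, and the protocol mix is the number to watch fall toward zero as ssh and POP/IMAP over TLS take over.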
Discussion of Individual Performance Objectives
Performance Objective #3:
Information resources are provided protection commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information resources.
Performance Criteria: 3.1
Through a documented unclassified computer security program, SLAC will ensure its information systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability protection.
Discussion
New FY01 Activities
Security Education
Classes for Windows system administrators were held on-site to train people in securing Windows NT4 and Windows 2000 (35 attendees). An additional class was held for web administrators on securing Microsoft's IIS web server; people from SLAC attended an on-site class or one presented at LLNL, depending on their schedule (24 attendees). In all cases, the instructor was Gene Schultz, a highly regarded instructor of many classes given by the SANS Institute.
Anti-Virus Activities
If one needed a subtitle describing FY01, it might very well be "The Year of the IIS Worm." Most organizations worldwide have suffered major infections from worms that proliferated through Microsoft's IIS Web Server. Very fortunately, SLAC has been spared all of this agony. The principal reason for this has been the default blocking of port 80 for all but registered and well maintained web servers. As tools became available, internal networks were scanned for web servers that were vulnerable even though they were not visible from the Internet.

In the case of multi-mode worms like Nimda, incoming e-mail at SLAC is stripped of executable attachments at the gateway before it ever gets delivered to the users. Almost all incoming mail enters SLAC through a single gateway. The gateway software, PMDF, has within it flexible algorithms for scanning and stripping attachment files that either contain executable macros or are themselves executable, and additional scanning is performed at the MS Exchange server. Additionally, real-time anti-virus scanning is performed at user workstations and home directory file servers.

Virus signature updates for the anti-virus product InocuLAN are distributed almost immediately to SLAC workstations by means of the networked distribution servers that are part of the InocuLAN product. According to monthly scans, over 90% of all Windows machines on-site have InocuLAN installed and the virus signature is up-to-date.
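To illustrate the gateway control described above (stripping executable attachments before delivery), here is an added Python example. It is not the PMDF configuration the report refers to and is not SLAC code; it uses the standard-library email package and a hypothetical policy of its own: any MIME part whose filename carries an executable extension, or whose declared type is a Windows executable type, is dropped and the recipient is told what was removed. Scanning Office documents for macros, which the report also mentions, is out of scope here.

```python
"""Strip executable attachments from inbound mail at a gateway.

Added example, not PMDF and not SLAC code. The extension and MIME-type lists
are an assumed, illustrative policy; a production gateway would be driven by
its own policy and would also scan documents for macros.
"""
import email
import os
from email import policy
from email.message import EmailMessage

EXECUTABLE_EXTENSIONS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def is_executable_attachment(part):
    """Judge by filename extension and by declared type; either one is enough,
    so a renamed executable still fails on its declared type and vice versa."""
    filename = part.get_filename() or ""
    ext = os.path.splitext(filename)[1].lower()
    return ext in EXECUTABLE_EXTENSIONS or part.get_content_type() in EXECUTABLE_TYPES


def strip_executables(raw):
    """Return (cleaned_message, names_of_stripped_parts) for one raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    stripped = []
    if not msg.is_multipart():
        return msg, stripped
    for part in msg.iter_attachments():
        if is_executable_attachment(part):
            stripped.append(part.get_filename() or "<unnamed>")
    if not stripped:
        return msg, stripped

    # Rebuild the message: copy the headers that matter, the text body with a
    # notice appended, and only the attachments that passed the policy.
    clean = EmailMessage(policy=policy.default)
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if name in msg:
            clean[name] = msg[name]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    text += "\n[gateway notice: removed executable attachment(s): " + ", ".join(stripped) + "]\n"
    clean.set_content(text)
    for part in msg.iter_attachments():
        if is_executable_attachment(part):
            continue
        content = part.get_content()
        if isinstance(content, bytes):
            clean.add_attachment(content, maintype=part.get_content_maintype(),
                                 subtype=part.get_content_subtype(),
                                 filename=part.get_filename())
        else:  # text parts come back as str and take no maintype
            clean.add_attachment(content, subtype=part.get_content_subtype(),
                                 filename=part.get_filename())
    return clean, stripped


def build_sample():
    """Constructed sample message: a text body, a harmless .txt note and a
    .exe attachment whose bytes are a dummy marker, not a real program."""
    m = EmailMessage(policy=policy.default)
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = "readme"
    m.set_content("Please see the attached files.")
    m.add_attachment(b"MZ-dummy-not-a-real-binary", maintype="application",
                     subtype="octet-stream", filename="readme.exe")
    m.add_attachment("just text", subtype="plain", filename="notes.txt")
    return m.as_string()


if __name__ == "__main__":
    cleaned, removed = strip_executables(build_sample())
    print("removed:", removed)
    print("kept:", [p.get_filename() for p in cleaned.iter_attachments()])
```

Rebuilding the message rather than editing the parsed tree in place keeps the output well-formed regardless of how the original was nested; the trade-off is that headers not on the copy list are dropped, so a real gateway would copy the full header set.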
SPAM
SLAC continues to be aggressive in suppressing SPAM when there are complaints from the user community. We do this, once again at the mail gateway, by blocking incoming e-mail from ranges of offending IP addresses (e.g., blocking traffic from all IP addresses in the range 24.28.42.*). At the present we have blocked more than 5900 such ranges. There are over 220 additions each month, and removal of approximately two per month when requested by a SLAC user in order to receive e-mail from someone off-site.

The SLAC community enthusiastically supports this program and complains loudly when new "spammers" discover the Laboratory. The only downside is the on-going staff effort that must be expended in maintaining the lists of blocked ranges.
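The range-blocking described above comes down to two operations: translating the dotted wildcard notation (24.28.42.*) into address ranges, and looking up each sender against several thousand of them. The following Python class is an added example, not SLAC's gateway configuration; it assumes wildcards are trailing octets (one wildcard octet is a /24, two a /16, and so on) and that a removal request names the exact range that was added.

```python
"""Gateway blocklist of sender IP ranges in dotted-wildcard form.

Added example, not SLAC's PMDF configuration. Assumes wildcard octets are
trailing and that removals name the exact range originally added; the
blocking_range() lookup tells an administrator which range that is.
"""
import ipaddress


def wildcard_to_network(spec):
    """'24.28.42.*' -> IPv4Network('24.28.42.0/24'); CIDR input passes through."""
    if "*" not in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad range spec: {spec}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        fixed.append(octet)
    # Everything after the first wildcard must also be a wildcard.
    if any(octet != "*" for octet in octets[len(fixed):]):
        raise ValueError(f"wildcards must be trailing: {spec}")
    prefix = 8 * len(fixed)
    addr = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{addr}/{prefix}")


class GatewayBlocklist:
    """Blocked sender ranges with the reason each was added."""

    def __init__(self):
        self._networks = {}  # IPv4Network -> reason string

    def add(self, spec, reason=""):
        net = wildcard_to_network(spec)
        self._networks[net] = reason
        return net

    def remove(self, spec):
        """Drop a range, e.g. when a user needs mail from a site inside it.
        Returns False if that exact range was not on the list."""
        net = wildcard_to_network(spec)
        return self._networks.pop(net, None) is not None

    def blocking_range(self, ip):
        """Return the range that blocks this sender, or None if it is allowed."""
        addr = ipaddress.ip_address(ip)
        for net in self._networks:
            if addr in net:
                return net
        return None

    def is_blocked(self, ip):
        return self.blocking_range(ip) is not None

    def __len__(self):
        return len(self._networks)


if __name__ == "__main__":
    # Constructed sample entries; the first uses the range quoted in the report.
    bl = GatewayBlocklist()
    bl.add("24.28.42.*", "user complaint")
    bl.add("10.*.*.*", "constructed example range")
    for sender in ("24.28.42.17", "24.28.43.17", "10.200.1.1"):
        print(sender, "blocked by", bl.blocking_range(sender))
```

With thousands of ranges, a linear scan per message is acceptable at gateway rates, but the same class could keep the networks in a sorted structure keyed on network address if lookup cost ever mattered. Recording the reason alongside each range is what makes the monthly removal requests the report mentions tractable.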
Management of Linux desktops
The SCS Unix Systems Group completed and deployed software to standardize the management of Linux systems. This software is used extensively on all central Linux servers and is strongly encouraged for Linux desktops. Penetration of this technology for the desktop systems has not been high as yet (in the 20-25% range) but is expected to improve significantly when the BaBar experiment moves their supported Linux release from Red Hat 6.2 to Red Hat 7.2.
Status of FY01 Goals:
1. Integrate handling of computer accounts for Staff, Collaborators, and contractor/consultants so that they may be properly terminated upon departure from SLAC. Automation of this process for currently departing staff has been completed. Accounts are tracked in a central database (RES). Upon termination or end of association with SLAC work, email is sent to potentially concerned parties (terminating person, supervisor, computer czars, etc.), notifying them that the account will be deleted in 30 days unless steps are taken to transfer data or change account ownership. At the end of the period, the accounts are closed.
2. Complete implementation of BSD Secure Network. As noted above, significant progress has been made; final implementation of the firewall awaits commissioning of PeopleSoft 7.5 Financials for production use, since WTS implementation is not possible for earlier versions of Financials.
Improvement Action Plan/Goals
Goals for FY02:
The Laboratory's true performance with regard to Unclassified Computer Security is perhaps best measured by the things that did NOT happen during FY01:

The Laboratory in general has had an outstanding year of accomplishments in the area of computer security.
For questions or comments, please contact Ziba Mahdavi. Last updated 10/24/00