Unclassified Computer Security

Introduction/Background

Date of last assessment: October 2000

Departmental Overview

Laboratory Mission

The Stanford Linear Accelerator Center (SLAC) is dedicated to experimental and theoretical research in elementary particle physics and in those fields that make use of its synchrotron radiation facilities, including biology, chemistry, geology, material science and electrical engineering. This includes the development of new techniques in 1) particle acceleration and detection and 2) synchrotron radiation sources and associated instrumentation. The center is operated as a national user facility for the Department of Energy by Stanford University. 

Organizational Mission

The Unclassified Computer Security function is responsible for coordinating and promoting programs within the Laboratory to assure that information resources  provide protection commensurate with the risk and magnitude of harm that could result from loss, misuse, or unauthorized access or from modification of such information resources and to assure that systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability protection.

The Unclassified Computer Security functional area self-assessment is based on, and measured against, performance objectives and standards as reflected in the SLAC contract.

 Identification of Self-Assessment Report Staff

Names, titles, affiliations of participants

Bob Cowles, Computer Security Officer, SLAC

Richard Mount, Director, SLAC Computing Services (SCS)

Scope of Self-Assessment

Status of Open Items from 2000 Review

The SCS Security Group is fully integrated and represented in all computing matters.  In addition, computer security considerations are well represented in the two policy groups, the Computer Coordinating Committee (CCC) and the Associate Directors Committee on Computing (ADCC), by Richard Mount, Director of SLAC Computing Services (SCS) who chairs the former and is an ex-officio member of the latter.

Secure BSD-Network

Additional progress has been made toward completing this project (described in some detail in last year’s self-assessment): 

• PeopleSoft HR and Financials applications  now run exclusively from the Citrix Windows Terminal Server environment (the BSD Extremely Private Network or BSD-EPN) via fully encrypted ICA sessions.
• The BSD firewall around the PeopleSoft Database has been activated with a handful of exceptions.  The exceptions will be dealt with on a case-by-case basis.

Progress Reducing Clear Text Passwords 

At the end of FY99, the HEP community had replaced all Telnet connections with Secure Shell (ssh).  During FY00, SSRL has been introducing ssh onto most of its servers and has eliminated Telnet to all but two machines.  The remaining users of the Telnet protocol have been identified, and SSRL management has accepted the risk as a necessary communications link for their staff.  It should be possible to eliminate these Telnet sessions in the future (i.e., encouraging those staff to establish and use ssh at their home computers). 

The largest remaining bastion of clear-text passwords was POP and IMAP e-mail service.  A large-scale migration from POP/IMAP servers to Microsoft Exchange and Outlook was completed ahead of the scheduled target date of January 1, 2001.  Users desiring to continue using POP or IMAP were required to use the secure version of those protocols to communicate with the Exchange server.  At the end of the fiscal year, the remaining ports for unsecured POP and IMAP at SSRL were blocked, completing the conversion to secure email protocols.  In addition, the Meeting Maker group calendaring software, also a source of clear-text passwords, was retired in favor of calendaring functions within Outlook/Exchange. 

Discussion of Individual Performance Objectives 

Performance Objective # 3: Information resources are provided protection commensurate with the risk and magnitude of harm that could result from the loss, misuse, or unauthorized access to or modification of such information resources. 

Performance Criteria: 3.1 

Through a documented unclassified computer security program, SLAC will ensure its information systems and applications operate effectively and provide appropriate confidentiality, integrity, and availability protection. 

Discussion

New FY01 Activities

Security Education 

Classes for Windows system administrators were held on-site to train people in securing Windows NT4 and Windows 2000 (35 attendees).  An additional class was held for web administrators on securing Microsoft’s IIS web server; people from SLAC attended an on-site class or one presented at LLNL, depending on their schedule (24 attendees).  In all cases, the instructor was Gene Schultz, a highly regarded instructor of many classes given by the SANS Institute. 

Anti-Virus Activities 

If one needed a subtitle describing FY01, it might very well be “The Year of the IIS Worm.”  Most organizations worldwide have suffered major infections from worms that proliferated through Microsoft’s IIS Web Server.  Very fortunately, SLAC has been spared all of this agony.  The principal reason for this has been the default blocking of port 80 for all but registered and well maintained web servers.  As tools became available, internal networks were scanned for web servers that were vulnerable even though they were not visible from the Internet.  In the case of multi-mode worms like nimdA, incoming e-mail at SLAC is stripped of executable attachments at the gateway before it ever gets delivered to the users.  Almost all incoming mail enters SLAC through a single gateway.  The gateway software, PMDF, has within it flexible algorithms for scanning and stripping attachment files that either contain executable macros or are themselves executable and additional scanning is performed at the MS Exchange server.  Additionally, real-time anti-virus scanning is performed at user workstations and home directory file servers.   

The anti-virus product InocuLAN virus signature updates, are distributed almost immediately to SLAC workstations by means of the networked distribution servers that are part of the InocuLAN product.  According to monthly scans, over 90% of all Windows machines on-site have InocuLAN installed and the virus signature is up-to-date. 

SPAM 

SLAC continues to be aggressive in suppressing SPAM when there are complaints from the user community.  We do this, once again at the mail gateway, by blocking incoming e-mail from ranges of offending IP addresses (i.e., blocking traffic from all IP addresses in the range 24.28.42.*).  At the present we have blocked more than 5900 such ranges.  There are over 220 additions each month, and removal of approximately two per month when requested by a SLAC user in order to receive e-mail from someone off-site.   

The SLAC community enthusiastically supports this program and complains loudly when new “spammers” discover the Laboratory.  The only downside is the on-going staff effort that must be expended in maintaining the lists of blocked ranges. 

Management of Linux desktops 

The SCS Unix Systems Group completed and deployed software to standardize the management of Linux systems.  This software is used extensively on all central Linux servers and is strongly encouraged for Linux desktops.  Penetration of this technology for the desktop systems has not been high as yet (in thye 20-25% range) but is expected to improve significantly when the BaBar experiment moves their supported Linux release from Red Hat 6.2 to Red Hat 7.2. 

Status of FY01 Goals:

1.      Integrate handling of computer accounts for Staff, Collaborators, and contractor/consultants so that they may be properly terminated upon departure from SLAC.  Automation of this process for currently departing staff has been completed.  Accounts are tracked in a central database (RES).  Upon termination or end of association with SLAC work, email is sent to potentially concerned parties (terminating person, supervisor, computer czars, etc.),  notifying them that the account will be deleted in 30 days unless steps are taken to transfer data or change account ownership.  At the end of the period, the accounts are closed.

2.      Complete implementation of BSD Secure Network.  As noted above, significant progress has been made; final implementation of the firewall awaits commissioning of PeopleSoft 7.5 Financials for production use since WTS implementation is not possible for earlier versions of Financials. 

 Improvement Action Plan/Goals

Goals for FY02:

1. Continue an appropriate computer security education program for SLAC.
2. Automate account clean-up procedures for departed users (prior to establishment of automated procedures).
3. Develop appropriate Performance Measures for the Peer Review era of Laboratory Review.

The Laboratory’s true performance with regard to Unclassified Computer Security is perhaps best measured by the things that did NOT happen during FY01:

• There were no detected break-ins.
• In the worst year ever for viruses and worms, there were no significant infestations at SLAC.
• There were no known denial-of-service attacks (probably a reflection of good system administration and intrusion detection efforts).

The Laboratory in general has had an outstanding year of accomplishments in the area of computer security.

SLAC | BIS  |BSD

For Questions or comments, Please contact Ziba Mahdavi, Last Updated 10/24/00