From CIT Wiki
Network Security
Security continues to become an increasingly important issue with computers. Whereas virus creators were originally motivated only by a desire to cause mischief, increasingly they are after sensitive data that they can sell for a profit. In light of this environment, taking steps to protect your computer is essential.
Is Your Computer Infected?
This April Fools' Day the Conficker (or Downadup) virus is in the news. Want to check to see if your computer is infected with Conficker? Check out our Conficker Eye Chart...
Passwords and Your ObieID
Since May 2006, we have been converging Oberlin accounts and passwords into one more-memorable ObieID. Instead of separate passwords for Stulocker, ObieMail, Blackboard, and so forth, your ObieID will become the "master key" to most Oberlin resources. With such convenience, however, comes some insecurity.
We've had occasional incidents where offensive or threatening email messages have been sent from ObieMail, by persons who had been given or guessed someone else's password. Some of those incidents had legal implications! Even your lowly email account password needs to be protected.
- Don't share your ObieID password with anyone else.
- Don't use a password that can be easily guessed.
- Don't write your password on a sticky note or on your computer!
- Don't use your ObieID password on random web sites...
Think of the things someone could learn about you by reading all your saved email... perhaps not all of that stuff should be posted on the bulletin board down the hall, should it? And as your ObieID can be used to access your Blackboard account, or your ResEd room preferences, the sorts of things someone could do with your password could have embarrassing consequences, or worse.
We are obligated to help you keep that account information secure. Generally speaking, longer passwords are harder to guess or crack than shorter ones, as are more complex ones. Hence the Password Policy, which requires that your ObieID password:
- Not be one of your 3 most recently used passwords
- Contain at least 6 characters
- Not contain a word found in the dictionary or a proper name
- Contain at least one letter AND one number
- Not contain blank spaces or runs of characters (e.g. 123, abc, qwerty)
- Not contain your name, initials, or username
We also recommend that your password contain special characters, like !^%$[>~.
All these features make it that much harder for someone to crack or guess your password. We can't enforce a "guessability" policy, but we strongly suggest you avoid basing passwords on your family members' names, the name of your pet, your birthdate, or other items your friends might be able to guess about you.
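The Password Policy rules listed above can be checked mechanically. The following Python sketch is an added example, not CIT's own enforcement code: the function names, the tiny constructed word list, and the sample user "Jane Doe" / "jdoe" are assumptions for illustration, and a real system would load a full dictionary and compare password history as salted hashes rather than plaintext.

```python
import re

# Constructed stand-in for a real dictionary / proper-name list (assumption).
SAMPLE_WORDS = {"password", "oberlin", "college", "chestnut", "welcome", "summer"}
# Sequences whose 3-character slices count as "runs" (123, abc, qwerty).
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_run(pw, length=3):
    """True if pw contains `length` consecutive characters of any sequence,
    forwards or backwards (e.g. 123, cba, qwe)."""
    low = pw.lower()
    for i in range(len(low) - length + 1):
        chunk = low[i:i + length]
        if any(chunk in s or chunk in s[::-1] for s in SEQUENCES):
            return True
    return False


def check_password(pw, username, full_name, recent=()):
    """Return the list of policy violations; an empty list means pw passes.
    `recent` is the password history, oldest first (plaintext only for
    illustration)."""
    low = pw.lower()
    problems = []
    if pw in list(recent)[-3:]:
        problems.append("reused: one of the 3 most recent passwords")
    if len(pw) < 6:
        problems.append("too short: fewer than 6 characters")
    if any(word in low for word in SAMPLE_WORDS):
        problems.append("contains a dictionary word or proper name")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        problems.append("needs at least one letter and one number")
    if re.search(r"\s", pw):
        problems.append("contains blank space")
    if has_run(pw):
        problems.append("contains a run of characters")
    parts = [p.lower() for p in full_name.split()]
    initials = "".join(p[0] for p in parts)
    personal = parts + [username.lower()] + ([initials] if len(initials) > 1 else [])
    if any(p in low for p in personal):
        problems.append("contains name, initials, or username")
    return problems
```

Returning every violation at once, rather than stopping at the first, lets a password-change form tell the user everything to fix in one pass.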
It's far easier to remember strong passwords if they are based not on pass"words" but on passphrases, using "Under the spreading chestnut tree," as a mnemonic device for "Ut5ct," for instance. (I know that's too short, but it's only an example). These passwords can be quite easy to remember, while looking quite obscure and unguessable at first glance. If you want to be even more difficult, you could use the last letter of each word in the phrase, instead of the first ;-)
We're not trying to make your password impossible to remember, just difficult to guess. Think about it: Anyone in the world could be right now trying to crack your email password, using the webmail interface. Our firewall logs record millions of attempts to make secure connections with College servers using dictionary and more clever password-guessing attacks.
In addition, we have greater access to College systems on campus, providing services to faculty, staff, and students alike. Again, this degree of openness means that the password remains in some cases the only protection for those user credentials, whereas companies are free to restrict access more securely, and hold tighter relationships with every individual who might be able to even attempt to log in. Here, our systems are open and available from any of the campus buildings, public labs, or even to folks connected wirelessly while sitting in Tappan Square!
Here are a few references for your consideration, which recommend more stringent requirements than we have chosen to implement, particularly the frequency of password changes (ours last 122 days, or change three times a year). The purpose of changing passwords, and requiring unique passwords, is to break any illicit access that had been gained to an account during the password interval. We have had occasion to rely on that feature in the past.
- SANS GIAC recommends regular password changes (item #6). (SANS is the most trusted and by far the largest source for information security training and certification in the world.)
- "Password Memorability and Security: Empirical Results," IEEE Security and Privacy, Volume 2, Issue 5 (September 2004), pages 25-31, ISSN 1540-7993.
- The National Institute of Standards and Technology has a paper on "Electronic Authentication Guidelines" that includes, in Appendix A, an attempt to provide some empirical guidelines for password entropy, and a framework in which to trade off password length, rules, and the number of password guesses an attacker can attempt.
Industry surveys show that our password policies are consistent with the majority of institutions and agencies, albeit a little on the generous side; more often the requirement is to change passwords monthly.
Impulse Point Safe•Connect Network Access Control
In 2003, two rather effective viruses were released in August, exploiting then-recently discovered vulnerabilities in the Windows operating system. Both these viruses spread by searching the network for unpatched systems and taking advantage of the vulnerability to infect all the Windows systems they could find. This process happened so fast that, as quickly as students (and staff) moved in and connected to our network, their systems became infected and started searching for more victims. So much traffic was generated on the network that normal operations came to a grinding halt.
The only rather crudely effective measure we could take was to disable the Resnet portion of the network (and some sections of campus, too), and have folks haul their systems into the Computing Center in Mudd's A-Level for hands-on inspection and remediation. We thank you all for having been so understanding and cooperative, even you Linux and Macintosh users who argued rightly that your system wasn't implicated in the problem in the first place!
To keep from having to go through that process again, we installed a network scanning, access control, and remediation appliance known as Impulse Point Safe•Connect. Read on for details on the NAC system and what impact it has on connecting your computer to the Oberlin College network.
Firewalls
Firewalls are devices, either in hardware or software, that provide protection by preventing some traffic from reaching your computer. The College network has built-in firewalls that act as a front line to stop some nefarious traffic from reaching your computer. Nonetheless, it is recommended that you enable the firewall that came with either Windows XP or Mac OS X.
Windows XP Firewall
The Windows XP firewall should be enabled by default if Service Pack 2 is installed on your computer. To check the status of the firewall go to Start then Control Panel and double click Security Center.
If this says the firewall is on, then it (or another firewall) is enabled. If it says the firewall is not on you can click Windows Firewall under Manage Security Settings. Then click the circle next to On.
Mac OS X Firewall
To enable the firewall in Mac OS X, go to the Apple menu in the upper left-hand corner, go into System Preferences, then Sharing. Click the Firewall tab (the middle of the three) and click the "Start" button, which enables the firewall.
Viruses
In computer security, a computer virus is a self-replicating computer program that spreads by inserting copies of itself into other executable code or documents. Viruses are one of the several types of malicious software or malware. In common parlance, the term virus is often extended to refer to other similar nefarious programs such as worms, trojan horses and other sorts of malware.
(portions of this section were taken from Wikipedia and are covered under the GNU Free Documentation License)
Malware
Malware ("malicious software") includes all computer software designed to infiltrate or damage a computer without the computer owner's consent. While this can include viruses, it generally refers to spyware and adware. Spyware is malicious software intended to send information from the computer it infects to the creator of the spyware program (i.e., the program is spying on you). Adware is software that generates pop-up ads when you are browsing the Internet. The creator then receives a payment for each of the ads that people click on. The much larger market share of Microsoft Windows has meant that malware disproportionately affects Windows computers rather than those running other operating systems.
Several pieces of free software exist to clean malware off of computers. Microsoft has released a beta version of an antispyware tool called Windows Defender, which is freely available at http://www.microsoft.com/athome/security/spyware/software/default.mspx. Two other prominent applications are Ad-Aware and Spybot. Spybot is available as a free download at http://www.safer-networking.org/en/index.html. Ad-Aware is available at http://www.lavasoftusa.com/software/adaware/.
Running a Server?
Oberlin College enjoys a rather open approach to computing resources on campus. While most college servers and systems are centrally located in CIT's protected facility, many departments continue to operate their own servers for special purposes, and many scientific instruments incorporate computer systems for control and data acquisition. We encourage departmental system administrators to keep on top of system updates and application security issues for the protection of their documents and data, and for the health and operation of the campus network.
Securing your server is a multi-layered project, beginning with the steps you can follow on the server itself. Elsewhere we present a detailed discussion on securing servers, with tools and benchmark documents, but here we outline what CIT also can do to protect your system.
In the fall of 2006 we installed firewall devices separating the several segments of our network, as well as at the edge to protect us from unknowns on the Internet. (This works both ways: as Joel Rosenblatt of Columbia University puts it, "Our firewall protects the Internet from our users...") We are able to provide different levels of access to on-campus servers, such as permitting students in the residence halls to upload files to a server while off-campus viewers can only read web pages on the same server. To provide enhanced access from off-campus to authorized users, we prefer you take advantage of our Virtual Private Network service to come into our network by the private entrance while permitting the firewalls to guard the gates.
This means that if you are considering running a server in your department, you will need to coordinate several things with us before setting up the server for the first time. Best would be to contact the CIT Help Desk to begin the process. We're going to need the following information:
- The name and purpose of your server. We ask this...
  - to better understand your requirements
  - to suggest alternatives that may already exist
  - to help determine useful names and locations for the server
- The server's Ethernet address, if known. We need this to create...
  - an IP address assignment
  - the filter to bypass network authentication, NAC
- A desired hostname or identifier for the service
- A comprehensive list of TCP/IP ports required by the server
We will consult with you to assign an IP address for the server, help get it set for networking if necessary, and create a hostname so your visitors may find it, such as "citwiki.oberlin.edu" or "timara.csr.oberlin.edu." We'll also perform some network diagnostics against the server to help us determine the proper settings in our campus and Internet firewalls for the proper operation of your server.
We are not here to prevent you from getting your message to the world! But we are here to ensure your services are offered in a safe and secure manner. We will work with you to make that happen as smoothly and swiftly as possible.

