Library Security Issues
Marshall Breeding
Director for Innovative Technologies and Research
Vanderbilt University
http://staffweb.library.vanderbilt.edu/breeding
Alaska Library Association Annual Conference February 24, 2006
Library Security Issues, Feb 24, 2006
The Threat
Hacking: unauthorized access to servers and workstations on your network
DoS: Denial of service: impedes legitimate access to your services
Worms: self-perpetuating attacks that spread among vulnerable systems
Viruses: Unauthorized program attached to a legitimate program (typically e-mail)
Security threats
Volume of attacks increasing
Sophistication of attacks increasing
Maliciousness of attacks has been far less than what might be possible in the future.
Commercial motivations: find ways to distribute SPAM and deliver hits to Web sites
Tools for creating attacks are becoming easier to use (“script kiddies” abound), but:
  Fewer script kids, more professional code jockeys.
More 0-day scenarios: exploits available before security patches are available.
Consequences
Lost data
Interruption of services
Reveal personal data about library users
General loss of productivity
Staff time for system administrators in recovery
Institutional embarrassment
Library Security Issues
Same concerns as commercial businesses and other organizations—no less of an issue
Protect the privacy of your library users
Protect your library’s services and data
Don’t let library systems become a jumping-off point for hackers to other networks or computers
Libraries are perceived as “an easy mark”
Targets
Servers
  Operating System
  Network services – Web, email, DNS, NFS, etc.
  Applications: ILS, other database applications
Workstations – Less of a distinction today between servers and workstations
Security domains
Server / Workstation
Departmental
Enterprise Level
Develop Multiple Tiers of Security
Server / Workstation: Each individual computer must be well secured
Enterprise – protect the network as a whole
Departmental – enforce additional security measures appropriate to departmental needs
Server & Workstation Security
Protecting systems individually
Server / Workstation
Protect the individual computer
Even if other layers of security protection fail, each computer on the network is well protected.
Operating System Security
Maintain an up-to-date operating system
Take advantage of automatic notification and updating services
Proactively monitor vulnerability reports
Install security-related patches expeditiously
Use personal firewalls
  Part of Windows XP
Operating System Security
Use only what you need
Every network service and application requires attention to security
Install selectively
Check / Verify services and subsystems
Uninstall non-essential services
Application Security
Make sure that your core business applications (i.e., ILS) run securely and enforce strong protection of all data elements.
Keep the application as current as possible
Work with vendors to ensure tight security.
Buffer overflows
Both OS and Applications are subject to attacks through buffer overflows
Causes applications to abort, leaving the user in an unknown state.
Often the unknown state is root-level, or can be used to reach it.
Account Management
Review all delivered accounts – disable, rename, remove as appropriate
Pay special attention to accounts associated with network services and anonymous access
  What account is associated with your Web server? And what are its privileges?
Password Management
Require the use of strong passwords
  Long passwords or pass phrases
  Do not use words in any dictionary, including foreign languages
  Do not use proper nouns
  Do not use keyboard patterns
Enforce frequent password changes
  Be prepared for staff grumbling
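
The strong-password rules on this slide can be checked mechanically. The sketch below is an added example, not part of the original presentation; the word lists are constructed samples, and the 12-character minimum and 4-key run length are assumptions (the slide only says "long" and "keyboard patterns").

```python
# Constructed sample lists; a real check would load full dictionaries
# (including foreign-language ones) and a list of names and places.
DICTIONARY = {"library", "password", "welcome", "bibliothek", "biblioteca"}
PROPER_NOUNS = {"alaska", "vanderbilt", "marshall", "anchorage"}
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 12   # assumed threshold for "long"
RUN_LENGTH = 4    # assumed: 4 or more adjacent keys counts as a pattern


def letters_only(password):
    """Lower-case and drop digits/punctuation, so that 'Library2006!'
    is still recognised as the dictionary word 'library'."""
    return "".join(c for c in password.lower() if c.isalpha())


def has_keyboard_run(password):
    """True if any RUN_LENGTH consecutive characters follow a keyboard
    row, left-to-right or right-to-left."""
    s = password.lower()
    lines = KEYBOARD_ROWS + [row[::-1] for row in KEYBOARD_ROWS]
    return any(s[i:i + RUN_LENGTH] in line
               for i in range(len(s) - RUN_LENGTH + 1)
               for line in lines)


def check_password(password):
    """Return the list of rules the candidate violates (empty = acceptable)."""
    problems = []
    core = letters_only(password)
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if core in DICTIONARY:
        problems.append("dictionary word")
    if core in PROPER_NOUNS:
        problems.append("proper noun")
    if has_keyboard_run(password):
        problems.append("keyboard pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["Library2006!", "qwerty123", "Vanderbilt1",
                      "tin-kettle;orbit 47 marsh"]:
        print(repr(candidate), check_password(candidate) or "OK")
```
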
Password vulnerabilities
Never send a password over the network in the clear.
Ensure that all applications use encryption in their login sequences.
Secure passwords must never be exposed to insecure login systems
Require separate passwords for systems that don’t meet this requirement
Root-level accounts
Must be treated with extraordinary care
At a minimum, enforce the password requirements used for standard accounts
Do not let system administrators use root/Administrator level accounts for routine activities.
Log in as root only when making system changes that require superuser rights
Server / Workstation Firewalls
Personal Firewalls
  Monitor incoming and outgoing network traffic
  Enforces rules for allowed and non-allowed patterns
  Port by port security
  Application-specific rules
Personal Firewall examples
Zone Alarm (http://www.zonelabs.com)
Windows servers
  Windows Firewall from Microsoft
TCP Wrappers
  Unix
Workstation-level virus protection
Scans incoming mail and files for signatures revealing known viruses and worms
Must be active continuously and updated routinely to be effective
Generally considered to be a secondary layer of protection in organizations that implement enterprise-level scanning.
Server considerations
Do not run mail clients on network servers
Avoid introducing security problems on a server through a Web client
  Web browser needed for installation of server software
  Browse only to sites you consider reliable and safe.
Enterprise-Level Security
Protect the network as a whole
Network Firewall
Intelligent router that passes traffic based on pre-established rules
Can block traffic on any given ports
Can block traffic to specific computers within the organization
Packet-by-packet analysis
Denial of Service protection
Most firewalls protect from DoS
Port scanning – outsiders building a network map
Aggressive attacks can flood firewall, effectively creating a DoS
Logging of attacks is helpful, but often needs to stop during an aggressive attack to avoid flooding.
Enterprise Network Security Architecture
Trend toward managing security on the enterprise level
Divides the network into security zones
  Enforced through VLANs
  Internal firewalls
Limit / Eliminate Network Sniffing
Ethernet allows for promiscuous mode for packet viewing
Shared media Ethernet exposes entire segment
Switched Ethernet limits what a packet sniffer can view.
Organizations moving toward switched Ethernet
Firewall Placement
Perimeter control established through primary Internet router
Many internal zones are just as threatening as the Internet
Internal firewalls often established to protect highly sensitive computing systems from the general-purpose network
Virtual Private Networks
Offer end-to-end encryption across insecure security zones
Often works in conjunction with firewalls.
VPN client: communicates with VPN application on a firewall or server to establish a secure channel of communications.
Enterprise Virus protection
Eliminate viruses and other malicious attacks at the perimeter of the network
Move toward centralized mail services
Scanning performed before messages enter the mail delivery system
Example: Trend Micro
Trend toward security appliances that perform spam filtering, virus protection, bandwidth shaping and other security-related features.
Enterprise Virus protection
Much more effective than workstation-level utilities
Uses sophisticated detection systems that can be updated very frequently.
Less reliant on human intervention
Virtually eliminates the possibility of a virus making its way to the workstation
Not fool-proof
Departmental Security
Each department or unit within an organization should assess the security needs appropriate to its role or mission.
Libraries may need zones that offer more open access than the enterprise
May have other specialized concerns with security implications: Public access computing, internet filtering, etc.
Departmental services
What services should be provided by the department and what services should be provided by the enterprise?
Most organizations moving more toward supplying network services at the enterprise level
  Mail, file services, DNS, etc.
Only specialized applications run by departments
  ILS
Many organizations moving away from all departmental computing in favor of the enterprise
The network is as secure as its weakest links
Library-specific issues
Library Security
Libraries need to operate within the security standards of their higher level IT support organizations
Libraries have some security requirements often not well understood by IT
Public-access computing challenging from a security perspective
Public workstation security
Many products and techniques for “securing” public workstations
Deal more with inhibiting tampering than with ensuring networking security
Don’t trust what happens on workstations with anonymous unauthenticated access regardless of the level of anti-tampering control
Segregate public computing from staff computing
[Diagram: Library Network With Public / Staff Separation. Labels: Router, Router / Firewall, Ethernet Switch, Access Point, Public Access Workstations, Library Staff Workstations]
Final thoughts
Good security is expensive and time-consuming
Requires constant attention
Necessary overhead for organizations like libraries that provide network-based services
Shouldn’t stymie the organization
Questions / Discussion
Marshall Breeding
[email protected]
http://staffweb.library.vanderbilt.edu/breeding