1998 ASR Home

Back

SCD ASR Index

Next

SCD Home

Computer and network security

During the summer of 1997, the High Performance Systems section of SCD hired Richard Johnson to fill the UCAR Computer and Network Security Administrator position. He has subsequently been working with CSAC on the implementation of their recommendations and the advancement of security measures within UCAR.

SCD and UCAR have implemented a number of the CSAC security recommendations and plan to enhance computer and network security further during the upcoming year. The following paragraphs provide a brief synopsis of the FY1998 activities.

Enhanced UCAR's security perimeter:

• The CSAC-recommended gatekeeper host systems and the security perimeter were implemented after exhaustive evaluation and testing of security filters and their impact on the UCAR organization. The gatekeeper hosts were implemented in a high-availability configuration in FY1998, and will be enhanced in FY1999 with more fail-safe, fail-over, and load-sharing capabilities.

• Exposed hosts are actively scanned for known security vulnerabilities and new services on a regular basis.

• Secure Networks' "Ballista" scanner (now part of Network Associates' "Cybercop") was selected, and a 60-node license was acquired at the end of FY1998.

• Host security was enhanced by maintaining and applying a local knowledge base of security vulnerabilities and patches for the various operating systems in use at UCAR. Some patches and advisories are already available from the local repository; more (and pointers to vendor-supplied patches) are being added on a routine basis.

Enhanced UCAR's security incident response:

• Developed and implemented UCAR-wide incident response plan and policy. Incident response criteria were developed as part of an exposed-host security standards enforcement policy.

• Built automated intrusion detection alarm systems.

• Selected Network Associates' "Cybercop" bundled with scanner. Also will be using the net-supported SHADOW.

Enhanced security enclaves:

• Assisted with the implementation of higher-security enclaves within UCAR; for instance, HAO has no exposed hosts with the assistance of special proxies on the gatekeeper hosts.

• Evaluated and selected "intranet" firewall/filtering and authentication/encryption solutions on a case-by-case basis, in consultation with the NETS section of SCD and the NCAR divisions needing enhanced security.

Established assured connection integrity and privacy:

• Encouraged use of "ssh" end-to-end encryption within UCAR for authentication of both users and hosts, session integrity, and data privacy. ssh is actually, at the end of FY1998, being demanded by a growing segment of users. SCD and the UCAR Security Administrator plan to arrange PC/Mac client licensing in early FY1999.

• Introduced certification services for UCAR web, mail, and login use (ssh host keys, SSL server and user keys, PGP user keys). Initial use is expected to be personnel and contracts-related, driven by legal requirements, but it is anticipated this use will expand. SSL proxy was put in place for providing internal pages to authorized outside users. UCAR Certificate Authority was made available for web server and user email certificates.

Adopted a subset of industry security standards within the UCAR computational environment:

• Worked on reducing corporate legal liability with regard to security standards and practices by leading the generation of a "sense of the industry" (high-performance computing centers) with our compatriots at other centers.

The majority of the security changes were evaluated and implemented by the UCAR Security Administrator in conjunction with the Computer Security Advisory Committee (CSAC). The UCAR Security Administrator advises UCAR administrators in matters concerning security and possible violations. The goal is producing an environment that, as much as possible, retains our open network's advantages for our external and internal users, while also protects their work from damage and disruption by external attackers.