Better network security measures instituted
Users can still directly access SCD supercomputers . . .
by Juli Rew

On 2 September 1998, SCD instituted new security measures that will help protect NCAR/UCAR's internal network from unauthorized access. "It's likely to be a major change for some people, and none at all for others," says Greg Woods of the SCD Distributed Systems Group.

Although internal servers and SCD workstations are now enclosed within a new "security perimeter," users will still be able to access the SCD supercomputers directly, as before. Computers that may still be reached from outside the new security perimeter are called "exposed hosts," meaning that they may be accessed directly via telnet. Besides the supercomputers, the exposed hosts include the front-end computer meeker, the SCD server niwot, the data server huron, the Internet Remote Job Entry (IRJE) server, the SGI Power Challenge winterpark, and the "gatekeeper" server (see diagram). The diagram below shows the design of the security perimeter; the arrows indicate that hosts inside the perimeter may open only outgoing direct connections, and that incoming connections from outside are accepted only by the exposed hosts.
Rcp (remote copying) to and from the Crays is still permitted, although it is likely to be discontinued in the future: rcp grants access on the basis of .rhosts files, which trust a connection solely because of the host name or address it appears to come from, and that trust may not be secure. SCD is exploring the use of ssh (secure shell) commands on the exposed hosts. The ssh suite of commands encrypts the connection and authenticates the user instead of trusting the calling host, and thus may provide a secure way to do remote file copying analogous to rcp. Ssh is already available on meeker and winterpark, and a UNICOS version is being tested for the Crays. Remote users who come in via the remote access server (RAS) or the annex terminal server are considered to be inside the security perimeter and thus can log in to internal hosts. Users who come in via an Internet Service Provider (ISP), however, will need to log in to an exposed host or to the gatekeeper server, where password verification can take place.
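The .rhosts concern above is easy to audit. The following script is an added example for this article, not SCD's own tooling: it scans an .rhosts-style file (one `HOST [USER]` entry per line, `+` as a wildcard, a leading `-` as a deny entry) and reports which entries grant trust and how broadly. The file contents, host names and user names in it are constructed for illustration.

```python
"""Audit .rhosts-style trust files before relying on rcp across a perimeter.

Added example, not SCD software. rlogin/rsh/rcp accept a remote user when the
client's host name (and optionally user name) appears in ~/.rhosts or
/etc/hosts.equiv. Nothing is authenticated beyond the apparent source address,
which is why such files are considered "not secure".
"""
from dataclasses import dataclass

# Constructed sample ~/.rhosts (hypothetical hosts and users).
SAMPLE_RHOSTS = """\
# hosts allowed to rcp into this account
meeker.ucar.edu jdoe
winterpark.ucar.edu
+ jdoe
+ +
-evil.example.org
huron.ucar.edu +
"""


@dataclass
class Finding:
    line_no: int
    entry: str
    severity: str  # "high" for wildcard trust, "info" for host-name-only trust
    reason: str


def audit_rhosts(text: str) -> list[Finding]:
    """Return one Finding per trust-granting entry in an .rhosts file."""
    findings: list[Finding] = []
    for no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not entry:
            continue
        fields = entry.split()
        host, user = fields[0], (fields[1] if len(fields) > 1 else None)
        if host.startswith("-"):
            continue  # explicit deny entry grants nothing
        if host == "+" and user == "+":
            findings.append(Finding(no, entry, "high",
                                    "any user on any host may log in without a password"))
        elif host == "+":
            findings.append(Finding(no, entry, "high",
                                    f"user {user!r} trusted from any host"))
        elif user == "+":
            findings.append(Finding(no, entry, "high",
                                    f"any user on {host!r} trusted"))
        else:
            findings.append(Finding(no, entry, "info",
                                    "trust rests only on the client's host name/address, which can be spoofed"))
    return findings


def wildcard_lines(text: str) -> list[int]:
    """Line numbers of entries that trust a wildcard host or user."""
    return [f.line_no for f in audit_rhosts(text) if f.severity == "high"]


if __name__ == "__main__":
    for f in audit_rhosts(SAMPLE_RHOSTS):
        print(f"line {f.line_no}: [{f.severity}] {f.entry!r}: {f.reason}")
```

Run it against a real `~/.rhosts` by reading the file into `audit_rhosts`. The wildcard entries are the ones to remove first; the remaining host-based entries go away once scp from the ssh suite (same argument shape as rcp, `scp file host:path`) is available on the hosts involved, since scp authenticates the user and encrypts the transfer instead of trusting the calling host.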
One change that will affect staff within the perimeter is that they must go through the X proxy on the gateway server in order to run X Window clients at remote sites with the display sent back to their workstation. (Again, this is because the security perimeter does not allow connections from the outside to an internal host, and an X client at the remote site has to open a connection back to the X server on the workstation.) Contact security administrator Rich Johnson (rjohnson@ucar.edu) if you need help setting up the X proxy. Users who log in to an exposed host, such as a Cray, will still be able to display X applications back to their home workstations.
Only versions of File Transfer Protocol (FTP) that support "passive mode" will work from protected hosts. (FTP uses two connections: a control connection, which the client opens, and a separate data connection for each transfer. In the default, or "active," mode the server opens the data connection back to the client, which the perimeter rejects as an incoming connection; in passive mode the client opens the data connection itself, so only outgoing connections are needed.) Applications such as Netscape support passive-mode FTP by default, so URLs of the form ftp://... should work normally. SCD has also installed a gatekeeper server on the perimeter that runs proxy software to allow NCAR/UCAR staff to FTP to and from NCAR without having to move their data outside the perimeter or to an exposed host.
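To make the passive-mode point concrete, here is an added example (not code from the article or from SCD) that models the two FTP data-connection modes at the level of the commands actually exchanged: the client's `PORT` command in active mode, the server's `227` reply in passive mode, and a check of which one an outbound-only perimeter lets through. The IP addresses are constructed from documentation ranges, not real NCAR hosts.

```python
"""Active versus passive FTP data connections across an outbound-only perimeter.

Added example, not SCD software. FTP keeps one control connection (opened by
the client) and opens a separate data connection per transfer; who opens that
data connection is what the perimeter cares about.
"""
import re

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)": address and port, comma separated.
_PASV_REPLY = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply: str) -> tuple[str, int]:
    """Parse a 227 reply into (host, port); port is p1*256 + p2."""
    m = _PASV_REPLY.match(reply.strip())
    if not m:
        raise ValueError(f"not a PASV reply: {reply!r}")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError(f"octet out of range in {reply!r}")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port(host: str, port: int) -> str:
    """Build the 'PORT h1,h2,h3,h4,p1,p2' command an active-mode client sends."""
    octets = host.split(".")
    if len(octets) != 4 or not 0 < port < 65536:
        raise ValueError(f"bad address {host}:{port}")
    return f"PORT {','.join(octets)},{port // 256},{port % 256}"


def active_transfer(client_ip: str, listen_port: int) -> dict:
    """Active mode: client listens, tells the server where, server connects back."""
    return {
        "mode": "active",
        "client_sends": build_port(client_ip, listen_port),
        "initiator": "server",
        "endpoint": (client_ip, listen_port),  # server -> client: inbound to client
    }


def passive_transfer(server_reply: str) -> dict:
    """Passive mode: client sends PASV, server names a port, client connects out."""
    host, port = parse_pasv(server_reply)
    return {
        "mode": "passive",
        "client_sends": "PASV",
        "initiator": "client",
        "endpoint": (host, port),  # client -> server: outbound from client
    }


def perimeter_permits(transfer: dict) -> bool:
    """A perimeter that allows only outgoing connections from protected hosts
    lets the data connection through only when the client opens it."""
    return transfer["initiator"] == "client"


if __name__ == "__main__":
    reply = "227 Entering Passive Mode (192,0,2,10,19,137)"  # constructed server reply
    for t in (active_transfer("198.51.100.7", 5001), passive_transfer(reply)):
        verdict = "allowed" if perimeter_permits(t) else "blocked"
        print(f"{t['mode']:7} client sends {t['client_sends']!r}; "
              f"{t['initiator']} opens data connection to {t['endpoint']}: {verdict}")
```

Most modern clients already default to passive mode (Python's `ftplib.FTP`, for instance, does, and exposes `set_pasv()` to switch); the ones that fail from inside the perimeter are those that still issue `PORT` and wait for the server to connect back.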