RSMAS Computing Facility
Security
July, 2004 draft, Grant Basham (12/2006)
Always under construction
No computer on a network is secure!
Contents:
Policy
Firewall
Email
Updates
Windows Updates
Linux updates
Client updates
Access
accounts
passwords
File Sharing
Backups & Physical Security
Policy:
The RSMAS Computer Facility (RCF) has a number of recommendations and policies to help users avoid the security threats that abound in today's Internet environment. Ultimately, computer security is your responsibility. Although the RCF provides some services and announcements, Owners/Users are the primary implementors of effective computer security.
Firewall:
The RCF runs a firewall that limits inbound network traffic. By default, a computer node on the RSMAS network (local) can not be reached by a computer that is on an outside network (remote). A local computer is allowed to initiate a connection with a remote computer using any protocol (with some exceptions) that is allowed by the remote computer. Thus, you can browse the web from your computer, and any local computer (on the RSMAS network) can browse a web site you set up on your computer; but a non-RSMAS remote computer could not see the web site you set up on your local RSMAS computer. In a similar manner, inbound connections for email, ftp, ssh, telnet, Xwindows, and all other protocols are blocked. This policy has been in place for all RSMAS nodes since January, 2002.
Exceptions to this policy might be grudgingly allowed on a case-by-case basis. Contact RCF Staff if you need access for a particular protocol on a particular node.
The following points are considered when exceptions are requested:
- RCF provides a number of widely used services such as anonymous FTP (file exchange), SMTP (network exchange for email), POP/IMAP (email message pickup), and HTTP (web service). You are requested to use these protocols from RSMAS servers rather than setting them up on your own computer unless there are unusual circumstances that prevent the shared services from fulfilling your needs. Shared files residing on your computer can be made visible as folders on ftp://ftp.rsmas.miami.edu/users. Personal and group web pages, with the content under your control, can be served by the RSMAS web server; see http://www.rsmas.miami.edu/web
- Telnet, FTP, and Xwindows are three protocols that were widely used by Unix/Linux workstations for network communications. Telnet provides remote login, FTP allows remote file transfer, and Xwindows allows users to run Unix graphics applications across the net. These protocols all present significant security risks; RCF recommends that the SSH protocol suite be used as a substitute for all of these functions. An ssh daemon needs to be installed on the local RSMAS computer that is to be contacted. An ssh client must be available on the remote network computer to provide ssh as a secure substitute for Telnet and Xwindows and scp as a secure substitute for FTP. Most modern Unix/Linux installations have this software. You can pick up Windows versions of the ssh client software at ftp://ftp.rsmas.miami.edu/pc/ssh/. Contact RCF to ensure that your computer is allowed to accept remote SSH connections.
- Computer software is constantly updated in response to known security threats. Keeping software current is crucial for any system, particularly for systems that can be accessed by remote computers. Local nodes that need to be accessed by remote computers must have a plan and a responsible person to make sure that security updates are performed on a regular basis.
If you need special access to the RSMAS network from your home or other remote computer, RCF provides Virtual Private Network (VPN) software that will let a remote computer appear to be on the local RSMAS net, thereby avoiding firewall restrictions. Go to https://remote.rsmas.miami.edu, log in with your RSMAS username/password, and click the [Start] button at the bottom of the Secure Access Server window.
Email:
RSMAS provides email account services and access to RSMAS mailing lists to all members of the RSMAS community. There are a number of security considerations for email transactions. Email is often used to transmit viruses/worms which can trash your system and/or let your system be used to trash other networked computers. Forged messages that look like they come from a legitimate institution may report some problem and ask that you contact them by clicking a link or sending them account/financial information; DON'T. These attempts, called phishing, can be quite sophisticated. You can be fooled if you are not alert.
Your email may be seen by others
Computer system administrators and the occasional hacker have access to your email at several points during its transmission. Though it is considered bad form, they can read your email if they wish. Those who own the networks and the computers handling email can institute any reasonable policies they wish about monitoring email and computer systems on the net. Don't send anything you consider confidential by email.
Email is easily forged
It is easy to make email look like it is from anyone and anywhere one chooses. People use email to send hoaxes, scams, viruses, and just plain junk, intending to fool you. Common hoaxes tell you that there is some horrible virus that no one can do anything about, or you may be told to delete some file on your computer and/or send email to warn everyone you know about some pending calamity. You may be encouraged to send your bank account information. I advise skepticism. Search the Symantec virus encyclopedia for keywords in your message to see if you have a hoax or a real virus.
Many types of email attachments are blocked at RSMAS
Viruses are often spread as attachments to email messages; these attachments infect your computer if you open or execute them. It is good security policy NEVER to open an email attachment unless you know the person that is sending it AND you were expecting to receive it. Unfortunately, there are mainstream email clients that may be configured to automatically open attachments (DON'T); virus-infected attachments will infect these computers without any explicit action by the user. Although you have anti-virus software on your computer, and we scan for viruses at the mail-server, there is often a lag between the rapid spread of a new virus and the availability of effective anti-virus signatures. To prevent infection of computers on the RSMAS net during this period, and to help protect poorly-configured computers, we block the transmission of all executable attachments in or out of the RSMAS mail-server. Messages containing such attachments are quarantined and delivered to you with a note that the attachment was removed. The messages can be unblocked by RCF staff if we are notified within 5 days. Blocked file types include exe, bat, and other executable file types. Most standard document and MS Office types are allowed.
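The filtering step described above can be sketched as follows. This is an added example, not RCF's mail-server configuration: the extension list beyond exe and bat, the wording of the note, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# The page names exe and bat; the remaining extensions are assumptions
# standing in for its "other executable file types".
BLOCKED_EXTENSIONS = {".exe", ".bat", ".com", ".scr", ".pif", ".vbs"}


def is_blocked(filename):
    """True when the final extension of an attachment name is blocked."""
    if not filename:
        return False
    # Windows ignores trailing dots and spaces, so "run.bat." still executes.
    name = filename.lower().rstrip(". ")
    dot = name.rfind(".")
    return dot != -1 and name[dot:] in BLOCKED_EXTENSIONS


def strip_executables(raw):
    """Return (cleaned message, [(filename, payload bytes), ...] quarantined)."""
    msg = message_from_string(raw, policy=policy.default)
    quarantined = []
    for part in list(msg.walk()):
        filename = part.get_filename()
        if part.is_multipart() or not is_blocked(filename):
            continue
        quarantined.append((filename, part.get_payload(decode=True)))
        # set_content() clears the old Content-* headers and payload, so the
        # part becomes a plain-text note in place of the executable.
        part.set_content(
            f"The attachment {filename!r} was removed by the mail server.\n"
        )
    return msg, quarantined


def build_sample():
    """Constructed message: one harmless and one double-extension attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached files.\n")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    return msg.as_string()


if __name__ == "__main__":
    cleaned, quarantined = strip_executables(build_sample())
    print("quarantined:", [name for name, _ in quarantined])
    print(cleaned.as_string())
```

The check looks only at the last extension, so a name such as invoice.pdf.exe is treated as an executable even though it displays like a document.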
Mail pickup
Mail clients are programs that retrieve and send email from personal computers or workstations. Microsoft Office Outlook 2003 and Thunderbird are supported and recommended by the RCF. Mail clients retrieve incoming mail from a mail server using the IMAP protocol. The client must be configured to use secure (SSL) connections. The IMAP protocol leaves your messages on the mail server until you explicitly delete them or transfer them to folders on your local machine; your email inbox resides on the mail server. The POP protocol is less useful because your messages are transferred from the mail server to an inbox on your local computer; your access to your current messages is limited to a single computer. Use IMAP, not POP. You can see an additional writeup about email at RSMAS, including information on client software and how to configure it, at http://rcf.rsmas.miami.edu/rcf/email.html.
Anti-virus Software
Computer viruses are programs designed to replicate and spread to other computers; they can damage your computer or its files. These programs are generally spread by email. You cannot protect your networked Windows or Macintosh computer without anti-virus software. Viruses are less of a problem with Unix/Linux computers. RSMAS makes Norton Antivirus software available for Windows and Macintosh systems at RSMAS. The software looks at files and programs on your computer and checks them against a database that contains signature fragments for many thousands of known viruses. This database needs to be updated daily with the software's LiveUpdate function to maintain adequate protection for your computer. You can pick up anti-virus software and get instructions at http://rcf.rsmas.miami.edu/rcf/virus.html.
An important adjunct to Anti-virus software is software to scan for Trackware, which reports your web-browsing patterns and other personal information to vendors and can take over your browser. See the RSMAS ftp site at ftp://ftp.rsmas.miami.edu/pc/spyware for software and information.
System Patches and Updates
Operating system software (OS) and utilities are regularly updated in response to security problems. Security hacks get widely publicized and crackers regularly scan our nets, looking for systems that have known security weaknesses. They use these weaknesses to break into computers with unpatched software, then use the compromised computer as a base to attack all of the RSMAS net with the increased access granted a computer on the local net. You must install your vendor's patches on a regular basis to avoid being caught. OS software, non-OS web browsers, and mail clients are all frequent targets; you should keep up with the current patches and versions.
RCF reserves the right to discontinue network service to nodes that do not keep up to date with OS and virus updates.
December 2007 OS status: Operating systems on the shared RSMAS network need to be kept up to date with the appropriate security patches. Systems that are not being supported need to be removed from the RSMAS net. If, for any reason, you feel you cannot comply with this, contact RCF now.
The following operating systems are not being updated for security problems and should not be on the RSMAS net. They should be updated or removed from the Net immediately:
- RedHat older than Enterprise Linux 3.0 or Fedora Core 7 *
- Windows NT, ME, 98, or 95
- Windows XP older than Service Pack 3
- Windows 2000 SP 3 and older (SP4 ok)
* Fedora releases are current for 6 months, supported for an additional 6 months, and are then retired.
The following are under support and are OK on the net as long as you do regular updates:
- Windows 2K service pack 4
- Windows XP, Service Pack 2
- Windows Server 2003
- RedHat Enterprise Linux 3 and higher.
- The last two RedHat Fedora Core releases (7 & 8 as of 12/2007)
- Vista is a current OS and is fine to use, though we have little experience in supporting it.
Any other OS on the RSMAS net needs to be supported by its distributor and have local managers that keep security updates current. Nodes that are not regularly updated for current security patches are discouraged on the net and are not to be accessed from off of the RSMAS net.
Windows OS Updates
For Windows XP, you can configure your system for automatic unattended daily updates:
[Start] -> Control Panel -> System -> [Automatic Updates]
Click "Automatically download the updates, and install..."
and select "Every day" in the drop down menu. Enter a time-of-day when your computer will be on.
RCF recommends this configuration. Windows XP, Service Pack 2, will run this configuration by default.
Any time you reinstall your system, or need to ensure that your updates are current, go to the http://windowsupdate.microsoft.com site as instructed below. Details will vary a bit depending on your operating system, but during the process you will be offered the opportunity to have your computer scanned to determine what updates you need. Updates will be rated critical, recommended, or other categories. You will get the opportunity to select the updates you wish to install. A reboot may be necessary after installation. You can often download and install all the patches in one batch, but occasionally you will be told that a patch will have to be done alone. In such cases, repeat the update process until you are told there are no more critical updates. To perform updates on XP/2000, you will need administrative access to the computer.
- Windows 2000
  Click [Start] -> ... Windows update. A product update page will appear. Select Scan for updates and follow the instructions.
- Windows XP
  Windows XP will nag you when updates are ready. Follow the instructions. You can check to see if there are updates by clicking
  [Start] -> Help & Support -> ... Windows Update
  Select Scan for updates and follow the instructions.
Microsoft Office can be updated from http://officeupdate.microsoft.com/officeupdate. It is much easier to manage newer Office versions (XP or 2003) than earlier versions of Office. The newer versions have an automatic inventory function similar to the Windows OS updates. A copy of the CD you used to install Microsoft Office is required to complete installation of Service Pack updates. Office updates are not automatic; you must run them by hand. A copy of the installation CD is often required. You can access a copy of the CD online from \\ftp\officeXP or \\ftp\office2003. You may have to "map network drive" to use them.
Linux OS Updates
RedHat Linux is a Unix variant widely used at RSMAS; Red Hat regularly patches known security breaches; patches are released as rpms, files that can be downloaded and used to update the distribution.
RedHat has two product lines. Fedora is a freeware product that will be updated 2 to 3 times per year; old versions will be supported for only 6 months after a new version comes out. This means that you will have to update 2 to 3 times per year to maintain full access to the RSMAS net. Intermediate security updates should be run at least weekly by running the "up2date" command as the root user. Redhat Enterprise Linux (REL) is a commercial product with a 3 year version cycle and a 5 year support cycle. Starting in the spring of 2004, RCF will provide workstation licenses for REL to nodes with a regular RSMAS network address. A local server provides easy updates for these nodes. RCF recommends that you use REL.
When updates are required, the button by the clock in the lower right corner of the screen turns from blue to red. You then just need to run
> sudo /sbin/up2date
You will be prompted for your password, then a GUI will run that will lead you through the current updates.
Non-OS clients
Non-OS Browsers and mail clients are best updated by going to their web homes and looking for patches and updates. We send announcements of major updates to the rcf-note@rsmas.miami.edu mailing list when they come to our attention. Best practice is for you to check occasionally at the website of the vendor/supplier. Programs in this category include Mozilla, Netscape, and Eudora. Look in the download areas at these sites for the current versions. The Norton AntiVirus software is updated through its LiveUpdate function.
Access:
Access to RSMAS networks and computer services is controlled by the University of Miami and RSMAS. Local access to individual computers is controlled by and is the responsibility of the owners of the computers. All network access to RSMAS nodes and services should be made, where possible, with protocols that encrypt usernames and passwords. SSH/SCP offer secure alternatives to FTP and Telnet. Mac/Unix/Linux OS come with SSH/SCP installed. You can download these utilities for Windows at ftp://ftp.rsmas.miami.edu/pc/ssh/. Access to RSMAS nodes and services with insecure protocols is generally blocked at the firewall. RCF reserves the right to limit or discontinue network access to nodes that are running operating systems that are no longer supported by the vendor, or nodes that are not kept up to date with security patches for the relevant operating system or programs.
Accounts
On Unix/Linux workstations, access to your files and other services is linked to an account. Accounts are described by "passwd" records which include a username. In a local networked environment it is important that usernames, and the underlying numeric ID for the username, be unique, or it may be possible for others to access and even delete your files in some circumstances. RCF will provide, on request, unique user names and IDs. Your username/password for email access is an example of this. It is good security practice for those who run their own workstations to use RCF-assigned usernames and IDs; Owners that assign their own usernames and IDs will not be included in RSMAS shared-file and shared-printer networks.
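One way to check the uniqueness requirement described above is to compare the passwd records of every workstation that shares files. This is an added example, not an RCF tool; the host names and passwd lines are constructed.

```python
from collections import defaultdict

# Constructed passwd records from two hypothetical workstations.
SAMPLE_HOSTS = {
    "ws-alpha": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "asmith:x:5012:500:A. Smith:/home/asmith:/bin/bash\n"
        "bjones:x:5013:500:B. Jones:/home/bjones:/bin/bash\n"
    ),
    "ws-beta": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "cdoe:x:5012:500:C. Doe:/home/cdoe:/bin/bash\n"
        "bjones:x:6001:500:B. Jones:/home/bjones:/bin/bash\n"
        "broken:x:notanumber\n"
    ),
}


def parse_passwd(text):
    """Yield (username, uid) pairs; malformed or comment lines are skipped."""
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.startswith("#") or len(fields) != 7 or not fields[2].isdigit():
            continue
        yield fields[0], int(fields[2])


def find_conflicts(hosts):
    """Return (uids used by several usernames, usernames with several uids)."""
    names_by_uid = defaultdict(lambda: defaultdict(set))
    uids_by_name = defaultdict(lambda: defaultdict(set))
    for host, text in hosts.items():
        for name, uid in parse_passwd(text):
            names_by_uid[uid][name].add(host)
            uids_by_name[name][uid].add(host)
    # A UID shared by two usernames: a file server that trusts the numeric
    # ID sent by the client treats both people as the same file owner.
    shared_uid = {uid: {n: sorted(h) for n, h in names.items()}
                  for uid, names in names_by_uid.items() if len(names) > 1}
    # One username with two UIDs: the user's own files look foreign to them.
    split_name = {name: {u: sorted(h) for u, h in uids.items()}
                  for name, uids in uids_by_name.items() if len(uids) > 1}
    return shared_uid, split_name


if __name__ == "__main__":
    shared_uid, split_name = find_conflicts(SAMPLE_HOSTS)
    for uid, names in sorted(shared_uid.items()):
        print(f"UID {uid} is used by different usernames: {names}")
    for name, uids in sorted(split_name.items()):
        print(f"username {name} has different UIDs: {uids}")
```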
Passwords
Passwords will be assigned to you when your account is issued. You can change your password on RCF computers; follow the rules below when selecting a password. Username/Password are often used for account and service access. Passwords should:
- be at least 6 characters long
- contain more than one character type (lowercase, caps, digits, punctuation)
- not be based on a dictionary word in any language
- not be based on names, scientific terms, facts about you (office number, birth date, etc.)
Don't post passwords on your bulletin board, don't email them, don't give them to your friends. Do change them often. For RCF services, you are responsible for computer and network activities that occur under your username/password.
The RCF will irregularly use standard password-guessing software to check the passwords on RCF accounts. If your password is guessed, your account will be blocked; you will have to come by the RCF and listen to a boring password lecture before it will be reactivated.
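The four password rules above can be checked before a password is accepted, which catches the same weaknesses a guessing tool would find later. This is an added example, not RCF's software: the word list, the substitution table and the personal_facts parameter are assumptions, and a real check would load a full dictionary.

```python
import string

MIN_LENGTH = 6  # value taken from the policy above
# Constructed stand-in for a real word list (e.g. a system dictionary file).
WORDS = {"password", "dolphin", "ocean", "miami", "coral"}
# Common character substitutions undone before the dictionary comparison.
SUBSTITUTIONS = str.maketrans("013457@$!", "oieastasi")


def character_types(password):
    """Count which of the four character types named in the policy appear."""
    tests = (str.islower, str.isupper, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(test(c) for c in password) for test in tests)


def letters_only(text):
    """Lowercase, undo substitutions, and drop everything but letters."""
    return "".join(c for c in text.lower().translate(SUBSTITUTIONS)
                   if c.isalpha())


def check_password(password, personal_facts=()):
    """Return the list of policy rules the password breaks (empty = OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 6 characters")
    if character_types(password) < 2:
        problems.append("only one character type")
    core = letters_only(password)
    # Very short words are ignored so a large word list does not match
    # everything; reversed words are checked as well.
    if any(len(w) >= 4 and (w in core or w[::-1] in core) for w in WORDS):
        problems.append("based on a dictionary word")
    digits = "".join(c for c in password if c.isdigit())
    for fact in personal_facts:
        fact_letters = letters_only(fact)
        fact_digits = "".join(c for c in fact if c.isdigit())
        if (len(fact_letters) >= 3 and fact_letters in core) or \
           (len(fact_digits) >= 3 and fact_digits in digits):
            problems.append("based on a personal fact")
            break
    return problems


if __name__ == "__main__":
    for candidate in ("coral", "D0lph1n!", "tK9#qLz2"):
        print(candidate, "->", check_password(candidate) or "OK")
```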
File sharing
Files may be shared with other computers on the local RSMAS network if you desire. Files that are shared on the network are at much more risk of being viewed or even altered/deleted than files that are restricted to your local node. By default, your home directory on most Unix/Linux computers at RSMAS is shared with the local RSMAS net.
Linux/Unix systems share files with the Network File Sharing protocol (NFS). Windows and Macintosh systems can share file folders. Security for shared files is beyond the scope of this document. On Windows systems, see the system help on "sharing folders". On many Unix/Linux machines, run
info -f fileutils.info
and see the section on File permissions and Changing file attributes
Backups and Physical Security
I know these seem obvious, but...
Back up your files regularly. A new computer hard drive (disk) works somewhere between a couple of hours and several years, then it crashes, destroying all the files on the disk. Don't learn the hard way.
Someone with physical access to your computer can do anything they want with the computer and the files on it, regardless of the computer and network security you have installed.
No computer on a network is secure.
305.421.4028





