Secure Services
A user support perspective
Frank J. Reda
Director, Distributed Computing Support
Rutgers University Computing Services – New Brunswick
March 27, 2003 Secure Services – A user support perspective

Agenda
• Description of secure services
• RUCS-NB implementation
• Recommended clients
• Impact on our end users

What are secure services?
We’ll start by looking at “insecure” services, concentrating on two specific aspects:
• Passwords
• Encryption of data

What are secure services?
The network as we know it today was built around services that offered little or no default security:
• Telnet
• FTP (file transfer protocol)
• Email
• Web browsers

What are secure services?
In many cases, passwords were required to access services over the network.
With no default encryption of passwords, compromise was always a risk.
Once an intruder had your password, they had access to all of the services that accepted that password.

Why are secure services important?
Most online systems incorporate some kind of password-based access. If passwords are easily compromised, systems may be easily compromised.
Most people assume their password is secure when it is transmitted across the network, not realizing that it is possible for others to gain access to it.

Why are secure services important?
Rutgers is moving in the direction of using NetID (username/password) as the main source for authentication to university applications.
If you use your NetID to access insecure services, and thus risk compromising your password, you may also be compromising the integrity of other University systems.

Why are secure services important?
Certain government regulations require the security of sensitive data. Unencrypted data traveling over a network can be snooped. As snooping gets easier, this becomes a bigger issue.
In some cases, inadequate protection and custodial care of data may lead to legal action.

Why are secure services important?
The level of technical savvy is increasing. There are sources on the web that teach you how to snoop.
Access to “snooping” tools is increasing.
Previously, snooping involved getting physical access to a network connection. With wireless networking, you can snoop a network without getting anywhere near the physical network components.

Exploits Associated with Weak Security
Password exploits expose systems to intrusion that appears to be from valid users.
Intrusion involves unauthorized access to the network or the data traveling on the network.
Programs exist to capture data streams, and reconstruct communications.
The services we’re implementing seek to minimize these risks.

What will the secure services implementation accomplish?
• Encryption of passwords
• Encrypted data channels
• The potential for stronger password security
• Minimize risks associated with intrusion / snooping
Post-It©
Username: reda
Password: hockeypuck

RUCS – NB Implementation
Secure services, in the RUCS-NB context, refers to a set of services that will be available solely via encrypted channels.
The implementation calls for decommissioning of “insecure” communications channels.
The implementation of secure services concentrates on:
• Telnet clients
• FTP clients (and web authoring tools using FTP)
• Email clients
• X clients

RUCS – NB Implementation
As of July 1, 2003, the Rutgers New Brunswick campus will begin turning off access to selected insecure versions of these services.
By August 15, 2003, all access to telnet, FTP and email on RUCS systems in New Brunswick will require secure communications capabilities.
The discontinuation of “insecure” services is being done over 6 weeks to minimize the support impact.

RUCS – NB Implementation
As of March 1, 2003, RUCS-NB began a campaign to communicate with and educate the end user population regarding the upcoming changes.
Response to the announcements has been minimal
• Maybe no one is listening?
• Maybe they don’t understand the impact?
• Maybe they’re waiting for things to break?

RUCS – NB Implementation
In February, RUCS-NB announced the changes to Apple, PC and Unix administrator groups
Unit Computing Specialists were also notified of the likely implications of the upcoming changes
Reaction from the technical staff was mostly positive

Implications for End Users
Effective August 15, 2003 insecure versions of the following tools will no longer work:
• Telnet
• FTP
• Email
Current clients will probably not work
Reconfiguration of existing clients may be necessary
Acquisition and installation of new software may be necessary

Implications for End Users
Old comfortable tools may not work any more
Things will look different
Procedures may be slightly different

Implications for UCS’s
UCS’s received advance notification of the changes
Proactive UCS’s should see minimal impact when “insecure” services are turned off
Peripheral systems (those not directly supported by UCS’s) may not be kept up to date
Support call volume should rise/fall at an inverse rate to the effort expended in anticipation of the transition process

So, what changes?

Recommended Clients – Windows
SSH Clients
• SSH Corp. $L
• Putty
FTP Clients
• SSH Corp. (text / graphical)
• Putty
• WinSCP (graphical)
Email
• Microsoft Outlook 2000 – XP $$
• Microsoft Outlook Express
• Netscape Communicator 4.7 & up
• (Very) Limited support for Eudora / Pegasus Mail

Recommended Clients – Macintosh
SSH
• Mac SSH (OS 8, 9)
• Terminal (OS X)
FTP
• Fugu (OS X)
• SFTP (OS X)
• SCP (OS X)
• Terminal (OS X)
• Mac SFTP (OS 8, 9, X) $$
Email
• Entourage (OS 8, 9, X) $$
• Netscape Communicator 4.7 (OS 8, 9)
• Netscape Communicator 7 (OS X)
• Mail App (OS X)

Recommended Clients – Linux
• Open SSH
• SFTP and SCP
• Netscape Communicator

Recommended Procedures – X11
Procedures on SSH X11 forwarding are available on our Secure Services website.

Web Editors
Some web editors use FTP to publish web pages:
• Netscape Composer
• Macromedia Dreamweaver
• Microsoft FrontPage
• Adobe GoLive!
These applications do not currently support secure FTP mechanisms

Web Editors
There are products that allow users to mount (what look like) local drives/folders using secure FTP mechanisms.
We recommend:
• WebDrive ($L) for Windows users
• Interarchy ($$) for Macintosh users
Using these products, developers can publish to local designations of FTP directories.

Documentation
RUCS-NB has authored web pages to announce the service changes and to make available necessary clients.
RUCS-NB has authored how-to documentation to guide users through the process of transitioning client software to secure services.

Documentation
All updated documentation related to this effort is available at:
• http://www.nbcs.rutgers.edu/secure-services.php3
Sample documentation and recent versions of the client software are available on the CD we’ll be handing out.
Additional supporting documentation is available at:
• http://mssg.rutgers.edu/software/

Secure Services CD
Please note that the CD contains software licensed to Rutgers University.
If you are attending from outside the University, you are welcome to view the CD, but we kindly ask that you do not install the licensed software.

Training
The main thrust of our training effort was in the documentation area
• UCS’s were notified of the coming changes and directed to the documentation for guidance
• Documentation was written for end users
The tools themselves don’t change, just the settings.
Help Desk staff have been apprised of necessary information related to the transition and will guide users through the documentation, escalating unresolved issues to senior staff

Communication Plans
Targeted email communications
• March 1
• April 1
• May 1
• June 2
Announcement on top level University web pages in June
Paper mailings

Summary
RUCS-NB is moving to secure services to reduce the risk of password compromise and increase data security.
Such a move represents a significant event for users.
Documenting necessary changes to user applications is no small task

Summary
Communication regarding the change is critical to success
• Enlist the assistance of “allies”
• Communicate to the masses
Train your support staff
• In your organization
• In affected areas

Questions?