HAO in the NCAR Security Model

Using the UCAR/NCAR Gatekeeper

Introduction

UCAR/NCAR's Computer Security Advisory Committee (CSAC) was created in November of 1995 by the UCAR Management Committee (UMC). CSAC was chartered with the tasks of assessing the electronic security of UCAR/NCAR's computers and networks, and proposing a solution to risks exposed by the assessment. CSAC released the Security Plan on December 17, 1996. That document may be found at http://www.ncar.ucar.edu/csac/internal/secplan/.

CSAC concluded that the risk to data and the scientific mission of UCAR/NCAR is significant and proposed a model under which the risk could be mitigated while minimizing the disturbance to work.

This document describes HAO's part in the Security Plan and explains the methods which will be used to gain access to HAO computing facilities from outside of UCAR/NCAR.

SCD has prepared an on-line tutorial about using the Gatekeeper:

http://www.ncar.ucar.edu/csac/internal/ucargate/

Security Model

Refer to Figure 1 for a view of this model.

The security model addresses restrictions to access of HAO computing facilities from the outside of UCAR/NCAR.

In general, access to HAO computing facilities from the outside is not directly allowed, which prevents direct assaults from the Internet by persons of malicious intent. (It does not protect us from persons within the organization, but that is another matter.) Since direct access is restricted, a mechanism for indirect access must be provided. This is the role of the gatekeepers. The gatekeepers channel access through a well-protected entry-way and only allow authorized access in. The confirmation of authorized access is called authentication, which simply means that a username and password are needed to use the gatekeeper, so that entry is uniquely identified with a person who is explicitly granted access.

Access from computers inside HAO to the outside world is not restricted. telnet, for example, from a computer inside HAO to a computer at an outside institution is not restricted.

The security perimeter is the dividing line between what is inside and outside of UCAR/NCAR.

The gatekeepers include gate.ucar.edu and webcluster.ucar.edu. The gatekeepers are computers managed by SCD.

Proxies are computer programs which run on the gatekeepers and mediate the traffic into HAO.

There are three types of hosts included in this security model. Protected hosts are machines that are totally inside the perimeter and have no direct access from the outside. Fully exposed hosts are machines which are accessible from outside, and only a very few services are not allowed. Semi-exposed hosts also are accessible from the outside, but these are more protected in that only a few well-secured services (such as web servers or ssh servers) are allowed, and all others are denied. As of this writing, all of HAO's machines are protected hosts.

The security model focuses upon those services which are vital to HAO in its function to provide access to HAO computing facilities and data served by HAO. Security measures usually cause some inconvenience. Careful thought has gone into optimizing the balance between security and inconvenience with an understanding of the character and atmosphere of work within UCAR/NCAR.

In August of 2001, the CSAC instituted a policy that banned the use of clear-text passwords when accessing NCAR/UCAR hosts from outside the security perimeter. This means that the use of telnet, non-anonymous ftp, POP email and any other service that requires authentication via the use of a password that is unencrypted is now denied. The use of clear-text passwords was deemed an important enough threat to the security of our systems to disallow its use.

Services under the Security Model

The most important services which HAO provides to the outside world are interactive logins, access to data via FTP, the delivery of data from outside observing stations, and serving anonymous access to information, ideas and data from HAO via the Web (HTTP).

The gatekeeper authenticates access, which means that any access to HAO's computing facilities needs to be uniquely electronically identified. Therefore, any outside user needing interactive access to a computer within HAO must have a username and password on the gatekeeper. Since the gatekeepers are managed by SCD for all of UCAR/NCAR, the username must be registered at the UCAR/NCAR level (in SCD). Accounts created in HAO can have a username which is different from that created in SCD at the UCAR/NCAR level. Only the latter (the SCD username) is valid for access to the gatekeeper, since an HAO username that differs from the UCAR/NCAR-wide one will not be recognized outside of HAO.

New accounts created in HAO will automatically be given a gatekeeper account. All current accounts for HAO staff and visitors will be given gatekeeper accounts. Any requests for gatekeeper accounts should be made by sending e-mail to trouble@hao.ucar.edu.

Remote Login using ssh

Remote login must now use an ssh program. ssh programs exist for most versions of unix, Windows 98/NT/2000 and Macintosh. Here is a source of information about obtaining an ssh program:

http://opensores.thebunker.net/pub/mirrors/ssh-faq/ssh-faq-2.html

The login to HAO computer systems from outside the perimeter is a two step process. One must login to the gatekeeper first, using one's UCAR/NCAR-wide username and password, and follow that with the actual login to the target system. The first login, at the gatekeeper, authenticates access to the rest of UCAR/NCAR resources.

Here is an example of using ssh to connect to hao.ucar.edu:

dnsquery% ssh gate.ucar.edu

bgamblin's password:

Last login: Mon Nov 26 20:28:36 2001 from 3com-joanne-198

-------

On 5 December 2001 at 9am-10am MST (UTC-7), the SSH 1 and SSH 2 host keys for gate.ucar.edu will be replaced by new keys.

Please see the following URL for more details:

<http://www.ucar.edu/csac/gate-ssh-keys/new-key-announce.txt>

UCAR SSH Proxy (? for help)> hao.ucar.edu

hao.ucar.edu appears to have SSH available; using encrypted connection

bgamblin@hao.ucar.edu's password:

Last login: Mon Dec 3 09:17:55 2001 from cedar

You have mail.

(hao) bgamblin :

On most unix systems, the command slogin is equivalent to ssh.

File Transfer

Transfer of files from outside the security perimeter to HAO computers must be accomplished via the use of scp since FTP does not encrypt password information. A special proxy has been set up on the gatekeepers to make this transfer possible. To use it, you specify the -P option with the port number of 2222. Here is an example of sending a file from outside the security perimeter:

% scp -P 2222 somefile.dat bgamblin@ftp.hao.ucar.edu:/home/bgamblin/somefile.dat

bgamblin's password: (Note this is your HAO password, not the gatekeeper one)

If you want to copy a file from a HAO computer, you just turn it around:

% scp -P 2222 bgamblin@ftp.hao.ucar.edu:/home/bgamblin/myfile.dat myfile.dat

bgamblin's password:

The gatekeepers do not support file transfer by way of the rcp command.

FTP

Access to the Anonymous FTP area from outside sites

Due to the cleartext password ban, it is no longer possible to use ftp from outside sites using a real username and password. (You must use scp as described above) However, the use of anonymous ftp is still allowed. A mode of access to HAO's anonymous ftp area has been set up which directs the connection through the gatekeeper in a way which does not require authentication through a gatekeeper account. Note that this method can only be used to connect to HAO's FTP server. You can instruct people who wish to access HAO's anonymous ftp server to do so by providing a special port number, 122.

ftp ftp.hao.ucar.edu 122

Note that the example above assumes access from a Unix system. If your collaborator's system is running another operating system, the principles are the same, but the collaborator needs to learn how to configure FTP on their system to use port 122.

Access to FTP data is possible through the HAO web server. This application makes use of the flexibility of the Web URL, which allows one to specify the ftp protocol rather than http:

ftp://ftp.hao.ucar.edu:122/

Connecting to the gatekeeper on port 122 will transparently access the HAO FTP server without requiring authentication on the gatekeeper.

Sometimes (usually when the requestor is also behind a firewall) the use of ftp via port 122 just does not work. A web server has been set up on the anonymous ftp server specifically for this purpose. The anonymous ftp area can be accessed via a browser using the http protocol with this URL:

http://download.hao.ucar.edu/

FTP to Outside Sites from Inside HAO

Outgoing FTP must be initiated by a client program which can do the PASV (passive) mode of FTP, so that the client will control the session while the server remains passive. The standard FTP clients in Solaris and IRIX cannot do PASV mode, so we supply our own FTP client. Using this client is transparent because it defaults to the PASV mode, and is modeled after the standard FTP client.

There are cases in which passive mode is rejected by the remote FTP server. In that case, try using the gatekeeper as a proxy for FTP access to the outside. Here is an example of an outgoing ftp session through the gatekeeper:

(luke) bgamblin : ftp gate.ucar.edu

Connected to gate.ucar.edu.

220 gate2 FTP proxy (Version V2.0) ready.

Name (gate.ucar.edu:bgamblin): ftp@ftp.usenix.org

331-(----GATEWAY CONNECTED TO ftp.usenix.org----)

331-(220 db.usenix.org FTP server (Version wu-2.4.2-academ[BETA-13](1) Tue Jun 10 15:41:03 PDT 1997) ready.)

331 Guest login ok, send your complete e-mail address as password.

Password:#### (this is the usual anonymous ftp password)

230-Welcome to ftp.usenix.org

Changing Your Gatekeeper Password

(Note the term EQ/C stands for Email Query/Change program. The example below shows how to use it.)

Please change your initial password as soon as possible, to a good password only you know. A good password will:

  • Be an acronym that doesn't spell a word, or a combination of words
  • Have digits and/or punctuation characters as well as letters
  • Have both upper and lower case letters
  • Be easy to remember, so it does not have to be written down
  • Be seven or eight characters long, or longer where possible
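As an added example that is not part of the original HAO document, the shell function below checks a candidate password against the guidelines listed above; it inspects only the string passed to it and never contacts the gatekeeper. The word-list paths and the use of grep against a system dictionary are assumptions.

```shell
#!/bin/sh
# Added example (not part of the HAO document): checks a candidate gatekeeper
# password against the guidelines above. Returns 0 if every checkable rule
# passes, 1 otherwise, printing the reason for each failure.

check_gate_password() {
    pw=$1
    ok=0
    # Rule: seven or eight characters long, or longer where possible
    if [ "${#pw}" -lt 7 ]; then
        echo "too short: ${#pw} characters (need at least 7)"
        ok=1
    fi
    # Rule: both upper and lower case letters
    case $pw in *[A-Z]*) ;; *) echo "no upper-case letter"; ok=1 ;; esac
    case $pw in *[a-z]*) ;; *) echo "no lower-case letter"; ok=1 ;; esac
    # Rule: digits and/or punctuation characters as well as letters
    case $pw in *[!A-Za-z]*) ;; *) echo "no digit or punctuation"; ok=1 ;; esac
    # Rule: not a word that can be looked up; checked case-insensitively
    # against a system word list when one exists (paths are an assumption)
    for dict in /usr/share/dict/words /usr/dict/words; do
        if [ -r "$dict" ] && grep -qixF -- "$pw" "$dict"; then
            echo "matches a word in $dict"
            ok=1
            break
        fi
    done
    return $ok
}
```

The "combination of words" rule cannot be checked mechanically here, so the function only rejects single dictionary words.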

You can use the EQ/C to change your password by following this example:

csh% telnet directory.ucar.edu

login: directory

Select "C) Change Gatekeeper Password," and when prompted provide your login, initial password, and new password. Or, you can follow this second example, substituting your login for that of "generic". (If you are connecting from an internal host, you may not be asked for the initial Username.) You must use ssh to connect to the gatekeeper even if you are on a protected host (inside the perimeter).

csh% ssh gate.ucar.edu

bgamblin@gate.ucar.edu's password:

UCAR SSH Proxy (? for help)> password

HTTP

The web proxy, which is named webcluster.ucar.edu, is the intermediary for HTTP transactions. Access to HAO's web server, namely www.hao.ucar.edu, must actually refer to a virtual interface on webcluster. This is transparent to outside access. When someone outside HAO requests a web page from www.hao.ucar.edu, DNS (the Domain Name System, which converts names into the network numbers that computers recognize) actually returns them the address of webcluster, which in turn makes the request to HAO's server for the actual data. From the inside, requests to web pages on outside servers can optionally be configured to go through webcluster, for security, and also for the performance gain of caching.

Electronic Mail

Security changes have also affected how electronic mail is managed in HAO. E-mail cannot be directly delivered into HAO, but must go through an intermediary, which is the computer cluster mscan.ucar.edu in this case. This is another example of a computer acting as a gatekeeper of sorts.

Relaying Mail through NCAR

Electronic mail into UCAR/NCAR should be addressed to the user's user@ucar.edu address. This will route the mail through mscan.ucar.edu.

Mail should not be addressed directly to the user@hao.ucar.edu or a particular computer in HAO such as user@flower.hao.ucar.edu. For backwards-compatibility, e-mail in these cases will be handled properly, but it is not guaranteed to work in the future.

Similar to the concern for remote login regarding usernames which are different at the UCAR/NCAR level from that in HAO, mail directed to user@ucar.edu must use the UCAR/NCAR-wide username.

Accessing Mail from HAO's Server

Again, due to the cleartext password ban, the use of POP to read mail from outside the perimeter is now blocked. At the time of this writing there are two options to use mail readers that use POP to read and/or send mail. One is the use of a dial-in account using the UCAR RAS dial-in server. The other option is to set up a Virtual Private Network, or VPN. Both of these are services offered by SCD which effectively make your computer outside the perimeter a protected host inside the perimeter. Once connected either to the RAS or a VPN, you can use applications such as Netscape or Eudora to access your HAO email. VPN clients are available for Windows (98/NT/2000), Solaris and Macintosh OS X (no clients are available for older versions of Mac OS). Further information on VPN can be found here:

http://www.ucar.edu/csac/vpn_versions.html

X Window System

Remote displays from the X Window System present a problem much like that of FTP to the outside. The complication occurs when one wants to run an X program on an outside system and display the output to your desktop system inside HAO. The X connection from the outside will be refused. You must now be able to connect to the remote host via ssh. The correct syntax of the ssh command is:

$ ssh -X -l <remoteusername> remotehost

Once connected to remotehost, you must NOT set the DISPLAY environment variable. If your shell startup file (e.g. ~/.cshrc) does reset the DISPLAY variable, you must correct it. ssh sets the DISPLAY variable to a special setting which tunnels your X commands through the ssh tunnel.
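As an added example that is not part of the original HAO document, the two shell functions below help verify the rule just described: one classifies a DISPLAY value as ssh-forwarded or as pointing at a real host (the kind of connection the perimeter refuses), the other scans a startup file for lines that would overwrite the DISPLAY ssh set. The display-number offset of 10 and the sample ~/.cshrc content (including the host name luke.hao.ucar.edu) are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not part of the HAO document). Checks for the X-over-ssh rule:
# classify a DISPLAY value, and find startup lines that reset DISPLAY.

# Returns 0 if DISPLAY looks like one ssh set up for forwarding (localhost:10.0,
# :11, 127.0.0.1:12.0 ...; assumption: ssh's usual display offset of 10),
# 1 if it names a real host, which the perimeter would refuse.
display_is_ssh_tunnel() {
    d=$1
    host=${d%%:*}          # text before the first colon
    num=${d#*:}            # display number, possibly followed by .screen
    num=${num%%.*}
    case $host in
        ''|localhost|127.0.0.1|unix) ;;
        *) return 1 ;;
    esac
    case $num in
        *[!0-9]*|'') return 1 ;;
    esac
    [ "$num" -ge 10 ]
}

# Prints each line of a startup file that assigns DISPLAY (csh setenv, or a
# sh/ksh assignment with optional export). Returns 0 if any exist, 1 if none.
startup_file_resets_display() {
    grep -nE '^[[:space:]]*(setenv[[:space:]]+DISPLAY|(export[[:space:]]+)?DISPLAY=)' "$1"
}

# Writes a constructed sample ~/.cshrc (not a real HAO file) to the given path
make_sample_cshrc() {
    cat > "$1" <<'EOF'
set path = ( /usr/local/bin $path )
setenv DISPLAY luke.hao.ucar.edu:0.0
alias ll ls -l
EOF
}
```

Run `startup_file_resets_display ~/.cshrc` on the remote host after logging in with ssh -X; any line it prints is one to remove or guard.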

If you are not able to use ssh to connect to remotehost, contact the system administrator of that remote host.

RealPlayer 8

Here is a recipe to access RealPlayer from your web browser inside HAO:

  • Go to View -> Preferences -> Transport.
  • Click on "Use specified transports".
  • Click on "RTSP Settings...".
  • Click on "Use TCP to Connect to Server".
  • Put a tick in "Attempt to use TCP for all content".
  • Make sure other boxes are not ticked.
  • Click OK.
  • Click on "PNA Settings..." and use the same settings as RTSP.