Date: Wed, 20 Jun 2001 14:54:20 -0400
From: burton rosenberg
X-Mailer: Mozilla 4.76 [en] (Windows NT 5.0; U)
X-Accept-Language: en
To: vjm@cs.miami.edu, irina@cs.miami.edu, burt@cs.miami.edu
Subject: Information Infrastructure White Paper 20 June 2001

Information Infrastructure White Paper
Burton Rosenberg
20 June, 2001

Abstract
---------

This White Paper gives an overview of where we are going with our information infrastructure. It includes some near-term conclusions regarding implementation. Specific policy is left for individual discussion.

Goals
------

The Department of Computer Science proposes to define and implement an experimental information infrastructure which will break down the traditional spatial barriers of learning. The Internet revolution brought computer scientists together in ways heretofore impossible. Now, the continued development of the web brings new challenges to integrity and privacy in cyberspace, and the rapid decline in the price of computing hardware has forced revisions of fundamental engineering parameters. We seek a solution, through the innovative use of software and teaching methods, which will:

(A) Bind together co-learners in an information safe-harbor, protecting the privacy of the interactions and the integrity of the mechanisms.

(B) Provide each member of the safe-harbor the sense of potency and responsibility that encourages group identification and self initiative.

(C) Make the safe-harbor available regardless of the participant's physical location.

(D) Develop activities and a knowledge base within the safe-harbor that fulfill its goal as a communal place of interchange, growth and learning.

We propose to apply Virtual Private Network (VPN) technology to create secure environments for our students, faculty and labs. A VPN secures a network by cryptologic methods to assure privacy and the identity of users. It allows the secured network to bridge over public, unsecured networks.
The student's computer, in his dorm room or at his off-campus home, can be joined to the VPN, and thence the student will have full access to the network section to which he is trusted. There will be multiple VPN's, each with a policy adapted to its use. For instance, a classroom VPN will endeavor to provide privacy between students, but less so from student to teacher, for the purposes of grading. A lab VPN, however, will allow almost unrestricted access to all participants. VPN's will be carefully bridged by software units so as to share resources, but only according to the policies in effect on each side of the bridge.

We hope to provide access through SmartCards rather than passwords. SmartCards provide stronger protection than possibly bad passwords, and the SmartCard could carry a complex wallet of permissions to the multiple VPN's that can be updated over the Internet.

Threat Analysis
----------------

There is the threat of attack from unknowns across the Internet. We have no offsetting gain when we raise the level of risk to this class of attack. The remedies here are to lower our exploit profile by limiting available services, to use strong and encrypted passwords to prevent access via eavesdropping and password cracking, and to compartmentalize the damage resulting from this level of attack.

There is the threat of attack from inside. Herein are two subclasses of threats: those for which abuse is not unlikely, and those for which abuse is highly unlikely, taken to be an impossibility.

Undergraduates pose the first sort of insider threat. They are knowledgeable users with excellent physical access to the machines and network. They are naturally curious and energetic, and are rapidly developing skills in both the technical and social domains. On the other hand, there is appreciable offsetting gain for the risks which we take in providing student access.
We believe that students will not have the proper richness of environment, and we will not pass on to them our expertise in programming, algorithms and systems, unless we take certain risks. Rather, we live with the realization that our students have a great deal of power that they should not abuse, and consider containment of damage in the event that abuse does occur. Good auditing is important so that the abuser can be located and his or her behavior corrected.

Faculty and secretaries pose the second sort of insider threat. These are properly grouped with recovery procedures from hardware failure, since both cause large and unpredictable damage where recovery is an absolute necessity whereas prevention is an expensive luxury.

Graduate students form an interesting case, since some interface closely with faculty while others are educationally similar to undergraduates. In this class we first feel the distinction between protection of system integrity versus protection of data privacy.

Technology Analysis
---------------------

The department makes use of a mix of Unix and Windows platforms. Students will work on Unix workstations but will likely have Windows PC's to use at home or in the dorm. Our solution must interoperate across these two platforms. We maintain a Windows infrastructure for certain reasons; however, it has not proved as reliable as Linux or FreeBSD, and it is hardly as adaptable. The major departmental servers run Linux and FreeBSD.

We support approximately 150 desktop computers and 6 servers. We currently run a mix of Ethernet technologies, including repeated segments of 10Base-2, switched 10Base-T, and local distribution of 10Base-T out of hubs attached to a 10Base-2 backbone. Remote access is provided either by the University-wide dial-up and LAT or by TCP/IP over the public Internet. We make extensive use of TCP/IP and also DEC LAT, MOP and NetBIOS support (Microsoft networking).
We have a single Cisco router which provides security by packet filtering. We own three class C address blocks, 129.171.34.0, 192.31.89.0 and 192.70.171.0, and are reachable from the university backbone at backbone addresses 129.171.32.5 and 129.171.32.9.

Our computing architecture has been affected by the increasing popularity and commercialization of the Internet, by the maturation of Microsoft on the desktop, by the arrival of Open Source Unix and its port to inexpensive Intel based computers, and by the need for expanded network bandwidth. The current response has been to centralize computing resources on a single server and to depend on packet filtering at our router for security services. This solution does not satisfy our expectations. It cannot provide the differentiated levels of trust needed to carry out effective teaching, and it does not provide the level of remote access consistent with home networks and broadband WAN connectivity.

I propose to segment our information resources into zones, where each zone maps to a related class of trusted users, and to interconnect those zones using dynamically constructed authenticated and encrypted channels.

A major tool to implement this structure is the Firewall. We have chosen a six-port Cisco PIX 515 router for this purpose. Loosely speaking, each port maps to a zone, and the PIX contains rule sets for the allowed conversations between zones. An equally important tool is the VLAN Switch. We have chosen an expandable collection of Cisco 2948G switches for this. A VLAN switch allows the zones to be distributed to client computers and servers while providing proper isolation. Each zone will map to a VLAN, and no data can pass between VLAN's without the intervention of the Firewall/router.

The Firewall/VLAN architecture makes trust decisions based on physical location. To expand access beyond the Firewall we will make use of VPN technology (Virtual Private Network).
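As an added illustration, not part of the white paper or the department's configuration, the following Python models the zone rule set described above: zones stand in for firewall ports/VLANs, the first matching rule decides, unmatched flows are denied, same-zone traffic bypasses the firewall, and every denial is recorded for the auditing the threat analysis calls for. Zone names and rules are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zone names are constructed for this example and stand in for the firewall
# ports / VLANs the paper proposes; they are not the department's real config.
ZONES = {"internet", "dorm", "classroom", "lab", "servers"}

@dataclass(frozen=True)
class Rule:
    src: str       # originating zone, or "*" for any
    dst: str       # destination zone, or "*" for any
    service: str   # application service, or "*" for any
    allow: bool

# Ordered rule set: the first matching rule decides, and a flow that matches
# nothing is denied (default deny, the posture the threat analysis calls for).
RULES: List[Rule] = [
    Rule("internet", "servers", "ssh", True),   # remote users enter only over SSH
    Rule("internet", "servers", "smtp", True),  # mail must still arrive
    Rule("internet", "*", "*", False),          # unknowns get nothing else
    Rule("dorm", "servers", "imap", True),
    Rule("dorm", "servers", "ssh", True),
    Rule("classroom", "servers", "ssh", True),
    Rule("lab", "servers", "*", True),          # lab zone: near-unrestricted
]

AUDIT: List[str] = []  # denied flows are logged so an abuser can be located

def matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    return (rule.src in (src, "*") and rule.dst in (dst, "*")
            and rule.service in (service, "*"))

def evaluate(src: str, dst: str, service: str,
             rules: List[Rule] = RULES) -> Tuple[bool, Optional[Rule]]:
    """Decide whether a flow from zone src to zone dst is permitted."""
    if src not in ZONES or dst not in ZONES:
        AUDIT.append(f"DENY unknown zone {src}->{dst} {service}")
        return False, None
    if src == dst:
        # Same VLAN: the switch delivers it and the firewall never sees it.
        return True, None
    for rule in rules:
        if matches(rule, src, dst, service):
            if not rule.allow:
                AUDIT.append(f"DENY {src}->{dst} {service} by rule")
            return rule.allow, rule
    AUDIT.append(f"DENY {src}->{dst} {service} by default")
    return False, None
```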
VPN's provide the following four services: encryption; authentication; identification; and authorization. The combination of these services reconstructs in software the advantages of physical location. Using VPN's, we cannot differentiate the services and trust relationships too finely.

Kerberos, a security technology originally from MIT, allows the studied mediation of all services between two clients over a single public medium. MIT deploys this campus wide. However, our goals are more modest, and we do not need as sophisticated a mechanism.

Current VPN technologies include: IPSec; PPTP; L2TP; SSH tunneling; and SSL (TLS). We will make use of SSH.

There is some platform dependency in PPTP and L2TP. The Linux kernel needs to be reconfigured to enable these VPN styles. IPSec is a better solution in terms of generality and platform independence, but it doesn't yet seem to work. SSH tunneling is ad hoc, but it has received widespread use, is flexible and easy to understand. It is platform independent and cheap. It is not as complete a solution as the others, but we continue to work on expanding its possibilities.

SSL is a variant of a VPN. It is widely used in e-commerce to establish a secure connection to a Web server while entering credit card information. It provides encryption and authentication. As deployed, it does not provide identification and authorization. Furthermore, SSL-enabling an application requires that the code be changed and recompiled.

Conclusions
------------

A basic framework for a new information infrastructure has been described and a general implementation direction chosen.
Specific policy will be made concerning each of the following network services: SMTP (email); IMAP; POP; anonymous FTP; FTP; NNTP (news); DNS; Telnet/Ssh; X11; HTTP (web), including Java and server-side technologies such as cgi-bin and Javascript; backup and recovery; NFS; SMB and other NetBIOS services (Microsoft); Windows Domain architecture; ping, traceroute and other ICMP; network sniffing and analysis; auditing and logging; tripwires.