The Dons present… OPLIN’s Security Audit
Don Nuss & Don Yarman
OLC Annual Conference
Friday, October 7, 2005
Gates Staying Connected Grants
Discussions with advisors, regionals
Selection of Infiniti Systems Group, Inc.
ISS Internet Scanner
eEye Retina Network Security Scanner
A full assessment of the state of the routers, web servers, mail servers and proxies on the network that are under our control.
A list of all libraries they can penetrate past the border router.
A full assessment and testing of the routers, web servers, mail servers and proxies (possibly ALL devices) of 25 libraries.
A clear statement of the minimum requirements OPLIN should demand of every building connected to the network.
Recommended steps libraries should take over and above the minimum.
Recommended products and services the OPLIN Support Center should supply routinely.
A list of recommended monitoring tools and knowledge transfer to OPLIN Staff so that they can carry on with security monitoring.
1. A full assessment of the state of the routers, web servers, mail servers and proxies on the network that are under our control.
“Overall, we found OPLIN’s Core network to be very secure from both internal and external attacks and compromise.
“While we were able to discover core routers, name servers, mail, www, and the OPLIN backup server, because of OPLIN’s superior network architecture, we were unable to discover any information about the Core devices which would have enabled us to compromise the network.”
2. A list of all libraries they can penetrate past the border router.
ACLs and other security measures applied to the OPLIN core and site routers prevented Infiniti from actively peering into the libraries.
3. A full assessment and testing of the routers, web servers, mail servers and proxies (possibly ALL devices) of 25 libraries. OPLIN will choose the sample.
Stark County District Library
Clermont County District Library
Euclid Public Library
Newark Public Library System
Lima Public Library
PL of Mt. Vernon and Knox County
Portsmouth Public Library
Chillicothe & Ross County Public Library
Wood County District Public Library
Rodman Public Library
Pickerington Public Library
Salem Public Library
Kinsman Free Public Library
Defiance Public Library
Auglaize County Public District Library
Puskarich Public Library
Paulding County Carnegie Library
Huron Public Library
Carnegie Public Library (East Liverpool)
Harbor-Topky Memorial Library
Bucyrus Public Library
Community Public Library (St Marys)
Pemberville Public Library
Herrick Memorial Public Library
New Straitsville Public Library
88% had a firewall of some sort.
29% were using an ISA firewall.
4% had separated public and staff data.
83% had an up-to-date antivirus solution.
25% were up to date on patches.
50% were using wireless.
42% had secured the connection.
13% had a non-OPLIN connection.
33% had outsourced their network support.
50% utilized consortium support.
Far Above Average – 8%
Above Average – 25%
Average – 50%
Below Average – 13%
Far Below Average – 4%
4. A clear statement of the minimum requirements OPLIN should demand of every building connected to the network.
OPLIN worked with Infiniti to create proposed policies. The draft policy specified that every library must have:
A dedicated firewall device
A commercial-grade antivirus solution
An approved technology plan
Instead, “OPLIN Community Good Neighbor Policy”
This policy, created in 2002, specifies OPLIN procedures in the event that malicious, objectionable, or illegal activity is detected originating from our network.
Open mail relays which permit spam
Insecure hosts exploited by a hacker
Third party denial of service attacks
5. Recommended steps libraries should take over and above the minimum. (Staff can figure out what incentives we might supply)
Operating system updates
Data security & integrity
Caution with remote management
Every site must have a firewall, ideally a dedicated appliance. 12% of libraries studied had no network firewall at all. OPLIN is investigating managed-firewall services that we can offer to assist libraries with this urgent need.
Every institution must have an active antivirus program protecting every workstation. OPLIN has pursued discounts with a variety of vendors; more information is available at http://www.oplin.org/security.
Operating system updates
We are sensitive to the obstacles of installing critical patches to every workstation and server in a library. But software vulnerabilities, particularly within Microsoft Windows, are easily and commonly exploited, and they pose a greater threat than computer viruses.
Data security and integrity
Give serious thought to protecting network communications and stored data. Infiniti recommends segmenting the network traffic for library staff from that of the public into different subnets, a service OPLIN is able to implement.
Communication between buildings could be encrypted or protected (perhaps by using a secure program like “PuTTY” instead of open telnet).
Wireless networks used by staff should be encrypted to protect the data.
Good data backups are vital.
Caution with remote management
Many administrators find tools such as Microsoft Terminal Services or PC Anywhere to be indispensable, but they should be used with caution, and libraries should be mindful that they may provide unauthorized access into their systems.
It is difficult to weigh the principles of security against the freedom and openness that libraries foster. We encourage libraries to give careful consideration to their local computer usage policies, particularly in regard to patron storage media (floppies, USB drives) and wireless access points. Actual policies are up to the individual library to set, but it is important that every library regularly devote attention to balancing patron convenience with library network security.
6. Recommended products and services the OPLIN Support Center should supply routinely.
OPLIN is working with Infiniti as well as the Network and Library Application Advisory Committees to develop services that we will present to you for approval later next spring.
Services will address…
Ongoing security monitoring of the OPLIN core.
Voluntary security audits for libraries.
Providing firewall service options for libraries.
Providing ongoing security awareness for the library community.
7. A list of recommended monitoring tools and knowledge transfer to OPLIN Staff so that they can carry on with security monitoring.
OPLIN has obtained the tools utilized by Infiniti during the audit.
eEye Retina Scanner
Internet Security Systems Scanner
We are developing an Audit Service that we hope to make available next spring.
For problems: OPLIN Support Center ( [email_address] ) 888.966.7546 (888.96.OPLIN)
For questions: Don Yarman ( [email_address] ) Don Nuss ( [email_address] )
This presentation is available online at www.oplin.org/presentations/secaudit.ppt