Towards Less Insecure Administrative Networks

John Sellens
Data Processing
Information Systems and Technology
University of Waterloo

May 28, 1996


UW shield

``Official'' Abstract

With the imminent deployment of a major UNIX-based database server, and the replacement of our legacy financial systems, we are implementing a number of security and reliability measures. These include a high-availability database server, a major offsite backup system and offsite mirroring of data, a firewall system, SecurID one-time-password tokens for sensitive areas, tightly controlled access to our primary servers, and a review of our use of campus software support. This presentation will outline what we're doing and have done, why, and the good and bad things that we have discovered.

Where Did We Start?

Motivation for Change

Presentation Overview

Offsite Disks and Backups

Access Control and Physical Security

One Time Passwords

User Control on Production Systems

Limiting Access to Network Services

Network Layout, Reconfiguration, and Planning

Original Network Layout

Transitional Network Layout

Final Network Layout

Trusting Central Support

What Problems Are We Ignoring/Accepting?

Where Are We Failing?

Where Are We Succeeding?

Summary and Availability
Tue May 28 15:57:35 EDT 1996