TPR3: Web Security and Service: Finding a new Balance

About This Presentation

Title:

TPR3: Web Security and Service: Finding a new Balance

Description:

We Publish - UR has over 2.5 million pages on over 140 servers ... Cracked 20% of user passwords. Npassword. Expired all passwords ... – PowerPoint PPT presentation

Number of Views:51

Avg rating:3.0/5.0

Slides: 25

Provided by: daleg4

Category:

more less

Transcript and Presenter's Notes

Title: TPR3: Web Security and Service: Finding a new Balance

1
TPR3 Web Security and Service Finding a new
Balance

University of Rochester
Web Services
Dale B.Grady
University Web Technical Coordinator

2
Why do we do it?

Universities are all about information
We Publish - UR has over 2.5 million pages on
over 140 servers
The central sever publishes 1.2 million pages per
week.
650 publishers on the central server alone
We serve our customers figuratively literally

3
The way it was 5-10 years ago

If you went down - nobody noticed
No critical systems were Webified
The President thought Web Pest control
Few professors were using it
Potential realized by few

4
Today

Phone rings before the crash finishes
Everybody notices immediately
The president
People in China
Critical systems depend on Web access
Payroll
Student records
We have become mission critical to the university
We must be online ALL the time
Downtime costs money and productivity

5
Two Forces

The barbarians
Our technology

6
Barbarians at the Gates

Constant attempts
Log files are full of them
They try everything
Internal checks
Power of hackers equipment
Hacker software freely available

7
Conclusions Challenges

We have to stay ahead of them
Deprive them of favorite tools
Strengthen the barriers
Watch more closely
Increase the service provided
Not make it too hard for publishers
Not make too expensive
Must remain near the cutting edge
Old equipment breaks
Old software become incompatible

8
Bottom Line

Security vs. Service

9
Common Server Configuration
10
Possible Horrors
One Server One of everything No
redundancy Everything is a single point of failure
11
Next steps Development/Production Model
12
Even Better
13
Development

Sometimes called Test
Full dataroot
Duplicate of production
Full compliment of cgi etc
Configured the same as Prod
SFTP NOT FTP
SSH NOT Telnet
Shell accounts
Out of sight to the world

14
Production

Full dataroot
Duplicate of development
Full compliment of cgi etc
Configured the same as Dev
Staff only SFTP NOT FTP
Staff only SSH NOT Telnet
Staff only Shell accounts
Firewalled etc.
Visible to the world

15
What we did not change

Use of Dreamweaver
Use of FTP (for while)
FTP address
Production server addresses
How you make pages and sites

16
What did change

Development server Web addresses a whole new
domain wdev
http//www.wdev.rochester.edu
http//www.sa.wdev.rochester.edu
Deploy to production
The ONLY way to change the production server.
This is a deliberate security feature.

17
Deploy
Deploy is a utility much like FTP that puts you
in complete control of moving your new pages into
the public view.

Only path to production sites
Moves one file or many
Moves whole directories
Delete files from production
Developed in house

18
Deploy -cont.

SSL
SFTP
Looks like typical FTP interface
Auth-password
Locked to dataroot
Rights determined on Dev.

19
Benefits

Increased Security
Private Sand Box development
Exactly like production
Out of site to public
Protects production server
Simplifies new development

20
Points of confusion

What server are you looking at?
Literal links vs relative links
Symbolic link chains
Incorrect paths in preferences produce unexpected
results
A path with a symbolic link rather than the
actual address - Know your real path.
Addresses for different functions

21
Weak Passwords