The Dons present… OPLIN’s Security Audit

Don Nuss & Don Yarman

OLC Annual Conference

Friday, October 7, 2005

Background

Gates Staying Connected Grants

Discussions with advisors, regionals

RFQ

Selection of Infiniti Systems Group, Inc.

ISS Internet Scanner

eEye Retina Network Security Scanner

AirDefense Enterprise

Vision Statement

1. A full assessment of the state of the routers, web servers, mail servers and proxies on the network that are under our control.

2. A list of all libraries they can penetrate past the border router.

3. A full assessment and testing of the routers, web servers, mail servers and proxies (possibly ALL devices) of 25 libraries.

4. A clear statement of the minimum requirements OPLIN should demand of every building connected to the network.

5. Recommended steps libraries should take over and above the minimum.

6. Recommended products and services the OPLIN Support Center should supply routinely.

7. A list of recommended monitoring tools and knowledge transfer to OPLIN Staff so that they can carry on with security monitoring.

1. A full assessment of the state of the routers, web servers, mail servers and proxies on the network that are under our control

“Overall, we found OPLIN’s Core network to be very secure from both internal and external attacks and compromise.

“While we were able to discover core routers, name servers, mail, www, and the OPLIN backup server, because of OPLIN’s superior network architecture, we were unable to discover any information about the Core devices which would have enabled us to compromise the network.”

2. A list of all libraries they can penetrate past the border router.

ACLs and other security measures applied to the OPLIN core and site routers prevented Infiniti from actively peering into the libraries.

3. A full assessment and testing of the routers, web servers, mail servers and proxies (possibly ALL devices) of 25 libraries. OPLIN will choose the sample.

Stark County District Library

Clermont County District Library

Euclid Public Library

Newark Public Library System

Lima Public Library

PL of Mt. Vernon and Knox County

Portsmouth Public Library

Chillicothe & Ross County Public Library

Wood County District Public Library

Rodman Public Library

Pickerington Public Library

Salem Public Library

Kinsman Free Public Library

Defiance Public Library

Auglaize County Public District Library

Puskarich Public Library

Paulding County Carnegie Library

Huron Public Library

Carnegie Public Library (East Liverpool)

Harbor-Topky Memorial Library

Bucyrus Public Library

Community Public Library (St Marys)

Pemberville Public Library

Herrick Memorial Public Library

New Straitsville Public Library

Statistics

88% had a firewall of some sort.

29% were using an ISA firewall.

4% had separated public and staff data.

83% had an up-to-date antivirus solution.

25% were up to date on patches.

Statistics

50% were using wireless.

42% had secured the connection.

13% had a non-OPLIN connection

33% had outsourced their network support

50% utilized consortium support

Ratings

Far Above Average – 8%

Above Average – 25%

Average – 50%

Below Average – 13%

Far Below Average – 4%

4. A clear statement of the minimum requirements OPLIN should demand of every building connected to the network.

OPLIN worked with Infiniti to create proposed policies. The draft policy specified that every library must have:

1. A dedicated firewall device

2. A commercial-grade antivirus solution

3. An approved technology plan

Instead, “OPLIN Community Good Neighbor Policy”

This policy, created in 2002, specifies OPLIN procedures in the event that malicious, objectionable, or illegal activity is detected originating from our network.

Open mail relays which permit spam

Insecure hosts exploited by a hacker

Third party denial of service attacks

5. Recommended steps libraries should take over and above the minimum. (Staff can figure out what incentives we might supply)

Firewalls

Antivirus

Operating system updates

Data security & integrity

Caution with remote management

Firewalls

Every site must have a firewall, ideally a dedicated appliance. 12% of libraries studied had no network firewall at all. OPLIN is investigating managed-firewall services that we can offer to assist libraries with this urgent need.

Antivirus

Every institution must have an active antivirus program protecting every workstation. OPLIN has pursued discounts with a variety of vendors; more information is available at http://www.oplin.org/security.

Operating system updates

We are sensitive to the obstacles of installing critical patches to every workstation and server in a library. But software vulnerabilities, particularly within Microsoft Windows, are easily and commonly exploited, and they pose a greater threat than computer viruses.

Data security and integrity

Give serious thought to protecting network communications and stored data. Infiniti recommends segmenting the network traffic for library staff from that of the public into different subnets, a service OPLIN is able to implement.

Communication between buildings could be encrypted or protected (perhaps by using a secure program like “Putty” instead of open telnet)

Wireless networks used by staff should be encrypted to protect the data

Good data backups are vital

Caution with remote management

Many administrators find tools such as Microsoft Terminal Services or PC Anywhere to be indispensable, but they should be used with caution, and libraries should be mindful that they may provide unauthorized access into their systems.

Bottom line…

It is difficult to weigh the principles of security against the freedom and openness that libraries foster. We encourage libraries to give careful consideration to their local computer usage policies, particularly in regard to patron storage media (floppies, USB drives) and wireless access points. Actual policies are up to the individual library to set, but it is important that every library regularly devote attention to balancing patron convenience with library network security.

6. Recommended products and services the OPLIN Support Center should supply routinely.

OPLIN is working with Infiniti as well as the Network and Library Application Advisory Committees to develop services that we will present to you for approval later next spring.

Services will address…

1. Ongoing security monitoring of the OPLIN core.

2. Voluntary security audits for libraries.

3. Providing firewall service options for libraries.

4. Providing ongoing security awareness for the library community.

7. A list of recommended monitoring tools and knowledge transfer to OPLIN Staff so that they can carry on with security monitoring.

OPLIN has obtained the tools utilized by Infiniti during the audit.

1. eEye Retina Scanner

2. Internet Security Systems Scanner

We are developing an Audit Service that we hope to make available next spring.

Questions?

For problems: OPLIN Support Center ([email protected]), 888.966.7546 (888.96.OPLIN)

For questions: Don Yarman ([email protected]), Don Nuss ([email protected])

This presentation is available online at www.oplin.org/presentations/secaudit.ppt