Although basic user authentication does not ensure that the userid involved was owned by the person who caused the incident, it gives us a place to start. With un-authenticated network access, we have no idea of who might have been involved in an incident. A successful user authentication system depends on the existence of unique IDs for every user and a method for generating, maintaining, and transmitting passwords in a secure fashion.

An essential component in network security is the network server logs. By keeping log files of user authentication, network traffic, dial-up sessions, etc. we can build an audit trail for investigating incidents. In order to be useful, these logs should be maintained for a substantial period of time (e.g., for as long as two or more years) and be readily available to the Network Security Organization.

Our networks house a multitude of servers and routers, all of which generate some form of log file. Although some of these logs are maintained in a central location, many are kept by disparate departments spread across the state of Pennsylvania. Assembling all of the logs involved in an incident can take a lot of time and effort.

This organizational stumbling block is exacerbated by the lag time inherent in wide ranging security incidents. It is not uncommon for another institution to contact us concerning an incident many months in the past. As noted above, in order to be useful, the logs may well need to be maintained for 2 years or more. Exact duration and format of log storage is a decision that each institution needs to define when crafting its security strategy. Busy servers can generate monthly log files in the tens of megabytes. Multiplied by, for example, 24 months and a few hundred servers, storage nightmares can result without effective planning.

PSU manages information technology in over 24 separate locations across the state of Pennsylvania. These sites are tied into a WAN through T1 lines and SMDS circuits. Although this WAN is in the process of being redesigned , the current infrastructure relies on multiple 'star' configurations and there is no backup or redundant network capacity in many locations. (Redundant links to all locations are planned and will, hopefully, be in place by the end of the current academic year) However, prior to completion of the upgrades, when we experience network outages, (which is relatively rare), a campus may be cut off from the network for a considerable length of time, depending on the specific cause of the failure and the vendor responsible for remedying the fault.

Within this WAN environment, we operate a large number of LANs utilizing Novell, Banyan-Vines, Token Ring, NT, Appletalk, DECNet, and various types of UNIX. The hosts in these LANs provide a wide variety of services including departmental file servers, application servers, HTTP. FTP. NOTES, Gopher, POP, etc. Various protocols are broadcast over the infrastructure, but TCP/IP is by far the most heavily used. Only TCP/IP and Appletalk are actually natively routed. The remainder that are proprietary/NOS specific operate within the local LAN environment, though some may be tunneled over TCP/IP.

The University is organized into various administrative groups and academic Colleges. The central Computer & Information Systems (C&IS) group manages the overall infrastructure, administrative and academic computing systems, central email servers, etc. The various colleges and other administrative groups are at liberty to design, implement, and manage their own LANs, servers, and end user equipment. This creates a dynamic computing environment with occasional incompatibilities and overlaps

Our user population is becoming increasingly computer literate. Surveys conducted within the Commonwealth College (a 12 campus college) show that the number of entering Freshmen with significant computer experience has more than doubled (22% to 48%) from Fall 1995 to Fall 1997. With this rise in familiarity we have seen a concomitant rise in computer and network use in the student population. Unfortunately, the rate of security incidents has risen at the same time. As more of our students come to the University with greater facility with information technology, there will be a steady increase in the reliance on sophisticated network services and a commensurable need for strong network security.

PSU has adopted Kerberos as its primary user authentication architecture. The Kerberos server provides a one-way encrypted password and userid repository. This Kerberos server(s) are maintained centrally, and are not replicated at other campuses. The student computer labs and various other systems at PSU's central campus (to include some College-supported labs) use the Kerberos system to authenticate users prior to enabling regular operation of the computer. In order to implement this system, the central campus labs have been standardized on NT Workstation and the Mac OS. Windows 95 and other environments are not supported without modification, though the code will be made available to Colleges or campuses desiring to implement the necessary changes for their environments. Those campuses for which redundancy and/or operating system environment issues are resolved can adopt the central campus lab authentication solution, and, as noted, some are in the process of migrating to this methodology.

Although the Kerberos system provides excellent user authentication, the PSU WAN makes use of a centralized Kerberos system problematic in a number of locations until network redundancy is fully implemented. If a computer is tied to Kerberos in such a way that the computer will not operate without a successful Kerberos authentication, then a network outage will render the computer inoperable. Although we experience exemplary uptimes on the PSU WAN, we do experience times when the network to a particular campus or group of campuses is down. If we tied these campuses to the centralized Kerberos system for user authentication at the present time, computing resources would be unavailable until the WAN was re-established. Our objective then is to build a user authentication system in the near-term that will work in a distributed environment without reliance on a WAN. The solution must be cost-effective and supportable. It must also facilitate transition to a centrally supported architecture when that becomes practical. Thus, a design goal is compatibility with the central authentication and authorization vision/architecture while still supplying authentication to ALL campuses expeditiously.

We did not want to form a single NT domain spread across the entire state for a variety of reasons. Instead, we constructed a central NT server housing encrypted files with campus user authentication data.

The PSU Accounts office generates a single file that includes a list of all registered PSU students, their userid, and a novel, generated password. This password is semi-random and is not intended to be retained. The file is generated on a mainframe system.

This file is encrypted using PGP and FTP'd to the central NT server. The file is subsequently decrypted and read into an Access database system. Once in Access, the data is split into multiple files, one for each campus. These database files are then encrypted with the PGP Key of the appropriate campus technologist and placed in an area of the server reserved for access by the campus technologists.

The local campus technologist connects to the central NT server via direct login, trust relationship, or FTP and copies the file for his or her campus to their local NT server. The campus file is then decrypted and output as a text file in the appropriate format for use with the NT Resource Kit utility ADUSERS.EXE.

Running ADDUSERS.EXE against the text file of user authentication data integrates the data into the Security Administration Management (SAM) database of the local NT domain. It is also possible to automatically join these new student IDs to all appropriate Global and Local groups in the NT domain.

In the student labs all of the Windows desktop systems are configured to force a domain login under NT. If the user does not successfully log into the domain they receive a blank desktop with no functions or are returned to the domain login screen. This effect has been achieved on both NT Workstation systems and Windows 95 machines. We do not currently support legacy systems running earlier versions of Windows.

Weekly updates of the user authentication data with students dropped or added are produced, encrypted, and distributed in a similar fashion. These updates are provided for the first month of each semester.

We cannot control the software configuration on laptop computers owned by students, faculty, or staff. The NT Domain login used in the previous system depends on total control of the OS configuration on the client machine. In order to force user authentication on "un-controlled" machines prior to enabling network access, we integrate an IP Filtering firewall into the LAN design.

The firewall system relies on four components: a KarlBridge IP filtering bridge, a DHCP server, a specially programmed Web server, and the centralized Kerberos authentication system. When a user activates a laptop, Macintosh, or other, uncontrolled system, their system polls the network for a DHCP server. The DHCP server connects with the computer and assigns an IP to the local system. The IP's assigned by the DHCP server are from a restricted pool.

[The KarlBridge is a product of KarlNet of Ohio. They are available on the web at http://www.karlnet.com]

The IP assigned to the computer is restricted from general network access by the KarlBridge. The one IP destination allowed by the firewall is the authentication Web server. As a result, when a mobile user attaches to the network, the only network function they can access is a Web session with the authentication server.

The authentication web server presents a single page to the user. This page requests a userid and password. When this data is submitted by the user, the web server transmits the data to the Kerberos system. In order to safeguard the transmission of this data across the network, the web server operates under Secure Sockets Layer (SSL).

If the Kerberos system verifies the user authentication data, the Web server reprograms the KarlBridge firewall to allow the user to have full access to the network. If the user authentication is unsuccessful, the firewall restriction remains in place.

[The authentication web server is a secure Netscape server running on NT. The software handling the interaction with Kerberos and the multiple KarlBridge's was developed by Chris Sacksteder at PSU's Center for Academic Computing.]

With the above systems in place we next need to implement a system for managing the plethora of log files we generate. The KarlBridge system generates logs for each firewall and for the web server. These logs are maintained by PSU's Center for Academic Computing within their centralized facilities. The logs for the various NT servers at the campuses are another matter.

In order to provide a central library of server logs and to minimize the storage burden on the individual campuses, we constructed a file transfer and storage system which mirrors the authentication data distribution system.

Every month, participating campuses transfer copies of their log files to the central NT server. These files are then collected into a directory hierarchy and written out to CD. The CD's are kept secure and only made available to the appropriate network security staff. Although CD's are less than ideal, they provide a cheap, high volume storage medium.

As with the NT system, the labor involved in collecting the log files is considerable. Otherwise, the system works very well.