
Computer and Network Security Guideline

Date: November 30, 2001
To: Faculty Members and Research Directors
From: Yau-Man Chan, Director - Information Systems
  Clayton Heathcock - Dean
Re: Computer Attacks and Network Security

The current state of hacker and virus attacks poses very serious threats to all computers attached to the Internet. Over the last few weeks, the Computing and Network group has spent an enormous amount of time and resources assisting various research groups in recovering from hacker and virus attacks. Many research groups in the College have already suffered a great deal of down time and expense due to compromised machines. For the near future, the outlook is grim: there does not appear to be any let-up in these kinds of hacker and virus attacks via the Internet. If we do not institute significant changes soon, the number of incidents and the severity of attacks will escalate rapidly.

Because graduate students in the College have, or should have, academic and research pursuits as their top priority rather than acting as a conscientious (read "paranoid") system administrator, they are unlikely to be sufficiently prompt and consistent in their maintenance of Unix/Linux and Windows NT systems. No system can ever be completely secure, so the best strategy is to minimize risk. The first step is to remove the most obvious security threats whenever alternatives can be found. This includes removing FTP, Sendmail, web servers and telnet and, most importantly, avoiding any peer-to-peer disk sharing among computers. Some of these, such as FTP and peer-to-peer disk sharing, are inherently unsafe. Others, such as Sendmail and Microsoft's IIS web server, are very risky, with security flaws found very frequently. Whenever security "holes" are found they need to be patched immediately, or the machine can be expected to be compromised. The current situation seems to be shifting towards massive onslaughts as soon as any vulnerability is revealed. A very telling incident was witnessed with one of our servers a few weeks ago: within 30 minutes of IIS (web server) services being turned on (inadvertently), the Code Red virus successfully invaded the system and was launching attacks from that machine.

To assist us in "defending" our network more effectively and to help us use our existing resources more efficiently, we request the following changes be made to all Unix/Linux and Windows NT/Win2K systems operating in the College of Chemistry network:

  1. Do not run Sendmail on any variant of Unix/Linux or on any Windows platform. You should be using UCLINK for mail services instead. Visitors and new employees who do not yet have an employee ID can get a temporary email account from us.

  2. Do not run Microsoft IIS (web server) on any Windows platform. If you must host a web site on a Windows-based machine, use Apache instead. The Apache web server may be downloaded for free from http://httpd.apache.org/

  3. Do not run Microsoft Outlook (or Outlook Express) mail reader on any Windows platform. Use Eudora. The full-featured commercial version is licensed for the Berkeley campus and may be downloaded free of charge from http://depot.Berkeley.edu.

  4. Do not run an FTP service on any variant of Unix/Linux or on any Windows platform. Use SCP instead.

  5. Do not run a Telnet service on any variant of Unix/Linux or on any Windows platform. Use SSH. SSH for Unix/Linux and Macintosh is available free from http://unix.cchem.berkeley.edu and for PC Windows from http://windows.berkeley.edu/software/security/SSH/ssh.html

  6. Do not set up a peer-to-peer network to "cross share" hard disks among multiple computers in your research group. If you must share files, set up a single server file-sharing system and put extraordinary effort into securing the file server. The College Computing Service can help you with this. You can also buy space on our College servers for your group.

  7. Finally, we ask that you label ALL your Unix/Linux and NT/Win2K computers with the following information so that you may be contacted immediately when we determine that the computer has been compromised:

    a. Name and off-hours telephone number of the System Administrator for the computer.
    b. Name and off-hours telephone number of an alternate sysadmin for the computer.
    c. Make sure the information on the label is current and that the label is visible in a prominent location on the front of the computer or monitor.

Effective immediately, we will institute the following policy for any machine attached to the CCHEM network that has been reported to us as compromised:

  1. The machine will be immediately disconnected from the network.

  2. We will work with the sysadmin of that machine to evaluate the severity of the damage and to secure logs and status files for forensic and diagnostic purposes. We will assist the research group with cleanup and reinstallation of the operating system. The group will be charged for the work.

  3. Machines shut down or detached from the network will not be allowed back on until we can be assured that the operating system is free of worms and viruses. This may entail reformatting the system disk and reinstalling the operating system from secure media with all the latest security patches applied. The network security group of the College of Chemistry Information Services Unit will have the final say on whether a rebuilt system will be allowed back on the CCHEM network. Under no circumstances will a compromised system be allowed back on the network without being inspected and scrutinized for "cleanliness."

We understand that the actions we are taking to secure our network may be disruptive to your research program. We must do everything we can to protect our network. Any infected machine running in our network will infect computers in other parts of campus and the rest of the Internet community. If we do not respond to reports of viruses or worms being propagated by computers in our network, or if we are not prompt in shutting down "Denial of Service" or other network-disabling attacks originating from our network, system operators in other commercial and research networks can and will block ALL traffic from the berkeley.edu domain, thus isolating the Berkeley campus network and rendering all computers on it useless.

I hope you understand our need to take such drastic actions. If you have any questions concerning this new policy, I will be available to discuss them with you: yauman@cchem.berkeley.edu, 3-1034.

Thank you.