SLAC Computer Security
Cyber Security Awareness Month
These tips are part of a month long effort to distribute useful computer security information to the SLAC community.
- Day 9 - Access Controls, including Wireless, VPN, and Physical Access
Wireless
Turn off bluetooth when you are not using it.
If you are using a wired connection then disable the wireless connection.
When setting up your wireless network at home use WPA2 if at all possible.
When traveling, be aware that people set up wireless networks in airports and hotels and wait for unsuspecting wireless users to connect to them. They will listen to all your traffic and steal whatever they can from your session.
Clear out the unprotected, insecure network names from your wireless network list. You don't want to accidentally connect to them.
VPN = Virtual Private Network
SLAC supports VPN connections, and this is a way for you to connect to the SLAC network from home or while you are on the road. It changes your computer's network configuration so it has an IP address as if you were sitting at your desk in your SLAC office. It also means you've opened a direct path between the SLAC network and the networks your remote computer is a part of. If you are running any file sharing software (eDonkey, Kazaa, Gnutella, BitTorrent, etc.) while you are also VPN'd into SLAC, then you are exposing SLAC's network to the insecure, unsafe, illegal(?) peer-to-peer file sharing network. In other words, don't do anything during your VPN session that you wouldn't do while sitting at your desk computer at SLAC.
Physical Access
Here is a story from SANS of an attempt at making a computer server room secure. Unfortunately, it wasn't well thought out...
"At my previous place of employment we had several small machine rooms dotted around the building. You needed to get a key stored at the security station to enter any of them, and there was a list of approved personnel who could check out a key. When I needed to reboot a downed server I asked to borrow the key, but as my name was not on the list, security needed an email from someone who was. Their names revealed by the security guard, I promptly went to the authorized person's PC, fired off an email in their absence and trotted back down to the security station. The key was handed over, the server rebooted and all was well.
This place had better security than many other places I've worked, but some simple social engineering meant I could get hold of the key and gain physical access to the server. The security system was sound in principle, but let down by the simple means by which access could be delegated with a single email. I could have simply forged an email if the person's PC had been locked and most likely achieved the same result."
Owner: SLAC Computer Security