Changes

Leigh Stoller · ce914a66
--- a/Security-Policies.md
+++ b/Security-Policies.md
+Here is a brief rundown of some important security issues you should be
+aware of.
+
+### Login IDs
+
+We require all Emulab users to provide current, non-pseudonymic login
+IDs. **Shared accounts are strictly forbidden! Each user should apply
+separately and specify their standard login name**.
+
+### Cookies
+
+To enhance operation and security, we make use of _Cookies_ that holds
+your login name. Therefore, you will need to enable cookies on your
+browser. Please contact us if you have questions about how to do that in
+your browser.
+
+### SSL
+
+To protect data you submit, SSL is used to encrypt data as it is
+transferred across the Internet. Therefore, you will need to access these
+pages with a browser that supports SSL.
+
+When you first visit Emulab, you might be asked if you want to accept the
+_server certificate_. Be sure to accept it!
+
+### SSH
+
+We require all users to use Secure Shell (SSH) to log into Emulab
+nodes. Experience has taught us a few things about managing keys which we
+will pass on to you at no extra charge:
+
+  * You should **not** store your Emulab public key (.ssh/identity.pub) in
+    your authorized_keys file on remote sites. This prevents easy logins
+    from Emulab to your remote sites in case your Emulab account is ever
+    compromised (since the Emulab generated private key is not protected by
+    a passphrase). 
+  * You should **not** mess with the Emulab generated key in your .ssh
+    directory (.ssh/identity). This is an unencrypted key (see above) that
+    is used by Emulab when setting up experiments. You should not delete
+    the public part of the key from the web interface either. Failure to
+    heed this warning will result in experiments not setting up properly! 
+  * We recommend that you use ssh's RSA authentication to login to Emulab
+    so that you do not have to type your password. The less often you type
+    your password the better! You do this by uploading your own public keys
+    to Emulab. 
+  * When you create your private keys (ssh-keygen), pick a good passphrase!
+    They can be (much) longer than Unix passwords; 10 to 30 character
+    phrases are good. 
+  * You should **not** copy ssh identity files (private keys) from other
+    places to Emulab (or any other off-site machine, for that
+    matter). Private keys should always be well protected! 
+
+### Email Addresses
+
+We require all Emulab users to provide current, non-pseudonymic email
+addresses. Redirections and anonymous email addresses are not allowed. We
+do not sell or give your email addresses away!
+
+### Passwords
+
+We employ a password checking library to prevent users from choosing
+passwords that could be guessed by the "Crack" library. A few basic rules
+are that standard English dictionary words are not permitted, as well as
+anything deemed too short or easily guessable. Also, you should take care
+not to use the same password on Emulab that you use at other sites. 
+
+### Firewalling
+
+Emulab blocks incoming connections to nodes on all of the _low numbered_
+ports (ports below 1024), with the exception of ports 20 and 21 (FTP), 22
+(Secure Shell), and 80 (HTTP). This is for the protection of experimenters,
+as well help prevent an errant application from becoming the source of a
+Denial of Service attack to sites outside of Emulab. If your application
+requires external access to other low numbered ports, please contact us to
+make special arrangements.
+
+Emulab also prevents machines from using IP and MAC addresses other than
+their own on the control net. The control net router blocks all traffic not
+originating from the proper subnet, both to prevent IP spoofing and to
+prevent experimental traffic from accidentally making it to the 'real
+world' (say, through routing misconfiguration.) These restrictions are not
+present on the experimental net.
+
+### Ports used by Emulab
+
+If you wish to do firewalling of your own on your nodes, you should be
+aware that there are several ports used by Emulab that you'll need to keep
+open if you want your nodes to be able to function as "normal" Emulab
+nodes.
+
+In the table below, a direction of 'out' means that your node needs to be
+able to make outgoing TCP connections to a port, 'in' means that it needs
+to accept incoming connections on a port, and 'both' indicates UDP ports on
+which you must be able to send out packets and receive the replies.
+
+| Host | Port   | Protocol | Direction | Reason |
+| ---- | ------ | -------- | --------- | ------ |
+| boss | 22     | TCP      |  in       | ssh in from boss to reboot nodes |
+| boss | 53     | UDP      |  both     | DNS queries and replies |
+| boss | 123    | UDP      |  both     | NTP |
+| boss | 2917   | TCP      |  out      | pubsub event system |
+| boss | 7777   | TCP/UDP  |  both     | Testbed Master Control Daemon |
+| ops  | 1024   | UDP      |  both     | Portmapper for NFS, etc. |
+| ops  | 2049   | UDP      |  both     | NFS |
+
+### Accounts
+
+We make use of Unix user and group mechanisms to provide protection between
+users and projects. Each new user gets a new Unix UID, and each new project
+gets a new Unix GID. Users are members of the Unix groups that correspond
+to each of the projects they are working on, and thus may share files with
+other members of those projects. The default directory permissions are set
+so that project files are not readable by members of other projects.
+
+Each project gets its own directory hierarchy (again, protected by the Unix
+group mechanism) that is NFS-exported only to that project's assigned test
+machines. We don't currently protect against spoofing on the control
+network, so there are vulnerabilities. The test networks are fully
+separated between experiments by way of VLANs.