Skip to content

Changes

Page history
stoller created page: Security Policies authored by Leigh Stoller's avatar Leigh Stoller
Hide whitespace changes
Inline Side-by-side
Security-Policies.md 0 → 100644
View page @ ce914a66
Here is a brief rundown of some important security issues you should be
aware of.
### Login IDs
We require all Emulab users to provide current, non-pseudonymic login
IDs. **Shared accounts are strictly forbidden! Each user should apply
separately and specify their standard login name**.
### Cookies
To enhance operation and security, we make use of _Cookies_ that holds
your login name. Therefore, you will need to enable cookies on your
browser. Please contact us if you have questions about how to do that in
your browser.
### SSL
To protect data you submit, SSL is used to encrypt data as it is
transferred across the Internet. Therefore, you will need to access these
pages with a browser that supports SSL.
When you first visit Emulab, you might be asked if you want to accept the
_server certificate_. Be sure to accept it!
### SSH
We require all users to use Secure Shell (SSH) to log into Emulab
nodes. Experience has taught us a few things about managing keys which we
will pass on to you at no extra charge:
* You should **not** store your Emulab public key (.ssh/identity.pub) in
your authorized_keys file on remote sites. This prevents easy logins
from Emulab to your remote sites in case your Emulab account is ever
compromised (since the Emulab generated private key is not protected by
a passphrase).
* You should **not** mess with the Emulab generated key in your .ssh
directory (.ssh/identity). This is an unencrypted key (see above) that
is used by Emulab when setting up experiments. You should not delete
the public part of the key from the web interface either. Failure to
heed this warning will result in experiments not setting up properly!
* We recommend that you use ssh's RSA authentication to login to Emulab
so that you do not have to type your password. The less often you type
your password the better! You do this by uploading your own public keys
to Emulab.
* When you create your private keys (ssh-keygen), pick a good passphrase!
They can be (much) longer than Unix passwords; 10 to 30 character
phrases are good.
* You should **not** copy ssh identity files (private keys) from other
places to Emulab (or any other off-site machine, for that
matter). Private keys should always be well protected!
### Email Addresses
We require all Emulab users to provide current, non-pseudonymic email
addresses. Redirections and anonymous email addresses are not allowed. We
do not sell or give your email addresses away!
### Passwords
We employ a password checking library to prevent users from choosing
passwords that could be guessed by the "Crack" library. A few basic rules
are that standard English dictionary words are not permitted, as well as
anything deemed too short or easily guessable. Also, you should take care
not to use the same password on Emulab that you use at other sites.
### Firewalling
Emulab blocks incoming connections to nodes on all of the _low numbered_
ports (ports below 1024), with the exception of ports 20 and 21 (FTP), 22
(Secure Shell), and 80 (HTTP). This is for the protection of experimenters,
as well help prevent an errant application from becoming the source of a
Denial of Service attack to sites outside of Emulab. If your application
requires external access to other low numbered ports, please contact us to
make special arrangements.
Emulab also prevents machines from using IP and MAC addresses other than
their own on the control net. The control net router blocks all traffic not
originating from the proper subnet, both to prevent IP spoofing and to
prevent experimental traffic from accidentally making it to the 'real
world' (say, through routing misconfiguration.) These restrictions are not
present on the experimental net.
### Ports used by Emulab
If you wish to do firewalling of your own on your nodes, you should be
aware that there are several ports used by Emulab that you'll need to keep
open if you want your nodes to be able to function as "normal" Emulab
nodes.
In the table below, a direction of 'out' means that your node needs to be
able to make outgoing TCP connections to a port, 'in' means that it needs
to accept incoming connections on a port, and 'both' indicates UDP ports on
which you must be able to send out packets and receive the replies.
| Host | Port | Protocol | Direction | Reason |
| ---- | ------ | -------- | --------- | ------ |
| boss | 22 | TCP | in | ssh in from boss to reboot nodes |
| boss | 53 | UDP | both | DNS queries and replies |
| boss | 123 | UDP | both | NTP |
| boss | 2917 | TCP | out | pubsub event system |
| boss | 7777 | TCP/UDP | both | Testbed Master Control Daemon |
| ops | 1024 | UDP | both | Portmapper for NFS, etc. |
| ops | 2049 | UDP | both | NFS |
### Accounts
We make use of Unix user and group mechanisms to provide protection between
users and projects. Each new user gets a new Unix UID, and each new project
gets a new Unix GID. Users are members of the Unix groups that correspond
to each of the projects they are working on, and thus may share files with
other members of those projects. The default directory permissions are set
so that project files are not readable by members of other projects.
Each project gets its own directory hierarchy (again, protected by the Unix
group mechanism) that is NFS-exported only to that project's assigned test
machines. We don't currently protect against spoofing on the control
network, so there are vulnerabilities. The test networks are fully
separated between experiments by way of VLANs.