Remote Access Support Policy

Revised: February 28, 2007

In the past, ssh/scp/sftp have been allowed directly to semi-exposed and exposed hosts at UCAR; CSAC policy will soon be that such access is allowed only via VPN, gate.ucar.edu, or dialup. These technologies in turn will require the use of Cryptocard or other one-time-password authentication.

Web servers

ACD computers can provide web services to the outside world on ports 80 or 8080 if they are semi-exposed hosts. Such hosts must use Cryptocard logins for authentication.

Interactive (ssh) access

Cryptocard one-time passwords will be the form of authentication for all hosts which are not designated as single-user systems by the ACD Systems staff. An exception may be granted for architectures for which Cryptocard technology is not available.

ssh to the root account will not be allowed except at the console.

ssh access will be granted by firewall rules to the ACD, EOS, and ASP networks.

For hosts within UCAR and outside of ACD, ssh access will only be granted on a case-by-case basis from a specific host:

  • if an ACD Staff Member or Visitor has submitted a request to the Systems Staff to allow the host to access a specific machine
  • if the request has been approved by an ACD System Administrator
  • if the host's authentication mechanism is Cryptocard one-time passwords
  • if the remote host is a protected host within the UCAR security perimeter
  • if the remote host is under Systems Administration by a named UCAR System Administrator on the CSAC wheel list
  • if the remote host is not a legacy host
  • if the remote host is not connected by VPN or wireless

ssh is the only form of access which will be granted to a host within the UCAR network but outside of the ACD/ASP/EOS networks (that is, NFS, ftp, and other protocols will not be granted).

The UCAR Security Perimeter

The UCAR security perimeter is defined by the Computer Security Advisory Committee (CSAC). ACD maintains one representative on this committee, and its home page is at http://www.ucar.edu/csac/.

The UCAR Security Perimeter is designed to disallow inbound connections that pose a security risk to the organization at large. ACD is subject to enforcement of this policy as defined by documents at the CSAC URL above.

ACD is considered "within" the security perimeter and therefore subject to certain restrictions imposed by the security perimeter. ACD's systems staff may implement other restrictions for the sake of good internet security, usually in anticipation of forthcoming policies emerging from CSAC. For instance, ACD does not allow unencrypted passwords to be used when accessing the Unix server, acd.ucar.edu.

Security and convenience are often trade-offs. Generally, decisions are made by ACD and CSAC that favor internet security when other options exist for accessing our systems remotely. For example, access to acd.ucar.edu must be via ssh to gate.ucar.edu. This is less convenient than direct access, but protects ACD from Internet attack.

The Security Standards For Exposed Hosts document describes in detail security considerations for our semi-exposed hosts such as acd.ucar.edu. To list a few here:

  • Unencrypted passwords will not be used to authenticate to acd.ucar.edu
  • ftp files can be made available via anonymous ftp, but we do not support an anonymous capability for outside users to deliver files to us. For such users, we would prefer to set up an account and have the user go through a formal account application process.
  • We do not allow group accounts -- in ACD we require that each account have a single individual responsible for that account, such that there is a one-to-one correspondence between accounts and individuals.
  • Setting up services for the outside world is at the discretion of the ACD Computing section head and must abide by the CSAC security policy.
  • The CSAC security policy may make some services impossible in spite of every effort on the part of CSAC and Systems Staffs. In such cases, it is ACD policy that the service will be disallowed. That is, we will not set up fully exposed hosts or hosts outside of the security perimeter just to allow the service.
  • Connecting personal computers such as laptops to an internal network such as the 128.117.32.x subnet is allowed, but only after approval of a Systems Administrator. Generally the Systems Administrator will perform the network setups on such personal computers.

Accessing Windows Systems remotely

We do not currently have a secure mechanism for viewing the screen of a PC computer remotely from outside of the security perimeter. From within the security perimeter, VNC software or Remote Desktop can be installed -- a server which runs as a service on XP or MacOS systems, and a client which is available on a variety of platforms.

Computers running non-Unix operating systems may not run as exposed hosts to the Internet.

Types of PCs allowed inside of the security perimeter

PC computers running Microsoft Windows and existing within the security perimeter can run services such that they are accessible from other hosts within the security perimeter. This might, for instance, allow a file to be ftp'ed to a Microsoft Windows machine. A remote user would first ftp the file to his/her account on acd.ucar.edu. Then he/she would use ssh or SecureCRT to connect to acd.ucar.edu and then ftp that file to its final destination on his/her own PC running an ftp server.

PC computers on the UCAR network and existing within the security perimeter must be on the CIT domain. PC computers which are not on the CIT domain must be on a guest or external network (such as wireless), or protected behind a firewall device or front-end machine as defined by the UCAR legacy hosts policy.

Transferring Files from Remote locations

We have a specific service available which allows you to scp or sftp files from a remote location to the /scratch directory on acd.ucar.edu. This is enabled on a case-by-case basis upon request. For details, please submit a work request to your System Administrator.