CTIO Network Security Guidelines

For a long time, the CTIO computer infrastructure was sheltered from unwanted visitors by its remote physical and network location. Today's security threat environment is far different and it is necessary to implement a number of security measures to defend the CTIO network and its users.

These security measures are meant to prevent unauthorized access by hackers and/or malware exploits from breaching the CTIO defenses. To protect CTIO users and to protect its visitors from unwittingly allowing compromise of their home institution's network, the following guidelines need to be followed. Over time, they will probably become even more stringent!


Please register your computer with CISS

If you plan on bringing down your own computer, whether laptop, desktop or server, please use the form at http://www.ctio.noao.edu/sys/dhcpform.php, which will provide us the necessary information to register your computer into our system.

CTIO DHCP servers will provide dynamic IP addresses only if the MAC address has been registered, so please send this information a few days before you come down so that you can connect immediately to our La Serena or Cerro Tololo networks.

Please don't bring down an insecure system

If you are planning to bring down your own computer, please also check the CTIO Visitor Computer Guidelines to make sure you have your computer properly set up to plug in to the CTIO network.

Remote Email Access

IMAP and POP connections OUTGOING from the CTIO network are allowed, hence visitors may access their home institution email accounts using Thunderbird, Mozilla, Netscape, Outlook or other IMAP/POP mail clients.

If you are using a laptop, it should work as is, provided your home institution does not itself block IMAP/POP access from CTIO. If you want to use the Thunderbird/Mozilla/Netscape mail client running on one of the visitor machines in La Serena or on Cerro Tololo to read email from your home institution, you will need to add your home institution's IMAP/POP account server as an additional account under the Thunderbird/Mozilla/Netscape preferences. See CTIO Email Guidelines for more general information about CTIO email.

Of course, the absolute *best* way to get back to your home institution is to use your home institution's own VPN. If they don't have one, you might request that they set one up, and that they not block VPN connections out to other institutions!

Virtual Private Network Access

Travellers and collaborators at other institutions involved with remote observing or other programs at CTIO should know that VPN or Virtual Private Network connections are the recommended means to remotely connect up to the CTIO network.

A VPN provides authentication and confidentiality between the remote user's machine and CTIO: through the VPN a remote computer actually becomes a virtual part of the organization network and its traffic "appears" to originate from within CTIO. As a result, a laptop connected via VPN from far away will function almost identically to one plugged into CTIO's internal network: most applications work transparently in the VPN environment.

However, since the remote machine is still connected to the outside internet even while VPN'ed into CTIO, if it has been taken over by malware it can serve as a trojan horse that bypasses CTIO's normal defenses. Even worse, since the VPN traffic is encrypted via IPsec, security appliances such as an IDS are unable to scan the remote machine's traffic for malware.

Fortunately, VPN access these days is handled by firewall devices, as is the case at CTIO, which impose the same or tighter security requirements on a VPN client as they do on other internal organization computers. In addition, we require a VPN group password along with a valid username and password before our authentication server will allow the VPN connection to establish.

All this helps, but does not prevent a machine that has been taken over by malware from causing problems via VPN.

The upshot is that the remote computer or laptop needs to have its own perimeter defenses in place, such as personal IDS or packet filter security, anti-virus and anti-spyware software installed.

A Cisco VPN client (or under Linux, 'vpnc') is typically required for running VPN into CTIO and making best use of the IPsec encryption options. Check with CISS to make sure this client is installed on your laptop.

Speak with CISS personnel for more information on current VPN clients and access codes into CTIO.
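The two-level login described above (a shared group ID and group password, then the user's own username and password) maps directly onto the configuration that vpnc reads. The following shell function is an added example, not CTIO's or vpnc's own code; the gateway, group and user names are placeholders, and the real values come from CISS. It writes only the group secret to disk, leaves the user password out so that vpnc prompts for it at connect time, and makes the file readable by its owner alone, since anyone who can read the file holds the group secret.

```shell
#!/bin/sh
# Added example (not CTIO's or vpnc's own code): create a vpnc(8) configuration
# for a Cisco-style IPsec VPN that uses a group ID + group password pair
# ("IPSec ID" / "IPSec secret") plus a per-user Xauth login.
# All gateway, group and user names used below are placeholders.

# write_vpnc_conf FILE GATEWAY GROUP_ID GROUP_SECRET USERNAME
#   The user's own password is deliberately NOT written: vpnc asks for it
#   interactively, so only the shared group secret lands on disk, mode 0600.
write_vpnc_conf() {
    rm -f "$1"                      # recreate so the umask below takes effect
    (
        umask 077                   # owner-only from the moment the file exists
        {
            printf 'IPSec gateway %s\n' "$2"
            printf 'IPSec ID %s\n' "$3"
            printf 'IPSec secret %s\n' "$4"
            printf 'Xauth username %s\n' "$5"
        } > "$1"
    ) && chmod 600 "$1"             # belt and braces on pre-existing files
}

# conf_mode FILE -> symbolic permission string as ls(1) prints it, e.g. -rw-------
# (ls is used because stat(1) flags differ between Linux and BSD/macOS)
conf_mode() {
    ls -ld "$1" | cut -c1-10
}

# conf_world_readable FILE -> 0 if anyone besides the owner can read FILE
conf_world_readable() {
    case "$(conf_mode "$1")" in
        ????r*) return 0 ;;         # group or other has the r bit
        *)      return 1 ;;
    esac
}

# Example run with placeholder values (hypothetical gateway and group):
#   write_vpnc_conf "$HOME/.vpnc-ctio.conf" vpn.example.invalid ctio-visitors 'GROUP-SECRET-PLACEHOLDER' jdoe
#   conf_world_readable "$HOME/.vpnc-ctio.conf" && echo "WARNING: group secret is readable by others"
```

vpnc is then started with the path of that file as its argument (see vpnc(8)); it will prompt for the Xauth password because no `Xauth password` line is present. `conf_world_readable` is the check worth running on any existing config a colleague hands you.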

Remote Login Access

CTIO has installed SSHv2 software on all machines used by visitors, providing secure internal access using ssh. However, ssh connections from the outside are no longer allowed except by prior agreement, so that we can open access through the CTIO firewall. If you will need ssh access, please contact CISS.

The ssh program is part of the SSHv2 package which functions in a way similar to the disallowed telnet, rlogin, or rsh which it replaces. SSHv2 encrypts data and passwords in order to prevent snooping. Here are some basic instructions, covering the most frequent connections to the outside world.

• Logging in FROM a CTIO machine TO a remote computer:
Instead of using telnet, rlogin, or rsh, just type

    ssh machinename -l username

(where username is the account name on the machine to which you're connecting)

If the machine you're trying to connect to doesn't have the SSH software, this will try to fall back to a normal (insecure) rsh session, which may not work since rsh is frequently blocked by most firewalls these days. If this happens to you, we suggest that you encourage the system administrators to install the ssh server sshd for their own network security.

If it is the first time you're logging into a given machine, you will receive a warning message like

    Host key not found from the list of known hosts.
    Are you sure you want to continue connecting (yes/no)? 

to which you can safely answer "yes" if you indeed haven't logged into that machine before. (Note that logging in to ctios2, for example, using ssh ctios2 and then, afterwards, using ssh ctios2.ctio.noao.edu will produce the above question both times, since ssh is not smart enough to know that "ctios2" and "ctios2.ctio.noao.edu" are the same machine.)

For such outgoing connections, the commands telnet, rlogin, or rsh still work on our systems. However, we recommend that you use ssh to protect your password information for the remote machine (i.e., using telnet, rlogin, or rsh for outbound connections isn't a security risk for our machines, but it IS for the machines to which you're connecting).

• Logging in FROM an outside computer TO a CTIO machine:
We no longer accept logins from machines outside the ctio.edu domain except via ssh. Regular telnet into CTIO machines from the outside is not allowed. If you need to log into a CTIO machine from outside, you must have software capable of making an ssh connection. This software is available for most operating systems (see links below), either freely or through commercial sources.
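Answering "yes" to the host key prompt above is what stores the key in ~/.ssh/known_hosts, and the "ctios2" versus "ctios2.ctio.noao.edu" double prompt happens because ssh keeps one entry per name. The following shell functions are an added example, not CTIO's own tooling, that read a known_hosts file directly so you can see whether a name is already known and whether a short name and its full name carry the same key before you type "yes". The hostnames and keys in the comments and in the sample file are constructed; they are not real CTIO host keys.

```shell
#!/bin/sh
# Added example, not CTIO's own code: inspect an OpenSSH known_hosts file.
# Each line has the form   name[,name2,...] keytype base64key
# OpenSSH itself lists several names on one line (hostname,IP), and the same
# form lets a short name and its FQDN share a single entry, which is what
# stops the second "Are you sure you want to continue" prompt.
# Limitation: hashed lines (starting "|1|") and @cert-authority/@revoked
# marker lines are skipped; use "ssh-keygen -F name" for those.

# known_host_key FILE NAME -> prints "keytype base64key" for NAME and returns 0,
# or returns 1 when NAME has no entry (ssh would show the first-time prompt).
known_host_key() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF < 3 { next }    # comments, blank or short lines
        $1 ~ /^[|@]/ { next }                  # hashed or marker entries
        {
            n = split($1, names, ",")
            for (i = 1; i <= n; i++)
                if (names[i] == want) { print $2, $3; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# same_host_key FILE NAME1 NAME2
#   0 : both names known and carry the same key (one machine, two names)
#   1 : at least one name is unknown (expect the prompt for that name)
#   2 : both known but the keys DIFFER: ask the admins before typing "yes"
same_host_key() {
    k1=$(known_host_key "$1" "$2") || return 1
    k2=$(known_host_key "$1" "$3") || return 1
    [ "$k1" = "$k2" ] && return 0
    return 2
}

# Typical use on a visitor machine (names are the ones from the text above):
#   same_host_key ~/.ssh/known_hosts ctios2 ctios2.ctio.noao.edu; echo "status $?"
#
# To make ssh treat both names as one host, either merge them onto one
# known_hosts line ("ctios2,ctios2.ctio.noao.edu ssh-ed25519 AAAA...") or
# add to ~/.ssh/config:
#   Host ctios2 ctios2.ctio.noao.edu
#       HostKeyAlias ctios2.ctio.noao.edu
```

Status 2 is the interesting one: two names for the same machine should never have different keys, so a mismatch means either the host was reinstalled or something is sitting between you and it, and it is worth a question to CISS rather than a reflexive "yes".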

Remote File Transfer

The same SSH software that provides ssh connections can provide secure file transfers using scp (similar to rcp - but secure).

•  Obtaining files from the CTIO anonymous FTP archives:
We have restricted regular anonymous FTP service on the computers at CTIO to only our central server, www.ctio.noao.edu. If you need to download manuals, filter curves, or other information, you should be able to find them there. Depositing files into the CTIO anonymous ftp area is not allowed (to do so is a major security risk). If you need to transfer files down here from the outside, see the following entries.

•  Transferring files FROM a CTIO machine TO a remote computer:
For outgoing file transfers, we recommend that you use scp instead of ftp or rcp, IF the remote computer has the SSH server running.

To transfer files securely from CTIO to another site, just type

    scp local_file username@machinename:

Note that the colon at the end IS necessary. If you want to put the file in a specific directory, just add that on the end:

    scp local_file username@machinename:directory/directory

If the remote machine doesn't have the SSH server running, you can still use ftp to transfer your files to remote sites.

•  Transferring files FROM a remote computer TO a CTIO machine:
As mentioned above, anonymous FTP transfers TO CTIO computers are not allowed, neither on our main server nor on any of the other machines. If you need to bring files down to a CTIO machine, you can do so in a variety of other ways.

The most secure (and therefore highly recommended) way is to use scp. You can either run it on the remote machine, "pushing" the file down here (run this on the remote machine):

    scp file username@ctiomachine:

OR you can run it on a CTIO machine and "pull" the file down (run this on the CTIO machine):

    scp username@machinename:filename .

The trailing "." is the destination (your current directory on the CTIO machine); scp needs a destination argument, so don't leave it off.

Finally, you can use FTP to "pull" files down to a CTIO machine by first logging on to the CTIO machine (preferably using ssh) and then running ftp to connect to the remote host and download the file.

If none of these file transfer options will work for you, contact us and we'll set up a temporary alternative.
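The colon caveat above is easy to get wrong: scp decides whether an argument is remote purely by the colon after the host, so leaving it off makes scp copy the file to a local file literally named "username@machinename" and nothing leaves the machine. The following wrappers are an added example (not CTIO's own scripts) that refuse to run scp when the remote side is malformed and always supply the destination that the "pull" form needs; the user and host names are made up.

```shell
#!/bin/sh
# Added example, not CTIO's own code: guard rails around scp "push" and "pull".
# Host and user names appearing anywhere below are invented.

SCP="${SCP:-scp}"      # set SCP=echo in the shell to dry-run the wrappers

# remote_spec_ok SPEC -> 0 when SPEC has the host:path shape (host may be
# user@host; the path may be empty, as in "jdoe@obs.example.invalid:"),
# 1 otherwise. A local path that itself contains ":" should be written ./path.
remote_spec_ok() {
    case "$1" in
        ?*:*) return 0 ;;
        *)    return 1 ;;
    esac
}

# scp_push LOCAL_FILE REMOTE_SPEC
#   Run on the machine that has the file ("push" it to the other side).
scp_push() {
    [ -r "$1" ] || { echo "scp_push: cannot read '$1'" >&2; return 2; }
    remote_spec_ok "$2" || {
        echo "scp_push: '$2' has no host: part, refusing to create a local copy" >&2
        return 2
    }
    "$SCP" -p "$1" "$2"            # -p keeps modification time and mode bits
}

# scp_pull REMOTE_SPEC [LOCAL_DIR]
#   Run on the machine that should receive the file; LOCAL_DIR defaults to
#   the current directory, which is the "." that scp requires as a target.
scp_pull() {
    dest=${2:-.}
    remote_spec_ok "$1" || {
        echo "scp_pull: '$1' has no host: part, nothing remote to fetch" >&2
        return 2
    }
    [ -d "$dest" ] || { echo "scp_pull: '$dest' is not a directory" >&2; return 2; }
    "$SCP" -p "$1" "$dest"
}

# Example session (hypothetical names):
#   scp_push night1.fits jdoe@obs.example.invalid:incoming/
#   scp_pull jdoe@obs.example.invalid:catalog.txt /data/visitor
```

Both functions return 2 without touching the network when the check fails, so they are safe to put in a shell alias or a transfer script; `SCP=echo` shows the exact command line that would run.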

Additional information on SSH

For more information about SSH in general, try looking at SSH Communications Security's SSH Home Page. The Data Fellows web site also has a detailed discussion of the SSH protocol at http://www.datafellows.com/f-secure/fprotoco.htm. A web version of the SSH Readme file is available from Indiana, and if you have more questions, you can check the SSH FAQ page.

Some of the nice features of SSH include:


ciss@ctio.noao.edu