Lab Security Policy

From DISI
Revision as of 15:22, 23 April 2014 by Frodo (talk | contribs)
Jump to navigation Jump to search

No security system is perfect. There is a tradeoff between security and ease of use and we have tried to find a way to let you do your work in peace. Getting hacked is a big deal. Please be mindful.

Our security policy can be summarized as follows:

 You can only access our cluster via ssh from a secure machine

What is a secure machine you may ask? As of Monday, April 21, our answer is as follows. This will change in the coming months.

  • A secure machine is one that we control and can protect, as follows:
    • The two portals are secure.
    • Desktops we control in CCBR 650, 940 and BH 501 are treated as secure. Subject to change.
    • Laptops in the lab are currently treated as secure. Subject to change.
    • No other machine is treated as secure. This includes the Sali cluster, the QB3 shared cluster, and if you connect via a VPN. To access our cluster from these or any other machine we do not treat as secure, you must use the portal system.
  • You can only access the portals using an ssh key.
  • Use different passwords for your bank, your email, and your cluster access. If one is hacked, the damage is contained.
  • If you have an account on a system that is hacked, please a. tell us you were hacked so we can revoke your ssh key and b. change your password asap if you think it could have been compromised.
  • You can only access the clusters from the portals using a password, never an ssh key.
  • You can use ssh keys to move around within the cluster, but only if they are secure.
  • Ssh keys must be protected at all times and must never be shared with anyone, even family members or labmates.
  • Misuse of sshkeys is a very serious matter. Please guard your ssh key access as you would your bank account.
  • some people call ssh keys "ssl keys". It is the same thing, and ssl is arguably more correct. nevermind.

If you have any doubts about appropriate use of ssh keys, please ask a sysadmin.

Security Q&A