Remote Access Support Policy

For interactive login or file transfers (ssh/scp/sftp), we do not provide direct access to ACOM servers from outside of the UCAR network.  For supported servers, access is granted via gate.ucar.edu which requires a password token (CRYPTOCard or YubiKey) for access.  Alternatively, you may run a VPN client on a computer where it has been approved by an ACOM system administrator -- VPN creates a connection as if the computer is on the UCAR network after which ssh/scp/sftp access is granted.

Web servers

Web servers which are approved and managed by ACOM system administrators may provide web services to the outside world on ports 80 or 8080 if they are semi-exposed hosts.

Interactive (ssh) access

One-time-password tokens (CRYPTOCard or YubiKey) will be the form of authentication for all hosts which are not designated as single-user systems by the ACOM Systems staff. An exception may be granted by an ACOM system administrator for architectures for which these tokens are not supported.

ssh to the root account will not be allowed except at the console.

ssh access to non-root accounts will be granted by firewall rules to the VPN, ACOM, and EOS networks.

For hosts within UCAR and outside of ACOM, ssh access will only be granted on a case-by-case basis from a specific host:

  • if an ACOM Staff Member or Visitor has submitted a request to the Systems Staff to allow the host to access a specific machine
  • if the request has been approved by an ACOM System Administrator
  • if the host's authentication mechanism uses a one-time password token (CRYPTOCard or YubiKey)
  • if the remote host is a protected host within the UCAR security perimeter
  • if the remote host is under Systems Administration by a named UCAR System Administrator
  • if the remote host is not a legacy host
  • if the remote host is not connected by VPN or wireless

ssh is the only form of access which will be granted to a host within the UCAR network but outside of the ACOM/EOS networks (that is, NFS, ftp, and other protocols will not be granted).

The UCAR Security Perimeter

The UCAR security perimeter is defined by the Computer Security Advisory Committee (CSAC). ACOM has one representative on this committee; its home page is at http://www.ucar.edu/csac/.

The UCAR Security Perimeter is designed to disallow inbound connections that pose a security risk to the organization at large. ACOM is subject to enforcement of this policy as defined by documents at the CSAC URL above.

ACOM is considered "within" the security perimeter and therefore subject to certain restrictions imposed by the security perimeter. ACOM's systems staff may implement other restrictions for the sake of good internet security.

Security and convenience are often trade-offs. Generally, decisions are made by ACOM and CSAC that favor internet security when other options exist for accessing our systems remotely. For example, access to acom.ucar.edu must be via ssh to gate.ucar.edu. This is less convenient than direct access, but protects ACOM from Internet attack.

The Security Standards For Exposed Hosts document describes in detail security considerations for our semi-exposed hosts such as acom.ucar.edu. To list a few here:

  • Unencrypted passwords will not be used to authenticate to acom.ucar.edu
  • ftp files can be made available via anonymous ftp, but we do not support an anonymous capability for outside users to deliver files to us. For such users, we would prefer to set up an account and have the user go through a formal account application process.
  • We do not allow group accounts -- in ACOM we require that each account have a single individual responsible for that account, so that there is a one-to-one correspondence between accounts and individuals.
  • Setting up services for the outside world is at the discretion of the ACOM Computing section head and must abide by the CSAC security policy.
  • The CSAC security policy may make some services impossible in spite of every effort on the part of CSAC and Systems Staffs. In such cases, it is ACOM policy that the service will be disallowed. That is, we will not set up fully exposed hosts or hosts outside of the security perimeter just to allow the service.
  • Connecting personal computers such as laptops to an internal network such as the 128.117.32.x subnet is allowed, but only after approval of a Systems Administrator. Generally the Systems Administrator will perform the network setups on such personal computers.

Accessing Windows Systems remotely

We do not currently have a secure mechanism for viewing the screen of a PC remotely from outside of the security perimeter. From within the security perimeter, VNC software or Remote Desktop can be installed: a server which runs as a service on XP or MacOS systems, and a client which is available on a variety of platforms.

Remote Desktop or VNC may also be used over an approved VPN connection. Such a connection requires authentication with a one-time password token (CRYPTOCard or YubiKey).

Screen sharing software other than Remote Desktop or VNC may not be used on computers connected to UCAR networks.  Examples include:

  • TeamViewer
  • GoToMyPC
  • Logmein
  • PC Anywhere

Computers running non-Unix operating systems may not run as exposed hosts to the Internet.

Types of PCs allowed inside of the security perimeter

PC computers running Microsoft Windows and existing within the security perimeter can run services such that they are accessible from other hosts within the security perimeter.

PC computers on the UCAR network and existing within the security perimeter must be on the CIT domain. PC computers which are not on the CIT domain must be on a guest or external network (such as wireless), or protected behind a firewall device or front-end machine as defined by the UCAR legacy hosts policy. Generally we use the guest wireless network for approved devices not owned or managed by a UCAR system administrator. For UCAR-owned equipment which cannot be placed on the network due to policy, the firewall device is the best option.

Transferring Files from Remote locations

We have a specific service available which allows you to scp or sftp files from a remote location to the /scratch directory on acom.ucar.edu. This is enabled on a per-request, case-by-case basis. For details, please submit a work request to your System Administrator (sysadmin@acom.ucar.edu).

ACOM | Atmospheric Chemistry Observations & Modeling