DIPARTIMENTO DI INFORMATICA
Università di Torino

Research Report Year 1998

INNOVATIVE APPLICATIONS OF INFORMATION TECHNOLOGY


INFORMATION SYSTEMS SECURITY POLICY

Project Members

Franco Sirovich

Full Professor

franco(at)di.unito.it

Bruno Graziano

Technical Staff

bruno(at)di.unito.it

Sergio Rabellino

Technical Staff

rabellino(at)di.unito.it

Research activity in 1998

The Department of Computer Science has been officially given the leadership of a long-lasting Project on “Information Systems Security Policy and its practical implications” involving almost all Departments, Faculties and Service Units of the University of Turin.

The main purpose of this research project is to achieve valuable results in enforcing the global security of the computers and networks that belong to the campus organization. The related activities have been under way since January 1998, and some goals have already been achieved. Some advanced technical solutions have been tested, and some new software security tools have been (or are going to be) installed and evaluated. Intranets and firewalls are among the major concerns in the project's development.

After one year, some positive results are worth noting; they can be summarized as follows:

Nearly all employees at the University of Turin who are involved, at various levels of responsibility, in the development and management of the information systems are well aware of the security risks and the damage that may be caused by hackers’ attacks.

Therefore a joint effort has been undertaken to get ready, as soon as possible, to set up the most effective security resources.

Some case studies and detailed analyses have been made, focusing on the management staff and on the organizational and technical staff.

A well-suited global security policy has been submitted to the top academic leaders, in order to get their proper approval.

As a side effect of this main project, a software package for user password checking (in the MS Windows NT operating environment) has been implemented and made available (with its source code) by some bright researchers of our Computer Science Department. By means of this tool, every user is forced to set up a complex password for his/her own account, as that password must comply with some well-defined constraints (and an expiration date).

At our Department, secure Apache WWW servers have also been installed, with the SSLeay package embedded. They allow encrypted packet traffic (“Secure Socket Layer” protocol) with client browsers (Netscape and MS Internet Explorer). The true origin of the information and all private documents published on the secure WWW servers can be trusted, as long as both the machine that hosts the web database and its operating system are fully protected against possible attacks. For example, the relevant administrative documents of the Università di Torino are restricted to internal personnel and are protected in this way.

Public key certification is the most critical aspect of communication privacy and authentication, especially when digital signatures are involved. A Certification Authority (CA) at our Department is devoted to vouching for the user-to-public-key correspondence, in the form of a public key certificate, for all people of the University of Turin. In this way, user authentication is achieved in addition to the usual login/password association.

Finally, the research activity going on in this security project aims to experiment with advanced technical solutions for firewall-protected intranets, the extensive use of TCP wrappers, and client-server SSL applications (SSLtelnet, SSLftp…).

Our main interest is in application firewalls (proxies). One has been installed and properly configured to safeguard our student laboratories (Unix & Windows NT). By means of some access lists, all incoming and outgoing IP packets are routed to/from the firewall itself (so all traffic is monitored and logged). A strict policy of control over Internet connections has been successfully adopted, and some anti-spam e-mail filters have been installed. Encrypted communication between firewalls across the WAN is our next goal.


Administrator: wwwadm[at]di.unito.it Last update: May 17, 2018