MFA, closing security holes

YK: So far no MFA for Maxwell and NAF. To close a possible breach from compromised Maxwell and NAF accounts, and limit the impact of possible hacks, we will limit the accessibility from Maxwell and NAF systems to the internal network, in a multi-step approach.

• A first step has already been done: Access from the Maxwell and NAF subnets to certain web services, e.g. GO and IAM, is no longer possible. Other web services not related to Maxwell or NAF will follow (e.g. EASY or the Registry).

• A second step is planned for 26.9. 10:00. This will include the following measures:

  Access from the Maxwell and NAF subnets to machines in the internal network via SSH or RDP (Windows) is no longer possible. (Access from the internal network to Maxwell and NAF via SSH remains possible, as well as SSH within the Maxwell and NAF subnets.)

  Access to the Windows infrastructure is no longer possible: All traffic to the subnets .69 and .97 as well as to all Windows Domain Controllers will be blocked, on all ports.

  Access to the Windows Home and Group Volumes ("H:,S:,N:"), is no longer possible.

• Further steps will follow and announced.

If you know of subnets and services that you want to see protected against possible attacks from Maxwell and NAF, please inform us, so that we can include these into a next iteration.

We also know that some users access e.g. beamline gateway systems from a Maxwell display node. Experts should see whether other ways of access are possible (e.g. through bastion+MFA), or whether the IP of such systems should be excluded from the measures above. Please name such systems, if necessary! It must be clear that such an exception should not remain indefinitely, since it is a source of possible intrusion.

Further communication:

• If no veto is issued before Friday 22.9., we will inform users of Maxwell and NAF on Monday 25.9. about the changes (with less details). We want to take action rather soon, since we already observe a increased mis-usage of Maxwell and NAF machines to access internal systems (e.g. desktops) circumventing bastion and MFA.

• If a veto is issued, we ask for concrete reasons. Maybe we can work around, or drop one particular point from the agenda.

• If we go to further rounds of restrictions, we will proceed in a similar manner than for this round.

• After the change, should you observe workflows that do no longer work, and that are mission critical, please contact us asap. Please contact UCO, mentionning the connection that does not work anymore and referring to the change. UCO will then contact NAF, Maxwell or network experts as needed.

• Should workflows of users break, we will investigate them one by one, and find workarounds that enable them to continue their work without compromising security.