U.S. DEPARTMENT OF LABOR
Employment and Training Administration
Washington, D.C. 20210

CLASSIFICATION: UI
CORRESPONDENCE SYMBOL: TEURA
ISSUE DATE: June 3, 1996
RESCISSIONS: None
EXPIRATION DATE: March 15, 1997

DIRECTIVE: UNEMPLOYMENT INSURANCE PROGRAM LETTER NO. 24-96

TO: ALL STATE EMPLOYMENT SECURITY AGENCIES

FROM: MARY ANN WYRSCH
Director
Unemployment Insurance Service

SUBJECT: Security Enhancements for Unemployment Insurance (UI) SUN Computer Systems

  1. Purpose. To announce security enhancements for the UI Sun SPARC 10 computer systems and provide guidelines for the State System Administrators (SSAs) to improve computer system security.

  2. Background. Since 1986 the National Office has been providing each State with a computer system to operate nationally mandated programs such as Quality Control and UI Required Reporting. With the advent of Internet connectivity for some SUN systems and the connection of the SUNs to Local Area Networks (LANs) and Wide Area Networks (WANs), security for the State systems has become increasingly important. To help the SESAs protect their SUN systems and the data residing on them, the National Office is adding software that will give SSAs additional capabilities to protect the systems from unauthorized access.

    The Unemployment Insurance Service (UIS) will provide SSAs with technical assistance and guidelines necessary to strengthen system security. The security programs will restrict access to the SUN computer systems and help identify security weaknesses so that SSAs can take action to protect against unwanted access.

  3. Software. 

    1. "TCP/IP Wrapper", developed at the Eindhoven University of Technology and freely available on the Internet, will be used to restrict Internet connectivity to the State SUN systems. A paper describing the software in detail is included as Attachment 1. The software is scheduled for release in May.

    2. "Crack", by Alec D. E. Muffett and freely available on the Internet, allows system administrators to check their systems for users who have weak passwords. The software will be programmed to run periodically and send the local system administrator a list of users on the system who have weak passwords. A copy of the report will also be sent to the National Office. A paper describing the software in detail is included as Attachment 2. Crack is currently scheduled for release in early July.

    3. The "Computer Oracle & Password System (COPS)", developed by Dan Farmer, is also freely available on the Internet. The COPS utility is basically a large set of scripts that investigate many security risk areas on a system, such as IDs without passwords or files that can be written to by anyone. COPS simply reports potential security problems; it does not change or fix any system files. COPS will be run once a month in each State and a report will be sent to SSAs and the National Office for review of any security weaknesses. A paper describing the software in detail is included as Attachment 3. COPS is currently scheduled for release in early July, along with the Crack software.

  4. Firewalls. Firewalls are machines that restrict connectivity to local networks from external networks. States can enhance the security of the SPARC 10 systems by placing them behind firewalls on corporate State networks. For sites with Internet connectivity, this is strongly encouraged, but not required, by the National Office. States are requested to allow unrestricted access to the SPARC from the National Office Network (Network IP Number 166.97.204.0). This will allow the elimination of the modem on the SPARC 10, resulting in cost savings and better service.

  5. Responsibilities.

    1. National Office. The National Office Hotline will assist State System Administrators, as required, with configuration of the TCP/IP Wrapper software. The Hotline will also review reports from the security scanning software and assist State System Administrators with correcting potential security problems.

    2. States. State System Administrators should supply the Hotline with Internet addresses for friendly computer systems that need to connect to the SPARC 10 systems. They should review reports from the security scanning software and work with end users and the National Office Hotline to correct potential security problems. They should work with local network administrators as needed to implement firewalls.

  6. Action Required. State Administrators are requested to provide SUN System Administrators with a copy of this document.

  7. Questions. All questions concerning State security policies can be directed to Gordon Washington at (202) 219-4630. If technical assistance is required, SSAs should contact the National Office Hotline. The Hotline can be reached at 1-800-473-0188.
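
As an added illustration (not part of the original letter and not COPS's own code), the two risk areas named in item 3.3, IDs without passwords and files that can be written to by anyone, can be checked with report-only shell functions like these. The function names and the sample files are constructed for this example.

```sh
#!/bin/sh
# Report-only checks modeled on the two risk areas named in item 3.3.
# Like COPS as the letter describes it, these only report; they change nothing.

# List login names whose password field (field 2) is empty.
# $1: a passwd-format file (use the shadow file where passwords are shadowed).
empty_password_ids() {
    awk -F: '!/^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# List regular files and directories under $1 that any user can write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Build a constructed sample tree (not real system data) and print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
        'root:x:0:0:Super-User:/:/sbin/sh' \
        'daemon:*:1:1::/:' \
        'guest::1001:100:Guest account:/home/guest:/bin/sh' > "$d/passwd"
    chmod 644 "$d/passwd"
    mkdir "$d/data" && chmod 755 "$d/data"
    : > "$d/data/report.txt" && chmod 666 "$d/data/report.txt"
    : > "$d/data/notes.txt"  && chmod 644 "$d/data/notes.txt"
    printf '%s\n' "$d"
}

# Print a findings report for a passwd-format file ($1) and a directory ($2).
security_report() {
    echo "IDs without passwords:"
    empty_password_ids "$1" | sed 's/^/  /'
    echo "World-writable files and directories:"
    world_writable "$2" | sed 's/^/  /'
}

# Run the report against the constructed sample, then remove the sample.
sample=$(make_sample) && security_report "$sample/passwd" "$sample"
rm -rf "$sample"
```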