Protection Solutions for Campus Networks
Gary Geddes, CISSP, X-Force Protection Services, Internet Security Systems
Copyright Gary Geddes, 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Agenda
• Network Security Principles
• Current State of Campus Network Security
• Protection Solutions
• Putting it Together
• Summary
Traditional Approach to Security
[Diagram: stacked layers, top to bottom: Applications, Databases, Operating Systems, Network Services, Internet]
Risks at all Layers of the Infrastructure
Defense in Depth Approach
• Perimeter Security
  • Firewall, filtering router
  • Modem security
• Network Defenses
  • Intrusion Detection
  • Encrypted Transmission
• Host Security
  • Hardening and Patches
  • System Log Monitoring
• Application Defenses
  • Passwords, Tokens
  • Audit Trails
• Data and Resources
  • Encryption
  • Permissions, entitlements
Layered Security
• An effective security architecture is built on sound policy and implements layers of technical controls supported by robust management processes and a well trained security staff.
[Diagram, the “Three Pillars”: People, Process, and Technology resting on a Security Policy foundation]
Policy Provides the Foundation
• Defines the guiding principles for information protection
• Sets security requirements necessary to meet business objectives
• States management’s commitment to information security
• Shows the organization’s approach for managing information security
• Defines the importance of information security as a business enabler
People
• Management
  • Must sponsor and actively support security program
• Security Staff
  • Must be sensitive to business requirements for IT
• Network and System Administrators
  • Must support and cooperate with security team
• Users
  • Security aware and vigilant
Process
• Critical security management processes
  • User management (account set up and termination)
  • Change control / configuration mgt
  • Vulnerability scanning and remediation
  • Security incident response
  • Log review and analysis
  • Data classification
  • User awareness
Technology
• Exclusion – Keeping the “bad guys” out
  • Perimeter security
  • Firewalls, IDS, Anti-virus etc.
  • Scanning, patching, system hardening
• Inclusion – Letting the “good guys” in
  • Identification and authentication
  • Authorization and access control
  • VPNs, PKI, and encryption
Security Management Principles
• Confidentiality - ensuring that information is accessible only to those authorized to have access
• Integrity - safeguarding the accuracy and completeness of information processing
• Availability - ensuring that authorized users have access to information and associated assets when required
Additional Concerns
• Authentication – assurance that the identity of the users is known
• Authorization – validating whether or not an entity is allowed to perform a specific action
• Non-repudiation – proof that an entity performed a specific action
All at the expense of …
• Privacy
General Security Trends
• Standardization of technology
• TCP/IP, UNIX, Windows, Common application sets
• Rapid rate of new vulnerabilities
• 10 to 20 new announcements / month
• More sophisticated threats
• Automated scans and attacks
• Lack of skilled security staff
• Hackers are often one step ahead
The Hybrid Threat
• Convergence of worms, viruses, hacking, and denial of service
• Fully automated, multi-vector attack
  • Nimda, Code Red etc.
• No one security mechanism will protect against the hybrid threat
Campus Network Security Issues
• Security of research data
• Privacy of student information
• Regulatory issues (FERPA)
• Software piracy / swapping etc
• Malicious / unauthorized use
• Downstream liability
• Not “PC” activities (harassment …)
• Gaming, downloading and other bandwidth hogs
Current State of Campus Networks
• Large, sprawling networks
• Tight budgets
• Lack of awareness
• Resistance to security
• Transient students
• Freedom to “tinker” with equipment
• Minimal accountability
• Little or no pay for security staff
• Research grants restrictive on usage
• “Universities were a major contributor to the DDOS attacks. They've always been a major contributor to security problems.” – Jeffrey Hunker, NSC
• “Why were universities so involved in these attacks? Because they're naked, they're sitting out there on the Internet with no firewalls or anything.” – Stephen Northcutt, SANS
• “In many universities, there's really no way for IT staff to know what machines are out there, especially in the research areas.” – Randy Marchany, Virginia Polytechnic Institute
• EDUCAUSE formed a task force on systems security that's disseminating to university IT departments some tactical guidelines for DDOS detection, prevention and response.
• EDUCAUSE has several security working groups, including a fast-hit program to try to get universities to at least address the top 10 vulnerabilities and an awareness committee to educate nontechnical university officials and research faculty.
• “Every one of those 1,800 campuses involved in our program is working on their own campus security now, so you're already starting to see some change. But it'll probably take a year or two to educate everyone.” – Mark Lukor, EDUCAUSE
The Paradox
• How do we build a network security architecture that provides reasonable protection for the campus information assets, but preserves the freedom of expression traditionally found within academic environments?
Perimeter Security
• Your first line of defense
  • Filtering routers
  • Firewalls
  • Modem security
  • Wireless access points
• Primarily a preventative control
  • Will normally deter casual hackers
  • A determined attacker can often penetrate
  • Will not stop an intruder who has a stolen UserID and password
Simple Firewall Architecture
[Diagram: the Internet (“untrusted” network) connects through a border or “screening” router to a firewall with three network interfaces: one to the Internet, one to the DMZ or “screened subnet” holding the Web, DNS, FTP, and Mail servers, and one to the “trusted” internal network]
Common View of the Firewall
• Internal users can get out
• External attackers can’t get in
[Diagram: an internal user reaches a web server on the Internet; a hacker on the Internet is blocked from reaching an internal server]
The Reality of Firewalls
• The firewall allows many “untrusted” external connections to internal servers
[Diagram: from the Internet, a DNS request reaches the DNS server, an HTTP connection reaches the web server, and an SMTP connection reaches the email server on the internal network]
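The three-interface policy the two firewall slides describe, as an added worked example (not from the presentation): a first-match rule set that lets the trusted network out, admits untrusted connections only to the published DMZ services, and denies everything initiated toward the internal network. Addresses, the DMZ host list and the rule names are assumptions constructed for the example.

```python
import ipaddress

# Constructed address plan; the slides name no addresses. 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges standing in for the DMZ and for
# arbitrary Internet hosts.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")

# Services the firewall publishes from the DMZ to the untrusted network.
PUBLISHED = {
    "dns":  (ipaddress.ip_address("192.0.2.20"), "udp", 53),
    "web":  (ipaddress.ip_address("192.0.2.10"), "tcp", 80),
    "mail": (ipaddress.ip_address("192.0.2.30"), "tcp", 25),
}

def zone(addr):
    """Map an address to the firewall interface it sits behind."""
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "internet"

def decide(src, dst, proto, dport):
    """First-match policy for a new connection; returns (permit, rule)."""
    dst_ip = ipaddress.ip_address(dst)
    # Rule 1: the trusted network may initiate connections anywhere.
    if zone(src) == "internal":
        return True, "internal-outbound"
    # Rule 2: untrusted sources reach each published DMZ service and only
    # that service on that host; these are the external connections the
    # firewall must let through, so the rule is scoped per host and port.
    if zone(dst) == "dmz":
        for name, (ip, p, port) in PUBLISHED.items():
            if dst_ip == ip and proto == p and dport == port:
                return True, "published-" + name
        return False, "dmz-unpublished"
    # Rule 3: nothing initiated from the Internet, or from a DMZ host that
    # may already be compromised, reaches the internal network.
    return False, "default-deny"

def tally(attempts):
    """Count verdict rules over (src, dst, proto, dport) tuples, e.g. logs."""
    counts = {}
    for src, dst, proto, dport in attempts:
        rule = decide(src, dst, proto, dport)[1]
        counts[rule] = counts.get(rule, 0) + 1
    return counts
```

Running `tally` over firewall log entries shows how much of the permitted traffic is the “untrusted” DMZ-bound kind, which is exactly the traffic the next slides say must be segmented and monitored.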
Network Protection
• The second line of defense
  • Segment the network internally
  • Monitor for malicious activity
  • Encrypt sensitive network traffic
  • Scan incoming files for malware (viruses, worms, etc)
• Protection from attacks that come through or around the firewall, or originate from within
Network Intrusion Detection
[Diagram: the simple firewall architecture above (Internet, firewall, DMZ with Web, DNS, FTP and Mail servers, internal network) with candidate IDS sensor placements: in front of the firewall, in the DMZ, behind the firewall, and on the internal network]
Managed Firewall & IDS by HP/ISS
• Puts security in the hands of experts
• Built on best of breed technology
• Ensures most up to date protection
• Active responses to security incidents
• Advanced configuration and tuning
• Lower cost of ownership
• Reduced risk
Malicious Code
• File downloads, email attachments, and applets can carry malicious content through the perimeter defenses
• Hybrid threats can replicate and propagate using trusted network services
• Defense in depth strategy essential to AV
  • Gateway
  • Server
  • Desktop
  • Wireless
Host Security
• The third line of defense
  • Strong authentication
  • System hardening
  • Host-based IDS and personal firewalls
• Internal protection of applications and data
  • File permissions
  • Access Control Lists
• Protects against the authorized user, hostile insider, and determined attacker
Vulnerability Scanning
Find the holes before the hackers do!
• Inventory the active IP’s in your address space
• Identify the OS and active network services
• Scan for known vulnerabilities
• Brute force test for weak passwords
• Test the application and database security
• Integrate with configuration management and trouble ticketing
• Assessment service using ISS technology offered in conjunction with HP
System Hardening
• Basic system lock down
  • Eliminate default accounts
  • Enforce strong passwords
  • Minimize network services
  • Restrict file sharing (NFS)
  • Be careful with trust relationships
  • Minimize access to root account
  • Use file permissions and ACLs
  • Apply the patches in a timely manner
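Several of the lock-down items above can be checked mechanically. The following added example (not from the presentation) audits constructed copies of /etc/passwd, /etc/shadow and /etc/exports for extra UID 0 accounts, empty passwords, leftover default accounts, and NFS exports open to any host or exported with no_root_squash; the file contents and the default-account list are assumptions built for the example.

```python
# Constructed stand-ins for /etc/passwd, /etc/shadow, /etc/exports (no live reads).
PASSWD = """root:x:0:0:root:/root:/bin/sh
toor:x:0:0:second superuser:/root:/bin/sh
guest:x:1001:1001:guest:/home/guest:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
"""
SHADOW = """root:$6$salt$hash:19000:0:99999:7:::
toor:$6$salt$hash:19000:0:99999:7:::
guest::19000:0:99999:7:::
lp:*:19000:0:99999:7:::
"""
EXPORTS = """/export/home 10.0.0.0/8(rw,root_squash)
/export/pub *(rw,no_root_squash)
"""
DEFAULT_ACCOUNTS = {"guest", "demo", "toor", "test"}  # constructed list

def _rows(text):
    return [line.split(":") for line in text.splitlines() if line]

def extra_uid0(passwd_text):
    """Accounts other than root that carry UID 0."""
    return [f[0] for f in _rows(passwd_text) if f[2] == "0" and f[0] != "root"]

def empty_passwords(shadow_text):
    """Accounts whose shadow password field is empty (no password needed)."""
    return [f[0] for f in _rows(shadow_text) if f[1] == ""]

def default_accounts(passwd_text):
    """Known default/vendor account names still present."""
    return sorted({f[0] for f in _rows(passwd_text)} & DEFAULT_ACCOUNTS)

def risky_exports(exports_text):
    """NFS exports granted to any host (*) or with no_root_squash."""
    hits = []
    for line in exports_text.splitlines():
        path, _, clients = line.partition(" ")
        for client in clients.split():
            host, _, opts = client.partition("(")
            if host == "*" or "no_root_squash" in opts.rstrip(")").split(","):
                hits.append((path, host))
    return hits

def audit(passwd_text=PASSWD, shadow_text=SHADOW, exports_text=EXPORTS):
    """Findings keyed by the lock-down item each one violates."""
    return {
        "minimize access to root account": extra_uid0(passwd_text),
        "enforce strong passwords": empty_passwords(shadow_text),
        "eliminate default accounts": default_accounts(passwd_text),
        "restrict file sharing (NFS)": risky_exports(exports_text),
    }
```

Feeding the real files into `audit` on a host gives a per-item list that maps directly onto the trouble-ticket integration the scanning slide calls for.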
HP Virtual Vault
Mission critical Internet applications
• Trusted operating system
• Partitioned web runtime environment
• “Vaulted” web server
• Web proxy module
Desktops, Laptops, and Workstations
• End user systems more at risk than ever
  • Applications and OS’s highly vulnerable to attack
  • Often have highly sensitive data stored on drive
  • Usually connected to multiple networks, bypassing perimeter controls
• Defending the desktop
  • Minimize active services
  • Avoid dual connecting
  • Run a “personal firewall” or desktop IDS
  • Hard drive encryption on mobile systems
Remote Access - Dial Up
• Protect ALL access paths to internal net
• Dial up security defenses
• User authentication (password, token)
• Warning banners
• Call back modems
• Monitoring
• Encryption
• Inactivity time outs
Messaging and P2P
• Risks
  • Infected files
  • Open sharing
  • Copyright Infringement
  • Clear text messages
  • Reveals internal IP addresses
• Counter-measures
  • Deny access to login servers at the firewall
  • Highly customizable, making port blocking difficult
  • Network IDS can detect IM and P2P traffic
  • Use a more secure IM application such as Lotus Sametime
Wireless LAN Security
• Tremendous value and user convenience driving explosive growth
• Serious security issues need to be addressed
  • Unauthorized/unprotected Access Points
  • Standard encryption is weak (WEP)
  • Opens internal network to easy attack
• Wireless LANs can be deployed securely
  • Integrate with RADIUS authentication (LEAP)
  • Implement wireless PKI (TLS)
Virtual Private Networks
• Create a private network over a public network using encryption, authentication and tunneling
• May be more cost effective than leased lines
• VPN security features
  • Authentication of VPN end points
  • Confidentiality and integrity of data in transit
• Allows remote users to securely access resources as if they were on the internal network
• HP offers line of VPN server appliances
  • complete, secure, end-to-end connections
  • reduced telecommunications costs
  • intuitive interfaces for easy configuration and management
VPN Architectures
Gateway to Gateway VPN
• Branch office to headquarters
• Site to site extranet
[Diagram: a branch office network behind a firewall/VPN gateway and the internal corporate network behind a VPN gateway, joined by a VPN tunnel across the Internet]
Client to Gateway VPN
• Mobile users
• Small/home office user
[Diagram: mobile users and a home office user run VPN clients that tunnel across the Internet to a VPN gateway in front of the internal network]
Client to Client VPN
• No VPN gateway
• End to end security
[Diagram: a VPN client on the corporate network and a VPN client on a remote network, joined directly by a VPN tunnel across the Internet]
Authentication, Authorization & Access
• Authentication – proving you are who you say you are
  • Something you know
  • Something you have
  • Something you are
• Authorization – ensuring you are entitled to do what you are doing
• Access Control – managing user access to resources
What is HP-UX AAA Server?
• The HP-UX AAA Server is used for authentication, authorization and accounting of user network access.
• Performs critical network access functions for service providers and enterprises requiring security and accounting at the access points to the network.
• Includes authentication of user identities and passwords, authorization of services and applications, and accounting for user activity on the network.
HP AAA Server Deployment
Putting it all Together
[Diagram: threats directed at user workstations, core servers, intranet servers, DMZ servers, routers/switches, dial-in links, and extranets; users log in with a User ID, password, and SecurID token]
Keys to Effective Security Management
Treat security as a business process, not a project
Base security program on sound policies
Conduct a risk assessment to establish requirements
Implement a full lifecycle approach
Address People, Process, and Technology
Implement a “Defense in Depth” strategy
Security is complicated, consider outsourcing it
Useful Links
• www.hp.com/security
• www.iss.net
• www.georgetown.edu/uis/help/CompuSec/
• www.itc.virginia.edu/security/checklist/
• http://web.mit.edu/security/www/cuispnew/policies.htm
• www.net.tamu.edu/network/using.html
• www.unt.edu/ccadmin/security/security%20manual/index.htm
• http://ita.berkeley.edu:4259/security/swg.report.html