Protection Solutions for Campus Networks Gary Geddes, CISSP X-Force Protection Services Internet Security Systems Copyright Gary Geddes, 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Page 1: Protection Solutions for Campus Networks

Gary Geddes, CISSP
X-Force Protection Services
Internet Security Systems

Copyright Gary Geddes, 2002. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Page 2: Agenda

• Network Security Principles

• Current State of Campus Network Security

• Protection Solutions

• Putting it Together

• Summary

Page 3: Traditional Approach to Security

Page 4: Risks at all Layers of the Infrastructure

[Diagram: the infrastructure drawn as a stack, each layer carrying its own risks: Applications, Databases, Operating Systems, Network Services, Internet]

Page 5: Layered Security

Defense in Depth Approach

• Perimeter Security
  • Firewall, filtering router
  • Modem security

• Network Defenses
  • Intrusion Detection
  • Encrypted Transmission

• Host Security
  • Hardening and Patches
  • System Log Monitoring

• Application Defenses
  • Passwords, Tokens
  • Audit Trails

• Data and Resources
  • Encryption
  • Permissions, entitlements

Page 6: The “Three Pillars”

• An effective security architecture is built on sound policy and implements layers of technical controls supported by robust management processes and a well trained security staff.

[Diagram: the three pillars People, Process and Technology standing on a foundation of Security Policy]

Page 7: Policy Provides the Foundation

• Defines the guiding principles for information protection

• Sets security requirements necessary to meet business objectives

• States management’s commitment to information security

• Shows the organization’s approach for managing information security

• Defines the importance of information security as a business enabler

Page 8: People

• Management
  • Must sponsor and actively support security program

• Security Staff
  • Must be sensitive to business requirements for IT

• Network and System Administrators
  • Must support and cooperate with security team

• Users
  • Security aware and vigilant

Page 9: Protection Solutions for Campus Networks Gary Geddes, CISSP X-Force Protection Services Internet Security Systems Copyright Gary Geddes, 2002. This work

Process• Critical security management processes

• User management (account set up and termination)

• Change control / configuration mgt

• Vulnerability scanning and remediation

• Security incident response

• Log review and analysis

• Data classification

• User awareness

Page 10: Technology

• Exclusion – Keeping the “bad guys” out
  • Perimeter security
  • Firewalls, IDS, Anti-virus etc.
  • Scanning, patching, system hardening

• Inclusion – Letting the “good guys” in
  • Identification and authentication
  • Authorization and access control
  • VPNs, PKI, and encryption

Page 11: Security Management Principles

• Confidentiality - ensuring that information is accessible only to those authorized to have access

• Integrity - safeguarding the accuracy and completeness of information processing

• Availability - ensuring that authorized users have access to information and associated assets when required

Page 12: Additional Concerns

• Authentication – assurance that the identity of the users is known

• Authorization – validating whether or not an entity is allowed to perform a specific action

• Non-repudiation – proof that an entity performed a specific action

All at the expense of …

• Privacy

Page 13: General Security Trends

• Standardization of technology
  • TCP/IP, UNIX, Windows, Common application sets

• Rapid rate of new vulnerabilities
  • 10 to 20 new announcements / month

• More sophisticated threats
  • Automated scans and attacks

• Lack of skilled security staff
  • Hackers are often one step ahead

Page 14: The Hybrid Threat

• Convergence of worms, viruses, hacking, and denial of service

• Fully automated, multi-vector attack
  • Nimda, Code Red etc.

• No one security mechanism will protect against the hybrid threat

Page 15: Campus Network Security Issues

• Security of research data

• Privacy of student information

• Regulatory issues (FERPA)

• Software piracy / swapping etc

• Malicious / unauthorized use

• Downstream liability

• Not “PC” activities (harassment …)

• Gaming, downloading and other bandwidth hogs

Page 16: Current State of Campus Networks

• Large, sprawling networks

• Tight budgets

• Lack of awareness

• Resistance to security

• Transient students

• Freedom to “tinker” with equipment

• Minimal accountability

• Little or no pay for security staff

• Research grants restrictive on usage

Page 17: Current State of Campus Networks

• "Universities were a major contributor to the DDOS attacks. They've always been a major contributor to security problems.” – Jeffrey Hunker, NSC

• "Why were universities so involved in these attacks? Because they're naked, they're sitting out there on the Internet with no firewalls or anything.” - Stephen Northcutt, SANS

• "In many universities, there's really no way for IT staff to know what machines are out there, especially in the research areas," - Randy Marchany, Virginia Polytechnic Institute

Page 18: Current State of Campus Networks

• EDUCAUSE formed a task force on systems security that's disseminating to university IT departments some tactical guidelines for DDOS detection, prevention and response.

• EDUCAUSE has several security working groups, including a fast-hit program to try to get universities to at least address the top 10 vulnerabilities and an awareness committee to educate nontechnical university officials and research faculty.

• "Every one of those 1,800 campuses involved in our program is working on their own campus security now, so you're already starting to see some change. But it'll probably take a year or two to educate everyone." - Mark Lukor, EDUCAUSE

Page 19: The Paradox

• How do we build a network security architecture that provides reasonable protection for the campus information assets, but preserves the freedom of expression traditionally found within academic environments?

Page 20: Perimeter Security

• Your first line of defense
  • Filtering routers
  • Firewalls
  • Modem security
  • Wireless access points

• Primarily a preventative control
  • Will normally deter casual hackers
  • A determined attacker can often penetrate
  • Will not stop an intruder who has a stolen UserID and password

Page 21: Simple Firewall Architecture

[Diagram: the Internet (“Untrusted” Network), a Border or “Screening” Router, and a Firewall with three network interfaces: one to the Internet, one to the DMZ or “Screened Subnet” holding the Web, DNS, FTP and Mail servers, and one to the Internal (“Trusted”) Network]

Page 22: Common View of the Firewall

• Internal users can get out

• External attackers can’t get in

[Diagram: Internet and Internal Network separated by the firewall; the Internal User reaches the external Web Server, while the Hacker's path to the Internal Server is blocked (x)]

Page 23: Protection Solutions for Campus Networks Gary Geddes, CISSP X-Force Protection Services Internet Security Systems Copyright Gary Geddes, 2002. This work

• The firewall allows many “untrusted” external connections to internal servers

The Reality of Firewalls

DNS Server

Web Server

Email Server

DNS Request

HTTP Connection

SMTP Connection

Internal Network
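As an added example, not code from the original slides, the following Python models the three-interface firewall of the Simple Firewall Architecture slide and the point made on this one: a working policy must admit untrusted connections, but only to the DMZ services that are meant to be public, and never straight into the trusted network. The address ranges, zone names and rule set are constructed assumptions; the evaluator is first-match with an implicit default deny, which is how most packet filters behave, and the audit function flags any allow rule that would expose the internal network.

```python
"""Three-interface (screened-subnet) firewall policy, evaluated first-match
with an implicit default deny, as most packet filters do.

Constructed example: the address plan and rules are assumptions, not a
configuration taken from the slides.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan for the two networks the firewall owns.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),      # "screened subnet"
    "internal": ipaddress.ip_network("10.0.0.0/8"),   # "trusted" network
}


def zone_of(ip: str) -> str:
    """Map an address to dmz / internal; anything else is the untrusted Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str            # "internet", "dmz", "internal" or "*" for any
    dst_zone: str
    proto: str               # "tcp", "udp" or "*"
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"
    comment: str = ""

    def matches(self, src_zone: str, dst_zone: str, proto: str, port: int) -> bool:
        return (self.src_zone in ("*", src_zone)
                and self.dst_zone in ("*", dst_zone)
                and self.proto in ("*", proto)
                and self.dst_port in (None, port))


# The policy behind "the firewall allows many untrusted external connections":
# the Internet is let into the DMZ service by service, and nowhere else.
POLICY: List[Rule] = [
    Rule("internet", "dmz", "tcp", 80, "allow", "public web server"),
    Rule("internet", "dmz", "tcp", 25, "allow", "inbound mail"),
    Rule("internet", "dmz", "udp", 53, "allow", "public DNS"),
    # A compromised DMZ host must not become a stepping stone inward, so this
    # deny sits before any broader allow.
    Rule("dmz", "internal", "*", None, "deny", "DMZ may not initiate to internal"),
    Rule("internal", "dmz", "*", None, "allow", "staff administer DMZ hosts"),
    Rule("internal", "internet", "*", None, "allow", "internal users can get out"),
    # No rule admits internet -> internal; that traffic falls to the default deny.
]


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int,
             policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Decide one new connection: returns (action, reason) for the first match."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.matches(src_zone, dst_zone, proto, dst_port):
            return rule.action, rule.comment
    return "deny", "default deny"


def internal_exposure(policy: List[Rule] = POLICY) -> List[Rule]:
    """Audit check: allow rules that reach the trusted network from a less
    trusted zone and are not shadowed by an earlier, broader deny."""
    exposed = []
    for i, rule in enumerate(policy):
        if rule.action != "allow" or rule.dst_zone not in ("internal", "*"):
            continue
        if rule.src_zone == "internal":
            continue
        shadowed = any(
            earlier.action == "deny"
            and earlier.src_zone in ("*", rule.src_zone)
            and earlier.dst_zone in ("*", rule.dst_zone)
            and earlier.proto in ("*", rule.proto)
            and earlier.dst_port in (None, rule.dst_port)
            for earlier in policy[:i]
        )
        if not shadowed:
            exposed.append(rule)
    return exposed


if __name__ == "__main__":
    for pkt in [("203.0.113.5", "192.0.2.10", "tcp", 80),   # internet -> DMZ web
                ("203.0.113.5", "192.0.2.10", "tcp", 22),   # internet -> DMZ ssh
                ("203.0.113.5", "10.1.2.3", "tcp", 80),     # internet -> internal
                ("192.0.2.10", "10.1.2.3", "tcp", 445),     # DMZ -> internal
                ("10.1.2.3", "203.0.113.5", "tcp", 443)]:   # internal -> internet
        print(pkt, "->", evaluate(*pkt))
    print("rules exposing the internal network:", internal_exposure())
```

The ordering of the DMZ-to-internal deny ahead of the management allow is the detail that makes the screened subnet worth having: a web server that is compromised through the one port the policy had to open still cannot open sessions toward the trusted side.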

Page 24: Protection Solutions for Campus Networks Gary Geddes, CISSP X-Force Protection Services Internet Security Systems Copyright Gary Geddes, 2002. This work

Network Protection• The second line of defense

• Segment the network internally• Monitor for malicious activity• Encrypt sensitive network traffic• Scan incoming files for malware (viruses, worms, etc)

• Protection from attacks that come through or around the firewall, or originate from within

Page 25: Network Intrusion Detection

[Diagram: the simple firewall architecture (Internet, Firewall, "DMZ" with Web, DNS, FTP and Mail servers, Internal Network) with the possible IDS sensor positions marked]

• IDS in front of Firewall

• IDS in DMZ

• IDS behind Firewall

• IDS on the Internal Network
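To make concrete what "monitor for malicious activity" means for a sensor placed behind the firewall or on the internal network, here is an added example (not code from the slides, nor from ISS) of one classic network IDS heuristic: flag a source that touches many distinct host/port targets within a short window, the footprint of the automated scans mentioned on the trends slide. The flow-log format, all addresses and the tuning values are constructed for the example.

```python
"""Host/port-sweep heuristic over a simplified flow log (added example).

Line format, constructed for this example rather than taken from any real
sensor:  <unix_ts> <src_ip> <dst_ip> <dst_port> <proto>
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Flow = Tuple[int, str, str, int, str]

# Constructed sample: a fast scanner (203.0.113.7), a normal web/mail client
# (198.51.100.4) and a slow scanner (203.0.113.9) probing one port per 100 s.
FLOW_LOG = """\
# ts   src            dst          dport proto
1000   203.0.113.7    192.0.2.10   21    tcp
1001   203.0.113.7    192.0.2.10   22    tcp
1002   203.0.113.7    192.0.2.10   23    tcp
1003   203.0.113.7    192.0.2.10   25    tcp
1004   203.0.113.7    192.0.2.10   53    tcp
1005   203.0.113.7    192.0.2.10   80    tcp
1006   203.0.113.7    192.0.2.10   110   tcp
1007   203.0.113.7    192.0.2.10   111   tcp
1008   203.0.113.7    192.0.2.10   135   tcp
1009   203.0.113.7    192.0.2.10   139   tcp
1010   203.0.113.7    192.0.2.10   443   tcp
1011   203.0.113.7    192.0.2.10   445   tcp
1000   198.51.100.4   192.0.2.10   80    tcp
1003   198.51.100.4   192.0.2.10   80    tcp
1007   198.51.100.4   192.0.2.11   25    tcp
1020   198.51.100.4   192.0.2.10   80    tcp
2000   203.0.113.9    192.0.2.10   21    tcp
2100   203.0.113.9    192.0.2.10   22    tcp
2200   203.0.113.9    192.0.2.10   23    tcp
2300   203.0.113.9    192.0.2.10   25    tcp
2400   203.0.113.9    192.0.2.10   80    tcp
"""


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed flow-log format, skipping blank and comment lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, port, proto = line.split()
        flows.append((int(ts), src, dst, int(port), proto))
    return flows


def detect_sweeps(flows: List[Flow], window: int = 60, threshold: int = 10) -> Dict[str, dict]:
    """Alert once per source the first time it has touched at least `threshold`
    distinct (dst_ip, dst_port) targets inside any `window` seconds."""
    recent = defaultdict(list)   # src -> [(ts, (dst, port)), ...] still inside the window
    alerts: Dict[str, dict] = {}
    for ts, src, dst, port, _proto in sorted(flows):
        kept = [(t, tgt) for t, tgt in recent[src] if t > ts - window]
        kept.append((ts, (dst, port)))
        recent[src] = kept
        distinct = {tgt for _, tgt in kept}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = {"first_seen": kept[0][0], "trigger_ts": ts, "targets": len(distinct)}
    return alerts


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("default tuning:", detect_sweeps(flows))
    # The slow scanner only shows up with a wider window and lower threshold,
    # the same change that raises false positives on busy clients: tuning is
    # the operational work behind a sensor, not an afterthought.
    print("wide window: ", detect_sweeps(flows, window=1000, threshold=5))
```

The second run in the usage block is the caveat a practitioner wants with any threshold rule: a scan spread thinly over time slips under a 60-second window, and widening the window to catch it is a trade against false positives from legitimate clients that talk to many services.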

Page 26: Managed Firewall & IDS by HP/ISS

• Puts security in the hands of experts

• Built on best of breed technology

• Ensures most up to date protection

• Active responses to security incidents

• Advanced configuration and tuning

• Lower cost of ownership

• Reduced risk

Page 27: Protection Solutions for Campus Networks Gary Geddes, CISSP X-Force Protection Services Internet Security Systems Copyright Gary Geddes, 2002. This work

Malicious Code• File downloads, email attachments, and

applets can carry malicious content through the perimeter defenses

• Hybrid threats can replicate and propagate using trusted network services

• Defense in depth strategy essential to AV• Gateway• Server• Desktop• Wireless

Ethernet

Page 28: Protection Solutions for Campus Networks Gary Geddes, CISSP X-Force Protection Services Internet Security Systems Copyright Gary Geddes, 2002. This work

Host Security• The third line of defense

• Strong authentication• System hardening• Host-based IDS and personal firewalls

• Internal protection of applications and data• File permissions• Access Control Lists

• Protects against the authorized user, hostile insider, and determined attacker

Page 29: Vulnerability Scanning

Find the holes before the hackers do!

• Inventory the active IPs in your address space

• Identify the OS and active network services

• Scan for known vulnerabilities

• Brute force test for weak passwords

• Test the application and database security

• Integrate with configuration management and trouble ticketing

• Assessment service using ISS technology offered in conjunction with HP

Page 30: System Hardening

• Basic system lock down
  • Eliminate default accounts
  • Enforce strong passwords
  • Minimize network services
  • Restrict file sharing (NFS)
  • Be careful with trust relationships
  • Minimize access to root account
  • Use file permissions and ACLs
  • Apply the patches in a timely manner
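Three items of the lock-down list (default accounts, minimized root access, strong passwords) can be checked mechanically. The following Python is an added example, not code from the slides or from HP/ISS: it audits passwd/shadow style data for extra UID 0 accounts, interactive vendor/default accounts and empty password fields, and applies a simple strong-password rule. The file contents, default-account list and hash strings are constructed; on a real host the same functions would be fed /etc/passwd and /etc/shadow.

```python
"""Account lock-down audit against passwd/shadow style data (added example).

The sample files are constructed for this example; the hash strings are
placeholders, not real hashes.  On a live host read /etc/passwd and
/etc/shadow (the latter requires root) and pass their text in.
"""
from typing import Dict, List, Tuple

PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:second root account:/root:/bin/sh
guest:x:1001:1001:Guest:/home/guest:/bin/sh
alice:x:1002:1002:Alice:/home/alice:/bin/sh
"""
SHADOW = """\
root:$6$PLACEHOLDER$HASH:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
toor:$6$PLACEHOLDER$HASH:19000:0:99999:7:::
guest::19000:0:99999:7:::
alice:$6$PLACEHOLDER$HASH:19000:0:99999:7:::
"""

# Vendor/default account names to flag while they remain interactive
# (constructed list; extend it with what your OS and applications ship).
DEFAULT_ACCOUNTS = {"guest", "test", "demo", "admin", "oracle", "tomcat"}
NOLOGIN_SHELLS = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
LOCKED_MARKERS = ("*", "!", "!!")   # shadow password fields meaning "no login by password"


def parse_colon_file(text: str) -> Dict[str, List[str]]:
    """Parse passwd/shadow lines into {username: [fields...]}."""
    rows = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text: str, shadow_text: str) -> List[Tuple[str, str]]:
    """Return (account, finding) pairs for the lock-down items that can be
    read straight off the account files."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    findings = []
    for name, f in passwd.items():
        uid, shell = int(f[2]), f[6]
        if uid == 0 and name != "root":
            findings.append((name, "extra UID 0 account"))          # minimize root access
        if name in DEFAULT_ACCOUNTS and shell not in NOLOGIN_SHELLS:
            findings.append((name, "default account with interactive shell"))
        entry = shadow.get(name)
        if entry is None:
            findings.append((name, "no shadow entry"))
        elif entry[1] == "":
            findings.append((name, "empty password"))              # no password at all
        # entries in LOCKED_MARKERS are locked, which is the desired state
    return findings


def password_meets_policy(pw: str, min_len: int = 12) -> bool:
    """Strong-password rule used here: minimum length plus at least three of
    the four character classes (lower, upper, digit, other)."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= min_len and sum(classes) >= 3


if __name__ == "__main__":
    for account, finding in audit_accounts(PASSWD, SHADOW):
        print(f"{account:8s} {finding}")
    for candidate in ("password", "Summer2002", "correct-Horse-42"):
        print(f"{candidate!r}: {'ok' if password_meets_policy(candidate) else 'rejected'}")
```

The policy function belongs in the account-creation path (the "user management" process on the Process slide) rather than in a one-off scan: a weak password rejected at creation never needs to be found later by the brute-force test on the Vulnerability Scanning slide.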

Page 31: HP Virtual Vault

Mission critical Internet applications

• Trusted operating system

• Partitioned web runtime environment

• “Vaulted" web server

• Web proxy module

Page 32: Desktops, Laptops, and Workstations

• End user systems more at risk than ever
  • Applications and OS’s highly vulnerable to attack
  • Often have highly sensitive data stored on drive
  • Usually connected to multiple networks, bypassing perimeter controls

• Defending the desktop
  • Minimize active services
  • Avoid dual connecting
  • Run a “personal firewall” or desktop IDS
  • Hard drive encryption on mobile systems

Page 33: Remote Access - Dial Up

• Protect ALL access paths to internal net

• Dial up security defenses
  • User authentication (password, token)
  • Warning banners
  • Call back modems
  • Monitoring
  • Encryption
  • Inactivity time outs

Page 34: Messaging and P2P

• Risks
  • Infected files
  • Open sharing
  • Copyright Infringement
  • Clear text messages
  • Reveals internal IP addresses

• Counter-measures
  • Deny access to login servers at the firewall
  • Highly customizable making port blocking difficult
  • Network IDS can detect IM and P2P traffic
  • Use a more secure IM application such as Lotus Sametime

Page 35: Wireless LAN Security

• Tremendous value and user convenience driving explosive growth

• Serious security issues need to be addressed
  • Unauthorized/unprotected Access Points
  • Standard encryption is weak (WEP)
  • Opens internal network to easy attack

• Wireless LANs can be deployed securely
  • Integrate with RADIUS authentication (LEAP)
  • Implement wireless PKI (TLS)

Page 36: Virtual Private Networks

• Create a private network over a public network using encryption, authentication and tunneling

• May be more cost effective than leased lines

• VPN security features
  • Authentication of VPN end points
  • Confidentiality and integrity of data in transit
  • Allows remote users to securely access resources as if they were on the internal network

• HP offers line of VPN server appliances
  • complete, secure, end-to-end connections
  • reduced telecommunications costs
  • intuitive interfaces for easy configuration and management

Page 37: VPN Architectures

[Diagram: three VPN topologies, each with a VPN Tunnel across the Internet]

• Gateway to Gateway VPN: Firewall/VPN Gateway at the Internal Corporate Network to VPN Gateway at the Branch Office Network
  • Branch office to headquarters
  • Site to site extranet

• Client to Gateway VPN: VPN Client on the Mobile User or Home Office User to VPN Gateway at the Internal Network
  • Mobile users
  • Small/home office user

• Client to Client VPN: VPN Client at each end, Corporate Network to Remote Network
  • No VPN gateway
  • End to end security

Page 38: Authentication, Authorization & Access

• Authentication – proving you are who you say you are
  • Something you know
  • Something you have
  • Something you are

• Authorization – ensuring you are entitled to do what you are doing

• Access Control – managing user access to resources

Page 39: What is HP-UX AAA Server?

• The HP-UX AAA Server is used for authentication, authorization and accounting of user network access.

• Performs critical network access functions for service providers and enterprises requiring security and accounting at the access points to the network.

• Includes authentication of user identities and passwords, authorization of services and applications, and accounting for user activity on the network. 

Page 40: HP AAA Server Deployment

Page 41: Putting it all Together

[Diagram: the campus infrastructure to be protected: User Workstations, Core Servers, Dial-in Links, Extranets, Intranet Servers, Routers/Switches and DMZ Servers, with user logon (User ID, Password, SecurID) and the surrounding Threats]

Page 42: Keys to Effective Security Management

• Treat security as a business process, not a project

• Base security program on sound policies

• Conduct a risk assessment to establish requirements

• Implement a full lifecycle approach

• Address People, Process, and Technology

• Implement a “Defense in Depth” strategy

• Security is complicated, consider outsourcing it

Page 43: Useful Links

• www.hp.com/security

• www.iss.net

• www.georgetown.edu/uis/help/CompuSec/

• www.itc.virginia.edu/security/checklist/

• http://web.mit.edu/security/www/cuispnew/policies.htm

• www.net.tamu.edu/network/using.html

• www.unt.edu/ccadmin/security/security%20manual/index.htm

• http://ita.berkeley.edu:4259/security/swg.report.html