20050214-Juniper-Lopez


Defending the Campus
Ed Lopez – Emerging Technologies
Copyright © 2004 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
1
“The Headlines”
• “’MafiaBoy’ DDoS Attack Via University Network”
• “Postdoc Arrest Linked to Intellectual Property Theft from University Labs”
• “Hack on University Exposes 1.4M Social Security Numbers”
• “Universities Fear 6th of Month as Klez Virus Re-erupts”
• “RIAA Sues Campus File-Swappers”
• “Weak Security Causes University to Ban Unauthorized Wi-Fi on Campus Nets”
• “Campus Networks: Havens for Spammers?”
• “Vital Files Exposed in University Hacking, 32,000 Students and Employees Affected”
Our Users – Our Problem
• Students – Bandwidth, Active Threat, No Standards
• Faculty – Openness, Intellectual Property, Communication
• Administration – Privacy/Financial/Academic Data, Web Services
• Facilities/Security – Operations, Logistics, Emergency Services
• Health Services – HIPAA, Medical Support Systems
• Externals – Support for Gov’t Projects, External/Joint Academics, Libraries, Research
Security is in How We Access Our Networks
• Dormitories – Wired/Wireless, more than one host per student
• Libraries – Shared systems, public/anonymous access
• Commons – Wireless, rogue access points, ‘evil twins’
• Telecommuters – Commuting students, off-campus housing, fraternities/sororities, ‘Starbucks’ and other community outlets
• Educational Areas – May have specialized requirements, especially science departments
• Health Services & Administration – Autonomous but linked
• Externals – Dedicated support requirements, threat from external security breaches
Campuses – Crucibles for New Technologies and Security Issues
• Varied OS Support: Windows (multiple versions), MacOS, Linux, BSD, Palm, PocketPC, new handhelds
• No Personal Firewall/Anti-Virus Standards
• VoIP: Internally supported, Vonage, etc.
• Authentication: Passwords (weak), Tokens, SSN vs. Unique Number, Single Sign-On vs. Segmentation
• Wireless vs. Wired
• Many Back Channels: POP3, IM, IRC, P2P, FTP, etc.
• Music: P2P vs. Legal Downloads
What We Intended
What We Ended Up With
Social Engineering
Firewalls Alone Are Not Enough
• A TCP/80 client session:
  • Is it MSIE?
  • Is it Mozilla Firefox?
  • Is it a Warez P2P session?
• Firewalls, even with application intelligence, make their decisions mostly on Layer 3 and 4 fields: addresses, protocol and ports
• But with the convergence of multiple applications around well-known ports and protocols, how do we differentiate the legitimate ones from the rogue ones?
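The three cases on the slide are indistinguishable to a port-based rule: each is a TCP/80 flow. What tells them apart is the client's first payload bytes. The following is an added example, not code from the Juniper deck; it classifies a flow from those bytes using the well-known HTTP request line, the BitTorrent peer-wire handshake, the TLS record header and IRC registration commands. All flow ids and payloads are constructed, and the port number is deliberately not an input.

```python
"""Tell what a 'TCP/80' session really is by looking at its first payload bytes.

Added example, not from the Juniper deck: a stateful firewall matches on
address/protocol/port and so sees all three sessions on the slide as the
same TCP/80 flow. All sample payloads below are constructed.
"""
import re

# HTTP/1.x request line: METHOD SP Request-URI SP HTTP-Version CRLF
_HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.[01]\r\n")
_USER_AGENT = re.compile(rb"\r\nUser-Agent: ([^\r\n]*)")


def browser_family(user_agent: str) -> str:
    """Coarse browser label from a User-Agent string (client-controlled, so advisory only)."""
    if "Firefox" in user_agent:
        return "firefox"
    if "MSIE" in user_agent:
        return "msie"
    return "other" if user_agent else "no-ua"


def classify_tcp80(payload: bytes) -> str:
    """Label the first client-to-server bytes of a flow that happens to use port 80."""
    # BitTorrent peer-wire handshake: <pstrlen=19><"BitTorrent protocol">
    if payload[:20] == b"\x13BitTorrent protocol":
        return "bittorrent"
    # TLS record: content type 0x16 (handshake) followed by major version 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    # IRC client registration starts with NICK/USER/PASS
    if re.match(rb"^(NICK|USER|PASS) ", payload):
        return "irc"
    if _HTTP_REQUEST.match(payload):
        ua = _USER_AGENT.search(payload)
        agent = ua.group(1).decode("latin-1") if ua else ""
        return "http:" + browser_family(agent)
    return "unknown"


# Constructed sample flows, keyed by a made-up flow id
SAMPLES = {
    "ff1": b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n"
           b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7.5) Gecko/20041107 Firefox/1.0\r\n\r\n",
    "ie1": b"GET / HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n",
    "bt1": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"X" * 40,
    "irc1": b"NICK campusbot\r\nUSER bot 0 * :bot\r\n",
    "tls1": bytes([0x16, 0x03, 0x01, 0x00, 0x5a]) + b"\x01" + b"\x00" * 10,
    "junk": b"\x00\x01\x02\x03",
}


def classify_all(samples=SAMPLES) -> dict:
    """Classify every sample flow; returns {flow_id: label}."""
    return {fid: classify_tcp80(p) for fid, p in samples.items()}


if __name__ == "__main__":
    for fid, label in classify_all().items():
        print(f"{fid:5} -> {label}")
```

The browser label comes from the User-Agent header, which the client chooses freely; it is useful for inventory, never as an access-control decision. The protocol labels are stronger because they come from framing the client must send for the session to work at all, which is exactly what an IDS/IPS parsing "all 7 layers" does at scale.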
Layered Threats – Layered Defenses
Domino Effect
Security Is Not Required for Applications & Networks to Function!
• Everything works in the lab!
• Trust is inherent to design!
• What are your policies?
• How are they enforced?
• How do you detect/prevent malicious traffic, rogue hosts/apps, and misuse?
• What is really on your network?
Security Requirements for the Campus
• Access Defense at Network/Data Centers – No effective perimeters, no control of end-user hosts
• Network Awareness – Variable users/access/technologies make for quickly changing threats
• QoS – Defending bandwidth for necessary resources, mitigating DoS attacks, policy conformance
• Segregation of IP Networks – With use of common infrastructure
• Standardization Where Possible – Enforcement of security processes is a must for applications, data centers, and systems holding sensitive data
• Provisioned Services – Key to consistent delivery of manageable services
Securing Access
• Wireless Access = Remote Access
• Common solution sets mean ease of deployment and a common user experience
  • Can implement role-based policies
• SSL VPNs are your friend
  • Clientless – Just need a browser
  • Encryption offers confidentiality and integrity of traffic
  • Defend Remote Access, Wireless Access, Access to Data Centers
• You can’t rely on host-based defenses, so defend at the ingress
  • Perimeter defenses (Firewall, ACL)
  • NAV and Anti-spam on campus web/mail services
Securing Data Centers
• Best defenses are based on knowing what to defend
  • You may not control the clients, but you do control the servers
• Tight perimeter defenses
• Portaling
• Intrusion Detection/Prevention
• Honeypots / Honeynets
Importance of Network Awareness
• “Network awareness now a new mindset for security professionals.”
• “Every component of the network is part of the ecosystem.”
• “The end user is the moving chess piece of the network board.”
• “The really good intruders study the environment before attacking.”
Source: Network Awareness, whitepaper by BlackHat Consulting
IDS – Intrusion Detection System
Typically out of line of the data flow, on a tap. Evaluates deeper into the packet to validate the protocol and search for exploits and anomalies. All 7 layers of the OSI model can be parsed.
Diagram: the IDS on a tap raises an alert (HELP); a dynamic ACL request is sent to the router/firewall, or a TCP RESET is sent to close the session.
IPS – Intrusion Prevention System
Typically inline with the data flow. Evaluates deeper into the packet to validate the protocol and search for exploits and anomalies. All 7 layers of the OSI model can be parsed. Does not have to rely on other devices in the network to complete its task.
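The practical difference between the IDS and IPS slides is timing. The following is an added example, not code from the deck: it runs the same three packets through a passive sensor on a tap (which only sees a copy after the wire has delivered the packet and can respond with a TCP RESET and a dynamic ACL on the upstream router/firewall) and through an inline sensor (which renders its verdict before forwarding). The signature is a constructed byte pattern standing in for a rule, not a real exploit; the flows and payloads are constructed too.

```python
"""Out-of-band IDS vs. inline IPS against a single-packet exploit.

Added example, not from the deck. It models the two placements on the
IDS and IPS slides: the IDS sees a copy of each packet from a tap after
the wire has already delivered it, so it can only react (TCP RESET,
dynamic ACL on the router/firewall); the IPS sits inline and decides
before forwarding. Signature, flows and payloads are constructed; the
'exploit' is just a byte pattern.
"""
from dataclasses import dataclass, field

# Constructed signature standing in for an IDS/IPS rule: NOP sled followed by a shell path.
SIGNATURE = b"\x90" * 8 + b"/bin/sh"


@dataclass(frozen=True)
class Packet:
    flow: tuple          # (src_ip, dst_ip, dst_port)
    payload: bytes


def matches_signature(pkt: Packet) -> bool:
    return SIGNATURE in pkt.payload


@dataclass
class Server:
    delivered: list = field(default_factory=list)

    def receive(self, pkt: Packet) -> None:
        self.delivered.append(pkt)


def run_ids(packets, server: Server):
    """Passive sensor on a tap: detection happens after delivery, the response lands on later packets."""
    blocked_flows = set()
    actions = []
    for pkt in packets:
        if pkt.flow in blocked_flows:
            continue                       # dynamic ACL already installed upstream
        server.receive(pkt)                # the wire forwarded the packet regardless
        if matches_signature(pkt):         # the tap copy is analysed too late for this packet
            actions.append(("tcp-reset", pkt.flow))
            actions.append(("dynamic-acl", pkt.flow))
            blocked_flows.add(pkt.flow)
    return actions


def run_ips(packets, server: Server):
    """Inline sensor: the verdict is taken before the packet is forwarded."""
    actions = []
    for pkt in packets:
        if matches_signature(pkt):
            actions.append(("drop", pkt.flow))
            continue
        server.receive(pkt)
    return actions


# Constructed traffic: benign request, exploit, then a follow-up from the attacker on the same flow.
ATTACK_FLOW = ("192.0.2.50", "10.1.1.10", 80)
PACKETS = [
    Packet(("10.20.3.5", "10.1.1.10", 80), b"GET / HTTP/1.0\r\n\r\n"),
    Packet(ATTACK_FLOW, b"GET /" + SIGNATURE + b" HTTP/1.0\r\n\r\n"),
    Packet(ATTACK_FLOW, b"id; uname -a\n"),
]


def compare(packets=PACKETS) -> dict:
    """Run both placements over the same packets and report what the server actually received."""
    ids_server, ips_server = Server(), Server()
    ids_actions = run_ids(packets, ids_server)
    ips_actions = run_ips(packets, ips_server)
    return {
        "ids_actions": ids_actions,
        "ids_exploit_delivered": any(matches_signature(p) for p in ids_server.delivered),
        "ids_delivered": len(ids_server.delivered),
        "ips_actions": ips_actions,
        "ips_exploit_delivered": any(matches_signature(p) for p in ips_server.delivered),
        "ips_delivered": len(ips_server.delivered),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

The IDS still earns its place: its TCP RESET and dynamic ACL stop the attacker's follow-up packet, and it can be deployed without putting a device in the forwarding path. But for anything that does its damage in one packet, only the inline placement keeps the payload off the server, which is the point the IPS slide makes with "does not have to rely on other devices". The model IPS here drops only the matching packet; a production sensor would usually also block the rest of the flow.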
Network Awareness – Know Your Threat!
• Who is peering with your critical systems?
• Who are the IRC bots?
• Who is probing your network?
• Correlate security events to hosts/network objects
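Each of the questions on this slide is a correlation over flow records keyed by host. The following is an added example, not code from the deck, that answers all three from one constructed set of flow records (src, dst, dst_port, packets): sustained campus-to-external traffic on IRC ports, sources touching many distinct dst:port pairs with a packet each, and every source that has talked to a critical host. The campus prefix, the critical-host list and the thresholds are assumptions.

```python
"""Correlate flow records back to hosts: IRC bots, scanners, peers of critical systems.

Added example, not from the deck. The flow records are constructed
(fields: src, dst, dst_port, packets, one record per flow); the campus
prefix, the critical-host list and the thresholds are assumptions.
"""
from collections import defaultdict
import ipaddress

CAMPUS = ipaddress.ip_network("10.0.0.0/8")        # assumption: campus address space
CRITICAL = {"10.1.1.10", "10.1.1.11"}              # assumption: e.g. registrar DB, mail store
IRC_PORTS = {6667, 6668, 6669, 7000}               # common IRC ports; bots also use others
SCAN_MIN_TARGETS = 20                              # distinct dst:port pairs before we call it a scan

# Constructed records: ordinary web use, a chatty IRC client, admin traffic to the DB, and a port scan.
FLOWS = [
    ("10.20.3.5", "203.0.113.7", 6667, 1200),
    ("10.20.3.5", "203.0.113.7", 6667, 980),
    ("10.20.4.9", "198.51.100.20", 80, 40),
    ("10.20.4.9", "203.0.113.7", 6667, 3),           # one short IRC flow: below the bot threshold
    ("10.30.1.2", "10.1.1.10", 1433, 300),
    ("10.30.1.2", "10.1.1.11", 25, 10),
] + [("192.0.2.14", "10.1.1.10", port, 1) for port in range(20, 45)]


def is_campus(ip: str) -> bool:
    return ipaddress.ip_address(ip) in CAMPUS


def irc_bots(flows, min_packets=100):
    """Campus hosts with sustained flows to external IRC ports: candidate bots (or chatty users)."""
    packets_by_host = defaultdict(int)
    for src, dst, dport, pkts in flows:
        if is_campus(src) and not is_campus(dst) and dport in IRC_PORTS:
            packets_by_host[src] += pkts
    return {h for h, n in packets_by_host.items() if n >= min_packets}


def scanners(flows, min_targets=SCAN_MIN_TARGETS):
    """Sources touching many distinct dst:port pairs with one or two packets each."""
    targets = defaultdict(set)
    for src, dst, dport, pkts in flows:
        if pkts <= 2:
            targets[src].add((dst, dport))
    return {s for s, t in targets.items() if len(t) >= min_targets}


def critical_peers(flows):
    """Who is peering with the critical systems, split into campus and external sources."""
    peers = {h: {"campus": set(), "external": set()} for h in CRITICAL}
    for src, dst, dport, pkts in flows:
        if dst in CRITICAL:
            peers[dst]["campus" if is_campus(src) else "external"].add(src)
    return peers


def report(flows=FLOWS) -> dict:
    return {
        "irc_bots": irc_bots(flows),
        "scanners": scanners(flows),
        "critical_peers": critical_peers(flows),
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

The IRC heuristic is port-based and so is only a starting point; a bot herder who runs the C&C on TCP/80 will not appear here, which is why the payload-based classification and the IDS/IPS parsing discussed earlier belong in the same pipeline. The critical-peers table is the one most worth keeping over time: an external source appearing against the registrar DB is an event to chase regardless of whether it also tripped the scanner threshold.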
Network QoS – Managed Unfairness
Diagram: Classify, Schedule, Transmit, with queues for VoIP, Gold, Silver and Best Effort.
• Bandwidth isn’t free and all traffic is not equal
• Migration continues toward a converged network, with multiple services over IP
• Need to distinguish between the multiple services on the converged network infrastructure
  • Examples: voice and real-time video
• Implementing QoS allows us to utilize existing bandwidth better
• QoS tools can be used as security tools to safeguard priority network services and applications
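What "managed unfairness" buys you under attack is easiest to see in a scheduler. The following is an added example, not code from the deck: it implements the Classify, Schedule, Transmit pipeline from the slide as a strict-priority voice queue behind a policer plus weighted round robin for Gold, Silver and Best Effort, then offers it a best-effort flood and a second flood marked as voice. The DSCP values, the trusted voice subnet, the weights and the policer size are assumptions.

```python
"""'Managed unfairness': a strict-priority voice queue with a policer plus weighted round robin.

Added example, not from the deck. It shows the Classify -> Schedule ->
Transmit pipeline on the QoS slide and why QoS is also a security tool:
a best-effort flood cannot starve VoIP or Gold, and because EF marks are
trusted only from the voice subnet, a host that marks its flood as voice
still lands in best-effort. DSCP values, subnets, weights and the policer
burst are assumptions.
"""
from collections import Counter, deque

VOICE_SUBNET = "10.5."                                  # assumption: where trusted EF marks come from
WEIGHTS = {"gold": 4, "silver": 2, "best-effort": 1}    # WRR packets per scheduling round
VOIP_SLOTS = 2                                          # strict-priority slots per round (the policer)


def classify(pkt) -> str:
    """pkt is (dscp, src_ip). EF (46) is honoured only from the voice subnet; other EF is re-marked."""
    dscp, src = pkt
    if dscp == 46:
        return "voip" if src.startswith(VOICE_SUBNET) else "best-effort"
    return {26: "gold", 18: "silver"}.get(dscp, "best-effort")


def schedule(packets, rounds: int):
    """Return the transmit order as (class, pkt) tuples after `rounds` scheduler passes."""
    queues = {cls: deque() for cls in ("voip", *WEIGHTS)}
    for pkt in packets:
        queues[classify(pkt)].append(pkt)
    sent = []
    for _ in range(rounds):
        for _ in range(VOIP_SLOTS):            # voice first, but never more than the policer allows
            if queues["voip"]:
                sent.append(("voip", queues["voip"].popleft()))
        for cls, weight in WEIGHTS.items():    # then each data class gets its weighted share
            for _ in range(weight):
                if queues[cls]:
                    sent.append((cls, queues[cls].popleft()))
    return sent


# Constructed offered load: a DoS-sized best-effort flood, a spoofed-EF flood, real voice, some gold.
FLOOD = [(0, "10.20.7.7")] * 500 + [(46, "10.20.7.7")] * 300
VOICE = [(46, "10.5.0.21")] * 20
GOLD = [(26, "10.1.1.10")] * 30


def demo(rounds=10) -> Counter:
    """Count what was transmitted per class within the first `rounds` passes."""
    order = schedule(FLOOD + VOICE + GOLD, rounds)
    return Counter(cls for cls, _ in order)


if __name__ == "__main__":
    print(demo())          # voice and gold fully served; the 800-packet flood gets 10 slots
```

Two details carry the security value. The policer on the strict-priority queue means that even trusted voice cannot monopolise the link if a phone is compromised, and re-marking EF from outside the voice subnet means the classification step, not the attacker's DSCP field, decides who gets priority. Without both, a priority queue is simply a faster path for the DoS.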
Segregating IP Networks – MPLS
• Multiple IP nets / Common Infrastructure
• Security, Access Control at the Edge
• Provisioned Services – Manageability
Diagram: an IP/MPLS core (CE, PE and P routers) carrying separate networks for Wireless Access, Campus Network, Remote Campus, Housing, VoIP and Internet Access.
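The mechanism behind "multiple IP nets, common infrastructure" is that the PE looks a packet up in the table belonging to the network it arrived from, never in the others. The following is an added example, not code from the deck, of that per-table longest-prefix lookup: the same 10.0.0.0/8 prefix is installed in several tables and forwards differently, and a table with no default route simply drops what it has no route for. The VRF names, prefixes and next-hop labels are constructed.

```python
"""One physical core, several isolated IP networks: per-VRF forwarding tables.

Added example, not from the deck. Each service on the MPLS slide rides
the same IP/MPLS core but is looked up in its own table at the PE. The
tables, prefixes and next-hop names are constructed; note that the same
10.0.0.0/8 prefix appears in several VRFs and forwards differently.
"""
import ipaddress

VRFS = {
    "housing": {"10.0.0.0/8": "housing-core", "0.0.0.0/0": "internet-gw"},
    "voip":    {"10.0.0.0/8": "voip-core"},          # no default: the voice VRF never reaches the Internet
    "admin":   {"10.0.0.0/8": "admin-core", "172.16.0.0/12": "datacenter"},
}


def lookup(vrf: str, dst: str):
    """Longest-prefix match inside one VRF only; None means the PE drops the packet."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in VRFS[vrf].items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def forwarding_demo() -> dict:
    """Same destinations, looked up in each VRF; shows overlap and isolation side by side."""
    destinations = ["10.1.1.10", "172.16.1.5", "198.51.100.1"]
    return {vrf: {dst: lookup(vrf, dst) for dst in destinations} for vrf in VRFS}


if __name__ == "__main__":
    for vrf, routes in forwarding_demo().items():
        print(vrf, routes)
```

Isolation here is a property of the tables, which is why the slide puts security and access control "at the edge": the PE is the only place where a route can be leaked between VRFs, so the import/export policy on the PE is the access-control list for the whole segregated design.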
Standardization
• Openness applies to the user community, not to campus administration and staff
• Deployed network applications and services must be tightly defined
• IDS/IPS to look for malicious traffic within these applications and services
• Standardized authentication systems – centralized online identity control
• Operational & management support is key to policy enforcement
Provisioned Services
• Bring all of these security concepts together
  • Portaling – Present services in a consistent fashion, role-based authentication
  • Network Awareness – Defining and provisioning services provides a clear scope
  • QoS – Protect service resources
  • Segregation – Reduces threat vectors and malicious logic trees between services
  • Standardization – Building security into what we deploy
• Create an atmosphere of what we can do, vs. what we can’t
Juniper Networks Portfolio
• Secure Access SSL VPN
• Secure Meeting
• Integrated Firewall/IPsec VPN
• Intrusion Detection and Prevention
• Policy & Service Control
• Central Policy-based Management
• NMC-RX, JUNOScope
• Enterprise Routing: J-series
• Routing platforms (E-series, M-series, T-series) spanning circuit aggregation, BRAS, metro aggregation, and small/medium to large core
Thank You!
[email protected]