To block or not to block
5 IT Managers share their experiences
© The Association of Independent Schools of NSW
Knox Grammar School
Mike Israel – IT Manager
Network Topology
Internal Network
• Cisco Switches and Access Points
• Using VLANs
• Originally no wireless security
• Wireless WPA-TKIP with PEAP authentication.
When machine is joined to domain it is issued with a certificate to join the network
Bandwidth Control
Packeteer
• Provides bandwidth control
• Can monitor and control how bandwidth is being used, e.g. iTunes downloads, max total 5Mbps, any one connection <256kbps
• Can designate slices of bandwidth to particular ports/protocols
• Can block programs and protocols, e.g. encrypted tunnelling over port 80
Using ACLs
Access Control Lists enable the control of certain VLANs to specified servers/addresses/ports/services
ACLs on core router to block student access to servers
Spam and Anti-virus
Spam is detected, marked as spam and delivered to Junk mail folder via Exchange.
Spam Assassin, Clam AV (free)
ClamAV does initial filtering of malware.
Trend Micro performs second pass on incoming mail.
Symantec Client used on client machines
Symantec Client
Updates
Trend Micro
Filtering - ContentKeeper
Can block all unmanaged sites to students which takes care of proxy bypass. Also blocks keyword searches on popular search engines, block protocols (backup to Packeteer)
Firewall prevents access to certain IP address ranges on certain ports
ContentKeeper Filtering Groups
• Users default to general profile with filtering based on student needs
• Staff identified through their login (LDAP) to more open filtering
• Pages can be blocked/coached/time of day. All unmanaged sites blocked for students
Web Access Policy
• Technology Usage Policy published in school diary and condition to login. Also Year 7 sign when they take delivery of their school laptop
• MySpace and YouTube blocked, Facebook OK
• Streaming media is limited so as not to clog Internet access
Contact Details
Mike Israel Knox Grammar School
7 Woodville Ave Wahroonga
Phone (02) 9473 9773 Fax (02) 9473 9759
Email [email protected]
Danebank Anglican School for Girls
John Tuffs – IT Director
Network History
• < 2005 Microsoft ISA Firewall + DHCP/DNS with no E-mail filtering
• 2005 – 2008 ISONet HTTP & SMTP filtering, ISA Firewall + DHCP/DNS
• 2008 Cisco ASA Firewall + SONAR filtering, Windows server for DHCP/DNS
Danebank Network Layout
Internal Network
• HP Procurve Switches
• 1 Management VLAN for Procurve Manager
• 1 VLAN for the rest
• Wireless Access Points using only WEP & MAC security (ie no security)
Antivirus / SPAM / Web Filtering
• Symantec System Centre and local clients for AV
• SPAM handled by Sonar Appliance – not using challenge option
• Filtering handled by Sonar Appliance
(Initial install and support provided by Accucom)
Sonar Filtering Groups
• IT Staff
• General Staff / Teachers
• Senior School (7-12)
• Junior School (K-6)
• Lunch Filter (7-12)
Custom Block Message
Web Access Policy
• Internet Acceptable Use policy signed by students
• All social networking is blocked
• YouTube is blocked to students – teachers can show videos
• Streaming media is blocked due to bandwidth constraints
Contact Details
John Tuffs
IT Director
80-98 Park Rd Hurstville NSW 2220
Phone (02) 9580 1415 Fax (02) 9579 3450
Email [email protected]
Security Workshop
SCEGGS Darlinghurst
Topology Overview
ISOnet topology
SCEGGS’ Topology
ISOnet: Intrusion Detection
• Two layers of Intrusion Prevention using McAfee IntruShield and TippingPoint.
• Both are set to blocking mode for all medium to high threats.
• There have been 13,777,987 Exploits blocked…This week!
• There have been 1,830,537 policy Violations blocked…This week!
ISOnet: Denial of Service
• Peakflow DDoS technology from Arbor Networks.
• There have been 1,830,537 policy Violations blocked…This week!
• Up to 60% of traffic bound for schools is blocked by ISONet as it is unsolicited. Schools only pay for what they use.
ISOnet: Spam/Av
• ISOnet uses a cluster of McAfee and IronPort AV/Spam/Content filter appliances.
• Filters based on policies set by individual school
• Actions taken by the filter are specified as part of the policy determined by the school
• For staff – messages sent to spam@sceggs. This mailbox is searchable by staff through a proxy arrangement.
• For students spam messages are dropped
ISONet Policies

Real-time blackhole list (RBL) checking – Identifies whether the IP address is
an open relay or spam organisation.

IP Reputation checking – Identifies whether an IP address has been known to
send exploits, worms, trojans or sites known to be hacked.

Anti-spoofing verifications – Determines if sender is attempting to forge as an
internal address.

All scanning modules listed in the attached document (AV checks, spam
checks, content-filtering checks, anti-phishing checks, file filtering, etc.)

Integrity Analysis – Examine header, layout and organisation of the message.

Spam scoring - Positive and negative scoring of emails based on known spam
traits.

Bayesian Learning - Custom created spam signatures based on feedback
system – false-positive and false-negative verification.

Blacklists and whitelists – customer based trusted and untrusted email
senders.
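
Added example (not part of the original slides, and not ISONet's own code): a sketch of two of the connection-time checks named above, the RBL lookup and the anti-spoofing verification. The RBL zone, internal domain, internal address range and the canned resolver are all constructed for illustration.

```python
import ipaddress
import socket

# Assumed values for illustration; none of these come from the slides.
RBL_ZONE = "rbl.example.org"
INTERNAL_DOMAINS = {"school.example"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
LISTED_RANGE = ipaddress.ip_network("127.0.0.0/8")


def rbl_query_name(ip, zone=RBL_ZONE):
    """Build the DNSBL lookup name: IPv4 octets reversed, then the list's zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def is_listed(ip, resolve=socket.gethostbyname, zone=RBL_ZONE):
    """Listed addresses resolve into 127.0.0.0/8; no answer means not listed."""
    try:
        answer = resolve(rbl_query_name(ip, zone))
    except OSError:  # NXDOMAIN or resolver failure: this sketch fails open
        return False
    return ipaddress.ip_address(answer) in LISTED_RANGE


def is_spoofed_internal(sender, client_ip):
    """True when mail claims an internal sender domain but arrives from outside."""
    domain = sender.rpartition("@")[2].lower().rstrip(".")
    inside = any(ipaddress.ip_address(client_ip) in net for net in INTERNAL_NETS)
    return domain in INTERNAL_DOMAINS and not inside


def connection_checks(sender, client_ip, resolve=socket.gethostbyname):
    """Run both checks; return the reasons to reject (empty list = pass)."""
    reasons = []
    if is_listed(client_ip, resolve):
        reasons.append("rbl-listed")
    if is_spoofed_internal(sender, client_ip):
        reasons.append("spoofed-internal-sender")
    return reasons


def sample_resolver(name):
    """Constructed stand-in for DNS so the example runs offline."""
    if name == "7.113.0.203." + RBL_ZONE:
        return "127.0.0.2"
    raise OSError("NXDOMAIN")
```

Passing sample_resolver as the resolve argument keeps the run offline; with the default resolver the lookup goes to whichever zone is configured in RBL_ZONE.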
From Outside: SCEGGS Policy
Email Setting
Status
Severity
Configuration Detail (Action)
Anti-spam
Enabled
Medium
When spam identified:
Refuse original data and return a rejection code
Forward the original email to [email protected]
Anti-virus
Enabled
High
Anti-Phishing
Enabled
Compliancy
Disabled
Corrupt Content
Enabled
When corrupt content detected:
Replace the content with an HTML alert
Encrypted Content
Enabled
When encrypted content detected:
Allow through
File Filtering
Disabled
-
HTML Settings
Disabled
-
Mail Settings
Disabled
-
Mail Size Filtering
Disabled
-
When the message is larger than 10240 kilobytes:
Refuse the original data and return a rejection code
Deliver a notification email to the sender
Protected Content
Enabled
-
When protected content is detected:
Allow through
Enabled
-
When a denial of service protection limit is exceeded:
Replace the content with an HTML alert
Enabled
-
When signed content is detected:
Allow changes to break signed email
When identified:
Attempt to clean
If cleaning fails replace content with an HTML alert and quarantine the original email
When identified:
Forward the original email to [email protected]
-
Contact Details
Ian Ralph
IT Manager – SCEGGS Darlinghurst
215 Forbes St Darlinghurst NSW 2010
Phone (02) 99332 1133 Fax (02) 9332 1858
Web sceggs.nsw.edu.au
Email [email protected]
Arndell Anglican College
Network Security Overview
VLANs
Low Level VLAN Map
What’s Great About VLANs
• Allows use of ACLs
• Segments Broadcast Traffic
• More Devices
How Does it Translate Into a Physical Layout?
Content Filtering at Arndell
• Blacklists - Various Categories Updated Regularly
• Scanning of logs regularly
• Students summoned to explain actions
• Culture has changed now that students know they will be caught if they do the wrong thing
• Internet traffic is forced to content filter dependent on VLAN assignment
Spam and Anti-Virus
• Sophos Anti-Virus used across the network
• Sophos plug-in for mail server
• Spam filtered using Spam Assassin
• Blacklist lookups like SORBS
Contact Details
Rohan Smith
Coordinator IT Services
Arndell Anglican College
118 Wolseley Road Oakville NSW 2765
Phone: +61 2 4572 3633 Fax: +61 2 4573 3849
Website: http://www.arndell.nsw.edu.au
Email: [email protected]
The King’s School
Michael Eggenhuizen
The School
The King’s School – Some Statistics:
• Anglican Church School
• Established in 1832 (176 years)
• 300 acres in North Parramatta
• K-12 Boys School with 1450 Students
• 400 Boarders
• Multiple Residences on Property
Internet Bandwidth
Internet Connection Bandwidth:
• 2005 – 2.5Mb ADSL/ISDN
• 2006 – 10Mb Ethernet
• 2007 – 20Mb Ethernet
• 2008 – 50Mb Ethernet
• 2009 – 100Mb Ethernet
• ISP – The Somerville Group
Internet Access
All Staff and Students have Access to:
• YouTube, MySpace, Facebook, ...
• Hotmail, Yahoo Mail, Gmail, ...
• MSN Messenger, ...
• Most if not all Web 2.0 Technologies
• Changes to filtering (led by ICT Services) provide staff and students with a real and relatively unrestricted learning experience
Internet & Email Filtering
Filtering is multi-layered:
• Email Filtering
• Internet Filtering
Network Box
Weekly Email Activity (Incoming Average)
• Spam (95.5%) - 485,647
• Virus (1.5%) - 7,608
• Delivered (3%) - 15,615
• Total (100%) - 508,870
Network Box
Weekly Internet Activity (Average)
• URLs Visited - 13,254,949
• URLs Blocked due to Virus Activity - 71
• URLs Blocked due to Policy Rules - 3,326
• Threat Signature Updates - 843
• Internet Download (GB) – 398
• Monthly Internet Download (TB) – 1.6
Contact Details
Michael Eggenhuizen
Director ICT
PO Box 1 Parramatta NSW 2124
Phone (02) 9683 8650 Fax (02) 9683 8565
www.kings.edu.au
[email protected]