Transcript Securing the Campus Network

Securing the Campus Network
Rita Anderson
Ronni Wilkinson
University of South Carolina
Copyright, University of South Carolina (2004). This work is the
intellectual property of the University of South Carolina. Permission is
granted for this material to be shared for non-commercial, educational
purposes, provided that this copyright statement appears on the
reproduced materials and notice is given that the copying is by
permission of the University of South Carolina. To disseminate
otherwise or to republish requires written permission from the
University of South Carolina.
Agenda
•
•
•
•
•
•
•
•
USC’s Network During Fall, 2003
Call to Action
Defining a Security Policy
Implementing the Strategy
Technology Choices
Expectations of Fall, 2004
Risks & Mitigating Factors
Lessons Learned
The University of South Carolina
• Centered in Downtown
Columbia, SC
• Over 200 Year History
• Total Enrollment of 34,000 +
(Based on Spring 2003, All USC Campuses)
• Over 350 Degree Programs
• 155 Facilities Spread Over
358 Acres
Network Connections at USC
• Extensive Wireless Implementation Across Campus
• USC Rated 30th “Most Connected” campus in the
country by The Princeton Review.
-Forbes Magazine, October 2003
http://www.forbes.com/2003/10/01/conncampusland.html
• Residential Network
– 28 Residential Halls Plus Greek Housing, Married Student
Apartments, etc.
– Approximate Capacity – 7500 Students
– 40% of Undergraduate Population Lives on Campus
Move-In Weekend:
A USC Tradition
• The Weekend Just Before Fall Classes
Begin, Faculty and Staff Assist New Students
Move Into the Dorms
• Students Register Their PC’s Via NetReg
and Agree to Abide by USC’s Guidelines for
Responsible Computing
The Reality of Move-In Weekend
• Many PC’s Have Been Offline for Weeks
• Many Freshmen Bring New PC’s Still in
the Box
– The OS Image is Typically Months Old
• ~7500 New Connections
– Majority Unpatched
– Majority Unprotected from Viruses
– Cross-Infections Abound
Move-In 2003
• Blaster Worm Was Introduced Just Prior to MoveIn
• Faculty/Staff Urged to Patch, Patch, Patch
• Approximately 3,000 Systems Infected During the
First 2 Weeks of the Semester
• Help Desk Stretched
to Its Limits
• All IT Staff Became
Student Support Staff
Can Education Solve the Problem?
•
Questionable
– Emails, Web Posts, News Articles, Banner Pages on
Common Applications All Help…
– Fall 2003 Was Certainly a Learning Opportunity
•
By Feb, 2004, When Bagle.J Was Unleashed,
Total Infection Count Was ~500
•
By April, When Sasser.B Was Unleashed,
Total Infection Count Declined
•
By May, Virus Alert Web Page Hits Averaged > 1,000/Day
~ 4,000 New Students to Educate Every Fall!
Call To Action
• Know Who/What Is Connecting to
the Network
• Ensure that All Systems That
Connect Are “Clean”
• Quarantine “Unclean” Systems
Until They are “Cleaned”
• Automate the Process
2004 Strategy:
Supplement Education
With Automation
1.
Adopt a Strong Network
Access Policy
2.
Implement Proactive Measures
–
–
3.
Automate Reactive Measures
–
–
4.
Automate Scheduled Operating System Patches
Automate Scheduled Anti-Virus Updates
Validate that PC’s are Current Prior to Connecting to the Network
Quarantine and Remedy PC’s that are Not Current
Start Today With Technology Available Today
Adopting the Policy
• Goal State: 1 University, 1 Network
• Challenge: Concur on the Policy
• Historically
– Networking Began in Academic
Units
– Leading Edge Experimentation
• Today
– Multiple, Distinct Implementations
Across Campus
– Community of Network Managers
Adopting the Security Policy: Authentication
• Authentication Became a Key Requirement
• Domain Level or Network
• Multiple Methods in Place
– LDAP / LDAPS for
Most Applications
– Active Directory in
Some Colleges
• Not Ready to Move
to “Single Sign-On”
Username
Password
Adopting the Security Policy: Authentication
• Librarians Objected to “No Unauthenticated Access”
“We protect each library user's right to privacy and
confidentiality with respect to information sought or
received and resources consulted, borrowed,
acquired or transmitted.”
- Code of Ethics of the American Library Association (June 28, 1995)
www.ala.org
• Campus Libraries Serve Community Beyond USC
• Resolution
– Isolate Public Access Workstations from Remainder of
Network
– Obtain Approval from USC Office of General Counsel
Adopting the Security Policy:
Network Management
• Centralized Team for
Network Monitoring
– Manages Intrusion
Detection and Firewalls
– Monitors Network Activity
and Operations
• Distributed Administration
– Most Larger Academic
Units Have Dedicated IT
People
– Manage Labs and
Student/Faculty Access
• Adopted:
– Centralized Registration of
All Systems on Campus
– Delegation of Network
Management & Monitoring
Authority
– Centralized Definition of
Minimal Security Standards
– Distributed Enforcement
Adopting the Security Policy
 Network Access Requires Authentication
 All Systems Must Be Registered

MAC Address, User Name, Userid
 All Servers Must Be Registered
& Approved
 Students Can Not Run Servers in Dorms.
 No Personal Machine Can Route Traffic Through USC
Network
 All Wireless Traffic Must Be Encrypted
 All User Systems Must Meet Minimum Security
Requirements
Where to Start Implementation
•
•
•
•
•
•
Faculty/Staff Wired Network
Wireless Network
Student Residential Network
Student Labs
RAS Connections
VPN Connections
 Start with the Student
Residential Network
USC Residential Network Infrastructure
Internet
Firewall
Core
Router
Student
Router
Area Switch
Area Switch
Dorm Switch
Area Switch
Dorm Switch
Dorm Switch
Defining the Minimum Security Requirements
• Student PC
– Current Anti-Virus Software
– Clean System Report
– Current Operating System
Patches
– Personal Firewall
– Use of Strong Passwords
 Required
 Too Expensive
 Required
 Future
 Future
• Network
– Elimination of Peer-to-Peer
 Too Restrictive
Automating the Proactive Measures:
Anti-Virus Software
• Provide Anti-Virus Software for All University PC’s
– Faculty, Staff, Students
• Provide Install Option When Student Registers PC
• Set Default Options
– Run Initial Scan at Install
– Run Scan At Least Every Other Week
– Run Updates Daily
A-V
Automating the Proactive Measures:
OS Patch Management
• Microsoft Automatic
Updates
– Configured Per Desktop
System
– Desktop Polls Microsoft Site
for Updates
– Downloads Critical Updates
– Installs at Scheduled Time
or Upon User Approval
http://windowsupdate.microsoft.com
1. Poll
5. Install
Updates
2. Applicable
Update List
4. Download
New Updates
3. Determine
What is
Already
Installed
Automating the Proactive Measures:
OS Patch Management
• Microsoft Software Update
Services (SUS)
– Primary SUS Server Configured
to Poll Microsoft Site
– Local SUS Servers Pull
Patches from Primary Server
– Administrator Can Specify
Updates to be Distributed
– Desktop Polls Distribution Server
for Updates
http://windowsupdate.microsoft.com
1. Poll
SUS Server
2. Download
Applicable
Update List
3. Determine
What to
Distribute
4. Poll & Download
New Updates
5. Poll & Download
New Updates
Local SUS
Servers
Automating the Proactive Measures:
OS Patch Management
• Many Commercial Products
• Limiting Factor
– Students Desktops are NOT University Property
– USC Does not Provide the Desktop OS
• Patch Management
– Implement SUS as an Option for Faculty/Staff
– Implement Automatic Updates as an Option for
Students
Automating Reactive Measures:
Validation of Minimum Security Requirements
User Opens
Internet Browser on
Workstation
User is Requested
to Enter UserID
and Password
(Authentication)
Are Patches YES
& A-V Software
Up to Date?
Complete
Connection to
Internet
NO
User Installs
Necessary Patches
Or A-V Updates
NO
Are Patches YES
& A-V Software
Up to Date?
User Instructed to
Download A-V
and/or OS Patches
Complete
Connection to
Internet
Network Access
Restricted to
“Remedial” Sites
(Quarantine)
Re-validation will be required on
a scheduled basis.
Validation Software Requirements
 Software Solution
 Compatible with NetReg and DHCP
 Implement a Remediation Quarantine
 Do Not Allow Network Access Unless Validated
 Ideally, Isolate PC’s from Cross-Infections
 Redundancy
 No Dependency on Particular Switch Configuration
 Central or Tiered Management / Distributed Enforcement
 Support for Non-Windows OS’s
 Automate Exception Process
 Flexible Configuration of Validation Tests
 Server or Network Based Licensing
Technology Options:
Validation Software
• Server-Based Scanning
– Nessus Scans
– Effective for Identifying Vulnerabilities
– Benefit
• No Modification to Student Desktop
– Risk
• Personal Firewalls Can Block Scans
• Can Not Validate Security Configuration
• Validation Client Software
– Can Be Configured to Validate Configuration
– Benefit - Validate Configuration
– Risks
• Forcing Installation of Client on Student Desktop
• Frequent False Positives
• Difficult to Provide Direct Feedback to Students
Technology Options:
Quarantine Implementation
• DHCP Re-Direction (NetReg)
– Unauthenticated Access Starts with IP Address with Limited Access
• Registration Site
• Remediation Sites
– Once Validated, IP is configured for Student Community Network
– Benefits
• Easy to Implement
– Risks
• Users Who Hard Code IP Addresses Can By-Pass Validation
• Limited Validation and No “Forced” Remediation
• Typically, No Quarantine for Cross-Infections
Remediation
IP Address
Authenticate &
Validate
Student Network
IP Address
Technology Options:
Quarantine Implementation
• Dynamic VLAN Assignment
–
–
–
–
Dynamically Configures the VLAN Assignment Per Port
Unauthenticated Access Starts in Isolated VLAN
Once Validated, Port is Configured into Student VLAN
Benefits
• Eliminates Cross-Infection, True Quarantine
– Risks
• Requires Network Infrastructure to Support Dynamic VLANs
• Switch Reconfiguration Via Software
• Shared ports can not be supported
Switch Port Configured
For Isolated VLAN
Authenticate &
Validate
Switch Port Configured
For Student VLAN
Technology Options:
Quarantine Implementation
• Private VLANs
– No Communication Among Nodes on the VLAN
– Unauthenticated Access Starts in Private VLAN
• Firewall or ACLs Prevent Communication Between VLANs
– Once Validated, Port Can be Reconfigured for Community VLAN
– Benefits
• Eliminates Cross-Infection, True Quarantine
– Risks
• Requires Network Infrastructure to Support Private VLANs
• Switch Reconfiguration Via Software
Switch Port Configured
For Private VLAN
Complete
Registration
Switch Port Configured
For Community VLAN
Technology Options:
Quarantine Implementation
• Subnet Masks
–
–
–
–
–
Many Subnets, Allowing 1 Machine Per Subnet
Unauthenticated Access Starts in Masked Subnet
Non-Validated Role “Quarantined” by Access Control List on Router
Benefits - Prevents Cross-Infection, No Dynamic Switch Config
Risks
• Managing Lots of Little Subnets
• Can be Circumvented by Clever User
•  Current Plan of Record
Access Control List
Denies
Authenticate &
Validate
Access Control List
Allows
Status of the Project
• Proactive Measures
– Anti-Virus Software
Download
– SUS Implementation for
Faculty/Staff In Progress
– Automatic Updates
Configuration Download
Available to Students
• Reactive Measures –
Validation
– Computer Services
Network as Test
– Plan to Implement
Perfigo CleanMachinesTM
– Pilot in Summer Dorms
During July
– Introduce at Move-In
Weekend
Expectations of Move-In
• Move-In Weekend Support Should Last
Two Days!
• Limit Cross-Infections of New PC’s
• Significantly Reduce Overall Infection
Incidents
• Expect Increased Help Desk Calls
– New Process Will Generate More Calls
– Expect “Do I Have To….” Questions
Key Risks
• “Big Brother” Image
• Leading Edge Technology
• New Virus or Worm
Introduced that Weekend
• Pre-Infected Machines
• Ease of Use of the Process
• End User Education
Mitigating the Risks
• Focus on End User Education & Support
–
–
–
–
–
“How to Connect” Brochures in Each Dorm Room
Extensive Help Screens
Campus Newspaper Articles
Campus Cable TV Spot
Support Persons Available
in the Dorm
• Minimize the Hassle
What We’ve Learned Thus Far
• Involve the Legal Team
• Minimize Modification to
Student Desktops
• Communicate Early & Plenty
• Make Good Security as
Painless as Possible
• Emphasize the Benefits
– Network Availability
Next Steps
• Implement the Student Network For Fall
– Scan for Vulnerabilities
– Validate Anti-Virus Software and OS Patches
– Force Re-Validation Once a Week
– Monitor Feedback Closely
• If Successful,
– Implement for Campus Wireless for Spring
– Then, Begin Deployment to Faculty/Staff
Subnets
References & Acknowledgements
• Reference Sites
–
–
–
–
–
–
–
www.ala.org
www.cisco.com
www.forbes.com
www.microsoft.com
www.netreg.org
www.perfigo.com
www.sc.edu