Information Security


Protection Solutions for Campus Networks
Gary Geddes, CISSP
X-Force Protection Services
Internet Security Systems
Copyright Gary Geddes, 2002. This work is the intellectual property of the author. Permission
is granted for this material to be shared for non-commercial, educational purposes, provided
that this copyright statement appears on the reproduced materials and notice is given that the
copying is by permission of the author. To disseminate otherwise or to republish requires
written permission from the author.
Agenda
• Network Security Principles
• Current State of Campus Network Security
• Protection Solutions
• Putting it Together
• Summary
Traditional Approach to Security
Risks at all Layers of the Infrastructure
[Diagram: a layered stack reachable from the Internet: network services, operating systems, databases and applications, each carrying its own risks]
Defense in Depth Approach
• Perimeter Security
  • Firewall, filtering router
  • Modem security
• Network Defenses
  • Intrusion Detection
  • Encrypted Transmission
• Host Security
  • Hardening and Patches
  • System Log Monitoring
• Application Defenses
  • Passwords, Tokens
  • Audit Trails
• Data and Resources
  • Encryption
  • Permissions, entitlements
Layered Security
The “Three Pillars”
• An effective security architecture is built on
sound policy and implements layers of
technical controls supported by robust
management processes and a well trained
security staff.
[Diagram: the three pillars (People, Process, Technology) resting on a Security Policy foundation]
Policy Provides the Foundation
• Defines the guiding principles for information
protection
• Sets security requirements necessary to meet
business objectives
• States management’s commitment to
information security
• Shows the organization’s approach for
managing information security
• Defines the importance of information security
as a business enabler
People
• Management
  • Must sponsor and actively support security program
• Security Staff
  • Must be sensitive to business requirements for IT
• Network and System Administrators
  • Must support and cooperate with security team
• Users
  • Security aware and vigilant
Process
• Critical security management processes
  • User management (account set up and termination)
  • Change control / configuration management
  • Vulnerability scanning and remediation
  • Security incident response
  • Log review and analysis
  • Data classification
  • User awareness
Technology
• Exclusion – Keeping the “bad guys” out
  • Perimeter security
  • Firewalls, IDS, Anti-virus etc.
  • Scanning, patching, system hardening
• Inclusion – Letting the “good guys” in
  • Identification and authentication
  • Authorization and access control
  • VPNs, PKI, and encryption
Security Management Principles
• Confidentiality - ensuring that information is
accessible only to those authorized to have
access
• Integrity - safeguarding the accuracy and
completeness of information processing
• Availability - ensuring that authorized users
have access to information and associated
assets when required
Additional Concerns
• Authentication – assurance that the identity
of the users is known
• Authorization – validating whether or not an
entity is allowed to perform a specific action
• Non-repudiation – proof that an entity
performed a specific action
All at the expense of …
• Privacy
General Security Trends
• Standardization of technology
  • TCP/IP, UNIX, Windows, common application sets
• Rapid rate of new vulnerabilities
  • 10 to 20 new announcements / month
• More sophisticated threats
  • Automated scans and attacks
• Lack of skilled security staff
  • Hackers are often one step ahead
The Hybrid Threat
• Convergence of worms, viruses, hacking, and denial of service
• Fully automated, multi-vector attack
  • Nimda, Code Red etc.
• No one security mechanism will protect against the hybrid threat
Campus Network Security Issues
• Security of research data
• Privacy of student information
• Regulatory issues (FERPA)
• Software piracy / swapping etc
• Malicious / unauthorized use
• Downstream liability
• Not “PC” activities (harassment …)
• Gaming, downloading and other
bandwidth hogs
Current State of Campus Networks
• Large, sprawling networks
• Tight budgets
• Lack of awareness
• Resistance to security
• Transient students
• Freedom to “tinker” with equipment
• Minimal accountability
• Little or no pay for security staff
• Research grants restrictive on usage
Current State of Campus Networks
• "Universities were a major contributor to the DDOS attacks. They've always been a major contributor to security problems." – Jeffrey Hunker, NSC
• "Why were universities so involved in these attacks? Because they're naked, they're sitting out there on the Internet with no firewalls or anything." – Stephen Northcutt, SANS
• "In many universities, there's really no way for IT staff to know what machines are out there, especially in the research areas." – Randy Marchany, Virginia Polytechnic Institute
Current State of Campus Networks
• EDUCAUSE formed a task force on systems security
that's disseminating to university IT departments
some tactical guidelines for DDOS detection,
prevention and response.
• EDUCAUSE has several security working groups,
including a fast-hit program to try to get universities
to at least address the top 10 vulnerabilities and an
awareness committee to educate nontechnical
university officials and research faculty.
• "Every one of those 1,800 campuses involved in our
program is working on their own campus security
now, so you're already starting to see some change.
But it'll probably take a year or two to educate
everyone." - Mark Lukor, EDUCAUSE
The Paradox
• How do we build a network security
architecture that provides reasonable
protection for the campus information
assets, but preserves the freedom of
expression traditionally found within
academic environments?
Perimeter Security
• Your first line of defense
  • Filtering routers
  • Firewalls
  • Modem security
  • Wireless access points
• Primarily a preventative control
• Will normally deter casual hackers
• A determined attacker can often penetrate
• Will not stop an intruder who has a stolen UserID and password
Simple Firewall Architecture
[Diagram: the Internet (“untrusted” network) connects through a border or “screening” router to a firewall with three network interfaces: one facing the router, one to the DMZ or “screened subnet” hosting the Web, DNS, FTP and Mail servers, and one to the internal (“trusted”) network]
Common View of the Firewall
• Internal users can get out
• External attackers can’t get in
[Diagram: an internal user reaches a web server on the Internet; a hacker’s attempt to reach an internal server is blocked (x) at the firewall]
The Reality of Firewalls
• The firewall allows many “untrusted”
external connections to internal servers
[Diagram: from the Internet, a DNS request reaches the DNS server, an HTTP connection reaches the web server, and an SMTP connection reaches the email server on the internal network; the firewall passes all three]
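The point of the slide is easy to check against a rule set. The model below is an added example (not from the deck or from ISS/HP): it encodes the three-interface screened-subnet policy from the earlier diagram as an ordered, default-deny rule list and evaluates a constructed traffic sample against it. Every address, zone name and rule is an assumption made for illustration; the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 stand in for real subnets.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed address plan: documentation ranges stand in for real subnets
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src_zone: str                 # "external", "dmz" or "internal"
    dst_zone: str
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any port


def zone_of(addr: str) -> str:
    """Map an address to the firewall interface (zone) it sits behind."""
    ip = ip_address(addr)
    if ip in DMZ:
        return "dmz"
    if ip in INTERNAL:
        return "internal"
    return "external"


# First match wins; anything not listed falls through to the default deny.
POLICY: List[Rule] = [
    Rule("permit", "external", "dmz", "udp", 53),   # DNS queries to the DMZ name server
    Rule("permit", "external", "dmz", "tcp", 80),   # HTTP to the DMZ web server
    Rule("permit", "external", "dmz", "tcp", 25),   # SMTP to the DMZ mail relay
    Rule("permit", "internal", "external"),         # internal users can get out
    Rule("permit", "internal", "dmz"),              # internal users reach DMZ services
]


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.src_zone == zone_of(pkt.src)
            and rule.dst_zone == zone_of(pkt.dst)
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))


def decide(pkt: Packet, policy: List[Rule] = POLICY) -> str:
    """Return 'permit' or 'deny' for a packet under first-match semantics."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return "deny"   # default deny: nothing else crosses the firewall


# Constructed traffic sample; 198.51.100.7 plays an arbitrary Internet host
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "192.0.2.10", "udp", 53),   # external DNS query to DMZ resolver
    Packet("198.51.100.7", "192.0.2.20", "tcp", 80),   # external HTTP to DMZ web server
    Packet("198.51.100.7", "192.0.2.30", "tcp", 25),   # external SMTP to DMZ mail relay
    Packet("198.51.100.7", "192.0.2.20", "tcp", 22),   # external SSH to the DMZ web server
    Packet("198.51.100.7", "10.1.1.5", "tcp", 80),     # external HTTP straight to an internal host
    Packet("10.1.1.5", "198.51.100.7", "tcp", 443),    # internal user browsing out
]


def inbound_exposure(packets, policy=POLICY) -> Dict[Tuple[str, str, int], str]:
    """Decisions for every flow that originates outside the perimeter.

    The permitted entries are exactly the "untrusted external connections"
    the slide describes: the firewall passes them without inspecting what
    the request carries, so those services need hardening and an IDS sensor.
    """
    return {(p.dst, p.proto, p.dport): decide(p, policy)
            for p in packets if zone_of(p.src) == "external"}


if __name__ == "__main__":
    for flow, verdict in inbound_exposure(SAMPLE_PACKETS).items():
        print(f"{verdict:6s} {flow[0]} {flow[1]}/{flow[2]}")
```

Running the block prints one line per external flow; three of the five are permitted, which is the population an IDS in the DMZ has to watch. Because the rules never mention a DMZ-to-internal path, a compromised DMZ server also gets the default deny when it tries to reach inward.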
Network Protection
• The second line of defense
  • Segment the network internally
  • Monitor for malicious activity
  • Encrypt sensitive network traffic
  • Scan incoming files for malware (viruses, worms, etc.)
• Protection from attacks that come through or around the firewall, or originate from within
Network Intrusion Detection
[Diagram: IDS sensor placement: in front of the firewall, in the DMZ (Web, FTP, DNS, Mail), behind the firewall, and on the internal network]
Managed Firewall & IDS by HP/ISS
• Puts security in the hands of experts
• Built on best of breed technology
• Ensures most up to date protection
• Active responses to security incidents
• Advanced configuration and tuning
• Lower cost of ownership
• Reduced risk
Malicious Code
• File downloads, email attachments, and applets can carry malicious content through the perimeter defenses
• Hybrid threats can replicate and propagate using trusted network services
• Defense in depth strategy essential to AV
  • Gateway
  • Server
  • Desktop
  • Wireless
Host Security
• The third line of defense
• Strong authentication
• System hardening
• Host-based IDS and personal firewalls
• Internal protection of applications and data
  • File permissions
  • Access Control Lists
• Protects against the authorized user, hostile insider, and determined attacker
Vulnerability Scanning
Find the holes before the hackers do!
• Inventory the active IPs in your address space
• Identify the OS and active network services
• Scan for known vulnerabilities
• Brute force test for weak passwords
• Test the application and database security
• Integrate with configuration management and trouble ticketing
• Assessment service using ISS technology offered in conjunction with HP
System Hardening
• Basic system lock down
  • Eliminate default accounts
  • Enforce strong passwords
  • Minimize network services
  • Restrict file sharing (NFS)
  • Be careful with trust relationships
  • Minimize access to root account
  • Use file permissions and ACLs
  • Apply the patches in a timely manner
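Most of the lock-down items above can be checked mechanically. The audit below is an added example (not from the deck or from any HP/ISS product): it parses constructed `/etc/passwd`, `/etc/shadow` and `/etc/exports` style text plus a constructed list of listening sockets, and reports each checklist item the host fails. The sample file contents, the list of default account names and the set of services the host is supposed to offer are all assumptions a site would replace with its own.

```python
from typing import Dict, List, Set, Tuple

# ---- Constructed sample inputs (not real system files) ----
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
guest:x:1001:1001:Guest:/home/guest:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1002:1002:Alice:/home/alice:/bin/bash
"""

SHADOW = """\
root:$6$CONSTRUCTED$hash1:19000:0:99999:7:::
toor:$6$CONSTRUCTED$hash2:19000:0:99999:7:::
guest::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$CONSTRUCTED$hash3:19000:0:99999:7:::
"""

EXPORTS = """\
/srv/research 10.0.0.0/8(ro)
/home *(rw)
"""

# (protocol, port) pairs that are listening, as a constructed netstat result
LISTENING: Set[Tuple[str, int]] = {("tcp", 22), ("tcp", 25), ("tcp", 111),
                                   ("udp", 69), ("tcp", 80)}

# Assumptions a site would tailor: account names to remove, and the
# services this particular host is meant to offer.
DEFAULT_ACCOUNTS = {"guest", "test", "admin", "toor"}
ALLOWED_SERVICES = {("tcp", 22), ("tcp", 80)}


def parse_passwd(text: str) -> Dict[str, int]:
    """user -> uid"""
    out: Dict[str, int] = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            out[f[0]] = int(f[2])
    return out


def parse_shadow(text: str) -> Dict[str, str]:
    """user -> password field ('' = no password, '!'/'*' prefix = locked)"""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            f = line.split(":")
            out[f[0]] = f[1]
    return out


def parse_exports(text: str) -> List[Tuple[str, str]]:
    """[(path, client spec)] from /etc/exports style lines"""
    out: List[Tuple[str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            out.append((parts[0], parts[1]))
    return out


def is_enabled(pw_field: str) -> bool:
    """A locked account has '!' or '*' in the password field."""
    return not pw_field.startswith(("!", "*"))


def audit(passwd_text: str = PASSWD, shadow_text: str = SHADOW,
          exports_text: str = EXPORTS,
          listening: Set[Tuple[str, int]] = LISTENING) -> List[str]:
    """Return the checklist items this host fails, one finding per entry."""
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    findings: List[str] = []

    for user, uid in users.items():
        pw = shadow.get(user, "")   # missing shadow entry is treated as no password
        if user in DEFAULT_ACCOUNTS and is_enabled(pw):
            findings.append(f"default account still enabled: {user}")
        if pw == "":
            findings.append(f"account without a password: {user}")
        if uid == 0 and user != "root":
            findings.append(f"extra UID 0 account: {user}")

    for proto, port in sorted(listening):
        if (proto, port) not in ALLOWED_SERVICES:
            findings.append(f"unexpected listening service: {proto}/{port}")

    for path, clients in parse_exports(exports_text):
        if clients.startswith("*("):   # wildcard client spec: exported to every host
            findings.append(f"NFS export open to every host: {path} {clients}")

    return findings


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed sample the audit reports eight findings: the `toor` and `guest` default accounts, a second UID 0 account, a passwordless account, three services outside the allow list (SMTP, portmapper, TFTP) and a world-readable-and-writable home export. Strong password enforcement and patch currency are the two checklist items this kind of static check cannot establish; they need the password policy configuration and a vulnerability scan respectively.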
HP Virtual Vault
• Mission critical Internet applications
  • Trusted operating system
  • Partitioned web runtime environment
  • “Vaulted” web server
  • Web proxy module
Desktops, Laptops, and Workstations
• End user systems more at risk than ever
  • Applications and OS’s highly vulnerable to attack
  • Often have highly sensitive data stored on drive
  • Usually connected to multiple networks, bypassing perimeter controls
• Defending the desktop
  • Minimize active services
  • Avoid dual connecting
  • Run a “personal firewall” or desktop IDS
  • Hard drive encryption on mobile systems
Remote Access - Dial Up
• Protect ALL access paths to internal net
• Dial up security defenses
  • User authentication (password, token)
  • Warning banners
  • Call back modems
  • Monitoring
  • Encryption
  • Inactivity time outs
Messaging and P2P
• Risks
  • Infected files
  • Open sharing
  • Copyright infringement
  • Clear text messages
  • Reveals internal IP addresses
• Counter-measures
  • Deny access to login servers at the firewall
  • Highly customizable, making port blocking difficult
  • Network IDS can detect IM and P2P traffic
  • Use a more secure IM application such as Lotus Sametime
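The two network-side counter-measures above, denying login servers at the firewall and letting a network IDS spot the traffic anyway, can be illustrated on a small flow sample. The code below is an added example, not from the deck: it flags internal hosts that talk to the registered IM login ports and hosts whose connection pattern (many distinct peers on high ports) looks like P2P file sharing, which is the behaviour that survives port blocking. The port-to-product map, the fan-out threshold and every address in the sample are assumptions for illustration.

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    src: str     # internal host that opened the connection
    dst: str     # server or peer it connected to
    proto: str
    dport: int


# Assumptions a site would tune: registered ports of the IM login services
# the firewall is told to deny, and how many distinct high-port peers in one
# window counts as P2P-style fan-out.
IM_LOGIN_PORTS = {("tcp", 5190): "AIM", ("tcp", 1863): "MSN", ("tcp", 5222): "XMPP"}
P2P_PEER_THRESHOLD = 10
WELL_KNOWN_MAX = 1023

# Constructed flow sample (no real hosts): one IM login, one P2P-style
# fan-out across a dozen peers, and one ordinary web user.
SAMPLE_FLOWS: List[Flow] = (
    [Flow("10.1.2.3", "203.0.113.5", "tcp", 1863)]
    + [Flow("10.1.2.9", f"203.0.113.{n}", "tcp", 6881 + n) for n in range(20, 32)]
    + [Flow("10.1.2.4", "203.0.113.8", "tcp", 443),
       Flow("10.1.2.4", "203.0.113.9", "tcp", 80)]
)


def deny_rules(servers: Dict[str, int]) -> List[str]:
    """Firewall deny entries for known login servers, in a generic ACL wording
    (assumption: the real syntax depends on the firewall product)."""
    return [f"deny tcp any host {host} eq {port}" for host, port in sorted(servers.items())]


def detect(flows: List[Flow]) -> Dict[str, List[str]]:
    """host -> reasons it was flagged; hosts with nothing to report are absent."""
    reasons: Dict[str, List[str]] = defaultdict(list)
    high_port_peers: Dict[str, Set[str]] = defaultdict(set)

    for f in flows:
        name = IM_LOGIN_PORTS.get((f.proto, f.dport))
        if name:
            reasons[f.src].append(f"IM login traffic ({name}) to {f.dst}:{f.dport}")
        if f.dport > WELL_KNOWN_MAX:
            high_port_peers[f.src].add(f.dst)

    # P2P clients are hard to block by port because each peer picks its own;
    # the fan-out to many distinct peers is the stable signal.
    for host, peers in high_port_peers.items():
        if len(peers) >= P2P_PEER_THRESHOLD:
            reasons[host].append(
                f"P2P-style fan-out: {len(peers)} distinct peers on high ports")

    return dict(reasons)


if __name__ == "__main__":
    # Constructed login-server list for the deny rules (placeholder addresses)
    for rule in deny_rules({"203.0.113.5": 1863}):
        print(rule)
    for host, why in detect(SAMPLE_FLOWS).items():
        print(host, "->", "; ".join(why))
```

The fan-out heuristic is deliberately coarse; on a real campus it would be scoped to a time window and tuned against known-good servers (mail relays, backup hosts) before it is allowed to raise alerts.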
Wireless LAN Security
• Tremendous value and user convenience driving explosive growth
• Serious security issues need to be addressed
  • Unauthorized/unprotected Access Points
  • Standard encryption is weak (WEP)
  • Opens internal network to easy attack
• Wireless LANs can be deployed securely
  • Integrate with RADIUS authentication (LEAP)
  • Implement wireless PKI (TLS)
Virtual Private Networks
• Create a private network over a public network using encryption, authentication and tunneling
• May be more cost effective than leased lines
• VPN security features
  • Authentication of VPN end points
  • Confidentiality and integrity of data in transit
  • Allows remote users to securely access resources as if they were on the internal network
• HP offers line of VPN server appliances
  • complete, secure, end-to-end connections
  • reduced telecommunications costs
  • intuitive interfaces for easy configuration and management
VPN Architectures
• Client to Gateway VPN
  • Mobile users
  • Small/home office user
[Diagram: a mobile user and a home office user each run a VPN tunnel across the Internet to a VPN gateway in front of the internal network]
• Gateway to Gateway VPN
  • Branch office to headquarters
  • Site to site extranet
[Diagram: a branch office network’s VPN gateway runs a VPN tunnel across the Internet to the firewall/VPN gateway of the internal corporate network]
• Client to Client VPN
  • No VPN gateway
  • End to end security
[Diagram: a VPN client on a remote network runs a VPN tunnel across the Internet directly to a VPN client on the corporate network]
Authentication, Authorization & Access
• Authentication – proving you are who you say you are
  • Something you know
  • Something you have
  • Something you are
• Authorization – ensuring you are entitled to do what you are doing
• Access Control – managing user access to resources
What is HP-UX AAA Server?
• The HP-UX AAA Server is used for authentication, authorization and accounting of user network access.
• Performs critical network access functions for service providers and enterprises requiring security and accounting at the access points to the network.
• Includes authentication of user identities and passwords, authorization of services and applications, and accounting for user activity on the network.
HP AAA Server Deployment
Putting it all Together
[Diagram: threats against DMZ servers, extranets, dial-in links, intranet servers, core servers, user workstations and routers/switches, with user ID/password and SecurID authentication placed in front of them]
Keys to Effective Security Management
• Treat security as a business process, not a project
• Base security program on sound policies
• Conduct a risk assessment to establish requirements
• Implement a full lifecycle approach
• Address People, Process, and Technology
• Implement a “Defense in Depth” strategy
• Security is complicated; consider outsourcing it
Useful Links
• www.hp.com/security
• www.iss.net
• www.georgetown.edu/uis/help/CompuSec/
• www.itc.virginia.edu/security/checklist/
• http://web.mit.edu/security/www/cuispnew/policies.htm
• www.net.tamu.edu/network/using.html
• www.unt.edu/ccadmin/security/security%20manual/index.htm
• http://ita.berkeley.edu:4259/security/swg.report.html