PPT - EDUCAUSE Library

University of Cincinnati
Staying Ahead of the Security Curve with Finite Resources
Presented by
Diana Noelcke
Associate Director, Enterprise Communication Systems
and
Jim Downing
Information Security Officer
“Some memories last forever”
The Way We Were
► 3 different networks
  ► 2 ATM networks (Asynchronous Transfer Mode)
    ► 1 managed by an outside company
    ► 1 managed by UCit staff
  ► 1 FDDI network (Fiber Distributed Data Interface)
► Assigning IPs per machine, maneuvering subnets around, IP conflicts
► Reactive versus proactive in troubleshooting network problems
► Inaccurate documentation
Vision
► To design a one vendor/topology solution
► All network connectivity consistent throughout the campus
► To become proactive versus reactive
► To support the university network totally from within
► Move into the future with the network design plus position the university for emerging technologies
Vision realized
► After 12 months of planning, community endorsements and 8 months of converting 73 buildings and 264 closets, the University now has the second largest network in the Greater Cincinnati area, second only to P&G.
► One vendor solution
► Implemented network security solutions
► Positioned for future technologies (VoIP, Multicast, QoS)
► Stability, Reliability, and Uptime
► Manageability
► Fiber plant, telecommunication closets fully documented
UCnet
► 21,000 data connections
► 800+ network devices
► 200+ wireless access points
► Security devices
  ► PIX perimeter firewall
  ► IDS (Intrusion Detection System)
  ► VPN (Virtual Private Network)
  ► DMZ (buffer zone between UCnet and Internet)
  ► 2nd tier firewalls
Lessons Learned
► It’s very important that policies are written first. Policies are nothing without stated consequences and enforcement of them.
► If you don’t already have a defense in place, you won’t have any time to react.
► Plan for communicating to all users and at various levels
  ► Executive level, IT governance committees
  ► IT administrators, system administrators, business managers
  ► Website
Lessons Learned
► Accurate documentation is very important
► Training of staff is essential prior to implementation
► Educating the end user is key to battling security with finite resources, since security starts at the desktop
► Define network monitoring tools needed prior to implementation
Top Security Threats and Challenges
► Wireless network deployment
► Hackers, internal and external
► Viruses, worms and other malicious code
► New students bringing computers on campus
► Employees and management not taking security policies seriously
► Getting our users to use the 2nd tier firewall features
UCnet Security Features
► Private Addressing
  ► NAT (Network Address Translation)
► Cisco PIX Firewalls
  ► DMZ (buffer zone between Internet & UCNET)
► VPN (Virtual Private Network) Access
► IDS (Intrusion Detection System)
Targets of Opportunity
► Personally Identifiable Information and Personal Health Information
  ► Identity Theft
► Student Records
► Patient Records
► Financial Records
  ► Credit card numbers
  ► Bank account
  ► Retirement
► Research Data & Other Intellectual Property
UC Computer Incidents
Primary Cost Categories
► Employee time for investigation, repair, and restoration
► Loss of data
Secondary Cost Categories
► Legal liability against University
► Diminished reputation
► Psychological impact (i.e., feeling violated)
[Chart: Computer Incidents per year, 1997-2003]
Academic Incidents
► Moonlight Maze- Russians hacked Sun operating systems and gained access to U.S. university network servers to hide their tracks.
► Distributed Denial of Service (DDoS)- attacks on dot com sites; university sites implicated.
► RIAA- Illegal distribution of copyrighted material.
► Nimda- Worm attack
  ► 1 week after September 11, 2001
  ► Slowed Internet
  ► 86,000 hosts infected
  ► 43% USA sites
  ► UCNet kept on-line
[Chart: Nimda attacks, Sept. 15 to Sept. 23, 2001; series: Internal UC Attacks, Total Nimda Attacks]
Recent - Academic Incidents
► Blaster- worm compromised Windows operating system, flooded network.
► Welchia- similar to Blaster worm, ICMP scans and floods network.
► Sobig- self-replicating worm via email.
[Chart: Worm Attacks on UCNet, August - September 2003, daily counts; series: UC-Internet, Internet-UC, TOTAL]
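The worm charts above count attacks by direction (UC-Internet versus Internet-UC) and by day. As an added example that is not part of the original presentation, the script below applies the same split to constructed IDS-style alert lines: with the private addressing the deck describes, a campus host appears with an RFC 1918 address, so direction can be read from the source and destination of each alert. The log line format, the campus address ranges and the sample data are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed alert lines in an assumed "date src dst worm detail" format; not real UC data.
ALERTS = """\
2003-08-12 10.20.5.17 192.0.2.44 Blaster TCP/135 scan
2003-08-12 198.51.100.9 10.20.7.3 Blaster TCP/135 scan
2003-08-12 10.20.5.17 203.0.113.8 Blaster TCP/135 scan
2003-08-13 10.20.9.200 192.0.2.61 Welchia ICMP sweep
2003-08-13 198.51.100.22 10.20.1.5 Welchia ICMP sweep
2003-08-13 10.20.9.200 10.20.9.201 Welchia ICMP sweep
2003-08-14 203.0.113.77 10.20.3.9 Sobig SMTP burst
"""

# Assumed campus address space: the private ranges sitting behind NAT.
CAMPUS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\w+) (.*)$")

def is_campus(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CAMPUS)

def direction(src, dst):
    """Classify an alert by which way it crosses the perimeter."""
    s, d = is_campus(src), is_campus(dst)
    if s and not d:
        return "UC-Internet"
    if d and not s:
        return "Internet-UC"
    return "Internal" if s and d else "External"

def tally(text):
    """Count alerts per (day, worm, direction), like the chart's per-day series."""
    counts = Counter()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        day, src, dst, worm, _ = m.groups()
        counts[(day, worm, direction(src, dst))] += 1
    return counts

def outbound_hosts(text):
    """Campus sources generating outbound alerts: the machines to clean first."""
    hosts = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if m and direction(m.group(2), m.group(3)) == "UC-Internet":
            hosts.add(m.group(2))
    return sorted(hosts)
```

Summing the counter gives the chart's TOTAL series; the outbound host list is what the Tier 2 operations center would hand to Tier 3 for cleanup.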
Layered - Approach
► Policies
  ► University wide
  ► Departmental, Unit or College
► Network Architecture Layers
  ► Internet perimeter connection
  ► Network subnet switch/router
  ► Desktop machine, file servers or UCit customer
► Abuse Reporting
  ► Helpdesk Tier 1
  ► Network Operations Center Tier 2
  ► Network Engineering Tier 3
IT Policies
► University Wide (General)
  ► Policy on the Use of Information Technology
  ► Perimeter Firewall Policy
  ► Information Technology Management
  ► Student Code of Conduct
    ► http://bluewhite.sltech.uc.edu/conduct/conduct.html
  ► Residential Hall
    ► http://www.uc.edu/housing/resnet/default.asp
► UCit- Organizational Computer policies
  ► http://www.ucit.uc.edu/policies
Policies
► Unit Policies
  ► UC College of Nursing
    ► http://nursing.uc.edu/Overview/ITAcceptableUsePolicy.htm
  ► Clermont College
    ► http://www.clc.uc.edu/tech/clermont_computer_use_policy.asp
  ► UC Dept. of Geography JCGIS - SA
    ► http://www.gissa.uc.edu/Support/policy.html
Network Security Layers
► Perimeter: PIX firewall, Cisco Intrusion Detection, VPN
► Distribution Layer: Cisco IOS firewall feature & IDS blades
► Access Layer: departmental servers and desktops
Abuse Reporting
► UCit HelpDesk – Tier 1: support, document and resolve minor security breaches
► Network Operations Center – Tier 2: monitor and analyze security data collection
► Network Engineering – Tier 3: resolve major abuse issues
Overcoming Finite Resources
► Have written, acceptable and enforceable policies in place
► When you can’t hire new staff
  ► Educate and train your current staff along with your users
  ► Take a tiered approach to support your network
► When you don’t have trained staff
  ► Use outside contacts with local and governmental agencies
  ► Partner with your network/security vendor
► What are our next steps
  ► Ongoing research and testing of new security products
  ► Data mining, review and refresh our IDS architecture
Copyright Diana Noelcke, Jim Downing, 2003
This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.