Overview of IT Security at Nottingham

Enterprise Security
Protecting the Campus Network
Paul Kennedy
Security & Compliance Group Leader
Information Services
Objectives
• An introduction to practical IT security
• Some background on enterprise issues
• The campus network
• Samples of some technologies used
• Examples from the battlefront
• Technology Demo (if time allows)
What is an enterprise?
• “a unit of economic organization or activity; especially: a business organization”
• What defines an enterprise: scale, purpose and cohesion
• Is the University an enterprise? Yes!
  » “A place of learning, research, academic endeavour, advancement of knowledge”
  » “A £380m global business with 5500 staff and 36000 customers”
Enterprise security
• So what is enterprise security about?
• Protection of an entity where the scale is a factor in the decisions made (e.g. number of users, computers; size of network or bandwidth of the links; cost of solutions)
• Protection of an entity where the aims of the organisation need to be taken into consideration (e.g. business requirements)
• Protection of an organisation where the human factor becomes critical to success
The University enterprise
• Facts & Figures
  » An international University with campuses in the UK, China and Malaysia
  » 36000 students and 5500 staff in the UK
  » Numerous campuses
    » In Nottingham: Univ Park, Jubilee, Sutton Bonington, King’s Meadow, QMC, City Hospital, Shakespeare St
    » The East Midlands: DCGH, DRI, Mansfield, Lincoln, Boston, Grantham
    » And further afield: offices in London, Brazil, Shanghai, overseas campuses
Campus Network
• 12000 machines on the campus network
  » Servers, desktops, laptops, network equipment, lab equipment, printers, VoIP devices, CCTV cameras, temperature sensors, cash tills, door access, building management system
• 8000 computers on the student network (SNS)
• 10 Gbps across the campus backbone
• 2 x 1Gbps + 1 x 100Mbps connections to East Midlands MAN (EMMAN) and JANET
• State-of-the-art “lights-out” primary data centre at KMC, secondary data centre (inc HPC) at CCC South
• Is this a LAN or a WAN or a MAN?
The Academic Business
• The business:
  » Financial management of £380m
  » HR management of 5500 staff records
  » SR management of 36000 student records
• UK legislation
  » Data Protection Act (DPA), Freedom of Information (FoI), Human Rights Act (HRA) and more
  » Regulation of Investigatory Powers Act (RIPA)
• Corporate Governance
  » External auditors, Internal Audit Service (IAS)
Academic Risk Profile
• We are a business AND an academic institution and must provide security accordingly!
• We’ll never have security like a bank
• We can’t enforce corporate standards
• We must support a wide range of teaching and research and a degree of choice in the tools that staff and students can use
Security Facts & Figures
• We reject 3.5m spam emails per day
• We saw alerts on suspicious behaviour from 7000 external network addresses yesterday
• Anti-virus reported 120 desktop interceptions on campus yesterday
• We intercept around 100-150 email-borne malware items per day
• We detect and report 5-10 previously unseen viruses to Sophos each year
Security Model
• The University Security Model
  » Policy, IT Security, Physical Security
  » Defence in depth (the security “Onion”)
  » Multiple, overlapping layers of security
• Security at different points in the network
  » At the perimeter / gateway / choke points
  » On the server / at the service layer
  » At the desktop
  » Across the network backbone
• But … Business first, Technology Second!
Security Policy
• You MUST have a security policy, approved by senior management, in order to have enforceable security
• ISO 27001 (aka ISO 17799, BS 7799) is the international standard for Information Security Management Systems
  » Security policy; Organisation of information security; Asset management; Human resources security; Physical and environmental security; Communications and operations management; Access control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance.
  » Based on the Plan-Do-Check-Act model
• The University security policy is based on ISO 27001 but we are unlikely to seek certification at present
The Technology
• At the perimeter / gateway / network level
  » Enterprise firewall: allow or deny traffic based on a set of rules
  » Email Gateway: spam and malware detection and prevention
  » Secure web gateway: proxying web traffic to check for malware
  » Bandwidth management: limit or guarantee bandwidth available for services
  » Virtual LANs (VLANs): restrict the parts of the network specific traffic can reach
  » Anomaly detection: measure network activity against a “normal” baseline
  » Network access control
At the Perimeter
• Enterprise Firewall
  » Inspects packets entering or leaving the network against a defined rule set
  » Allows or denies based on src and dest IP address and port
  » Default Deny (“Deny everything except those services/protocols specifically required”) not Default Allow (“Allow everything, deny only known dangerous ports”)
  » 2 x Juniper NetScreen 5200s with failover (Gigabit capable)
  » Stateful packet inspection: knows which “conversations” are already in progress (prevents certain scans and attacks)
  » Over 1200 firewall change requests since 2004
  » Over 600 rules in our firewall rule set (Spitzer: 200 is complex)
  » At default deny, network traffic dropped 50%, attacks 90%
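The two points this slide makes, default deny versus default allow and stateful tracking of conversations, as an added example written for this page (not the University's NetScreen configuration); the rule set, addresses and packets are constructed, and the model matches on direction, destination network and destination port only:

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# Small model of the slide's default-deny, stateful perimeter filter. Example code
# written for this page; the rules, addresses and traffic below are all constructed.
Packet = namedtuple("Packet", "src dst sport dport direction")  # direction: "in"/"out"
Rule = namedtuple("Rule", "direction dst_net dport action")      # action: "allow"/"deny"

class StatefulFirewall:
    def __init__(self, rules, default_action):
        self.rules = rules
        self.default_action = default_action  # "deny" = default deny, "allow" = default allow
        self.sessions = set()                 # conversations already allowed through

    def _first_match(self, pkt):
        for r in self.rules:
            if (r.direction == pkt.direction and r.dport == pkt.dport
                    and ip_address(pkt.dst) in ip_network(r.dst_net)):
                return r.action
        return self.default_action  # no explicit rule: fall back to the default policy

    def filter(self, pkt):
        # Stateful inspection: a reply to an allowed conversation passes without a rule.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return "allow"
        action = self._first_match(pkt)
        if action == "allow":
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

RULES = [
    Rule("in", "10.0.0.0/16", 80, "allow"),   # published campus web server
    Rule("in", "10.0.0.0/16", 25, "allow"),   # incoming mail relays
    Rule("in", "10.0.0.0/16", 135, "deny"),   # a "known dangerous port" rule
]
TRAFFIC = [
    Packet("203.0.113.5", "10.0.1.10", 40001, 80, "in"),    # web request
    Packet("203.0.113.9", "10.0.2.20", 40002, 3389, "in"),  # RDP probe with no rule
    Packet("10.0.1.10", "203.0.113.5", 80, 40001, "out"),   # reply to the web request
    Packet("203.0.113.7", "10.0.3.30", 40003, 135, "in"),   # hits the explicit deny
]

def run(default_action):
    """Decisions for TRAFFIC, in order, under the given default policy."""
    fw = StatefulFirewall(RULES, default_action)
    return [fw.filter(p) for p in TRAFFIC]

if __name__ == "__main__":
    print("default deny :", run("deny"))    # only the unknown RDP probe differs
    print("default allow:", run("allow"))
```

The outbound reply is allowed under default deny without any outbound rule because the firewall remembers the inbound conversation; the RDP probe is the case where the two default policies part ways.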
Email Gateway
• Currently an open source solution on Linux
  » Exim, MailScanner, SpamAssassin, Sophos
• 10 mail relays! (5 incoming, 5 outgoing)
• 3.5m incoming emails per day of which 200000 are accepted for processing (5%)
• Have employed “tag and pass” for too long!!!
• Decisions are not only about technological solutions
• Spam and malware handling is now a commodity item so we are outsourcing to a managed service provider, Webroot
[Slide of charts: Email RBL Blocking, Mail Relayed, Viruses Identified, Spam Identified, Incoming Mail Queue, Internet Traffic]
Secure Web Gateway
• Over 80% of incoming network traffic from the Internet is the result of web browsing
• Attack payloads via email are dropping
• Attacks initiated from an HTML-formatted web page with the payload delivered via the web are increasing
• Current Squid proxy logs traffic and reduces the risk of malware getting off campus but …
• … this does not protect against most incoming threats
• So implementing a Finjan Secure Web Gateway
Web Gateway Capabilities
• Active real-time content inspection for detection and blocking of unknown attacks
• Zero-hour vulnerability protection via virtual patching
• Corporate Anti-Spyware solution for stopping known and unknown Spyware at the gateway
• Anti-Crimeware protects your sensitive business data
• Anti-Phishing prevents identity theft
• SSL Inspection for “in-box” scanning of HTTPS traffic and enforcement of SSL certificates
• Choice of leading Anti-Virus engines for protection against known viruses
• Choice of leading URL Filtering engines for full control over your organization’s web browsing
Processing Web Content
Anomaly Detection
• In 2006 IS was looking for a solution to provide better monitoring of traffic across the network
• Looked at Intrusion Detection and Intrusion Prevention Systems (IDS/IDP)
• Decided these were not suitable for the wide range of research traffic on our network (which can break firewalls)
• Discovered the alternative approach of anomaly detection!
• It learns what is normal network behaviour for each computer on the network and alerts to significant changes in that behaviour
Detection Example
• Example: In August 2003, the University was hit by the Blaster worm.
  » 1500 computers were infected in a few hours
  » The immediate incident lasted two weeks
  » Complete clean up took four months
• We can now detect a worm infected computer within minutes and, in most cases, prevent it from causing an outbreak before it affects the network
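The per-computer baseline idea from the Anomaly Detection slide, applied to the worm case above, as an added example written for this page (not the product the University deployed): it learns each host's usual number of distinct destinations per minute from constructed flow records, then alerts when a host's fan-out jumps well outside its own baseline, which is what a spreading worm looks like from the network. Host names, addresses and the k = 3 threshold are assumptions.

```python
import statistics
from collections import defaultdict
# Per-computer baseline learning, as the slide describes it, over constructed flow
# records (minute, source host, destination host). Example code written for this
# page, not the anomaly-detection product the University deployed.

def fanout_per_minute(flows):
    """Distinct destinations contacted by each source host in each minute."""
    seen = defaultdict(set)
    for minute, src, dst in flows:
        seen[(src, minute)].add(dst)
    per_host = defaultdict(dict)
    for (src, minute), dsts in seen.items():
        per_host[src][minute] = len(dsts)
    return per_host

def learn_baseline(per_host, train_minutes):
    """Per-host mean and standard deviation of fan-out across the training window."""
    baseline = {}
    for host, series in per_host.items():
        sample = [series.get(m, 0) for m in train_minutes]
        baseline[host] = (statistics.mean(sample), statistics.pstdev(sample))
    return baseline

def detect(per_host, baseline, minutes, k=3.0, min_delta=10):
    """Alert when a host's fan-out exceeds its own mean + k*std by at least min_delta."""
    alerts = []
    for host, (mean, std) in baseline.items():
        for m in minutes:
            fanout = per_host[host].get(m, 0)
            if fanout > mean + k * std and fanout - mean >= min_delta:
                alerts.append((m, host, fanout))
    return alerts

def build_flows():
    """Constructed traffic: two PCs with quiet, regular behaviour, then one starts scanning."""
    flows = []
    for minute in range(12):                        # minutes 0-9 train, 10-11 are monitored
        for host in ("pc-a", "pc-b"):
            for dst in ("files", "proxy", "mail")[:2 + minute % 2]:
                flows.append((minute, host, dst))
    for i in range(60):                             # minute 11: pc-b contacts 60 new hosts
        flows.append((11, "pc-b", f"10.0.5.{i}"))   # the fan-out pattern of a spreading worm
    return flows

def run():
    per_host = fanout_per_minute(build_flows())
    baseline = learn_baseline(per_host, range(10))
    return detect(per_host, baseline, range(10, 12))
```

The min_delta floor matters in practice: a host whose baseline is nearly constant has a tiny standard deviation, and without the floor a single extra destination would trip the k*std test.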
Network Access Control
• At the start of each academic year 8000 student owned computers are connected to the Student Network Service (SNS) in Hall study bedrooms
• These computers arrive as unseen and unknown quantities; often they are not properly secured and are already infected with viruses and other malware
• They represent a potential threat to their fellow students, the SNS network and the wider campus network BUT IS is obliged to make them part of our community as soon as possible
Campus Manager I
• In 2005 IS introduced Campus Manager which performs pre-connection health checks on student computers before it allows them access to the SNS and campus networks
• Campus Manager ensures that student machines
  » Are fully patched with critical updates
  » Have anti-virus protection installed
  » Represent a minimal risk to the campus network
Sophos Upgrade
• Just upgraded from Sophos A/V to Sophos Security & Control
• No longer just A/V, now an End Point security solution
  » Anti-virus, anti-spyware, anti-adware
  » Desktop firewall, detection of PUA, HIPS
• In Future Releases
  » NAC, device (USB, Bluetooth, IR), port & mobile control, data leak prevention
Sophos Architecture
[Architecture diagram: updates from Sophos feed the Sophos Console & EM Library and the Sophos DBMS (sccapps); a signature distribution web server and signature distribution file servers (Univ Park: Campus Network; Univ Park: Student Network; Jubilee Campus; Sutton Bonington; King’s Meadow) deliver signatures, product updates and remediation to the desktop clients, which return status information and interception reports]
Social Engineering
• Humans are usually the weakest link in any chain of security
• You can provide policies and best practice, but you can’t force people to read them
• University members do respond to phishing attacks from time to time
• The best solutions to social engineering issues are usually ones that use technology in place to allow for possible human failings
Network Abuse
• Misconduct, gross misconduct and criminal activity by University members
• Yes, it does happen, but thankfully not that often
• Gross misconduct can lead to dismissal from the University
• Criminal activity can lead to prison
• IS does provide evidence for hearings, tribunals and police investigations and court cases
• ssshhh – Credit Card Scam Story
Summary
• Enterprise security is about scale
• You need policy, planning and architecture
• You must consider the business before technology
• Technology can sometimes reduce human factors but can’t always make up for human failings (or social engineering)