A Layered Security Stance For Higher Education
Download
Report
Transcript A Layered Security Stance For Higher Education
SecurED:
A Layered Security Stance
For Higher Education
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
1
A Recognized Leader in Secure Networking
Addressing the challenges of enterprises
that require strategic value from their
networks
A no-compromise, systems-based
approach to high performance with
security at scale
Best-in-class products, solutions, and
services for enterprises and public sector
organizations
Proven record of meeting challenging
and dynamic application environments
#1 In Secure Access
#1 High End Routing
#1 High End Firewall
92 of Fortune 100
Top 30 Service Providers
$2.5B Revenue, 4800 Employees
47 of 50 US State Govts
NASDAQ 100 Company
20,000+ Global Customers
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
2
Gartner Magic Quadrants
Juniper, a proven leader in all categories
SSL VPN
FW/VPN
IPS
Copyright © 2007 Juniper Networks, Inc.
WAN Optimization
IPSec
Proprietary and Confidential
www.juniper.net
3
Sampling of Juniper Great Lakes Customers
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
4
Hundreds of Education and Research Customers
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
5
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
6
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
7
CSU ITRP2 Typical Security Deployment
Off Campus Office
Server Farm/
Data Center
RemoteAcess or
Extranet DMZ
DMZ
Campus Security Zones
Residence Halls
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
8
Today’s Discussion
Today’s Security Threats
An Extended Campus Model
Building a Layered Security Stance
Firewall Architecture Considerations
Remote Access Architecture Considerations
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
9
Compromised PC,
U-turn attacks,
hijacked remote
session
Today’s Security Threats
Commuter
Changing levels of trust
Business
Partner
• Widening range of network
access including faculty
Worms, viruses,
and students, remote
Trojan attacks
students, business
partners, customers and
suppliers
Ubiquitous access to the
Internet
• Availability of Internet
everywhere has provided
a potential entry point for
attacks
Regional
Office
Internet2
Internet
Intrusion over
WLAN
DMZ
Wireless
Network
Internal attacks,
roaming, malicious
users
Administration
Campus
Living
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
10
Today’s Security Threats - continued
Attack sophistication
• New types of attacks extending into the application
layer
Restructuring the DMZ
• Increased access to applications within the DMZ and
server consolidation efforts
Internal attacks
• Intentional or unintentional security attacks by students
and even faculty
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
11
The Extended Campus Model
Network
Perimeter
Campus
MAN/LAN
Extended
Campus
Distance Learning
Remote Faculty
Remote Access
Commuters
Administration
Business
Partners
Library
Finance
DMZ
Branch
Campus
Locations
Department
Servers
Remote Data Center
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
Site-to-Site
www.juniper.net
12
A Layered Security Stance – Firewalls
The First Layer of Defense
Foundation for creating a security policy on campus
Performs stateful inspection of incoming traffic to protect
network from malicious content
• Source and destination IP addresses
• Source and destination port numbers
• Packet sequence numbers
Provides Denial of Service (DoS) attack protection
• SYN flood attacks, UDP flood and Port Scan
Strengthens user access control and authentication
Allows network segmentation (zones) and user containment
• Secure virtual segments (administration, student accounts, faculty)
Track Sessions
Session Level
Protection
Stateful
Inspection
Firewall
YYYYY
YYYYY
Network
Copyright © 2007 Juniper Networks, Inc.
Packets
XXXXX
XXXXX
XXXXX
XXXXX
YYYYY
Proprietary and Confidential
XXXXX
YYYYY
XXXXX
www.juniper.net
13
Flexible Security Zones by Policy
Virtualized
Storage
Approach:
• Using firewalls
capabilities
• Standards-based,
open solutions
• Security that doesn't
impact applications
• Assured performance
for all applications
Principal’s
Zone
Student
Records
Virtualized
Storage
Student
Records
E-Mail
FTP
E-Mail
FTP
Payroll &
Procurement
Virtualized
Storage
Teacher’s
Zone
Parent or
Volunteer’s
Zone
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
14
The Extended Campus Model
Firewalls
Network
Perimeter
Campus
MAN/LAN
Extended
Campus
Distance Learning
Remote Faculty
Remote Access
Commuters
Administration
Business
Partners
Library
Finance
DMZ
Branch
Campus
Locations
Department
Servers
Remote Data Center
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
Site-to-Site
www.juniper.net
15
A Layered Security Stance – IDP
The Second Layer of Defense
IDP (Intrusion Detection and Prevention)
• Application-level attack protection at the campus perimeter by
looking for “hidden” security threats in common applications like
email & IM
• We’re digging deeper into the packet to enforce rules of the
protocol and block traffic with known malicious signatures
• Stops worms, Trojans, Spyware, malware and others from
penetrating and proliferating across the network
Application Level
Protection
Intrusion
Prevention
System (IPS)
Application attack
Protocol conformance
Reassemble, normalize, eliminate ambiguity
Track Sessions
Session Level
Protection
Stateful
Inspection
Firewall
YYYYY
YYYYY
Network
Copyright © 2007 Juniper Networks, Inc.
Packets
XXXXX
XXXXX
XXXXX
XXXXX
YYYYY
Proprietary and Confidential
XXXXX
YYYYY
XXXXX
www.juniper.net
16
A Layered Security Stance - UTM
Unified Threat Management (UTM)
• Anti-Virus, Anti-Spyware, Anti-Phishing, Anti-Spam,
Web filtering
• Additional file level protection to protect critical network
assets – scanning incoming email and web traffic
File Level
Protection
Application Level
Protection
Inspect Files
Gateway
Antivirus
System
Intrusion
Prevention
System (IPS)
File: xx.exe
File: yy.exe
Application attack
Protocol conformance
Reassemble, normalize, eliminate ambiguity
Track Sessions
Session Level
Protection
Stateful
Inspection
Firewall
YYYYY
YYYYY
Network
Copyright © 2007 Juniper Networks, Inc.
Packets
XXXXX
XXXXX
XXXXX
XXXXX
YYYYY
Proprietary and Confidential
XXXXX
YYYYY
XXXXX
www.juniper.net
17
The Extended Campus Model
Firewalls + IDP
Network
Perimeter
Campus
MAN/LAN
Extended
Campus
Distance Learning
Remote Faculty
Remote Access
Commuters
Administration
Business
Partners
Library
Finance
DMZ
Branch
Campus
Locations
Department
Servers
Remote Data Center
If it isn’t really a safe web
page, then fix it!
Copyright © 2007 Juniper Networks, Inc.
Malicious
Javascript
Site-to-Site
Port 80 P2P
Proprietary and Confidential
www.juniper.net
18
IPSec VPN vs. SSL VPN
Distance
Learning
Remote
Faculty
Sales
Branch Campus
HR
Finance
Department
Servers
Remote Data
Center
DMZ-1
Main
Campus
Commuters
Business
Partners,
Customers,
Contractors
Application Type
Commuter, Remote Faculty,
Partner Extranet and
Network access
Fixed
Type of Connection
Mobile or Fixed
VPN Type
IPSec VPN
VPN Type
SSL VPN
Access Requirement
Network Access
Access Requirement
Per Application Access
Control Requirement
IP to IP control
Control Requirement
User to Application control
Remote Network Security
Managed, Trusted
Remote Network Security
UnManaged, UnTrusted
Application Type
Branch Campus
Type of Connection
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
19
Coordinated Threat Control
SSL VPN + IDP Coordination
Identify specific attacks originating from remote student via SSL
VPN and quarantine the user (and only the offending user)
1. Student logs in using SSL VPN & deliberate or inadvertent attacks are launched
2. IDP detect the attack and block requests to the internal resources
3. IDP sends identifying data to SA SSL VPN gateway
4. Based on data from IDP, SA quarantine and notifies the user
Quarantine
Identifying Data
Infected
Attack
Attack
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
20
The Extended Campus Model
Firewalls + IDP + IPSec and SSL/VPN
Network
Perimeter
Campus
MAN/LAN
Extended
Campus
Distance Learning
Remote Faculty
Remote Access
Commuters
Administration
Business
Partners
Library
Finance
DMZ
Branch
Campus
Locations
Department
Servers
Remote Data Center
Site-to-Site
IPSec connections available through FW/VPN
SSL/VPN connections using SA 4000
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
21
A Layered Security Stance - UAC
Centralized Access Policy Manager for the
campus LAN/MAN
• Single, centralized policy engine that provides access
using a combination of identity-based policy and
endpoint intelligence
Standards-based solution
• Interoperates with wide variety of AAA authentication
servers like RADIUS, LDAP, etc
• Dynamically provisioned TNC-compliant UAC agent
that allows real-time network policy management
• Interoperates with firewalls for Layer 3 enforcement
and with switches and Access Points that are 802.1Xcompliant in both wired and wireless environments
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
22
The Extended Campus Model
Firewalls + IDP + IPSec and SSL/VPN + UAC
Network
Perimeter
Campus
MAN/LAN
Extended
Campus
Distance Learning
Remote Faculty
Remote Access
Commuters
Administration
Business
Partners
Library
Finance
DMZ
Branch
Campus
Locations
Department
Servers
Remote Data Center
Site-to-Site
IPSec connections available through FW/VPN
SSL/VPN connections using SA 4000
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
23
Firewall Architecture Considerations
How many firewalls do you currently have deployed?
What are the throughput requirements of the
FW/VPN?
How are you controlling access between different
departments?
How do you protect your critical assets from
application attacks?
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
24
Firewall Architecture Considerations
Has your network ever been affected by any worms
or viruses?
Do you require a full mesh FW/VPN solution to allow
for redundant physical paths in the network,
providing maximum resiliency and uptime?
How do you handle attacks at the perimeter gateway
with so much traffic going in and out of the network?
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
25
Remote Access Architecture Considerations
What are you using today to provide secure access?
Do users have problems with their laptops caused by the IPSec
code resulting in calls to your Help Desk?
Do you need to connect partners (other universities or companies
involved in joint research, etc.) so they can access documents or
other resources?
Are you worried about students infecting your network when they
connect?
Do you have a Pandemic Plan, Disaster Recovery Plan, or Business
Continuity Plan?
Do users need to access resources from multiple PCs or any PC
that is handy?
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
26
The JUNOS Software Advantage
Intelligent Modularity
Independent functional operation
• Dedicated resources, protected
Module
Memory space
X
Module
• Handles adversity, contains faults
X
Module
• Flexible integration through
X
defined interfaces
Development Discipline
Customer Benefits
•High Availability
•Security
•Lower TCO
8.1
8.2
8.3
8.4
8.5
9.0
Q406
Q107
Q207
Q307
Q407
Q108
•Extensibility
Development without compromise
• One code set, 4 predictable releases a year
• One implementation, consistent feature set
• Full regression testing per release
–– Deployed since 1998 · 30,000+ deployments · TL9000 engineering certification ––
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
27
Our Architecture principles
No-compromise
• Security
• Performance & scale
• Reliability & flexibility
• Accessibility
Modularity
Manageability
3rd party support
• Superior availability &
reliability
• Flexibility
• Common programmatic
interface
• Consistent user interface
• Common management
platform
Copyright © 2007 Juniper Networks, Inc.
• Standards support
• Consistent inbound &
outbound interfaces
• Documentation
Proprietary and Confidential
www.juniper.net
28
Copyright © 2007 Juniper Networks, Inc.
Proprietary and Confidential
www.juniper.net
29