Threats to a network - University of Washington
Download
Report
Transcript Threats to a network - University of Washington
A Multi-Zone
Security Model
David Morton
Lori Stevens
17 October 2007
University of Washington
Multi-Zoned Security
• Each Zone plays a role in security of
system
• Layered defenses within each Zone
University of Washington
Zones
University of Washington
The Connector Zone
Introduction
•Joins networks together
•Goals:
–Protect the infrastructure
–Low latency, high performance is key
–Traffic is originated elsewhere
–Connector policies establish rules
–Examples: PNWGP, PacificWave
University of Washington
The Connector Zone
PacificWave Infrastructure
University of Washington
The Connector Zone
Pacific Wave Security
• Since Pacific Wave is a layer-2 exchange, it cannot directly mitigate
and address participant behavior above layer-2, such as:
– using BGP-4 for peering
– routing traffic without an established peering agreement
– generating traffic other than IP
• Must work together in order to collectively mitigate such activities
– Develop processes and procedures for proper escalation in the
event of malicious or unauthorized activities are discovered
• Implement policies and protections to:
– Limit the hosts/networks that can manage the network devices
– Make use of token based login or one time passwords
– Limit which network devices (by MAC) can directly connect
University of Washington
The Connector Zone
Layered Security
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
University of Washington
The Campus Zone
Introduction
•Aggregates users to the connector
•Goals:
–Stop “bad” traffic with no impact to “good”
–Isolate threats from the community
–Control SPAM, Phishing and virus threats
–Provide extra layers of protection as needed
–Mitigate security incidents quickly
–Minimize the impacts
University of Washington
The Campus Zone
Infrastructure
• 120,000 devices
• NO PERIMETER
FIREWALLS
• IPS at the core
University of Washington
The Campus Zone
Intrusion Prevention
•Tipping Point IPS
– Rich rule set to
block “bad” traffic
– Blocked at least 70 million attacks in 2006
–That’s nearly 185,000 attacks a day
– Ability to route some traffic around IPS for
performance or policy
University of Washington
The Campus Zone
Email Defense Options
• Appliance
– Easy to setup
– Simplified maintenance
– Less flexible
• Software Solution
– Often more flexible, extensible to meet needs
– Separate hardware platform and OS to maintain
University of Washington
The Campus Zone
Spam at the UW
• January daily volume avg: ~3,040,000
messages, 76.6% spam
• August daily volume avg: ~4,100,000
messages, 80.1% spam
• Sept daily volume avg: ~4,560,000
messages, 88.5% spam
University of Washington
The Campus Zone
Spam at the UW
• As much spam this year as all mail
processed in 2006 and nearly twice as
much total mail as we processed from
2003-2005
• Be prepared for growth!
University of Washington
The Campus Zone
Email-born Viruses at the UW
• 2003: 9,375,000 viruses detected in email
• 2004: 20,000,000 viruses in email
• 2007: 2,632,000 viruses
• Not the threat it once was….
University of Washington
The Campus Zone
UW 2003-2006 Mail Stats
University of Washington
The Campus Zone
Network Firewalls
• Two varieties
– Logical Firewall
– Subnet Firewall
• Logical Firewall (self managed)
• Selectively allows hosts to participate
• http://staff.washington.edu/corey
• Subnet Firewall (centrally managed)
• Gibraltar (linux) or Cisco FW Services
Module
University of Washington
The Campus Zone
Incident Response
• Established incident response procedures
• Automated protections against worms
• Able to remotely capture network traffic
• Partner with industry, peers, etc for
up-to-date intelligence
University of Washington
The Campus Zone
Layered Security
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
University of Washington
The Dorm Zone
Introduction
•Student housing
•Goals:
–Protect Dorms from world
–And the world from the Dorms :)
–Provide high bandwidth for acedemics, etc
–Control illegal filesharing
–Enforce administrative policies (ie no servers)
University of Washington
The Dorm Zone
Infrastructure
• ~ 5,000 residents
• IPS sandwich
• Packeteer traffic
shaper
• Firewall policy
enforcement
University of Washington
The Dorm Zone
Layered Security
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
University of Washington
The User/Host Zone
Hosts: Defending Against Threats
• Anti-virus sw is critical to keeping our
networked-hosts clean
– configure to update itself automatically
– use other features such as buffer overflow
and web (http) browsing protection, where
appropriate
• Stay current on security updates and virus
definitions/signatures
University of Washington
The User/Host Zone
Hosts: Defending Against Threats
• Use complex passwords for critical devices, e.g.
hosts, routers
• Use logs to catch attacks or compromises
• Software to detect inconsistencies
• Best place for firewall as it’s easiest to define
“good” traffic
– can be complex to manage
University of Washington
The User/Host Zone
Hosts: Defending Against Threats
• Isolation approach
– Separate services across hosts
– So one passwd doesn’t get you to everything
• Block services that aren’t relevant
– For example, block port 25/tcp to and from all hosts
that are not mail servers
University of Washington
The User/Host Zone
Hosts: Defending Against Threats
• Security is part of everything
– design, build, implement, and buy
• Fewer compromises where pervasive
layer protection implemented
University of Washington
The User/Host Zone
Layered Security
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
University of Washington
Questions?
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
David Morton
[email protected]
+1 (206) 221-7814
Lori Stevens
[email protected]
+1 (206) 685-6227
University of Washington
Resources
• TippingPoint:
http://www.tippingpoint.com/products_ips.html
• PureMessage:
http://sophos.com/products/enterprise/email/securityand-control/unix/index.html
• General Security Info:
http://www.securityfocus.com/
http://www.sans.org/network_security.php
http://onguardonline.gov/index.html
University of Washington
Questions?
University of Washington