Defending the Campus
Ed Lopez – Emerging Technologies

“The Headlines”
“’MafiaBoy’ DDoS Attack Via University Network”
“Postdoc Arrest Linked to Intellectual Property Theft from University Labs”
“Hack on University Exposes 1.4M Social Security Numbers”
“Universities Fear 6th of Month as Klez Virus Re-erupts”
“RIAA Sues Campus File-Swappers”
“Weak Security Causes University to Ban Unauthorized Wi-Fi on Campus Nets”
“Campus Networks: Havens for Spammers?”
“Vital Files Exposed in University Hacking, 32,000 Students and Employees Affected”

Our Users – Our Problem
Students – Bandwidth, Active Threat, No Standards
Faculty – Openness, Intellectual Property, Communication
Administration – Privacy/Financial/Academic Data, Web Services
Facilities/Security – Operations, Logistics, Emergency Services
Health Services – HIPAA, Medical Support Systems
Externals – Support for Gov’t Projects, External/Joint Academics, Libraries, Research

Security is in How We Access Our Networks
Dormitories – Wired/Wireless, >1 host to 1 student
Libraries – Shared systems, public/anonymous access
Commons – Wireless, rogues, ‘evil twins’
Telecommuters – Commuting Students, Off-Campus Housing, Fraternities/Sororities, ‘Starbucks’ and other community outlets
Educational Areas – May have specialized requirements, especially science departments
Health Services & Administration – Autonomous but linked
Externals – Dedicated support requirements, threat from external security breaches

Campuses – Crucibles for New Technologies and Security Issues
Varied OS Support:  Windows (multiple versions), MacOS, Linux, BSD, Palm, PocketPC, new handhelds
No Personal Firewall/Anti-Virus Standards
VoIP:  Internally supported, Vonage, etc.
Authentication:  Passwords (weak), Tokens, SSN vs. Unique Number, Single Sign-On vs. Segmentation
Wireless vs. Wired
Many Back Channels: POP3, IM, IRC, P2P, FTP, etc.
Music: P2P vs. Legal Downloads

What We Intended

What We Ended Up With

Firewalls Alone Are Not Enough
A TCP/80 client session:
Is it MSIE?
Is it Mozilla Firefox?
Is it a Warez P2P Session?
Firewalls, even with application intelligence, only deal with Layer 3&4
But with convergence of multiple applications around well-known ports & protocols, how do we differentiate the legitimate ones from the rogue ones?

Layered Threats – Layered Defenses

Domino Effect

Security Is Not Required for Applications & Networks to Function!
Everything works in the lab!
Trust is inherent to design!
What are your policies?
How are they enforced?
How do you detect/prevent malicious traffic, rogue host/apps, and misuse?
What is really on your network?

Security Requirements for the Campus
Access Defense at Network/Data Centers – No effective perimeters, no control of end-user hosts
Network Awareness – Variable users/access/technologies make for quickly changing threats
QoS – Defending bandwidth for necessary resources, mitigating DoS attacks, policy conformance
Segregation of IP Networks – With use of common infrastructure
Standardization Where Possible – Enforcement of security processes is a must for applications, data centers, and systems holding sensitive data
Provisioned Services – Key to consistent delivery of manageable services

Securing Access
Wireless Access = Remote Access
Common solution sets mean ease of deployment and common user experience
Can implement roles-based policies
SSL VPNs are your friend
Clientless – Just need a browser
Encryption offers confidentiality, integrity of traffic
Defend Remote Access, Wireless Access, Access to Data Centers
You can’t rely on host-based defenses, defend at the ingress
Perimeter defenses (Firewall, ACL)
NAV and Anti-spam on campus web/mail services

Securing Data Centers
Best defenses are based on knowing what to defend
You may not control the clients, but you do control the servers
Tight perimeter defenses
Portaling
Intrusion Detection/Prevention
Honeypots / Honeynets

Importance of Network Awareness
“Network awareness now a new mindset for security professionals.”
“Every component of the network is part of the ecosystem.”
“The end user is the moving chess piece of the network board.”
“The really good intruders study the environment before attacking.”

IDS – Intrusion Detection System
Typically out of line of the data flow on a tap.  Evaluates deeper into the packet to validate protocol, search for exploits and anomalies. All 7 layers of the OSI model can be parsed.

IPS – Intrusion Prevention System
Typically inline with the data flow. Evaluates deeper into the packet to validate protocol, search for exploits and anomalies. All 7 layers of the OSI model can be parsed. Does not have to rely on other devices in the network to complete its task.
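A worked example, added here and not from the original deck or from Juniper: it answers the "Firewalls Alone Are Not Enough" question (is this TCP/80 session a browser or a rogue protocol?) by parsing past layers 3 and 4, and then applies the same verdict in the two sensor postures the IDS and IPS slides describe. The sample payloads, addresses and the POLICY set are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample payloads: the first bytes a client sends on a TCP/80
# session. Illustrative only, not captures from any real campus network.
SAMPLE_SESSIONS: List[Tuple[str, bytes]] = [
    ("10.1.1.5", b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    ("10.1.1.6", b"GET / HTTP/1.1\r\nHost: www.example.edu\r\n"
                 b"User-Agent: Mozilla/5.0 (X11; Linux i686) Gecko/20040614 Firefox/0.9\r\n\r\n"),
    # a binary protocol riding port 80: no HTTP request line at all
    ("10.1.1.7", b"\xe3\x19\x01\x00\x00\x00\x00\x00\x10\x4b\x00"),
    # a text P2P handshake on port 80: looks HTTP-ish, is not HTTP
    ("10.1.1.8", b"GNUTELLA CONNECT/0.6\r\nUser-Agent: LimeWire/4.0\r\n\r\n"),
]

HTTP_REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")


def classify_port80(payload: bytes) -> str:
    """Label a TCP/80 client payload by looking past layers 3 and 4.

    A firewall sees only "port 80". Parsing the request line and the
    User-Agent header tells HTTP apart from other protocols on the port.
    The User-Agent is client-supplied and can be spoofed, so the browser
    labels are hints; the request-line check is the hard signal.
    """
    if not HTTP_REQUEST_LINE.match(payload):
        return "non-http"
    header_lines = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]
    user_agent = b""
    for line in header_lines:
        if line.lower().startswith(b"user-agent:"):
            user_agent = line.split(b":", 1)[1].strip()
    if b"MSIE" in user_agent:
        return "http-msie"
    if b"Firefox/" in user_agent:
        return "http-firefox"
    return "http-other"


@dataclass
class Verdict:
    label: str
    forwarded: bool        # did the session reach the server?
    alert: Optional[str]   # event raised for the security console, if any


# Constructed policy: what is permitted on TCP/80. Everything else is rogue.
POLICY = {"http-msie", "http-firefox", "http-other"}


def evaluate(src: str, payload: bytes, mode: str) -> Verdict:
    """Apply POLICY in IDS or IPS posture.

    'ids': passive, on a tap. The sensor sees a copy of the traffic, so the
           session is always forwarded and it can only raise an alert.
    'ips': inline. The device is in the data path and drops what POLICY
           rejects, without relying on any other device to act.
    """
    label = classify_port80(payload)
    allowed = label in POLICY
    alert = None if allowed else f"{src}: {label} session on tcp/80"
    if mode == "ids":
        return Verdict(label, True, alert)
    if mode == "ips":
        return Verdict(label, allowed, alert)
    raise ValueError(f"unknown mode {mode!r}")


def run(sessions, mode: str):
    return [(src, evaluate(src, payload, mode)) for src, payload in sessions]


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        print(f"--- {mode.upper()} ---")
        for src, v in run(SAMPLE_SESSIONS, mode):
            print(f"{src}: {v.label:13} forwarded={v.forwarded} alert={v.alert}")
```

In IDS mode all four sessions reach the server and two alerts are raised; in IPS mode the two non-HTTP sessions are dropped at the sensor. The same classifier serves both; the difference is only where the box sits in the data path.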

Network Awareness – Know Your Threat!
Who is peering with your critical systems?
Who are the IRC bots?
Who is probing your network?
Correlate security events to hosts/network objects
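The three questions on this slide answered over flow records, as an added example that is not part of the original deck: peering with critical systems, IRC-port connections, and low-byte fan-out that looks like probing, each attributed to the source host and then ranked for analyst attention. The addresses, names, port list and thresholds are constructed assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Critical systems whose peers we want to see. Hypothetical addresses and names.
CRITICAL = {"10.0.0.10": "registrar-db", "10.0.0.20": "payroll-app"}
# Well-known IRC server ports: a cheap first filter for bot command channels.
IRC_PORTS = {6667, 6668, 6669, 7000}
# A host touching this many distinct destinations with tiny flows is probing.
PROBE_THRESHOLD = 5
PROBE_MAX_BYTES = 100

# Constructed flow records (src, dst, dst_port, bytes), in the spirit of
# NetFlow/sFlow summaries. Illustrative only.
FLOWS: List[Tuple[str, str, int, int]] = [
    ("10.2.3.4", "10.0.0.10", 1433, 51200),   # admin workstation -> registrar DB
    ("10.2.3.4", "10.0.0.20", 443, 20480),    # same workstation -> payroll
    ("10.5.6.7", "192.0.2.9", 6667, 4096),    # dorm host -> external IRC
    ("10.5.6.7", "10.0.0.10", 1433, 700),     # same dorm host -> registrar DB
    ("10.9.9.9", "10.0.0.1", 22, 60),         # one host, six targets, tiny flows
    ("10.9.9.9", "10.0.0.2", 22, 60),
    ("10.9.9.9", "10.0.0.3", 22, 60),
    ("10.9.9.9", "10.0.0.4", 22, 60),
    ("10.9.9.9", "10.0.0.5", 22, 60),
    ("10.9.9.9", "10.0.0.6", 22, 60),
    ("10.1.1.1", "192.0.2.80", 80, 8000),     # ordinary web browsing
]


def correlate(flows) -> Dict[str, List[str]]:
    """Group security-relevant observations by source host.

    Returns {src: [event, ...]} with events of the form
    'peer:<critical-name>:<port>', 'irc:<dst>:<port>' or 'probe:<n>-hosts'.
    """
    events: Dict[str, List[str]] = defaultdict(list)
    tiny_targets: Dict[str, set] = defaultdict(set)
    for src, dst, dport, nbytes in flows:
        if dst in CRITICAL:
            events[src].append(f"peer:{CRITICAL[dst]}:{dport}")
        if dport in IRC_PORTS:
            events[src].append(f"irc:{dst}:{dport}")
        if nbytes < PROBE_MAX_BYTES:
            tiny_targets[src].add(dst)
    for src, targets in tiny_targets.items():
        if len(targets) >= PROBE_THRESHOLD:
            events[src].append(f"probe:{len(targets)}-hosts")
    return dict(events)


def rank(events: Dict[str, List[str]]) -> List[str]:
    """Order hosts for analyst attention: most distinct event categories first,
    then most events. A host that talks IRC and also peers with a critical
    system outranks one that merely peers with it."""
    def key(src):
        categories = {e.split(":", 1)[0] for e in events[src]}
        return (len(categories), len(events[src]))
    return sorted(events, key=key, reverse=True)


if __name__ == "__main__":
    ev = correlate(FLOWS)
    for src in rank(ev):
        print(src, ev[src])
```

With the constructed records, the dorm host that both joins an IRC channel and reaches the registrar database rises to the top; the admin workstation with two legitimate-looking critical peerings is next, and the SSH sweeper is flagged as a probe. The web browser never appears, which is the point of correlating to hosts: the console shows who needs a look, not every flow.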

Network QoS – Managed Unfairness
Bandwidth isn’t free and all traffic is not equal
Migration continues toward converged network, with multiple services over IP
Need to distinguish between the multiple services on the converged network infrastructure
Examples: voice and real-time video
Implementing QoS allows us to utilize existing bandwidth better
QoS tools can be used as security tools to safeguard priority network services and applications
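"Managed unfairness" as an added example, not from the original deck: a two-pass scheduler that honours a per-class guarantee, then shares the leftover up to each class's ceiling, compared against a plain best-effort link. The 100 Mbps link, the class names and the guarantee/ceiling numbers are constructed assumptions; the shape (guarantee plus cap) is what matters.

```python
from typing import Dict, Tuple

LINK_MBPS = 100

# Service class -> (guaranteed Mbps, ceiling Mbps). Hypothetical policy.
POLICY: Dict[str, Tuple[int, int]] = {
    "voice": (10, 10),          # small, fixed, must always be met
    "video": (20, 40),
    "admin": (20, 60),          # registrar, payroll, campus web services
    "student-bulk": (5, 30),    # P2P and downloads: leftovers only, capped
}


def allocate(demand: Dict[str, int], capacity: int = LINK_MBPS,
             policy: Dict[str, Tuple[int, int]] = POLICY) -> Tuple[Dict[str, int], int]:
    """Two-pass scheduler: honour every class's guarantee first, then hand out
    what is left 1 Mbps at a time, round-robin, never past a ceiling.
    Returns (allocation per class, unused capacity)."""
    alloc: Dict[str, int] = {}
    remaining = capacity
    # pass 1: guarantees
    for cls, (guarantee, _ceiling) in policy.items():
        grant = min(demand.get(cls, 0), guarantee, remaining)
        alloc[cls] = grant
        remaining -= grant
    # pass 2: share the leftover up to each ceiling
    progress = True
    while remaining > 0 and progress:
        progress = False
        for cls, (_guarantee, ceiling) in policy.items():
            want = min(demand.get(cls, 0), ceiling) - alloc[cls]
            if want > 0:
                alloc[cls] += 1
                remaining -= 1
                progress = True
                if remaining == 0:
                    break
    return alloc, remaining


def fifo_share(demand: Dict[str, int], capacity: int = LINK_MBPS) -> Dict[str, float]:
    """What a plain best-effort link does under overload: every class gets a
    share proportional to what it asks for, so the loudest class wins."""
    total = sum(demand.values())
    if total <= capacity:
        return {cls: float(d) for cls, d in demand.items()}
    return {cls: capacity * d / total for cls, d in demand.items()}


# Constructed demand in Mbps: a normal afternoon, and a flood from the dorms
# (a P2P surge or a DoS; the scheduler does not care which).
NORMAL = {"voice": 8, "video": 30, "admin": 30, "student-bulk": 60}
FLOOD = {"voice": 10, "video": 40, "admin": 60, "student-bulk": 1000}


if __name__ == "__main__":
    for name, d in (("normal", NORMAL), ("flood", FLOOD)):
        alloc, spare = allocate(d)
        print(name, "QoS :", alloc, "spare:", spare)
        print(name, "FIFO:", {k: round(v, 1) for k, v in fifo_share(d).items()})
```

Under the flood the QoS policy still gives voice its full 10 Mbps and holds bulk traffic at 20 Mbps, while the best-effort link would hand the bulk class over 90 Mbps and leave voice under 1 Mbps. That is the sense in which a QoS tool is a security tool: the priority services stay up whether the excess load is innocent or hostile.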


Segregating IP Networks - MPLS

Standardization
Openness applies to the user community, not to campus administration and staff
Deployed network applications and services must be tightly defined
IDS/IPS to look for malicious traffic within these applications and services
Standardized authentication systems – centralized online identity control
Operational & management support is key to policy enforcement

Provisioned Services
Bring all of these security concepts together
Portaling – Present services in a consistent fashion, roles-based authentication
Network Awareness – Defining and provisioning services provides a clear scope
QoS – Protect service resources
Segregation – Reduces threat vectors and malicious logic trees between services
Standardization – Building security in what we deploy
Create an atmosphere of what we can do, vs. what we can’t

Juniper Networks Portfolio

Thank You!

elopez@juniper.net