Developing an Effective
-
Upload
webhostingguy -
Category
Documents
-
view
148 -
download
0
Transcript of Developing an Effective
Developing an Effective & Affordable Security Infrastructure in
a Small College Environment
About Penn College Williamsport Technical Institute, founded 1941Williamsport Technical Institute, founded 1941 Williamsport Area Community College, founded 1965Williamsport Area Community College, founded 1965 Pennsylvania College of Technology, founded 1989Pennsylvania College of Technology, founded 1989 Special Mission Affiliate of Penn State UniversitySpecial Mission Affiliate of Penn State University Accredited - Middle States Association of Colleges and Accredited - Middle States Association of Colleges and
Secondary Schools Secondary Schools 6,358 headcount - 5,891 FTE6,358 headcount - 5,891 FTE 288 FTE faculty, 518 FTE staff288 FTE faculty, 518 FTE staff B.S., A.S. and certificate degrees in over 100 majorsB.S., A.S. and certificate degrees in over 100 majors Specialize in vocational and technology-based educationSpecialize in vocational and technology-based education Strong focus on small class sizes and hands-on instructionStrong focus on small class sizes and hands-on instruction www.pct.eduwww.pct.edu
Williamsport, PA
IT Infrastructure
2,600 College-owned computers, 1,400 student-owned computers in residential complexes
1,600 computers in 50+ academic computer labs, student to computer ratio of 4:1
Standard computer lab software includes Microsoft Windows XP, Office 2003, NetMail POP3 e-mail system
IT Infrastructure (cont’d)
1,000 staff/faculty PCs Standard employee image: Windows XP,
Office 2003, Novell GroupWise, iSeries client
Novell Directory Services (NDS) IBM iSeries mainframe, home-grown
legacy administrative applications WebCT, Sirsi, eRecruiting, Raiser’s Edge,
Cbord Odyssey, EBMS 25 Novell, 15 Microsoft, 3 Linux, 1 Sun, 1
AIX server
IT Infrastructure (cont’d) 100% Cisco network infrastructure
except for Packeteer Packetshaper Fast Ethernet via CAT5 for all building
LANs, Gigabit Ethernet via fiber for backbone
Dual Cisco 6500s for redundant core Fractional T-3 (30 Mbps) Internet
service Dial-up Internet access provided for
employees, not students About 50% wireless coverage
Campus Network Layout
Information Technology Services
Organization (50 employees) Desktop Computing
Academic ComputingTechnical Support/Help DeskTechnical Writer/Trainer
Administrative Information Systems Network Applications Mail & Document Services Media Services Telecommunications
Post Y2K IT Security “Problem”
Increasing threats from viruses, trojans, worms, hackers, etc.
Lack of security standards No coordinated security response Poor security awareness Minimal security policy No security testing
The “Challenge”
Limitations Budget Staff Time
Large backlog of post Y2K projects Balancing security effectiveness with
efficient resource management
Solution Analysis
Dedicated security staff vs. security team Advantages of team approach:
Utilizes existing staff and expertise Spreads/diffuses the importance of security
across all functional IT areas Funded through existing budgets
Disadvantages: No centralized focus/authority Long lead time to develop expertise Staff time directed away from other projects Not invented here syndrome
The “Solution” IT management recommended forming a
campus “security team.” Each area of the IT department
committed one employee and a percentage of its budget.
A senior manager was designated to provide leadership and coordination of this team effort.
The team met weekly over an initial 18 month period, then bi-weekly.
Rotating duty officer/CERT format
The Context Risk vs. investment Scope and impact for priority Mitigating risk factors
Administrative data locked up in IBM iSeries (AS/400)
GroupWise e-mail systemInstitutional policy requiring data files
to be stored on network drivesCentralized IT management and
budget culture
7-Layer Security Approach
Layer 1 - PhysicalLayer 1 - Physical Layer 2 - InternetLayer 2 - Internet Layer 3 - NetworkLayer 3 - Network Layer 4 - ResNetLayer 4 - ResNet Layer 5 - ServersLayer 5 - Servers Layer 6 - Employee PCsLayer 6 - Employee PCs Layer 7 - SocialLayer 7 - Social
Layer 1 - Physical Before
Distributed servers, not physically secured, some actually in staff/faculty offices
Network components not secured
Minimal UPS protection
After Most non-academic
servers moved to secured data center; backup generator
Wiring closets secured
UPS for all servers and network equipment
Layer 2 - Internet Before
Internet router with public IP addresses
No filtering of ports
After Cisco PIX firewall with PAT translation initially,
later acquired additional IPs, changed to NAT (still occasional problems, need an XLATE clear)
Access control list on Internet router (example) Packeteer - Although purchased for bandwidth
control, provides another layer of “protection” and “detection”
Internet Router ACL access-list 115 permit tcp any 0.0.0.0 255.255.255.0 access-list 115 permit tcp any 0.0.0.0 255.255.255.0
establishedestablished access-list 115 deny ip 10.0.0.0 0.255.255.255 anyaccess-list 115 deny ip 10.0.0.0 0.255.255.255 any access-list 115 deny ip 127.0.0.0 0.255.255.255 anyaccess-list 115 deny ip 127.0.0.0 0.255.255.255 any access-list 115 deny ip 172.16.0.0 0.15.255.255 anyaccess-list 115 deny ip 172.16.0.0 0.15.255.255 any access-list 115 deny ip 192.168.0.0 0.0.255.255 anyaccess-list 115 deny ip 192.168.0.0 0.0.255.255 any access-list 115 deny ip 224.0.0.0 15.255.255.255 anyaccess-list 115 deny ip 224.0.0.0 15.255.255.255 any access-list 115 deny ip host 0.0.0.0 anyaccess-list 115 deny ip host 0.0.0.0 any access-list 115 deny ip 12.23.198.0 0.0.0.255 anyaccess-list 115 deny ip 12.23.198.0 0.0.0.255 any access-list 115 deny ip 12.23.199.0 0.0.0.255 anyaccess-list 115 deny ip 12.23.199.0 0.0.0.255 any access-list 115 deny ip any 0.0.0.255 255.255.255.0access-list 115 deny ip any 0.0.0.255 255.255.255.0 access-list 115 deny tcp any any eq 135access-list 115 deny tcp any any eq 135 access-list 115 deny udp any any eq 135access-list 115 deny udp any any eq 135 access-list 115 deny tcp any any eq 137access-list 115 deny tcp any any eq 137 access-list 115 deny udp any any eq netbios-nsaccess-list 115 deny udp any any eq netbios-ns access-list 115 deny tcp any any eq 138access-list 115 deny tcp any any eq 138 access-list 115 deny udp any any eq netbios-dgmaccess-list 115 deny udp any any eq netbios-dgm access-list 115 deny tcp any any eq 139access-list 115 deny tcp any any eq 139 access-list 115 deny udp any any eq netbios-ssaccess-list 115 deny udp any any eq netbios-ss access-list 115 deny tcp any any eq 445access-list 115 deny tcp any any eq 445 access-list 115 deny udp any any eq 445access-list 115 deny udp any any eq 445
access-list 115 deny tcp any any eq 593access-list 115 deny tcp any any eq 593 access-list 115 deny udp any any eq 593access-list 115 deny udp any any eq 593 access-list 115 deny tcp any any eq 3333access-list 115 deny tcp any any eq 3333 access-list 115 deny udp any any eq 3333access-list 115 deny udp any any eq 3333 access-list 115 deny tcp any any eq 4444access-list 115 deny tcp any any eq 4444 access-list 115 deny udp any any eq 4444access-list 115 deny udp any any eq 4444 access-list 115 deny tcp any any eq 69access-list 115 deny tcp any any eq 69 access-list 115 deny udp any any eq tftpaccess-list 115 deny udp any any eq tftp access-list 115 deny tcp any any eq 161access-list 115 deny tcp any any eq 161 access-list 115 deny udp any any eq snmpaccess-list 115 deny udp any any eq snmp access-list 115 deny tcp any any eq 162access-list 115 deny tcp any any eq 162 access-list 115 deny udp any any eq snmptrapaccess-list 115 deny udp any any eq snmptrap access-list 115 deny udp any any eq 1993access-list 115 deny udp any any eq 1993 access-list 115 deny tcp any any eq 1900access-list 115 deny tcp any any eq 1900 access-list 115 deny udp any any eq 1900access-list 115 deny udp any any eq 1900 access-list 115 deny tcp any any eq 5000access-list 115 deny tcp any any eq 5000 access-list 115 deny udp any any eq 5000access-list 115 deny udp any any eq 5000 access-list 115 deny udp any any eq 8998access-list 115 deny udp any any eq 8998 access-list 115 permit icmp any any echoaccess-list 115 permit icmp any any echo access-list 115 permit icmp any any echo-replyaccess-list 115 permit icmp any any echo-reply access-list 115 deny ip any any log-inputaccess-list 115 deny ip any any log-input
Layer 3 – Network - Before
10.x.x.x organized geographically; each “building complex” has a subnet; 10.1.x.x, 10.2.x.x, 10.3.x.x, etc.
Any to any routing philosophy Simple telnet to devices No central security scheme
Layer 3 – Network - After
100% VLAN scheme VLANs based on
computer/user role Internet style ACLs applied
on traffic leaving VLANs Traffic denied entering VLAN if
no reason for the traffic Extended today to separate VLANS for point-of-sale
stations, HVAC, wireless, dial-up; each with its own ACL
SSH required to access devices, coordinated userid/password with Cisco ACS server that LDAPs to our NDS
10.1.x.x network 10.1.x.x network equipmentequipment10.2.x.x servers10.2.x.x servers10.3.x.x printers10.3.x.x printers10.4.x.x staff10.4.x.x staff10.100.x.x ResNet10.100.x.x ResNetEtc.Etc.
Layer 4 – ResNet
BeforeBeforeNormal network Normal network
subnetsubnet
No restrictionsNo restrictions
ISP attitudeISP attitude
No scanningNo scanning
After – version 1After – version 1 Single VLANSingle VLAN
ACL limited access to other ACL limited access to other campus VLANscampus VLANs
After – version 2After – version 2 VLAN per 48 port switchVLAN per 48 port switch
Internet style ACL “rule set” Internet style ACL “rule set” to block known bad ports to block known bad ports such as 445such as 445
Routine scanning and Routine scanning and quarantiningquarantining
Layer 5 – Servers - Before
Public IP address via firewall conduit Distributed physically No port filtering Inconsistent patch strategy No virus protection Inconsistent HTTPS implementation Many outside of the “network” department No scanning for vulnerabilities No disaster recovery plan
Layer 5 – Servers - After
Servers in data center or managed by server groupServers in data center or managed by server group HTTPS required for any sensitive dataHTTPS required for any sensitive data Private IP addresses mapped to public via “conduit” in the firewallPrivate IP addresses mapped to public via “conduit” in the firewall Port filtered in the firewall, deny all, allow those required for Port filtered in the firewall, deny all, allow those required for
specific servicesspecific services Port filtered coming out of ResNet and student computer labsPort filtered coming out of ResNet and student computer labs Managed patch strategy, critical patches applied in 24 hoursManaged patch strategy, critical patches applied in 24 hours Symantec Anti-Virus on serversSymantec Anti-Virus on servers NetMail/CA eTrust anti-virus and RBL filtering for e-mailNetMail/CA eTrust anti-virus and RBL filtering for e-mail GWAVA/Symantec Anti-Virus e-mail filteringGWAVA/Symantec Anti-Virus e-mail filtering GWAVA attachment filteringGWAVA attachment filtering Routine Nessus scanningRoutine Nessus scanning Comprehensive disaster recovery planComprehensive disaster recovery plan
Layer 6 - Employee PCs AfterAfter
Private IP address via PAT/NAT
Managed Symantec Anti-Virus
“Push” of critical Microsoft security patches via Novell ZenWorks
Nessus scanning
BeforeBefore Public IP address
No anti-virus
No patch management
No scanning
Layer 7 - Social BeforeBefore
Little or no public Little or no public awarenessawareness
No AUPNo AUP Loose user ID and Loose user ID and
password policiespassword policies ““It won’t happen It won’t happen
here, we know here, we know everyone personallyeveryone personally
AfterAfter Acceptable Use Policy Acceptable Use Policy Accounts blocked after Accounts blocked after
3 failed log in attempts3 failed log in attempts Passwords changed Passwords changed
every 180 daysevery 180 days Regular communication Regular communication
via online newspapervia online newspaper Security education Security education
classesclasses
What’s on the radar screen?What’s on the radar screen?
SpywareSpyware PC firewallPC firewall Instant Messenging issuesInstant Messenging issues VPNVPN Network access controlNetwork access control Two factor authenticationTwo factor authentication Security as it affects privacy issuesSecurity as it affects privacy issues E-mail securityE-mail security
Conclusion
Security team was the right Security team was the right approach for usapproach for us Effective, no significant Effective, no significant
down-time except for down-time except for Blaster/Welcia, fall 2003Blaster/Welcia, fall 2003
Cost-efficientCost-efficient
Diffused security Diffused security awareness across the awareness across the departmentdepartment
Developed security skills Developed security skills across ITSacross ITS
Security InfrastructureSecurity Infrastructure Cisco PIX firewallCisco PIX firewall Packeteer PacketshaperPacketeer Packetshaper Cisco VLANs/ACLsCisco VLANs/ACLs Symantec Anti-VirusSymantec Anti-Virus Novell ZenWorksNovell ZenWorks GWAVA Anti-GWAVA Anti-
virus/attachment filteringvirus/attachment filtering NessusNessus
DiscussionDiscussion
Slide to linkSlide to link