Providing secure open-access networks

Oliver Gorwits, Oxford University Computing Services

Transcript of the slides (posted 20-Dec-2015, category: Documents).
Workshop Outline

- Review of the Problem Domain
- Designing secure open-access networks
  - Incl. software and hardware choices
- Implementing secure open-access networks
  - OUCS and Libraries
- Q & A
Problem Domain

- Summer 2003: large-scale Internet worms
- Widespread laptop use
- Catch-22 for software updates
- Network security
- University business
Statutes and Regulations

- ICTC Regulations
  - Monitoring (4)
  - Viruses (7.11)
  - Resources (13.2, 13.3)
- JANET Acceptable Use Policy
  - Non-member use
Designing the Network
Use Cases (1)

- Vital!
- Humans - Who
- Applications - What
- Computers - How
- Locations - Where & When
Use Cases (2)

- OUCS Helpcentre
  - MS, Antivirus updates
- Building visitors
  - Lectures, Conferences
- Larger scale non-full-member
  - Library Readers – odd services
Network Integration (1)

- Cabling and Switch-gear
  - Mix-in with existing infrastructure
  - New or refurbished facility
- Labelling and Identification
  - Distribution cables
  - Port faceplates
Network Integration (2)

- IP space
  - Address and port translation
- Hardware Configuration
  - Backup management
  - Avoid the replacement-exposure problem
Managing Users

- Controlled access
  - Physical, to the building
  - Virtual, to the network
- Accounting
  - Open-access means unknown user?
- Supervision
Network Access

- Firewall rules
  - Refer to the Use Case
- OUCS – restricted
  - Official service servers only
  - Transparent HTTP redirect
  - Default deny in both directions
Basic Topologies

- VLANs
  - Vendor support
- NAT
  - Software or Appliance
- DHCP
  - Client support (MacOS pre-X)
Hardware

- Off the shelf appliances
  - Cisco PIX – DHCP & NAT
- Open Source
  - Linux/*BSD with daemons
- Black box solutions
  - Bluesocket – Web interface
Software

- Packet Filtering
  - iptables / ipfw
- Scanning
  - Commercial
    - Various - see Google
  - Non-commercial
    - nmap, nessus
Implementing the Network
OUCS Visitors Network (1)

- Mix-in with existing helpcentre network
- VLAN per user into managing devices
- Minimum ongoing maintenance
- No peer to peer communications
- Intended for MS/AV updates and teachers
- Restrictive service
OUCS Visitors Network (2)

Diagram (labels only): C2950; Protected Ports; Vlan100, Vlan103; VlanTrunk; Helpcentre Distribution Switch; Vlan100; Cisco PIX 515; Backbone
OUCS Visitors Network (3)

- Access Control List:
  - Default deny Incoming and Outgoing
  - OUCS: NTP, DNS, SMTP, HFS, NNTP, VPN
  - Also SSH, FTP, POP, IMAP to anywhere
  - OLIS on the telnet port
- Transparent HTTP redirect via OUCS proxy
- Minimal accounting; limited availability
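The restricted ruleset described on the Network Access slide and spelled out in this access control list (default deny in both directions, a short list of services to the OUCS servers only, four protocols to anywhere, telnet to OLIS alone, and HTTP handed to the OUCS proxy) is small enough to write down as data and check before it goes onto the firewall. The Python below is an added example, not code from the talk or from OUCS: the address ranges, the proxy address, the interface name and the HFS and VPN port numbers are assumptions, and the iptables rendering stands in for the Cisco PIX configuration the talk actually used.

```python
"""Policy-as-data model of the OUCS Visitors Network access-control list.

Added example; all addresses are constructed (RFC 5737 / RFC 1918 ranges),
not the real OUCS, OLIS or visitor-network addresses.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

VISITOR_NET = ip_network("10.200.0.0/24")       # assumed visitor VLAN
OUCS_SERVICES = ip_network("192.0.2.0/24")      # assumed "official service servers"
OLIS_HOST = ip_address("192.0.2.50")            # assumed OLIS catalogue host
OUCS_PROXY = (ip_address("192.0.2.80"), 8080)   # assumed transparent HTTP proxy

TCP, UDP = "tcp", "udp"
# The slide names services, not ports; the HFS and VPN entries are assumptions.
SERVICES = {
    "ntp":    {(UDP, 123)},
    "dns":    {(UDP, 53), (TCP, 53)},
    "smtp":   {(TCP, 25)},
    "hfs":    {(TCP, 1500)},   # assumed: TSM client port used by the HFS backup service
    "nntp":   {(TCP, 119)},
    "vpn":    {(UDP, 500)},    # assumed: IPsec IKE
    "ssh":    {(TCP, 22)},
    "ftp":    {(TCP, 21)},
    "pop":    {(TCP, 110)},
    "imap":   {(TCP, 143)},
    "telnet": {(TCP, 23)},
    "http":   {(TCP, 80)},
}
OUCS_ONLY = ("ntp", "dns", "smtp", "hfs", "nntp", "vpn")   # to OUCS servers only
ANYWHERE = ("ssh", "ftp", "pop", "imap")                    # to any destination


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    dport: int


def flow(src: str, dst: str, proto: str, dport: int) -> Flow:
    return Flow(ip_address(src), ip_address(dst), proto, dport)


def service_of(f: Flow):
    for name, endpoints in SERVICES.items():
        if (f.proto, f.dport) in endpoints:
            return name
    return None


def evaluate(f: Flow) -> str:
    """Return 'allow', 'deny' or 'redirect:<proxy>:<port>' for a new connection."""
    outbound = f.src in VISITOR_NET
    inbound = f.dst in VISITOR_NET
    if inbound or not outbound:
        # Default deny incoming: nothing may open a connection to a visitor, and
        # visitor-to-visitor traffic is refused too (no peer-to-peer).
        return "deny"
    svc = service_of(f)
    if svc in OUCS_ONLY and f.dst in OUCS_SERVICES:
        return "allow"
    if svc in ANYWHERE:
        return "allow"
    if svc == "telnet" and f.dst == OLIS_HOST:
        return "allow"
    if svc == "http":
        # Transparent redirect: the client believes it reached the web server;
        # the firewall rewrites the session to the OUCS proxy instead.
        return f"redirect:{OUCS_PROXY[0]}:{OUCS_PROXY[1]}"
    return "deny"   # default deny outgoing: anything unlisted (HTTPS included) is refused


def iptables_rules(ifname: str = "eth1") -> list:
    """Render the same table as iptables commands (interface name assumed)."""
    v, s = str(VISITOR_NET), str(OUCS_SERVICES)
    rules = [
        "iptables -P FORWARD DROP",                      # default deny, both directions
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for name in OUCS_ONLY:
        for proto, port in sorted(SERVICES[name]):
            rules.append(f"iptables -A FORWARD -s {v} -d {s} -p {proto} --dport {port} -j ACCEPT")
    for name in ANYWHERE:
        for proto, port in sorted(SERVICES[name]):
            rules.append(f"iptables -A FORWARD -s {v} -p {proto} --dport {port} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -s {v} -d {OLIS_HOST} -p tcp --dport 23 -j ACCEPT")
    proxy, pport = OUCS_PROXY
    rules.append(f"iptables -t nat -A PREROUTING -i {ifname} -s {v} -p tcp --dport 80 "
                 f"-j DNAT --to-destination {proxy}:{pport}")
    rules.append(f"iptables -A FORWARD -s {v} -d {proxy} -p tcp --dport {pport} -j ACCEPT")
    return rules
```

Running evaluate() over the flows each use case needs (who, what, how, where, from the Use Cases slides) before the ruleset goes live is the cheapest way to discover that, say, DNS over TCP or a VPN protocol the slide does not name has been left out. iptables_rules() shows how the same table becomes a ruleset for the Linux/*BSD option on the Software slide. Traffic between two visitors on the same VLAN never reaches the firewall at all; that is what the switch's protected ports are for.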
Libraries Reader Network (1)

- Permissive service due to user requirements
- Orthogonal to OUCS service
- Large number of (potential) users
  - Need to pre-register
- Multiple sites and networks
  - No site-local IT support
Libraries Reader Network (2)

Diagram (labels only): PC; Scanning Station; File Server; PC; Library Protected-Port Switch; Library Distribution Switch; Firewall; Backbone; NFS, SMB; MAC addresses
Libraries Reader Network (3)

Known limitations:

- Possible post-registration infection
- Annual registration expiry
- Client / Scanning Station incompatibility
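The three Libraries Reader Network slides describe a network admitted by pre-registered MAC address, with a scanning station in the diagram, annual expiry, and post-registration infection listed as a known limitation. The Python below is an added example of such a registry, not code from the talk or from the libraries: the registry layout, the rule that an entry only counts once a scan has passed, the 365-day validity, and every sample address and date are assumptions.

```python
"""Pre-registration store for a library reader network admitted by MAC address.

Added example; registry layout, the scan gate, the 365-day validity and all
sample values are assumptions, not the libraries' actual system.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta

REGISTRATION_VALIDITY = timedelta(days=365)   # "annual registration expiry"
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalise_mac(raw: str) -> str:
    """Canonical lower-case colon form; accepts 00:11:22:33:44:55,
    00-11-22-33-44-55 or 0011.2233.4455."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Registration:
    mac: str
    reader_id: str          # library reader identity taken at pre-registration
    registered_on: date
    scan_passed: bool       # assumed: scanning-station verdict recorded with the entry


class ReaderRegistry:
    def __init__(self):
        self._entries = {}

    def register(self, raw_mac, reader_id, registered_on, scan_passed):
        mac = normalise_mac(raw_mac)
        self._entries[mac] = Registration(mac, reader_id, registered_on, scan_passed)
        return mac

    def is_authorised(self, raw_mac, today):
        try:
            mac = normalise_mac(raw_mac)
        except ValueError:
            return False                       # fail closed on anything unparseable
        entry = self._entries.get(mac)
        if entry is None or not entry.scan_passed:
            return False
        # Expiry is purely date-based: the store knows nothing about the
        # machine's state after the day it was scanned, hence the slide's
        # "possible post-registration infection".
        return today < entry.registered_on + REGISTRATION_VALIDITY

    def authorised_macs(self, today):
        """Allow-list for the enforcement point on a given day (the slide does
        not say whether that is the switch, DHCP or the firewall)."""
        return sorted(m for m in self._entries if self.is_authorised(m, today))

    def expiring_soon(self, today, window=timedelta(days=30)):
        """Entries whose registration lapses within `window`, for renewal notices."""
        return sorted(m for m, e in self._entries.items()
                      if today < e.registered_on + REGISTRATION_VALIDITY <= today + window)
```

Normalising the address before every lookup matters because switches, DHCP leases and readers write the same MAC in different forms; a registry keyed on the raw string silently refuses legitimate machines. A client the scanning station cannot handle (the "incompatibility" limitation) simply never gets a passed scan recorded, so it is refused, which is the safe default but also a support cost at a site with no local IT.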
Q & A