Defending the campus juniper nerworks

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1
Defending the
Campus
Ed Lopez – Emerging Technologies

2Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
“The Headlines”
 “‟MafiaBoy‟ DDoS Attack Via University Network”
 “Postdoc Arrest Linked to Intellectual Property Theft from University
Labs”
 “Hack on University Exposes 1.4M Social Security Numbers”
 “Universities Fear 6th of Month as Klez Virus Re-erupts”
 “RIAA Sues Campus File-Swappers”
 “Weak Security Causes University to Ban Unauthorized Wi-Fi on
Campus Nets”
 “Campus Networks: Havens for Spammers?”
 “Vital Files Exposed in University Hacking, 32,000 Students and
Employees Affected”

Our Users – Our Problem
 Students – Bandwidth, Active Threat, No Standards
 Faculty – Openess, Intellectual Property, Communication
 Administration – Privacy/Financial/Academic Data, Web
Services
 Facilities/Security – Operations, Logistics, Emergency
Services
 Health Services – HIPPA, Medical Support Systems
 Externals – Support for Gov‟t Projects, External/Joint
Academics, Libraries, Research

Security is in How We Access Our
Networks
 Dormitories – Wired/Wireless, >1 host to 1 student
 Libraries – Shared systems, public/anonymous access
 Commons – Wireless, rogues, „evil twins‟
 Telecommuters – Commuting Students, Off-Campus
Housing, Fraternities/Sororities, „Starbucks‟ and other
community outlets
 Educational Areas – May have specialized requirements,
especially science departments
 Health Services & Administration – Autonomous but
linked
 Externals – Dedicated support requirements, threat from
external security breaches

Campuses – Crucibles for New
Technologies and Security Issues
 Varied OS Support: Windows (multiple versions),
MacOS, Linux, BSD, Palm, PocketPC, new handhelds
 No Personal Firewall/Anti-Virus Standards
 VoIP: Internally supported, Vonage, etc.
 Authentication: Passwords (weak), Tokens, SSN vs.
Unique Number, Single Sign-On vs. Segmentation
 Wireless vs. Wired
 Many Back Channels: POP3, IM, IRC, P2P, FTP, etc.
 Music: P2P vs. Legal Downloads

What We Intended

What We Ended Up With
Social Engineering

Firewalls Alone Are Not Enough
 A TCP/80 client session:
• Is it MSIE?
• Is it Mozilla Firefox?
• Is it a Warez P2P Session?
 Firewalls, even with application intelligence, only deal with Layer 3&4
 But with convergence of multiple applications around well-known ports &
protocols, how do we differentiate the legitimate ones from the rogue
ones?

Layered Threats – Layered Defenses

Domino Effect

Security Is Not Required for Applications &
Networks to Function!
 Everything works in the lab!
 Trust is inherent to design!
 What are your policies?
 How are they enforced?
 How do you detect/prevent malicious traffic,
rogue host/apps, and misuse?
 What is really on your network?

Security Requirements for the Campus
 Access Defense at Network/Data Centers – No effective perimeters, no
control of end-user hosts
 Network Awareness – Variable users/access/technologies make for
quickly changing threats
 QoS - defending bandwidth for necessary resources, mitigating DoS
attacks, policy conformance
 Segregation of IP Networks – With use of common infrastructure
 Standardization Where Possible – Enforcement of security processes
is a must for applications, data centers, and systems holding sensitive
data
 Provisioned Services – Key to consistant delivery of managable
services

Securing Access
 Wireless Access = Remote Access
 Common solution sets mean ease of deployment and common user
experience
• Can implement roles-based policies
 SSL VPNs are your friend
• Clientless – Just need a browser
• Encryption offers confidentiality, integrity of traffic
• Defend Remote Access, Wireless Access, Access to Data Centers
 You can‟t rely on host-based defenses, defend at the ingress
• Perimeter defenses (Firewall, ACL)
• NAV and Anti-spam on campus web/mail services

Securing Data Centers
 Best defenses are based on knowing what to
defend
• You may not control the clients, but you do
control the servers
 Tight perimeter defenses
 Portaling
 Intrusion Detection/Prevention
 Honeypots / Honeynets

Importance of Network Awareness
 “Network awareness now a new mindset for
security professionals.”
 “Every component of the network is part of the
ecosystem.”
 “The end user is the moving chess piece of the
network board.”
 “The really good intruders study the environment
before attacking.”
Source: Network Awareness,
whitepaper by BlackHat Consulting

IDS – Intrusion Detection System
Typically out of line of the data flow on a tap. Evaluates deeper
into the packet to validate protocol, search for exploits and
anomalies. All 7 layers of the OSI model can be parsed.
IDS
HELP
Dynamic ACL
request sent to the
router/firewall, or
TCP RESET sent to
close the session

IPS – Intrusion Prevention System
Typically inline of the data flow. Evaluates deeper into the packet
to validate protocol, search for exploits and anomalies. All 7
layers of the OSI model can be parsed. Does not have to rely on
other devices in the network to complete it‟s task.
IPS

Network Awareness – Know Your Threat!
 Who is peering
with your critical
systems?
 Who are the IRC
bots?
 Who is probing
your network?
 Correlate
security events
to hosts/network
objects

Network QoS – Managed Unfairness
 Bandwidth isn‟t free and all traffic is not equal
 Migration continues toward converged network, with multiple services over IP
 Need to distinguish between the multiple services on the converged network infrastructure
 Examples: voice and real-time video
 Implementing QoS allows us to utilize existing bandwidth better
 QoS tools can be used as security tools to safeguard priority network services and
applications
VoIP
Gold
Silver
Best
Effort
VoIPGold
Classify
Silver
Schedule
VoIPGoldSilver
Transmit

Segregating IP Networks - MPLS
Wireless Access
Housing
Remote Campus
VoIP
Internet Access
Campus Network
IP/MPLS
Multiple IP nets / Common Infrastructure
Security, Access Control at the Edge
Provisioned Services - Managability
PE PCE

Standardization
 Openness applies to the user community, not to
campus administration and staff
 Deployed network applications and services
must be tightly defined
 IDS/IPS to look for malicious traffic within these
applications and services
 Standardized authentication systems –
centralized online identity control
 Operational & management support is key to
policy enforcement

Provisioned Services
 Bring all of these security concepts together
• Portaling – Present services in a consistent fashion,
roles-based authentication
• Network Awareness – Defining and provisioning
services provides a clear scope
• QoS – Protect service resources
• Segregation – Reduces threat vectors and malicious
logic trees between services
• Standardization – Building security in what we deploy
 Create an atmosphere of what we can do, vs. what we
can‟t

23Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 23Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Juniper Networks Portfolio
M-series T-series
Large Core Metro
Aggregation
E-series
BRAS & Circuit Aggregation
Policy & Service
Control
Small/Med Core
Circuit Aggregation
Secure Access SSL VPN
Intrusion Detection and Prevention
Integrated Firewall/IPSEC VPN
Central Policy-based Management
NMC-RX
JUNOScope
Secure Meeting
Enterprise Routing
J-series

Defending the campus juniper nerworks

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (18)

Similaire à Defending the campus juniper nerworks

Similaire à Defending the campus juniper nerworks (20)

Dernier

Dernier (20)

Defending the campus juniper nerworks