90 likes | 200 Views
Wireless and Post OA Security Review. Mike Memory. ESCC Ohio State University July 21 – 22, 2004. Outline. Administrative Issues Purchasing Policy Credit Cards ADP Approval Documentation Policy Procedure Configuration Management. Outline Cont. Technical Issues Wireless
E N D
Wireless and Post OA Security Review Mike Memory ESCC Ohio State University July 21–22, 2004
Outline • Administrative Issues • Purchasing Policy • Credit Cards • ADP Approval • Documentation • Policy • Procedure • Configuration Management
Outline Cont. • Technical Issues • Wireless • Issues with Technology • Lab daily users • Lab Guest • Flat Network Security Model • Enclaves • Access control
Administrative Issues • Purchasing • What purchases are for network capable items? • ADP approval required for a gas analyzer, key lock box, etc.? • Need better control from procurement regarding credit cards and requisitions • Once purchased, how do we deal with it • Documentation • User awareness of Policies and CSPP • Risk assessments • Procedures regarding testing and deployment of new technology • Configuration Management for hosts, network devices, etc.
Technical Issues - Wireless • WEP was not in use on our Guest/Conference Wireless • Needed WEP and a Firewall (or ACL in router) at minimum • Limit access to the site and to the Internet • WEP was in use on the JLab user wireless network • But that is not enough • Suggested VPN, IPSec, Firewall • Need to treat WEP keys like user passwords • Storing, Changing, Distributing issues • Need detection for rouge access points • Other suggestions - 802.1x, 802.11i, etc.
Technical Issues - Network • Problem • Flat Network Security Model • Users can access most (not all) networks freely • Resolution • Segmentation of network • Enclaves need to be created based on: • security requirements, work group, functionality • Greater access controls between enclaves with ACL’s • Access to DAQ systems from desktop? No.
Fixing The Issues • Most issues we knew about and had plan for • Tough to implement with limited resources • Our timelines for implementation were seen as taking to long • Developed 5 Teams – Driven by our CIO • Network Security Team • Wireless Security Team • X11 • Host Configuration and Management • Authentication and Authorization
What we have done since OA • Determined Risk Assessment for all issues via teams • Tightened down our conference network • Done - WEP and ACL now limiting access • Deploying more VLANs as we categorize users and services for enclave assignment • Evaluating other wireless solutions for new technologies • Policies for purchasing changes well underway • Working hard to get more human resources
Conclusion • The OA review was educational • Lots of work has already occurred • Lots of work still to do in all areas of computing • Collaboration with other Labs a must to help us “NOT” re-invent the wheel