300 likes | 310 Views
Learn about practical IT security and how to protect the enterprise campus network. Explore technologies used and examples from the field. Includes a technology demo if time allows.
E N D
Enterprise Security Protecting the Campus Network Paul Kennedy Security & Compliance Group Leader Information Services
Objectives • An introduction to practical IT security • Some background on enterprise issues • The campus network • Samples of some technologies used • Examples from the battlefront • Technology Demo (if time allows)
What is an enterprise? • “a unit of economic organization or activity; especially: a business organization” • What defines an enterprise: scale, purpose and cohesion • Is the University an enterprise? Yes! • “A place of learning, research, academic endeavour, advancement of knowledge” • “A £380m global business with 5500 staff and 36000 customers”
Enterprise security • So what is enterprise security about? • Protection of an entity where the scale is a factor in the decisions made (e.g. number of users, computers; size of network or bandwidth of the links; cost of solutions) • Protection of an entity where the aims of the organisation need to be taken into consideration (e.g. business requirements) • Protection of an organisation where the human factor becomes critical to success
The University enterprise • Facts & Figures • An international University with campuses in the UK, China and Malaysia • 36000 students and 5500 staff in the UK • Numerous campuses • In Nottingham • Univ Park, Jubilee, Sutton Bonnington, King’s Meadow, QMC, City Hospital, Shakespeare St • the East Midlands • DCGH, DRI, Mansfield, Lincoln, Boston, Grantham • and further afield • Offices in London, Brazil, Shanghai, overseas campuses
Campus Network • 12000 machines on the campus network • Servers, desktops, laptops, network equipment, lab equipment, printers, VoIP devices, CCTV cameras, temperature sensors, cash tills, door access, building management system • 8000 computers on the student network (SNS) • 10 Gbps across the campus backbone • 2 x 1Gbps + 1 x 100Mbps connections to East Midlands MAN (EMMAN) and JANET • State-of-the-art “lights-out” primary data centre at KMC, secondary data centre (inc HPC) at CCC South • Is this a LAN or a WAN or a MAN?
The Academic Business • The business: • Financial management of £380m • HR management of 5500 staff records • SR management of 36000 student records • UK legislation • Data Protection Act (DPA), Freedom of Information (FoI), Human Rights Act (HRA) and more • Regulation of Investigatory Powers Act (RIPA) • Corporate Governance • External auditors, Internal Audit Service (IAS)
Academic Risk Profile • We are a business AND an academic institution and must provide security accordingly! • We’ll never have security like a bank • We can’t enforce corporate standards • We must support a wide range of teaching and research and a degree of choice in the tools that staff and students can use
Security Facts & Figures • We reject 3.5m spam emails per day • We saw alerts on suspicious behaviour from 7000 external network addresses yesterday • Anti-virus reported 120 desktop interceptions on campus yesterday • We intercept around 100-150 email borne malware items per day • We detect and report 5-10 previous unseen viruses to Sophos each year
Security Model • The University Security Model • Policy, IT Security, Physical Security • Defence in depth (the security “Onion”) • Multiple, overlapping layers of security • Security at different points in the network • At the perimeter / gateway / choke points • On the server / at the service layer • At the desktop • Across the network backbone • But … Business first, Technology Second!
Security Policy • You MUST have a security policy, approved by senior management in order to have enforceable security • ISO 27001 (aka ISO 17799, BS 7799) is the international standard for Information Security Management Systems • Security policy; Organisation of information security; Asset management; Human resources security; Physical and environmental security; Communications and operations management; Access control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance. • Based on the Plan-Do-Check-Act model • The University security policy is based on ISO 27001 but we are unlikely to seek certification at present
The Technology • At the perimeter / gateway / network level • Enterprise firewall • Allow or deny traffic based a set of rules • Email Gateway • Spam and malware detection and prevention • Secure web gateway • Proxying web traffic to check for malware • Bandwidth management • Limit or guarantee bandwidth available for services • Virtual LANs (VLANs) • Restrict the parts of the network specific traffic can reach • Anomaly detection • Measure network activity against a “normal” baseline • Network access control
At the Perimeter • Enterprise Firewall • Inspects packets entering or leaving the network against a defined rule set • Allows or denies based on src and dest IP address and port • Default Deny (“Deny everything except those services/protocols specifically required”) not Default Allow (“Allow everything, deny only known dangerous ports”) • 2 x Juniper NetScreen 5200s with failover (Gigabit capable) • Stateful packet inspection: knows which “conversations” are already in progress (prevents certain scans and attacks) • Over 1200 firewall change requests since 2004 • Over 600 rules in our firewall rule set (Spitzer: 200 is complex) • At default deny, network traffic dropped 50%, attacks 90%
Email Gateway • Currently an open source solution on linux • Exim, MailScanner, SpamAssassin, Sophos • 10 mail relays! (5 incoming, 5 outgoing) • 3.5m incoming emails per day of which 200000 are accepted for processing (5%) • Have employed “tag and pass” for too long!!! • Decisions are not only about technological solutions • Spam and malware handling is now a commodity item so we are outsourcing to a managed service provider Webroot
Secure Web Gateway • Over 80% of incoming network traffic from the Internet is the result of web browsing • Attack payloads via email are dropping • Attacks initiated from a HTML formatted web page with the payload delivered via the web are increasing • Current Squid proxy logs traffic and reduces risk of malware getting off campus but … • … this does not protect against most incoming threats • So implementing a Finjan Secure Web Gateway
Web Gateway Capabilities • Active real-time content inspection for detection and blocking of unknown attacks • Zero-hour vulnerability protection via virtual patching • Corporate Anti-Spyware solution for stopping known and unknown Spyware at the gateway • Anti-Crimeware protects your sensitive business data • Anti-Phishing prevents identity theft • SSL Inspection for “in-box” scanning of HTTPS traffic and enforcement of SSL certificates • Choice of leading Anti-Virus engines for protection against known viruses • Choice of leading URL Filtering engines for full control over your organization’s web browsing
Anomaly Detection • In 2006 IS was looking for a solution to provide better monitoring of traffic across the network • Looked at Intrusion Detection and Intrusion Prevention Systems (IDS/IDP) • Decided these were not suitable for the wide range of research traffic on our network (which can break firewalls) • Discovered the alternative approach of anomaly detection! • It learns what is normal network behaviour for each computer on the network and alerts to significant changes in that behaviour
Detection Example • Example: In August 2003, the University was hit by the Blaster worm. • 1500 computers were infected in a few hours • The immediate incident lasted two weeks • Complete clean up took four months • We can now detect a worm infected computer within minutes and, in most cases, prevent it from causing an outbreak before it affects the network
Network Access Control • At the start of each academic year 8000 student owned computers are connected to the Student Network Service (SNS) in Hall study bedrooms • These computers arrive as unseen and unknown quantities; often they are not properly secured and are already infected with viruses and other malware • They represent a potential threat to their fellow students, the SNS network and the wider campus network BUT IS is obliged to make them part of our community as soon as possible
Campus Manager I • In 2005 IS introduced Campus Manager which performs pre-connection health checks on student computers before it allows them access to the SNS and campus networks • Campus Manager ensures that student machines • Are fully patched with critical updates • Have anti-virus protection installed • Represent a minimal risk to the campus network
Sophos Upgrade • Just upgraded from Sophos A/V to Sophos Security & Control • No longer just A/V, now an End Point security solution • Anti-virus, anti-spyware, anti-adware • Desktop firewall, detection of PUA, HIPS • In Future Releases • NAC, device (USB, Bluetooth, IR), port & mobile control, data leak prevention
Sophos DBMS (sccapps) Updates from Sophos Sophos Console & EM Library Signature distribution web server Signature distribution file server (Univ Park: Campus Network) Signature distribution file server (Univ Park: Student Network) Signature distribution file server (Jubilee Campus) Signature distribution file server (Sutton Bonnington) Signature distribution file server (King’s Meadow) Signatures & product updates, remediation Status information, interception reports Desktop Clients Sophos Architecture
Social Engineering • Humans are usually the weakest link in any chain of security • You can provide policies and best practice, but you can’t force people to read it • University members do respond to phishing attacks from time to time • The best solutions to social engineering issue are usually ones that use technology in place to allow for possible human failings
Network Abuse • Misconduct, gross misconduct and criminal activity by University members • Yes, it does happen, but thankfully not that often • Gross misconduct can lead to dismissal from the University • Criminal activity can lead to prison • IS does provide evidence for hearings, tribunals and police investigations and court cases • ssshhh – Credit Card Scam Story
Summary • Enterprise security is about scale • You need policy, planning and architecture • You must consider the business before technology • Technology can sometimes reduce human factors but can’t always make up for human failings (or social engineering)