uw network security 2003
Terry Gray, University of Washington Computing & Communications, 17 October 2003
UW campus network (backbone)
• two border routers
• backbone switches
• ~30 level one routers
• subnets (733 total; 150 C&C); over 60,000 live devices
UW campus network (typical subnet)
• level one router, aggregation switch, edge switches
• campus subnets are a mixture of:
  • shared 10Mbps
  • switched 10Mbps
  • switched 10/100Mbps
Pacific Northwest Gigapop
• The PNW's access point to next generation Internets, including Internet2, high performance USA Federal Networks, and high speed commodity Internet
• A high speed peering point for regional and international networks
• R&D testbed inviting national and international experimentation with advanced Internet-based applications
Pacific Northwest Gigapop (connectivity)
• Internet2 2.5Gbps (10Gbps upgrade underway)
• Three different 1Gbps connections to the Internet, via three diverse network providers
• Multiple gigabits of connections to other national and international networks
• 30+ network customers
• attaches to both UW border routers
K20 Network Sites
• Public Baccalaureate (50)
• Community/Technical College (73)
• K-12 (307)
• Library (65 in process)
• Independent Colleges (9 approved)
seven security axioms
• Network security is maximized when we assume there is no such thing.
• Large security perimeters mean large vulnerability zones.
• Firewalls are such a good idea, every computer should have one. Seriously.
• Remote access is fraught with peril, just like local access.
• One person's security perimeter is another's broken network.
• Isolation strategies are limited by how many PCs you want on your desk.
• Network security is about psychology as much as technology.
Bonus: never forget that computer ownership is not for the faint-hearted.
credo
• focus first on the edge (the perimeter protection paradox)
• add defense in depth as needed
• keep it manageable
• provide for local policy choice...
• avoid one-size-fits-all
gray's defense-in-depth conjecture
• MTTE (mean time to exploit) = k * N**2
• MTTI (mean time to innovation) = k * N**2
• MTTR (mean time to repair) = k * N**2
where N = number of layers
C&C security activities
• logical firewalls
• project 172
• network infrastructure protection
• reverse IDS (local infection detection)
• auto-block; self-reenable
• traffic monitoring tools
• who/where traceability tools
• nebula
• proactive probing
• honeypots
• security operations
• training; consulting
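The "reverse IDS (local infection detection)" and "auto-block; self-reenable" items name a pattern rather than an implementation: watch traffic leaving campus hosts, flag a host whose fan-out looks like a worm hunting for victims, block it, and let the block lapse on its own so a cleaned machine gets back on without a ticket. The Python below is an added example of that pattern, not UW C&C's own tooling. The campus prefix (10.0.0.0/8), the thresholds, the function and class names (detect_scanners, Blocklist, run_cycle) and the sample flow records are all assumptions constructed for the example.

```python
"""Toy 'reverse IDS' (outbound infection detection) plus auto-block with
self-re-enable. Added example; not UW C&C's code."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the campus is a single RFC 1918 prefix for this example.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/8")

T0 = datetime(2003, 10, 17, 9, 0, 0)

# Constructed sample flow records: (timestamp, src, dst, dst_port).
SAMPLE_FLOWS = (
    # local host 10.1.2.3 hits 25 distinct external hosts on 445 in 25 s: worm-like fan-out
    [(T0 + timedelta(seconds=i), "10.1.2.3", f"192.0.2.{i + 1}", 445) for i in range(25)]
    # local host 10.1.2.4 visits three web servers: benign
    + [(T0 + timedelta(seconds=i * 5), "10.1.2.4", f"198.51.100.{i + 1}", 80) for i in range(3)]
    # external host scanning INTO campus: a conventional IDS problem, not this one
    + [(T0 + timedelta(seconds=i), "203.0.113.9", f"10.9.0.{i + 1}", 445) for i in range(30)]
)


def detect_scanners(flows, local_net=LOCAL_NET, fanout=20, window=timedelta(seconds=60)):
    """Return {local_src: dst_port} for local hosts that contacted at least
    `fanout` distinct destinations on one port within any `window`."""
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        if ipaddress.ip_address(src) in local_net:      # only local sources matter
            by_key[(src, dport)].append((ts, dst))
    flagged = {}
    for (src, dport), events in by_key.items():
        events.sort()
        in_window = defaultdict(int)   # dst -> number of flows still inside the window
        start = 0
        for ts, dst in events:
            in_window[dst] += 1
            while events[start][0] < ts - window:   # slide the window forward
                old_dst = events[start][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                start += 1
            if len(in_window) >= fanout and src not in flagged:
                flagged[src] = dport
    return flagged


class Blocklist:
    """Auto-block with self-re-enable: a block expires after `quarantine`
    unless the host is flagged again, so a cleaned machine comes back on
    its own and an uncleaned one is simply re-blocked next cycle."""

    def __init__(self, quarantine=timedelta(hours=1)):
        self.quarantine = quarantine
        self._until = {}

    def block(self, host, now):
        self._until[host] = now + self.quarantine

    def is_blocked(self, host, now):
        until = self._until.get(host)
        if until is None:
            return False
        if now >= until:
            del self._until[host]   # quarantine over: self-re-enable
            return False
        return True


def run_cycle(flows, now, blocklist):
    """One detection cycle: flag scanners and (re)block them; return the flags."""
    flagged = detect_scanners(flows)
    for host in flagged:
        blocklist.block(host, now)
    return flagged


if __name__ == "__main__":
    bl = Blocklist()
    print(run_cycle(SAMPLE_FLOWS, T0 + timedelta(minutes=1), bl))
    print(bl.is_blocked("10.1.2.3", T0 + timedelta(minutes=30)),
          bl.is_blocked("10.1.2.3", T0 + timedelta(hours=3)))
```

Two design points carry over from the slide's wording. The detector only considers flows whose source is inside the campus prefix, which is what makes it a "reverse" IDS: the inbound scan from 203.0.113.9 is ignored here even though a conventional perimeter IDS would alarm on it. And the block carries its own expiry rather than waiting for an operator to lift it, which is the "self-reenable" half of "auto-block"; a host that is still infected simply trips the fan-out rule again on the next cycle.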