A Conversation on - PowerPoint PPT Presentation

About This Presentation
Title:

A Conversation on

Description:

User client (optional) allows auto-insertion of onetime password ... VLAN pooling implemented to balance client leases across multiple VLANs ... – PowerPoint PPT presentation

Number of Views: 41
Avg rating: 3.0/5.0
Slides: 63
Provided by: richard230

Transcript and Presenter's Notes

1
A Conversation on Ohio State's Enterprise Infrastructure with The Offices of the CIO
July 26, 2007, Mount Hall Auditorium
2
(No Transcript)
3
Topics
  • Welcome Mike Veres
  • Enterprise Security Chuck Morrow-Jones
  • Enterprise Identity Management Greg Niemeyer
  • OSU Wireless Bob Corbin
  • Infrastructure Services Mitch Dysart
  • Buckeye Secure Mitch Dysart
  • OSUNet Charlie Clay
  • Voice Services Charlie Clay
  • Carmen Joanne Dehoney
  • CIO LAN Project Brian Newcomb
  • Hardware Maintenance Larry Glover
  • Central Email Improvements John Ellinger

4
Enterprise Security
5
Security Standards
  • Minimum Computer Security Standard
  • Critical Computer Security Standard
  • Database Computer Security Standard
  • Webservices Computer Security Standard

6
Minimum Computer Security Standard (MCSS)
  • Turn on and configure the host-based firewall
  • Install, update and patch current OS and
    applications
  • Run and regularly update anti-malware software
  • Use passwords or other appropriate authentication
    mechanisms to control device access

7
Minimum Computer Security Standard
  • Exception handling and compensating controls will
    need to be worked out
  • Compliance must be automated and auditable
  • Non-compliant machines must be isolated
  • Compliance must be certified

8
MCSS Timeline
  • Network Readiness and Solution Options
    • Inventory, review and analyze current central and
      distributed networks to determine MCSS readiness
    • Identify automated and auditable solutions
    • June - August, 2007

9
MCSS Timeline
  • CIO Resources
    • Plan and pilot NAC or equivalent for CIO
      resources: wireless, public labs, classrooms
    • Coordinate through Internal Audit to develop an
      appropriate audit plan incorporating IT into the
      university certification process
    • September - December, 2007

10
MCSS Timeline
  • Unit Resources
    • Pilot and phase in an automatic and auditable
      campus wide solution
    • December, 2007 - April, 2008

11
Critical Computer Security Standard
  • Server standard for critical computers (usually
    servers).
  • Critical computers must also meet MCSS
  • Critical computers must be registered with CIO
    Security
  • Comply with physical protection standards
  • Comply with a number of best practices to ensure
    that critical computers are adequately
    administered and monitored.

12
Database Computer Security Standard
  • Server standard for database servers containing
    restricted data - must also meet CCSS and MCSS
  • Employ strong security practices (e.g.
    encryption) when restricted data are stored in
    database
  • Appropriately isolate database computers
  • Install and configure database to eliminate
    common vulnerabilities

13
Webservices Computer Security Standard
  • Server standard for web servers, especially those
    that provide access to restricted data - must
    also meet CCSS and MCSS
  • Developers must follow standards (such as OWASP)
    to prevent exploitable flaws
  • Appropriately control and monitor web-based
    access to data, especially restricted data

14
Timeline For Remaining Standards
  • Collaboratively develop remaining standards, and
    assure appropriate inter-relationships among the
    standards.
  • June-August, 2007

15
Firewalls
  • We currently provide firewalls through 2 venues
  • Operations supports firewalls for servers hosted
    at KRC
  • Security supports departmental firewalls through
    consulting/support services and through our own
    firewall product.
  • The security group's firewalls are rack-mounted
    Intel boxes running OpenBSD, booting from a flash
    drive

16
Firewalls
  • An RFP is being prepared to purchase a large
    Enterprise-class firewall that we can use to
    provide virtual firewalls to replace our current
    hardware
  • Operations and Security will continue to provide
    the firewall services that we currently provide

17
Scanning
  • We scan the OSU networks with various tools
    looking for security issues that need to be
    corrected
  • Most of these tools are available either for free
    or through a site license, so you can use them
    also
  • Scanning your local network is useful, since we
    cannot see through your firewall

18
Scanning - Open Source Tools
  • nmap is an open source port scanner - we scan OSU
    weekly using it
  • nessus is an open source vulnerability scanning
    tool, similar to Internet Security Scanner
    (ISS). We have been experimenting with this to
    see how it compares to ISS.

19
Scanning
  • ISS Internet Scanner is a commercial
    vulnerability scanner that we have site licensed.
  • We currently scan everything in the Office of the
    CIO once a month
  • We will be scanning everything at OSU once a
    quarter using this or nessus

20
Scanning
  • appscan is a commercial web application scanning
    tool which we use to find SQL Injection
    vulnerabilities on OSU web servers. We do not
    have a site license.
  • sqlix is an open source SQL Injection scanning
    tool that we also use.

21
Scanning
  • Web application scans and other scans can be
    scheduled by sending email to security@osu.edu.

22
Two Factor Authentication
  • !!!! FINALLY !!!!

23
Two Factor Authentication
  • Initial funding request in February, 2005
  • Project expanded from its initial scope
  • Lengthy purchasing process for RSA
  • Equipment received in June, 2007

24
Two Factor Authentication Project Objectives
  • Provide a robust infrastructure with capacity of
    up to 20,000 users
  • Replace two existing 2-factor environments within
    CIO offices (50 users)
  • Provide two factor services to the Enterprise LAN
    project (300 users)
  • Provide services to OSU Library users (900 users)
  • Provide services to SIS core users (3,000 users)

25
Two Factor Authentication Architecture
  • First factor (what you know) is password
  • Second factor (what you have - one time password)
    is a time based 6 digit number, changing every
    minute.
  • Hosted by replicated RSA SecurID appliances in
    separate locations
  • Uses an RSA client running on applications, e.g.
    PeopleSoft
  • User client (optional) allows auto-insertion of
    one-time password
  • Uses RSA SecurID 800 Hardware Tokens

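The second factor described above, a time-based six-digit code that changes every minute, can be illustrated with a generic HMAC-based time-step OTP. The following Python is an added example, not code from this presentation and not RSA's SecurID algorithm (which is proprietary); the 60-second step, six digits, the demo seed and the one-step drift window are assumptions chosen to match the slide's description. Beyond code generation it shows the two server-side checks a practitioner wants: tolerating a small clock skew between token and server, and refusing a code that has already been accepted, so a code captured in transit cannot be reused within its one-minute window.

```python
import hashlib
import hmac
import struct

# Assumed parameters chosen to match the slide: 60-second step, 6-digit codes.
# Generic RFC 6238-style construction, not RSA SecurID's token algorithm.
TIME_STEP = 60
DIGITS = 6


def totp_at(secret: bytes, unix_time: int, step: int = TIME_STEP,
            digits: int = DIGITS) -> str:
    """Return the code valid at `unix_time`: HMAC-SHA1 over the 8-byte
    big-endian time-step counter, dynamically truncated to `digits` digits."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class OtpVerifier:
    """Server-side check of a submitted code.

    Accepts the code for the current step or one step either side of it
    (clock drift), and never accepts a step at or before the last accepted
    one, so a captured code cannot be replayed inside its validity window."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_counter = -1  # highest time-step counter accepted so far

    def verify(self, code: str, unix_time: int) -> bool:
        now_counter = unix_time // TIME_STEP
        for delta in range(-self.drift_steps, self.drift_steps + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue  # that step was already used (or is older): replay
            expected = totp_at(self.secret, counter * TIME_STEP)
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo seed (the RFC 4226 test key), not a real token seed.
    seed = b"12345678901234567890"
    verifier = OtpVerifier(seed)
    code = totp_at(seed, 90)                  # code for the second minute
    print(code, verifier.verify(code, 90))    # accepted
    print(code, verifier.verify(code, 90))    # same code again: rejected
```

The replay rule is deliberately monotonic: once a step has been accepted, no code for that step or an earlier one is honoured, even though the drift window would otherwise still match it.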
26
(No Transcript)
27
Intrusion Detection/Prevention
  • We use a variety of techniques to identify
    malicious network activity and respond to it
  • We use bro to detect various sorts of network
    activity (spam, SQL injection attempts, unusual
    ssh and ftp activity, cmd.exe backdoors)
  • We also look for signs of scanning in our netflow
    logs

28
Intrusion Detection/Prevention
  • We are proficient at finding IRC based botnets.
  • We also use darknet monitoring to find computers
    that are scanning.
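Two of the detection sources listed here, scan indicators in netflow logs (slide 27) and darknet monitoring (slide 28), can be run as a single piece of logic over flow records. The Python below is an added example, not the presentation's or OSU's own tooling: it reads a constructed set of simplified flow records (source, destination, destination port, bytes) and flags a source that touches many distinct hosts (a horizontal sweep), many distinct ports on a host (a vertical scan), or any address inside an assumed unused block standing in for a darknet. The thresholds, the sample addresses and the 10.99.0.0/16 darknet range are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed unused address block monitored as a darknet (illustrative only).
DARKNET = ip_network("10.99.0.0/16")


def parse_flow(line: str):
    """Parse one simplified flow record: 'src dst dport bytes'."""
    src, dst, dport, nbytes = line.split()
    return src, dst, int(dport), int(nbytes)


def find_scanners(lines, min_hosts: int = 10, min_ports: int = 10,
                  darknet=DARKNET):
    """Return {source: [reasons]} for sources showing scan behaviour.

    horizontal-scan: one source reached >= min_hosts distinct destinations
    vertical-scan:   one source tried >= min_ports distinct destination ports
    darknet:         one source sent anything into the unused address block
    """
    hosts = defaultdict(set)
    ports = defaultdict(set)
    darknet_hits = defaultdict(int)
    for line in lines:
        src, dst, dport, _ = parse_flow(line)
        hosts[src].add(dst)
        ports[src].add(dport)
        if ip_address(dst) in darknet:
            darknet_hits[src] += 1

    findings = {}
    for src in hosts:
        reasons = []
        if len(hosts[src]) >= min_hosts:
            reasons.append("horizontal-scan")
        if len(ports[src]) >= min_ports:
            reasons.append("vertical-scan")
        if darknet_hits[src] > 0:
            reasons.append("darknet")
        if reasons:
            findings[src] = sorted(reasons)
    return findings


def constructed_flows():
    """Constructed sample records, not real traffic."""
    flows = []
    # one source sweeping 12 hosts on a single port
    for i in range(1, 13):
        flows.append(f"10.1.2.3 10.20.0.{i} 22 60")
    # one source trying 12 ports on a single host
    for port in (21, 22, 23, 25, 53, 80, 110, 135, 139, 443, 445, 3389):
        flows.append(f"10.1.2.4 10.20.0.50 {port} 60")
    # one source probing addresses nothing legitimate should ever contact
    flows.append("10.1.2.5 10.99.3.7 445 60")
    flows.append("10.1.2.5 10.99.200.1 445 60")
    # ordinary web traffic from a benign host
    flows += ["10.1.2.6 10.20.0.50 443 5120",
              "10.1.2.6 10.20.0.51 80 4096",
              "10.1.2.6 10.20.0.52 443 8192"]
    return flows


SAMPLE_FLOWS = constructed_flows()

if __name__ == "__main__":
    for src, reasons in sorted(find_scanners(SAMPLE_FLOWS).items()):
        print(src, ", ".join(reasons))
```

On real flow exports the same logic would be applied per time window, and the darknet rule needs no threshold at all: a single flow into space that has never been allocated is already a strong indicator, which is why it complements the count-based rules.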

29
Intrusion Detection/Prevention
  • We respond to malicious activity by blocking
    compromised computers or by sending warnings to
    their administrators.
  • We hope in the future to be able to quarantine
    people (through NAC systems that will be deployed
    on campus) based on detected activity.

30
Enterprise Identity and Access Management
31
What is Identity Management?
  • Identity Management (IdM) is a combination of the
    business processes and supporting infrastructure
    required to create, maintain, and use digital
    identities throughout their lifecycle within an
    organization.

Drivers
  • Institutional Goals
  • Constituent Requirements
  • Policy Governance
  • Standards
  • Budget
  • Project Management
Ability to Implement
  • Technology
  • Practices
  • Products
  • Staff Skills/Expertise
Source: Vandenberg, 2006
32
Functional Aspects of a Complete Identity and
Access Management (IAM) Platform
  • Password Management
  • Authentication and Authorization
  • Auditing / Reporting
  • Provisioning / De-Provisioning
  • Reduced (Simplified) Sign-On
  • Self Service
  • Information Consolidation
  • Federation Services

Enterprise IdM Reduces Risk
  • Unifies accounts and passwords
  • Grants the right access to the right user at the
    right time
  • Enables strong audit of all account activities
  • Reduces risk of tampering with sensitive data

33
Top Reasons to Build an Identity Management
Solution for Higher Education
  • Growing Service Needs
  • Legislation and Compliance
  • Publicity and Public Relations
  • Services Available from the Federal Government

Source: EDUCAUSE, http://www.educause.edu/2006SurveyResources/10236
34
Current Status
  • Authentication and Authorization Identity
    Repository
    • MS Active Directory (LDAP)
    • Initially providing Authentication for SIS
  • RFP
    • New RFP to be released
    • Focused on initial IDM goals
      • Provisioning / De-provisioning
      • Password management
      • Identity repository for authentication and
        authorization
      • Auditing and Reporting
    • Enterprise wide systems for initial integration
    • Technical requirements will mostly be unchanged
  • Phase 1: Build IdM Infrastructure

35
(No Transcript)
36
Current Status
  • 2977 access points installed (as of 7/20/07)
  • 22 wireless controllers, one mobility domain
  • Over 3,400 peak concurrent users
  • Aruba OS/Mobility Management Systems release
    timeline
    • 9/5/2006 (AOS 2.5.3, MMS 1.0)
    • 7/20/2007 (AOS 3.1.0.11, MMS 2.1.0.2)

37
Current Status Installation Details
  • Student Affairs Wireless Installation
    • 2100 access points (APs) installed in 38
      residence halls on Main Campus
    • 270 APs at Buckeye Village
    • 155 APs at Regional Campus
    • 10 APs in Fawcett Center
    • 52 APs in Blackwell Hotel
  • Student Gathering Areas
    • 215 APs in over 70 buildings
    • Installation of additional SGA coverage (105
      APs) in progress
  • Customer Requests and AP Swaps (OSUWeb.net)
    • 175 APs

38
Significant Milestones
  • Implementation of Wireless Guest Access at
    Fawcett Center and Wexner Center
  • VLAN pooling implemented to balance client leases
    across multiple VLANs
  • Distributed management functionality (available
    in MMS 2.1) was implemented for APs managed by
    Student Affairs IT
  • Pilot (in OIT) of departmental wireless access
    with VLAN derivation to access local network
    resources
  • Implementation of OSUVOICE across all
    non-residence hall APs
  • Currently processing 58 Customer Requests
    (Surveys, SLAs, Installation)

39
Infrastructure Services

40
Infrastructure Services
  • Central Disk Storage
    • Improved performance
    • Fibre channel and iSCSI
  • Central Backup Services
    • Networker
    • Search underway for continuous data backup
      product for personal computers
  • Data Center Co-location
    • Floor and rack space at both data centers

41
More Infrastructure Services
  • VMware Server Availability
    • Server provisioning for temporary or permanent
      use
  • Database Administration
    • MS SQL
    • Oracle
  • Operator Services

42
Even More Infrastructure
  • System Administration Services
    • Microsoft
    • Linux
    • Unix (Solaris, HP-UX, AIX, FreeBSD)
  • Enterprise LAN

43
Buckeye Secure

44
Buckeye Secure
  • Originally, a program that encompassed
    • Identity Management
    • SSN Remediation
    • Legacy SSN Protection
  • Now, a brand used by the CIO
  • Governance structure continues as coordinating
    team for CIO security projects

45
OSUNet

46
OSUNet
  • Current Projects
    • GigE upgrade
    • BLUECAT networks DNS/DHCP in production
    • Network performance monitoring
    • Border router upgrade
    • I1 and I2 connectivity
    • NAC
    • Centralized/virtual firewalls

47
Voice Services

48
Voice Services
  • SL100 upgraded to CS2100 in April
  • Supports native VoIP services
  • PSTN to VoIP gateway (wired/wireless)
  • New I3 Call Center in production and expanding
  • Voice mail upgrade
  • Initiated projects to replace system (1-2 yrs)
  • Moving to a Unified Messaging solution
  • Requires Input from the Campus community

49
CARMEN

50
Carmen Updates
  • Upgrade
    • Improved performance: gradebook and quizzes
    • Sortable column and calculated column in
      gradebook
    • New functions, especially for tracking college
      and department level objectives
    • Metadata console
  • Access
    • Standardized temporary accounts for non-OSU users
  • Distributed Support, aka Carmen Superusers
    • 90 participants across all colleges and many
      departments

51
In Pilot for Fall
  • Lockdown browser
  • Version 8.2
  • Adding temporary account creation to
    authorities of Carmen Superusers (L3)

52
Winter 2008
  • Version 8.2 upgrade
  • Sortable auto-generated columns in gradebook
  • Reporting database
  • Additional accessibility improvements
  • D2L SDK

53
CIO LAN Project

54
CIO LAN PROJECT
  • To develop a secure, scalable LAN solution that
    provides reliable file and print sharing for all
    staff within the offices of the CIO.

55
Progress
  • Active Directory built
    • Namespace at ad.service.osu.edu
    • Full integration with new DNS/DHCP solution
  • Half of the storage is ready now, the rest is due
    in August
  • SharePoint services to be included
  • Enhancements provided to 8HELP support tools
    • Ability for 8HELP staff to reset passwords and
      view account information

56
Progress
  • Altiris desktop management tool procurement in
    process
  • Costing model being developed
  • GOAL: be ready to offer as a service outside CIO
    by September 1, 2007
  • All inclusive service
  • This LAN solution will meet all requirements of
    the MCSS

57
Hardware Maintenance

58
Hardware Maintenance
  • An RFP was generated for the maintenance of
    approximately 250 servers at KRC, TNC and Baker
    Systems
  • QSGI's bid met all of the requirements at about a
    30% savings, in comparison to the contract that
    expired on June 30th

59
Hardware Maintenance
  • Highlights of the new agreement
    • 24x7 support, 15-minute call back, 2-hour
      on-site
    • Certified parts/full systems support in Columbus
    • Offer fixed pricing for maintenance
    • Offer time & materials
    • Will have Sun, HP and IBM on day one
    • Dell can be added
    • Monthly/quarterly meetings to assure service
      goals are being met

60
Hardware Maintenance
  • Contact
    • Zachary Miller
    • 866-303-9672
    • 651-365-0303
    • Zachary.Miller@qsgi.com

61
Central Email Improvements

62
  • Upgrade current e-mail environment to the
    following
    • Sun Java System Messaging 6.3 Message Store
      (with Sun Cluster 3.1)
    • Sun Java System Directory Server 6.0 Calendar and
      Messaging
    • Sun Java System Messaging 6.3 MTA
    • Sun Java System Communications Express 6.3
    • Sun Java System Messaging POP/IMAP MMP
  • Replacement of servers reaching end-of-support
  • Increase of default mail storage available (TBD)
  • Implementation target October 2007