Innovative Security Solutions CANHEIT 2006 Halifax, June 14

Slides: 13
Provided by: rob9154

Transcript and Presenter's Notes



1
Innovative Security Solutions
CANHEIT 2006, Halifax, June 14
Jens Haeusser
Information Security Officer
University of British Columbia
2
The Challenge
  • Growing complexity and frequency of security
    threats
  • Defense in Depth required
  • Secure remote access required
  • How do you secure a decentralized infrastructure?

3
Agenda
  • About UBC
  • Enterprise Collaboration
  • RFP Process
  • Centralized Departmental Firewalls
  • SSL VPN Service
  • Other Initiatives

4
About UBC
  • 47,000 Students, 12,000 Faculty & Staff
  • 430 Buildings, 520 Hectares
  • Very decentralized university
  • Central IT runs network, admin servers
  • Departments run autonomous IT shops
  • UBC e-Strategy aligns IT with strategic goals

5
Enterprise Collaboration
  • Enterprise infrastructure, local control
  • Leverage economies of scale
  • Centrally locate and support redundant hardware
  • Delegate local administration to departmental
    admins
  • Puts control and configuration close to users
  • Units as partners, not clients

6
RFP Process
  • Up front involvement of broad community
  • Inclusive requirements gathering stage
  • Strict procurement process
  • Paper interview based short list
  • Extensive lab testing
  • Community feedback contributes to final score

7
Centralized Departmental Firewalls
  • No firewall at UBC border
  • Strong layers of protection on admin systems
  • Departments deploy either costly enterprise
    hardware, non-scalable non-redundant, or
    nothing
  • Edge routers upgraded for VOIP deployment
  • Redundant Cisco 6509s w/ Firewall Service Modules
  • Up to 250 Virtual Contexts per FWSM
  • Individual resource limits per context

8
Firewall Options
  • Standard Filters
      • UBC Border
      • Departmental VLAN Edge
      • Simple to manage via Web (Transmogrifier)
      • Not truly stateful (established flag)
  • Virtual Firewall Context
      • Much more complex rule sets and features
      • Extensive management via PDM/SSH
  • 5,600 vs 30,000
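
The "not truly stateful (established flag)" point above, as an added example that is not part of the original presentation. It assumes the standard filters behave like a router ACL with the `established` keyword, which passes any inbound TCP segment carrying ACK or RST, and compares that with a simplified flow tracker; the addresses, ports and class names are constructed for illustration.

```python
from dataclasses import dataclass

ACK, RST, SYN = 0x10, 0x04, 0x02  # TCP flag bits

@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    inbound: bool  # True = arriving from outside the protected VLAN

def established_filter(seg):
    """Stateless rule: inbound passes if ACK or RST is set, whatever came before."""
    return (not seg.inbound) or bool(seg.flags & (ACK | RST))

class StatefulFilter:
    """Simplified tracker: no TCP state machine, timeouts or sequence checks."""
    def __init__(self):
        self.flows = set()

    def allow(self, seg):
        if not seg.inbound:
            self.flows.add((seg.src, seg.sport, seg.dst, seg.dport))
            return True
        # Inbound must be the reverse of a flow an inside host opened.
        return (seg.dst, seg.dport, seg.src, seg.sport) in self.flows

def compare(segments):
    """Return (established_filter verdict, stateful verdict) per segment."""
    fw = StatefulFilter()
    return [(established_filter(s), fw.allow(s)) for s in segments]

# Constructed sample traffic using documentation address ranges.
SAMPLE = [
    Segment("192.0.2.10", 40000, "198.51.100.5", 443, SYN, inbound=False),
    Segment("198.51.100.5", 443, "192.0.2.10", 40000, SYN | ACK, inbound=True),
    Segment("203.0.113.9", 4444, "192.0.2.10", 22, ACK, inbound=True),  # no prior flow
    Segment("203.0.113.9", 4444, "192.0.2.10", 22, SYN, inbound=True),
]

if __name__ == "__main__":
    for seg, verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport} flags={seg.flags:#04x} {verdicts}")
```

The third segment is the case that separates the two: the flag-based rule passes it because ACK is set, while the flow tracker drops it because no inside host opened that connection.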

9
SSL VPN Services
  • Problems with current system
      • Non-redundant/non-scalable
      • PPTP broken
      • IPSec client installation, firewall, NAT issues
  • Purchased Nortel 3070 SSL VPN solution
      • 10,000 redundant SSL/IPSec/PPTP connections
      • Multi-platform (Windows/Mac/Linux) support
      • Group based subnet assignment
  • Virtualization being explored

10
(No Transcript)
11
Other Initiatives
  • Network Access Control
      • RFP Issued
      • 7 Responses received
      • Insufficient staff resources to lab test
  • Intrusion Prevention System
      • Lightweight honeypot based system
      • Hardware and Software acquired
      • Waiting on staff availability to deploy

12
Questions? Comments?
  • jens.haeusser_at_ubc.ca
  • http://www.it.ubc.ca
  • http://www.e-strategy.ubc.ca