NETWORK PLANNING TASK FORCE Information Security - PowerPoint PPT Presentation

Provided by: nail7
1
NETWORK PLANNING TASK FORCE Information Security
10/31/05
2
Agenda
  • Overview of ISC's Security Architecture
  • Discussion
  • Scan and block
  • Edge filtering
  • VPN or other options
  • Local firewall support
  • Critical host policy

3
Security Architecture
4
Scan and Block
  • Opportunity: Networks of unmanaged machines
    would be more secure if we could scan them at
    network connection time and then periodically
    (e.g. every four hours) for common backdoors.
    Vulnerable machines could be quarantined until
    they are remediated. Hacked machines could be
    kept off the network until remediated.
  • Solution: Deploy a scan and block system to
    help prevent network access by compromised or
    vulnerable computers.
  • Authenticated wired and wireless network access,
    with brief scan of hosts for major
    vulnerabilities at connection time.
  • Quarantine those with problems found, until they
    can be patched or repaired.
  • Allow those that pass the scan to access the
    network.
  • Schedule deeper scans once connected.
  • Advantages
  • Limits the spread of worms, and will be more
    effective when coupled with edge filtering.
  • Requires logging in.
  • Disadvantages
  • False positives
  • Adds complexity to network access and makes
    troubleshooting difficult.
  • Requires logging in.
  • Implementation Considerations
  • Planned for implementation in the residential
    system Summer, 2006.
  • What are the possibilities of implementing this
    in other transient networks like wireless, Law,
    Dental, Library, etc.?
  • Funding required.

5
Scan and Block
[Diagram: Access Network connects through a Scanning Server either to the Production Service Network (to PennNet) or to the Quarantine and Remediation Network with its Remediation Server]
6
Scan and Block
[Diagram repeated from slide 5]
7
Some of the vendors with products in this
(relatively new) space
  • Cisco Clean Access (nee Perfigo)
  • Lockdown Networks
  • Bradford Networks
  • Impulse Point
  • Risk Analytics (LAN Switchboard)
  • Bluesocket, Vernier authenticating gateways

8
Timeline
  • ISC work to design a solution for Network Access
    Protection started in summer 2004.
  • SUG and IT Roundtable talks in June 2004.
  • Evaluations of packaged vendor solutions began in
    September 2005.
  • Goal of deployment in residential buildings for
    start of Fall 2006. Could be expanded thereafter.

9
Edge Filtering
  • Opportunity: Windows machines at Penn get hacked
    more frequently than they would if there were
    better perimeter protection blocking NetBIOS at
    the edge.
  • Option 1: Block NetBIOS on internal router
    interfaces (subnets) upon local request.
  • Advantages
  • Provides protection from the most common worms
    and attacks for only those subnets where such
    protection is desired.
  • Disadvantages
  • More complex to administer
  • Limited protection
  • May not be as granular as people want
  • Would reduce mobility: local campus access
    across subnets would be blocked.

10
Edge Filtering (cont.)
  • Option 2: Block NetBIOS at edge routers.
  • Advantages
  • More complete protection
  • Allows mobility on campus
  • Disadvantages
  • May necessitate a campus VPN solution
  • Implementation Considerations
  • Primary implementation timing considerations are:
  • Availability of a VPN or some other option to
    provide secure remote access to NetBIOS services
  • The need to broadly communicate that filtering
    will be implemented and how to get secure, remote
    access. This is probably a 3-5 month
    communication effort.
  • Determining the exception lists will add to
    delivery time.
  • Need to pick a firm date for implementation like
    July 1, 2006.
  • The approach above could be implemented with
    existing funding.
  • We recommend option 2.

11
VPN or Other Options
  • Opportunity: If NetBIOS is blocked either at the
    edge or on internal routers, faculty, staff and
    students with a legitimate need for remote access
    to Windows file sharing, Exchange, etc. need a
    mechanism or approach to get through the filters.
  • Option 1: Central Campus VPN Service
  • Advantages
  • Besides providing remote access to NetBIOS, also
    provides network encryption for those
    applications that aren't amenable to a network
    encryption solution.
  • Disadvantages
  • Cost
  • Complexity, both centrally for ISC and for users
  • Implementation considerations: Could be
    implemented FY07 if funded.

12
VPN or Other Options
  • Option 2: Allow NetBIOS in a reserved range of
    addresses. External traffic bound for NetBIOS
    services on all other Penn IP addresses would be
    blocked. NetBIOS would be remotely available for
    machines in the subnet.
  • Advantages
  • Cost saving over VPN solution
  • User simplicity
  • Local IT control
  • Disadvantages
  • Requires renumbering IP addresses by LSPs
  • Implementation Considerations
  • Could be implemented FY06 with existing funding
  • Requires work-arounds to support Windows
    browsing.
  • Option 3: Block NetBIOS at the edge and manage
    host-by-host exception lists in the edge
    filtering rules.
  • Advantages
  • Cost saving over VPN solution
  • User simplicity
  • Disadvantages
  • Complex administration
  • Reduced control for server administrators
    compared to option 2.
  • Implementation Considerations
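The edge filter described on slides 10 and 12 can be modelled as a small decision function: inbound traffic from outside Penn toward NetBIOS ports is denied unless the destination is in the reserved NetBIOS range (option 2) or on the host exception list (option 3), while on-campus traffic is untouched so mobility is preserved. The following is an added illustration, not code from ISC or the task force; the address ranges, exception hosts and sample flows are constructed placeholders, and grouping port 445 (SMB without NetBIOS) with the NetBIOS ports is an assumption.

```python
"""Model of the edge NetBIOS filter (slides 10 and 12). Added example;
all addresses below are constructed placeholders, not Penn's real space."""
import ipaddress
from dataclasses import dataclass

# NetBIOS-over-TCP/IP: name service, datagram, session. Port 445 (direct SMB)
# is assumed to be filtered alongside them.
NETBIOS_PORTS = {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)}

CAMPUS = ipaddress.ip_network("192.0.2.0/24")              # constructed campus space
RESERVED_NETBIOS = ipaddress.ip_network("192.0.2.128/26")  # option 2: reserved range
HOST_EXCEPTIONS = {ipaddress.ip_address("192.0.2.10")}     # option 3: per-host list


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def edge_decision(flow: Flow, reserved=RESERVED_NETBIOS,
                  exceptions=HOST_EXCEPTIONS) -> str:
    """Return 'permit' or 'deny' for a flow arriving at the campus edge.
    Only NetBIOS toward non-excepted campus hosts is denied; everything
    else is left to the existing router policy."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src in CAMPUS:                                # on-campus source: mobility kept
        return "permit"
    if (flow.proto, flow.dport) not in NETBIOS_PORTS:
        return "permit"
    if dst in reserved or dst in exceptions:         # legitimate remote file sharing
        return "permit"
    return "deny"


def apply_policy(flows):
    """Evaluate a batch of flows; returns a list of (flow, decision)."""
    return [(f, edge_decision(f)) for f in flows]


if __name__ == "__main__":
    sample = [  # constructed sample traffic
        Flow("198.51.100.7", "192.0.2.20", "tcp", 445),   # outside -> ordinary host
        Flow("198.51.100.7", "192.0.2.130", "tcp", 139),  # outside -> reserved range
        Flow("198.51.100.7", "192.0.2.10", "udp", 137),   # outside -> excepted host
        Flow("192.0.2.5", "192.0.2.20", "tcp", 139),      # campus -> campus
        Flow("198.51.100.7", "192.0.2.20", "tcp", 443),   # outside, HTTPS
    ]
    for flow, verdict in apply_policy(sample):
        print(f"{verdict:6} {flow.proto}/{flow.dport} {flow.src} -> {flow.dst}")
```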

13
VPN or Other Options
  • Option 4: Replace remote access to NetBIOS
    services with functional equivalents that don't
    use NetBIOS, e.g. Exchange Server 2003 RPC over
    HTTP and a campus MyFiles service, likely using
    WebDAV.
  • Advantages
  • File Handling: Better way to share large
    documents without email.
  • Less complex for end users and support providers.
  • Built-in clients.
  • Disadvantages
  • Requires changes from Exchange Administrators and
    individual end users.
  • End users must run Outlook 2003
  • Implementation Considerations
  • Could be implemented FY07 if funded.
  • More investigation required.

14
Local Firewall Support
  • Opportunity: There is currently no supported
    firewall product. Each group that implements a
    firewall has to climb the learning curve
    independently.
  • Proposed Solutions
  • ISC to select a recommended firewall product.
  • ISC to provide a for-fee firewall consulting
    service.
  • Streamline ISC intake for this service to
    coordinate with TSS, Networking and Security.
    Work to improve awareness of ISC's support for
    local firewalls.
  • Recommend external consultants.
  • Implementation Considerations
  • Target to implement May 2006.

15
Rationale for Distributing Security Responsibility
  • Goal: Find the proper balance of what security
    services to provide centrally vs. perform
    locally.
  • Planning Assumption: For local services, you may
    either do it yourself or hire ISC for a fee.
  • Rationale
  • Provide services centrally when they can be most
    efficiently and effectively done over the
    network.
  • Provide security services locally when it is more
    effective and efficient to perform them locally.
  • Examples
  • Vulnerability and compromise scans can be
    effectively and efficiently performed centrally,
    except for machines behind firewalls.
  • Password cracking can be most effectively and
    efficiently done locally with host-based password
    cracking software.

16
Proposed Next Version Critical Host Proposed
Services