Developing an Effective & Affordable Security Infrastructure in a Small College Environment.


Developing an Effective & Affordable Security Infrastructure in a Small College Environment

About Penn College
Williamsport Technical Institute, founded 1941
Williamsport Area Community College, founded 1965
Pennsylvania College of Technology, founded 1989
Special Mission Affiliate of Penn State University
Accredited - Middle States Association of Colleges and Secondary Schools
6,358 headcount - 5,891 FTE
288 FTE faculty, 518 FTE staff
B.S., A.S. and certificate degrees in over 100 majors
Specialize in vocational and technology-based education
Strong focus on small class sizes and hands-on instruction

Williamsport, PA

IT Infrastructure
2,600 College-owned computers, 1,400 student-owned computers in residential complexes
1,600 computers in 50+ academic computer labs, student to computer ratio of 4:1
Standard computer lab software includes Microsoft Windows XP, Office 2003, NetMail POP3 system

IT Infrastructure (contd)
1,000 staff/faculty PCs
Standard employee image: Windows XP, Office 2003, Novell GroupWise, iSeries client
Novell Directory Services (NDS)
IBM iSeries mainframe, home-grown legacy administrative applications
WebCT, Sirsi, eRecruiting, Raiser's Edge, Cbord Odyssey, EBMS
25 Novell, 15 Microsoft, 3 Linux, 1 Sun, 1 AIX server

IT Infrastructure (contd)
100% Cisco network infrastructure except for Packeteer PacketShaper
Fast Ethernet via CAT5 for all building LANs, Gigabit Ethernet via fiber for backbone
Dual Cisco 6500s for redundant core
Fractional T-3 (30 Mbps) Internet service
Dial-up Internet access provided for employees, not students
About 50% wireless coverage

Campus Network Layout

Information Technology Services Organization (50 employees)
Desktop Computing
Academic Computing
Technical Support/Help Desk
Technical Writer/Trainer
Administrative Information Systems
Network Applications
Mail & Document Services
Media Services
Telecommunications

Post-Y2K IT Security Problem
Increasing threats from viruses, trojans, worms, hackers, etc.
Lack of security standards
No coordinated security response
Poor security awareness
Minimal security policy
No security testing

The Challenge
Limitations: budget, staff, time
Large backlog of post-Y2K projects
Balancing security effectiveness with efficient resource management

Solution Analysis
Dedicated security staff vs. security team
Advantages of team approach:
Utilizes existing staff and expertise
Spreads/diffuses the importance of security across all functional IT areas
Funded through existing budgets
Disadvantages:
No centralized focus/authority
Long lead time to develop expertise
Staff time directed away from other projects
"Not invented here" syndrome

The Solution
IT management recommended forming a campus security team.
Each area of the IT department committed one employee and a percentage of its budget.
A senior manager was designated to provide leadership and coordination of this team effort.
The team met weekly over an initial 18-month period, then bi-weekly.
Rotating duty officer/CERT format

The Context
Risk vs. investment
Scope and impact for priority
Mitigating risk factors:
Administrative data locked up in IBM iSeries (AS/400)
GroupWise system
Institutional policy requiring data files to be stored on network drives
Centralized IT management and budget culture

7-Layer Security Approach
Layer 1 - Physical
Layer 2 - Internet
Layer 3 - Network
Layer 4 - ResNet
Layer 5 - Servers
Layer 6 - Employee PCs
Layer 7 - Social

Layer 1 - Physical
Before:
Distributed servers, not physically secured, some actually in staff/faculty offices
Network components not secured
Minimal UPS protection
After:
Most non-academic servers moved to secured data center; backup generator
Wiring closets secured
UPS for all servers and network equipment

Layer 2 - Internet
Before:
Internet router with public IP addresses
No filtering of ports
After:
Cisco PIX firewall with PAT translation initially; later acquired additional IPs and changed to NAT (still occasional problems, need an XLATE clear)
Access control list on Internet router (example on the next slide)
Packeteer - although purchased for bandwidth control, it provides another layer of protection and detection

Internet Router ACL
access-list 115 permit tcp any established
access-list 115 deny ip any
access-list 115 deny ip any
access-list 115 deny ip any
access-list 115 deny ip any
access-list 115 deny ip any
access-list 115 deny ip host any
access-list 115 deny ip any
access-list 115 deny ip any
access-list 115 deny ip any
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny tcp any any eq 137
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny tcp any any eq 138
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny udp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny udp any any eq 593
access-list 115 deny tcp any any eq 3333
access-list 115 deny udp any any eq 3333
access-list 115 deny tcp any any eq 4444
access-list 115 deny udp any any eq 4444
access-list 115 deny tcp any any eq 69
access-list 115 deny udp any any eq tftp
access-list 115 deny tcp any any eq 161
access-list 115 deny udp any any eq snmp
access-list 115 deny tcp any any eq 162
access-list 115 deny udp any any eq snmptrap
access-list 115 deny udp any any eq 1993
access-list 115 deny tcp any any eq 1900
access-list 115 deny udp any any eq 1900
access-list 115 deny tcp any any eq 5000
access-list 115 deny udp any any eq 5000
access-list 115 deny udp any any eq 8998
access-list 115 permit icmp any any echo
access-list 115 permit icmp any any echo-reply
access-list 115 deny ip any any log-input
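The ACL above is read top to bottom, the first matching line decides, and anything that reaches the end is dropped by the implicit deny (here made explicit with log-input so the drops are logged). The following Python is an added example, not code from the presentation or from Penn College: it parses the IOS extended-ACL syntax the slide uses and runs constructed packets through it with those first-match semantics, so a rule set can be checked before it is applied to the router (or to the per-VLAN "Internet style" ACLs described in the Layer 3 and ResNet slides). The Packet and Rule types, the RFC 1918 blocks and the TEST-NET addresses are assumptions; the slide's own source-address arguments did not survive extraction, so RFC 1918 ranges and one documentation host stand in for them. The example also shows why the order of the slide's first line matters: with `permit tcp any any established` ahead of the address-based denies, a TCP segment with ACK set from an address the edge should never see is permitted, whereas moving the anti-spoofing denies first closes that gap.

```python
"""Evaluator for the Cisco IOS extended-ACL syntax used on the router slide.
Added example (not the college's tooling): parses the subset of
`access-list N permit|deny PROTO SRC DST [eq PORT] [established] [log-input]`
seen on the slide and evaluates constructed packets with first-match,
implicit-deny semantics."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ports that appear on the slide (IOS keyword -> port number).
NAMED_PORTS = {"tftp": 69, "snmp": 161, "snmptrap": 162,
               "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False                # TCP ACK/RST set -> matches "established"
    icmp_type: Optional[str] = None  # "echo", "echo-reply", ...

@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    established: bool
    icmp_type: Optional[str]
    log: bool
    text: str

def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)  # IOS wildcard = inverted netmask
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"]:
            continue
        action, proto, rest = tokens[2], tokens[3], tokens[4:]
        src, dst = _parse_addr(rest), _parse_addr(rest)
        dport, established, icmp_type, log = None, False, None, False
        while rest:
            t = rest.pop(0)
            if t == "eq":
                p = rest.pop(0)
                dport = NAMED_PORTS.get(p) or int(p)
            elif t == "established":
                established = True
            elif t in ("log", "log-input"):
                log = True
            elif proto == "icmp":
                icmp_type = t            # ICMP type keyword such as "echo"
        rules.append(Rule(action, proto, src, dst, dport, established, icmp_type, log, line.strip()))
    return rules

def _matches(rule, pkt):
    if rule.proto not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in rule.src or ipaddress.ip_address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established and not pkt.ack:
        return False
    return rule.icmp_type is None or pkt.icmp_type == rule.icmp_type

def evaluate(rules, pkt):
    """Return (action, matching rule text); first match wins, implicit deny at the end."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action, rule.text
    return "deny", "implicit deny"

def antispoof_first(rules):
    """Same rules, with the source-based 'deny ip <block> any' lines moved ahead of
    the 'established' permit so an ACK-flagged packet from a block the edge should
    never see is dropped instead of being treated as return traffic."""
    anti_spoof = [r for r in rules if r.action == "deny" and r.proto == "ip"
                  and r.src.prefixlen > 0 and r.dst.prefixlen == 0]
    return anti_spoof + [r for r in rules if r not in anti_spoof]

# Constructed subset of the slide's ACL; RFC 1918 blocks and a TEST-NET host
# stand in for the address arguments that are missing from the slide.
SLIDE_STYLE_ACL = """
access-list 115 permit tcp any any established
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip host 203.0.113.7 any
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny tcp any any eq 445
access-list 115 deny udp any any eq tftp
access-list 115 deny udp any any eq snmp
access-list 115 permit icmp any any echo
access-list 115 permit icmp any any echo-reply
access-list 115 deny ip any any log-input
"""

def run_checks(acl_text=SLIDE_STYLE_ACL):
    """Evaluate constructed packets under the slide's ordering and the tightened one."""
    rules, tight = parse_acl(acl_text), antispoof_first(parse_acl(acl_text))
    campus, outside = "203.0.113.20", "198.51.100.9"   # constructed TEST-NET addresses
    pkts = {
        "reply_to_campus_client": Packet("tcp", outside, campus, 51000, ack=True),
        "smb_probe": Packet("tcp", outside, campus, 445),
        "snmp_probe": Packet("udp", outside, campus, 161),
        "ping": Packet("icmp", outside, campus, icmp_type="echo"),
        "new_http": Packet("tcp", outside, campus, 80),
        "spoofed_private_ack": Packet("tcp", "10.1.2.3", campus, 51000, ack=True),
    }
    return {name: (evaluate(rules, p)[0], evaluate(tight, p)[0]) for name, p in pkts.items()}

if __name__ == "__main__":
    for name, (slide_order, tightened) in run_checks().items():
        print(f"{name:24} slide order: {slide_order:7} anti-spoof first: {tightened}")
```

Only the last packet changes verdict between the two orderings; every other decision (return traffic permitted, the slide's blocked ports denied, ping permitted, an unlisted new connection falling through to the logged deny) is the same, which is the property to confirm before reordering a production ACL.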

Layer 3 - Network - Before
10.x.x.x organized geographically; each building complex has a subnet: 10.1.x.x, 10.2.x.x, 10.3.x.x, etc.
Any-to-any routing philosophy
Simple telnet to devices
No central security scheme

Layer 3 - Network - After
100% VLAN scheme
VLANs based on computer/user role
Internet-style ACLs applied on traffic leaving VLANs
Traffic denied entering a VLAN if there is no reason for the traffic
Extended today to separate VLANs for point-of-sale stations, HVAC, wireless, dial-up; each with its own ACL
SSH required to access devices; coordinated userid/password with Cisco ACS server that LDAPs to our NDS
10.1.x.x network equipment
10.2.x.x servers
10.3.x.x printers
10.4.x.x staff
x.x ResNet
Etc.

Layer 4 - ResNet
Before:
Normal network subnet
No restrictions
ISP attitude
No scanning
After - version 1:
Single VLAN
ACL limited access to other campus VLANs
After - version 2:
VLAN per 48-port switch
Internet-style ACL rule set to block known bad ports such as 445
Routine scanning and quarantining

Layer 5 - Servers - Before
Public IP address via firewall conduit
Distributed physically
No port filtering
Inconsistent patch strategy
No virus protection
Inconsistent HTTPS implementation
Many outside of the network department
No scanning for vulnerabilities
No disaster recovery plan

Layer 5 - Servers - After
Servers in data center or managed by server group
HTTPS required for any sensitive data
Private IP addresses mapped to public via conduit in the firewall
Port filtered in the firewall: deny all, allow those required for specific services
Port filtered coming out of ResNet and student computer labs
Managed patch strategy, critical patches applied in 24 hours
Symantec Anti-Virus on servers
NetMail/CA eTrust anti-virus and RBL filtering
GWAVA/Symantec Anti-Virus filtering
GWAVA attachment filtering
Routine Nessus scanning
Comprehensive disaster recovery plan

Layer 6 - Employee PCs
Before:
Public IP address
No anti-virus
No patch management
No scanning
After:
Private IP address via PAT/NAT
Managed Symantec Anti-Virus
Push of critical Microsoft security patches via Novell ZENworks
Nessus scanning

Layer 7 - Social
Before:
Little or no public awareness
No AUP
Loose user ID and password policies
"It won't happen here, we know everyone personally"
After:
Acceptable Use Policy
Accounts blocked after 3 failed login attempts
Passwords changed every 180 days
Regular communication via online newspaper
Security education classes

What's on the radar screen?
Spyware
PC firewall
Instant messaging issues
VPN
Network access control
Two-factor authentication
Security as it affects privacy issues
security

Conclusion
Security team was the right approach for us
Effective; no significant downtime except for Blaster/Welchia, fall 2003
Cost-efficient
Diffused security awareness across the department
Developed security skills across ITS
Security infrastructure:
Cisco PIX firewall
Packeteer PacketShaper
Cisco VLANs/ACLs
Symantec Anti-Virus
Novell ZENworks
GWAVA anti-virus/attachment filtering
Nessus

Discussion
