University of Notre Dame Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the.

Slides:



Advertisements
Similar presentations
Office of Information Technology Affiliates/Guests – Who are these people and how do we give them services? Copyright, Barbara Hope, University of Maryland,
Advertisements

Making Sense out of the Information Security and Privacy Alphabet Soup in terms of Data Access A pragmatic, collaborative approach to promulgating campus-wide.
Firewalls Steven M. Bellovin Matsuzaki ‘maz’ Yoshinobu 1.
Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Computer Security II Lecturer – Lynn Ackler – Office – CSC 222 – Office Hours 9:00 – 10:00 M,W Course – CS 457 – CS 557.
Making the Case for Security: An Application of the NIST Security Assessment Framework to GW January 17, 2003 David Swartz Chief Information Officer Guy.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
Southwest Educause 2003 © Baylor University 2003 Adapting Enterprise Security to a University Environment Bob Hartland Director of IT Servers and Network.
Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright This work is the intellectual property of.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
"Cyberspace Education: Challenges and Opportunities" Presented by: Bob Diveley Manager of Administrative Systems Columbus State University Copyright Bob.
Firewalls, VPNs, and Intrusion Detection Systems in a University Environment Bob Winding, CISSP Information Security University of Notre Dame Copyright.
"Copyright Kevin Lynch This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial,
Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.
Wireless LANs A Case Study of Baylor University’s Wireless Network Copyright Bob Hartland 2002 This work is the intellectual property of the author. Permission.
3/20/20071 IT Strategy and Leadership in Higher Education: Two Case Studies Case 1: Roberts Wesleyan College. Presented by Pradeep (Peter) Saxena, CIO.
INDIANAUNIVERSITYINDIANAUNIVERSITY Automated Network Isolation at Indiana University David A. Greenberg Information Technology Security and Policy Office.
Mobile Computing and Security Authenticated Network Access (ANA) Jon Peters Associate Director Dave Packham Manager of Network Engineering NetCom University.
Embedded Librarian Program: Librarians and Faculty Partnering to Serve Online Students NERCOMP Annual Conference Innovation and Reliability: Finding the.
CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
Rutgers IT Complex Michael R Mundrane 4 December 2001 Rutgers University Computing Services.
Campus Technology 08 Shootout! Bracing for the Next-Gen Student Wave: Myth or Mandate? Next-Gen Students “Speak Up” – Are we listening? Julie Evans Project.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
Effective Uses of Packet- Filtering Devices. Filtering Based on Source Address: The Cisco Standard ACL 1.One of the things that packet-filtering technology.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Chapter 6: Packet Filtering
By : Himanshu Mishra Nimish Agarwal CPSC 624.  A system designed to prevent unauthorized access to or from a private network.  It must have at least.
Csci5233 Computer Security1 Bishop: Chapter 27 System Security.
Megan Adams, Swarthmore College Mark Colvson, Bryn Mawr College January 17, 2003 Collaborative Virtual Reference Services: The Tri-College Libraries’ Experience.
The "How" and "Why" of a Large-Scale Wireless Deployment  March 3, 2004  EDUCAUSE Western Regional Conference Sacramento, CA Copyright Philip Reese,
0Gold 11 0Gold 11 LapLink Gold 11 Firewall Service How Connections are Created A Detailed Overview for the IT Manager.
1 The Firewall Menu. 2 Firewall Overview The GD eSeries appliance provides multiple pre-defined firewall components/sections which you can configure uniquely.
Network and Systems Security Security Awareness, Risk Management, Policies and Network Architecture.
Thoughts on Firewalls: Topologies, Application Impact, Network Management, Tech Support and more Deke Kassabian, April 2007.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco PublicITE I Chapter 6 1 Filtering Traffic Using Access Control Lists Introducing Routing and Switching.
Module 4 Quiz. 1. Which of the following statements about Network Address Translation (NAT) are true? Each correct answer represents a complete solution.
Firewall Security.
Securing the Network Infrastructure. Firewalls Typically used to filter packets Designed to prevent malicious packets from entering the network or its.
Cdigix at Yale Chuck Powell Director, Academic Media & Technology, ITS Yale University September 15, 2004 Copyright Charles Powell.
Security and Firewalls Ref: Keeping Your Site Comfortably Secure: An Introduction to Firewalls John P. Wack and Lisa J. Carnahan NIST Special Publication.
1 OFF SYMB - 12/7/2015 Firewalls Basics. 2 OFF SYMB - 12/7/2015 Overview Why we have firewalls What a firewall does Why is the firewall configured the.
1 Firewall Rules. 2 Firewall Configuration l Firewalls can generally be configured in one of two fundamental ways. –Permit all that is not expressly denied.
CSCE 201 Network Security Firewalls Fall CSCE Farkas2 Traffic Control – Firewall Brick wall placed between apartments to prevent the spread.
Legal Issues in the “E-Learning Business” Jonathan Alger University of Michigan October 29, 2001 Copyright Jonathan Alger This work is the intellectual.
Network Security Terms. Perimeter is the fortified boundary of the network that might include the following aspects: 1.Border routers 2.Firewalls 3.IDSs.
Role Of Network IDS in Network Perimeter Defense.
© 2009 Pittsburgh Supercomputing Center Server Virtualization and Security Kevin Sullivan Copyright Kevin Sullivan, Pittsburgh Supercomputing.
SYSTEM ADMINISTRATION Chapter 10 Public vs. Private Networks.
SSH. 2 SSH – Secure Shell SSH is a cryptographic protocol – Implemented in software originally for remote login applications – One most popular software.
Firewalls. Overview of Firewalls As the name implies, a firewall acts to provide secured access between two networks A firewall may be implemented as.
Chapter 8.  Upon completion of this chapter, you should be able to:  Understand the purpose of a firewall  Name two types of firewalls  Identify common.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Version 4.0 Access Control Lists Accessing the WAN – Chapter 5.
25/09/ Firewall, IDS & IPS basics. Summary Firewalls Intrusion detection system Intrusion prevention system.
Copyright Joel Rosenblatt 2010
Working at a Small-to-Medium Business or ISP – Chapter 8
Adapting Enterprise Security to a University Environment
Click to edit Master subtitle style
Firewall – Survey Purpose of a Firewall Characteristic of a firewall
Firewalls.
Introducing ACL Operation
6.6 Firewalls Packet Filter (=filtering router)
Access Control Lists CCNA 2 v3 – Module 11
Firewalls Purpose of a Firewall Characteristic of a firewall
FIREWALL By Abhishar Baloni I.D
myIS.neu.edu – presentation screen shots accompany:
Firewalls Chapter 8.
Presentation transcript:

University of Notre Dame Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

University of Notre Dame Background University networks are open to facilitate teaching and research Most Universities have large public IP blocks and lots of bandwidth This has left the door open to malicious activity The changing security landscape requires re- thinking the definition of open network

University of Notre Dame The Problem Constant probes from Internet looking for trouble – Syslog data shows an average of 10K unique ports used for inbound connection attempts Probe traffic creates too much noise. IDS was receiving 150K+ detects a day at the border Need to reduce malicious traffic without impacting the mission of the University Laws and regulations have consequences for compromises

University of Notre Dame Some Questions Does the whole University participate in network based research? Who really needs “full” network access? Can researchers benefit from protection? – What if my research became public prematurely? – Do these controls impact academic freedom? Should administrator workstations be accessible to students? To the world?

University of Notre Dame Thoughts Your unrestricted access to the Internet is different than the Internet’s unrestricted access to you What’s really needed to support the functions of the University, e.g. academic and administration? Who should be able to host public services? Most people assume their systems are secure

University of Notre Dame The Project Analyze traffic and commonly used services and determine allowed inbound traffic. Everything allowed out, and of course the responses are allowed back (stateful connections) Educating users is critical. – People fear the worst – Transparency is key to success

University of Notre Dame Plan A Use firewall logs to determine what was being used – Implement ACLs to permit everything in use (status quo) Log analysis too complex, we needed to determine a policy independent of the current usage 300 inbound ports being used in just one building Plan is transparent/analytical (too bad it didn’t work)

University of Notre Dame Plan B Determine list of inbound ports that represent traffic for well known services that are in wide use (subjective policy) Vet the list to numerous campus constituencies for consensus Provide a mechanism to exempt machines – No one-off rules, keep the border simple Educate users on alternative methods of access (e.g. VPN) Pilot, then rollout slowly, adjust as we go

University of Notre Dame Why Bother Reduce the exposure of majority of campus systems to unwanted Internet traffic Quiet the network and increase the value of IDS Reduce the vector by which hackers may seek to compromise systems Educate users regarding issues of being exposed to the Internet Provide basic protection layer at the border, not the only layer

University of Notre Dame Perception vs. Reality “The researcher/user becomes a minority voice in how they can use their own system!” “We need to balance our security concerns against our teaching and research mission. I personally think that research/teaching aspects deserve more importance.” “collaborative research with other universities will be severely impacted by this......” “I personally feel that many of the security policies/procedures being considered and/or implemented at Notre Dame are overbearing and will probably cause as many or more problems than they solve.”

University of Notre Dame Perception vs. Reality “It seems that as long as we are act in a responsible manner with those sorts of assets we should be allowed to make well informed mistakes and deal with the consequences.” “I question will the system continue to be usable when it's behind the firewall?” “In the best case, it doesn't seem to add any security value. In the worst case, it can give me a false sense of security and make me complacent. In all the cases, it is annoying :-(“

University of Notre Dame Barriers to implementation Academic freedom Detriment to research and experimentation – What do you mean I can’t run a web server on port – Faculty may be researching Internet attacks Cultural shift – The Windows firewall is good enough – If I’m going to run a public service maybe it should be on a institutionally managed server

University of Notre Dame How it works Cisco Firewall Services Module at border – List of 14 ports allowed in to all addresses – All outbound connections allowed, implicitly allow return traffic Datacenter still sees all traffic, but has it’s own protection layers Unprotected network for exempted systems Resnet will be addressed in zoned network project

University of Notre Dame 14 Desired FunctionRequired SpecsFWSM Specs Multi OSI Layer Protection Layers 2 – 7 Protection Throughput1Gbps5Gbps Simultaneous Connections 300,000 Connections1,000,000 Connections Connections per Second50,000 Connections/sec100,000 Connections/sec High AvailabilityActive/StandbyActive/Standby or Active/Active Virtualization2 or more Virtual Firewalls Up to 250 Virtual Firewalls Multicast Support  Technical Requirements

University of Notre Dame How it works Final consensus denies all but 14 ports (representing 7 services) – Mail (encrypted user , smtp) – Web (https/http) – LDAPS – FTP – SSH – VPN – This is how you get to everything else – Video Conferencing (H.323)

University of Notre Dame 16

University of Notre Dame Pilot OIT “eats its own cooking” – Building subnets placed behind border. Port use goes from 300 inbound used to 5 (of 14 permitted) – One subway service is discovered, otherwise the silence is deafening Next, we solicited participants for an expanded pilot, e.g. Alumni, Law, Performing Arts, Main Building, College of Business, etc. Handful of issues discovered in pilot

University of Notre Dame Pilot Issues Remote Vendor support access Legacy Applications Lexis/Nexis printing remotely to ND printers Remote T1 networks

University of Notre Dame Outcomes Academic Freedom unaffected No impact to University business functions Implementation transparent to vast majority of users 35% of inbound traffic is blocked Less noise on network for IDS – IDS alerts went from 150K/day to 90K/day

University of Notre Dame Future Filter datacenter traffic Provide increased protection or eliminate exempted systems Research net (now exempted systems) with secure access to institutional data Zoned network Resnet – What’s reasonable – Diode protection: Opt in/out – Register public services

University of Notre Dame Questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.