Housing Residence Education Network and Services.

Slides:



Advertisements
Similar presentations
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Advertisements

Enterprise CAL Overview. Different Types of CALs Standard CAL base A component Standard CAL is a base CAL that provides access rights to basic features.
Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
802.1X Configuration Terena 802.1X workshop the Netherlands, Amsterdam, March 30 th Paul Dekkers.
Chapter 7 HARDENING SERVERS.
Hands-On Microsoft Windows Server 2003 Administration Chapter 11 Administering Remote Access Services.
© 2003, Cisco Systems, Inc. All rights reserved. FWL 1.0— © 2003, Cisco Systems, Inc. All rights reserved.
© 2006 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialBCMSN Configuring Wireless LANs BCMSN Module 6 Lesson 6.
© 2009 Cisco Systems, Inc. All rights reserved. SWITCH v1.0—7-1 Minimizing Service Loss and Data Theft Understanding Switch Security Issues.
Using RADIUS Within the Framework of the School Environment Charles Bolen Systems Engineer December 6, 2011.
Mobile Computing and Security Authenticated Network Access (ANA) Jon Peters Associate Director Dave Packham Manager of Network Engineering NetCom University.
Wireless Security with 802.1X Copyright 2005 Michael Griego This work is the intellectual property of the author. Permission is granted for this material.
802.1x Port Authentication via RADIUS By Oswaldo Perdomo cs580 Network Security.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Wireless Security and Accounting with 802.1X. Introduction Background Why 802.1X? What is 802.1X? Implementing 802.1X at UTD The future of 802.1X and.
Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.
Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.
PKI Network Authentication Dartmouth Applications Robert Brentrup Educause/Dartmouth PKI Summit July 27, 2005.
VLANs.ppt CCNA Exploration Semester 3 Chapter 3
Course 6421A Module 7: Installing, Configuring, and Troubleshooting the Network Policy Server Role Service Presentation: 60 minutes Lab: 60 minutes Module.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 1 ver.2 Module 7 City College.
Virtual Company Group 8 Presentation Date: June /04/2017
1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.
Configuring Routing and Remote Access(RRAS) and Wireless Networking
Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Azfar Mian and Charles Benjamin.
Voice VLANs Lecture 7 VLANs.ppt 21/04/ Apr-17
1 Week #7 Network Access Protection Overview of Network Access Protection How NAP Works Configuring NAP Monitoring and Troubleshooting NAP.
Module 9: Planning Network Access. Overview Introducing Network Access Selecting Network Access Connection Methods Selecting a Remote Access Policy Strategy.
Network Security Department of Housing and Resident Education Charles Benjamin.
Altai Certification Training Backend Network Planning
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Cisco Confidential © 2010 Cisco and/or its affiliates. All rights reserved. 1 NGWC – Central Webauth (CWA) using ISE 3850 and 5760 Viten Patel – RTP Wireless.
70-411: Administering Windows Server 2012
Implementing Network Access Protection
COEN 252 Computer Forensics Collecting Network-based Evidence.
1 Chapter Overview Using the New Connection Wizard to configure network and Internet connections Using the New Connection Wizard to configure outbound.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
Network Infrastructure Configuration for MAB Port Configuration Interface fastethernet 0/1 description Trustsec:802.1X+MAB+MultiAuth switchport access.
Module 8: Configuring Network Access Protection
Windows Small Business Server 2003 Setting up and Connecting David Overton Partner Technical Specialist.
Module 2: Installing and Maintaining ISA Server. Overview Installing ISA Server 2004 Choosing ISA Server Clients Installing and Configuring Firewall Clients.
Securing Wired Local Area Networks(LANs)
Module 9: Designing Network Access Protection. Scenarios for Implementing NAP Verifying the health of: Roaming laptops Desktop computers Visiting laptops.
Page 1 TCP/IP Networking and Remote Access Lecture 9 Hassan Shuja 11/23/2004.
© 2015 Mohamed Samir YouTube channel All rights reserved. Samir Part V: Monitoring Campus Networks.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 1: Introduction to Scaling Networks Scaling Networks.
Resnet Enhancements and Directions Part 1, Bruce Campbell, Information Systems and Technology.
Cisco 3 - Switch Perrine. J Page 111/6/2015 Chapter 5 At which layer of the 3-layer design component would users with common interests be grouped? 1.Access.
Configuring Network Access Protection
Supporting a Wireless Network By Gareth Ayres.
1350 TAC Training © 2000, Cisco Systems, Inc. Wireless Lab.
Switch Features Most enterprise-capable switches have a number of features that make the switch attractive for large organizations. The following is a.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved. CNIT 221 Security 2 ver.2 Module 8 City College.
Network Infrastructure Microsoft Windows 2003 Network Infrastructure MCSE Study Guide for Exam
Switching Topic 2 VLANs.
Using Routing and Remote Access Chapter Five. Exam Objectives in this Chapter:  Plan a routing strategy Identify routing protocols to use in a specified.
7.4 Update - ISE Session.
Enterprise Messaging & Collaboration. e-Interact Modules.
IS 4506 Windows NTFS and IIS Security Features.  Overview Windows NTFS Server security Internet Information Server security features Securing communication.
So how to identify exactly who and what is on your network at any point in time? Andrew Noonan, SE ForeScout February 2015.
Implementing Network-Edge Security with 802.1x
Change of VLAN for Wired Guest
Implementing Network Access Protection
Chapter 5: Switch Configuration
Chapter 2: Basic Switching Concepts and Configuration
Chapter 5: Switch Configuration
Designing IIS Security (IIS – Internet Information Service)
Agenda Comware 5 and Comware 7 device based AAA:
What’s New In WatchGuard Wi-Fi Cloud v8.6
Presentation transcript:

Housing Residence Education Network and Services

Network Traffic Student and Employee Internet traffic Student and Employee door Key Card Lock System Employee Phone System, Voice over IP Employee Services Monitoring and Control Systems

Other Student Affairs Departments HRE Supports Vice President Office Dean of Students Office Off Campus Life Multicultural Affairs Student Legal Services RecSports Counseling Center

Network

Network Ethernet One Ethernet port per student in Residence Halls Catalyst Switches with sup720 (12.2(18) switch 8.5(8)) 6515 – – – , Every Ethernet Port is: 10/100/1000 capable but configured for 10/100 PoE (Cisco pre-standard PoE) and 802.3af

Network Ethernet (cont.) Residence Halls Ports: 802.1x DHCP Snooping Roadmap Upgrade Catalyst switches from Cat OS to IOS (12.2(33)SXH3a) Add QoS

Network Backbone Fiber between buildings OSPF is the routing protocol Single connection to UF Backbone OSPF ASBR Roadmap Add 2nd connection to Backbone Add QoS Upgrade bandwidth to 10 gig

Network Wireless Currently Wireless in: Residence Halls (1232, ) Maguire / UVS (1510, ) 802.1x Authentication and Encryption dhw (PEAP MSCHAP v2) dhwInstructions Wireless Controller (4402 and WiSM – 2 each)

Disaster Recovery BRP Facility (Hume) UPS Generators LeftHand Networks SANs ( IQ8.0 ) Backups (Tivoli) Waterford Tech MailMeter Archive Individual Investigate Shadow Copy (files)

Network Services Redundant DHCP (ISC-DHCPD 3.0.5) Redundant DNS Redundant Active Directory (2003) Redundant ACS (4.1) Redundant RADIUS (FreeBSD 7.0, FreeRadius 2.0) Redundant MySQL (FreeBSD 7.0 MySQL ) Redundant SQL (Windows 2003 Server SQL 2005)

Network Security Ethernet and Wireless 802.1x authentication McAfee Endpoint Encryption ( ) McAfee Anti-Virus (8.7) McAfee Anti-Spyware (8.7) Diskeeper (2008 Professional) ACL and FWSM SPAM Redundant Barracuda 400 SPAM filter SpamAssassin (3.2.5)

Authentication 802.1x Is an IEEE standard for port based authentication Provides for encryption of credentials Consists of three components 1.Supplicant - Software in computer’s OS 2.Authentication Server - RADIUS server 3.Authenticator - Cisco network switches

Authentication Supplicant Solution Program called XpressConnect from Cloudpath: Configures supplicant Scans for programs; conflicting, P2P Available: CD Webpage

Authentication 802.1x (cont.) User Connects Computer Identity Request Identity Response Authentication to Server Authentication Successful / Rejected Authentication to Server Port authorized - access VLAN Port Fail - fail VLAN Radius802.1x SupplicantAuthenticato r Authentication Server Data VLAN Uncontrolled Port

Authentication Authentication Server (cont.) UFAD Global Local DB Global Local DB User Name Password Domain Domain Equals: Global Guest Conference Radius HRE ADUF AD Other Empty My SQL

VLANs VLAN 30X Ethernet Student VLAN = Authenticated VLAN 321 Fail VLAN = Failed to Authenticated VLAN 40X Restricted VLAN = P2P Detected VLAN 502 Instructions VLAN = Wireless Configure Supplicant

Sample Switch Configuration 802.1x on IOS dot1x dot1x system-auth-control ! interface switchport access vlan 301 switchport mode access dot1x pae authenticator dot1x port-control auto dot1x auth-fail vlan 401

Sample Switch Configuration AAA and Radius on IOS aaa new-model aaa authentication dot1x default group radius aaa authorization network default group radius aaa accounting dot1x default start-stop group radius ! radius-server attribute nas-port format b radius-server host auth-port 1812 acct-port 1813 key xxxx radius-server host auth-port 1812 acct-port 1813 key xxxx radius-server vsa send accounting radius-server vsa send authentication

Sample Switch Configuration VLAN and Interface on IOS vlan 301 (301 – 30X) name Student301 vlan 321 name RESTRICTED vlan 401 (401 – 40X) name Failed401 vlan 502 name Instruction502 ! interface GigabitEthernet1/0/1 switchport access vlan 301 switchport mode access dot1x auth-fail vlan 401

Authentication and VLANs Student VLAN VLAN 30X Ethernet Authenticated

Authentication and VLANs (cont.) Fail VLAN VLAN 40X Ethernet Failed to Authenticate

Authentication and VLANs (cont.) Instructions VLAN VLAN 502 Ethernet Configure Wireless Supplicant SSID dhwInstructions

Network Security (cont.) WebSense WebFilter (7.0.1) Audible Magic CopySense (4.1) Identity Finder Enterprise, DB and Web search Tenable Nessus (3.2.1) with Nessquik SourceFire 3500 IPS ( ) Road Map: Add OSSEC HIDS for employee computers Add Cisco NAC for employee computers

Detection 2. CopySense generates reports: File Sharing (Seeding) Copyrighted Encrypted P2P Monitor PortControl Port CopySense ApplianceDHNet Program Spanning Port Spanning Port sends all DHNet traffic to and from Internet to CopySense appliance.

Action DHNet Program Query CopySense Query DHCP Add User to Restricted Group Query Device Table Query Radius Bounce / Re- authenticate Port Create Case Send IP Address MAC Address IP Address MAC Address Switch IP Address IP Address MAC Address Switch IP Address Port ID User Name Switch IP Address Port ID

Action DHNet Program (cont.) Query CopySense Query DHCP Query Device Table IP Address MAC Address IP Address MAC Address Switch IP Address CopySense Appliance Query every 5 minutes IP of Violation Copyright File sharing Encrypted P2P DHCP (Tailing) Query MAC of IP MAC Address DHCP Log My SQL Tables Device Subnet Association Query IP of Switch Switch IP Address

Action DHNet Program (cont.) Add User to Restricted Group Query Radius IP Address MAC Address Switch IP Address Port ID User Name Switch IP Address Port ID My SQL Table radacct Accounting Startup User name Port ID User Authenticates Table usergroup Query Port ID User Name User ID

Action DHNet Program (cont.) Bounce / Re- authenticate Port set port disable m/p set port enable m/p set port dot1x m/p re-authenticate Cat OS Expect Script Sends VLAN 30X VLAN 321 Bounce / Re- authenticate Port interface shut no shut dot1x reauthentication IOS Expect Script Sends VLAN 30XVLAN 321 Cat OS IOS

Authentication and VLANs (cont.) Restricted VLAN VLAN 321 Ethernet

Remediation Acceptable Use Policy Compliance I will comply Description Case Number Name Violation Status Detection Date

Remediation DHNet Program Query Pending Cases Remove User from Restricted Group Time > Range Bounce / Re- authenticate Port noyes VLAN 321VLAN 30X My SQL Query every 5 minutes

Student and Employee Card Lock System Installed in all the Residence Halls GE Diamond II Software Magnetic and Proximity Card Readers ACU (Access Control Units) - 128

Employee Phone System Voice over IP VoIP PBX, Cisco CallManager Publisher (4.1(3)sr5d) Subscriber redundant load sharing Phones (7960 / 7961 / 7940 / 7941 / 7921 / 7914 / 7936) – 460 SCCP IP Communicator Attendant Console Gateway T1 Blade in Catalyst, MGCP

Employee Phone System Voice over IP (cont.) Voic Cisco UNITY (5.0(1)) Redundant hot spare Auto Attendant Check voic from phone or Outlook

Employee Services VMware ESX (3.5 U2) – 21 services Microsoft Exchange 2003 and Webmail File and Print Services Microsoft Office SharePoint (2007) Design Positive FlashPageFlip RIM Blackberry (4.1) Simplicity Judicial Affairs Management System

Employee Services (cont.) Windows Mobile Active Sync OpenFire (3.6.3) with Spark PHPLive Chat Support (3.1) Microsoft Configuration Manger (2007) McAfee EPolicy Orchestrator (4.0) TMASystems Maintenance Management

Employee Services Web Hosting Apache 2 or IIS (6.0 and 7.0) Portal support, Jboss (4.3) and JetSpeed (1.6) Web Sites DHNet Website RecSports Website – Reitz Scholars – Mayor’s Council Website mayorscouncil.housing.ufl.edu Dean of Students Office Website –

DHNet Home Page

RecSports Home Page

Monitoring and Control Systems CiscoWorks (3.0) Cacti VMware Infrastructure TMA Trouble ticket system WCS (Wireless Control System) WLC (Wireless LAN Controller) P2P Monitoring, CopySense and DHNet Program Automated Logic WebCTRL APC InfraStruXure Manager

CiscoWorks

Cacti

VMware Infrastructure

APC InfraStruXure Manager

Trouble Ticket

Trouble Tickets Month # Opened# ClosedAvg Opened/DayAvg Closed/DayAvg Time to Close Jan Feb Mar

Reports Bandwidth (First 24 hours)

Reports Bandwidth (2 nd week, 24 hours)

Reports P2P by Direction (2 nd week, 24 hours)

Reports P2P by Direction (8th week, 24 hours)

Reports Case Data (1st week)

Reports Case Data (4th week)

Thank you

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.