1
Network Security in Academia: an Oxymoron?
Terry Gray, Director, Networks & Distributed Computing, Computing & Communications, University of Washington
April 8, 1999
2
Contradictions
- Researchers want open access
- Clinicians, administrators want closed access
- Everyone wants fast access
- Almost everyone wears more than one hat
- Traditional network security measures are based on physical locality and constrained use
3
Threats
- Probing, sniffing (when done by foes)
- Denial of Service (DoS)
- Penetration
  - Account take-over
  - Connection hijacking
- Data crimes
  - Theft/disclosure
  - Corruption/destruction
  - Impersonation/fraud (e.g. web spoofing)
4
Security is not free
- In fact: security is very expensive
- Costs include:
  - inconvenience
  - reduced performance
  - complexity; management overhead requiring more staff, more time
- Use "appropriate technology"
5
Threat Sources
- Outsiders
- Insiders
- Outsiders who become insiders
- Insiders who become outsiders
>> Benign neglect is also a threat!
6
Security Perimeters
Physical/Topological:
- site
- subnet
- host
Logical/Organizational:
- consortium or community of interest
- enterprise
- campus
- department
- workgroup
- individual
7
Security Policy
- Defining who can/cannot do what to whom...
- Identification and prioritization of threats
- Identification of assumptions, e.g.
  - Security perimeters
  - Trusted systems and infrastructure
- Policy drives security... lack of policy drives insecurity
8
Security approaches (Guns, Fences, Hounddogs, Camouflage)
Network
- Perimeter security (firewalls, NATs)
- Path isolation (switches, VPNs, IPsec)
System
- Host OS security (wrappers, patches, etc.)
- Application security (SSH, SSL, steganography...)
Other
- Vulnerability detection
- Intrusion detection
- Better development tools and developers!
9
Security Usually Implies Isolation
- Network security = network isolation (what's wrong with that picture?)
- Physical isolation
  - Separate wires/fiber
  - Low-level multiplexing, e.g. TDM
- Logical isolation
  - Access control
  - Encryption
10
Defense in Depth
- Security is additive
- No single solution
- Examine cost/benefit of each approach vs. cost of security incidents
- Focus first on the biggest vulnerabilities
- Then knock off the "easy to do" items
11
Cost: Time & Inconvenience
In order of increasing sys-admin time:
- Application security
- Vulnerability & intrusion detection
- Path isolation (VPNs)
- Perimeter security (firewalls)
- Host security
- Incident cleanup (compound frustration!)
In order of increasing user inconvenience:
- Incident cleanup
12
The Dark Side of Firewalls
- Firewalls are often viewed as a security panacea
- But they don't live up to the hype, because they:
  - Assume a fixed security perimeter
  - Give a false sense of security
  - May inhibit legitimate activities
  - May be hard to manage
  - Won't stop many threats
  - Are a performance bottleneck
13
Assessing the value of Firewalls
Let
- E = % of attacks originating outside the firewall
- B = % of external attacks actually blocked
- H = number of hosts to be protected
- P = number of security policies
Firewall Value ~ E * B * H / P
- In the limit, P may approach H!
- Must weigh the cost of managing vs. alternatives
14
Campus Network "Firewalls" (Router packet filtering)
Criteria:
- Low impact on network performance
- High degree of campus consensus; no flaming C&C!
- Can't reasonably be done at end-systems
Now:
- Prevent source address spoofing
- Other possibilities under consideration
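As an added example, not part of Gray's slides, the anti-spoofing router filter named above is modelled as a decision function for a campus border router, so the rule can be checked against constructed packets offline; the campus prefixes (RFC 5737 documentation ranges, not UW's) and the sample traffic are assumptions. It also shows why this check belongs at the router rather than on end-systems: it depends on which interface a packet arrived on, which a host never sees.

```python
"""Anti-spoofing (ingress/egress) packet filter for a campus border router.

Added example: a pure decision function, not the campus router config.
Campus prefixes and sample packets are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed campus address space (documentation prefixes, not a real campus).
CAMPUS_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on: "outside" or "inside"
    src: str      # source address as written in the IP header
    dst: str


def is_campus(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in CAMPUS_PREFIXES)


def filter_decision(pkt: Packet) -> str:
    """Return "permit" or "deny: <reason>" for one packet."""
    if pkt.ingress == "outside" and is_campus(pkt.src):
        # Ingress filter: the Internet cannot legitimately hand us a packet
        # claiming a campus source, so it is spoofed; drop it.
        return "deny: spoofed campus source from outside"
    if pkt.ingress == "inside" and not is_campus(pkt.src):
        # Egress filter: campus hosts may only emit campus sources, so a
        # compromised host cannot impersonate other networks on the Internet.
        return "deny: non-campus source leaving campus"
    return "permit"


def run_filter(pkts):
    """Apply the filter to a batch; returns a list of (packet, decision)."""
    return [(p, filter_decision(p)) for p in pkts]


SAMPLE_PACKETS = [  # constructed traffic, not a capture
    Packet("outside", "203.0.113.7", "192.0.2.10"),   # normal inbound
    Packet("outside", "192.0.2.99", "192.0.2.10"),    # spoofed campus source
    Packet("inside", "198.51.100.5", "203.0.113.7"),  # normal outbound
    Packet("inside", "10.0.0.1", "203.0.113.7"),      # spoofed outbound
]

if __name__ == "__main__":
    for p, d in run_filter(SAMPLE_PACKETS):
        print(f"{p.ingress:7} {p.src:>14} -> {p.dst:<14} {d}")
```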
15
Even with Firewalls...
- Bad guys aren't always "outside" the moat
- One person's "security perimeter" is another's "broken network"
- Organization boundaries and filtering requirements constantly change
- Security perimeters only protect against a limited percentage of threats... must examine the entire system:
  - Cannot ignore end-system management
  - Use of secure applications is a key strategy
16
Conclusions...
- Security: "pay now or pay later"
- No silver bullets, only thankless effort
- Computer ownership has responsibilities...
- Each hacked system is a threat to neighbors
- Organizational boundaries rarely map to physical topology
- Suggested security priorities: Application > Host > Path > Perimeter