Published by Hilda Cameron. Modified over 9 years ago.
1
Network Security In Education: A Balancing Act
Doug Klein, CTO, Vernier Networks, Inc
2
Agenda
- Why are we talking?
- What’s really going on?
- Can we do anything?
- How are others approaching the problem?
3
We’re under attack
- Network intrusions up 41% since 2001
- Internal intrusions account for 59% of attacks
- Global recovery costs from single worm $1.2b - $2.6b
- Security events caused $23b losses in 2003
- Spending on security labor growing at 32% annually
We can’t pretend that it’s an outside attack anymore!
4
It’s not just the computers!

"IOS has had a number of these problems in the past, and Cisco has quietly fixed them," says Frank Dzubeck, president of consulting firm Communications Network Architects. "They never made a big deal about them, the way Microsoft does. Now the question becomes, is IOS the next Windows in terms of a security problem?" Cisco last week warned of several vulnerabilities in its IOS software that attackers could use to bring down routers in enterprise and service provider networks.
Network World, 1/31/05

Cisco is not the only one with vulnerable routing software. Juniper this week is telling all M- and T-Series router customers running releases of JUNOS software developed prior to Jan. 7, 2005, to upgrade the software or suffer a "serious security vulnerability."
Network World, 1/27/05
5
The Drive for Urgency
Diagram: The Spectrum of Sensitivity, running from "Be Afraid!" to "No Sweat :)", with labels WiFi, Guests, Contractors, Laptops, Desktops, Printers, etc.
Diagram: The Increased Awareness. Time from problem to crisis.
6
Security vs Connectivity
- Security approach: start closed, selectively open
- Infrastructure approach: start open, selectively close
Effective network security requires an approach that optimizes connectivity while ensuring protection for all critical resources
7
An Infrastructure Security Approach
- Admission Management: Who gets on the network and what they can do. It’s the good traffic
- Intrusion Prevention: What you don’t want on your network. It’s the bad traffic
8
Admission Management
- User Authentication ✓ Who are you?
- Device Verification ✓ What’s going on with your PC?
- Access Authorization ✓ What are you allowed to access/see?
Focus on Eliminating the Possibility of Attack
9
Example: Policy Enforcement
Diagram labels: Network Infrastructure; Remediation Services; Internet; Public Intranet; Private Intranet; Suspect devices; Guests; Students; IT Admins; Faculty
10
Implementations
- Gateway
- Port control
- Integrated
Diagram labels: DMZ; LAN; End User; AAA; End User; 802.1x; Policy Manager
11
Intrusion Prevention
Diagram labels: L1/L2; L3/L4; Payload; Access Control; Intrusion Prevention
Header processing
- Common ACL rules
- Fast, ASIC processing
Payload processing
- “deep packet inspection”
- Typically regular expression parsing
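The split between header processing and payload processing on this slide, as an added example that is not part of the original presentation: a first-match ACL over L3/L4 fields, followed by regular-expression signatures over the payload of whatever the ACL permits. All addresses, rules, signature names and sample packets are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes

# Header stage (L3/L4): ordered ACL, first match wins. Rules are constructed.
ACL = [
    ("deny",   "10.20.0.0/16", "10.1.1.0/24", "tcp", 22),
    ("permit", "10.20.0.0/16", "10.1.1.0/24", "tcp", 80),
]

# Payload stage: regular-expression signatures (constructed, not a vendor's).
SIGNATURES = {
    "path-traversal": re.compile(rb"GET\s+\S*\.\./\.\./"),
    "oversized-host": re.compile(rb"(?im)^Host:[^\r\n]{256,}"),
}

def acl_permits(pkt: Packet) -> bool:
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, s_net, d_net, proto, port in ACL:
        if (src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net)
                and pkt.proto == proto and pkt.dport == port):
            return action == "permit"
    return False  # nothing matched: start closed

def inspect_payload(pkt: Packet) -> list:
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(pkt.payload))

def verdict(pkt: Packet) -> str:
    # Cheap header check first; only permitted flows pay for payload parsing.
    if not acl_permits(pkt):
        return "drop:acl"
    hits = inspect_payload(pkt)
    return "drop:ips:" + ",".join(hits) if hits else "forward"

WEB = ("10.20.5.9", "10.1.1.10", "tcp", 80)  # constructed sample flow
SAMPLES = {
    "ssh": Packet("10.20.5.9", "10.1.1.10", "tcp", 22, b"SSH-2.0-client\r\n"),
    "normal": Packet(*WEB, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    "traversal": Packet(*WEB, b"GET /docs/../../private/x HTTP/1.1\r\nHost: www\r\n\r\n"),
}
```

The "traversal" sample has exactly the same headers as "normal", so the ACL alone forwards it; only the payload stage tells them apart.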
12
Typical Deployments
Diagram labels: Core; Distribution Fabric; Access Edge
- IPS in front of critical resources
- Distribution fabric used to “prune” traffic down to just what is headed towards critical resources
Concerns:
- No protection for the infrastructure itself
- No protection for “horizontal” attacks
13
Evolving Implementations
Diagram labels: Core; Distribution Fabric; Access Edge
- IPS at the edge
- Access Control to “prune” traffic
- Ability to control peer-to-peer traffic and to protect the infrastructure
14
Industry Initiatives
- NAC
- NAP
- TCG/TNC
What are they? Are they different?
15
Industry Initiatives
Diagram labels: network access device; policy manager; client device; status aggregator; results aggregator; security client; security servers; directory service
Common Thread: Standard Framework for Status Aggregation
16
Vernier Overview
Network Admission Management
- User Authentication
- Vulnerability/Compliance Verification
- Fine grained, user specific access control
- Centralized system policy management, distributed edge enforcement
17
Questions/Discussion