1. University of Cincinnati Staying Ahead of the Security Curve with Finite Resources Presented by Diana Noelcke Associate Director, Enterprise Communication Systems and Jim Downing Information Security Officer

2. “Some memories last forever”

3. The Way We Were ► 3 Different networks ► 2 ATM networks (Asynchronous Transfer Mode) ► 1 managed by an outside company ► 1 managed by UCit staff ► 1 Fddi network (Fiber Distributed Data Interface) ► Assigning IP’s per machine, maneuvering subnets around, IP conflicts ► Reactive versus pro-active in troubleshooting network problems ► Inaccurate documentation

4. Vision ► To design a one vendor/topology solution ► All network connectivity consistent throughout the campus ► To become pro-active versus reactive ► To support the university network totally from within ► Move into the future with the network design plus position the university for emerging technologies

5. Vision realized ► After 12 months of planning, community endorsements and 8 months of converting 73 buildings and 264 closets the University now has the second largest network in the Greater Cincinnati area, second only to P&G. ► One vendor solution ► Implemented network Security solutions ► Positioned for future technologies (VOIP, Multicast, QoS) ► Stability, Reliability, and Uptime ► Manageability ► Fiber plant, telecommunication closets fully documented

6. UCnet ► 21,000 data connections ► 800+ Network Devices ► 200+ Wireless access points ► Security devices, ► PIX Perimeter firewall, ► IDS (Intrusion Detection System) ► VPN (Virtual Private Network) ► DMZ (Buffer zone between UCnet and Internet) ► 2 nd Tier firewalls

7. Lessons Learned ► It’s very important that policies are written first. Policies are nothing without stated consequences and enforcement of them. ► If you don’t already have a defense in place, you won’t have any time to react. ► Plan for communicating to all users and at various levels ► Executive level, IT governance committees ► IT administrators, System administrators, Business managers ► Website

8. Lessons Learned ► Accurate documentation is very important ► Training of staff is essential prior to implementation ► Educating the end user is key to battling security with finite resources, since security starts at the desktop ► Define network monitoring tools needed prior to implementation

9. Top Security Threats and Challenges ► Wireless network deployment ► Hackers, internal and external ► Viruses, worms and other malicious code ► New students bringing computers on campus ► Employees and management not taking security policies seriously ► Getting our users to use the 2 nd Tier firewall features

10. UCnet Security Features ► Private Addressing ► NAT (Network Address Translation) ► Cisco PIX Firewalls ► DMZ (Buffer Zone between Internet & UCNET) ► VPN (Virtual Private Network) Access ► IDS (Intrusion Detection System)

11. Targets of Opportunity ► Personal Identifiable Information and Personal Health Information ► Identity Theft ► Student Records ► Patient Records ► Financial Records ► Credit card numbers ► Bank account ► Retirement ► Research Data & Other Intellectual Property

12. UC Computer Incidents Primary Cost Categories ► Employee time for investigation, repair, and restoration ► Loss of data Secondary Cost Categories ► Legal liability against University ► Diminished reputation ► Psychological impact (I.e., feeling violated)

13. Academic Incidents ► Moonlight Maze- Russian hacked Sun operating systems and gained access to U.S. university network servers to hide their tracks. ► Distributed Denial of Service (DDoS)- attacks on dot com sites; university sites implicated. ► RIAA- Illegal distribution of Copyrighted material. ► Nimda- Worm attack 1 week after September 11, 2001 Slowed Internet 86,000 Hosts infected 43% USA sites UCNet kept on-line

14. Recent - Academic Incidents ► Blaster- worm compromised windows operating system, flooded network. ► Welchia- similar to Blaster worm, ICMP scans and floods network. ► Sobig- self-replicating worm via email.

15. Layered - Approach ► Policies ► University wide ► Departmental, Unit or College ► Network Architecture Layers ► Internet Perimeter connection ► Network Subnet Switch/Router ► Desktop machine, File Servers or UCit customer ► Abuse Reporting ► Helpdesk Tier 1 ► Network Operations Center Tier 2 ► Network Engineering Tier 3

16. IT Policies ► University Wide (General) ► Policy on the Use of Information Technology ► Perimeter Firewall Policy ► Information Technology Management ► Student Code of Conduct ► http://bluewhite.sltech.uc.edu/conduct/conduct.html http://bluewhite.sltech.uc.edu/conduct/conduct.html ► Residential Hall ► http://www.uc.edu/housing/resnet/default.asp http://www.uc.edu/housing/resnet/default.asp ► UCit- Organizational Computer policies ► http://www.ucit.uc.edu/policies http://www.ucit.uc.edu/policies

17. Policies Unit Policies ► UC College of Nursing ► http://nursing.uc.edu/Overview/ITAcceptableUsePolicy.htm http://nursing.uc.edu/Overview/ITAcceptableUsePolicy.htm ► Clermont College ► http://www.clc.uc.edu/tech/clermont_computer_use_policy.asp http://www.clc.uc.edu/tech/clermont_computer_use_policy.asp ► UC Dept. of Geography JCGIS - SA ► http://www.gissa.uc.edu/Support/policy.html http://www.gissa.uc.edu/Support/policy.html

18. Network Security Layers ► Perimeter Pix Firewall, Cisco Intrusion Detection, VPN ► Distribution Layer Cisco IOS firewall feature & IDS blades ► Access Layer Departmental servers and desktops

19. Abuse Reporting ► UCit HelpDesk – Tier 1 Support, document and resolve minor security breaches ► Network Operations Center –Tier 2 Monitor and analyze security data collection ► Network Engineering – Tier 3 Resolve major abuse issues

20. Overcoming Finite Resources ► Have written, acceptable and enforceable policies in place ► When you can’t hire new staff ► Educate and train your current staff along with your users ► Take a Tiered approach to support your network ► When you don’t have trained staff ► Use outside contacts with local and governmental agencies ► Partner with your Network/Security Vendor ► What are our next steps ► Ongoing research and testing of new security products ► Data mining, review and refresh our IDS architecture Diana.Noelcke@uc.edu Jim.Downing@uc.edu Copyright Diana Noelcke, Jim Downing, 2003 This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.