Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.

1 Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin

2 University of Florida Department of Housing

3 Resident Housing at UF. University of Florida Campus: a 2,000 acre campus; over 49,000 student enrollment. Department of Housing Residence Education: 45 undergraduate buildings, 5 GFH villages; over 8,500 living in Housing. Housing IT: IT Network and Systems; IT Support; IT Application Development

4 The Housing Network: Ethernet. The DHNet backbone is 10 Gbps; two 10 Gbps connections to UF campus backbone; over 10,000 student Ethernet connections; IEEE 802.1x for authentication; over 90 switches, 1/3 Catalyst 6500; over 90,000 feet of fiber, 12 – 48 count

5

6 The Housing Network: Wireless. 346 wireless access points; support IEEE 802.11 a, g, n; 2.4 and 5 GHz radios; 4 WISMs (Wireless Service Module); WCS (Wireless Control System); PEAP (Protected Extensible Authentication Protocol) MSCHAP v2; IEEE 802.1x for authentication

7

8

9 Network Security. Network: Cisco FWSM on uplinks to campus; Intrusion Detection System (IDS): SourceFire; Network monitoring: StealthWatch (Lancope); Authentication: XpressConnect (Cloudpath); Nessus (Tenable). Employee Computers: Web filter: Websense; scan files with Identity Finder; Antivirus: VIPRE (GFI Software)

10 Why Posture Assessment? Problem: student computers were being infected with malware. Scanning and removing of malware: disruptive; potential for loss of data; time consuming. Solution: be proactive with posture assessment

11 Goals with Posture Assessment? Be proactive rather than reactive to malware; minimum reconfiguration of network; minimum disruption to students; cost

12 Network Access Control Evaluation: Cisco; Bradford Networks; Impulse SafeConnect. KIS (minimum reconfiguration of network); Components (single appliance for 10,000 users); Cost (lowest cost of the three); Function (minimum disruption to students). Contacted other Installations Florida

13 Impulse SafeConnect Components. Policy Enforcer appliance (PE): DB – MySQL, Webserver – Tomcat, Proxy – Squid; Management Console; Reporting Console. Policy Key: lightweight program, 1.27 M. Router configuration. Authentication Server (RADIUS)

14 SafeConnect Connection SafeConnect Appliance (Policy Enforcer and Management Console)

15 Impulse SafeConnect Setup. Configure Housing border router: NetFlow; policy based routing; SSH connection. Install Policy Enforcer (PE) appliance. Configure authentication server: RADIUS. Configure Policy Groups, Management Console: device type; location

16 Management Console

17 Reporting Console

18 Impulse SafeConnect Example of Windows Policy Policy Key P2P Anti-virus OS updates Anti-spyware

19 Impulse SafeConnect Connection Process

20 Connection Process Installing Policy Key Computer is configured for 802.1X and SafeConnect policy key is installed with XpressConnect Computer authenticates to the network and information is stored in RADIUS

21 Installing Policy Key How is the Policy Key installed: XpressConnect from DHNet webpage XpressConnect on CD

22 Authentication: IEEE 802.1x. Diagram roles: Radius; 802.1x Supplicant; Authenticator; Authentication Server. Sequence: User Connects Computer; Identity Request; Identity Response; Authentication to Server; Authentication Successful / Rejected; Authentication to Server; Port authorized - access VLAN; Port Fail - fail VLAN. Port labels: Data VLAN; Uncontrolled Port; Controlled Port

23 Connection Process: Detection, Blocking. Switch sends NetFlow information to SafeConnect appliance (IP address and browser agent string). RADIUS sends accounting information to SafeConnect (start record, IP address, username and MAC address)

24 Information to Policy Enforcer SafeConnect Appliance (Policy Enforcer and Management Console) NetFlow Information RADIUS start record

25 Connection Process Device Type Is the device a Windows computer or Mac? The device connects No Yes
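Slides 23 to 25 describe the appliance joining RADIUS accounting start records to traffic observations by IP address and then branching on device type. The sketch below is an added example, not SafeConnect code: the record fields, sample addresses, user names and the agent-string heuristic are all constructed assumptions. It shows why the join has to be time-aware when an IP address is reused.

```python
from bisect import bisect_right
from collections import defaultdict

# Constructed sample data; field names are assumptions, not SafeConnect's schema.
RADIUS_ACCOUNTING = [
    {"type": "Start", "ip": "10.20.1.15", "user": "student_a", "mac": "00:11:22:33:44:55", "ts": 100},
    {"type": "Start", "ip": "10.20.1.16", "user": "student_b", "mac": "00:11:22:33:44:66", "ts": 110},
    # The same IP is later handed to another device; lookups must be time-aware.
    {"type": "Start", "ip": "10.20.1.15", "user": "student_c", "mac": "00:11:22:33:44:77", "ts": 300},
]
OBSERVATIONS = [
    {"ip": "10.20.1.15", "agent": "Mozilla/5.0 (Windows NT 6.1; rv:2.0)", "ts": 150},
    {"ip": "10.20.1.15", "agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_4)", "ts": 350},
    {"ip": "10.20.1.16", "agent": "Mozilla/5.0 (PLAYSTATION 3; 1.00)", "ts": 200},
    {"ip": "10.20.1.99", "agent": "Mozilla/5.0 (Windows NT 5.1)", "ts": 200},  # no start record
]

def build_index(accounting):
    """Map ip -> time-sorted [(ts, user, mac)] built from Start records only."""
    index = defaultdict(list)
    for rec in accounting:
        if rec["type"] == "Start":
            index[rec["ip"]].append((rec["ts"], rec["user"], rec["mac"]))
    for sessions in index.values():
        sessions.sort()
    return index

def device_type(agent):
    """Coarse OS guess from the browser agent string (assumed heuristic)."""
    if "Windows" in agent:
        return "windows"
    if "Macintosh" in agent or "Mac OS X" in agent:
        return "mac"
    return "other"

def attribute(obs, index):
    """Bind an observation to the session that was active on its IP at obs time."""
    sessions = index.get(obs["ip"], [])
    pos = bisect_right([s[0] for s in sessions], obs["ts"])
    user, mac = (sessions[pos - 1][1:] if pos else (None, None))
    device = device_type(obs["agent"])
    return {"ip": obs["ip"], "user": user, "mac": mac, "device": device,
            "identified": user is not None,
            # Reading of the device-type slide: only Windows/Mac get posture checks.
            "posture_check": device in ("windows", "mac")}
```

An observation with no matching start record comes back with `identified` set to false, which is the case an operator would want surfaced rather than silently attributed.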

26 Is the Policy Key Installed? SafeConnect sends a message to the network switch to policy route host traffic to the SafeConnect Appliance Perform host posture assessment Policy Key is installed No

27 If Policy Key wasn’t Installed with XpressConnect SafeConnect Appliance (Policy Enforcer and Management Console) SSH Policy Route Source IP Address added to dynamic ACL

28 Does the host pass posture assessment? SafeConnect sends a message to the network switch to policy route host traffic to the SafeConnect Appliance Host is authenticated, posture assessment complete and connected to the DHNet Intranet Webpage is displayed with custom message relating to the policy that failed No Student updates host

29 Impulse SafeConnect Warning. If the Policy Item specifies Warning: the policy key will instruct the browser to display the Warning page; Policy Based Routing isn’t used; the student still has full Internet access. Time limits for warning are set in each item of the PE Policy Groups

30 Impulse SafeConnect Quarantine. If the Policy Item specifies Quarantine: PE sends Policy Based Routing information to the router via SSH; the student's connection is “Quarantined”, sent to PE and presented with a webpage of instructions and URLs; Internet access is limited

31

32

33

34 Management Console

35 Impulse SafeConnect Example of Windows Policy. Policy Key: Quarantine, Immediate. P2P: Quarantine, Immediate. Anti-virus: Warning 1 Day, Warning 1 Day, Quarantine. OS updates: Warning 1 Day, Warning 1 Day, Quarantine. Anti-spyware: Warning 1 Day, Warning 1 Day, Quarantine
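The escalation on slide 35, combined with the Warning and Quarantine behaviour on slides 29 and 30, can be modelled as a small decision function. This is an added example, not SafeConnect code; it assumes each "Warning 1 Day" is a one-day step counted from when the item first failed, and all names in it are hypothetical.

```python
from datetime import datetime, timedelta

# Escalation ladders transcribed from the "Example of Windows Policy" slide.
# Each step is (action, duration); None means the step lasts until remediated.
DAY = timedelta(days=1)
POLICY = {
    "policy_key":   [("quarantine", None)],
    "p2p":          [("quarantine", None)],
    "anti_virus":   [("warning", DAY), ("warning", DAY), ("quarantine", None)],
    "os_updates":   [("warning", DAY), ("warning", DAY), ("quarantine", None)],
    "anti_spyware": [("warning", DAY), ("warning", DAY), ("quarantine", None)],
}

def step_for(item, first_failed, now):
    """Return (action, step_index) for one failing item at time `now`."""
    elapsed = now - first_failed
    for index, (action, duration) in enumerate(POLICY[item]):
        if duration is None or elapsed < duration:
            return action, index
        elapsed -= duration
    return POLICY[item][-1][0], len(POLICY[item]) - 1  # ladder exhausted

def assess(failures, now):
    """failures: {item: datetime it first failed}; passing items are absent.

    Any quarantined item outranks warnings, because quarantine is the state
    that makes the Policy Enforcer push policy-based routing to the router.
    """
    warnings, quarantined = [], []
    for item, first_failed in sorted(failures.items()):
        action, index = step_for(item, first_failed, now)
        (quarantined if action == "quarantine" else warnings).append((item, index))
    if quarantined:
        state = "quarantine"
    elif warnings:
        state = "warning"
    else:
        state = "compliant"
    return {
        "state": state,
        "policy_route": state == "quarantine",   # slide 30: PBR sent via SSH
        "full_internet": state != "quarantine",  # slide 29: warning keeps access
        "warnings": warnings,
        "quarantined": quarantined,
    }
```

A host running P2P software is quarantined immediately even if its other failing items are still in their first warning day.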

36 Reporting Console

37 Real Time Reporting

38 Anti Spyware

39 Anti-Virus

40 P2P

41 Open Access Per User

42 SafeConnect History

43 Impulse SafeConnect Going Live with Housing NAC Implemented in phases: Internal Summer A 2010 570 students Summer B 2010 2,680 + 350 = 3,030 students Fall 2010 7,530 + 350 = 7,880 students

44 The Results are In. After two weeks: Fall 2009 (before SafeConnect) 87 security events; Fall 2010 27 security events. Fall 2009: 38% of all UF events came from Housing; Fall 2010: 3% of all UF events came from Housing. After first month: 4.5%

45 Impulse SafeConnect Add to Posture Assessment. Implemented in phases: Spring 2011: add monitoring Flash and Java updates; Summer A 2011: enforce Flash and Java updates; Summer B 2011: add GFH Villages, 8,500 students

46 Thank You http://www.resnetsymposium.org/rspm/evaluation/

