1 Information Security Vision Network Planning Task Force 9/29/2003 Deke Kassabian and Dave Millar

Post on 19-Dec-2015


Page 1

Information Security Vision

Network Planning Task Force, 9/29/2003

Deke Kassabian and Dave Millar

Page 2

Our Common Problem

■ Productivity Loss
■ Slammer worm interrupts Internet connectivity campus-wide for several hours and in a few locations on campus for longer.
■ 1000+ Windows machines compromised in four weeks by Blaster worm.
■ Managing hundreds of disconnections: run a trace, disable the port, contact the owner, get box fixed, get port re-enabled.
■ 1,000 infected email attachments a day.

Page 3

Estimated cost of Blaster/Welchia

ITEM                                                                 EST. COST
1200 compromised machines
  - Manage detection and notification                                15-25%
  - Format and rebuild machines                                      15-25%
  - Remove Blaster from machines                                     15-25%
9,000 vulnerable machines (patched twice)
  - 20 campus-wide scans, 14 mass notifications of vulnerability     2-3%
  - 4,500 patch automatically (twice)                                1-2%
  - 4,500 patch manually (twice)                                     30-40%
Total                                                                $287,000
Lost productivity of faculty/staff machines disconnected             ?

Page 4

Security Vision: Defense in Depth

■ Prevent
  ■ Patch management tools & services
  ■ Training & education
  ■ Anti-virus filtering on mail servers
  ■ Firewalls/Router filtering
  ■ Virtual Private Network
  ■ Personal firewalls
  ■ Secure out-of-the-box
  ■ Campus-wide vulnerability scanning
■ Detect
  ■ Intrusion detection
■ Respond
  ■ Find a better way to locate compromised and vulnerable DHCP and wireless devices.

Page 5

Patch Management

■ Managed vs. Unmanaged
  ■ Managed – LSP runs a Windows Domain Controller; all desktops and workstations are configured to participate in the domain, and all users authenticate to the central Domain Controller. LSP has Administrator rights on all machines in the domain, and can manage domain workstations and desktops remotely – i.e. pushing out patches and service packs, applying group policies, etc.
  ■ Unmanaged – Users run their Windows desktop or workstation “stand-alone.” The only way that patches can be applied is if the owner or LSP sits down physically at each desktop/workstation.
■ Windows Update
  ■ Windows Update client points to Microsoft’s Windows Update site.
  ■ Operates in one of three modes: manual, semi-automatic and completely automatic.
■ SUS – Software Update Server
  ■ Allows you to point the Windows Update client on your desktops and workstations to your own “mirror” of Microsoft’s Windows Update site. Allows you to test MS patches before deploying them.
  ■ Can run either in a managed domain or an unmanaged workgroup.
■ SMS – Systems Management Server
  ■ Administrator downloads patch, creates installation routine, creates query to find machines that need the patch, deploys patch to the machines returned by the query.
■ Commercial products, e.g. HFNetChk Pro, PatchLink, BigFix
  ■ Simplified management
  ■ Handles application hotfixes as well as operating system hotfixes

Page 6

Four Patch Management Options

Option: Windows Update
  For which environment? Managed or unmanaged
  Pros: Free. No messy hardware to manage.
  Cons: No provision for testing patches – you’re at Microsoft’s mercy. Too risky for servers, but OK for some desktops and workstations.

Option: SUS
  For which environment? Managed or unmanaged
  Pros: Free software? Allows you to test patches before deploying.
  Cons: Must manage your own SUS server(s). Testing patches takes time. Critical updates only today; service packs are still coming in a future version. Won’t support Office Update until SUS 2.0 (February, 2004?).

Option: SMS
  For which environment? Managed
  Pros: Powerful remote management and monitoring tool.
  Cons: More demanding and complex to manage. Only appropriate for managed machines.

Option: Commercial tools, e.g. HFNetChk Pro
  For which environment? Managed or unmanaged
  Pros: Support Windows and Office update. Some products handle patches for applications like IIS, SQL server, etc.; service packs and feature updates -- not just Windows OS hotfixes.
  Cons: Price

Page 7

Critical Challenge: Patching Student machines

■ Distributing patches through SUS requires either that each desktop/workstation join a Microsoft domain, or at least make a registry change on each “managed” machine.
■ Obviously we don’t own student machines. We will have an easier time figuring out how to manage patches on staff and faculty machines than students’.

                  # of Windows machines   # infected   % infected
Student-owned     2963                    501          17%
Penn-owned        8037                    700          9%

Page 8

Patch Management Recommendation

■ Establish a policy requiring that by 7/1/04, all campus PennNet-connected Windows systems: servers, desktops and workstations, have all critical updates applied within three business days
  ……… existing staff
■ Create a new ISC service: “Patch Management Services” tasked to:
  ■ Work with campus LSPs to identify and share best patch management practices
  ■ Evaluate and license patch management tools
  ■ Create a campus SUS service, testing Microsoft patches against benchmark platforms.
  ■ Support LSPs implementing their own SUS services
  ■ Provide security patch documentation and conduct training for campus LSPs
■ Estimated Costs
  ■ Staff ……… $100,000/yr
  ■ Hardware for campus SUS service ……… $10,000 every 2-3 yrs.
  ■ Campus license for commercial patch management software
    ■ Software – 1000 seats ……… $6/seat/yr

Page 9

Security: Defense in Depth

Page 10

Virus Filtering

■ Typical Windows virus spreads via
  ■ Email messages
  ■ Network file transfer
  ■ Network file server shares
  ■ Web traffic
  ■ Other direct attacks over networks
  ■ Removable storage (floppies, CDs, etc)
■ Good anti-virus software on Windows desktops can address all of these.

Page 11

Mail Server Virus Filtering

■ Separate from Spam filtering
■ Usually involves checking for virus signatures in email messages
■ Can be implemented on the mail server directly or on a separate server (local or external ASP).
■ Can help to slow virus spread for Windows desktops without adequate virus protection and OS patches

Page 12

POBOX Virus Filtering

■ Proposing use of an outside virus filtering service, separate from our local server-based Spam control tools

■ Mail destined for POBOX users will take a detour through the service provider for filtering of virus messages

Page 13

Campus-Wide Virus Filtering for email?

■ Two possible implementations, building on the POBOX approach:

■ Replicate the POBOX configuration on other mail servers, but take advantage of the existing business relationship and established pricing

■ Create a new [email protected] mail forwarding service, and have mail to users of that service pass through an outside virus filtering service.

Page 14

Campus-Wide Virus Filtering for email?

Per server virus filtering
  -- Pros --
  • Involves no change in email address to take advantage of virus filtering
  -- Cons --
  • Distributes complexity
  • Likely will not achieve best pricing

Campus-wide virus filtering based on a new [email protected] service
  • Probably easier to implement
  • Likely to be much more cost effective
  • Virus filtering only available for messages using the new [email protected] format

Page 15

Security: Defense in Depth

Page 16

Simple Building Network

[Diagram: Router and switches; host pictures not recovered]

Page 17

Simple Building Network, Firewall for all of subnet

[Diagram: Router and switches; host and firewall pictures not recovered]

Pros:
° More coverage from one FW device
Cons:
° Blunt instrument, may subject too many things to one set of rules
° Problematic for network management

Page 18

Simple Building Network, with firewall for servers

[Diagram: Router and switches; host and firewall pictures not recovered]

Pros:
° Excellent server- or service-specific protection possible
Cons:
° None

Page 19

Simple Building Network, Firewall for one workgroup

[Diagram: Router and switches; host and firewall pictures not recovered]

Pros:
° Group-specific control and protection
Cons:
° Can still be a blunt instrument
° Still problematic for network management

Page 20

Simple Building Network, using VLAN Firewall

[Diagram: Router and switches; host and firewall pictures not recovered]

Pros:
° Very flexible in terms of participation
° Addresses net management problem
Cons:
° Adds complexity and cost

Page 21

Perimeter Firewall: Current Situation

Pros:
° Provides limited protection from common attacks
Cons:
° Collateral damage
° No provision for legitimate access to risky services.

[Diagram: Internet, routers and switches; host pictures not recovered]

Page 22

Campus VPN Service

Pros:
° Allows us to block the most troublesome services and permit legitimate use.
Cons:
° Complexity and cost
° Traffic is not encrypted on PennNet.
° Given the transient nature of PennNet this will at best stave off attacks for a few days

[Diagram: Internet, routers, switches, two VPN Gateways and a VPN Client; host pictures not recovered]

Page 23

Local VPN Service

Pros:
° Allows Schools and Centers to implement more restrictive firewall policies.
° Unencrypted traffic need not travel over PennNet.
Cons:
° Complexity and cost

[Diagram: Internet, routers, switches, two VPN Gateways and a VPN Client; host pictures not recovered]

Page 24

Where to put a perimeter firewall?

[Diagram: Internet, routers and switches; host pictures not recovered]

Page 25

Minimal perimeter filtering in edge routers

[Diagram: Internet, routers and switches; host and filter pictures not recovered]

Page 26

Minimal perimeter filtering in internal routers

[Diagram: Internet, routers and switches; host and filter pictures not recovered]

Page 27

Campus firewall is not a panacea

University                Date Netbios ports blocked   # Windows machines   # infected   % infected
Penn                      9/11/2003                    11,000               1,100        10%
Large state university    7/28/2003                    12,000               1,500        13%
Ivy League peer           1/2/2002                     18,000               3,146        17%

Page 28

Personal firewalls

[Diagram: Router and switches; host and personal-firewall pictures not recovered]

Page 29

Firewalls Recommendations & Estimated Costs

Time-frame: Long-term
  Target: Servers, desktops and workstations
  Recommendation: Evaluate a network design and migration strategy that better balances availability against security, and is capable of supporting more flexible use of internal and external router filtering/firewall technology ……… under evaluation

Time-frame: Near-term
  Target: Servers, desktops and workstations
  Recommendation: Provide a basic level of network security by implementing router filter rules on external interfaces after campus consultation and on internal interfaces at the request of Schools/Centers
  Hardware/software for internal filtering ……… $20,000/bldg every 3 years

Time-frame: Near-term
  Target: Servers, desktops and workstations
  Recommendation: Enable Schools and Centers to implement tighter local security policies:
  - Publish support for VLANs ……… N&T Documentation
  - Select a campus firewall and VPN standard, avoiding a campus VPN “Tower of Babel”, buying time to patch systems, and enabling Schools and Centers to better implement local firewalls and VPN gateways ……… under evaluation

Time-frame: Near-term
  Target: Desktops and workstations
  Recommendation: Evaluate and recommend a personal firewall software product for targeted users and do a pilot evaluation.
  Software license for 50-100 users ……… $2500 - $5000 for 3 years

Page 30

Security: Defense in Depth

Page 31

Secure out-of-the-box

■ When someone buys a new Dell or IBM machine in the Fall Truckload sale, it is very easy for them to complete the system install without creating an Administrator password. This has led to hundreds of compromised machines within days of going on PennNet.
■ Recommendation: Work with Dell, IBM and Microsoft to create more secure default images for newly purchased Penn machines ……… negotiated price < $25/image

Page 32

Security: Defense in Depth

Page 33

RPC DCOM Scan results

[Chart: # of Penn Machines Vulnerable, y-axis 0 to 8000, weekly from 8/1/2003 to 9/19/2003; series “RPC Round 1” and “RPC Round 2”]

Page 34

Campus-Wide Vulnerability Scanning

■ Vulnerability scanning has been a very useful tool in helping to manage the patching process University-wide.
■ Focused, campus-wide scans for single vulnerabilities can be done quickly (i.e. in 45 minutes or so). This is very helpful to defend against a particular worm.
■ Broader, campus-wide scans for top twenty vulnerabilities take longer – more like 3-4 weeks. This is very helpful for “good hygiene” to ensure that we stay patched as new machines come onto PennNet over time. Goal: 1-3 weeks/campus-wide scan.
■ Finding contact information for the owners of thousands of DHCP (wired and wireless) devices is difficult and time-consuming.
■ The effectiveness of campus-wide scans is limited to the extent that laptops come and go at different locations on PennNet. We probably miss many vulnerable laptops if they’re “off-line” at the time we scan.

Page 35

Vulnerability Scanning Recommendations

■ Develop more efficient methods of locating the owners of DHCP (wired and wireless) devices. See “Respond” section below.

Page 36

Security: Defense in Depth

Page 37: 1 Information Security Vision Network Planning Task Force 9/29/2003 Deke Kassabian and Dave Millar

37

How do worms spread?

[Figure: campus network diagram of routers, switches and end hosts connected to the Internet]

■ 60% of the time: attack Penn systems

■ 40% of the time: attack external systems

Page 38

How did we learn about Blaster/Welchia infected machines?

■ Outsiders automatically send personal firewall logs to central services like MyNetWatchman, who in turn email the report to us.

■ Penn people have automated extracts from their firewall logs and email us the results.

■ We are automatically scanning our firewall logs and extracting the results every four hours.

■ Strengths: simple approach, inexpensive

■ Weaknesses: limited coverage, relies on Penn people’s willingness to continue to devote the time.
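An added example, not the presentation's own tooling, of the four-hourly firewall-log extraction described above: it parses constructed iptables-style log lines (the line format, the campus address range 10.0.0.0/16 and the window start are assumptions) and flags campus hosts that probed many distinct targets on one port, which is how a scanning worm shows up in firewall logs.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Assumed iptables-style log format; the addresses are RFC 5737/1918 test values.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}).*?SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+)"
    r".*?PROTO=(?P<proto>\w+)(?:.*?DPT=(?P<dpt>\d+))?")
CAMPUS_NET = ipaddress.ip_network("10.0.0.0/16")  # placeholder for the campus address space
SINCE = datetime(2003, 8, 12, 6, 0)  # start of the assumed four-hour extraction window

SAMPLE_LINES = """\
2003-08-12T02:10:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.9 PROTO=TCP SPT=1030 DPT=135
2003-08-12T08:01:02 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.10 PROTO=TCP SPT=1034 DPT=135
2003-08-12T08:01:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.11 PROTO=TCP SPT=1035 DPT=135
2003-08-12T08:01:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.12 PROTO=TCP SPT=1036 DPT=135
2003-08-12T08:01:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.13 PROTO=TCP SPT=1037 DPT=135
2003-08-12T08:01:04 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.14 PROTO=TCP SPT=1038 DPT=135
2003-08-12T08:02:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.5.17 DST=192.0.2.40 PROTO=TCP SPT=1040 DPT=80
2003-08-12T08:03:00 fw kernel: IN=eth1 OUT=eth0 SRC=10.0.7.3 DST=192.0.2.20 PROTO=TCP SPT=2001 DPT=135
2003-08-12T08:05:00 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.0.9.2 PROTO=TCP SPT=3001 DPT=135
this line is not a firewall record
""".splitlines()

def parse(line):
    """Return the fields of one log line, or None if it is not a firewall record."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dpt"] = int(rec["dpt"]) if rec["dpt"] else None
    return rec

def find_scanners(lines, since=SINCE, port=135, min_targets=4):
    """Map each campus source that hit `port` on >= `min_targets` distinct hosts since
    `since` to its target count. 135/tcp is the RPC port Blaster spread through (a known
    fact, not something the slides state)."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None or rec["ts"] < since:
            continue
        if ipaddress.ip_address(rec["src"]) not in CAMPUS_NET:
            continue  # only campus sources are ours to trace and disconnect
        if rec["proto"] == "TCP" and rec["dpt"] == port:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}
```

The distinct-target count per source, rather than raw hit volume, is what separates a scanning host from a busy legitimate one; the stale 02:10 line shows the window cut-off.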

Page 39

How could we improve our detection capability?

[Figure: the same campus network diagram of routers, switches and the Internet connection, with three IDS boxes added]

Page 40

How could we improve our detection capability?

Options, with pros and cons:

IDS box connects to local switches
  ■ Pros: inexpensive
  ■ Cons: limited visibility

IDS box connects to internal routers
  ■ Pros: broader visibility
  ■ Cons: more expensive equipment, e.g. fiber taps

IDS box connects to edge routers
  ■ Pros: complete visibility of outbound attacks
  ■ Cons: technically challenging given our redundant Internet connectivity; most expensive

Use edge router flow logs
  ■ Pros: less expensive and less challenging than IDS on edge routers
  ■ Cons: limited visibility of outbound attacks

Page 41

Targeted Intrusion Detection Recommendations & Estimated Costs

Near-term: Create a policy establishing the authority of ISC, Schools and Centers to conduct intrusion detection, addressing privacy, log retention and related issues ... no incremental cost

Near-term: Deploy and manage six to ten switch-connected IDS boxes to quickly identify compromised campus systems.
  Hardware ... $15,000-$20,000 every 2-3 years
  Staff to configure, manage and analyze IDS systems and follow up on intrusion reports ... $100,000/yr

Long-term: Evaluate and determine the best method to provide router flow logs for intrusion detection ... under evaluation

Long-term: Evaluate a network design and migration strategy that better balances availability against security and is capable of supporting broader intrusion detection ... under evaluation

Page 42

Security Vision: Defense in Depth

■ Prevent
  ■ Patch management tools & services
  ■ Training & education
  ■ Anti-virus filtering on mail servers
  ■ Firewalls/Router filtering
  ■ Virtual Private Network
  ■ Personal firewalls
  ■ Secure out-of-the-box
  ■ Campus-wide vulnerability scanning

■ Detect
  ■ Intrusion detection

■ Respond
  ■ Find a better way to locate compromised and vulnerable machines as well as targets of copyright complaints.

Page 43

How do we find problem machines?

■ Problem machine is reported either by the RIAA, intrusion detection or campus vulnerability scan.

■ If static IP: look it up in assignments.

■ If DHCP: ask the NOC for a port trace, which translates the DHCP address to a physical location.

Page 44

Current situation

■ Unable to respond to problems with wireless machines on parts of campus. Can’t very well disable the port :-(

■ Had to just drop 40-50 cases of infected machines because of short DHCP lease lengths.

■ Requested 1149 port traces and 126 disconnects in calendar year 2003 (~$45,000). Trend is up (requested 270 this week alone).

■ Had to hold off requesting some disconnects because it would have been unmanageable.
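An added example, not the NOC's own port-trace procedure, of the lookup described on slides 43 and 44: it resolves a reported address first through a static assignment table, then through DHCP lease history and a switch MAC-address table (all records constructed, table names assumed), and reports the two failure modes the slides mention, a short-lease address reused by another client when the report carries no timestamp, and a wireless client with no switch port to disable.

```python
# Constructed records; the table names and formats are assumptions, not Penn's own systems.
STATIC_ASSIGNMENTS = {"10.0.1.5": ("00:11:22:33:44:55", "bldg-A/sw1/port 7")}
# DHCP lease history as (ip, mac, start, end); ISO-8601 strings compare correctly as text.
# 10.0.20.8 is handed to a second client after a one-hour lease, as short leases cause.
LEASES = [
    ("10.0.20.8", "aa:bb:cc:00:00:01", "2003-08-12T08:00:00", "2003-08-12T09:00:00"),
    ("10.0.20.8", "aa:bb:cc:00:00:02", "2003-08-12T09:00:00", "2003-08-12T10:00:00"),
    ("10.0.20.9", "aa:bb:cc:00:00:03", "2003-08-12T08:30:00", "2003-08-12T09:30:00"),
]
# Switch forwarding-table snapshot, MAC -> physical port; the wireless client ...03 is absent.
MAC_TABLE = {"aa:bb:cc:00:00:01": "bldg-B/sw3/port 12", "aa:bb:cc:00:00:02": "bldg-B/sw3/port 15"}


def leases_for(ip, when=None):
    """Leases of `ip`; only those covering `when` if a report time is given."""
    return [rec for rec in LEASES
            if rec[0] == ip and (when is None or rec[2] <= when < rec[3])]


def trace(ip, reported_at=None):
    """Resolve a reported address to (mac, port, status).

    `reported_at` is the timestamp from the complaint or scan; without one a reused
    DHCP address cannot be attributed, which is why short leases lost cases."""
    if ip in STATIC_ASSIGNMENTS:
        mac, port = STATIC_ASSIGNMENTS[ip]
        return mac, port, "static assignment"
    matches = leases_for(ip, reported_at)
    if not matches:
        return None, None, "no lease record covers the report"
    macs = {rec[1] for rec in matches}
    if len(macs) > 1:
        return None, None, "ambiguous: %d clients held this address; report time needed" % len(macs)
    mac = macs.pop()
    port = MAC_TABLE.get(mac)
    if port is None:
        return mac, None, "MAC not on any switch port (wireless?); no port to disable"
    return mac, port, "dhcp lease"
```

Retaining lease history and insisting on a timestamp in every report is what turns the ambiguous case into a resolvable one.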

Page 45

Incident Response Recommendations & Estimated Costs

Near-term: Provide tools to better support quick lookup of host and DNS contacts ... under evaluation

Near-term: Targeted deployment of PennKey-authenticated network access in, for example, College Houses, GreekNet and the Library ... $2,000 - $5,000/bldg

Long-term: Full deployment of PennKey-authenticated network access on campus
  Hardware/Software (one-time) ... $1,000,000

Near-term: Research ways of ensuring the security of newly connected machines:
  ■ Vulnerability scan of machines as they connect to PennNet
  ■ Ability to block infected/vulnerable machines based on MAC address
  Hardware/Software ... under evaluation
  Staff ... under evaluation

Page 46

Summary of Recommendations & Estimated Costs

Near-term: Establish a policy requiring that by 7/1/04, all campus PennNet-connected Windows systems (servers, desktops and workstations) have all critical updates applied within three business days ... existing staff

Near-term: Create a new ISC service, “Patch Management Services”
  Staff ... $100,000/yr
  Hardware for campus SUS service ... $10,000 every 2-3 yrs.
  Campus license for commercial patch management software ... $6/seat/yr

Near-term: Virus filtering ... $5-$6/account/year

Long-term: Evaluate a network design and migration strategy that better balances availability against security and is capable of supporting more flexible use of internal and external router filtering/firewall technology ... under evaluation

Near-term: Provide a basic level of network security by implementing router filter rules on external interfaces after campus consultation and on internal interfaces at the request of Schools/Centers
  Hardware/software for internal filtering ... $20,000/bldg every 3 years

Near-term: Enable Schools and Centers to implement tighter local security policies:
  - Publish support for VLANs ... N&T Documentation
  - Select a campus firewall and VPN standard, avoiding a campus VPN “Tower of Babel”, buying time to patch systems, and enabling Schools and Centers to better implement local firewalls and VPN gateways ... under evaluation

Near-term: Evaluate and recommend a personal firewall software product for targeted users and do a pilot evaluation.
  Software license for 50-100 users ... $2500 - $5000 for 3 years

Page 47

Summary of Recommendations & Estimated Costs

Near-term: Work with Dell, IBM and Microsoft to create more secure default images for newly purchased Penn machines ... negotiated price < $25/image

Near-term: Create a policy establishing the authority of ISC, Schools and Centers to conduct intrusion detection, addressing privacy, log retention and related issues ... no incremental cost

Near-term: Deploy and manage six to ten switch-connected IDS boxes to quickly identify compromised campus systems.
  Hardware ... $15,000-$20,000 every 2-3 years
  Staff to configure, manage and analyze IDS systems and follow up on intrusion reports ... $100,000/yr

Long-term: Evaluate and determine the best method to provide router flow logs for intrusion detection ... under evaluation

Long-term: Evaluate a network design and migration strategy that better balances availability against security and is capable of supporting broader intrusion detection ... under evaluation

Near-term: Provide tools to better support quick lookup of host and DNS contacts ... under evaluation

Near-term: Targeted deployment of PennKey-authenticated network access in, for example, College Houses, GreekNet and the Library ... $2,000 - $5,000/bldg.

Long-term: Full deployment of PennKey-authenticated network access on campus
  Hardware/Software (one-time) ... $1,000,000

Near-term: Implement two additional functions in PennKey network authentication of DHCP connections:
  ■ Vulnerability scan of machines as they connect to PennNet
  ■ Ability to block infected/vulnerable machines based on MAC address
  Hardware/Software ... under evaluation
  Staff ... under evaluation