Defending the Campus – Juniper Networks
More info: http://goo.gl/LYQuss
TRANSCRIPT
Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1
Defending the Campus
Ed Lopez – Emerging Technologies
“The Headlines”
“’MafiaBoy’ DDoS Attack Via University Network”
“Postdoc Arrest Linked to Intellectual Property Theft from University Labs”
“Hack on University Exposes 1.4M Social Security Numbers”
“Universities Fear 6th of Month as Klez Virus Re-erupts”
“RIAA Sues Campus File-Swappers”
“Weak Security Causes University to Ban Unauthorized Wi-Fi on Campus Nets”
“Campus Networks: Havens for Spammers?”
“Vital Files Exposed in University Hacking, 32,000 Students and Employees Affected”
Our Users – Our Problem
Students – Bandwidth, Active Threat, No Standards
Faculty – Openness, Intellectual Property, Communication
Administration – Privacy/Financial/Academic Data, Web Services
Facilities/Security – Operations, Logistics, Emergency Services
Health Services – HIPAA, Medical Support Systems
Externals – Support for Gov’t Projects, External/Joint Academics, Libraries, Research
Security is in How We Access Our Networks
Dormitories – Wired/Wireless, >1 host to 1 student
Libraries – Shared systems, public/anonymous access
Commons – Wireless, rogues, ‘evil twins’
Telecommuters – Commuting Students, Off-Campus Housing, Fraternities/Sororities, ‘Starbucks’ and other community outlets
Educational Areas – May have specialized requirements, especially science departments
Health Services & Administration – Autonomous but linked
Externals – Dedicated support requirements, threat from external security breaches
Campuses – Crucibles for New Technologies and Security Issues
Varied OS Support: Windows (multiple versions), MacOS, Linux, BSD, Palm, PocketPC, new handhelds
No Personal Firewall/Anti-Virus Standards
VoIP: Internally supported, Vonage, etc.
Authentication: Passwords (weak), Tokens, SSN vs. Unique Number, Single Sign-On vs. Segmentation
Wireless vs. Wired
Many Back Channels: POP3, IM, IRC, P2P, FTP, etc.
Music: P2P vs. Legal Downloads
What We Intended
What We Ended Up With
Social Engineering
Firewalls Alone Are Not Enough
A TCP/80 client session:
• Is it MSIE?
• Is it Mozilla Firefox?
• Is it a Warez P2P Session?
Firewalls, even with application intelligence, only deal with Layers 3 & 4
But with convergence of multiple applications around well-known ports & protocols, how do we differentiate the legitimate ones from the rogue ones?
Layered Threats – Layered Defenses
Domino Effect
Security Is Not Required for Applications & Networks to Function!
Everything works in the lab!
Trust is inherent to design!
What are your policies?
How are they enforced?
How do you detect/prevent malicious traffic, rogue host/apps, and misuse?
What is really on your network?
Security Requirements for the Campus
Access Defense at Network/Data Centers – No effective perimeters, no control of end-user hosts
Network Awareness – Variable users/access/technologies make for quickly changing threats
QoS – Defending bandwidth for necessary resources, mitigating DoS attacks, policy conformance
Segregation of IP Networks – With use of common infrastructure
Standardization Where Possible – Enforcement of security processes is a must for applications, data centers, and systems holding sensitive data
Provisioned Services – Key to consistent delivery of manageable services
Securing Access
Wireless Access = Remote Access
Common solution sets mean ease of deployment and common user experience
• Can implement roles-based policies
SSL VPNs are your friend
• Clientless – Just need a browser
• Encryption offers confidentiality, integrity of traffic
• Defend Remote Access, Wireless Access, Access to Data Centers
You can’t rely on host-based defenses, defend at the ingress
• Perimeter defenses (Firewall, ACL)
• NAV and Anti-spam on campus web/mail services
Securing Data Centers
Best defenses are based on knowing what to defend
• You may not control the clients, but you do control the servers
Tight perimeter defenses
Portaling
Intrusion Detection/Prevention
Honeypots / Honeynets
Importance of Network Awareness
“Network awareness now a new mindset for security professionals.”
“Every component of the network is part of the ecosystem.”
“The end user is the moving chess piece of the network board.”
“The really good intruders study the environment before attacking.”
Source: Network Awareness, whitepaper by BlackHat Consulting
IDS – Intrusion Detection System
Typically out of line of the data flow on a tap. Evaluates deeper into the packet to validate protocol, search for exploits and anomalies. All 7 layers of the OSI model can be parsed.
Diagram callout: dynamic ACL request sent to the router/firewall, or TCP RESET sent to close the session
IPS – Intrusion Prevention System
Typically inline of the data flow. Evaluates deeper into the packet to validate protocol, search for exploits and anomalies. All 7 layers of the OSI model can be parsed. Does not have to rely on other devices in the network to complete its task.
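As an added example (my own, not code from the Juniper deck), here is a small Python sensor that does what the "Firewalls Alone Are Not Enough" slide and the IDS/IPS slides describe: it checks whether a TCP/80 payload really is HTTP, identifies the browser from the self-declared User-Agent header, flags a protocol anomaly, and picks the response each deployment mode allows (drop inline for an IPS; dynamic ACL request plus TCP RESET for an IDS on a tap). The sample payloads, host names and the function names `classify_port80`, `parse_headers` and `respond` are all constructed for this example.

```python
import re

# Constructed sample payloads: the first bytes a sensor sees on a TCP/80 session
# (hypothetical hosts; the HTTP samples imitate 2004-era browser request headers).
SAMPLES = {
    "msie": (b"GET /index.html HTTP/1.1\r\n"
             b"Host: www.example.edu\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    "firefox": (b"GET / HTTP/1.1\r\n"
                b"Host: www.example.edu\r\n"
                b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7) "
                b"Gecko/20040803 Firefox/0.9.3\r\n\r\n"),
    # A BitTorrent peer handshake: P2P traffic that a port-based rule would pass as "web".
    "p2p": b"\x13BitTorrent protocol" + b"\x00" * 8 + b"\xaa" * 20 + b"\xbb" * 20,
    # Looks like HTTP at a glance but violates the protocol (HTTP/1.1 without a Host header).
    "no_host": b"GET /cmd HTTP/1.1\r\nUser-Agent: curl/7.12\r\n\r\n",
}

REQUEST_LINE = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT) \S+ HTTP/1\.([01])\r\n")


def parse_headers(payload: bytes) -> dict:
    """Return the header block of an HTTP request as a dict keyed by lowercase name."""
    head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]  # skip the request line
    headers = {}
    for line in head:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers


def respond(mode: str, block: bool) -> str:
    """What the sensor does with a bad session: an IPS is inline and can drop the packet;
    an IDS on a tap can only ask the router/firewall for a dynamic ACL and send a TCP RESET."""
    if not block:
        return "forward"
    return "drop" if mode == "ips" else "acl-request+tcp-reset"


def classify_port80(payload: bytes, mode: str = "ids") -> dict:
    """Validate that a TCP/80 payload really is HTTP and identify the client application."""
    m = REQUEST_LINE.match(payload)
    if not m:
        app = "bittorrent" if payload.startswith(b"\x13BitTorrent protocol") else "unknown"
        return {"protocol": "non-http", "application": app, "action": respond(mode, True)}
    headers = parse_headers(payload)
    if m.group(2) == b"1" and "host" not in headers:
        # Protocol anomaly: an HTTP/1.1 request must carry a Host header (RFC 2616, 14.23).
        return {"protocol": "http-anomaly", "application": "unknown",
                "action": respond(mode, True)}
    ua = headers.get("user-agent", "")
    if "MSIE" in ua:
        app = "msie"
    elif "Firefox" in ua:
        app = "firefox"
    else:
        app = "other-http"
    return {"protocol": "http", "application": app, "action": respond(mode, False)}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, classify_port80(payload, mode="ids"), classify_port80(payload, mode="ips"))
```

The User-Agent string is supplied by the client, so the MSIE/Firefox label records what the client claims rather than proving it; the protocol check is the part a port-based firewall rule cannot do at all. A real sensor also has to reassemble the TCP stream before matching, which this example skips by looking at a single payload.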
Network Awareness – Know Your Threat!
Who is peering with your critical systems?
Who are the IRC bots?
Who is probing your network?
Correlate security events to hosts/network objects
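An added example (my own, not from the deck) of the correlation this slide asks for: a handful of constructed flow records are parsed and three of the slide's questions are answered per host, so the output is a list of findings keyed by the host that caused them rather than a flat event stream. The addresses, system names, allow lists, IRC port set and the probe threshold are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed flow records for a hypothetical campus: timestamp src dst proto dport
FLOWS = """\
2004-09-14T10:00:01 10.20.3.15 10.1.0.10 tcp 443
2004-09-14T10:00:04 10.20.3.15 10.1.0.10 tcp 22
2004-09-14T10:00:09 10.20.7.42 192.0.2.50 tcp 6667
2004-09-14T10:00:11 10.20.7.42 192.0.2.50 tcp 6667
2004-09-14T10:00:12 10.20.9.8 10.1.0.20 tcp 21
2004-09-14T10:00:12 10.20.9.8 10.1.0.20 tcp 22
2004-09-14T10:00:12 10.20.9.8 10.1.0.20 tcp 23
2004-09-14T10:00:12 10.20.9.8 10.1.0.20 tcp 25
2004-09-14T10:00:13 10.20.9.8 10.1.0.20 tcp 80
2004-09-14T10:00:13 10.20.9.8 10.1.0.20 tcp 110
2004-09-14T10:00:13 10.20.9.8 10.1.0.20 tcp 139
2004-09-14T10:00:14 10.20.9.8 10.1.0.20 tcp 445
2004-09-14T10:00:20 10.20.3.15 10.1.0.10 tcp 443
2004-09-14T10:00:25 10.20.5.1 10.1.0.30 tcp 1433
"""

# Assumed inventory: critical systems and the hosts expected to peer with them.
CRITICAL = {"10.1.0.10": "student-records-db", "10.1.0.30": "payroll-sql"}
ALLOWED_PEERS = {"10.1.0.10": {"10.20.3.15"}, "10.1.0.30": set()}
IRC_PORTS = {6667, 6668, 6669}          # well-known IRC server ports
SCAN_PORT_THRESHOLD = 6                 # distinct ports on one target before we call it a probe


def parse_flows(text: str) -> list:
    """Turn the whitespace-separated records into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        records.append({"ts": ts, "src": src, "dst": dst, "proto": proto, "dport": int(dport)})
    return records


def correlate(records: list) -> dict:
    """Answer the slide's questions per source host:
    who talks IRC, who probes, and who peers with a critical system without being expected to."""
    findings = defaultdict(set)              # host -> {(tag, detail)}
    ports_per_pair = defaultdict(set)        # (src, dst) -> distinct destination ports seen
    for r in records:
        ports_per_pair[(r["src"], r["dst"])].add(r["dport"])
        if r["dport"] in IRC_PORTS:
            findings[r["src"]].add(("irc-client", f'{r["dst"]}:{r["dport"]}'))
        if r["dst"] in CRITICAL and r["src"] not in ALLOWED_PEERS.get(r["dst"], set()):
            findings[r["src"]].add(("unexpected-peer", f'{CRITICAL[r["dst"]]}:{r["dport"]}'))
    for (src, dst), ports in ports_per_pair.items():
        if len(ports) >= SCAN_PORT_THRESHOLD:
            findings[src].add(("port-probe", f"{dst} {len(ports)} ports"))
    return {host: sorted(tags) for host, tags in findings.items()}


if __name__ == "__main__":
    for host, tags in correlate(parse_flows(FLOWS)).items():
        print(host, tags)
```

Keying the findings by host is the point: the same host showing an IRC session and a port probe is a far stronger signal than either event alone, and it is the host, not the event, that a network administrator goes looking for.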
Network QoS – Managed Unfairness
Bandwidth isn’t free and all traffic is not equal
Migration continues toward converged network, with multiple services over IP
Need to distinguish between the multiple services on the converged network infrastructure
Examples: voice and real-time video
Implementing QoS allows us to utilize existing bandwidth better
QoS tools can be used as security tools to safeguard priority network services and applications
Diagram: traffic classes VoIP, Gold, Silver and Best Effort pass through Classify, then Schedule, then Transmit
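To make the Classify, Schedule, Transmit pipeline concrete, here is an added Python model (not from the deck): packets are classified into the four classes shown on the slide and a strict-priority scheduler with per-class quotas and queue limits serves them, so a best-effort flood cannot take bandwidth from a VoIP call and yet VoIP cannot be abused to starve everyone else either. The classifier rules, link capacity, quotas, queue depths and the traffic mix are constructed assumptions; the class names are the slide's.

```python
from collections import deque

# Classes in strict-priority order: the scheduler serves the left-most non-empty queue first.
CLASSES = ("voip", "gold", "silver", "best-effort")


def classify(pkt: dict) -> str:
    """Map a packet to a class. Constructed rule set: RTP media to VoIP, interactive and
    admin protocols to Gold, web and mail to Silver, everything else (P2P included) to Best Effort."""
    if pkt["proto"] == "udp" and 16384 <= pkt["dport"] <= 32767:
        return "voip"
    if pkt["dport"] in (22, 443, 5060):
        return "gold"
    if pkt["dport"] in (25, 80, 110):
        return "silver"
    return "best-effort"


class Scheduler:
    def __init__(self, link_bytes_per_tick: int, quota: dict, queue_limit: dict):
        self.link = link_bytes_per_tick
        self.quota = quota            # bytes a class may send per tick before lower classes get a turn
        self.limit = queue_limit      # per-class queue depth; packets beyond it are tail-dropped
        self.queues = {c: deque() for c in CLASSES}
        self.sent = {c: 0 for c in CLASSES}
        self.dropped = {c: 0 for c in CLASSES}

    def enqueue(self, pkt: dict) -> None:
        cls = classify(pkt)
        if len(self.queues[cls]) >= self.limit[cls]:
            self.dropped[cls] += 1    # a flood overflows only its own queue
        else:
            self.queues[cls].append(pkt)

    def tick(self) -> None:
        """Transmit one link interval. Each class gets up to its quota; unused capacity flows
        down to the lower classes, so priority traffic is protected but also capped."""
        budget = self.link
        for cls in CLASSES:
            allowed = min(budget, self.quota.get(cls, budget))
            q = self.queues[cls]
            while q and q[0]["size"] <= allowed:
                pkt = q.popleft()
                allowed -= pkt["size"]
                budget -= pkt["size"]
                self.sent[cls] += 1

    def backlog(self) -> int:
        return sum(len(q) for q in self.queues.values())


def simulate() -> dict:
    """A constructed best-effort flood arrives together with a small VoIP call and some admin
    SSH traffic; returns per-class counters and the tick at which the VoIP queue drained."""
    sched = Scheduler(link_bytes_per_tick=10_000,
                      quota={"voip": 2_000, "gold": 4_000, "silver": 3_000},
                      queue_limit={"voip": 50, "gold": 50, "silver": 50, "best-effort": 100})
    for i in range(500):
        sched.enqueue({"proto": "tcp", "dport": 6881, "size": 1500})       # P2P flood
        if i % 25 == 0:
            sched.enqueue({"proto": "udp", "dport": 20000, "size": 200})   # RTP voice
        if i % 50 == 0:
            sched.enqueue({"proto": "tcp", "dport": 22, "size": 1000})     # SSH to a server
    ticks, voip_done = 0, None
    while sched.backlog():
        sched.tick()
        ticks += 1
        if voip_done is None and not sched.queues["voip"]:
            voip_done = ticks
    return {"sent": sched.sent, "dropped": sched.dropped,
            "ticks": ticks, "voip_done_tick": voip_done}


if __name__ == "__main__":
    print(simulate())
```

With these numbers the 20 voice packets are all delivered within the first two ticks while 400 of the 500 flood packets are dropped at the best-effort queue; the "managed unfairness" is the quota on each class, which is what stops a flood that happens to land in a priority class from being any worse than one in best effort.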
Segregating IP Networks – MPLS
Diagram: Wireless Access, Housing, Remote Campus, VoIP, Internet Access and Campus Network sites attached to an IP/MPLS core (CE, PE and P routers)
Multiple IP nets / Common Infrastructure
Security, Access Control at the Edge
Provisioned Services – Manageability
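The slide states the goal (multiple IP networks over one infrastructure) without showing the mechanism, so here is an added Python model of it, written for this page rather than taken from the deck or from Junos: in an MPLS layer-3 VPN each VRF exports its prefixes tagged with route-target communities and imports only prefixes carrying a target on its import list, so a host in one VRF has no route at all to another VRF unless the targets were deliberately shared. The VRF names, ASN 65000, route targets and prefixes are constructed assumptions.

```python
import ipaddress

# Constructed VRF definitions (hypothetical ASN 65000 and address plan). "export" is the set
# of route targets attached to the VRF's prefixes; "import" is what the VRF will accept.
VRFS = {
    "housing":  {"export": {"65000:10"}, "import": {"65000:10", "65000:1"},
                 "prefixes": ["10.10.0.0/16"]},
    "health":   {"export": {"65000:20"}, "import": {"65000:20", "65000:1"},
                 "prefixes": ["10.20.0.0/16"]},
    "wireless": {"export": {"65000:30"}, "import": {"65000:30", "65000:1"},
                 "prefixes": ["10.30.0.0/16"]},
    # Shared campus services (portal, mail) reachable from every VRF. It imports the others so
    # replies can be routed back; the hosts in it are servers, not routers, so it is not a bridge.
    "shared":   {"export": {"65000:1"},
                 "import": {"65000:1", "65000:10", "65000:20", "65000:30"},
                 "prefixes": ["198.51.100.0/24"]},
}


def build_tables(vrfs: dict) -> dict:
    """Per-VRF routing table: a prefix appears in VRF v only if one of the originating VRF's
    export targets is in v's import list. This matching is the whole segregation mechanism."""
    tables = {}
    for name, v in vrfs.items():
        table = []
        for origin, o in vrfs.items():
            if v["import"] & o["export"]:
                for p in o["prefixes"]:
                    table.append((ipaddress.ip_network(p), origin))
        # longest prefix first, so the first hit in lookup() is the best match
        tables[name] = sorted(table, key=lambda e: e[0].prefixlen, reverse=True)
    return tables


def lookup(tables: dict, vrf: str, dst: str):
    """Longest-prefix match inside one VRF; None means no route, so the packet is dropped."""
    addr = ipaddress.ip_address(dst)
    for net, origin in tables[vrf]:
        if addr in net:
            return origin
    return None


if __name__ == "__main__":
    tables = build_tables(VRFS)
    for vrf, dst in [("housing", "198.51.100.5"), ("housing", "10.20.1.1"), ("shared", "10.10.2.2")]:
        print(f"{vrf} -> {dst}: {lookup(tables, vrf, dst)}")
```

On a Junos PE the same decision is expressed per routing instance with `vrf-target`, or with separate `vrf-import` and `vrf-export` policies when the import and export sets differ as they do for the shared VRF here; the access control the slide places "at the edge" is then a firewall filter on the CE-facing interface of that instance, which this model does not cover.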
Standardization
Openness applies to the user community, not to campus administration and staff
Deployed network applications and services must be tightly defined
IDS/IPS to look for malicious traffic within these applications and services
Standardized authentication systems – centralized online identity control
Operational & management support is key to policy enforcement
Provisioned Services
Bring all of these security concepts together
• Portaling – Present services in a consistent fashion, roles-based authentication
• Network Awareness – Defining and provisioning services provides a clear scope
• QoS – Protect service resources
• Segregation – Reduces threat vectors and malicious logic trees between services
• Standardization – Building security in what we deploy
Create an atmosphere of what we can do, vs. what we can’t
Juniper Networks Portfolio
M-series T-series
Large Core Metro Aggregation
E-series
BRAS & Circuit Aggregation
Policy & Service Control
Small/Med Core
Circuit Aggregation
Secure Access SSL VPN
Intrusion Detection and Prevention
Integrated Firewall/IPSEC VPN
Central Policy-based Management
NMC-RX
JUNOScope
Secure Meeting
Enterprise Routing
J-series
Thank You!