Network Security Overview: Tales from the trenches

Post on 19-Dec-2015



Why security?

increasingly hostile public network

cost of downtime

value of the information

Increasingly hostile public network

Increasingly hostile public network (2)

intruders are prepared and organized

Internet attacks are easy, low risk, and hard to trace

intruder tools are
- increasingly sophisticated
- easy to use, especially by novice intruders
- designed to support large-scale attacks

source code is not required to find vulnerabilities

the complexity of the Internet, protocols, and applications is increasing, along with our reliance on them

Increasingly hostile public network (3)

Cost of downtime

Value of the information

Large stores of credit card information stored on DB servers

Intellectual property valued in the millions

Basic Categories

Policy

Physical

IP based

Software/OS based

Holistic approach

(diagram of layers: Security Policy, Physical, IP Based, Application)

Policy

Email usage

External services allowed

Acceptable use

User and resource architecture

Virus response

IP based

Routers: packet filtering

Firewalls: packet inspection versus packet filter; ability to build rulesets

Switches/VLAN: isolating IP segments using VLANs
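The slides contrast router packet filtering with firewall packet inspection and the ability to build rulesets. The following simulation is an added example, not code from the slides or from any router or firewall product: the rule syntax, the `Packet`/`Rule` classes and the sample addresses are all constructed here. It shows why a stateless filter that must let replies to outbound web traffic back in ends up with a broad "allow inbound high ports" rule, while a stateful inspector tracks outbound connections and can keep the inbound ruleset to the services deliberately published (here just HTTPS).

```python
"""Stateless packet filter vs. stateful packet inspection (constructed example).

The rule format and packets below are illustrative only; real routers and
firewalls use their own syntax, but the decision logic is the same shape.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # TCP SYN flag: set on the packet that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in" (from the public network) or "out" (to it)
    proto: str = "tcp"
    dport_lo: int = 0    # destination port range, inclusive
    dport_hi: int = 65535

    def matches(self, pkt: Packet, direction: str) -> bool:
        return (self.direction == direction and self.proto == pkt.proto
                and self.dport_lo <= pkt.dport <= self.dport_hi)


def stateless_filter(rules, pkt: Packet, direction: str) -> str:
    """Router-style packet filtering: first matching rule wins, default deny.
    Only the packet in hand is examined; there is no memory of earlier packets."""
    for rule in rules:
        if rule.matches(pkt, direction):
            return rule.action
    return "deny"


class StatefulInspector:
    """Firewall-style inspection: allowed outbound connections are recorded, and
    an inbound packet is accepted if it is part of a recorded connection or an
    explicit inbound rule allows it."""

    def __init__(self, rules):
        self.rules = rules
        # (proto, inside_ip, inside_port, outside_ip, outside_port)
        self.connections = set()

    def check(self, pkt: Packet, direction: str) -> str:
        if direction == "out":
            verdict = stateless_filter(self.rules, pkt, "out")
            if verdict == "allow":
                self.connections.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return verdict
        # Inbound: a reply to a tracked connection is allowed; a SYN is never a reply.
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.connections and not pkt.syn:
            return "allow"
        return stateless_filter(self.rules, pkt, "in")


def demo() -> dict:
    """Run both designs over constructed traffic and return the verdicts."""
    inside, web, outsider = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    request = Packet(inside, 50000, web, 80, syn=True)         # browsing out
    reply = Packet(web, 80, inside, 50000)                     # the server's reply
    unsolicited = Packet(outsider, 4444, inside, 8080, syn=True)  # nobody asked for this
    https_in = Packet(outsider, 5555, "10.0.0.80", 443, syn=True)  # published extranet service

    # Stateless ruleset: replies can only come back if inbound high ports are open.
    stateless_rules = [
        Rule("allow", "out"),
        Rule("allow", "in", dport_lo=443, dport_hi=443),
        Rule("allow", "in", dport_lo=1024),
    ]
    # Stateful ruleset: no high-port hole needed; connection tracking handles replies.
    stateful_rules = [
        Rule("allow", "out"),
        Rule("allow", "in", dport_lo=443, dport_hi=443),
    ]
    fw = StatefulInspector(stateful_rules)
    return {
        "stateless_reply": stateless_filter(stateless_rules, reply, "in"),
        "stateless_unsolicited": stateless_filter(stateless_rules, unsolicited, "in"),
        "stateful_request": fw.check(request, "out"),
        "stateful_reply": fw.check(reply, "in"),
        "stateful_unsolicited": fw.check(unsolicited, "in"),
        "stateful_https": fw.check(https_in, "in"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The interesting row is the unsolicited SYN to port 8080: the stateless ruleset allows it because the same high-port rule that admits legitimate replies admits anything else aimed at those ports, whereas the stateful inspector denies it because no inside host opened that connection. VLAN segmentation (the next slide) limits which hosts such a packet could reach even when a filter lets it through.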

Software

Proxy servers

Software firewalls vs. hardware

OS security: Unix/MS

Patches and updates

Remote access

security versus usability

P: drive access

options for remote access: extranet, web access, VPN, private dial-up

Extranet

Secure web site with access to specific data

Requires login

Can provide access to all information available “on site”

VPN

Virtual private network

Creates a secure tunnel between two points on a network

All data traveling on the tunnel is encrypted

Should use encryption for tunnel creation

Physical security

Data center access

Multi-homed

Redundant utilities (power, HVAC)

Fire suppression