Defending the campus juniper networks

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1 Defending the Campus Ed Lopez – Emerging Technologies



Transcript of Defending the campus juniper networks

Page 1: Defending the campus juniper networks

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1

Defending the Campus

Ed Lopez – Emerging Technologies

Page 2: Defending the campus juniper networks


“The Headlines”

“’MafiaBoy’ DDoS Attack Via University Network”

“Postdoc Arrest Linked to Intellectual Property Theft from University Labs”

“Hack on University Exposes 1.4M Social Security Numbers”

“Universities Fear 6th of Month as Klez Virus Re-erupts”

“RIAA Sues Campus File-Swappers”

“Weak Security Causes University to Ban Unauthorized Wi-Fi on Campus Nets”

“Campus Networks: Havens for Spammers?”

“Vital Files Exposed in University Hacking, 32,000 Students and Employees Affected”

Page 3: Defending the campus juniper networks


Our Users – Our Problem

Students – Bandwidth, Active Threat, No Standards

Faculty – Openness, Intellectual Property, Communication

Administration – Privacy/Financial/Academic Data, Web Services

Facilities/Security – Operations, Logistics, Emergency Services

Health Services – HIPAA, Medical Support Systems

Externals – Support for Gov’t Projects, External/Joint Academics, Libraries, Research

Page 4: Defending the campus juniper networks


Security is in How We Access Our Networks

Dormitories – Wired/Wireless, >1 host to 1 student

Libraries – Shared systems, public/anonymous access

Commons – Wireless, rogues, ‘evil twins’

Telecommuters – Commuting Students, Off-Campus Housing, Fraternities/Sororities, ‘Starbucks’ and other community outlets

Educational Areas – May have specialized requirements, especially science departments

Health Services & Administration – Autonomous but linked

Externals – Dedicated support requirements, threat from external security breaches

Page 5: Defending the campus juniper networks


Campuses – Crucibles for New Technologies and Security Issues

Varied OS Support: Windows (multiple versions), MacOS, Linux, BSD, Palm, PocketPC, new handhelds

No Personal Firewall/Anti-Virus Standards

VoIP: Internally supported, Vonage, etc.

Authentication: Passwords (weak), Tokens, SSN vs. Unique Number, Single Sign-On vs. Segmentation

Wireless vs. Wired

Many Back Channels: POP3, IM, IRC, P2P, FTP, etc.

Music: P2P vs. Legal Downloads

Page 6: Defending the campus juniper networks


What We Intended

Page 7: Defending the campus juniper networks


What We Ended Up With

(Diagram label: Social Engineering)

Page 8: Defending the campus juniper networks


Firewalls Alone Are Not Enough

A TCP/80 client session:

• Is it MSIE?

• Is it Mozilla Firefox?

• Is it a Warez P2P Session?

Firewalls, even with application intelligence, only deal with Layers 3 & 4

But with convergence of multiple applications around well-known ports & protocols, how do we differentiate the legitimate ones from the rogue ones?
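To make the slide's point concrete, here is an added example (not from the deck) that looks at three constructed client sessions which all arrive on TCP/80: a port-only rule calls every one of them "web", while reading the first bytes of the client's request tells them apart. The session payloads, user-agent strings and function names are constructed for illustration.

```python
import re

# Constructed payloads of three client sessions that all have destination port 80.
# The first two are HTTP requests from different browsers; the third is a
# BitTorrent handshake (0x13 + "BitTorrent protocol"), i.e. P2P riding on the web port.
SESSIONS = {
    "msie": (b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n"
             b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    "firefox": (b"GET / HTTP/1.1\r\nHost: www.example.edu\r\n"
                b"User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; rv:1.7) "
                b"Gecko/20040803 Firefox/0.9.3\r\n\r\n"),
    "p2p": b"\x13BitTorrent protocol" + bytes(8) + bytes(20) + bytes(20),
}

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")
USER_AGENT = re.compile(rb"^User-Agent: (.*?)\r\n", re.M)


def layer4_view(dst_port):
    """What a port-based firewall rule sees: the port number and nothing else."""
    return "web" if dst_port == 80 else "other"


def layer7_view(payload):
    """Inspect the first bytes of the client's data to decide what the session is."""
    if not payload.startswith(HTTP_METHODS):
        return "non-HTTP on TCP/80"          # speaks something else entirely
    m = USER_AGENT.search(payload)
    ua = m.group(1).decode(errors="replace") if m else ""
    if "MSIE" in ua:
        return "HTTP (MSIE)"
    if "Firefox" in ua:
        return "HTTP (Firefox)"
    return "HTTP (other client)"


def triage(sessions=SESSIONS):
    """Compare both views for every session: name -> (layer 4 verdict, layer 7 verdict)."""
    return {name: (layer4_view(80), layer7_view(data)) for name, data in sessions.items()}


if __name__ == "__main__":
    for name, (l4, l7) in triage().items():
        print(f"{name:8s} L3/4 says {l4:4s}  L7 says {l7}")
```

The request-line check is what separates HTTP from a foreign protocol; the User-Agent is client-supplied and trivially forged, and P2P clients can speak genuine HTTP, so real application identification needs deeper protocol parsing than a first-packet signature.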

Page 9: Defending the campus juniper networks


Layered Threats – Layered Defenses

Page 10: Defending the campus juniper networks


Domino Effect

Page 11: Defending the campus juniper networks


Security Is Not Required for Applications & Networks to Function!

Everything works in the lab!

Trust is inherent to design!

What are your policies?

How are they enforced?

How do you detect/prevent malicious traffic, rogue host/apps, and misuse?

What is really on your network?

Page 12: Defending the campus juniper networks


Security Requirements for the Campus

Access Defense at Network/Data Centers – No effective perimeters, no control of end-user hosts

Network Awareness – Variable users/access/technologies make for quickly changing threats

QoS - defending bandwidth for necessary resources, mitigating DoS attacks, policy conformance

Segregation of IP Networks – With use of common infrastructure

Standardization Where Possible – Enforcement of security processes is a must for applications, data centers, and systems holding sensitive data

Provisioned Services – Key to consistent delivery of manageable services

Page 13: Defending the campus juniper networks


Securing Access

Wireless Access = Remote Access

Common solution sets mean ease of deployment and common user experience

• Can implement roles-based policies

SSL VPNs are your friend

• Clientless – Just need a browser

• Encryption offers confidentiality, integrity of traffic

• Defend Remote Access, Wireless Access, Access to Data Centers

You can’t rely on host-based defenses; defend at the ingress

• Perimeter defenses (Firewall, ACL)

• NAV and Anti-spam on campus web/mail services

Page 14: Defending the campus juniper networks


Securing Data Centers

Best defenses are based on knowing what to defend

• You may not control the clients, but you do control the servers

Tight perimeter defenses

Portaling

Intrusion Detection/Prevention

Honeypots / Honeynets

Page 15: Defending the campus juniper networks


Importance of Network Awareness

“Network awareness now a new mindset for security professionals.”

“Every component of the network is part of the ecosystem.”

“The end user is the moving chess piece of the network board.”

“The really good intruders study the environment before attacking.”

Source: Network Awareness, whitepaper by BlackHat Consulting

Page 16: Defending the campus juniper networks


IDS – Intrusion Detection System

Typically out of line of the data flow on a tap. Evaluates deeper into the packet to validate protocol, search for exploits and anomalies. All 7 layers of the OSI model can be parsed.

(Diagram: IDS on a tap) Dynamic ACL request sent to the router/firewall, or TCP RESET sent to close the session

Page 17: Defending the campus juniper networks


IPS – Intrusion Prevention System

Typically inline of the data flow. Evaluates deeper into the packet to validate protocol, search for exploits and anomalies. All 7 layers of the OSI model can be parsed. Does not have to rely on other devices in the network to complete its task.

(Diagram: IPS inline)

Page 18: Defending the campus juniper networks


Network Awareness – Know Your Threat!

Who is peering with your critical systems?

Who are the IRC bots?

Who is probing your network?

Correlate security events to hosts/network objects
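As an added example (not from the deck) of correlating security events to hosts and network objects, the script below parses constructed firewall log lines against a constructed inventory of campus networks and answers two of the questions on the slide: which source is probing the data center, and which campus hosts are all talking to the same external IRC server. The log format, addresses, thresholds and function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed host inventory: which campus network an address belongs to.
NETWORKS = {
    "dorms": ipaddress.ip_network("10.20.0.0/16"),
    "datacenter": ipaddress.ip_network("10.50.0.0/24"),
}

# Constructed firewall log (key=value style; not a real vendor format).
LOG = """\
2004-09-14T10:01:02 src=10.20.1.5 dst=10.50.0.10 dport=22 proto=tcp action=deny
2004-09-14T10:01:02 src=10.20.1.5 dst=10.50.0.10 dport=23 proto=tcp action=deny
2004-09-14T10:01:03 src=10.20.1.5 dst=10.50.0.10 dport=80 proto=tcp action=allow
2004-09-14T10:01:03 src=10.20.1.5 dst=10.50.0.11 dport=445 proto=tcp action=deny
2004-09-14T10:01:04 src=10.20.1.5 dst=10.50.0.12 dport=1433 proto=tcp action=deny
2004-09-14T10:02:10 src=10.20.7.33 dst=198.51.100.7 dport=6667 proto=tcp action=allow
2004-09-14T10:02:11 src=10.20.7.34 dst=198.51.100.7 dport=6667 proto=tcp action=allow
2004-09-14T10:02:12 src=10.20.7.35 dst=198.51.100.7 dport=6667 proto=tcp action=allow
2004-09-14T10:03:00 src=10.50.0.10 dst=10.50.0.11 dport=3306 proto=tcp action=allow
"""
LINE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) proto=\w+ action=(\w+)")


def zone_of(addr):
    """Map an address to its campus network from the inventory, else 'external'."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in NETWORKS.items() if ip in net), "external")


def correlate(log=LOG, probe_threshold=4, irc_ports=(6667,), bot_threshold=3):
    """Return (probers, bot_groups).
    probers: src -> (zone, number of distinct dst:port pairs touched in the data center)
    bot_groups: external IRC server -> campus hosts that all connected to it"""
    targets = defaultdict(set)   # src -> {(dst, port)} aimed at the data center
    irc = defaultdict(set)       # external IRC server -> {campus src}
    for m in LINE.finditer(log):
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if zone_of(dst) == "datacenter" and zone_of(src) != "datacenter":
            targets[src].add((dst, port))
        if port in irc_ports and zone_of(dst) == "external" and zone_of(src) != "external":
            irc[dst].add(src)
    probers = {s: (zone_of(s), len(t)) for s, t in targets.items() if len(t) >= probe_threshold}
    bots = {srv: sorted(hosts) for srv, hosts in irc.items() if len(hosts) >= bot_threshold}
    return probers, bots


if __name__ == "__main__":
    print(correlate())
```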

Page 19: Defending the campus juniper networks


Network QoS – Managed Unfairness

Bandwidth isn’t free and all traffic is not equal

Migration continues toward converged network, with multiple services over IP

Need to distinguish between the multiple services on the converged network infrastructure

Examples: voice and real-time video

Implementing QoS allows us to utilize existing bandwidth better

QoS tools can be used as security tools to safeguard priority network services and applications

(Diagram: Classify → Schedule → Transmit, with the traffic classes VoIP, Gold, Silver and Best Effort)
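An added simulation (not from the deck) of the Classify → Schedule → Transmit pipeline above, with the slide's four classes, showing why QoS doubles as a security tool: a flood of unmarked best-effort traffic starves VoIP on a plain FIFO link but not on a class-scheduled one. The DSCP values are the standard EF/AF codepoints; the traffic mix, link budget and function names are constructed.

```python
from collections import deque

# Strict priority order, highest first: the four classes on the slide.
CLASSES = ["VoIP", "Gold", "Silver", "Best Effort"]
# Constructed classifier: DSCP codepoint -> class (EF=46 voice, AF31=26, AF11=10, 0 unmarked).
DSCP_TO_CLASS = {46: "VoIP", 26: "Gold", 10: "Silver", 0: "Best Effort"}


def classify(pkt):
    return DSCP_TO_CLASS.get(pkt["dscp"], "Best Effort")


def sample_traffic():
    """Constructed arrival order: an unmarked flood reaches the link before voice and gold."""
    flood = [{"dscp": 0, "size": 1500} for _ in range(200)]
    voip = [{"dscp": 46, "size": 200} for _ in range(10)]
    gold = [{"dscp": 26, "size": 1500} for _ in range(5)]
    return flood + voip + gold


def fifo(packets, link_bytes_per_tick, ticks):
    """No QoS: one queue in arrival order, so whoever floods first owns the link."""
    q = deque(packets)
    sent = {c: 0 for c in CLASSES}
    for _ in range(ticks):
        budget = link_bytes_per_tick
        while q and q[0]["size"] <= budget:
            pkt = q.popleft()
            budget -= pkt["size"]
            sent[classify(pkt)] += pkt["size"]
    return sent


def schedule(packets, link_bytes_per_tick, ticks):
    """Classify -> Schedule -> Transmit: per-class queues drained in strict priority each tick."""
    queues = {c: deque() for c in CLASSES}
    for pkt in packets:
        queues[classify(pkt)].append(pkt)
    sent = {c: 0 for c in CLASSES}
    for _ in range(ticks):
        budget = link_bytes_per_tick
        for c in CLASSES:
            q = queues[c]
            while q and q[0]["size"] <= budget:
                pkt = q.popleft()
                budget -= pkt["size"]
                sent[c] += pkt["size"]
    return sent


if __name__ == "__main__":
    print("FIFO     :", fifo(sample_traffic(), 3000, 5))
    print("Scheduled:", schedule(sample_traffic(), 3000, 5))
```

Strict priority protects the top class but can starve Best Effort entirely, so production schedulers give lower classes a minimum share; and because campus hosts can set their own DSCP, classification has to be done or re-marked at a trusted edge rather than taken from the host, otherwise a flood simply marks itself EF.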

Page 20: Defending the campus juniper networks


Segregating IP Networks - MPLS

(Diagram: Wireless Access, Housing, Remote Campus, VoIP, Internet Access and the Campus Network carried as separate IP networks over a shared IP/MPLS core, with PE, P and CE routers)

Multiple IP nets / Common Infrastructure

Security, Access Control at the Edge

Provisioned Services - Manageability

Page 21: Defending the campus juniper networks


Standardization

Openness applies to the user community, not to campus administration and staff

Deployed network applications and services must be tightly defined

IDS/IPS to look for malicious traffic within these applications and services

Standardized authentication systems – centralized online identity control

Operational & management support is key to policy enforcement

Page 22: Defending the campus juniper networks


Provisioned Services

Bring all of these security concepts together

• Portaling – Present services in a consistent fashion, roles-based authentication

• Network Awareness – Defining and provisioning services provides a clear scope

• QoS – Protect service resources

• Segregation – Reduces threat vectors and malicious logic trees between services

• Standardization – Building security in what we deploy

Create an atmosphere of what we can do, vs. what we can’t

Page 23: Defending the campus juniper networks


Juniper Networks Portfolio

M-series T-series

Large Core Metro Aggregation

E-series

BRAS & Circuit Aggregation

Policy & Service Control

Small/Med Core

Circuit Aggregation

Secure Access SSL VPN

Intrusion Detection and Prevention

Integrated Firewall/IPSEC VPN

Central Policy-based Management

NMC-RX

JUNOScope

Secure Meeting

Enterprise Routing

J-series

Page 24: Defending the campus juniper networks

Thank You!

[email protected]