Developing an Effective &
Affordable Security Infrastructure in
a Small College Environment
About Penn College
 Williamsport Technical Institute, founded 1941
 Williamsport Area Community College, founded 1965
 Pennsylvania College of Technology, founded 1989
 Special Mission Affiliate of Penn State University
 Accredited - Middle States Association of Colleges and Secondary Schools
 6,358 headcount - 5,891 FTE
 288 FTE faculty, 518 FTE staff
 B.S., A.S. and certificate degrees in over 100 majors
 Specialize in vocational and technology-based education
 Strong focus on small class sizes and hands-on instruction
 www.pct.edu
Williamsport, PA
IT Infrastructure
 2,600 College-owned computers, 1,400
student-owned computers in residential
complexes
 1,600 computers in 50+ academic
computer labs, student to computer ratio
of 4:1
 Standard computer lab software includes
Microsoft Windows XP, Office 2003,
NetMail POP3 e-mail system
IT Infrastructure (cont’d)
 1,000 staff/faculty PCs
 Standard employee image: Windows XP,
Office 2003, Novell GroupWise, iSeries
client
 Novell Directory Services (NDS)
 IBM iSeries mainframe, home-grown
legacy administrative applications
 WebCT, Sirsi, eRecruiting, Raiser’s Edge,
Cbord Odyssey, EBMS
 25 Novell, 15 Microsoft, 3 Linux, 1 Sun, 1
AIX server
IT Infrastructure (cont’d)
 100% Cisco network infrastructure
except for Packeteer Packetshaper
 Fast Ethernet via CAT5 for all building
LANs, Gigabit Ethernet via fiber for
backbone
 Dual Cisco 6500s for redundant core
 Fractional T-3 (30 Mbps) Internet
service
 Dial-up Internet access provided for
employees, not students
 About 50% wireless coverage
Campus Network Layout
Information Technology Services
Organization (50 employees)
 Desktop Computing
Academic Computing
Technical Support/Help Desk
Technical Writer/Trainer
 Administrative Information Systems
 Network Applications
 Mail & Document Services
 Media Services
 Telecommunications
Post Y2K IT Security “Problem”
 Increasing threats from viruses, trojans,
worms, hackers, etc.
 Lack of security standards
 No coordinated security response
 Poor security awareness
 Minimal security policy
 No security testing
The “Challenge”
 Limitations
 Budget
 Staff
 Time
 Large backlog of post Y2K projects
 Balancing security effectiveness with
efficient resource management
Solution Analysis
 Dedicated security staff vs. security team
 Advantages of team approach:
 Utilizes existing staff and expertise
 Spreads/diffuses the importance of security
across all functional IT areas
 Funded through existing budgets
 Disadvantages:
 No centralized focus/authority
 Long lead time to develop expertise
 Staff time directed away from other projects
 Not invented here syndrome
The “Solution”
 IT management recommended forming a
campus “security team.”
 Each area of the IT department
committed one employee and a
percentage of its budget.
 A senior manager was designated to
provide leadership and coordination of this
team effort.
 The team met weekly over an initial 18
month period, then bi-weekly.
 Rotating duty officer/CERT format
The Context
 Risk vs. investment
 Scope and impact for priority
 Mitigating risk factors
Administrative data locked up in IBM
iSeries (AS/400)
GroupWise e-mail system
Institutional policy requiring data files
to be stored on network drives
Centralized IT management and
budget culture
7-Layer Security Approach
 Layer 1 - Physical
 Layer 2 - Internet
 Layer 3 - Network
 Layer 4 - ResNet
 Layer 5 - Servers
 Layer 6 - Employee PCs
 Layer 7 - Social
Layer 1 - Physical
 Before
 Distributed servers, not physically secured, some actually in staff/faculty offices
 Network components not secured
 Minimal UPS protection
 After
 Most non-academic servers moved to secured data center; backup generator
 Wiring closets secured
 UPS for all servers and network equipment
Layer 2 - Internet
 Before
 Internet router with public IP addresses
 No filtering of ports
 After
 Cisco PIX firewall with PAT translation initially,
later acquired additional IPs, changed to NAT
(still occasional problems, need an XLATE clear)
 Access control list on Internet router (example)
 Packeteer - Although purchased for bandwidth
control, provides another layer of “protection”
and “detection”
Internet Router ACL
access-list 115 permit tcp any 0.0.0.0 255.255.255.0 established
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 224.0.0.0 15.255.255.255 any
access-list 115 deny ip host 0.0.0.0 any
access-list 115 deny ip 12.23.198.0 0.0.0.255 any
access-list 115 deny ip 12.23.199.0 0.0.0.255 any
access-list 115 deny ip any 0.0.0.255 255.255.255.0
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny tcp any any eq 137
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny tcp any any eq 138
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny udp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny udp any any eq 593
access-list 115 deny tcp any any eq 3333
access-list 115 deny udp any any eq 3333
access-list 115 deny tcp any any eq 4444
access-list 115 deny udp any any eq 4444
access-list 115 deny tcp any any eq 69
access-list 115 deny udp any any eq tftp
access-list 115 deny tcp any any eq 161
access-list 115 deny udp any any eq snmp
access-list 115 deny tcp any any eq 162
access-list 115 deny udp any any eq snmptrap
access-list 115 deny udp any any eq 1993
access-list 115 deny tcp any any eq 1900
access-list 115 deny udp any any eq 1900
access-list 115 deny tcp any any eq 5000
access-list 115 deny udp any any eq 5000
access-list 115 deny udp any any eq 8998
access-list 115 permit icmp any any echo
access-list 115 permit icmp any any echo-reply
access-list 115 deny ip any any log-input
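The list above is a first-match IOS extended ACL: the `established` permit comes first, then anti-spoofing denies for private, loopback, multicast and the college's own public source ranges, a deny for directed-broadcast destinations (`0.0.0.255 255.255.255.0` matches any address whose last octet is 255), the Windows RPC/NetBIOS/SMB and management ports, two ICMP permits, and a logged deny-all. As an added example (not from the presentation), a small Python evaluator parses an excerpt of those lines, copied as printed, and applies them to constructed packets so the ordering and the wildcard masks can be checked by hand. Two things it makes visible: return traffic with the ACK bit set is accepted by the first line regardless of port, which is what `established` does, and the first line as printed (`0.0.0.0 255.255.255.0`) covers only destination addresses whose last octet is 0, so the excerpt contains no permit for new inbound connections; anyone reusing the list should compare it with the complete configuration on the router. The parser accepts only the keywords the slide uses and rejects anything else.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IOS keyword names that appear on the slide, with their standard port / ICMP type numbers.
NAMED_PORTS = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139,
               "tftp": 69, "snmp": 161, "snmptrap": 162}
ICMP_TYPES = {"echo": 8, "echo-reply": 0}

# Excerpt of the slide's access-list 115, copied as printed (constructed input for this example).
ROUTER_ACL = """
access-list 115 permit tcp any 0.0.0.0 255.255.255.0 established
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 224.0.0.0 15.255.255.255 any
access-list 115 deny ip host 0.0.0.0 any
access-list 115 deny ip 12.23.198.0 0.0.0.255 any
access-list 115 deny ip any 0.0.0.255 255.255.255.0
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny tcp any any eq 445
access-list 115 deny udp any any eq snmp
access-list 115 permit icmp any any echo
access-list 115 permit icmp any any echo-reply
access-list 115 deny ip any any log-input
"""

@dataclass
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    ack: bool = False                # ACK or RST bit set, which is all `established` inspects
    icmp_type: Optional[int] = None

@dataclass
class Rule:
    action: str
    proto: str
    src: Tuple[int, int]             # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]
    dport: Optional[int] = None
    established: bool = False
    icmp_type: Optional[int] = None

def _addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    # Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at t[i]; return (spec, next index).
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2

def parse_acl(text: str) -> List[Rule]:
    """Parse the extended-ACL keywords the slide uses; any other keyword is rejected loudly."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()                 # t[1] list number, t[2] action, t[3] protocol
        if len(t) < 7 or t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line!r}")
        src, i = _addr(t, 4)
        dst, i = _addr(t, i)
        rule = Rule(t[2], t[3], src, dst)
        while i < len(t):
            if t[i] == "eq":
                rule.dport = int(t[i + 1]) if t[i + 1].isdigit() else NAMED_PORTS[t[i + 1]]
                i += 2
            elif t[i] == "established":
                rule.established, i = True, i + 1
            elif t[i] in ICMP_TYPES:
                rule.icmp_type, i = ICMP_TYPES[t[i]], i + 1
            elif t[i] in ("log", "log-input"):
                i += 1                   # logging does not change the match decision
            else:
                raise ValueError(f"unsupported keyword {t[i]!r} in: {line!r}")
        rules.append(rule)
    return rules

def _in_range(spec: Tuple[int, int], ip: str) -> bool:
    # Wildcard match: a 1 bit in the wildcard means that bit is not compared.
    net, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)

def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto not in ("ip", pkt.proto):
        return False
    if not (_in_range(rule.src, pkt.src) and _in_range(rule.dst, pkt.dst)):
        return False
    if rule.dport is not None and pkt.dport != rule.dport:
        return False
    if rule.established and not pkt.ack:
        return False
    return rule.icmp_type is None or pkt.icmp_type == rule.icmp_type

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a list with no match hits the implicit deny (index None)."""
    for idx, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule.action, idx
    return "deny", None
```

`evaluate(parse_acl(ROUTER_ACL), Packet("tcp", "10.1.2.3", "12.23.198.10", 80))` returns `("deny", 1)`: a packet arriving from the Internet with a private source hits the anti-spoofing line before anything else. Dropping the last line and re-running shows the implicit deny as `("deny", None)`, which is why the slide's explicit `deny ip any any log-input` matters: it gives the same result but logs it.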
Layer 3 – Network - Before
 10.x.x.x organized geographically; each
“building complex” has a subnet;
10.1.x.x, 10.2.x.x, 10.3.x.x, etc.
 Any to any routing philosophy
 Simple telnet to devices
 No central security scheme
Layer 3 – Network - After
 100% VLAN scheme
 VLANs based on
computer/user role
 Internet style ACLs applied
on traffic leaving VLANs
 Traffic denied entering VLAN if
no reason for the traffic
 Extended today to separate VLANs for point-of-sale stations, HVAC, wireless, dial-up; each with its own ACL
 SSH required to access devices, coordinated
userid/password with Cisco ACS server that LDAPs
to our NDS
VLAN addressing by role (from the slide diagram):
10.1.x.x network equipment
10.2.x.x servers
10.3.x.x printers
10.4.x.x staff
10.100.x.x ResNet
Etc.
Layer 4 – ResNet
 Before
 Normal network subnet
 No restrictions
 ISP attitude
 No scanning
 After – version 1
 Single VLAN
 ACL limited access to other campus VLANs
 After – version 2
 VLAN per 48 port switch
 Internet style ACL “rule set” to block known bad ports such as 445
 Routine scanning and quarantining
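The role-based VLANs of Layer 3 and the ResNet rule set of Layer 4 rest on one idea: the ACL on traffic leaving a VLAN permits only flows that have a stated reason, blocks known-bad ports regardless, and denies everything else. As an added example (not the college's configuration), the Python below holds a constructed flow policy over the slide's 10.x.x.x role subnets, renders it per VLAN as IOS-style access-list lines, and answers whether a single flow is allowed under the same policy. The permitted flows, the ACL numbers, the POP3 and printer ports, and the known-bad ports beyond the slide's 445 are assumptions. One ordering detail is worth the exercise: a role that may reach the Internet gets `permit ip <vlan> any`, and that line would also reach every other campus VLAN unless a `deny ip <vlan> 10.0.0.0 0.255.255.255` precedes it.

```python
from typing import List, Optional, Tuple

# Role VLAN addressing as shown on the slide: the second octet of 10.x.x.x identifies the role.
ROLE_SUBNETS = {
    "network-equipment": "10.1.0.0 0.0.255.255",
    "servers":           "10.2.0.0 0.0.255.255",
    "printers":          "10.3.0.0 0.0.255.255",
    "staff":             "10.4.0.0 0.0.255.255",
    "resnet":            "10.100.0.0 0.0.255.255",
}
CAMPUS = "10.0.0.0 0.255.255.255"

# Constructed policy (an assumption, not the college's): flows with a documented reason to exist,
# as (source role, destination role or "internet", protocol, port or None for any port).
ALLOWED_FLOWS: List[Tuple[str, str, str, Optional[int]]] = [
    ("resnet", "servers", "tcp", 80),
    ("resnet", "servers", "tcp", 443),
    ("resnet", "servers", "tcp", 110),    # POP3, the student e-mail protocol named on the slide
    ("resnet", "internet", "ip", None),
    ("staff", "servers", "ip", None),
    ("staff", "printers", "tcp", 9100),
    ("staff", "internet", "ip", None),
]

# Known-bad ports denied from every VLAN before any permit: 445 is the slide's example, the
# others are Windows RPC/NetBIOS ports its Internet router ACL also blocks (assumed list).
KNOWN_BAD = [("tcp", 135), ("udp", 135), ("tcp", 139), ("udp", 139), ("tcp", 445), ("udp", 445)]

def role_of(ip: str) -> Optional[str]:
    """Role VLAN of an address from its second octet; None outside 10/8 or for an unassigned 10.x."""
    octets = ip.split(".")
    if octets[0] != "10":
        return None
    for role, spec in ROLE_SUBNETS.items():
        if spec.split(".")[1] == octets[1]:
            return role
    return None

def build_vlan_acl(role: str, acl_number: int) -> List[str]:
    """Render the ACL for traffic leaving one role VLAN in IOS extended-ACL syntax.
    First match wins, so the order is: known-bad ports, documented campus flows, a deny for
    the rest of campus (so an Internet permit cannot reach other VLANs), the Internet permit
    if the role has one, and a logged deny-all that also drops packets with a spoofed source."""
    src = ROLE_SUBNETS[role]
    lines = [f"access-list {acl_number} deny {proto} {src} any eq {port}" for proto, port in KNOWN_BAD]
    internet = False
    for s, d, proto, port in ALLOWED_FLOWS:
        if s != role:
            continue
        if d == "internet":
            internet = True
            continue
        suffix = f" eq {port}" if port is not None else ""
        lines.append(f"access-list {acl_number} permit {proto} {src} {ROLE_SUBNETS[d]}{suffix}")
    lines.append(f"access-list {acl_number} deny ip {src} {CAMPUS}")
    if internet:
        lines.append(f"access-list {acl_number} permit ip {src} any")
    lines.append(f"access-list {acl_number} deny ip any any log")
    return lines

def is_allowed(src_ip: str, dst_ip: str, proto: str, port: Optional[int]) -> bool:
    """Decide one flow under the same semantics the generated ACL encodes."""
    src_role = role_of(src_ip)
    if src_role is None or (proto, port) in KNOWN_BAD:
        return False
    target = role_of(dst_ip) if dst_ip.split(".")[0] == "10" else "internet"
    if target is None:
        return False
    return any(s == src_role and d == target and p in ("ip", proto) and pt in (None, port)
               for s, d, p, pt in ALLOWED_FLOWS)

if __name__ == "__main__":
    print("\n".join(build_vlan_acl("resnet", 120)))
    print(is_allowed("10.100.5.6", "10.4.1.1", "tcp", 80))   # ResNet to staff: no stated reason
```

`build_vlan_acl("printers", 121)` produces only denies, which is the intended result for a VLAN with no documented outbound flows; when a new flow is needed, the change is one entry in `ALLOWED_FLOWS` and a regenerated list, so the "reason for the traffic" stays recorded next to the rule that permits it.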
Layer 5 – Servers - Before
 Public IP address via firewall conduit
 Distributed physically
 No port filtering
 Inconsistent patch strategy
 No virus protection
 Inconsistent HTTPS implementation
 Many outside of the “network” department
 No scanning for vulnerabilities
 No disaster recovery plan
Layer 5 – Servers - After
 Servers in data center or managed by server group
 HTTPS required for any sensitive data
 Private IP addresses mapped to public via “conduit” in the firewall
 Port filtered in the firewall, deny all, allow those required for specific services
 Port filtered coming out of ResNet and student computer labs
 Managed patch strategy, critical patches applied in 24 hours
 Symantec Anti-Virus on servers
 NetMail/CA eTrust anti-virus and RBL filtering for e-mail
 GWAVA/Symantec Anti-Virus e-mail filtering
 GWAVA attachment filtering
 Routine Nessus scanning
 Comprehensive disaster recovery plan
Layer 6 - Employee PCs
 Before
 Public IP address
 No anti-virus
 No patch management
 No scanning
 After
 Private IP address via PAT/NAT
 Managed Symantec Anti-Virus
 “Push” of critical Microsoft security patches via Novell ZenWorks
 Nessus scanning
Layer 7 - Social
 Before
 Little or no public awareness
 No AUP
 Loose user ID and password policies
 “It won’t happen here, we know everyone personally”
 After
 Acceptable Use Policy
 Accounts blocked after 3 failed login attempts
 Passwords changed every 180 days
 Regular communication via online newspaper
 Security education classes
What’s on the radar screen?
 Spyware
 PC firewall
 Instant Messaging issues
 VPN
 Network access control
 Two factor authentication
 Security as it affects privacy issues
 E-mail security
Conclusion
 Security team was the right approach for us
 Effective, no significant down-time except for Blaster/Welchia, fall 2003
 Cost-efficient
 Diffused security awareness across the department
 Developed security skills across ITS
 Security Infrastructure
 Cisco PIX firewall
 Packeteer Packetshaper
 Cisco VLANs/ACLs
 Symantec Anti-Virus
 Novell ZenWorks
 GWAVA Anti-virus/attachment filtering
 Nessus
Discussion
Slide to linkSlide to link

Más contenido relacionado

La actualidad más candente

Embedded Event Manager (EEM) on IOS (CiscoLive 2015)
Embedded Event Manager (EEM) on IOS (CiscoLive 2015)Embedded Event Manager (EEM) on IOS (CiscoLive 2015)
Embedded Event Manager (EEM) on IOS (CiscoLive 2015)Arie Vayner
 
CCIE Service Provider
CCIE Service ProviderCCIE Service Provider
CCIE Service ProviderCisco Canada
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsERPScan
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems qqlan
 
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLICCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLIHoàng Hải Nguyễn
 
Ccnp enterprise workbook v1.0 ospf-updated
Ccnp enterprise workbook v1.0 ospf-updatedCcnp enterprise workbook v1.0 ospf-updated
Ccnp enterprise workbook v1.0 ospf-updatedSagarR24
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallIT Tech
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemAleksandr Timorin
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXCisco Canada
 
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's SecurityTop 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's SecurityPraetorian
 
Honeywell 7847i-l-install-guide
Honeywell 7847i-l-install-guideHoneywell 7847i-l-install-guide
Honeywell 7847i-l-install-guideAlarm Grid
 
Honeywell 7847i-install-guide
Honeywell 7847i-install-guideHoneywell 7847i-install-guide
Honeywell 7847i-install-guideAlarm Grid
 

La actualidad más candente (15)

Embedded Event Manager (EEM) on IOS (CiscoLive 2015)
Embedded Event Manager (EEM) on IOS (CiscoLive 2015)Embedded Event Manager (EEM) on IOS (CiscoLive 2015)
Embedded Event Manager (EEM) on IOS (CiscoLive 2015)
 
CCIE Service Provider
CCIE Service ProviderCCIE Service Provider
CCIE Service Provider
 
Architecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platformsArchitecture vulnerabilities in SAP platforms
Architecture vulnerabilities in SAP platforms
 
CCNP Security-Secure
CCNP Security-SecureCCNP Security-Secure
CCNP Security-Secure
 
Techniques of attacking ICS systems
Techniques of attacking ICS systems Techniques of attacking ICS systems
Techniques of attacking ICS systems
 
CCNP Security-Firewall
CCNP Security-FirewallCCNP Security-Firewall
CCNP Security-Firewall
 
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLICCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
CCNA Security Lab 9 - Enabling SSH and HTTPS access to Cisco IOS Routers - CLI
 
Ccnp enterprise workbook v1.0 ospf-updated
Ccnp enterprise workbook v1.0 ospf-updatedCcnp enterprise workbook v1.0 ospf-updated
Ccnp enterprise workbook v1.0 ospf-updated
 
How to configure cisco asa virtual firewall
How to configure cisco asa virtual firewallHow to configure cisco asa virtual firewall
How to configure cisco asa virtual firewall
 
Safety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical SystemSafety vs Security: How to Create Insecure Safety-Critical System
Safety vs Security: How to Create Insecure Safety-Critical System
 
Deploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CXDeploying Next Generation Firewalling with ASA - CX
Deploying Next Generation Firewalling with ASA - CX
 
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's SecurityTop 9 Critical Findings - Dramatically Improve Your Organization's Security
Top 9 Critical Findings - Dramatically Improve Your Organization's Security
 
Honeywell 7847i-l-install-guide
Honeywell 7847i-l-install-guideHoneywell 7847i-l-install-guide
Honeywell 7847i-l-install-guide
 
Honeywell 7847i-install-guide
Honeywell 7847i-install-guideHoneywell 7847i-install-guide
Honeywell 7847i-install-guide
 
08 (IDNOG01) ARP Guard in IXP by Eric Choy
08 (IDNOG01) ARP Guard in IXP by Eric Choy08 (IDNOG01) ARP Guard in IXP by Eric Choy
08 (IDNOG01) ARP Guard in IXP by Eric Choy
 

Destacado

Introduction to Medicine and the Internet
Introduction to Medicine and the InternetIntroduction to Medicine and the Internet
Introduction to Medicine and the Internetwebhostingguy
 
"Fully-baked as both an e-mail and
"Fully-baked as both an e-mail and "Fully-baked as both an e-mail and
"Fully-baked as both an e-mail and webhostingguy
 
Running the Apache Web Server
Running the Apache Web ServerRunning the Apache Web Server
Running the Apache Web Serverwebhostingguy
 
Developing an Effective
Developing an Effective Developing an Effective
Developing an Effective webhostingguy
 
Download PowerPoint Presenation
Download PowerPoint PresenationDownload PowerPoint Presenation
Download PowerPoint Presenationwebhostingguy
 
E-business development plan.ppt
E-business development plan.pptE-business development plan.ppt
E-business development plan.pptwebhostingguy
 

Destacado (6)

Introduction to Medicine and the Internet
Introduction to Medicine and the InternetIntroduction to Medicine and the Internet
Introduction to Medicine and the Internet
 
"Fully-baked as both an e-mail and
"Fully-baked as both an e-mail and "Fully-baked as both an e-mail and
"Fully-baked as both an e-mail and
 
Running the Apache Web Server
Running the Apache Web ServerRunning the Apache Web Server
Running the Apache Web Server
 
Developing an Effective
Developing an Effective Developing an Effective
Developing an Effective
 
Download PowerPoint Presenation
Download PowerPoint PresenationDownload PowerPoint Presenation
Download PowerPoint Presenation
 
E-business development plan.ppt
E-business development plan.pptE-business development plan.ppt
E-business development plan.ppt
 

Similar a Developing an Effective

Next Generation Campus Switching: Are You Ready
Next Generation Campus Switching: Are You ReadyNext Generation Campus Switching: Are You Ready
Next Generation Campus Switching: Are You ReadyCisco Canada
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network ArchitecturesEnergySec
 
Commissioning, Managing & Troubleshooting Industrial Networks
Commissioning, Managing & Troubleshooting Industrial NetworksCommissioning, Managing & Troubleshooting Industrial Networks
Commissioning, Managing & Troubleshooting Industrial NetworksCreekside Marketing Group, LLC
 
Cisco 300-115 SWITCH VCE Braindumps
Cisco 300-115 SWITCH VCE BraindumpsCisco 300-115 SWITCH VCE Braindumps
Cisco 300-115 SWITCH VCE BraindumpsTestinsides
 
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian PasternackiPLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian PasternackiPROIDEA
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)Michael Smith
 
Network Critical @ Sharkfest 2008
Network Critical @ Sharkfest 2008Network Critical @ Sharkfest 2008
Network Critical @ Sharkfest 2008Denny K
 
Здоровье важнее - Fortinet решения для удаленных сотрудников
Здоровье важнее - Fortinet решения для удаленных сотрудниковЗдоровье важнее - Fortinet решения для удаленных сотрудников
Здоровье важнее - Fortinet решения для удаленных сотрудниковMUK Extreme
 
Www.kutub.info 13178
Www.kutub.info 13178Www.kutub.info 13178
Www.kutub.info 13178Elbahi Wadie
 
Kafka Reliability - When it absolutely, positively has to be there
Kafka Reliability - When it absolutely, positively has to be thereKafka Reliability - When it absolutely, positively has to be there
Kafka Reliability - When it absolutely, positively has to be thereGwen (Chen) Shapira
 
Apache Kafka Reliability Guarantees StrataHadoop NYC 2015
Apache Kafka Reliability Guarantees StrataHadoop NYC 2015 Apache Kafka Reliability Guarantees StrataHadoop NYC 2015
Apache Kafka Reliability Guarantees StrataHadoop NYC 2015 Jeff Holoman
 
謝續平
謝續平謝續平
謝續平9577601
 
United Electric One Series Safety Transmitter
United Electric One Series Safety TransmitterUnited Electric One Series Safety Transmitter
United Electric One Series Safety TransmitterMiller Energy, Inc.
 
Manual cisco 2950
Manual cisco 2950Manual cisco 2950
Manual cisco 2950liviuisr
 
Cisco catalyst3750presspresentation
Cisco catalyst3750presspresentationCisco catalyst3750presspresentation
Cisco catalyst3750presspresentationho nguyen
 
Webinar - Manage Firewall with Puppet
Webinar - Manage Firewall with PuppetWebinar - Manage Firewall with Puppet
Webinar - Manage Firewall with PuppetOlinData
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Jim Gilsinn
 

Similar a Developing an Effective (20)

Next Generation Campus Switching: Are You Ready
Next Generation Campus Switching: Are You ReadyNext Generation Campus Switching: Are You Ready
Next Generation Campus Switching: Are You Ready
 
Unidirectional Network Architectures
Unidirectional Network ArchitecturesUnidirectional Network Architectures
Unidirectional Network Architectures
 
Commissioning, Managing & Troubleshooting Industrial Networks
Commissioning, Managing & Troubleshooting Industrial NetworksCommissioning, Managing & Troubleshooting Industrial Networks
Commissioning, Managing & Troubleshooting Industrial Networks
 
Cisco 300-115 SWITCH VCE Braindumps
Cisco 300-115 SWITCH VCE BraindumpsCisco 300-115 SWITCH VCE Braindumps
Cisco 300-115 SWITCH VCE Braindumps
 
DEVNET-2744.pdf
DEVNET-2744.pdfDEVNET-2744.pdf
DEVNET-2744.pdf
 
AAA Implementation
AAA ImplementationAAA Implementation
AAA Implementation
 
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian PasternackiPLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
PLNOG16: Bezpieczeństwo w sieci operatora, Sebastian Pasternacki
 
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
BlackHat 2011 - Exploiting Siemens Simatic S7 PLCs (slides)
 
Network Critical @ Sharkfest 2008
Network Critical @ Sharkfest 2008Network Critical @ Sharkfest 2008
Network Critical @ Sharkfest 2008
 
Здоровье важнее - Fortinet решения для удаленных сотрудников
Здоровье важнее - Fortinet решения для удаленных сотрудниковЗдоровье важнее - Fortinet решения для удаленных сотрудников
Здоровье важнее - Fortinet решения для удаленных сотрудников
 
Www.kutub.info 13178
Www.kutub.info 13178Www.kutub.info 13178
Www.kutub.info 13178
 
NETWORK RESUME
NETWORK RESUMENETWORK RESUME
NETWORK RESUME
 
Kafka Reliability - When it absolutely, positively has to be there
Kafka Reliability - When it absolutely, positively has to be thereKafka Reliability - When it absolutely, positively has to be there
Kafka Reliability - When it absolutely, positively has to be there
 
Apache Kafka Reliability Guarantees StrataHadoop NYC 2015
Apache Kafka Reliability Guarantees StrataHadoop NYC 2015 Apache Kafka Reliability Guarantees StrataHadoop NYC 2015
Apache Kafka Reliability Guarantees StrataHadoop NYC 2015
 
謝續平
謝續平謝續平
謝續平
 
United Electric One Series Safety Transmitter
United Electric One Series Safety TransmitterUnited Electric One Series Safety Transmitter
United Electric One Series Safety Transmitter
 
Manual cisco 2950
Manual cisco 2950Manual cisco 2950
Manual cisco 2950
 
Cisco catalyst3750presspresentation
Cisco catalyst3750presspresentationCisco catalyst3750presspresentation
Cisco catalyst3750presspresentation
 
Webinar - Manage Firewall with Puppet
Webinar - Manage Firewall with PuppetWebinar - Manage Firewall with Puppet
Webinar - Manage Firewall with Puppet
 
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
Using Cyber-Vulnerability Assessment (CVA) to Optimize Control System Upgrade...
 

Más de webhostingguy

Running and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test FrameworkRunning and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test Frameworkwebhostingguy
 
MySQL and memcached Guide
MySQL and memcached GuideMySQL and memcached Guide
MySQL and memcached Guidewebhostingguy
 
Novell® iChain® 2.3
Novell® iChain® 2.3Novell® iChain® 2.3
Novell® iChain® 2.3webhostingguy
 
Load-balancing web servers Load-balancing web servers
Load-balancing web servers Load-balancing web serversLoad-balancing web servers Load-balancing web servers
Load-balancing web servers Load-balancing web serverswebhostingguy
 
SQL Server 2008 Consolidation
SQL Server 2008 ConsolidationSQL Server 2008 Consolidation
SQL Server 2008 Consolidationwebhostingguy
 
Master Service Agreement
Master Service AgreementMaster Service Agreement
Master Service Agreementwebhostingguy
 
PHP and MySQL PHP Written as a set of CGI binaries in C in ...
PHP and MySQL PHP Written as a set of CGI binaries in C in ...PHP and MySQL PHP Written as a set of CGI binaries in C in ...
PHP and MySQL PHP Written as a set of CGI binaries in C in ...webhostingguy
 
Dell Reference Architecture Guide Deploying Microsoft® SQL ...
Dell Reference Architecture Guide Deploying Microsoft® SQL ...Dell Reference Architecture Guide Deploying Microsoft® SQL ...
Dell Reference Architecture Guide Deploying Microsoft® SQL ...webhostingguy
 
Managing Diverse IT Infrastructure
Managing Diverse IT InfrastructureManaging Diverse IT Infrastructure
Managing Diverse IT Infrastructurewebhostingguy
 
Web design for business.ppt
Web design for business.pptWeb design for business.ppt
Web design for business.pptwebhostingguy
 
IT Power Management Strategy
IT Power Management Strategy IT Power Management Strategy
IT Power Management Strategy webhostingguy
 
Excel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for MerchandisersExcel and SQL Quick Tricks for Merchandisers
Excel and SQL Quick Tricks for Merchandiserswebhostingguy
 
Parallels Hosting Products
Parallels Hosting ProductsParallels Hosting Products
Parallels Hosting Productswebhostingguy
 
Microsoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 MbMicrosoft PowerPoint presentation 2.175 Mb
Microsoft PowerPoint presentation 2.175 Mbwebhostingguy
 

Más de webhostingguy (20)

File Upload
File UploadFile Upload
File Upload
 
Running and Developing Tests with the Apache::Test Framework
Running and Developing Tests with the Apache::Test FrameworkRunning and Developing Tests with the Apache::Test Framework
  • 1. Developing an Effective & Affordable Security Infrastructure in a Small College Environment
  • 2. About Penn College
    - Williamsport Technical Institute, founded 1941
    - Williamsport Area Community College, founded 1965
    - Pennsylvania College of Technology, founded 1989
    - Special Mission Affiliate of Penn State University
    - Accredited - Middle States Association of Colleges and Secondary Schools
    - 6,358 headcount - 5,891 FTE
    - 288 FTE faculty, 518 FTE staff
    - B.S., A.S. and certificate degrees in over 100 majors
    - Specialize in vocational and technology-based education
    - Strong focus on small class sizes and hands-on instruction
    - www.pct.edu
  • 4. IT Infrastructure
    - 2,600 College-owned computers, 1,400 student-owned computers in residential complexes
    - 1,600 computers in 50+ academic computer labs, student to computer ratio of 4:1
    - Standard computer lab software includes Microsoft Windows XP, Office 2003, NetMail POP3 e-mail system
  • 5. IT Infrastructure (cont’d)
    - 1,000 staff/faculty PCs
    - Standard employee image: Windows XP, Office 2003, Novell GroupWise, iSeries client
    - Novell Directory Services (NDS)
    - IBM iSeries mainframe, home-grown legacy administrative applications
    - WebCT, Sirsi, eRecruiting, Raiser’s Edge, Cbord Odyssey, EBMS
    - 25 Novell, 15 Microsoft, 3 Linux, 1 Sun, 1 AIX servers
  • 6. IT Infrastructure (cont’d)
    - 100% Cisco network infrastructure except for Packeteer Packetshaper
    - Fast Ethernet via CAT5 for all building LANs, Gigabit Ethernet via fiber for the backbone
    - Dual Cisco 6500s for a redundant core
    - Fractional T-3 (30 Mbps) Internet service
    - Dial-up Internet access provided for employees, not students
    - About 50% wireless coverage
  • 8. Information Technology Services Organization (50 employees)
    - Desktop Computing
    - Academic Computing
    - Technical Support/Help Desk
    - Technical Writer/Trainer
    - Administrative Information Systems
    - Network Applications
    - Mail & Document Services
    - Media Services
    - Telecommunications
  • 9. Post Y2K IT Security “Problem”
    - Increasing threats from viruses, trojans, worms, hackers, etc.
    - Lack of security standards
    - No coordinated security response
    - Poor security awareness
    - Minimal security policy
    - No security testing
  • 10. The “Challenge”
    - Limitations: budget, staff, time
    - Large backlog of post Y2K projects
    - Balancing security effectiveness with efficient resource management
  • 11. Solution Analysis
    - Dedicated security staff vs. security team
    - Advantages of the team approach:
      - Utilizes existing staff and expertise
      - Spreads/diffuses the importance of security across all functional IT areas
      - Funded through existing budgets
    - Disadvantages:
      - No centralized focus/authority
      - Long lead time to develop expertise
      - Staff time directed away from other projects
      - “Not invented here” syndrome
  • 12. The “Solution”
    - IT management recommended forming a campus “security team.”
    - Each area of the IT department committed one employee and a percentage of its budget.
    - A senior manager was designated to provide leadership and coordination of this team effort.
    - The team met weekly over an initial 18 month period, then bi-weekly.
    - Rotating duty officer/CERT format
  • 13. The Context
    - Risk vs. investment
    - Scope and impact for priority
    - Mitigating risk factors:
      - Administrative data locked up in IBM iSeries (AS/400)
      - GroupWise e-mail system
      - Institutional policy requiring data files to be stored on network drives
      - Centralized IT management and budget culture
  • 14. 7-Layer Security Approach
    - Layer 1 - Physical
    - Layer 2 - Internet
    - Layer 3 - Network
    - Layer 4 - ResNet
    - Layer 5 - Servers
    - Layer 6 - Employee PCs
    - Layer 7 - Social
  • 15. Layer 1 - Physical
    Before:
      - Distributed servers, not physically secured, some actually in staff/faculty offices
      - Network components not secured
      - Minimal UPS protection
    After:
      - Most non-academic servers moved to a secured data center; backup generator
      - Wiring closets secured
      - UPS for all servers and network equipment
  • 16. Layer 2 - Internet
    Before:
      - Internet router with public IP addresses
      - No filtering of ports
    After:
      - Cisco PIX firewall, initially with PAT; later acquired additional IPs and changed to NAT (still occasional problems that need a clear xlate on the PIX)
      - Access control list on the Internet router (example on the next slide)
      - Packeteer - although purchased for bandwidth control, it provides another layer of “protection” and “detection”
  • 17. Internet Router ACL
      access-list 115 permit tcp any 0.0.0.0 255.255.255.0 established
      access-list 115 deny ip 10.0.0.0 0.255.255.255 any
      access-list 115 deny ip 127.0.0.0 0.255.255.255 any
      access-list 115 deny ip 172.16.0.0 0.15.255.255 any
      access-list 115 deny ip 192.168.0.0 0.0.255.255 any
      access-list 115 deny ip 224.0.0.0 15.255.255.255 any
      access-list 115 deny ip host 0.0.0.0 any
      access-list 115 deny ip 12.23.198.0 0.0.0.255 any
      access-list 115 deny ip 12.23.199.0 0.0.0.255 any
      access-list 115 deny ip any 0.0.0.255 255.255.255.0
      access-list 115 deny tcp any any eq 135
      access-list 115 deny udp any any eq 135
      access-list 115 deny tcp any any eq 137
      access-list 115 deny udp any any eq netbios-ns
      access-list 115 deny tcp any any eq 138
      access-list 115 deny udp any any eq netbios-dgm
      access-list 115 deny tcp any any eq 139
      access-list 115 deny udp any any eq netbios-ss
      access-list 115 deny tcp any any eq 445
      access-list 115 deny udp any any eq 445
      access-list 115 deny tcp any any eq 593
      access-list 115 deny udp any any eq 593
      access-list 115 deny tcp any any eq 3333
      access-list 115 deny udp any any eq 3333
      access-list 115 deny tcp any any eq 4444
      access-list 115 deny udp any any eq 4444
      access-list 115 deny tcp any any eq 69
      access-list 115 deny udp any any eq tftp
      access-list 115 deny tcp any any eq 161
      access-list 115 deny udp any any eq snmp
      access-list 115 deny tcp any any eq 162
      access-list 115 deny udp any any eq snmptrap
      access-list 115 deny udp any any eq 1993
      access-list 115 deny tcp any any eq 1900
      access-list 115 deny udp any any eq 1900
      access-list 115 deny tcp any any eq 5000
      access-list 115 deny udp any any eq 5000
      access-list 115 deny udp any any eq 8998
      access-list 115 permit icmp any any echo
      access-list 115 permit icmp any any echo-reply
      access-list 115 deny ip any any log-input
    Reading the list: entries are tested top-down and the first match decides, and the list ends with an explicit deny ip any any, so when it is applied inbound on the Internet interface (the direction the anti-spoofing entries imply) every inbound service the campus exposes needs a permit above that last line; the previous slide presents this as an example rather than the complete production list. Two details to check before reusing it: as printed, the first entry’s destination (0.0.0.0 with wildcard 255.255.255.0) matches only addresses whose last octet is 0, so the production entry presumably named the college’s public network the way the two 12.23.19x.0 anti-spoofing entries do; and because that established permit sits above the anti-spoofing denies, an inbound packet with a spoofed private source and the ACK bit set matches it before the 10.0.0.0 entry is reached. Placing the anti-spoofing denies first removes that gap.
  • 18. Layer 3 – Network - Before
    - 10.x.x.x organized geographically; each “building complex” has a subnet: 10.1.x.x, 10.2.x.x, 10.3.x.x, etc.
    - Any-to-any routing philosophy
    - Simple telnet to devices
    - No central security scheme
  • 19. Layer 3 – Network - After
    - 100% VLAN scheme
    - VLANs based on computer/user role
    - Internet-style ACLs applied to traffic leaving VLANs
    - Traffic denied entering a VLAN if there is no reason for it
    - Extended today to separate VLANs for point-of-sale stations, HVAC, wireless, dial-up; each with its own ACL
    - SSH required to access devices, with userid/password coordinated through a Cisco ACS server that LDAPs to our NDS
    Role-based addressing:
      - 10.1.x.x network equipment
      - 10.2.x.x servers
      - 10.3.x.x printers
      - 10.4.x.x staff
      - 10.100.x.x ResNet
      - etc.
  • 20. Layer 4 – ResNet
    Before:
      - Normal network subnet
      - No restrictions
      - ISP attitude
      - No scanning
    After – version 1:
      - Single VLAN
      - ACL limited access to other campus VLANs
    After – version 2:
      - VLAN per 48-port switch
      - Internet-style ACL “rule set” to block known bad ports such as 445
      - Routine scanning and quarantining
  • 21. Layer 5 – Servers - Before
    - Public IP address via firewall conduit
    - Distributed physically
    - No port filtering
    - Inconsistent patch strategy
    - No virus protection
    - Inconsistent HTTPS implementation
    - Many outside of the “network” department
    - No scanning for vulnerabilities
    - No disaster recovery plan
  • 22. Layer 5 – Servers - After
    - Servers in the data center or managed by the server group
    - HTTPS required for any sensitive data
    - Private IP addresses mapped to public via “conduit” in the firewall
    - Ports filtered in the firewall: deny all, allow those required for specific services
    - Ports filtered coming out of ResNet and student computer labs
    - Managed patch strategy, critical patches applied within 24 hours
    - Symantec Anti-Virus on servers
    - NetMail/CA eTrust anti-virus and RBL filtering for e-mail
    - GWAVA/Symantec Anti-Virus e-mail filtering
    - GWAVA attachment filtering
    - Routine Nessus scanning
    - Comprehensive disaster recovery plan
  • 23. Layer 6 - Employee PCs
    Before:
      - Public IP address
      - No anti-virus
      - No patch management
      - No scanning
    After:
      - Private IP address via PAT/NAT
      - Managed Symantec Anti-Virus
      - “Push” of critical Microsoft security patches via Novell ZenWorks
      - Nessus scanning
  • 24. Layer 7 - Social
    Before:
      - Little or no public awareness
      - No AUP
      - Loose user ID and password policies
      - “It won’t happen here, we know everyone personally”
    After:
      - Acceptable Use Policy
      - Accounts blocked after 3 failed log-in attempts
      - Passwords changed every 180 days
      - Regular communication via online newspaper
      - Security education classes
  • 25. What’s on the radar screen?
    - Spyware
    - PC firewall
    - Instant Messaging issues
    - VPN
    - Network access control
    - Two-factor authentication
    - Security as it affects privacy issues
    - E-mail security
  • 26. Conclusion
    - Security team was the right approach for us
    - Effective: no significant down-time except for Blaster/Welchia, fall 2003
    - Cost-efficient
    - Diffused security awareness across the department
    - Developed security skills across ITS
    Security Infrastructure:
      - Cisco PIX firewall
      - Packeteer Packetshaper
      - Cisco VLANs/ACLs
      - Symantec Anti-Virus
      - Novell ZenWorks
      - GWAVA anti-virus/attachment filtering
      - Nessus

Editor’s notes

  1. As a medium-size (6,000 FTE) 2- and 4-year degree-granting institution, Penn College’s IT resources are always stretched to the limit (not unlike most other higher education IT organizations). We wanted an IT security solution that could work within our current organizational structure, leverage existing staff expertise, not substantially drain our financial resources and yet provide an effective level of cyber-threat protection.
  2. IT management recommended the formation of a campus “security team.” Each area of the IT department committed one employee, for part of their normal assignments, to be part of the security team. Each area also “contributed” a percentage of its normal budget to fund the hardware and software. A senior manager was designated to provide leadership and coordination of this team effort. The team met regularly over an initial 18 month period to brainstorm, expand their knowledge base, investigate solutions, recommend strategies, develop plans, and implement the initial layer of security infrastructure.
  3. 100% VLAN scheme. VLANs based on computer/user role: ITS staff, college employees, computer labs, server farm, ResNet, HVAC, security, network equipment. Internet-style ACLs applied between VLANs to limit access: student lab PCs can’t “see” the staff VLAN, and ResNet PCs can’t “see” the staff VLAN. Extended today to separate VLANs for point-of-sale stations, HVAC, wireless, dial-up, each with its own ACL.
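The three places where the deck relies on packet filtering, the Internet router ACL on slide 17, the role-based VLAN ACLs on slides 19 and 20, and the inter-VLAN policy in note 3 (ResNet PCs can’t “see” the staff VLAN), all behave the same way: entries are tested top-down, the first match decides, and an unmatched packet is dropped. The following Python is an added example written for this page, not code from the Penn College deck. It implements that evaluation with Cisco wildcard-mask semantics and runs it over a subset of the slide 17 entries copied as printed, over the same entries with the first line’s destination changed to 12.23.198.0 0.0.0.255, and over a ResNet egress list. The ResNet list, the changed first entry (an assumption that 12.23.198.0/24 is one of the college’s public blocks, suggested only by the anti-spoofing entries), and every sample packet are constructed for the example.

```python
# Added example for this page (not code from the Penn College deck): first-match
# evaluation of Cisco IOS extended ACL entries with Cisco wildcard-mask semantics.
import ipaddress
from collections import namedtuple

# IOS service names that appear on slide 17
PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139, "tftp": 69, "snmp": 161, "snmptrap": 162}
# proto is "tcp", "udp" or "icmp"; ack marks return traffic (only such packets match "established")
Packet = namedtuple("Packet", "proto src dst dport ack", defaults=(0, False))

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (base, wildcard, rest)."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return _ip(tokens[1]), 0, tokens[2:]
    return _ip(tokens[0]), _ip(tokens[1]), tokens[2:]

def _match_addr(addr, base, wildcard):
    """Wildcard semantics: a 1 bit in the wildcard means that bit is not compared."""
    care = ~wildcard & 0xFFFFFFFF
    return (_ip(addr) & care) == (base & care)

def parse_ace(line):
    """Parse '[access-list N] {permit|deny} PROTO SRC DST [eq PORT] [established] [log-input]'.
    ICMP type keywords (echo, echo-reply) are accepted but not modelled."""
    t = line.split()
    if t[0] == "access-list":
        t = t[2:]
    action, proto = t[0], t[1]
    src_base, src_wild, t = _parse_addr(t[2:])
    dst_base, dst_wild, t = _parse_addr(t)
    port, established = None, False
    while t:
        tok = t.pop(0)
        if tok == "eq":
            name = t.pop(0)
            port = PORT_NAMES[name] if name in PORT_NAMES else int(name)
        elif tok == "established":
            established = True
    return {"action": action, "proto": proto, "src": (src_base, src_wild),
            "dst": (dst_base, dst_wild), "port": port, "established": established}

def parse_acl(text):
    return [parse_ace(ln) for ln in text.strip().splitlines() if ln.strip()]

def evaluate(acl, pkt):
    """Entries are tested top-down; the first match decides; the list ends in an implicit deny."""
    for ace in acl:
        if (ace["proto"] in ("ip", pkt.proto)
                and _match_addr(pkt.src, *ace["src"]) and _match_addr(pkt.dst, *ace["dst"])
                and ace["port"] in (None, pkt.dport)
                and (pkt.ack or not ace["established"])):
            return ace["action"]
    return "deny"

# Representative entries of the slide 17 list, copied as printed (first entry included)
ROUTER_ACL_AS_PRINTED = """
access-list 115 permit tcp any 0.0.0.0 255.255.255.0 established
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 12.23.198.0 0.0.0.255 any
access-list 115 deny ip any 0.0.0.255 255.255.255.0
access-list 115 deny tcp any any eq 445
access-list 115 deny udp any any eq netbios-ns
access-list 115 permit icmp any any echo
access-list 115 deny ip any any log-input
"""
# Assumption: entry 1 with 12.23.198.0 0.0.0.255 as destination (the anti-spoofing entries
# suggest that block is one of the college's public networks)
ROUTER_ACL_FIXED_DST = ROUTER_ACL_AS_PRINTED.replace(
    "0.0.0.0 255.255.255.0 established", "12.23.198.0 0.0.0.255 established")
# Constructed ResNet egress list (assumption): slide 19 numbers staff as 10.4.x.x and
# ResNet as 10.100.x.x; slide 20 blocks known bad ports such as 445
RESNET_OUT = """
deny ip any 10.4.0.0 0.0.255.255
deny tcp any any eq 445
deny udp any any eq 445
permit ip any any
"""

def router_decisions(acl_text):
    """Decisions for constructed sample packets arriving from the Internet."""
    acl = parse_acl(acl_text)
    return {
        "rfc1918_source": evaluate(acl, Packet("tcp", "10.1.2.3", "12.23.198.10", 80)),
        "smb_inbound": evaluate(acl, Packet("tcp", "1.2.3.4", "12.23.198.10", 445)),
        "ping": evaluate(acl, Packet("icmp", "1.2.3.4", "12.23.198.10")),
        "return_traffic": evaluate(acl, Packet("tcp", "1.2.3.4", "12.23.198.10", 1025, ack=True)),
        "spoofed_ack": evaluate(acl, Packet("tcp", "10.1.2.3", "12.23.198.10", 1025, ack=True)),
    }

def resnet_decisions():
    """Decisions for constructed sample packets leaving the ResNet VLAN."""
    acl = parse_acl(RESNET_OUT)
    return {"to_staff_vlan": evaluate(acl, Packet("tcp", "10.100.5.5", "10.4.1.1", 80)),
            "to_internet_web": evaluate(acl, Packet("tcp", "10.100.5.5", "1.2.3.4", 80)),
            "smb_anywhere": evaluate(acl, Packet("tcp", "10.100.5.5", "10.100.6.6", 445))}

if __name__ == "__main__":
    print(router_decisions(ROUTER_ACL_AS_PRINTED), router_decisions(ROUTER_ACL_FIXED_DST), resnet_decisions())
```

Running it shows three things. With entry 1 as printed, return traffic to an ordinary host such as 12.23.198.10 is not matched by the established permit and falls through to the final deny. With a real network in entry 1, that return traffic passes, but so does an ACK-flagged packet with a source in 10.0.0.0/8, because the established permit is tested before the anti-spoofing denies; moving those denies above it closes the gap. The ResNet list drops anything bound for 10.4.x.x or port 445 and lets ordinary web traffic out, which is the “can’t see the staff VLAN” behaviour from note 3.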