Defending the Campus
Ed Lopez – Emerging Technologies
Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

“The Headlines”
• “‘MafiaBoy’ DDoS Attack Via University Network”
• “Postdoc Arrest Linked to Intellectual Property Theft from University Labs”
• “Hack on University Exposes 1.4M Social Security Numbers”
• “Universities Fear 6th of Month as Klez Virus Re-erupts”
• “RIAA Sues Campus File-Swappers”
• “Weak Security Causes University to Ban Unauthorized Wi-Fi on Campus Nets”
• “Campus Networks: Havens for Spammers?”
• “Vital Files Exposed in University Hacking, 32,000 Students and Employees Affected”

Our Users – Our Problem
• Students – Bandwidth, Active Threat, No Standards
• Faculty – Openness, Intellectual Property, Communication
• Administration – Privacy/Financial/Academic Data, Web Services
• Facilities/Security – Operations, Logistics, Emergency Services
• Health Services – HIPAA, Medical Support Systems
• Externals – Support for Gov't Projects, External/Joint Academics, Libraries, Research

Security Is in How We Access Our Networks
• Dormitories – Wired/Wireless, more than one host per student
• Libraries – Shared systems, public/anonymous access
• Commons – Wireless, rogues, ‘evil twins’
• Telecommuters – Commuting Students, Off-Campus Housing, Fraternities/Sororities, ‘Starbucks’ and other community outlets
• Educational Areas – May have specialized requirements, especially science departments
• Health Services & Administration – Autonomous but linked
• Externals – Dedicated support requirements, threat from external security breaches

Campuses – Crucibles for New Technologies and Security Issues
• Varied OS Support: Windows (multiple versions), MacOS, Linux, BSD, Palm, PocketPC, new handhelds
• No Personal Firewall/Anti-Virus Standards
• VoIP: Internally supported, Vonage, etc.
• Authentication: Passwords (weak), Tokens, SSN vs. Unique Number, Single Sign-On vs. Segmentation
• Wireless vs. Wired
• Many Back Channels: POP3, IM, IRC, P2P, FTP, etc.
• Music: P2P vs. Legal Downloads

What We Intended

What We Ended Up With
Social Engineering

Firewalls Alone Are Not Enough
• A TCP/80 client session:
  - Is it MSIE?
  - Is it Mozilla Firefox?
  - Is it a Warez P2P session?
• Firewalls, even with application intelligence, only deal with Layers 3 & 4
• But with the convergence of multiple applications around well-known ports & protocols, how do we differentiate the legitimate ones from the rogue ones?

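The slide's TCP/80 question, worked as an added example that is not part of the deck: a port-only rule sees three identical "port 80" sessions, while looking at the first client bytes (Layer 7) separates an MSIE browser, a Firefox browser and a non-HTTP client. The payloads, addresses and the `non-http` label are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample payloads: the first bytes each client sent on a TCP/80
# session, keyed by a made-up source address:port. The third is not HTTP at
# all, which a port-based (Layer 3/4) rule cannot tell apart from a browser.
SAMPLE_SESSIONS = {
    "10.1.5.23:51012": (b"GET /index.html HTTP/1.1\r\nHost: www.example.edu\r\n"
                        b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    "10.1.5.24:51020": (b"GET /news HTTP/1.1\r\nHost: www.example.edu\r\n"
                        b"User-Agent: Mozilla/5.0 (X11; Linux) Gecko/20040913 Firefox/0.10\r\n\r\n"),
    "10.1.7.9:51100": b"\x00\x01\x02\x03peer-handshake\x00\x00",   # constructed non-HTTP bytes
}

# An HTTP/1.x request line: method, request-target, version, CRLF.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")

def parse_headers(payload: bytes) -> Dict[str, str]:
    """Return the header fields after the request line, lowercase-keyed; stop at the blank line."""
    headers: Dict[str, str] = {}
    for line in payload.split(b"\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = value.strip().decode("ascii", "replace")
    return headers

def classify_port80_client(payload: bytes) -> str:
    """Label the application behind a TCP/80 client payload by its Layer 7 content."""
    if not REQUEST_LINE.match(payload):
        return "non-http"              # port 80 in use, but not by HTTP: a policy/visibility gap
    ua = parse_headers(payload).get("user-agent", "")
    if "MSIE" in ua:
        return "http/msie"
    if "Firefox" in ua:
        return "http/firefox"
    return "http/other"

def flag_sessions(sessions: Dict[str, bytes]) -> Tuple[Dict[str, str], List[str]]:
    """Classify every session and list the flows a port-only firewall would have passed blindly."""
    labels = {flow: classify_port80_client(payload) for flow, payload in sessions.items()}
    return labels, [flow for flow, label in labels.items() if label == "non-http"]
```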
Layered Threats – Layered Defenses

Domino Effect

Security Is Not Required for Applications & Networks to Function!
• Everything works in the lab!
• Trust is inherent to design!
• What are your policies?
• How are they enforced?
• How do you detect/prevent malicious traffic, rogue hosts/apps, and misuse?
• What is really on your network?

Security Requirements for the Campus
• Access Defense at Network/Data Centers – No effective perimeters, no control of end-user hosts
• Network Awareness – Variable users/access/technologies make for quickly changing threats
• QoS – Defending bandwidth for necessary resources, mitigating DoS attacks, policy conformance
• Segregation of IP Networks – With use of common infrastructure
• Standardization Where Possible – Enforcement of security processes is a must for applications, data centers, and systems holding sensitive data
• Provisioned Services – Key to consistent delivery of manageable services

Securing Access
• Wireless Access = Remote Access
• Common solution sets mean ease of deployment and a common user experience
  - Can implement roles-based policies
• SSL VPNs are your friend
  - Clientless – Just need a browser
  - Encryption offers confidentiality and integrity of traffic
  - Defend Remote Access, Wireless Access, Access to Data Centers
• You can't rely on host-based defenses; defend at the ingress
  - Perimeter defenses (Firewall, ACL)
  - NAV and Anti-spam on campus web/mail services

Securing Data Centers
• Best defenses are based on knowing what to defend
  - You may not control the clients, but you do control the servers
• Tight perimeter defenses
• Portaling
• Intrusion Detection/Prevention
• Honeypots / Honeynets

Importance of Network Awareness
• “Network awareness now a new mindset for security professionals.”
• “Every component of the network is part of the ecosystem.”
• “The end user is the moving chess piece of the network board.”
• “The really good intruders study the environment before attacking.”
Source: Network Awareness, whitepaper by BlackHat Consulting

IDS – Intrusion Detection System
Typically out of line of the data flow, on a tap. Evaluates deeper into the packet to validate the protocol and search for exploits and anomalies. All 7 layers of the OSI model can be parsed.
[Diagram: IDS attached to a tap beside the data flow; its response is a dynamic ACL request sent to the router/firewall, or a TCP RESET sent to close the session]

IPS – Intrusion Prevention System
Typically inline with the data flow. Evaluates deeper into the packet to validate the protocol and search for exploits and anomalies. All 7 layers of the OSI model can be parsed. Does not have to rely on other devices in the network to complete its task.
[Diagram: IPS placed inline in the data flow]

Network Awareness – Know Your Threat!
• Who is peering with your critical systems?
• Who are the IRC bots?
• Who is probing your network?
• Correlate security events to hosts/network objects

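The slide's three questions answered from the same flow data, as an added example that is not part of the deck: each source host is tagged with probing, long-lived IRC and critical-system findings, so the analyst sees that one host both scanned and touched the records server. The flow records, the critical-system inventory, the IRC port set and the thresholds are all constructed for the example.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records (src, dst, proto, dport, packets): a host sweeping
# services, a host holding a long IRC session, and a legitimate application
# server talking to the student-records database. Not real campus data.
FLOWS: List[Tuple[str, str, str, int, int]] = [
    ("10.20.3.14", "10.50.0.10", "tcp", 22, 3),
    ("10.20.3.14", "10.50.0.10", "tcp", 23, 3),
    ("10.20.3.14", "10.50.0.10", "tcp", 80, 3),
    ("10.20.3.14", "10.50.0.11", "tcp", 135, 3),
    ("10.20.3.14", "10.50.0.12", "tcp", 445, 3),
    ("10.20.8.77", "203.0.113.9", "tcp", 6667, 900),
    ("10.20.8.77", "203.0.113.9", "tcp", 6667, 850),
    ("10.40.1.5", "10.50.0.20", "tcp", 1521, 120),
    ("10.20.3.14", "10.50.0.20", "tcp", 1521, 2),
]
CRITICAL = {"10.50.0.20": "student-records-db"}   # assumed inventory of critical systems
IRC_PORTS = {6667, 6668, 6669}                    # assumed IRC server ports
SCAN_THRESHOLD = 5                                # distinct host:port targets per source
LONG_SESSION_PACKETS = 100                        # packet count that marks a long-lived session

def correlate(flows) -> Dict[str, List[str]]:
    """Group flow evidence by source host and attach the findings for each host."""
    targets = defaultdict(set)     # src -> {(dst, dport)}
    irc = defaultdict(int)         # src -> number of long-lived IRC flows
    crit = defaultdict(set)        # src -> {critical system names reached}
    for src, dst, proto, dport, pkts in flows:
        targets[src].add((dst, dport))
        if proto == "tcp" and dport in IRC_PORTS and pkts > LONG_SESSION_PACKETS:
            irc[src] += 1
        if dst in CRITICAL:
            crit[src].add(CRITICAL[dst])
    findings = defaultdict(list)
    for src in targets:
        if len(targets[src]) >= SCAN_THRESHOLD:
            findings[src].append(f"probing: {len(targets[src])} distinct host:port targets")
        if irc[src]:
            findings[src].append("long-lived IRC session: possible bot")
        for name in sorted(crit[src]):
            findings[src].append(f"peering with critical system {name}")
    return dict(findings)
```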
Network QoS – Managed Unfairness
• Bandwidth isn't free and all traffic is not equal
• Migration continues toward a converged network, with multiple services over IP
• Need to distinguish between the multiple services on the converged network infrastructure
• Examples: voice and real-time video
• Implementing QoS allows us to utilize existing bandwidth better
• QoS tools can be used as security tools to safeguard priority network services and applications
[Diagram: traffic classes VoIP, Gold, Silver and Best Effort pass through the stages Classify, Schedule, Transmit]

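The slide's Classify / Schedule / Transmit pipeline as an added example that is not part of the deck: a bulk best-effort flood arrives ahead of a few voice and SSH packets, and the scheduler (strict priority for VoIP, weighted round-robin for Gold, Silver and Best Effort) still sends the voice packets in the first tick, whereas a plain FIFO link sends none of them. The port-to-class mapping, weights, link capacity and packet stream are constructed for the example.

```python
from collections import deque
from typing import Dict, List

# Weighted round-robin shares for the classes below the strict-priority VoIP class,
# and the number of packets the link can send per tick. Both are constructed values.
WEIGHTS = {"Gold": 4, "Silver": 2, "Best Effort": 1}
SLOTS_PER_TICK = 8

def classify(pkt: dict) -> str:
    """Classify a packet by transport and port; the port-to-class mapping is an assumption."""
    if pkt["proto"] == "udp" and 16384 <= pkt["dport"] <= 32767:
        return "VoIP"                  # RTP media range
    if pkt["dport"] in (22, 443):
        return "Gold"                  # administrative and interactive services
    if pkt["dport"] in (25, 80):
        return "Silver"                # web and mail
    return "Best Effort"               # everything else, including a bulk flood

def schedule(packets: List[dict], ticks: int) -> Dict[str, List[int]]:
    """Classify, then schedule: VoIP is served first, the rest by weighted round-robin.
    Returns, per class, how many packets were transmitted in each tick."""
    queues = {c: deque() for c in ("VoIP", *WEIGHTS)}
    for p in packets:
        queues[classify(p)].append(p)
    sent = {c: [0] * ticks for c in queues}
    for t in range(ticks):
        slots = SLOTS_PER_TICK
        while slots and queues["VoIP"]:                   # strict priority
            queues["VoIP"].popleft(); sent["VoIP"][t] += 1; slots -= 1
        while slots and any(queues[c] for c in WEIGHTS):  # WRR rounds
            for c, w in WEIGHTS.items():
                for _ in range(w):
                    if slots and queues[c]:
                        queues[c].popleft(); sent[c][t] += 1; slots -= 1
    return sent

def fifo(packets: List[dict], ticks: int) -> Dict[str, List[int]]:
    """No QoS: one shared queue, so whatever arrived first holds the link."""
    q = deque(packets)
    sent = {c: [0] * ticks for c in ("VoIP", *WEIGHTS)}
    for t in range(ticks):
        for _ in range(SLOTS_PER_TICK):
            if q:
                sent[classify(q.popleft())][t] += 1
    return sent

# Constructed arrival order: a 200-packet best-effort flood, then 6 voice and 10 SSH packets.
STREAM = ([{"proto": "tcp", "dport": 40000}] * 200 + [{"proto": "udp", "dport": 20000}] * 6
          + [{"proto": "tcp", "dport": 22}] * 10)
```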
Segregating IP Networks – MPLS
[Diagram: Wireless Access, Housing, Remote Campus, VoIP and Internet Access carried as separate IP networks over one IP/MPLS campus network, with PE and PCE devices]
• Multiple IP nets / Common Infrastructure
• Security, Access Control at the Edge
• Provisioned Services – Manageability

Standardization
• Openness applies to the user community, not to campus administration and staff
• Deployed network applications and services must be tightly defined
• IDS/IPS to look for malicious traffic within these applications and services
• Standardized authentication systems – centralized online identity control
• Operational & management support is key to policy enforcement

Provisioned Services
• Bring all of these security concepts together
  - Portaling – Present services in a consistent fashion, roles-based authentication
  - Network Awareness – Defining and provisioning services provides a clear scope
  - QoS – Protect service resources
  - Segregation – Reduces threat vectors and malicious logic trees between services
  - Standardization – Building security into what we deploy
• Create an atmosphere of what we can do, vs. what we can't

Juniper Networks Portfolio
[Diagram: product portfolio – M-series, T-series, Large Core, Metro Aggregation, E-series, BRAS & Circuit Aggregation, Policy & Service Control, Small/Med Core, Circuit Aggregation, Secure Access SSL VPN, Intrusion Detection and Prevention, Integrated Firewall/IPSEC VPN, Central Policy-based Management, NMC-RX, JUNOScope, Secure Meeting, Enterprise Routing, J-series]

Thank You!
elopez@juniper.net