Overview of IT Security at Nottingham

Slide 1: Enterprise Security: Protecting the Campus Network
Paul Kennedy, Security & Compliance Group Leader, Information Services

Slide 2: Objectives
  • An introduction to practical IT security
  • Some background on enterprise issues
  • The campus network
  • Samples of some technologies used
  • Examples from the battlefront
  • Technology demo (if time allows)

Slide 3: What is an enterprise?
  • “a unit of economic organization or activity; especially: a business organization”
  • What defines an enterprise: scale, purpose and cohesion
  • Is the University an enterprise? Yes!
      • “A place of learning, research, academic endeavour, advancement of knowledge”
      • “A £380m global business with 5500 staff and 36000 customers”

Slide 4: Enterprise security
  • So what is enterprise security about?
      • Protection of an entity where scale is a factor in the decisions made (e.g. number of users and computers; size of network or bandwidth of the links; cost of solutions)
      • Protection of an entity where the aims of the organisation need to be taken into consideration (e.g. business requirements)
      • Protection of an organisation where the human factor becomes critical to success

Slide 5: The University enterprise
  • Facts & figures
      • An international University with campuses in the UK, China and Malaysia
      • 36000 students and 5500 staff in the UK
      • Numerous campuses
          • In Nottingham: Univ Park, Jubilee, Sutton Bonington, King’s Meadow, QMC, City Hospital, Shakespeare St
          • In the East Midlands: DCGH, DRI, Mansfield, Lincoln, Boston, Grantham
          • Further afield: offices in London, Brazil, Shanghai, overseas campuses

Slide 6: Campus Network
  • 12000 machines on the campus network
      • Servers, desktops, laptops, network equipment, lab equipment, printers, VoIP devices, CCTV cameras, temperature sensors, cash tills, door access, building management system
  • 8000 computers on the student network (SNS)
  • 10 Gbps across the campus backbone
  • 2 x 1 Gbps + 1 x 100 Mbps connections to the East Midlands MAN (EMMAN) and JANET
  • State-of-the-art “lights-out” primary data centre at KMC, secondary data centre (inc. HPC) at CCC South
  • Is this a LAN, a WAN or a MAN?

Slide 8: The Academic Business
  • The business:
      • Financial management of £380m
      • HR management of 5500 staff records
      • SR management of 36000 student records
  • UK legislation
      • Data Protection Act (DPA), Freedom of Information (FoI), Human Rights Act (HRA) and more
      • Regulation of Investigatory Powers Act (RIPA)
  • Corporate governance
      • External auditors, Internal Audit Service (IAS)

Slide 9: Academic Risk Profile
  • We are a business AND an academic institution and must provide security accordingly!
      • We’ll never have security like a bank
      • We can’t enforce corporate standards
      • We must support a wide range of teaching and research and a degree of choice in the tools that staff and students can use

Slide 10: Security Facts & Figures
  • We reject 3.5m spam emails per day
  • We saw alerts on suspicious behaviour from 7000 external network addresses yesterday
  • Anti-virus reported 120 desktop interceptions on campus yesterday
  • We intercept around 100-150 email-borne malware items per day
  • We detect and report 5-10 previously unseen viruses to Sophos each year

Slide 11: Security Model
  • The University Security Model
      • Policy, IT security, physical security
      • Defence in depth (the security “onion”)
      • Multiple, overlapping layers of security
      • Security at different points in the network
          • At the perimeter / gateway / choke points
          • On the server / at the service layer
          • At the desktop
          • Across the network backbone
      • But … business first, technology second!

Slide 12: Security Policy
  • You MUST have a security policy, approved by senior management, in order to have enforceable security
  • ISO 27001 (aka ISO 17799, BS 7799) is the international standard for Information Security Management Systems
      • Security policy; Organisation of information security; Asset management; Human resources security; Physical and environmental security; Communications and operations management; Access control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance
      • Based on the Plan-Do-Check-Act model
  • The University security policy is based on ISO 27001, but we are unlikely to seek certification at present

Slide 13: The Technology
  • At the perimeter / gateway / network level
      • Enterprise firewall: allow or deny traffic based on a set of rules
      • Email gateway: spam and malware detection and prevention
      • Secure web gateway: proxying web traffic to check for malware
      • Bandwidth management: limit or guarantee the bandwidth available for services
      • Virtual LANs (VLANs): restrict the parts of the network that specific traffic can reach
      • Anomaly detection: measure network activity against a “normal” baseline
      • Network access control

Slide 14: At the Perimeter
  • Enterprise firewall
      • Inspects packets entering or leaving the network against a defined rule set
      • Allows or denies based on source and destination IP address and port
      • Default deny (“deny everything except those services/protocols specifically required”), not default allow (“allow everything, deny only known dangerous ports”)
      • 2 x Juniper NetScreen 5200s with failover (Gigabit capable)
      • Stateful packet inspection: knows which “conversations” are already in progress (prevents certain scans and attacks)
      • Over 1200 firewall change requests since 2004
      • Over 600 rules in our firewall rule set (Spitzer: 200 is complex)
      • At default deny, network traffic dropped 50%, attacks 90%

Slide 15: Email Gateway
  • Currently an open source solution on Linux
      • Exim, MailScanner, SpamAssassin, Sophos
  • 10 mail relays! (5 incoming, 5 outgoing)
      • 3.5m incoming emails per day, of which 200000 are accepted for processing (5%)
  • Have employed “tag and pass” for too long!!!
      • Decisions are not only about technological solutions
  • Spam and malware handling is now a commodity item, so we are outsourcing to a managed service provider, Webroot

Slide 16: Email (chart; only the series labels survive: RBL blocking, mail relayed, viruses identified, spam identified, incoming mail queue)

Slide 17: Internet Traffic (chart; no text survives)

Slide 18: Secure Web Gateway
  • Over 80% of incoming network traffic from the Internet is the result of web browsing
      • Attack payloads via email are dropping
      • Attacks initiated from an HTML-formatted web page, with the payload delivered via the web, are increasing
  • The current Squid proxy logs traffic and reduces the risk of malware getting off campus, but …
  • … this does not protect against most incoming threats
  • So we are implementing a Finjan Secure Web Gateway

Slide 19: Web Gateway Capabilities
  • Active real-time content inspection for detection and blocking of unknown attacks
  • Zero-hour vulnerability protection via virtual patching
  • Corporate anti-spyware solution for stopping known and unknown spyware at the gateway
  • Anti-crimeware protects your sensitive business data
  • Anti-phishing prevents identity theft
  • SSL inspection for “in-box” scanning of HTTPS traffic and enforcement of SSL certificates
  • Choice of leading anti-virus engines for protection against known viruses
  • Choice of leading URL filtering engines for full control over your organization’s web browsing

Slide 20: Processing Web Content (diagram; no text survives)

Slide 22: Anomaly Detection
  • In 2006 IS was looking for a solution to provide better monitoring of traffic across the network
      • Looked at Intrusion Detection and Intrusion Prevention Systems (IDS/IDP)
      • Decided these were not suitable for the wide range of research traffic on our network (which can break firewalls)
      • Discovered the alternative approach of anomaly detection!
  • It learns what is normal network behaviour for each computer on the network and alerts on significant changes in that behaviour

Slide 23: Detection Example
  • Example: in August 2003, the University was hit by the Blaster worm.
      • 1500 computers were infected in a few hours
      • The immediate incident lasted two weeks
      • Complete clean-up took four months
  • We can now detect a worm-infected computer within minutes and, in most cases, prevent it from causing an outbreak before it affects the network
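As an added example (not part of the original slides or the University's own tooling), the per-host baseline idea behind slides 22 and 23 implemented in Python over constructed flow records: each host's count of distinct destinations per hour is learned over five quiet hours, and the test hour flags the one host that suddenly probes hundreds of new machines on TCP/135, the pattern a Blaster-style outbreak produced. Host names, addresses and the thresholds k and min_delta are assumptions for the example.

```python
"""Per-host baseline anomaly detection over constructed flow records
(hour, src_host, dst_host, dst_port). Hours 0-4 are the learning period,
hour 5 the interval under test; hostnames and 10.0.x.x addresses are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

LEARN_HOURS = range(5)
TEST_HOUR = 5

def constructed_flows():
    """Two hosts with steady behaviour; in the test hour one starts scanning."""
    flows = []
    for hour in range(6):
        # pc-101: a desktop talking to three web servers and the mail relay.
        for i in range(8):
            flows.append((hour, "pc-101", f"web{i % 3}.example", 80))
        flows.append((hour, "pc-101", "mail.example", 25))
        # fs-1: a busy but steady file server serving 40 desktops over SMB.
        for i in range(40):
            flows.append((hour, "fs-1", f"pc-{200 + i}", 445))
    # Test hour: pc-101 additionally probes 300 new hosts on TCP/135, the RPC
    # port the Blaster worm scanned (constructed outbreak behaviour).
    for i in range(300):
        flows.append((TEST_HOUR, "pc-101", f"10.0.{i // 256}.{i % 256}", 135))
    return flows

def distinct_destinations(flows):
    """Map (host, hour) -> number of distinct destination hosts contacted."""
    seen = defaultdict(set)
    for hour, src, dst, _port in flows:
        seen[(src, hour)].add(dst)
    return {key: len(dsts) for key, dsts in seen.items()}

def detect_anomalies(flows, learn_hours=LEARN_HOURS, test_hour=TEST_HOUR,
                     k=3.0, min_delta=20):
    """Return {host: (baseline_mean, observed)} for hosts whose distinct
    destination count in test_hour is anomalous against their own history:
    observed > mean + k*stdev (stdev floored at 1, so a constant history still
    gives a band) and a rise of at least min_delta absolute destinations."""
    counts = distinct_destinations(flows)
    alerts = {}
    for host in sorted({src for _h, src, _d, _p in flows}):
        history = [counts.get((host, h), 0) for h in learn_hours]
        base, spread = mean(history), pstdev(history)
        observed = counts.get((host, test_hour), 0)
        if observed > base + k * max(spread, 1.0) and observed - base >= min_delta:
            alerts[host] = (base, observed)
    return alerts

if __name__ == "__main__":
    for host, (base, seen) in detect_anomalies(constructed_flows()).items():
        print(f"ALERT {host}: baseline {base:.1f} distinct hosts/hour, now {seen}")
```

The busy file server is never flagged because its baseline is high but constant, which is the point of learning per host rather than applying one campus-wide threshold.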
Slide 24: Network Access Control
  • At the start of each academic year 8000 student-owned computers are connected to the Student Network Service (SNS) in hall study bedrooms
  • These computers arrive as unseen and unknown quantities; often they are not properly secured and are already infected with viruses and other malware
  • They represent a potential threat to their fellow students, the SNS network and the wider campus network, BUT IS is obliged to make them part of our community as soon as possible

Slide 25: Campus Manager I
  • In 2005 IS introduced Campus Manager, which performs pre-connection health checks on student computers before it allows them access to the SNS and campus networks
  • Campus Manager ensures that student machines
      • Are fully patched with critical updates
      • Have anti-virus protection installed
      • Represent a minimal risk to the campus network

Slide 26: Sophos Upgrade
  • Just upgraded from Sophos A/V to Sophos Security & Control
  • No longer just A/V, now an endpoint security solution
      • Anti-virus, anti-spyware, anti-adware
      • Desktop firewall, detection of PUA (potentially unwanted applications), HIPS
  • In future releases
      • NAC, device (USB, Bluetooth, IR), port & mobile control, data leak prevention

Slide 27: Sophos Architecture (diagram; components named on the slide: Sophos Console & EM Library; signature distribution web server; signature distribution file servers at Univ Park (campus network), Jubilee Campus, Sutton Bonington, King’s Meadow and Univ Park (student network); Sophos DBMS (sccapps); desktop clients. Flows labelled: updates from Sophos; signatures & product updates, remediation; status information, interception reports)

Slide 28: Social Engineering
  • Humans are usually the weakest link in any chain of security
  • You can provide policies and best practice, but you can’t force people to read them
  • University members do respond to phishing attacks from time to time
  • The best solutions to the social engineering issue are usually ones that use technology in place to allow for possible human failings

Slide 29: Network Abuse
  • Misconduct, gross misconduct and criminal activity by University members
  • Yes, it does happen, but thankfully not that often
  • Gross misconduct can lead to dismissal from the University
  • Criminal activity can lead to prison
  • IS does provide evidence for hearings, tribunals, police investigations and court cases
  • ssshhh – credit card scam story

Slide 30: Summary
  • Enterprise security is about scale
  • You need policy, planning and architecture
  • You must consider the business before technology
  • Technology can sometimes reduce human factors but can’t always make up for human failings (or social engineering)
