Exhibitor session: Efficient IP
•Download as PPTX, PDF•
1 like•3,061 views
Chair: Simon Cooper, trust and identity services group manager, Jisc. How to solve the top five network challenges for higher education in 2017 Speaker: Martin Wellsted, regional manager northern territory, Efficient IP. This session will focus on the new network challenges schools and universities face as competition for enrollment and reputation increases, budgets tighten, and the onslaught of Internet of Things and BYOD continue. Practical solutions to security, IP address management, and process automation problems will be discussed.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Exhibitor session: Efficient IP
Similar to Exhibitor session: Efficient IP (20)
More from Jisc
More from Jisc (20)
Recently uploaded
Recently uploaded (20)
Exhibitor session: Efficient IP
- 1. Exhibitor session 1b Chair: SimonCooper
- 2. Please switch your mobile phones to silent 17:30 - 19:00 No fire alarms scheduled. In the event of an alarm, please follow directions of NCC staff Exhibitor showcase and drinks reception 18:00 - 19:00 Birds of a feather sessions
- 3. Efficient IP
- 4. Solving the Top 5 Network Challenges for Higher Education Nick Fennell, Lead UK Pre-Sales 11 April, 2017
- 5. Page 5Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Top Five Education Network Challenges Network security BYOD: Controlling and securing the network services IT process automation: Decreasing operational costs Network visibility & capacity planning control Digital Learning & Smart Classroom in the Millennial Age
- 6. Page 6Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 1) Network Security
- 7. Page 7Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 DNS Security Context JANET Network faced multiple major DDoS attacks 2015-2016 74% of UK organisations faced DNS attacks- Last 12 months1 DNS is one of the top primary targets2 for application layer attacks 91% of malware uses DNS protocol3 11 Critical DoS Vulnerabilities on BIND in 2016 1 EfficientIP 2016 DNS Security Report 2 Arbor Network 2016 Security Report 3 Cisco 2016 Security Report
- 8. Page 8Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Three Main Reasons Why DNS Is On the Top of a Hacker’s List 3 Not Effectively Protected 2 Easy to Exploit 1 Mission Critical
- 9. Page 9Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Why Is DNS Mission Critical? DNS - DHCP - IPAM NETWORK Customers - Employees - Suppliers - Citizens - Students DNS Services Enable Business Operations by Ensuring Access to Critical Applications & Services Students – Professors – Researchers - Visitors
- 10. Page 10Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Open service by design Connectionless (UDP) Attack target & threat vector Great attack variety and sophistication Not analysed by 68% of organisations 1 Why Is DNS Easy to Exploit? 1Cisco 2016 Security Report
- 11. Page 11Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 UK Damages Incurred From DNS Attacks 35% 23% 13% 16% APPLICATION DOWNTIME COMPROMISED WEBSITE DATA EXFILTRATION BRAND DAMAGE The Effects of DNS Attacks on UK Organisations 2016 SOURCE: EfficientIP 2016 DNS Security Report
- 12. Page 12Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 1. No DNS analytics for behavioural threat detection Only based on DNS packet frequency, request entropy, payload or data encoding signature 2. Complex to deploy & maintain Threats are evolving: configuration & tuning of filtering rules while ensuring consistency 3. Basic mitigation techniques with a high risk of false positives Countermeasures are limited to blocking DNS traffic 4. Not proactive Unable to mitigate new attacks without new filtering rules No mitigation capability of zero-day attacks 5. Not powerful enough to handle volumetric attacks 49% of all DNS DDoS attacks are above 1M QPS 1 Traditional Security Solutions Fail at DNS Protection 1EfficientIP 2016 DNS Security Report
- 13. Page 13Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 2) BYOD
- 14. Page 14Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 More connected devices will create major pressure on network services Higher education networks must ensure application availability to students, faculty and visitors Network service performance must support the increasing amount of connected devices Securing the network is essential, as you don’t control the security level of the connected devices The BYOD Threat
- 15. Page 15Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Average of 3-5 connected devices per student1 Top 10 ranked UK universities provide network access to an average of more than 25,000 students…a potential 125,000+ connected devices to support! A combined 89% of students expect to be able to use their own Apple computers, tablets and phones to access university software2 BYOD Prevalence In Higher Education 1Cisco Visual Networking Index 2Software2 EdTech BYOD Survey 2016
- 16. Confidential-Property of EfficientIP - All rights reserved-Copyright © 2016 The BYOD Threat Illustrated
- 17. Confidential-Property of EfficientIP - All rights reserved-Copyright © 2016 Transaction Analysis for Behavioural Threat Detection - Real-time DNS traffic statistics to detect data exfiltration - No risk of false positives or excluding legitimate customers - Real-time reputation domain Graduated Protection with Smart Countermeasures - Block source IPs of the attacks - Quarantine suspected source IPs of attacks - Ensure service continuity even if the attack source is unidentifiable Using DNS with Built-In Security as a Source of Protection
- 18. Page 18Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 3) Visibility & Capacity Planning
- 19. Page 19Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Visibility: what is connected to the network? Control & detection of unauthorised or unplanned changes Multi-vendor tools and disparate processes are error-prone, putting network availability at risk Repetitive and unitary manual tasks are costly & inefficient Management delegation is risky, advanced skills required Highly complex to enforce policies and standardise operations Network Management Issues
- 20. Page 20Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Creating Comprehensive Network Visibility Devices & Network Equipment Hardware & virtual Device Location Switch-port-VLAN-IP-MAC-name Network Devices Routes L3 switch, router, firewall, load balancer
- 21. Page 21Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Campus Network Capacity Planning Identify physical devices connected to port (versus what is supposed to be connected) Reclaim unused ports Management at the port level Control & optimise switch port occupancy to save money
- 22. Page 22Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 4) IT Process Automation
- 23. Page 23Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Network IT Process Issues Bottlenecks/longer time to complete tasks Fewer skilled employees with access rights- most tasks must be done by these resources, adding strain Automation reduces manual processes with fewer errors, and introduces templates True delegation only possible with automation software in place- enforces best practices & masks complexities Weak integration with cloud or virtual application automation Cannot get the value of cloud when there are still manual processes in place- must automate 100% If DDI is not included in the process of real-time creation of new virtual environments, the process will have to stop to manually obtain definitions Student and research collaboration can be compromised
- 24. Page 24Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Automation Solutions Enable your facility with DDI (DNS-DHCP-IPAM) automation Control, automate & streamline resource deployments Provisioning process automation according to needs Delegation control & workflow management Boost cloud infrastructure/virtualisation agility with integrated DDI
- 25. Page 25Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 5) Millennial Age Learning
- 26. Confidential-Property of EfficientIP - All rights reserved-Copyright © 2016 Millennial Learning Online courses Massive Open Online Courses (MOOC) Connected laboratories for collaborative research Smart classrooms/Active learning platforms and software Alignment with JANET schemas Mobile apps for enrollment, campus services, email, group project collaboration
- 27. Confidential-Property of EfficientIP - All rights reserved-Copyright © 2016 Millennial Learning Foundations • Mobility • Facilities often have multiple locations • Agility • Transition from WIFI to mobile • Flexibility • Multiple operating systems and devices • Control • Tracking devices across multiple networks • Security and forensics • Device audit and identification
- 28. Page 28Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 EfficientIP Solution Suite DNS DHCPIPAM DNS Security Network Automation DDI IPAM, VRF, VLAN & Network Services MVSM Multi-Vendor DNS DHCP Services Management Device Manager Device Deployment Management SPX RIR Declaration Management Hybrid DNS Engine DNS Firewall DNS Guardian DNS Cloud DNS Blast Netchange IPLocator Network Discovery Netchange Network Discovery & Configuration Unified Database and Advanced Reporting Physical & Virtual SOLIDserver Appliance
- 29. Page 29Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 EfficientIP In Brief 24 x 7 Fastest Growing DDI Company* Awarded Technologies Follow-The-Sun Support Services +90 Employees 650+ Customers 5 Continents 110+ Countries HQ EMEA - Paris, France USA - West Chester, PA APAC - Singapore Innovative DDI Company Security - Availability - Agility *IDC 2015 DDI (DNS-DHCP-IPAM) Market Update
- 30. Confidential-Property of EfficientIP - All rights reserved-Copyright © 2017 Thank You! Visit us at Stand 51 for more information on higher education DNS-DHCP-IPAM solutions
- 31. Circle IT
- 32. jisc.ac.uk
- 33. Thank you 12/04/2017Title of presentation (Insert > Header & Footer > Slide > Footer > Apply to all)
Editor's Notes
- Mention JANET incident in April 2016- if this already happened to JANET, it can happen to you! Surprisingly, while the entire internet and its overall services such as browsing, emailing, ToIP, or even printing rely on DNS, its infrastructure remains poorly secured and has become one of the most attractive application layer target for hackers and malware. Additionally, Cisco unveiled that 91% of malware uses DNS protocol in some ways such as for establishing communication path with remote CnC server, operating data exfiltration or spreading deeper into targeted networks. It is even more critical for organizations to understand the risks that most used DNS server engine had 11 critical DoS vulnerabilities in 2016. As a result, 74% of companies have been targeted by DNS attacks at least once in the last 12 months (2016 EfficientIP global DNS Security survey).
- DNS services are a foundation of any IT infrastructure. It translates domain names, which can't be easily memorized by humans, to the numerical IP addresses needed for the purpose of computer services and devices worldwide. Today's applications are all IP based. If a DNS server is not responding with the expected performance or if it is completely down, there is no more access to any application! It has a very fast and direct negative impact on customers and the business.
- Open service by design: As a consequence of their fundamental role in the IT infrastructure, DNS servers must be accessible to everyone. Connectionless: DNS protocol is connectionless, making it easier for hackers to launch an attack as it does not require to establish a connection with the targeted device. It can circumvent security system using for instance IP address spoofing for reflection and amplification DoS attacks. Most firewalls cannot efficiently manage and maintain network security with UDP traffic. Attack target and threat vector: Hackers make use of DNS dual role in the “kill-chain” as either a threat vector (ex: malware use of the DNS protocol to communicate with their remote command and control server) or a direct objective (ex: DoS attack on DNS servers to impact business continuity). Great attack variety and sophistication: The high variety and sophistication of DNS attacks is a result of the previous points. The security context around DNS protocol is complex and DNS threats have become more and more sophisticated, combining multiple vectors in a single attack. Not analysed by 68% of companies: hackers are taking advantage of the inefficiency of traditional security solutions and despite the intensive use of DNS services by malware, more than 68% of companies are not monitoring and analysing DNS traffic. It is a great opportunity for hackers to launch damaging attacks.
- Pick a few and explain quickly on how any of these affect the university
- Today, there are several methods to protect against the large variety of attacks on the DNS. The most common method is to filter the DNS queries, to eliminate those that are illegitimate and support legitimate traffic. While this works in theory, in practice traditional security solutions are too limited to receive and carefully analyze all requests that are sent. They have not been designed from the ground up to secure DNS services and are not able to handle the dynamic nature of the protocol. Lack of performance and intelligence can induce serious security limitations and risks, such as business downtime, customer data or intellectual property theft and damaged reputations. Possible impacts are diverse but very concrete, costing as we have seen previously an average of more than $1 million per attack. IDC, in a recent security survey, concluded that “very little is being done about DNS security and companies feel that the basic protection offered by a firewall is enough. This is a real case of the wrong answer to a real problem.” A modern DNS security system must be agile enough to adapt its protection mechanisms to mitigate the risk of false positives, while ensuring DNS service integrity and continuity to legitimate clients.
- Kings College London implemented a private cloud that enables its students to access a virtual desktop------ http://www.computerweekly.com/feature/BYOD-policy-gives-London-university-users-network-access-flexibility Oxford overhauls technology to create potential for BYOD use on 100,000+ devices--- http://www.itproportal.com/2014/09/05/oxford-university-embraces-byod-overhauls-ancient-communications-systems/ http://edtechnology.co.uk/Article/byod-is-it-right-for-your-school Pearson survey— http://www.pearsoned.com/wp-content/uploads/2015-Pearson-Student-Mobile-Device-Survey-College.pdf
- SLIDE ORIGINALLY ABOUT-----NetChange includes a network discovery tool, NetChange- IPLocator, to locally or remotely discover, identify and inventory the physical and virtual devices and their connections on your network (IP/MAC/VLAN/Switch/ port/Name). Netchange-IPLocator’s thorough network discoveries provide comprehensive visibility of network resource deployment and usage, delivering unparalleled resource control, from organization scheme and deployment to resources consumption and procurement. SOLIDserver’s NetChange-IPL provides a route discovery that is dedicated to the network devices routing tables. The NetChange-IPL displays the existing routes on the layer 3 network devices. All the information displayed is retrieved using the SNMP protocol. Each route corresponds to subnet and has a unique IP address and prefix.
- Elimination of port wastage SOLIDserver's discovery process identifies unused switch ports since a time lap. Based on this information it is easy to determine whether switch port can be released or reallocated. This is particularly important in datacenter to avoid overconsumption of Giga Ethernet port to unused servers.
- https://en.wikipedia.org/wiki/Massive_open_online_course
- Enable your school--- -Unified visibility, consistency control & management -Core network services robustness & availability -Flexibility & adaptability for greater efficiency -Streamlined processes & corporate policy enforcement -Management simplicity with smart automation -Granular role-based delegation & work flow Control, automate & streamline--- -Structure & automate subnet splitting in dedicated IP pools with templates -Control where each IP address type is authorised to be deployed -Guide non-expert users with “easy-to-use” web interface--- stress this point Provisioning--- -Templates of provisioning processes modeling & operational business needs ensures unmatched efficiency, simplicity & control Delegation control--- -Granular role-based delegation with unlimited number of groups -Control “who, where” and also “what” with object classes -Activity tracking and auditing with detailed tasks history & powerful search engine -LDAP, AD, Radius authentication Boost cloud infrastructure--- ----Simplifies and secures resource deployment for instant-start cloud services and cost reduction -Automated IP and DNS resources assignment for VM provisioning -Error-free configuration and inventory consistency -Streamlined deployment with corporate policy enforcement -Global visibility of virtual infrastructures -Improved cloud scalability with DDI capacity planning -High availability of mission-critical DNS & DHCP service
- A one of the world’s fastest growing DDI (DNS-DHCP-IPAM) vendors, EfficientIP helps organisations drive business efficiency through agile, secure and reliable network infrastructures. EfficientIP has continued to expand its reach internationally since its inception in 2004, providing solutions, professional services and 24*7 support all over the world with the help of global business partners. This ensures an efficient and successful deployment to our customers. EfficientIP is committed to thinking differently about the DDI industry- innovation is in our DNA. Our goal is to create value and efficiency for our customers through heightened security, advanced automation, and greater simplicity. We have launched unique features like network reconciliation management which have today become market best practice standards. We invented the advanced SmartArchitecture™ concept, which upgraded the management of DNS and DHCP from service level to architecture level. Additionally, our unique 360° DNS security solution protects data confidentiality and application access from anywhere at any time. Institutions across a variety of industries and government sectors worldwide rely on our offerings to assure business continuity, reduce operating costs and increase the management efficiency of their network and security teams.