Developing an Effective

238 views

Published on

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
238
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • 5
  • As a medium-size (6,000 FTE) 2 and 4 year degree-granting institution, Penn College’s IT resources are always stretched to the limit ( not unlike most other higher education IT organizations). We wanted an IT security solution that could work within our current organizational structure, leverage existing staff expertise, not substantially drain our financial resources and yet provide an effective level of cyber-threat protection
  • IT management recommended the formation of a campus “security team.” Each area of the IT department committed one employee from part of their normal assignments to be part of the security team. Each area also “contributed” a percentage of their normal budget to fund the hardware and software. A senior manager was designated to provide leadership and coordination of this team effort. The team met regularly over an initial 18 month period to brainstorm, expand their knowledgebase, investigate solutions, recommend strategies, develop plans, and implement the initial layer of security infrastructure.
  • 100% VLAN scheme VLANs based on computer/user role: ITS staff, college employees, computer labs, server farm, ResNet, HVAC, security, network equipment Internet style ACLs applied between VLANs to limit access Student lab PCs can’t “see” staff VLAN ResNet PCs can’t “see” staff VLAN Extended today to separate VLANS for point-of-sale stations, HVAC, wireless, dial-up; each with its own ACL
  • Developing an Effective

    1. 1. Developing an Effective & Affordable Security Infrastructure in a Small College Environment
    2. 2. About Penn College <ul><li>Williamsport Technical Institute, founded 1941 </li></ul><ul><li>Williamsport Area Community College, founded 1965 </li></ul><ul><li>Pennsylvania College of Technology, founded 1989 </li></ul><ul><li>Special Mission Affiliate of Penn State University </li></ul><ul><li>Accredited - Middle States Association of Colleges and Secondary Schools </li></ul><ul><li>6,358 headcount - 5,891 FTE </li></ul><ul><li>288 FTE faculty, 518 FTE staff </li></ul><ul><li>B.S., A.S. and certificate degrees in over 100 majors </li></ul><ul><li>Specialize in vocational and technology-based education </li></ul><ul><li>Strong focus on small class sizes and hands-on instruction </li></ul><ul><li>www.pct.edu </li></ul>
    3. 3. Williamsport, PA
    4. 4. IT Infrastructure <ul><li>2,600 College-owned computers, 1,400 student-owned computers in residential complexes </li></ul><ul><li>1,600 computers in 50+ academic computer labs, student to computer ratio of 4:1 </li></ul><ul><li>Standard computer lab software includes Microsoft Windows XP, Office 2003, NetMail POP3 e-mail system </li></ul>
    5. 5. IT Infrastructure (cont’d) <ul><li>1,000 staff/faculty PCs </li></ul><ul><li>Standard employee image: Windows XP, Office 2003, Novell GroupWise, iSeries client </li></ul><ul><li>Novell Directory Services (NDS) </li></ul><ul><li>IBM iSeries mainframe, home-grown legacy administrative applications </li></ul><ul><li>WebCT, Sirsi, eRecruiting, Raiser’s Edge, Cbord Odyssey, EBMS </li></ul><ul><li>25 Novell, 15 Microsoft, 3 Linux, 1 Sun, 1 AIX server </li></ul>
    6. 6. IT Infrastructure (cont’d) <ul><li>100% Cisco network infrastructure except for Packeteer Packetshaper </li></ul><ul><li>Fast Ethernet via CAT5 for all building LANs, Gigabit Ethernet via fiber for backbone </li></ul><ul><li>Dual Cisco 6500s for redundant core </li></ul><ul><li>Fractional T-3 (30 Mbps) Internet service </li></ul><ul><li>Dial-up Internet access provided for employees, not students </li></ul><ul><li>About 50% wireless coverage </li></ul>
    7. 7. Campus Network Layout
    8. 8. Information Technology Services <ul><li>Organization (50 employees) </li></ul><ul><li>Desktop Computing </li></ul><ul><ul><li>Academic Computing </li></ul></ul><ul><ul><li>Technical Support/Help Desk </li></ul></ul><ul><ul><li>Technical Writer/Trainer </li></ul></ul><ul><li>Administrative Information Systems </li></ul><ul><li>Network Applications </li></ul><ul><li>Mail & Document Services </li></ul><ul><li>Media Services </li></ul><ul><li>Telecommunications </li></ul>
    9. 9. Post Y2K IT Security “Problem” <ul><li>Increasing threats from viruses, trojans, worms, hackers, etc. </li></ul><ul><li>Lack of security standards </li></ul><ul><li>No coordinated security response </li></ul><ul><li>Poor security awareness </li></ul><ul><li>Minimal security policy </li></ul><ul><li>No security testing </li></ul>
    10. 10. The “Challenge” <ul><li>Limitations </li></ul><ul><ul><li>Budget </li></ul></ul><ul><ul><li>Staff </li></ul></ul><ul><ul><li>Time </li></ul></ul><ul><li>Large backlog of post Y2K projects </li></ul><ul><li>Balancing security effectiveness with efficient resource management </li></ul>
    11. 11. Solution Analysis <ul><li>Dedicated security staff vs. security team </li></ul><ul><li>Advantages of team approach: </li></ul><ul><ul><li>Utilizes existing staff and expertise </li></ul></ul><ul><ul><li>Spreads/diffuses the importance of security across all functional IT areas </li></ul></ul><ul><ul><li>Funded through existing budgets </li></ul></ul><ul><li>Disadvantages: </li></ul><ul><ul><li>No centralized focus/authority </li></ul></ul><ul><ul><li>Long lead time to develop expertise </li></ul></ul><ul><ul><li>Staff time directed away from other projects </li></ul></ul><ul><ul><li>Not invented here syndrome </li></ul></ul>
    12. 12. The “Solution” <ul><li>IT management recommended forming a campus “security team.” </li></ul><ul><li>Each area of the IT department committed one employee and a percentage of its budget. </li></ul><ul><li>A senior manager was designated to provide leadership and coordination of this team effort. </li></ul><ul><li>The team met weekly over an initial 18 month period, then bi-weekly. </li></ul><ul><li>Rotating duty officer/CERT format </li></ul>
    13. 13. The Context <ul><li>Risk vs. investment </li></ul><ul><li>Scope and impact for priority </li></ul><ul><li>Mitigating risk factors </li></ul><ul><ul><li>Administrative data locked up in IBM iSeries (AS/400) </li></ul></ul><ul><ul><li>GroupWise e-mail system </li></ul></ul><ul><ul><li>Institutional policy requiring data files to be stored on network drives </li></ul></ul><ul><ul><li>Centralized IT management and budget culture </li></ul></ul>
    14. 14. 7-Layer Security Approach <ul><li>Layer 1 - Physical </li></ul><ul><li>Layer 2 - Internet </li></ul><ul><li>Layer 3 - Network </li></ul><ul><li>Layer 4 - ResNet </li></ul><ul><li>Layer 5 - Servers </li></ul><ul><li>Layer 6 - Employee PCs </li></ul><ul><li>Layer 7 - Social </li></ul>
    15. 15. Layer 1 - Physical <ul><li>Before </li></ul><ul><ul><li>Distributed servers, not physically secured, some actually in staff/faculty offices </li></ul></ul><ul><ul><li>Network components not secured </li></ul></ul><ul><ul><li>Minimal UPS protection </li></ul></ul><ul><li>After </li></ul><ul><ul><li>Most non-academic servers moved to secured data center; backup generator </li></ul></ul><ul><ul><li>Wiring closets secured </li></ul></ul><ul><ul><li>UPS for all servers and network equipment </li></ul></ul>
    16. 16. Layer 2 - Internet <ul><li>Before </li></ul><ul><ul><li>Internet router with public IP addresses </li></ul></ul><ul><ul><li>No filtering of ports </li></ul></ul><ul><li>After </li></ul><ul><ul><li>Cisco PIX firewall with PAT translation initially, later acquired additional IPs, changed to NAT ( still occasional problems, need an XLATE clear ) </li></ul></ul><ul><ul><li>Access control list on Internet router ( example ) </li></ul></ul><ul><ul><li>Packeteer - Although purchased for bandwidth control, provides another layer of “protection” and “detection” </li></ul></ul>
    17. 17. Internet Router ACL <ul><li>access-list 115 permit tcp any 0.0.0.0 255.255.255.0 established </li></ul><ul><li>access-list 115 deny ip 10.0.0.0 0.255.255.255 any </li></ul><ul><li>access-list 115 deny ip 127.0.0.0 0.255.255.255 any </li></ul><ul><li>access-list 115 deny ip 172.16.0.0 0.15.255.255 any </li></ul><ul><li>access-list 115 deny ip 192.168.0.0 0.0.255.255 any </li></ul><ul><li>access-list 115 deny ip 224.0.0.0 15.255.255.255 any </li></ul><ul><li>access-list 115 deny ip host 0.0.0.0 any </li></ul><ul><li>access-list 115 deny ip 12.23.198.0 0.0.0.255 any </li></ul><ul><li>access-list 115 deny ip 12.23.199.0 0.0.0.255 any </li></ul><ul><li>access-list 115 deny ip any 0.0.0.255 255.255.255.0 </li></ul><ul><li>access-list 115 deny tcp any any eq 135 </li></ul><ul><li>access-list 115 deny udp any any eq 135 </li></ul><ul><li>access-list 115 deny tcp any any eq 137 </li></ul><ul><li>access-list 115 deny udp any any eq netbios-ns </li></ul><ul><li>access-list 115 deny tcp any any eq 138 </li></ul><ul><li>access-list 115 deny udp any any eq netbios-dgm </li></ul><ul><li>access-list 115 deny tcp any any eq 139 </li></ul><ul><li>access-list 115 deny udp any any eq netbios-ss </li></ul><ul><li>access-list 115 deny tcp any any eq 445 </li></ul><ul><li>access-list 115 deny udp any any eq 445 </li></ul><ul><li>access-list 115 deny tcp any any eq 593 </li></ul><ul><li>access-list 115 deny udp any any eq 593 </li></ul><ul><li>access-list 115 deny tcp any any eq 3333 </li></ul><ul><li>access-list 115 deny udp any any eq 3333 </li></ul><ul><li>access-list 115 deny tcp any any eq 4444 </li></ul><ul><li>access-list 115 deny udp any any eq 4444 </li></ul><ul><li>access-list 115 deny tcp any any eq 69 </li></ul><ul><li>access-list 115 deny udp any any eq tftp </li></ul><ul><li>access-list 115 deny tcp any any eq 161 </li></ul><ul><li>access-list 115 deny udp any any eq snmp </li></ul><ul><li>access-list 115 deny tcp any any eq 162 </li></ul><ul><li>access-list 115 deny udp any any eq snmptrap </li></ul><ul><li>access-list 115 deny udp any any eq 1993 </li></ul><ul><li>access-list 115 deny tcp any any eq 1900 </li></ul><ul><li>access-list 115 deny udp any any eq 1900 </li></ul><ul><li>access-list 115 deny tcp any any eq 5000 </li></ul><ul><li>access-list 115 deny udp any any eq 5000 </li></ul><ul><li>access-list 115 deny udp any any eq 8998 </li></ul><ul><li>access-list 115 permit icmp any any echo </li></ul><ul><li>access-list 115 permit icmp any any echo-reply </li></ul><ul><li>access-list 115 deny ip any any log-input </li></ul>
    18. 18. Layer 3 – Network - Before <ul><li>10.x.x.x organized geographically; each “building complex” has a subnet; 10.1.x.x, 10.2.x.x, 10.3.x.x, etc. </li></ul><ul><li>Any to any routing philosophy </li></ul><ul><li>Simple telnet to devices </li></ul><ul><li>No central security scheme </li></ul>
    19. 19. Layer 3 – Network - After <ul><li>100% VLAN scheme </li></ul><ul><li>VLANs based on computer/user role </li></ul><ul><li>Internet style ACLs applied on traffic leaving VLANs </li></ul><ul><li>Traffic denied entering VLAN if no reason for the traffic </li></ul><ul><li>Extended today to separate VLANS for point-of-sale stations, HVAC, wireless, dial-up; each with its own ACL </li></ul><ul><li>SSH required to access devices, coordinated userid/password with Cisco ACS server that LDAPs to our NDS </li></ul><ul><li>10.1.x.x network equipment </li></ul><ul><li>10.2.x.x servers </li></ul><ul><li>10.3.x.x printers </li></ul><ul><li>10.4.x.x staff </li></ul><ul><li>10.100.x.x ResNet </li></ul><ul><li>Etc. </li></ul>
    20. 20. Layer 4 – ResNet <ul><li>Before </li></ul><ul><ul><li>Normal network subnet </li></ul></ul><ul><ul><li>No restrictions </li></ul></ul><ul><ul><li>ISP attitude </li></ul></ul><ul><ul><li>No scanning </li></ul></ul><ul><li>After – version 1 </li></ul><ul><ul><li>Single VLAN </li></ul></ul><ul><ul><li>ACL limited access to other campus VLANs </li></ul></ul><ul><li>After – version 2 </li></ul><ul><ul><li>VLAN per 48 port switch </li></ul></ul><ul><ul><li>Internet style ACL “rule set” to block known bad ports such as 445 </li></ul></ul><ul><ul><li>Routine scanning and quarantining </li></ul></ul>
    21. 21. Layer 5 – Servers - Before <ul><li>Public IP address via firewall conduit </li></ul><ul><li>Distributed physically </li></ul><ul><li>No port filtering </li></ul><ul><li>Inconsistent patch strategy </li></ul><ul><li>No virus protection </li></ul><ul><li>Inconsistent HTTPS implementation </li></ul><ul><li>Many outside of the “network” department </li></ul><ul><li>No scanning for vulnerabilities </li></ul><ul><li>No disaster recovery plan </li></ul>
    22. 22. Layer 5 – Servers - After <ul><li>Servers in data center or managed by server group </li></ul><ul><li>HTTPS required for any sensitive data </li></ul><ul><li>Private IP addresses mapped to public via “conduit” in the firewall </li></ul><ul><li>Port filtered in the firewall, deny all, allow those required for specific services </li></ul><ul><li>Port filtered coming out of ResNet and student computer labs </li></ul><ul><li>Managed patch strategy, critical patches applied in 24 hours </li></ul><ul><li>Symantec Anti-Virus on servers </li></ul><ul><li>NetMail/CA eTrust anti-virus and RBL filtering for e-mail </li></ul><ul><li>GWAVA/Symantec Anti-Virus e-mail filtering </li></ul><ul><li>GWAVA attachment filtering </li></ul><ul><li>Routine Nessus scanning </li></ul><ul><li>Comprehensive disaster recovery plan </li></ul>
    23. 23. Layer 6 - Employee PCs <ul><li>After </li></ul><ul><ul><li>Private IP address via PAT/NAT </li></ul></ul><ul><ul><li>Managed Symantec Anti-Virus </li></ul></ul><ul><ul><li>“ Push” of critical Microsoft security patches via Novell ZenWorks </li></ul></ul><ul><ul><li>Nessus scanning </li></ul></ul><ul><li>Before </li></ul><ul><ul><li>Public IP address </li></ul></ul><ul><ul><li>No anti-virus </li></ul></ul><ul><ul><li>No patch management </li></ul></ul><ul><ul><li>No scanning </li></ul></ul>
    24. 24. Layer 7 - Social <ul><li>Before </li></ul><ul><ul><li>Little or no public awareness </li></ul></ul><ul><ul><li>No AUP </li></ul></ul><ul><ul><li>Loose user ID and password policies </li></ul></ul><ul><ul><li>“ It won’t happen here, we know everyone personally </li></ul></ul><ul><li>After </li></ul><ul><ul><li>Acceptable Use Policy </li></ul></ul><ul><ul><li>Accounts blocked after 3 failed log in attempts </li></ul></ul><ul><ul><li>Passwords changed every 180 days </li></ul></ul><ul><ul><li>Regular communication via online newspaper </li></ul></ul><ul><ul><li>Security education classes </li></ul></ul>
    25. 25. What’s on the radar screen? <ul><li>Spyware </li></ul><ul><li>PC firewall </li></ul><ul><li>Instant Messenging issues </li></ul><ul><li>VPN </li></ul><ul><li>Network access control </li></ul><ul><li>Two factor authentication </li></ul><ul><li>Security as it affects privacy issues </li></ul><ul><li>E-mail security </li></ul>
    26. 26. Conclusion <ul><li>Security team was the right approach for us </li></ul><ul><ul><li>Effective, no significant down-time except for Blaster/Welcia, fall 2003 </li></ul></ul><ul><ul><li>Cost-efficient </li></ul></ul><ul><ul><li>Diffused security awareness across the department </li></ul></ul><ul><ul><li>Developed security skills across ITS </li></ul></ul><ul><li>Security Infrastructure </li></ul><ul><ul><li>Cisco PIX firewall </li></ul></ul><ul><ul><li>Packeteer Packetshaper </li></ul></ul><ul><ul><li>Cisco VLANs/ACLs </li></ul></ul><ul><ul><li>Symantec Anti-Virus </li></ul></ul><ul><ul><li>Novell ZenWorks </li></ul></ul><ul><ul><li>GWAVA Anti-virus/attachment filtering </li></ul></ul><ul><ul><li>Nessus </li></ul></ul>
    27. 27. Discussion
    28. 28. Slide to link

    ×