www.more.net | University of Missouri


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • The Missouri Research and Education Network (MOREnet) provides Internet connectivity, access to Internet2, technical support, videoconferencing services and training to Missouri's K-12 schools, colleges and universities, public libraries, health care, state government and other affiliated organizations. Established in 1991, MOREnet operates as a unit within the University of Missouri , and is based in Columbia, Mo. The MOREnet network is the foundation infrastructure. Members of the education community interact with each other via data and video services; public sector business applications are built and conducted on it; and Missouri citizens interact with their state government through it. Significant number of tech people are lone ranger.
  • We have a Cisco 10000-series router at each hub to aggregate customer circuits and a Cisco 12000-series router to provide backbone routing. Each hub also has a Dell 2850 server for DNS services. MOREnet currently has two Internet providers: Qwest and Sprint. We have two OC12s (622Mbps) from each provider, one in St. Louis and one in Kansas City. (Ordering OC48 agg circuits CBR of 900MB) MOREnet also has an OC12 (622Mbps) to the Great Plains Network through which we get our Internet2 access. 9 GigE Agg circuits 25 OC3 Agg Circuits (155Mbps) 7 in KC/9 in St. L 1100 end point connections MPLS Inter-campus network for UM System entities with QOS for PeopleSoft QOS on backbone for video services and MOBIUS
  • The things that I am going to talk about are not all technology solutions. We work very hard on education of our members because in the end, that is what lessens out work load. I am going to talk about the technology we use as well as the education we do for our user community.
  • abuse@ and security@ for multiple class B networks. phone support for districts that don’t have a lot of technical knowledge. Netflow reports that watch for certain ports for sort of an advance notification. For ethereal captures - relate story of Hermann. Spammer using their firewall box. sniffer on inside didn’t see anything, sniffer on outside did. hours of pouring thru ethereal captures to find out how they were using a hole inside the firewall to send out spam.
  • members don’t control their own routers so we do things they would do if they could. started 2 years ago. Mostly voluntary if lots of problem, we will sign them up for the service. need numbers of sites that have signed up.
  • Average attendance of about 50 people each month (125 highest attendance) Average of 10-15 playback
  • Sgt Joe Laramie – Internet Crimes Against Children Task Force Det Andy Anderson – Boone County Internet Crimes Task Force Chief Investigator Public Safety Chris Pickering – MO Attorney General Office
  • Security Community – being used to discuss disaster recovery efforts within Boone County. People know who to call and are comfortable asking for help. Relate story of Maryville and Columbia College being used as hot sites for each other.
  • Per e-mail domain (MX record): 1-999 e-mail addresses: $595 1,000 or more e-mail addresses: $1095 Organizations that subscribe to this service after the beginning of the fiscal year will be billed on a prorated by month basis. Postfix is the central feature. First, it checks a DNS-based blacklist that we maintain. Then, it checks policyd. Policyd keeps its information in MySQL. When an email clears those hurdles, the email is sent on to Amavisd-new for some of its checks and attachment parsing. Amavisd-new then has ClamAV scan attachments, if any, for viruses. That is it in a nutshell. 120 EVSF alone – 158 kinetic alone – 278 combining both – most of which are K-12s 83% effective spam removal 2-3 Million messages per day filtered
  • 143 – 2006 133 – 2005 Keynote – John Mallery – 2006 Marty Roesch - 2005
  • usually have a Security Track with average 60 attendees Typically do 10-12 presentations, some hands on
  • Everyone wants firewall management but no one wants to pay for it We filed to be CALEA complaint, but no members filed. TTPs want us to be a TTP for members, but members believe they are private networks. Even though some of these didn’t work, we got some volume purchase agreements in place that gave members better pricing.
  • www.more.net | University of Missouri

    1. 1. Statenet Security on the cheap and easy Beth Young MOREnet Security [email_address]
    2. 2. Objectives <ul><li>Introduction </li></ul><ul><li>What is MOREnet </li></ul><ul><li>Free security services </li></ul><ul><li>Cheap security services </li></ul>
    3. 3. Beth Young <ul><li>Network Security Analyst </li></ul><ul><li>Certified Information System Security Professional (CISSP) </li></ul><ul><li>MOREnet 6 years </li></ul>
    4. 4. What is MOREnet? Missouri Research and Education network <ul><li>ISP for </li></ul><ul><ul><li>K-12 (515), </li></ul></ul><ul><ul><li>higher education (67), </li></ul></ul><ul><ul><li>state libraries (131), </li></ul></ul><ul><ul><li>state government </li></ul></ul><ul><li>Technical support </li></ul><ul><li>Training </li></ul><ul><li>Incident Response </li></ul><ul><li>Video conferencing </li></ul>
    5. 6. Hub Site Services <ul><li>DNS </li></ul><ul><li>Netflow Collectors </li></ul><ul><li>Internet Content Filtering Servers </li></ul><ul><li>E-mail/Web Hosting Servers </li></ul><ul><li>Akamai Servers </li></ul><ul><li>Ruckus Servers </li></ul><ul><li>Multi-Point Conference Units (video) </li></ul>
    6. 7. It isn’t all about the technology
    7. 8. Free Services <ul><li>Incident Response </li></ul><ul><li>Blackhole DNS </li></ul><ul><li>Good Net Neighbor Phase I </li></ul><ul><li>Good Net Neighbor Phase II </li></ul><ul><li>Network Monitoring tools </li></ul><ul><li>Single machine nmap scan </li></ul><ul><li>Open Mail Relay testing </li></ul><ul><li>Monthly Web Seminars </li></ul><ul><li>Security Awareness </li></ul>
    8. 9. Incident response <ul><li>Wait, don’t we all do incident response? </li></ul><ul><ul><li>Reading SecCheck logs </li></ul></ul><ul><ul><li>Reviewing email headers </li></ul></ul><ul><ul><li>Bandwidth reviews </li></ul></ul><ul><ul><li>Netflow reviews </li></ul></ul><ul><ul><li>Ethereal captures </li></ul></ul>
    9. 10. Blackhole DNS http://www.bleedingthreats.net/blackhole-dns/ <ul><li>Another BIND process on current DNS servers </li></ul><ul><li>No changes to the downloaded zone files </li></ul><ul><li>cron job to download/update </li></ul><ul><li>DHCP scope change </li></ul>
    10. 11. Good Net Neighbor – Phase I <ul><li>Block Microsoft file and print sharing ports (135, 137-139, 445) </li></ul><ul><li>Protect members from common viruses </li></ul><ul><li>Stopped a lot of “nuisance” calls </li></ul>
    11. 12. Good Net Neighbor – Phase II <ul><li>Block outbound port 25 traffic except from approved mail servers </li></ul>
    12. 13. Network Monitoring tools <ul><li>Behind our secure portal – MyMOREnet </li></ul><ul><li>Access to MRTG graphs </li></ul><ul><li>Access to Netflow reports </li></ul>
    13. 14. Single machine NMAP scan <ul><li>Behind our secure portal – MyMOREnet </li></ul><ul><li>Only scans the machine you are logged into </li></ul><ul><li>Set a time-out value of 5 minutes </li></ul><ul><li>Can email the report to us for review </li></ul>
    14. 15. Open Mail Relay Test <ul><li>Custom PERL script </li></ul><ul><li>Does 55 tests </li></ul><ul><li>Still occasionally find a misconfigured mail server </li></ul>
    15. 16. Monthly Web Seminars <ul><li>CENTRA product for application sharing </li></ul><ul><li>Any topic can be covered </li></ul><ul><ul><li>Securing Windows </li></ul></ul><ul><ul><li>Securing Linux </li></ul></ul><ul><ul><li>Social Networking do’s and don’ts </li></ul></ul><ul><ul><li>CALEA </li></ul></ul><ul><ul><li>Law Enforcement requests </li></ul></ul><ul><ul><li>Using NMAP and Ethereal </li></ul></ul>
    16. 17. Security Awareness <ul><li>Cyber Security Awareness Month </li></ul><ul><ul><li>Regional Site Visits </li></ul></ul><ul><ul><li>On-line games/scavenger hunts </li></ul></ul><ul><ul><li>Booth at State Teacher Conference </li></ul></ul><ul><ul><li>Internet Safety Night </li></ul></ul><ul><ul><li>Internal Tips </li></ul></ul><ul><li>Internet Safety Night – April 10, 2007 </li></ul><ul><li>http://besafe.more.net </li></ul>
    17. 18. Communication and outreach <ul><li>Security contact at each organization </li></ul><ul><li>Email lists </li></ul><ul><ul><li>Security-l </li></ul></ul><ul><ul><li>MERC-security </li></ul></ul><ul><li>Web site </li></ul><ul><ul><li>breaking news links </li></ul></ul><ul><ul><li>MOREnet status indicator </li></ul></ul><ul><li>Community outreach </li></ul><ul><ul><li>InfraGard </li></ul></ul><ul><ul><li>Security Community </li></ul></ul>
    18. 19. Cheap Services <ul><li>Email Virus and Spam Filtering </li></ul><ul><li>Remote Vulnerability Assessment </li></ul><ul><li>Security Symposium </li></ul><ul><li>SANS@EDU conferences </li></ul><ul><li>MOREnet Connections and HELIX conference </li></ul>
    19. 20. Email Virus and Spam Filtering <ul><li>Solution for hosted mail and web </li></ul><ul><li>Able to expanded to others with little additional effort </li></ul><ul><li>ClamAV </li></ul><ul><li>Greylisting, policyd, other open source products </li></ul>
    20. 21. Remote Vulnerability Assessment <ul><li>Nessus scan </li></ul><ul><li>Nikto report </li></ul><ul><li>Distilled into “human readable” format </li></ul><ul><li>Instructions on mitigating vulnerability </li></ul>
    21. 22. Security Symposium <ul><li>“What works” type sessions from MOREnet members </li></ul><ul><li>Cost covers hotel and breaks so usually $150-200 for 1.5 days </li></ul>
    22. 23. Connections and Helix conferences <ul><li>Held in conjunction </li></ul><ul><li>Spring time - usually over spring break </li></ul><ul><li>Connections - K-12 </li></ul><ul><li>Helix - Higher education </li></ul>
    23. 24. Other Training opportunities <ul><li>SANS@EDU conference </li></ul><ul><ul><li>2006 – 508 Forensics </li></ul></ul><ul><ul><li>2007 – 504 Hacking Techniques, IR </li></ul></ul><ul><ul><li>2007 – 505 Securing Windows </li></ul></ul><ul><ul><li>2008 – ?? </li></ul></ul>
    24. 25. Things that didn’t work so well <ul><li>Firewall Management </li></ul><ul><li>CALEA compliance </li></ul><ul><li>Centralized Anti-Virus </li></ul><ul><li>Comprehensive Network Security Service </li></ul>
    25. 26. Where do we go from here? <ul><li>SANS Mentoring program </li></ul><ul><li>Darknet project </li></ul><ul><li>Writing Security Policy workshop </li></ul><ul><li>Expand Good Net Neighbor Policy </li></ul>
    26. 27. Questions? <ul><li>Beth Young </li></ul><ul><li>(573) 884-9396 </li></ul><ul><li>[email_address] </li></ul><ul><li>http://www.more.net/security </li></ul>