Presentation is loading. Please wait.

Presentation is loading. Please wait.

Firewalls, VPNs, and Intrusion Detection Systems in a University Environment Bob Winding, CISSP Information Security University of Notre Dame Copyright.

Published byDarcy Williamson Modified over 8 years ago

Similar presentations

Presentation on theme: "Firewalls, VPNs, and Intrusion Detection Systems in a University Environment Bob Winding, CISSP Information Security University of Notre Dame Copyright."— Presentation transcript:

1 Firewalls, VPNs, and Intrusion Detection Systems in a University Environment Bob Winding, CISSP Information Security University of Notre Dame Copyright Robert Winding 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Introduction History and Culture Security Zones A layered approach –Network and host firewalls –Network and host IDS –VPNs to group users and provide remote access Implementation Issues, outcomes, and evolution Q&A

3 History and Culture 12,000 Students, 3,000 employees, private institution Notre Dame launched its network with a Class B address space and no perceptible border Culture values the notions of convenience, “Unfettered access”, and privacy Security is not perceived to be an issue

4 History and Culture 3 years ago ND created an InfoSec group First step was to look at the network –Hacked servers –Viruses –Endless probing We had some near misses

5 Security Zones OIT decided that it would first protect assets it owned, and/or, that were housed in the datacenter The datacenter is considered one of several security zones Secure the datacenter with an eye on applying appropriate security to other campus entities

6 Zone Approach

7 Policy Ideally security controls would support specific policies ND has made some significant progress in this area, including a password strength policy, clear text credential policy, etc. As more specific policies are developed we rely on the acceptable use policy as the basis of our controls

8 Layered Approach

9 Tripwire @ ND Tripwire is termed both a host IDS and host integrity assurance tool It has both an open source variant, Tripwire Academic Source Release (ASR) and a commercial version The commercial version has security features that prevent the compromise of tripwire itself and provide central management

10 Tripwire @ ND Tripwire works by applying a tripwire policy to the file system of a server This policy can be thought of as extended file attributes Tripwire policies can monitor many attributes of files or directories

11 Tripwire @ ND Many compromises (rooting) of servers often change system files or registry settings Things like netstat, dir/ls, ps, etc. This is done to cover the hacker’s tracks The complexity in Tripwire is in the policy construction and management ND uses Tripwire as an after-the-fact alert that our other protections have failed

12 Firewalls Packet Filtering Stateful Inspection Application Proxy Host –McAfee Desktop Firewall –Windows 2003 IP Security –IP filters Network – Sidewinder and PIX

13 Host Firewalls Host based firewalls were selected and implemented for each platform used in the datacenter Host firewalls were implemented by individual support engineers based on templates developed in consultation with InfoSec The rulesets were designed to be liberal with outbound traffic and strict with inbound traffic

14 Host Firewalls Ruleset templates were developed for servers that would reside behind the firewall The desire was to simplify the ruleset and govern intra-zone peer traffic The basic principles are –Trust the firewall –Drop local LAN traffic not explicitly permitted (peer dependencies)

15 Datacenter Security

16 The Datacenter Firewall Secure Computing Sidewinder G2, in High Availability configuration Balance security and ruleset complexity –Highly constrained public service access –Group related services to reduce rules –All servers have basic net services outbound. –Monitoring and SysAdmin zones have special privilege Alerting and auditing detect problems early, ease management

17 Datacenter Security

18 VPN-SA and Monitor Zone The VPN for System Administrators Access granted by 2 factor authn/authz Can access any server via admin protocols or through an IP KVM Monitoring zone can access any server with defined monitoring protocols, snmp icmp, etc. Systems in these zones have no inbound public access

19 Core Services Zone This zone provides services to other servers Some direct database connections by “fat” client applications and “power user” administrators are allowed Backups via this zone are permitted To provide a compensating control access to these services are restricted by group VPN and or subnet

20 Admin-DMZ Zone This zone houses servers that support the administrative operations of the University Servers in this zone have some form of restricted access, by VPN or subnet The address restriction is tied to the audience, ex. Administrative Offices, Health Services, etc.

21 DMZ Zone This zone houses the publicly accessible services By public we mean there is no source address restriction These services can be accessed from anywhere in the world

22 NO-NAT DMZ Zone This zone houses servers whose services/protocols are broken by NAT All other “internal” zones are privately addressed

23 VPNs VPNs are used to group user traffic, provide remote access, and insure confidentiality where no other cryptography is employed A Cisco 3060 concentrator and FreeRADIUS server are integrated into our Enterprise Directory to provide Authentication and Authorization for VPN Groups The result is a trusted address that is used by the firewall to provide location independent access

24 Issues (General) Most early issues were the result of diverse opinions and philosophies among our engineering and security staff regarding security The tuning and management of Tripwire was problematic

25 Issues (FW) Knowledge of networking and host firewalls was limited among some our system administrators and the learning curve was a significant challenge Knowledge of how products work at the port/protocol level can be problematic ND’s unfamiliarity of FW performance and reliability

26 Issues (networking) Components of our network were designed for speed and or availability without consideration of security Retrofitting security devices like firewalls and IDS sensors is not always easy or completely effective.

27 Outcomes ND implemented major components of its security architecture We’ve migrated over 100 servers behind the firewall including ND’s new ERP system There have been no servers compromised behind the datacenter firewall ND has adopted build standards for servers and a fairly robust change control process

28 Outcomes IDS has become instrumental in detecting hacked machines and viruses IDS in conjunction with other devices is used to suppress viruses and encourage users to fix their machines through “SoftDisco” Security is becoming a proactive part of system design

29 Outcomes There is still some friction when security issues threaten a project deadline Areas like Operations, Networking, and Security need to work much more closely and complementary Policy development remains an area that requires a lot of effort

30 Evolution ND is implementing additional security zones with Cisco PIX and Sidewinder firewalls –Ticketing office –Police station and Hotel –Academic services We are still debating the issue of a general border firewall There is still debate over implementing a separate administrative network

31 Evolution SSL Termination Failover in the event of a major component failure, router, BigIP, Firewall Re-architecting the IDS

32 Questions?

Download ppt "Firewalls, VPNs, and Intrusion Detection Systems in a University Environment Bob Winding, CISSP Information Security University of Notre Dame Copyright."

Similar presentations

Network Security Essentials Chapter 11

Network Security Essentials Chapter 11
© Copyright Computer Lab Solutions 2006. All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.

© Copyright Computer Lab Solutions All rights reserved. Do you need usage information about your computer labs? Copyright Computer Lab Solutions.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Computer Security II Lecturer – Lynn Ackler – Office – CSC 222 – Office Hours 9:00 – 10:00 M,W Course – CS 457 – CS 557.

Computer Security II Lecturer – Lynn Ackler – Office – CSC 222 – Office Hours 9:00 – 10:00 M,W Course – CS 457 – CS 557.
Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University

Firewalls Dr.P.V.Lakshmi Information Technology GIT,GITAM University
Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau 2004. This work is the intellectual property of the authors. Permission is granted for.

Copyright Tom Parker, Ron DiNapoli, Andrea Beesing, Joy Veronneau This work is the intellectual property of the authors. Permission is granted for.
University of Notre Dame Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the.

University of Notre Dame Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright This work is the.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of.

Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright This work is the intellectual property of.
Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.

Property of the University of Notre Dame Navigating the Regulatory Maze: Notre Dame’s PCI DSS Solution EDUCAUSE Midwest Regional Conference March 17, 2008.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Module 3 Windows Server 2008 Branch Office Scenario.

Module 3 Windows Server 2008 Branch Office Scenario.
Firewall Configuration Strategies

Firewall Configuration Strategies
Firewall Planning and Design Chapter 1. Learning Objectives Understand the misconceptions about firewalls Realize that a firewall is dependent on an effective.

Firewall Planning and Design Chapter 1. Learning Objectives Understand the misconceptions about firewalls Realize that a firewall is dependent on an effective.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

Similar presentations

Ads by Google