Developing an effective affordable security infrastructure in a small college environment
PowerPoint Slideshow about 'Developing an Effective Affordable Security Infrastructure in a Small College Environment' - adamdaniel
Presentation Transcript

About Penn College

  • Williamsport Technical Institute, founded 1941

  • Williamsport Area Community College, founded 1965

  • Pennsylvania College of Technology, founded 1989

  • Special Mission Affiliate of Penn State University

  • Accredited - Middle States Association of Colleges and Schools

  • 6,358 headcount - 5,891 FTE

  • 288 FTE faculty, 518 FTE staff

  • B.S., A.S. and certificate degrees in over 100 majors

  • Specialize in vocational and technology-based education

  • Strong focus on small class sizes and hands-on instruction

  • www.pct.edu


Williamsport, PA


IT Infrastructure

  • 2,600 College-owned computers, 1,400 student-owned computers in residential complexes

  • 1,600 computers in 50+ academic computer labs, student to computer ratio of 4:1

  • Standard computer lab software includes Microsoft Windows XP, Office 2003, NetMail POP3 e-mail system


IT Infrastructure (cont'd)

  • 1,000 staff/faculty PCs

  • Standard employee image: Windows XP, Office 2003, Novell GroupWise, iSeries client

  • Novell Directory Services (NDS)

  • IBM iSeries mainframe, home-grown legacy administrative applications

  • WebCT, Sirsi, eRecruiting, Raiser’s Edge, Cbord Odyssey, EBMS

  • 25 Novell, 15 Microsoft, 3 Linux, 1 Sun, 1 AIX server


IT Infrastructure (cont'd)

  • 100% Cisco network infrastructure except for Packeteer Packetshaper

  • Fast Ethernet via CAT5 for all building LANs, Gigabit Ethernet via fiber for backbone

  • Dual Cisco 6500s for redundant core

  • Fractional T-3 (30 Mbps) Internet service

  • Dial-up Internet access provided for employees, not students

  • About 50% wireless coverage


Campus Network Layout


Information Technology Services - Organization (50 employees)

  • Desktop Computing

  • Academic Computing

  • Technical Support/Help Desk

  • Technical Writer/Trainer

  • Administrative Information Systems

  • Network Applications

  • Mail & Document Services

  • Media Services

  • Telecommunications


Post Y2K IT Security "Problem"

  • Increasing threats from viruses, trojans, worms, hackers, etc.

  • Lack of security standards

  • No coordinated security response

  • Poor security awareness

  • Minimal security policy

  • No security testing


The "Challenge"

  • Limitations

    • Budget

    • Staff

    • Time

  • Large backlog of post Y2K projects

  • Balancing security effectiveness with efficient resource management


Solution Analysis

  • Dedicated security staff vs. security team

  • Advantages of team approach:

    • Utilizes existing staff and expertise

    • Spreads/diffuses the importance of security across all functional IT areas

    • Funded through existing budgets

  • Disadvantages:

    • No centralized focus/authority

    • Long lead time to develop expertise

    • Staff time directed away from other projects

    • Not invented here syndrome


The "Solution"

  • IT management recommended forming a campus “security team.”

  • Each area of the IT department committed one employee and a percentage of its budget.

  • A senior manager was designated to provide leadership and coordination of this team effort.

  • The team met weekly over an initial 18 month period, then bi-weekly.

  • Rotating duty officer/CERT format


The Context

  • Risk vs. investment

  • Scope and impact for priority

  • Mitigating risk factors

    • Administrative data locked up in IBM iSeries (AS/400)

    • GroupWise e-mail system

    • Institutional policy requiring data files to be stored on network drives

    • Centralized IT management and budget culture


7-Layer Security Approach

  • Layer 1 - Physical

  • Layer 2 - Internet

  • Layer 3 - Network

  • Layer 4 - ResNet

  • Layer 5 - Servers

  • Layer 6 - Employee PCs

  • Layer 7 - Social


Layer 1 - Physical

  • Before

    • Distributed servers, not physically secured, some actually in staff/faculty offices

    • Network components not secured

    • Minimal UPS protection

  • After

    • Most non-academic servers moved to a secured data center; backup generator

    • Wiring closets secured

    • UPS for all servers and network equipment


Layer 2 - Internet

  • Before

    • Internet router with public IP addresses

    • No filtering of ports

  • After

    • Cisco PIX firewall, initially with PAT (all inside hosts sharing one public address); later acquired additional public IPs and changed to NAT (still occasional translation problems that require a "clear xlate")

    • Access control list on Internet router (example)

    • Packeteer - Although purchased for bandwidth control, provides another layer of “protection” and “detection”


Internet Router ACL

! The ACL lines below are as shown on the slide; the "!" comment lines are
! editorial annotations. Entries are evaluated top-down, first match wins,
! and the list is meant for the inbound direction of the Internet-facing
! interface.

! Return traffic for TCP sessions opened from inside. "established" only
! checks that ACK or RST is set; it is a flag test, not stateful inspection.
! The destination network on this line appears to have been redacted on the
! slide (0.0.0.0 with wildcard 255.255.255.0 would match any address ending
! in .0), so read it as "the college's public range".
access-list 115 permit tcp any 0.0.0.0 255.255.255.0 established

! Anti-spoofing: drop packets arriving from the Internet that claim a private
! (RFC 1918), loopback, multicast or unspecified source, or one of what are
! evidently the college's own public ranges (12.23.198.0/24, 12.23.199.0/24),
! which can only legitimately originate inside.
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 224.0.0.0 15.255.255.255 any
access-list 115 deny ip host 0.0.0.0 any
access-list 115 deny ip 12.23.198.0 0.0.0.255 any
access-list 115 deny ip 12.23.199.0 0.0.0.255 any

! Drop packets aimed at any .255 directed-broadcast address (smurf-style
! amplification).
access-list 115 deny ip any 0.0.0.255 255.255.255.0

! Microsoft RPC, NetBIOS and SMB: 135, 137-139, 445, and 593 (RPC over HTTP
! endpoint mapper). The Blaster worm of fall 2003 exploited RPC on 135,
! opened a shell on 4444 and fetched its payload with TFTP (69); all three
! are blocked here.
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny tcp any any eq 137
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny tcp any any eq 138
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny udp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny udp any any eq 593
access-list 115 deny tcp any any eq 3333
access-list 115 deny udp any any eq 3333
access-list 115 deny tcp any any eq 4444
access-list 115 deny udp any any eq 4444
access-list 115 deny tcp any any eq 69
access-list 115 deny udp any any eq tftp

! SNMP (161/162) must never be reachable from the Internet; 1900/5000 are
! Windows UPnP/SSDP; the remaining ports are other worm/backdoor ports of the
! period.
access-list 115 deny tcp any any eq 161
access-list 115 deny udp any any eq snmp
access-list 115 deny tcp any any eq 162
access-list 115 deny udp any any eq snmptrap
access-list 115 deny udp any any eq 1993
access-list 115 deny tcp any any eq 1900
access-list 115 deny udp any any eq 1900
access-list 115 deny tcp any any eq 5000
access-list 115 deny udp any any eq 5000
access-list 115 deny udp any any eq 8998

! Ping is still allowed in both directions.
access-list 115 permit icmp any any echo
access-list 115 permit icmp any any echo-reply

! Everything else is dropped and logged; log-input also records the ingress
! interface and source MAC. Note that, as listed, no entry permits new inbound
! TCP sessions, so they fall through to this deny.
access-list 115 deny ip any any log-input


Layer 3 – Network - Before

  • 10.x.x.x organized geographically; each “building complex” has a subnet; 10.1.x.x, 10.2.x.x, 10.3.x.x, etc.

  • Any to any routing philosophy

  • Simple telnet to devices

  • No central security scheme


Layer 3 – Network - After

  • 100% VLAN scheme established

  • VLANs based on computer/user role:

    • 10.1.x.x network equipment

    • 10.2.x.x servers

    • 10.3.x.x printers

    • 10.4.x.x staff

    • 10.100.x.x ResNet

    • Etc.

  • Internet-style ACLs applied to traffic leaving each VLAN

  • Traffic denied entering a VLAN if there is no reason for it

  • Extended today to separate VLANs for point-of-sale stations, HVAC, wireless and dial-up, each with its own ACL

  • SSH required to access devices; user IDs/passwords coordinated through a Cisco ACS server that authenticates against our NDS via LDAP
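As an added illustration, and not configuration from the Penn College presentation, the following Cisco IOS fragment shows the management-plane settings the "After" slide describes: SSH only on the VTY lines, logins checked against a Cisco ACS server (reached here with TACACS+) and management sessions accepted only from the network-equipment subnet. The hostname, domain, ACS address 10.2.0.5, the fallback account and the shared secrets are assumptions.

```cisco
! Added example (not the college's configuration): management-plane hardening
! for a Cisco IOS switch or router as described on the Layer 3 "After" slide.
! Assumed values: hostname, ACS server 10.2.0.5 on the server VLAN, management
! stations on the network-equipment subnet 10.1.0.0/16.
hostname core-sw1
ip domain-name pct.edu
service password-encryption
!
! SSH needs an RSA key pair; generate it once from exec mode:
!   crypto key generate rsa modulus 2048
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! AAA: login and enable authentication go to the ACS server (TACACS+); the
! local account is consulted only if no ACS server answers, so an ACS outage
! does not lock administrators out of the core.
aaa new-model
username emergency privilege 15 secret <local-fallback-password>
tacacs-server host 10.2.0.5 key <shared-secret>
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Only the network-equipment/management subnet may open a session to the
! device, and only with SSH; telnet is gone from every VTY line.
ip access-list standard MGMT-HOSTS
 permit 10.1.0.0 0.0.255.255
 deny   any log
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 10 0
 login authentication default
!
! Checks after applying:
!   show ip ssh                                   - version 2 enabled?
!   show tacacs                                   - ACS reachable, counters?
!   test aaa group tacacs+ <user> <password> legacy  - end-to-end login test
```

With "login authentication default" on the VTY lines and "transport input ssh", a telnet attempt is refused by the line itself before any password prompt, and every successful or failed login is accounted at the ACS server rather than only in the device's local log.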


Layer 4 – ResNet

  • Before

    • Normal network subnet

    • No restrictions

    • ISP attitude

    • No scanning

  • After – version 1

    • Single VLAN

    • ACL limited access to other campus VLANs

  • After – version 2

    • VLAN per 48-port switch

    • Internet-style ACL "rule set" to block known bad ports such as 445

    • Routine scanning and quarantining
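The ResNet ACL, as an added example serving both the Layer 3 "After" slide (Internet-style ACLs on traffic leaving a role-based VLAN) and the Layer 4 "version 2" slide (one VLAN per 48-port switch, known-bad ports blocked); it is not the college's own rule set. It blocks the worm ports regardless of destination, admits only the services a dorm PC needs from the server VLAN, denies everything else on campus, and lets the VLAN's own addresses out to the Internet so that spoofed sources fall through to the final deny. The per-role subnets follow the slide; the VLAN number, the server addresses and the choice of permitted services are assumptions.

```cisco
! Added example (not the college's configuration): ACL for one ResNet VLAN,
! applied "in" on the SVI, i.e. on traffic as it leaves the VLAN toward the
! rest of the network. Addressing follows the slide's scheme: 10.1.0.0/16
! network equipment, 10.2.0.0/16 servers, 10.3.0.0/16 printers, 10.4.0.0/16
! staff, ResNet VLANs carved from 10.100.0.0/16 (one /24 per 48-port switch).
! The server addresses (DNS 10.2.0.10/.11, mail 10.2.0.20, web 10.2.0.30)
! and VLAN 101 are assumptions.
ip access-list extended RESNET-OUT
 remark Known-bad ports blocked whatever the destination (worm propagation)
 deny   tcp any any eq 135
 deny   udp any any eq 135
 deny   tcp any any range 137 139
 deny   udp any any range 137 139
 deny   tcp any any eq 445
 deny   udp any any eq 445
 deny   tcp any any eq 4444
 deny   udp any any eq tftp
 remark Services a dorm PC actually needs from the server VLAN
 permit udp 10.100.1.0 0.0.0.255 host 10.2.0.10 eq domain
 permit udp 10.100.1.0 0.0.0.255 host 10.2.0.11 eq domain
 permit tcp 10.100.1.0 0.0.0.255 host 10.2.0.20 eq pop3
 permit tcp 10.100.1.0 0.0.0.255 host 10.2.0.20 eq smtp
 permit tcp 10.100.1.0 0.0.0.255 host 10.2.0.30 eq www
 permit tcp 10.100.1.0 0.0.0.255 host 10.2.0.30 eq 443
 remark No reason for dorm traffic to reach network gear, other servers,
 remark printers, staff PCs or other ResNet VLANs; log the campus-side hits
 deny   ip any 10.1.0.0 0.0.255.255 log
 deny   ip any 10.2.0.0 0.0.255.255 log
 deny   ip any 10.3.0.0 0.0.255.255 log
 deny   ip any 10.4.0.0 0.0.255.255 log
 deny   ip any 10.100.0.0 0.0.255.255
 remark Everything else (the Internet) is allowed, but only from this VLAN's
 remark own /24, so a spoofed source address hits the final deny instead
 permit ip 10.100.1.0 0.0.0.255 any
 deny   ip any any log
!
interface Vlan101
 description ResNet - one 48-port switch
 ip address 10.100.1.1 255.255.255.0
 ip access-group RESNET-OUT in
 no ip directed-broadcast
 no ip proxy-arp
!
! "show access-lists RESNET-OUT" shows per-entry hit counts; a climbing count
! on the 445 or 4444 lines from one VLAN is the cue to scan that switch's
! hosts and quarantine the infected ones.
```

Because the list is applied "in" on the SVI it only governs what leaves the VLAN; the slide's other rule, denying traffic entering a VLAN that has no reason to be there, is a second list applied "out" on the same interface, listing the return traffic and server-initiated flows that are actually expected.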


Layer 5 – Servers - Before

  • Public IP address via firewall conduit

  • Distributed physically

  • No port filtering

  • Inconsistent patch strategy

  • No virus protection

  • Inconsistent HTTPS implementation

  • Many outside of the “network” department

  • No scanning for vulnerabilities

  • No disaster recovery plan


Layer 5 – Servers - After

  • Servers in data center or managed by server group

  • HTTPS required for any sensitive data

  • Private IP addresses mapped to public via “conduit” in the firewall

  • Port filtered in the firewall, deny all, allow those required for specific services

  • Port filtered coming out of ResNet and student computer labs

  • Managed patch strategy, critical patches applied in 24 hours

  • Symantec Anti-Virus on servers

  • NetMail/CA eTrust anti-virus and RBL filtering for e-mail

  • GWAVA/Symantec Anti-Virus e-mail filtering

  • GWAVA attachment filtering

  • Routine Nessus scanning

  • Comprehensive disaster recovery plan
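Added example for the Layer 2 and Layer 5 slides, not the college's PIX configuration: PIX 6.x syntax for the PAT-to-NAT transition, the static mappings that put privately addressed servers behind public addresses, and the "conduits" that open only the ports each service needs. The 12.23.198.0/24 range is the one the router ACL on this page denies as a spoofed inbound source; the inside addresses, the exposed services and the pool boundaries are assumptions.

```cisco
! Added example (not the college's PIX configuration), PIX 6.x syntax.
! Assumed: outside 12.23.198.0/24 (from the router ACL on the page), inside
! network 10.0.0.0/8, web server 10.2.0.30, mail server 10.2.0.20.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 12.23.198.1 255.255.255.0
ip address inside 10.2.0.1 255.255.0.0
!
! --- Outbound translation ---
! Version 1 (PAT): every inside host shares the single public address .2;
! the PIX rewrites source ports, so the firewall, not the host, is what the
! Internet sees. Kept here commented out for comparison.
! nat (inside) 1 10.0.0.0 255.0.0.0
! global (outside) 1 12.23.198.2 netmask 255.255.255.0
!
! Version 2 (dynamic NAT): with the additional addresses acquired later,
! each active inside host draws its own public address from the pool and
! falls back to PAT on .2 only when the pool is exhausted. Existing
! translation slots are not rebuilt when nat/global lines change; run
! "clear xlate" afterwards (the "XLATE clear" the Layer 2 slide mentions).
nat (inside) 1 10.0.0.0 255.0.0.0
global (outside) 1 12.23.198.100-12.23.198.200 netmask 255.255.255.0
global (outside) 1 12.23.198.2 netmask 255.255.255.0
!
! --- Public servers: private address mapped 1:1 to a public one ---
static (inside,outside) 12.23.198.30 10.2.0.30 netmask 255.255.255.255 0 0
static (inside,outside) 12.23.198.20 10.2.0.20 netmask 255.255.255.255 0 0
!
! --- Inbound policy: outside-to-inside is denied unless a conduit permits
! it, so listing only the service ports gives "deny all, allow required".
conduit permit tcp host 12.23.198.30 eq www any
conduit permit tcp host 12.23.198.30 eq https any
conduit permit tcp host 12.23.198.20 eq smtp any
conduit permit tcp host 12.23.198.20 eq pop3 any
! Deliberately absent: no conduit for 135-139/445, SNMP or remote-console
! ports, so the static mapping exposes nothing but the service itself.
!
! Checks:
!   show xlate     - translation slots in use (pool exhaustion shows as PAT)
!   show conduit   - per-conduit hit counts
!   show static    - the 1:1 mappings
```

The conduit form matches the wording on the slides; on PIX 5.x/6.x the same policy can be written as an access-list applied with access-group on the outside interface, and PIX 7.0 removed conduit entirely, so a migration rewrites each conduit line into that form.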


Layer 6 - Employee PCs

  • Before

    • Public IP address

    • No anti-virus

    • No patch management

    • No scanning

  • After

    • Private IP address via PAT/NAT

    • Managed Symantec Anti-Virus

    • "Push" of critical Microsoft security patches via Novell ZENworks

    • Nessus scanning


Layer 7 - Social

  • Before

    • Little or no public awareness

    • No AUP (acceptable use policy)

    • Loose user ID and password policies

    • "It won't happen here, we know everyone personally"

  • After

    • Acceptable Use Policy

    • Accounts blocked after 3 failed login attempts

    • Passwords changed every 180 days

    • Regular communication via online newspaper

    • Security education classes


What's on the radar screen?

  • Spyware

  • PC firewall

  • Instant Messaging issues

  • VPN

  • Network access control

  • Two factor authentication

  • Security as it affects privacy issues

  • E-mail security


Conclusion

  • Security team was the right approach for us

    • Effective: no significant downtime except for Blaster/Welchia, fall 2003

    • Cost-efficient

    • Diffused security awareness across the department

    • Developed security skills across ITS

  • Security infrastructure

    • Cisco PIX firewall

    • Packeteer PacketShaper

    • Cisco VLANs/ACLs

    • Symantec Anti-Virus

    • Novell ZENworks

    • GWAVA anti-virus/attachment filtering

    • Nessus


Discussion
