A Multi-Zone Security Model


David Morton

Lori Stevens

17 October 2007

University of Washington

Multi-Zoned Security
  • Each Zone plays a role in security of system
  • Layered defenses within each Zone

Zones

Introduction

The Connector Zone

  • Joins networks together
  • Goals:
    • Protect the infrastructure
    • Low latency, high performance is key
    • Traffic is originated elsewhere
    • Connector policies establish rules
    • Examples: PNWGP, PacificWave

PacificWave Infrastructure

The Connector Zone

Pacific Wave Security

The Connector Zone

  • Since Pacific Wave is a layer-2 exchange, it cannot directly mitigate and address participant behavior above layer-2, such as:
    • using BGP-4 for peering
    • routing traffic without an established peering agreement
    • generating traffic other than IP
  • Must work together in order to collectively mitigate such activities
    • Develop processes and procedures for proper escalation in the event that malicious or unauthorized activities are discovered
  • Implement policies and protections to:
    • Limit the hosts/networks that can manage the network devices
    • Make use of token based login or one time passwords
    • Limit which network devices (by MAC) can directly connect


The Connector Zone

CZ Layered

Layered Security

Introduction

The Campus Zone

  • Aggregates users to the connector
  • Goals:
    • Stop “bad” traffic with no impact to “good”
    • Isolate threats from the community
    • Control SPAM, Phishing and virus threats
    • Provide extra layers of protection as needed
    • Mitigate security incidents quickly
    • Minimize the impacts

Infrastructure

The Campus Zone

  • 120,000 devices
  • NO PERIMETER FIREWALLS
  • IPS at the core

Intrusion Prevention

The Campus Zone

  • Tipping Point IPS
    • Rich rule set to block “bad” traffic
    • Blocked at least 70 million attacks in 2006
      • That’s nearly 185,000 attacks a day
    • Ability to route some traffic around IPS for performance or policy

Email Defense Options

The Campus Zone

  • Appliance
    • Easy to setup
    • Simplified maintenance
    • Less flexible
  • Software Solution
    • Often more flexible, extensible to meet needs
    • Separate hardware platform and OS to maintain

Spam at the UW

The Campus Zone

  • January daily volume avg: ~3,040,000 messages, 76.6% spam
  • August daily volume avg: ~4,100,000 messages, 80.1% spam
  • Sept daily volume avg: ~4,560,000 messages, 88.5% spam


The Campus Zone

Spam at the UW
  • As much spam this year as all mail processed in 2006 and nearly twice as much total mail as we processed from 2003-2005
  • Be prepared for growth!

Email-borne Viruses at the UW

The Campus Zone

  • 2003: 9,375,000 viruses detected in email
  • 2004: 20,000,000 viruses in email
  • 2007: 2,632,000 viruses
  • Not the threat it once was….

UW 2003-2006 Mail Stats

The Campus Zone

Network Firewalls

The Campus Zone

  • Two varieties
    • Logical Firewall
    • Subnet Firewall
  • Logical Firewall (self managed)
    • Selectively allows hosts to participate
    • http://staff.washington.edu/corey
  • Subnet Firewall (centrally managed)
    • Gibraltar (linux) or Cisco FW Services Module

Incident Response

The Campus Zone

  • Established incident response procedures
  • Automated protections against worms
  • Able to remotely capture network traffic
  • Partner with industry, peers, etc. for up-to-date intelligence

CampZ Layered

The Campus Zone

Layered Security

Introduction

The Dorm Zone

  • Student housing
  • Goals:
    • Protect Dorms from world
    • And the world from the Dorms :)
    • Provide high bandwidth for academics, etc.
    • Control illegal filesharing
    • Enforce administrative policies (i.e., no servers)

Infrastructure

The Dorm Zone

  • ~ 5,000 residents
  • IPS sandwich
  • Packeteer traffic shaper
  • Firewall policy enforcement

DormZ Layered

The Dorm Zone

Layered Security

Hosts: Defending Against Threats

The User/Host Zone

  • Anti-virus software is critical to keeping our networked hosts clean
    • configure to update itself automatically
    • use other features such as buffer overflow and web (http) browsing protection, where appropriate
  • Stay current on security updates and virus definitions/signatures


The User/Host Zone

Hosts: Defending Against Threats
  • Use complex passwords for critical devices, e.g. hosts, routers
  • Use logs to catch attacks or compromises
  • Software to detect inconsistencies
  • Best place for firewall as it’s easiest to define “good” traffic
    • can be complex to manage


The User/Host Zone

Hosts: Defending Against Threats
  • Isolation approach
    • Separate services across hosts
    • So one passwd doesn’t get you to everything
  • Block services that aren’t relevant
    • For example, block port 25/tcp to and from all hosts that are not mail servers
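
The port 25/tcp rule from this slide, written as a check over flow records. This is an added example, not part of the original presentation; the addresses, the flow-record layout, the function names and the choice to evaluate only flows crossing the campus border are assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions for this example: documentation-range addresses, the
# flow-record layout, and enforcement at the campus border only.
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")
MAIL_SERVERS = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}
SMTP_PORT = 25

# Constructed flow records: src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
192.0.2.10 40112 198.51.100.7 25 tcp
192.0.2.55 51820 198.51.100.7 25 tcp
192.0.2.55 51821 198.51.100.9 25 tcp
203.0.113.9 33400 192.0.2.11 25 tcp
203.0.113.9 33401 192.0.2.77 25 tcp
192.0.2.10 25 203.0.113.9 33402 tcp
192.0.2.55 51900 198.51.100.8 443 tcp
192.0.2.55 25 198.51.100.8 53 udp
not a flow record
"""

def parse_flow(line):
    """Return (src, sport, dst, dport, proto), or None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), int(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]), parts[4].lower())
    except ValueError:
        return None

def offending_host(flow):
    """Return the campus host breaking the 25/tcp rule, or None if allowed."""
    src, sport, dst, dport, proto = flow
    if proto != "tcp" or SMTP_PORT not in (sport, dport):
        return None                      # not SMTP: other policy decides
    campus = [ip for ip in (src, dst) if ip in CAMPUS_NET]
    if len(campus) != 1:
        return None                      # transit or intra-campus: out of scope
    return None if campus[0] in MAIL_SERVERS else campus[0]

def audit(text):
    """Return ({host: blocked_flow_count}, malformed_line_count)."""
    blocked, malformed = Counter(), 0
    for line in filter(str.strip, text.splitlines()):
        flow = parse_flow(line)
        if flow is None:
            malformed += 1
        elif (host := offending_host(flow)) is not None:
            blocked[str(host)] += 1
    return dict(blocked), malformed
```

Calling `audit(SAMPLE_FLOWS)` reports the two non-mail hosts that would hit the block, in either direction, while the mail servers' own traffic and the reply flow sourced from port 25 pass.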


The User/Host Zone

Hosts: Defending Against Threats
  • Security is part of everything
    • design, build, implement, and buy
  • Fewer compromises where pervasive layer protection implemented

DormZ Layered

The User/Host Zone

Layered Security

Questions?

David Morton [email protected] +1 (206) 221-7814

Lori Stevens [email protected] +1 (206) 685-6227

Resources

TippingPoint: http://www.tippingpoint.com/products_ips.html

PureMessage: http://sophos.com/products/enterprise/email/security-and-control/unix/index.html

General Security Info:
  • http://www.securityfocus.com/
  • http://www.sans.org/network_security.php
  • http://onguardonline.gov/index.html
