
A Multi-Zone Security Model




Presentation Transcript


  1. A Multi-Zone Security Model
     David Morton, Lori Stevens
     17 October 2007
     University of Washington

  2. Multi-Zoned Security
     • Each Zone plays a role in the security of the system
     • Layered defenses within each Zone

  3. Zones

  4. Introduction: The Connector Zone
     • Joins networks together
     • Goals:
       • Protect the infrastructure
       • Low latency, high performance is key
     • Traffic is originated elsewhere
     • Connector policies establish rules
     • Examples: PNWGP, PacificWave

  5. PacificWave Infrastructure: The Connector Zone

  6. Pacific Wave Security: The Connector Zone
     • Since Pacific Wave is a layer-2 exchange, it cannot directly mitigate and address participant behavior above layer 2, such as:
       • using BGP-4 for peering
       • routing traffic without an established peering agreement
       • generating traffic other than IP
     • Participants must work together in order to collectively mitigate such activities
     • Develop processes and procedures for proper escalation in the event that malicious or unauthorized activities are discovered
     • Implement policies and protections to:
       • Limit the hosts/networks that can manage the network devices
       • Make use of token-based login or one-time passwords
       • Limit which network devices (by MAC) can directly connect

  7. The Connector Zone: Layered Security

  8. Introduction: The Campus Zone
     • Aggregates users to the connector
     • Goals:
       • Stop “bad” traffic with no impact to “good”
       • Isolate threats from the community
       • Control spam, phishing and virus threats
       • Provide extra layers of protection as needed
       • Mitigate security incidents quickly
       • Minimize the impacts

  9. Infrastructure: The Campus Zone
     • 120,000 devices
     • NO PERIMETER FIREWALLS
     • IPS at the core

  10. Intrusion Prevention: The Campus Zone
     • TippingPoint IPS
     • Rich rule set to block “bad” traffic
     • Blocked at least 70 million attacks in 2006
       • That’s nearly 185,000 attacks a day
     • Ability to route some traffic around the IPS for performance or policy reasons

  11. Email Defense Options: The Campus Zone
     • Appliance
       • Easy to set up
       • Simplified maintenance
       • Less flexible
     • Software solution
       • Often more flexible, extensible to meet needs
       • Separate hardware platform and OS to maintain

  12. Spam at the UW: The Campus Zone
     • January daily volume avg: ~3,040,000 messages, 76.6% spam
     • August daily volume avg: ~4,100,000 messages, 80.1% spam
     • September daily volume avg: ~4,560,000 messages, 88.5% spam

  13. Spam at the UW: The Campus Zone
     • As much spam this year as all mail processed in 2006, and nearly twice as much total mail as we processed from 2003-2005
     • Be prepared for growth!

  14. Email-borne Viruses at the UW: The Campus Zone
     • 2003: 9,375,000 viruses detected in email
     • 2004: 20,000,000 viruses in email
     • 2007: 2,632,000 viruses
     • Not the threat it once was…

  15. UW 2003-2006 Mail Stats: The Campus Zone

  16. Network Firewalls: The Campus Zone
     • Two varieties
       • Logical Firewall
       • Subnet Firewall
     • Logical Firewall (self managed)
       • Selectively allows hosts to participate
       • http://staff.washington.edu/corey
     • Subnet Firewall (centrally managed)
       • Gibraltar (Linux) or Cisco Firewall Services Module

  17. Incident Response: The Campus Zone
     • Established incident response procedures
     • Automated protections against worms
     • Able to remotely capture network traffic
     • Partner with industry, peers, etc. for up-to-date intelligence

  18. The Campus Zone: Layered Security

  19. Introduction: The Dorm Zone
     • Student housing
     • Goals:
       • Protect the Dorms from the world
       • And the world from the Dorms :)
       • Provide high bandwidth for academics, etc.
       • Control illegal filesharing
       • Enforce administrative policies (i.e. no servers)

  20. Infrastructure: The Dorm Zone
     • ~5,000 residents
     • IPS sandwich
     • Packeteer traffic shaper
     • Firewall policy enforcement

  21. The Dorm Zone: Layered Security

  22. Hosts: Defending Against Threats (The User/Host Zone)
     • Anti-virus software is critical to keeping our networked hosts clean
       • Configure it to update itself automatically
       • Use other features such as buffer overflow and web (HTTP) browsing protection, where appropriate
     • Stay current on security updates and virus definitions/signatures

  23. Hosts: Defending Against Threats (The User/Host Zone)
     • Use complex passwords for critical devices, e.g. hosts, routers
     • Use logs to catch attacks or compromises
       • Software to detect inconsistencies
     • The host is the best place for a firewall, as it’s easiest to define “good” traffic there
       • Can be complex to manage
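Added example, not part of the presentation: "use logs to catch attacks or compromises" is the kind of host-side check that a short script can make concrete. The script below parses sshd authentication lines from a constructed sample log (host name, user names and RFC 5737 addresses are made up), flags a source that produces a burst of failed logins inside a time window, and escalates the finding to critical when an accepted login from the same source follows the burst, which is the case that indicates a likely compromise rather than noise. The threshold, window and the assumed log year are illustrative parameters.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines for illustration; the host name, user names
# and addresses (RFC 5737 documentation ranges) are made up, not taken from
# the presentation.
SAMPLE_LOG = """\
Oct 17 09:00:01 host1 sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 40122 ssh2
Oct 17 09:00:03 host1 sshd[1202]: Failed password for invalid user oracle from 192.0.2.10 port 40123 ssh2
Oct 17 09:00:04 host1 sshd[1203]: Failed password for root from 192.0.2.10 port 40124 ssh2
Oct 17 09:00:06 host1 sshd[1204]: Failed password for root from 192.0.2.10 port 40125 ssh2
Oct 17 09:00:07 host1 sshd[1205]: Failed password for root from 192.0.2.10 port 40126 ssh2
Oct 17 09:00:09 host1 sshd[1206]: Accepted password for root from 192.0.2.10 port 40127 ssh2
Oct 17 09:15:00 host1 sshd[1300]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Oct 17 09:15:20 host1 sshd[1301]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
Oct 17 09:16:00 host1 cron[1400]: (root) CMD (run-parts /etc/cron.hourly)
"""

# One sshd authentication result line; lines from other daemons are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Syslog timestamps carry no year; a fixed year is assumed so time deltas work.
LOG_YEAR = 2007


def parse_events(text):
    """Return (timestamp, source, user, accepted) tuples in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "Accepted"))
    return events


def find_brute_force(text, threshold=5, window_seconds=60):
    """Flag sources with `threshold` failures inside `window_seconds`.

    A source whose burst is followed by an accepted login is marked critical:
    that is the compromise case, not just scanning noise.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in sorted(parse_events(text)):
        by_src[src].append((ts, user, ok))

    findings = {}
    for src, evs in by_src.items():
        failures = [ts for ts, _, ok in evs if not ok]
        burst_end = None
        # Sliding window over failure timestamps (already in time order).
        for i in range(len(failures) - threshold + 1):
            span = failures[i + threshold - 1] - failures[i]
            if span.total_seconds() <= window_seconds:
                burst_end = failures[i + threshold - 1]
                break
        if burst_end is None:
            continue
        logged_in = sorted({u for ts, u, ok in evs if ok and ts >= burst_end})
        findings[src] = {
            "failures": len(failures),
            "accepted_after_burst": logged_in,
            "severity": "critical" if logged_in else "warning",
        }
    return findings


if __name__ == "__main__":
    for src, info in find_brute_force(SAMPLE_LOG).items():
        print(src, info)
```

On the sample, 192.0.2.10 is reported as critical (five failures in six seconds, then an accepted root login), while 198.51.100.7, a user who mistyped once and then logged in with a key, is not reported at all. Tuning `threshold` and `window_seconds` to local traffic is what keeps such a check from drowning an operator in warnings.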

  24. Hosts: Defending Against Threats (The User/Host Zone)
     • Isolation approach
       • Separate services across hosts
         • So one password doesn’t get you to everything
       • Block services that aren’t relevant
         • For example, block port 25/tcp to and from all hosts that are not mail servers
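Added example, not part of the presentation: a small policy model of the "block 25/tcp to and from all hosts that are not mail servers" rule, generalized slightly so that any (protocol, port) service can be tied to the set of campus hosts allowed to use it. The campus range and mail-server addresses are hypothetical RFC 5737 values, not the UW's real networks, and the constructed flows exercise both directions of the rule plus the untouched default, which is allow, matching a zone that has no perimeter firewall and only targeted blocks.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical campus addressing using RFC 5737 documentation ranges; none of
# these are the University of Washington's real networks or hosts.
CAMPUS = ip_network("192.0.2.0/24")
MAIL_SERVERS = {ip_address("192.0.2.25"), ip_address("192.0.2.26")}

# (protocol, destination port) -> campus hosts allowed to use that service at
# all, whether as source or as destination. Services not listed are left
# unrestricted: no perimeter firewall, only targeted blocks.
SERVICE_OWNERS = {
    ("tcp", 25): MAIL_SERVERS,  # SMTP: only the mail servers
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def evaluate(flow, policy=SERVICE_OWNERS, campus=CAMPUS):
    """Return "allow" or "deny" for one flow under the service-owner policy.

    A restricted service is denied whenever either endpoint is a campus host
    that does not own the service. Hosts outside the campus range are not ours
    to police, so they only matter through the campus end they talk to.
    """
    owners = policy.get((flow.proto, flow.dport))
    if owners is None:
        return "allow"
    for addr in (ip_address(flow.src), ip_address(flow.dst)):
        if addr in campus and addr not in owners:
            return "deny"
    return "allow"


def audit(flows, **kw):
    """Evaluate many flows; returns a list of (flow, decision) for review."""
    return [(f, evaluate(f, **kw)) for f in flows]


# Constructed flows exercising both directions of the 25/tcp rule.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.0.2.25", "tcp", 25),   # internet -> mail server
    Flow("192.0.2.25", "203.0.113.9", "tcp", 25),   # mail server -> internet
    Flow("192.0.2.50", "203.0.113.9", "tcp", 25),   # workstation -> internet
    Flow("203.0.113.5", "192.0.2.50", "tcp", 25),   # internet -> workstation
    Flow("192.0.2.50", "192.0.2.25", "tcp", 25),    # workstation -> mail server
    Flow("192.0.2.50", "192.0.2.25", "tcp", 80),    # unrestricted service
]

if __name__ == "__main__":
    for f, decision in audit(SAMPLE_FLOWS):
        print(f"{decision:5} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

The third and fourth flows are the ones the slide is aimed at: a workstation that starts speaking SMTP outbound (the classic spambot or worm symptom) and an unexpected SMTP listener on a non-mail host are both denied. Note that a strict reading of "from all hosts that are not mail servers" also denies a workstation delivering straight to the campus mail server on 25/tcp (fifth flow); if clients must submit on that port, add an explicit exception rather than widening the owner set.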

  25. Hosts: Defending Against Threats (The User/Host Zone)
     • Security is part of everything
       • design, build, implement, and buy
     • Fewer compromises where pervasive layered protection is implemented

  26. The User/Host Zone: Layered Security

  27. Questions?
     David Morton, dmorton@u.washington.edu, +1 (206) 221-7814
     Lori Stevens, lrs@u.washington.edu, +1 (206) 685-6227

  28. Resources
     • TippingPoint: http://www.tippingpoint.com/products_ips.html
     • PureMessage: http://sophos.com/products/enterprise/email/security-and-control/unix/index.html
     • General Security Info:
       • http://www.securityfocus.com/
       • http://www.sans.org/network_security.php
       • http://onguardonline.gov/index.html

  29. Questions?
