Developing an Effective & Affordable Security Infrastructure in a Small College Environment
Developing an Effective & Affordable Security Infrastructure in a Small College Environment - PowerPoint PPT Presentation
PowerPoint Slideshow about 'Developing an Effective & Affordable Security Infrastructure in a Small College Environment' - adamdaniel
Presentation Transcript
About Penn College
  • Williamsport Technical Institute, founded 1941
  • Williamsport Area Community College, founded 1965
  • Pennsylvania College of Technology, founded 1989
  • Special Mission Affiliate of Penn State University
  • Accredited - Middle States Association of Colleges and Secondary Schools
  • 6,358 headcount - 5,891 FTE
  • 288 FTE faculty, 518 FTE staff
  • B.S., A.S. and certificate degrees in over 100 majors
  • Specialize in vocational and technology-based education
  • Strong focus on small class sizes and hands-on instruction
  • www.pct.edu
IT Infrastructure
  • 2,600 College-owned computers, 1,400 student-owned computers in residential complexes
  • 1,600 computers in 50+ academic computer labs, student to computer ratio of 4:1
  • Standard computer lab software includes Microsoft Windows XP, Office 2003, NetMail POP3 e-mail system
IT Infrastructure (cont’d)
  • 1,000 staff/faculty PCs
  • Standard employee image: Windows XP, Office 2003, Novell GroupWise, iSeries client
  • Novell Directory Services (NDS)
  • IBM iSeries mainframe, home-grown legacy administrative applications
  • WebCT, Sirsi, eRecruiting, Raiser’s Edge, Cbord Odyssey, EBMS
  • 25 Novell, 15 Microsoft, 3 Linux, 1 Sun, 1 AIX server
IT Infrastructure (cont’d)
  • 100% Cisco network infrastructure except for Packeteer Packetshaper
  • Fast Ethernet via CAT5 for all building LANs, Gigabit Ethernet via fiber for backbone
  • Dual Cisco 6500s for redundant core
  • Fractional T-3 (30 Mbps) Internet service
  • Dial-up Internet access provided for employees, not students
  • About 50% wireless coverage
Information Technology Services
Organization (50 employees)
  • Desktop Computing
  • Academic Computing
  • Technical Support/Help Desk
  • Technical Writer/Trainer
  • Administrative Information Systems
  • Network Applications
  • Mail & Document Services
  • Media Services
  • Telecommunications
Post Y2K IT Security “Problem”
  • Increasing threats from viruses, trojans, worms, hackers, etc.
  • Lack of security standards
  • No coordinated security response
  • Poor security awareness
  • Minimal security policy
  • No security testing
The “Challenge”
  • Limitations
    • Budget
    • Staff
    • Time
  • Large backlog of post Y2K projects
  • Balancing security effectiveness with efficient resource management
Solution Analysis
  • Dedicated security staff vs. security team
  • Advantages of team approach:
    • Utilizes existing staff and expertise
    • Spreads/diffuses the importance of security across all functional IT areas
    • Funded through existing budgets
  • Disadvantages:
    • No centralized focus/authority
    • Long lead time to develop expertise
    • Staff time directed away from other projects
    • Not invented here syndrome
The “Solution”
  • IT management recommended forming a campus “security team.”
  • Each area of the IT department committed one employee and a percentage of its budget.
  • A senior manager was designated to provide leadership and coordination of this team effort.
  • The team met weekly over an initial 18 month period, then bi-weekly.
  • Rotating duty officer/CERT format
The Context
  • Risk vs. investment
  • Scope and impact for priority
  • Mitigating risk factors
    • Administrative data locked up in IBM iSeries (AS/400)
    • GroupWise e-mail system
    • Institutional policy requiring data files to be stored on network drives
    • Centralized IT management and budget culture
7-Layer Security Approach
  • Layer 1 - Physical
  • Layer 2 - Internet
  • Layer 3 - Network
  • Layer 4 - ResNet
  • Layer 5 - Servers
  • Layer 6 - Employee PCs
  • Layer 7 - Social
Layer 1 - Physical
  • Before
    • Distributed servers, not physically secured, some actually in staff/faculty offices
    • Network components not secured
    • Minimal UPS protection
  • After
    • Most non-academic servers moved to secured data center; backup generator
    • Wiring closets secured
    • UPS for all servers and network equipment
Layer 2 - Internet
  • Before
    • Internet router with public IP addresses
    • No filtering of ports
  • After
    • Cisco PIX firewall with PAT translation initially, later acquired additional IPs, changed to NAT (still occasional problems, need an XLATE clear)
    • Access control list on Internet router (example)
    • Packeteer - Although purchased for bandwidth control, provides another layer of “protection” and “detection”
Internet Router ACL
access-list 115 permit tcp any 0.0.0.0 255.255.255.0 established
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip 127.0.0.0 0.255.255.255 any
access-list 115 deny ip 172.16.0.0 0.15.255.255 any
access-list 115 deny ip 192.168.0.0 0.0.255.255 any
access-list 115 deny ip 224.0.0.0 15.255.255.255 any
access-list 115 deny ip host 0.0.0.0 any
access-list 115 deny ip 12.23.198.0 0.0.0.255 any
access-list 115 deny ip 12.23.199.0 0.0.0.255 any
access-list 115 deny ip any 0.0.0.255 255.255.255.0
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny tcp any any eq 137
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny tcp any any eq 138
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny udp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 deny udp any any eq 593
access-list 115 deny tcp any any eq 3333
access-list 115 deny udp any any eq 3333
access-list 115 deny tcp any any eq 4444
access-list 115 deny udp any any eq 4444
access-list 115 deny tcp any any eq 69
access-list 115 deny udp any any eq tftp
access-list 115 deny tcp any any eq 161
access-list 115 deny udp any any eq snmp
access-list 115 deny tcp any any eq 162
access-list 115 deny udp any any eq snmptrap
access-list 115 deny udp any any eq 1993
access-list 115 deny tcp any any eq 1900
access-list 115 deny udp any any eq 1900
access-list 115 deny tcp any any eq 5000
access-list 115 deny udp any any eq 5000
access-list 115 deny udp any any eq 8998
access-list 115 permit icmp any any echo
access-list 115 permit icmp any any echo-reply
access-list 115 deny ip any any log-input
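To make the slide's ACL concrete, here is an added example (not from the presentation) that evaluates packets against a constructed excerpt of access-list 115 the way IOS does: first match wins, wildcard mask bits set to 1 are ignored, and an implicit deny follows the last rule. The destination of the `established` rule is an assumption (the 12.23.198.0/24 block the slide treats as the college's own range); the packets are constructed test inputs.

```python
# Evaluator for a Cisco-style extended ACL like the slide's access-list 115.
import ipaddress

PORT_NAMES = {"netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139, "tftp": 69, "snmp": 161, "snmptrap": 162}

# Constructed excerpt; the 'established' rule's destination is an assumed public range.
ACL_TEXT = """
access-list 115 permit tcp any 12.23.198.0 0.0.0.255 established
access-list 115 deny ip 10.0.0.0 0.255.255.255 any
access-list 115 deny ip any 0.0.0.255 255.255.255.0
access-list 115 deny tcp any any eq 445
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny ip any any log-input
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _addr(tok, i):
    """Consume 'any', 'host X' or 'X WILDCARD'; return ((base, wildcard), next index)."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (_ip(tok[i + 1]), 0), i + 2
    return (_ip(tok[i]), _ip(tok[i + 1])), i + 2

def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()                  # access-list N action proto src dst [eq P] [established]
        src, i = _addr(tok, 4)
        dst, i = _addr(tok, i)
        name = tok[tok.index("eq") + 1] if "eq" in tok else None
        port = None if name is None else PORT_NAMES.get(name) or int(name)
        rules.append({"action": tok[2], "proto": tok[3], "src": src, "dst": dst,
                      "port": port, "established": "established" in tok})
    return rules

def _in(addr, spec):                       # wildcard match: 1 bits in the mask are "don't care"
    return (_ip(addr) ^ spec[0]) & ~spec[1] & 0xFFFFFFFF == 0

def evaluate(rules, pkt):
    """pkt: proto, src, dst, optional dport and ack (TCP ACK/RST set). Returns (action, rule index)."""
    for n, r in enumerate(rules):
        if (r["proto"] in ("ip", pkt["proto"])
                and _in(pkt["src"], r["src"]) and _in(pkt["dst"], r["dst"])
                and (r["port"] is None or pkt.get("dport") == r["port"])
                and (not r["established"] or pkt.get("ack", False))):
            return r["action"], n
    return "deny", None                     # implicit deny at the end of every IOS ACL
```

Running it shows the first-match consequence of putting the `established` permit first: an ACK-flagged packet with a spoofed 10.x source is accepted by rule 0 before the anti-spoofing deny is ever reached, so ingress anti-spoofing denies are safer placed above it.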
Layer 3 – Network – Before
  • 10.x.x.x organized geographically; each “building complex” has a subnet; 10.1.x.x, 10.2.x.x, 10.3.x.x, etc.
  • Any to any routing philosophy
  • Simple telnet to devices
  • No central security scheme
Layer 3 – Network – After
  • 100% VLAN scheme
  • VLANs based on computer/user role
    • 10.1.x.x network equipment
    • 10.2.x.x servers
    • 10.3.x.x printers
    • 10.4.x.x staff
    • 10.100.x.x ResNet
    • Etc.
  • Internet style ACLs applied on traffic leaving VLANs
  • Traffic denied entering VLAN if no reason for the traffic
  • Extended today to separate VLANs for point-of-sale stations, HVAC, wireless, dial-up; each with its own ACL
  • SSH required to access devices, coordinated userid/password with Cisco ACS server that LDAPs to our NDS
Layer 4 – ResNet
  • Before
    • Normal network subnet
    • No restrictions
    • ISP attitude
    • No scanning
  • After – version 1
    • Single VLAN
    • ACL limited access to other campus VLANs
  • After – version 2
    • VLAN per 48 port switch
    • Internet style ACL “rule set” to block known bad ports such as 445
    • Routine scanning and quarantining
Layer 5 – Servers – Before
  • Public IP address via firewall conduit
  • Distributed physically
  • No port filtering
  • Inconsistent patch strategy
  • No virus protection
  • Inconsistent HTTPS implementation
  • Many outside of the “network” department
  • No scanning for vulnerabilities
  • No disaster recovery plan
Layer 5 – Servers – After
  • Servers in data center or managed by server group
  • HTTPS required for any sensitive data
  • Private IP addresses mapped to public via “conduit” in the firewall
  • Port filtered in the firewall, deny all, allow those required for specific services
  • Port filtered coming out of ResNet and student computer labs
  • Managed patch strategy, critical patches applied in 24 hours
  • Symantec Anti-Virus on servers
  • NetMail/CA eTrust anti-virus and RBL filtering for e-mail
  • GWAVA/Symantec Anti-Virus e-mail filtering
  • GWAVA attachment filtering
  • Routine Nessus scanning
  • Comprehensive disaster recovery plan
Layer 6 - Employee PCs
  • Before
    • Public IP address
    • No anti-virus
    • No patch management
    • No scanning
  • After
    • Private IP address via PAT/NAT
    • Managed Symantec Anti-Virus
    • “Push” of critical Microsoft security patches via Novell ZenWorks
    • Nessus scanning
Layer 7 - Social
  • Before
    • Little or no public awareness
    • No AUP
    • Loose user ID and password policies
    • “It won’t happen here, we know everyone personally”
  • After
    • Acceptable Use Policy
    • Accounts blocked after 3 failed log in attempts
    • Passwords changed every 180 days
    • Regular communication via online newspaper
    • Security education classes
What’s on the radar screen?
  • Spyware
  • PC firewall
  • Instant Messaging issues
  • VPN
  • Network access control
  • Two factor authentication
  • Security as it affects privacy issues
  • E-mail security
Conclusion
  • Security team was the right approach for us
    • Effective, no significant down-time except for Blaster/Welcia, fall 2003
    • Cost-efficient
    • Diffused security awareness across the department
    • Developed security skills across ITS
  • Security Infrastructure
    • Cisco PIX firewall
    • Packeteer Packetshaper
    • Cisco VLANs/ACLs
    • Symantec Anti-Virus
    • Novell ZenWorks
    • GWAVA Anti-virus/attachment filtering
    • Nessus