Intelligent address management and university network security
1 / 30

Intelligent Address Management and University Network Security - PowerPoint PPT Presentation

  • Uploaded on

Intelligent Address Management and University Network Security. UNC-CAUSE 2004 Author: Joff Thyer …Thanks to many UNCG IT colleagues for their contributions…. Disclaimers!. According to pseudo-random neuron activity, this material may seem like a good idea for the moment.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Intelligent Address Management and University Network Security' - allistair-buck

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Intelligent address management and university network security

Intelligent Address Management and University Network Security


Author: Joff Thyer

…Thanks to many UNCG IT colleagues for their contributions…

Disclaimers! Security

  • According to pseudo-random neuron activity, this material may seem like a good idea for the moment.

  • There are a million assumptions contained within of which I will recall maybe 50,000.

  • Nirvana always seems just another fingertip reach away….

  • I don’t claim to have a handle on the “be all and end all” of network management.

Background 2004 enrollment
Background – 2004 Enrollment. Security

  • 11,497 undergraduate students.

  • 3,217 graduate students.

  • 14, 714 total headcount.

  • Largest freshman class (2,158)

  • Residence halls at capacity! (approx. 3,800)

  • Approx. 2000 employees (Faculty/Staff)

Background data network
Background – Data Network! Security

  • End to end Cisco network (IP only)

  • 700 network switches

    • 200 in residence halls (10m/bit ports)

    • 500 in campus general population (100m/bit ports)

  • Approx. 25,000 ports.

  • Approx. 7000 active MAC addresses

    • 3,400 workstations in Residence Halls

    • 500 IT managed workstations in public labs

    • Approx. 150 non-IT managed workstations in departmental labs

    • Approx. 1800 faculty/staff workstations

    • Balance is application servers, switches, routers, printers, HVAC devices and other misc. network connected devices.

Background data network1
Background – Data Network! Security

  • 50 buildings connected to the campus network via Gigabit single mode fiber to one of four core routing points.

  • A collapsed core model!

    • Predictably the 4 core routers are Catalyst 6500 series

  • Primary segment (VLAN) deployed per building

  • VLAN’s deployed per IT managed lab

  • VLAN’s deployed per IT server groupings (O/S based)

How do we provide ip addressing
How do we provide IP addressing? Security

  • Manual address assignment is clearly not an option.

  • Desktop ownership is in the hands of various groups.

  • Early in our network deployment (years ago) we adopted a policy that all network communications devices must be “registered” with IT.

Macmaster our own sql database appl
MacMaster – Our own SQL database appl. Security

  • We grew our own system to manage all computer workstation registrations

  • Web driven, LDAP authenticated role based users.

  • Data from SQL tables gets extracted to campus DHCP / DNS servers on a periodic basis.

  • Reporting ability shows data on:

    • DHCP lease requests

    • Workstation names within individual VLANS (buildings)

    • Address assignments

    • Last seen on network – switch/port attached to.

    • Track a MAC address to a port.

Macmaster gives us flexibility
MacMaster gives us flexibility Security

  • You don’t get an IP in the DHCP table unless you are registered in this database

  • We can re-address a sub-network if we need with a simple router and database change.

  • We associate names and locations with workstations.

  • Effective (though loose) MAC address level access control.

Why give everyone public ip space
Why give everyone public IP space? Security

  • This is a historical issue that we are faced with.

  • It used to be a promotional point that all workstations on campus were full fledged Internet members.

  • It effectively promotes fiefdoms within your network!

Security starting from an open network
Security – starting from an open network. Security

  • It’s a University – quit now while you’re still alive.

    • Not acceptable folks! Start out by securing things you can reach out and touch.

  • We have a diverse population but there are some defined groups based on subnet/VLAN segmentation

  • Some of these groups are:

    • Residence Hall buildings

    • IT managed labs

    • IT managed application servers

    • Servers subject to our Enterprise Systems Policy

Initial steps policy
Initial Steps – Policy Security

  • UNCG created an Information Security Committee and asked for IT staff consulting assistance.

    • As of this year, we have executive level approval of a new set of policies.

    • This is of critical importance! You may view our policies at:

      (see the New Policies section of the page)

Initial steps technical
Initial Steps - Technical Security

  • Protect your perimeter using router ACL’s.

    • Common sense protections:

      • Allow only your address block to transit the perimeter

        • In our case

      • Filter RFC-3330/1918 – Private/Reserved address blocks

        • (eg:,… etc)

      • Filter protocols/ports used for network management

        • UDP/TCP 161 and 162 (snmp/snmp trap)

        • UDP 69 (tftp), UDP 67/68 (dhcp/bootp)

    • If your Policy statements allow for it:

      • Filter Netbios/SMB protocols

        • TCP/UDP ports 445, 135-139

      • Send email traffic only to legitimate email relay hosts

Initial steps technical1
Initial Steps – Technical Security

  • Protect your campus from the Residence Hall traffic using router ACL’s.

    • Obtain buy in from Residence Hall staff.

      • UNCG RESNET – Highest Priority is literally 99% uptime. They are highly supportive of tightening security.

    • UNCG RESNET security measures to date look a lot like the perimeter filtering

      • Filtered network based protocols

      • Allowed email traffic only to legitimate relay hosts

      • Filtered SMB/Netbios protocols

  • Deploy a server farm firewall and begin securing servers incrementally.

    • Deploy intrusion prevention technology in front of servers.

    • Use router ACL’s to log activity on commonly abused TCP/UDP ports

Security for clients a la carte
Security for clients – a la carte? Security

  • What do we do with the rest of the general client workstation population?

  • Let them handle it themselves / workstation centric?

    • This can work but we really want a “defense in depth” strategy.

    • Can also depend on how much desktop management control IT professionals have. In most Universities, this control is limited.

  • We can secure things by VLAN using some policy routing tricks.

Traffic routing by policy
Traffic routing by policy? Security

  • We could customize traffic routing on a per subnet, or per user basis

  • What about destinations of communications?

    • Primarily driven to two locations – either server farm or Internet.

    • All servers actually live in XX bits of the class B address space.

    • This masks easily as:**censored**

    • One large subnet? No – actually a collection of smaller subnets.

The client perspective
The client perspective Security

  • A policy route-map can be placed on any router interface to control traffic destinations.

  • Our servers nicely fall into one block

  • The concept for “a la carte” security is to

    • Route Internet bound traffic through a firewall

    • Route enterprise server traffic directly to the server address block.

    • Don’t allow “other” subnets to communicate back to secured client subnets.

Intelligent address management and university network security Security

Router configuration example 1
Router configuration example 1 Security

route-map CLIENT-SECURED permit 10

match ip address CLIENT-SECURED

set ip next-hop

ip access-list extended CLIENT-SECURED

deny ip any 152.13(SERVER BLOCK)

deny udp any any eq bootps

permit ip any any

Router configuration example 2
Router configuration example 2 Security

interface Vlan512

description Forney Building (Secured - Testing - Joff)

ip address

ip helper-address

no ip redirects

ip pim sparse-dense-mode

ip cgmp

ip policy route-map CLIENT-SECURED


Firewall configuration
Firewall Configuration Security

hostname ScapeGoat

nameif gb-ethernet1 inside security100

nameif gb-ethernet0 outside security0

ip address inside

ip address outside

global (outside) 1 netmask

global (outside) 1

nat (inside) 1 0 0

route inside 1

route outside 1

Firewall config acl s
Firewall Config – ACL’s Security

access-group inside in interface inside

access-group outside in interface outside

access-list inside permit tcp any range 1024 65535 any eq www

access-list inside permit tcp any range 1024 65535 any eq https

access-list inside permit tcp any range 1024 65535 any eq ftp

access-list inside permit tcp any range 1024 65535 any eq ssh

access-list inside permit tcp any range 1024 65535 any eq aol

access-list inside permit icmp any any echo

access-list outside permit icmp any any echo-reply

Separate clients at layer 2
Separate clients at layer 2 Security

  • Optionally we can use a Cisco switch feature which separates layer 2 traffic on a per port basis.

  • This is called “protected” ports and is available on Cat. 2950/3550 switches and later.

    • Traffic coming into a “protected” port within a single VLAN cannot communicate at layer 2 with another “protected” port.

    • Make your uplink port (link to router) be non-protected and then all access ports be “protected”.

    • Client machines communicate with the router but not each other!

What if all my clients in one subnet don t want this
What if all my clients in one subnet don’t want this? Security

  • Even though we have segmented things nicely, the people don’t all fit nicely into the VLAN/subnet boundaries!

  • Choices….

    • Policy routing allows us to select clients by logical address within an ACL.

    • Apply layer 2 traffic separation.

    • Segment into smaller pieces – the power of VLANs!

  • Caution! – KISS principle should be kept in mind.

    • Too much VLAN segmentation can be administratively burdensome. You have to find a balance.

Summing it all up
Summing it all up Security

  • Actively manage logical addressing.

  • Segment network using both physical and administrative boundaries.

  • Begin deploying security measures:

    • Secure the perimeter

    • Secure the RESNET

    • Secure the servers

    • Secure the clients

  • Just throw in a database, a web server, a router, a couple of firewalls, some programming work and season to taste.

Future steps for uncg
Future steps for UNCG Security

  • Enhance our database application for general campus workstation registration

    • If someone moves a workstation, we want it “de-registered” automatically.

    • When you first plug in, you will be driven to an automatic registration application

      • The auto-registration app. will allow clients to select their preferred security profile.

  • Offer “customer self service” for network communications profiles.

    • Try to get our customers to “buy in” to a more secure profile at registration time.

    • Directly negotiate higher security communications profiles with specific business units. (They will become VLAN’s – surprise!)

Thank you
Thank you! Security

  • Feel free to share your questions/suggestions.

  • Email later if you would like to.

    Joff Thyer, UNCG IT-Networks