
Providing secure open-access networks

Providing secure open-access networks. Oliver Gorwits, Oxford University Computing Services. Workshop outline: review of the problem domain; designing secure open-access networks, including software and hardware choices; implementing secure open-access networks (OUCS and Libraries); Q & A.


Presentation Transcript


  1. Providing secure open-access networks Oliver Gorwits Oxford University Computing Services

  2. Workshop Outline • Review of the Problem Domain • Designing secure open-access networks • Incl. software and hardware choices • Implementing secure open-access networks • OUCS and Libraries • Q & A

  3. Problem Domain • Summer 2003 : large-scale Internet worms • Widespread laptop use • Catch-22 for software updates • Network security vs. University business

  4. Statutes and Regulations • ICTC Regulations • Monitoring (4) • Viruses (7.11) • Resources (13.2, 13.3) • JANET Acceptable Use Policy • Non-member use

  5. Designing the Network

  6. Use Cases (1) • Vital! • Humans - Who • Applications - What • Computers - How • Locations – Where & When

  7. Use Cases (2) • OUCS Helpcentre • MS, Antivirus updates • Building visitors • Lectures, Conferences • Larger scale non-full-member • Library Readers – odd services

  8. Network Integration (1) • Cabling and Switch-gear • Mix-in with existing infrastructure • New or refurbished facility • Labelling and Identification • Distribution cables • Port faceplates

  9. Network Integration (2) • IP space • Address and port translation • Hardware Configuration • Backup management • Avoid the replacement-exposure problem

  10. Managing Users • Controlled access • Physical, to the building • Virtual, to the network • Accounting • Open-access means unknown user? • Supervision

  11. Network Access • Firewall rules • Refer to the Use Case • OUCS – restricted • Official service servers only • Transparent HTTP redirect • Default deny in both directions

  12. Basic Topologies • VLANs • Vendor support • NAT • Software or Appliance • DHCP • Client support (MacOS pre-X)

  13. Hardware • Off the shelf appliances • Cisco PIX – DHCP & NAT • Open Source • Linux/*BSD with daemons • Black box solutions • Bluesocket – Web interface

  14. Software • Packet Filtering • iptables / ipfw • Scanning • Commercial • Various - see Google • Non-commercial • nmap, nessus

  15. Implementing the Network

  16. OUCS Visitors Network (1) • Mix-in with existing helpcentre network • VLAN per user into managing devices • Minimum ongoing maintenance • No peer to peer communications • Intended for MS/AV updates and teachers • Restrictive service

  17. OUCS Visitors Network (2) [Diagram: backbone to Cisco PIX 515; VLAN trunk to the C2950 Helpcentre distribution switch with protected ports; VLANs labelled Vlan100 and Vlan103]

  18. OUCS Visitors Network (3) • Access Control List: • Default deny Incoming and Outgoing • OUCS : NTP, DNS, SMTP, HFS, NNTP, VPN • Also SSH, FTP, POP, IMAP to anywhere • OLIS on the telnet port • Transparent HTTP redirect via OUCS proxy • Minimal accounting; limited availability
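Slides 11, 14 and 18 state the visitor-network policy in words: default deny in both directions, a fixed list of services to official OUCS servers only, SSH/FTP/POP/IMAP to anywhere, OLIS on the telnet port, and port-80 traffic transparently redirected through the OUCS proxy. The following is an added example, not the deck's own PIX configuration: it writes that policy down as data so sample flows can be checked against it before anything is loaded, then renders the same policy as an iptables-restore file for the Linux/*BSD option from slide 14. The visitor range, the OUCS server range, the OLIS host, the proxy address and the HFS and VPN port numbers are all assumptions, since the slides name services but not hosts or ports.

```python
"""Policy model for the OUCS Visitors Network ACL (added example, not the deck's own PIX config).

Hosts, address ranges and the HFS/VPN port numbers are constructed assumptions;
the slides name the services and the policy shape but not the addresses.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VISITOR_NET = ip_network("10.200.0.0/24")   # assumption: visitor VLAN (Vlan103) range
OUCS_SERVERS = ip_network("192.0.2.0/24")   # assumption: "official service servers" range
OLIS_HOST = ip_network("192.0.2.50/32")     # assumption: OLIS catalogue host
PROXY_IP, PROXY_PORT = "192.0.2.8", 3128    # assumption: OUCS transparent HTTP proxy
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp" or "udp"
    dport: int
    dst: object     # ip_network the destination must fall inside
    action: str     # "ACCEPT" or "REDIRECT"
    comment: str


# Visitor-originated flows only; anything not listed falls to the default deny.
RULES = [
    Rule("udp", 123, OUCS_SERVERS, "ACCEPT", "NTP to OUCS"),
    Rule("udp", 53, OUCS_SERVERS, "ACCEPT", "DNS to OUCS"),
    Rule("tcp", 53, OUCS_SERVERS, "ACCEPT", "DNS over TCP to OUCS"),
    Rule("tcp", 25, OUCS_SERVERS, "ACCEPT", "SMTP to OUCS"),
    Rule("tcp", 1500, OUCS_SERVERS, "ACCEPT", "HFS backup (assumption: TSM client port)"),
    Rule("tcp", 119, OUCS_SERVERS, "ACCEPT", "NNTP to OUCS"),
    Rule("udp", 500, OUCS_SERVERS, "ACCEPT", "VPN (assumption: IPsec IKE only)"),
    Rule("tcp", 22, ANY, "ACCEPT", "SSH to anywhere"),
    Rule("tcp", 21, ANY, "ACCEPT", "FTP control to anywhere"),
    Rule("tcp", 110, ANY, "ACCEPT", "POP3 to anywhere"),
    Rule("tcp", 143, ANY, "ACCEPT", "IMAP to anywhere"),
    Rule("tcp", 23, OLIS_HOST, "ACCEPT", "OLIS on the telnet port"),
    Rule("tcp", 80, ANY, "REDIRECT", "transparent HTTP redirect via OUCS proxy"),
]


def decide(proto, src, dst, dport, new=True):
    """Classify one flow as the firewall would: ACCEPT, REDIRECT or DROP.

    new=False stands for a reply packet of an already-accepted flow, which
    connection tracking lets through; a new flow must be visitor-originated,
    not visitor-to-visitor, and match a rule, or it hits the default deny.
    """
    if not new:
        return "ACCEPT"                 # ESTABLISHED,RELATED
    src_ip, dst_ip = ip_address(src), ip_address(dst)
    if src_ip not in VISITOR_NET:
        return "DROP"                   # inbound-initiated: "default deny incoming"
    if dst_ip in VISITOR_NET:
        return "DROP"                   # no peer-to-peer (the switch's protected ports do this too)
    for r in RULES:
        if r.proto == proto and r.dport == dport and dst_ip in r.dst:
            return r.action
    return "DROP"                       # "default deny outgoing"


def render_iptables():
    """Render the same policy as an iptables-restore file for a Linux box
    standing in for the PIX (FORWARD chain; nat PREROUTING for the redirect)."""
    nat = ["*nat", ":PREROUTING ACCEPT [0:0]", ":POSTROUTING ACCEPT [0:0]"]
    for r in RULES:
        if r.action == "REDIRECT":
            nat.append(f"-A PREROUTING -s {VISITOR_NET} -p {r.proto} --dport {r.dport} "
                       f"-j DNAT --to-destination {PROXY_IP}:{PROXY_PORT}")
    nat.append("COMMIT")
    flt = ["*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
           "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
           f"-A FORWARD -s {VISITOR_NET} -d {VISITOR_NET} -j DROP",
           # The DNAT above rewrites the destination before FORWARD sees the packet,
           # so the filter must admit visitor -> proxy:3128, not visitor -> anywhere:80.
           f"-A FORWARD -s {VISITOR_NET} -d {PROXY_IP} -p tcp --dport {PROXY_PORT} "
           f"-m conntrack --ctstate NEW -j ACCEPT"]
    for r in RULES:
        if r.action == "ACCEPT":
            dst = "" if r.dst == ANY else f"-d {r.dst} "
            flt.append(f"-A FORWARD -s {VISITOR_NET} {dst}-p {r.proto} --dport {r.dport} "
                       f"-m conntrack --ctstate NEW -j ACCEPT")
    flt.append("COMMIT")
    return "\n".join(nat + flt) + "\n"


if __name__ == "__main__":
    for flow in [("udp", "10.200.0.17", "192.0.2.10", 123),
                 ("tcp", "10.200.0.17", "198.51.100.5", 80),
                 ("tcp", "10.200.0.17", "198.51.100.5", 443)]:
        print(flow, "->", decide(*flow))
    print(render_iptables())
```

Two things worth noticing when running it. First, the rendered file can be syntax-checked with `iptables-restore --test` before it is loaded, which is the cheap way to avoid the "replacement-exposure" problem from slide 9. Second, HTTPS (tcp/443) is not in the slide's service list, so the model drops it; that matched the 2003 use case of MS and antivirus updates over plain HTTP, but any later revision of the use case (slide 11: "refer to the Use Case") would have to add it explicitly rather than rely on the redirect.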

  19. Libraries Reader Network (1) • Permissive service due to user requirements • Orthogonal to OUCS service • Large number of (potential) users • Need to pre-register • Multiple sites and networks • No site-local IT support

  20. Libraries Reader Network (2) [Diagram: backbone; firewall; file server (SMB, NFS) holding the registered MAC addresses; library distribution switch; scanning station; library protected-port switch; reader PCs]

  21. Libraries Reader Network (3) • Known limitations: • Possible post-registration infection • Annual registration expiry • Client / Scanning Station incompatibility
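Slides 19 to 21 describe a pre-registration scheme: readers register a MAC address, a scanning station vets the machine, and registrations expire annually. The following added example, which is not the Libraries' own registration system, shows the checks such a scheme has to get right: normalising the several notations readers type a MAC address in, refusing group addresses that can never be a host, applying the annual expiry, and rendering the admitted hosts as an allow-list. The sample records are constructed, and the enforcement mechanism (ISC dhcpd host stanzas behind `deny unknown-clients;`) is an assumption, since the slides name MAC addresses but no particular software.

```python
"""Reader pre-registration checks for the Libraries Reader Network (added example,
not the Libraries' own registration system).

Sample data is constructed; ISC dhcpd with 'deny unknown-clients;' as the
enforcement point is an assumption, as the slides name MAC addresses and a
scanning station but no specific software.
"""
import re
from datetime import date, timedelta

REGISTRATION_LIFETIME = timedelta(days=365)   # slide 21: "annual registration expiry"
_HEX12 = re.compile(r"^[0-9a-f]{12}$")

# Constructed sample registrations (reader IDs and hardware addresses are invented).
SAMPLE_RECORDS = [
    {"reader": "r100231", "mac": "00-1B-63-84-45-E6", "registered": date(2003, 10, 1), "scan_passed": True},
    {"reader": "r100455", "mac": "0011.2233.4455", "registered": date(2004, 3, 12), "scan_passed": True},
    {"reader": "r100777", "mac": "00:0c:29:3e:1a:55", "registered": date(2004, 9, 1), "scan_passed": False},
]


def normalise_mac(text):
    """Canonicalise a MAC typed by a reader (colon, hyphen, Cisco dotted or bare
    hex) to lower-case colon form.  Rejects anything that is not 12 hex digits
    and any group (multicast/broadcast) address, which is never a host's source."""
    raw = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {text!r}")
    if int(raw[:2], 16) & 1:
        raise ValueError(f"multicast/broadcast address is not a host: {text!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def admission(record, today):
    """Decide whether a registered host may use the network on a given day.
    Returns (admitted, reason)."""
    if not record.get("scan_passed"):
        return False, "scanning station check not passed"
    expires = record["registered"] + REGISTRATION_LIFETIME
    if today >= expires:
        return False, f"registration expired on {expires.isoformat()}"
    return True, f"valid until {expires.isoformat()}"


def allow_list(records, today):
    """Render admitted hosts as ISC dhcpd host stanzas.  With the subnet declared
    'deny unknown-clients;', a MAC missing from this list gets no lease
    (assumption: DHCP is the enforcement point).  Bad records are reported as
    comments rather than aborting the whole render."""
    lines = []
    for rec in records:
        ok, reason = admission(rec, today)
        if ok:
            try:
                mac = normalise_mac(rec["mac"])
            except ValueError as exc:
                ok, reason = False, str(exc)
        if not ok:
            lines.append(f"# {rec['reader']} omitted: {reason}")
            continue
        lines.append(f"host reader-{rec['reader']} {{ hardware ethernet {mac}; }}  # {reason}")
    return "\n".join(lines) + "\n"


def expiring_within(records, today, days=30):
    """Reader IDs whose registration lapses within `days`, for re-registration notices."""
    cutoff = today + timedelta(days=days)
    return [r["reader"] for r in records
            if today < r["registered"] + REGISTRATION_LIFETIME <= cutoff]


if __name__ == "__main__":
    print(allow_list(SAMPLE_RECORDS, date(2004, 9, 29)))
    print("expiring soon:", expiring_within(SAMPLE_RECORDS, date(2004, 9, 29)))
```

The MAC address is self-reported and trivially changed on the client, so this list is accounting (who said they were using which machine) rather than authentication, which is in keeping with slide 10's "Open-access means unknown user?". It also does nothing about the first known limitation on slide 21: a machine that passes the scanning station and is infected afterwards keeps its registration until it expires, so the network-side firewall rules still have to assume a registered host may be hostile.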

  22. Q & A
