Designing Secure Open-Access Networks Workshop: Implementing Best Practices

Dive into the intricacies of designing and implementing secure open-access networks, covering software and hardware choices, network integration, and user management. Gain insights from industry experts on managing users, network access, and implementing basic topologies. Explore real-world use cases and best practices for maintaining a secure network environment. Workshop conducted by Oliver Gorwits from Oxford University Computing Services. Join us for an in-depth discussion on network security in the academic and business sectors.

Presentation Transcript


  1. Providing secure open-access networks
     Oliver Gorwits, Oxford University Computing Services

  2. Workshop Outline
     • Review of the Problem Domain
     • Designing secure open-access networks
       • Incl. software and hardware choices
     • Implementing secure open-access networks
       • OUCS and Libraries
     • Q & A

  3. Problem Domain
     • Summer 2003: large-scale Internet worms
     • Widespread laptop use
     • Catch-22 for software updates
     • Network security → University business

  4. Statutes and Regulations
     • ICTC Regulations
       • Monitoring (4)
       • Viruses (7.11)
       • Resources (13.2, 13.3)
     • JANET Acceptable Use Policy
       • Non-member use

  5. Designing the Network

  6. Use Cases (1)
     • Vital!
     • Humans – Who
     • Applications – What
     • Computers – How
     • Locations – Where & When

  7. Use Cases (2)
     • OUCS Helpcentre
       • MS, Antivirus updates
     • Building visitors
       • Lectures, Conferences
     • Larger scale non-full-member
       • Library Readers – odd services

  8. Network Integration (1)
     • Cabling and Switch-gear
       • Mix-in with existing infrastructure
       • New or refurbished facility
     • Labelling and Identification
       • Distribution cables
       • Port faceplates

  9. Network Integration (2)
     • IP space
       • Address and port translation
     • Hardware Configuration
       • Backup management
       • Avoid the replacement-exposure problem

  10. Managing Users
     • Controlled access
       • Physical, to the building
       • Virtual, to the network
     • Accounting
       • Open-access means unknown user?
     • Supervision

  11. Network Access
     • Firewall rules
       • Refer to the Use Case
     • OUCS – restricted
       • Official service servers only
       • Transparent HTTP redirect
       • Default deny in both directions

  12. Basic Topologies
     • VLANs
       • Vendor support
     • NAT
       • Software or Appliance
     • DHCP
       • Client support (MacOS pre-X)

  13. Hardware
     • Off the shelf appliances
       • Cisco PIX – DHCP & NAT
     • Open Source
       • Linux/*BSD with daemons
     • Black box solutions
       • Bluesocket – Web interface

  14. Software
     • Packet Filtering
       • iptables / ipfw
     • Scanning
       • Commercial
         • Various – see Google
       • Non-commercial
         • nmap, nessus

  15. Implementing the Network

  16. OUCS Visitors Network (1)
     • Mix-in with existing helpcentre network
     • VLAN per user into managing devices
     • Minimum ongoing maintenance
     • No peer to peer communications
     • Intended for MS/AV updates and teachers
     • Restrictive service

  17. OUCS Visitors Network (2)
     [Topology diagram; labels: Backbone, Cisco PIX 515, VLAN trunk, C2950 Helpcentre Distribution Switch (protected ports), Vlan100, Vlan103, Vlan100]

  18. OUCS Visitors Network (3)
     • Access Control List:
       • Default deny Incoming and Outgoing
       • OUCS: NTP, DNS, SMTP, HFS, NNTP, VPN
       • Also SSH, FTP, POP, IMAP to anywhere
       • OLIS on the telnet port
       • Transparent HTTP redirect via OUCS proxy
     • Minimal accounting; limited availability
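Added example, not from the workshop slides: the slide 18 access control list written as an iptables script of the kind slide 14 refers to, for a Linux gateway sitting between the visitor VLAN and the backbone. Interface names, the TEST-NET placeholder addresses, the proxy port and the use of the standard port for each named service are assumptions; HFS and VPN are left out because their ports are site-specific.

```shell
#!/bin/sh
# Visitors Network ACL (slide 18) as iptables rules. Added example; assumes
# eth0 faces the visitor VLAN and eth1 the backbone. Addresses are placeholders.
IPT="${IPT:-iptables}"          # set IPT=echo to print the rules without applying
VIS_IF=eth0                     # visitor VLAN side of the gateway
VIS_NET=192.0.2.0/24            # visitor subnet (placeholder, TEST-NET-1)
OUCS_NET=198.51.100.0/24        # OUCS official service servers (placeholder)
OLIS_HOST=198.51.100.10         # OLIS catalogue host (placeholder)
PROXY=198.51.100.20:8080        # OUCS HTTP proxy (placeholder)

visitors_acl() {
    # Default deny in both directions; only replies to permitted flows pass.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # No peer-to-peer communication between visitors (slide 16).
    $IPT -A FORWARD -i "$VIS_IF" -o "$VIS_IF" -j DROP
    # Services reachable on OUCS servers only: NTP, DNS, SMTP, NNTP.
    for p in udp/123 udp/53 tcp/53 tcp/25 tcp/119; do
        $IPT -A FORWARD -i "$VIS_IF" -s "$VIS_NET" -d "$OUCS_NET" \
             -p "${p%/*}" --dport "${p#*/}" -j ACCEPT
    done
    # SSH, FTP, POP, IMAP to anywhere. Passive FTP data channels are matched
    # by the RELATED rule above and need the nf_conntrack_ftp helper loaded.
    for port in 22 21 110 143; do
        $IPT -A FORWARD -i "$VIS_IF" -s "$VIS_NET" -p tcp --dport "$port" -j ACCEPT
    done
    # OLIS on the telnet port, and only to the OLIS host.
    $IPT -A FORWARD -i "$VIS_IF" -s "$VIS_NET" -d "$OLIS_HOST" -p tcp --dport 23 -j ACCEPT
    # Transparent HTTP redirect: rewrite visitor port-80 traffic to the OUCS proxy.
    $IPT -t nat -A PREROUTING -i "$VIS_IF" -s "$VIS_NET" -p tcp --dport 80 \
         -j DNAT --to-destination "$PROXY"
}
```

Preview the generated rules without touching the kernel with `IPT=echo sh -c '. ./visitors-acl.sh; visitors_acl'`; run `visitors_acl` as root to apply them.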

  19. Libraries Reader Network (1)
     • Permissive service due to user requirements
     • Orthogonal to OUCS service
     • Large number of (potential) users
     • Need to pre-register
     • Multiple sites and networks
     • No site-local IT support

  20. Libraries Reader Network (2)
     [Topology diagram; labels: Backbone, Firewall, File Server (MAC addresses; SMB, NFS), Library Distribution Switch, Scanning Station, Library Protected-Port Switch, PC, PC]

  21. Libraries Reader Network (3)
     • Known limitations:
       • Possible post-registration infection
       • Annual registration expiry
       • Client → Scanning Station incompatibility

  22. Q & A