Overview of IT Security at Nottingham
Enterprise Security: Protecting the Campus Network
Paul Kennedy, Security & Compliance Group Leader, Information Services

Objectives
- An introduction to practical IT security
- Some background on enterprise issues
- The campus network
- Samples of some technologies used
- Examples from the battlefront
- Technology demo (if time allows)

What is an enterprise?
- “a unit of economic organization or activity; especially: a business organization”
- What defines an enterprise: scale, purpose and cohesion
- Is the University an enterprise? Yes!
  - “A place of learning, research, academic endeavour, advancement of knowledge”
  - “A £380m global business with 5500 staff and 36000 customers”

Enterprise security
So what is enterprise security about?
- Protection of an entity where the scale is a factor in the decisions made (e.g. number of users and computers; size of network or bandwidth of the links; cost of solutions)
- Protection of an entity where the aims of the organisation need to be taken into consideration (e.g. business requirements)
- Protection of an organisation where the human factor becomes critical to success

The University enterprise: facts & figures
- An international University with campuses in the UK, China and Malaysia
- 36000 students and 5500 staff in the UK
- Numerous campuses:
  - In Nottingham: Univ Park, Jubilee, Sutton Bonnington, King’s Meadow, QMC, City Hospital, Shakespeare St
  - In the East Midlands: DCGH, DRI, Mansfield, Lincoln, Boston, Grantham
  - Further afield: offices in London, Brazil, Shanghai; overseas campuses

Campus Network
- 12000 machines on the campus network: servers, desktops, laptops, network equipment, lab equipment, printers, VoIP devices, CCTV cameras, temperature sensors, cash tills, door access, building management system
- 8000 computers on the student network (SNS)
- 10 Gbps across the campus backbone
- 2 x 1Gbps + 1 x 100Mbps connections to East Midlands MAN (EMMAN) and JANET
- State-of-the-art “lights-out” primary data centre at KMC, secondary data centre (inc HPC) at CCC South
- Is this a LAN or a WAN or a MAN?

The Academic Business
The business:
- Financial management of £380m
- HR management of 5500 staff records
- SR management of 36000 student records
UK legislation:
- Data Protection Act (DPA), Freedom of Information (FoI), Human Rights Act (HRA) and more
- Regulation of Investigatory Powers Act (RIPA)
Corporate governance:
- External auditors, Internal Audit Service (IAS)

Academic Risk Profile
- We are a business AND an academic institution and must provide security accordingly!
- We’ll never have security like a bank
- We can’t enforce corporate standards
- We must support a wide range of teaching and research and a degree of choice in the tools that staff and students can use

Security Facts & Figures
- We reject 3.5m spam emails per day
- We saw alerts on suspicious behaviour from 7000 external network addresses yesterday
- Anti-virus reported 120 desktop interceptions on campus yesterday
- We intercept around 100-150 email-borne malware items per day
- We detect and report 5-10 previously unseen viruses to Sophos each year

Security Model
The University Security Model: policy, IT security, physical security
- Defence in depth (the security “onion”): multiple, overlapping layers of security
- Security at different points in the network:
  - At the perimeter / gateway / choke points
  - On the server / at the service layer
  - At the desktop
  - Across the network backbone
- But … business first, technology second!

Security Policy
- You MUST have a security policy, approved by senior management, in order to have enforceable security
- ISO 27001 (aka ISO 17799, BS 7799) is the international standard for Information Security Management Systems
- Areas covered: security policy; organisation of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance
- Based on the Plan-Do-Check-Act model
- The University security policy is based on ISO 27001 but we are unlikely to seek certification at present

The Technology
At the perimeter / gateway / network level:
- Enterprise firewall: allow or deny traffic based on a set of rules
- Email gateway: spam and malware detection and prevention
- Secure web gateway: proxying web traffic to check for malware
- Bandwidth management: limit or guarantee bandwidth available for services
- Virtual LANs (VLANs): restrict the parts of the network specific traffic can reach
- Anomaly detection: measure network activity against a “normal” baseline
- Network access control

At the Perimeter: Enterprise Firewall
- Inspects packets entering or leaving the network against a defined rule set
- Allows or denies based on src and dest IP address and port
- Default Deny (“Deny everything except those services/protocols specifically required”), not Default Allow (“Allow everything, deny only known dangerous ports”)
- 2 x Juniper NetScreen 5200s with failover (Gigabit capable)
- Stateful packet inspection: knows which “conversations” are already in progress (prevents certain scans and attacks)
- Over 1200 firewall change requests since 2004
- Over 600 rules in our firewall rule set (Spitzer: 200 is complex)
- At default deny, network traffic dropped 50%, attacks 90%

Email Gateway
- Currently an open source solution on Linux: Exim, MailScanner, SpamAssassin, Sophos
- 10 mail relays! (5 incoming, 5 outgoing)
- 3.5m incoming emails per day, of which 200000 are accepted for processing (5%)
- Have employed “tag and pass” for too long!!!
- Decisions are not only about technological solutions
- Spam and malware handling is now a commodity item, so we are outsourcing to a managed service provider (Webroot)
- [Charts: Email RBL blocking; mail relayed; viruses identified; spam identified; incoming mail queue; Internet traffic]

Secure Web Gateway
- Over 80% of incoming network traffic from the Internet is the result of web browsing
- Attack payloads via email are dropping
- Attacks initiated from an HTML-formatted web page, with the payload delivered via the web, are increasing
- Current Squid proxy logs traffic and reduces the risk of malware getting off campus but …
- … this does not protect against most incoming threats
- So implementing a Finjan Secure Web Gateway

Web Gateway Capabilities
- Active real-time content inspection for detection and blocking of unknown attacks
- Zero-hour vulnerability protection via virtual patching
- Corporate anti-spyware solution for stopping known and unknown spyware at the gateway
- Anti-crimeware protects your sensitive business data
- Anti-phishing prevents identity theft
- SSL inspection for “in-box” scanning of HTTPS traffic and enforcement of SSL certificates
- Choice of leading anti-virus engines for protection against known viruses
- Choice of leading URL filtering engines for full control over your organization’s web browsing
- [Diagram: Processing Web Content]

Anomaly Detection
- In 2006 IS was looking for a solution to provide better monitoring of traffic across the network
- Looked at Intrusion Detection and Intrusion Prevention Systems (IDS/IDP)
- Decided these were not suitable for the wide range of research traffic on our network (which can break firewalls)
- Discovered the alternative approach of anomaly detection!
- It learns what is normal network behaviour for each computer on the network and alerts to significant changes in that behaviour

Detection Example
- In August 2003, the University was hit by the Blaster worm
- 1500 computers were infected in a few hours
- The immediate incident lasted two weeks
- Complete clean-up took four months
- We can now detect a worm-infected computer within minutes and, in most cases, prevent it from causing an outbreak before it affects the network

Network Access Control
- At the start of each academic year 8000 student-owned computers are connected to the Student Network Service (SNS) in Hall study bedrooms
- These computers arrive as unseen and unknown quantities; often they are not properly secured and are already infected with viruses and other malware
- They represent a potential threat to their fellow students, the SNS network and the wider campus network
- BUT IS is obliged to make them part of our community as soon as possible

Campus Manager I
- In 2005 IS introduced Campus Manager, which performs pre-connection health checks on student computers before it allows them access to the SNS and campus networks
- Campus Manager ensures that student machines:
  - Are fully patched with critical updates
  - Have anti-virus protection installed
  - Represent a minimal risk to the campus network

Sophos Upgrade
- Just upgraded from Sophos A/V to Sophos Security & Control
- No longer just A/V, now an end point security solution
- Anti-virus, anti-spyware, anti-adware
- Desktop firewall, detection of PUA, HIPS
- In future releases: NAC, device (USB, Bluetooth, IR), port & mobile control, data leak prevention

Sophos Architecture
- [Architecture diagram: Updates from Sophos; Sophos Console & EM Library; Sophos DBMS (sccapps); signature distribution web server; signature distribution file servers at Univ Park (Campus Network), Univ Park (Student Network), Jubilee Campus, Sutton Bonnington and King’s Meadow; desktop clients. Flows labelled “signatures & product updates, remediation” and “status information, interception reports”]

Social Engineering
- Humans are usually the weakest link in any chain of security
- You can provide policies and best practice, but you can’t force people to read them
- University members do respond to phishing attacks from time to time
- The best solutions to social engineering issues are usually ones that use technology in place to allow for possible human failings

Network Abuse
- Misconduct, gross misconduct and criminal activity by University members
- Yes, it does happen, but thankfully not that often
- Gross misconduct can lead to dismissal from the University
- Criminal activity can lead to prison
- IS does provide evidence for hearings, tribunals and police investigations and court cases
- ssshhh – Credit Card Scam Story

Summary
- Enterprise security is about scale
- You need policy, planning and architecture
- You must consider the business before technology
- Technology can sometimes reduce human factors but can’t always make up for human failings (or social engineering)
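The Enterprise Firewall slide contrasts Default Deny with Default Allow and notes that stateful inspection stops certain scans because the firewall knows which conversations are already open. The following toy packet filter is an added illustration of those two points, not the University's NetScreen configuration: the rule sets, the 10.0.0.0/8 campus range, the web server address and every packet are constructed for the example. Passing one packet sequence through both postures shows the practical difference: the default-allow set only stops ports someone already thought to list, while the default-deny set exposes nothing that was not explicitly requested.

```python
"""Toy stateful packet filter contrasting the Default Deny and Default Allow
postures from the Enterprise Firewall slide. Added example, not the
University's NetScreen configuration: rules, address ranges and packets
are all constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool   # True = first packet of a new conversation, False = continuation


@dataclass(frozen=True)
class Rule:
    src: str              # CIDR the source must fall in
    dst: str              # CIDR the destination must fall in
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


class StatefulFirewall:
    def __init__(self, rules, default: str):
        self.rules = rules
        self.default = default   # policy applied when no rule matches
        self.sessions = set()    # conversations the firewall saw being opened

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport)
        reply_key = (p.dst, p.dport, p.src, p.sport)
        if not p.syn:
            # Stateful inspection: a continuation packet is accepted only if it
            # belongs to a conversation already in progress. This is what drops
            # ACK-only probes that a stateless address/port filter would pass.
            return "allow" if key in self.sessions or reply_key in self.sessions else "deny"
        for rule in self.rules:   # first matching rule wins
            if rule.matches(p):
                if rule.action == "allow":
                    self.sessions.add(key)
                return rule.action
        if self.default == "allow":
            self.sessions.add(key)
        return self.default


CAMPUS = "10.0.0.0/8"         # constructed campus range
WEB_SERVER = "10.1.1.10/32"   # constructed public web server
ANY = "0.0.0.0/0"


def default_allow_firewall():
    # "Allow everything, deny only known dangerous ports" (constructed deny list)
    return StatefulFirewall([Rule(ANY, CAMPUS, 135, "deny"),
                             Rule(ANY, CAMPUS, 445, "deny")], default="allow")


def default_deny_firewall():
    # "Deny everything except those services/protocols specifically required"
    return StatefulFirewall([Rule(ANY, WEB_SERVER, 80, "allow"),
                             Rule(ANY, WEB_SERVER, 443, "allow"),
                             Rule(CAMPUS, ANY, None, "allow")], default="deny")


def run_comparison():
    """Pass the same constructed packet sequence through both postures and
    return {label: (default-allow decision, default-deny decision)}."""
    packets = [
        ("inbound HTTP to web server", Packet("198.51.100.7", "10.1.1.10", 40001, 80, True)),
        ("inbound to unlisted desktop port", Packet("198.51.100.7", "10.2.3.4", 40002, 3389, True)),
        ("inbound to listed dangerous port", Packet("198.51.100.7", "10.2.3.4", 40003, 135, True)),
        ("inbound ACK with no session", Packet("198.51.100.7", "10.2.3.4", 40004, 22, False)),
        ("outbound HTTPS from desktop", Packet("10.2.3.4", "203.0.113.5", 50000, 443, True)),
        ("reply to the outbound HTTPS", Packet("203.0.113.5", "10.2.3.4", 443, 50000, False)),
    ]
    fw_allow, fw_deny = default_allow_firewall(), default_deny_firewall()
    return {label: (fw_allow.filter(p), fw_deny.filter(p)) for label, p in packets}


if __name__ == "__main__":
    for label, (allow_posture, deny_posture) in run_comparison().items():
        print(f"{label:36} default-allow={allow_posture:5} default-deny={deny_posture}")
```

The second packet is the one that matters: under default allow an unrequested service on a desktop is reachable from the Internet simply because nobody listed its port, whereas under default deny it is dropped without any rule change. The fourth packet is dropped by both postures for a different reason, the session table, which is the stateful behaviour the slide credits with preventing certain scans.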
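The Anomaly Detection slides describe a system that learns what is normal for each computer and alerts on significant change, and the Blaster example explains why that matters: a worm announces itself by a host suddenly talking to far more peers than it ever did before. The following is an added sketch of that idea, not the product the University deployed. It baselines each host on distinct destinations contacted per minute over a quiet training window, then scores a live window by z-score; the flow records, hosts, threshold and sigma floor are all constructed for the example.

```python
"""Per-host behavioural baseline of the kind the Anomaly Detection slide
describes: learn what is normal for each computer, then alert on a
significant change. Added example, not the University's product; the flow
records and thresholds are constructed for illustration."""
from collections import defaultdict
from statistics import mean, pstdev


def distinct_peers_per_minute(flows):
    """flows: iterable of (minute, src, dst). Returns {src: {minute: distinct dsts}}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for minute, src, dst in flows:
        buckets[src][minute].add(dst)
    return {src: {m: len(peers) for m, peers in mins.items()}
            for src, mins in buckets.items()}


def learn_baseline(training_flows, window_minutes):
    """Per host: mean and population std-dev of distinct peers per minute.
    Quiet minutes count as zero so an idle host gets a low baseline."""
    counts = distinct_peers_per_minute(training_flows)
    baseline = {}
    for host, per_min in counts.items():
        series = [per_min.get(m, 0) for m in range(window_minutes)]
        baseline[host] = (mean(series), pstdev(series))
    return baseline


def detect(baseline, live_flows, threshold=3.0, sigma_floor=1.0):
    """Return (host, minute, peers, z) for each minute a host exceeds its
    baseline by `threshold` standard deviations. sigma_floor stops a host that
    was perfectly regular in training (sigma 0) from alerting on one extra peer."""
    counts = distinct_peers_per_minute(live_flows)
    alerts = []
    for host, per_min in counts.items():
        mu, sigma = baseline.get(host, (0.0, 0.0))   # unseen host: no learned normal
        sigma = max(sigma, sigma_floor)
        for minute, peers in sorted(per_min.items()):
            z = (peers - mu) / sigma
            if z >= threshold:
                alerts.append((host, minute, peers, round(z, 1)))
    return alerts


def constructed_training(window_minutes=60):
    """Constructed quiet period: a desktop talking to 2-4 peers a minute and a
    sensor talking to a single peer every minute."""
    flows = []
    for m in range(window_minutes):
        for k in range(2 + m % 3):
            flows.append((m, "10.2.3.4", f"192.0.2.{k + 1}"))
        flows.append((m, "10.2.3.5", "192.0.2.200"))
    return flows


def constructed_live():
    """Constructed live window: the desktop is normal for two minutes, then
    contacts dozens and then over a hundred distinct hosts per minute, the
    spreading pattern a worm-infected machine produces."""
    flows = []
    for m, peers in enumerate([3, 4, 40, 120]):
        for k in range(peers):
            flows.append((m, "10.2.3.4", f"192.0.2.{k + 1}"))
    for m, peers in enumerate([1, 1, 1, 2]):
        for k in range(peers):
            flows.append((m, "10.2.3.5", f"192.0.2.{200 + k}"))
    return flows


def run_demo():
    baseline = learn_baseline(constructed_training(), 60)
    return detect(baseline, constructed_live())


if __name__ == "__main__":
    for host, minute, peers, z in run_demo():
        print(f"ALERT {host} minute {minute}: {peers} distinct peers (z={z})")
```

Nothing in the detector knows what Blaster is; the desktop is flagged in the minute its behaviour departs from its own history, which is the property the slide contrasts with signature-based IDS. The sensor's one extra peer in the last minute does not fire, because the sigma floor keeps a perfectly regular host from alerting on trivial change. Note that the baseline is per host, so a research machine that legitimately talks to hundreds of peers learns that as its normal rather than tripping the alarm.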