Providing secure open-access networks
Oliver Gorwits
Oxford University Computing Services

Workshop Outline
- Review of the Problem Domain
- Designing secure open-access networks
  - Incl. software and hardware choices
- Implementing secure open-access networks
  - OUCS and Libraries
- Q&A

Problem Domain
- Summer 2003: large-scale Internet worms
- Widespread laptop use
- Catch-22 for software updates
- Network security vs. University business

Statutes and Regulations
- ICTC Regulations
  - Monitoring (4)
  - Viruses (7.11)
  - Resources (13.2, 13.3)
- JANET Acceptable Use Policy
  - Non-member use

Designing the Network

Use Cases (1)
Vital!
- Humans: who
- Applications: what
- Computers: how
- Locations: where and when

Use Cases (2)
- OUCS Helpcentre
  - MS, Antivirus updates
- Building visitors
  - Lectures, Conferences
- Larger scale non-full-member
  - Library Readers: odd services

Network Integration (1)
- Cabling and Switch-gear
  - Mix-in with existing infrastructure
  - New or refurbished facility
- Labelling and Identification
  - Distribution cables
  - Port faceplates

Network Integration (2)
- IP space
  - Address and port translation
- Hardware Configuration
  - Backup management
  - Avoid the replacement-exposure problem

Managing Users
- Controlled access
  - Physical, to the building
  - Virtual, to the network
- Accounting
  - Open-access means unknown user?
- Supervision

Network Access
- Firewall rules
  - Refer to the Use Case
- OUCS: restricted
  - Official service servers only
  - Transparent HTTP redirect
  - Default deny in both directions

Basic Topologies
- VLANs
  - Vendor support
- NAT
  - Software or Appliance
- DHCP
  - Client support (MacOS pre-X)

Hardware
- Off the shelf appliances
  - Cisco PIX: DHCP & NAT
- Open Source
  - Linux/*BSD with daemons
- Black box solutions
  - Bluesocket: Web interface

Software
- Packet Filtering
  - iptables / ipfw
- Scanning
  - Commercial
    - Various; see Google
  - Non-commercial
    - nmap, nessus

Implementing the Network

OUCS Visitors Network (1)
- Mix-in with existing helpcentre network
- VLAN per user into managing devices
- Minimum ongoing maintenance
- No peer to peer communications
- Intended for MS/AV updates and teachers
- Restrictive service

OUCS Visitors Network (2)
[Network diagram: Backbone; Cisco PIX 515; VLAN trunk; C2950 with protected ports (Vlan100, Vlan103); Helpcentre Distribution Switch (Vlan100)]

OUCS Visitors Network (3)
- Access Control List:
  - Default deny incoming and outgoing
  - OUCS: NTP, DNS, SMTP, HFS, NNTP, VPN
  - Also SSH, FTP, POP, IMAP to anywhere
  - OLIS on the telnet port
- Transparent HTTP redirect via OUCS proxy
- Minimal accounting; limited availability

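The visitors ACL above, written out as an iptables ruleset for a Linux router between the visitors VLAN and the backbone (the deck lists iptables among the packet-filtering options). This is an added example, not the OUCS configuration: the interface name, the server addresses and the proxy port are placeholders, and HFS and VPN are left out because the deck gives no ports for them.

```shell
#!/bin/sh
# Added example (not from the original talk): default deny both ways, listed
# services only to the OUCS servers, SSH/FTP/POP/IMAP anywhere, telnet only
# to OLIS, HTTP redirected to the proxy. Values below are assumed placeholders.
IPT="${IPT:-echo iptables}"        # dry-run: prints rules; set IPT=iptables (as root) to apply
VIS="${VIS:-eth1}"                 # assumed: router interface on the visitors VLAN
OUCS="${OUCS:-192.0.2.0/24}"       # assumed: range holding the official OUCS service servers
PROXY="${PROXY:-192.0.2.80}"       # assumed: transparent HTTP proxy
PROXY_PORT="${PROXY_PORT:-3128}"   # assumed: proxy listening port
OLIS="${OLIS:-192.0.2.23}"         # assumed: library catalogue (OLIS) host

visitor_rules() {
    # Default deny in both directions: nothing is forwarded unless listed below,
    # and the policy alone blocks all sessions originating from the backbone.
    $IPT -P FORWARD DROP
    $IPT -F FORWARD
    $IPT -t nat -F PREROUTING
    # Replies to permitted sessions may return.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # No peer-to-peer traffic between visitors (L3 backstop to the switch's protected ports).
    $IPT -A FORWARD -i "$VIS" -o "$VIS" -j DROP
    # Services permitted only to the OUCS servers (HFS and VPN omitted: ports not given).
    for svc in udp:123 udp:53 tcp:53 tcp:25 tcp:119; do
        proto=${svc%:*}; port=${svc#*:}
        $IPT -A FORWARD -i "$VIS" -d "$OUCS" -p "$proto" --dport "$port" -j ACCEPT
    done
    # SSH, FTP, POP and IMAP to anywhere; FTP data channels depend on the
    # nf_conntrack_ftp helper being loaded so the RELATED rule above admits them.
    for port in 22 21 110 143; do
        $IPT -A FORWARD -i "$VIS" -p tcp --dport "$port" -j ACCEPT
    done
    # Telnet only to the OLIS host, never to arbitrary destinations.
    $IPT -A FORWARD -i "$VIS" -d "$OLIS" -p tcp --dport 23 -j ACCEPT
    # Transparent HTTP redirect: rewrite port-80 traffic to the OUCS proxy,
    # then permit the rewritten flow through the filter.
    $IPT -t nat -A PREROUTING -i "$VIS" -p tcp --dport 80 -j DNAT --to-destination "$PROXY:$PROXY_PORT"
    $IPT -A FORWARD -i "$VIS" -d "$PROXY" -p tcp --dport "$PROXY_PORT" -j ACCEPT
}

visitor_rules
```

Only the FORWARD path is covered; the router's own INPUT and OUTPUT chains need their own policy.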
Libraries Reader Network (1)
- Permissive service due to user requirements
  - Orthogonal to OUCS service
- Large number of (potential) users
  - Need to pre-register
- Multiple sites and networks
  - No site-local IT support

Libraries Reader Network (2)
[Network diagram: Backbone; Firewall; File Server (MAC addresses); Library Distribution Switch; Scanning Station; Library Protected-Port Switch; reader PCs]

Libraries Reader Network (3)
- Known limitations:
  - Possible post-registration infection
  - Annual client registration expiry
  - Scanning Station incompatibility

Q&A