January 2006 Common Solutions Group 1
Network Based Security
Looking at the future of university networking…
CSG Network/Subnet Poll (1)
• Asked on:
– Ednog ([email protected])
– Netguru (http://security.internet2.edu/docs/internet2-salsa-topics-advanced-network-management-200511.html)
– Virtnet
• Heard from (in no particular order): Berkeley, Columbia, UBuffalo, Stanford, UCLA, VT, Cornell, Yale, Duke, CMU, Northwestern, Colorado, UMich
CSG Network/Subnet Poll (2):
• Complicated technical issues
– VLANs, VLANs, everywhere…
• History of subnetting for manageability
– Smaller broadcast domains
– Tracking addresses for abuse
• Future of subnetting for service differentiation
– Traffic isolation for real and imagined safety
– Differential firewall policy (users, services, multi-tier web services)
– Pre-auth, 802.1X for VLAN assignment, quarantine subnets
– Isolated subnets for customer firewalling
– Infrastructure devices: no need for remote access
– Address preservation, RFC 1918 (NAT-ed and not)
– Networking ‘for-fee’
CSG Network/Subnet Poll (3)
• A few more issues
– Spanning tree isn’t “a fun thing”
– VLANs != subnets
– Some campus trunks, mostly avoided
– Need tools for VLAN management
– Lots of ‘not-so-smart’ devices
– Edge security is preferred; defense in depth is necessary
– Need lots of tools, particularly with dynamics
– Didn’t ask the VPN question…
– Didn’t ask the lambda question…
Asking a little differently…
How many of you now, or in the future, will:
• Offer more than one class of network connectivity?
• Require VPNs for remote access to many apps?
• Require network admission control (pre-access)?
– For wired
– For wireless
• Offer (or allow) subnet firewalls?
• Offer dedicated lambdas?
Stanford Governance Pressure
• University enterprise risk management
• Internal Audit & Info Security Officer
• External Audit of Systems
• Faculty Governance Committee
• Administrative Governance Committee
Key UW-Madison Strategies
• Deploy a three-zone network with clear standards and policies for each zone
• Build relationships and understanding between central net-admins, department net-admins, and other campus interests
• Empower (training and tools) department net-admins to manage things that are important to them using a powerful set of web-based network monitoring and administration tools
AANTS: Authorized Agent Network Tool Suite
• Loosely-coupled set of web-based utilities for network administration
• Tools are team-developed in-house, optimized toward local networking practices, driven by user need
• About 244 trained network administrators across campus
• Allow users (campus LAN administrators and network engineers) to manage network devices, change device configurations, troubleshoot, inspect traffic data, coordinate with users, and perform other network management tasks