1

http://www.more.net

University of Missouri System

Security – Defending your Customers from Themselves

StateNets Annual MeetingFebruary, 2004

2

Security, what do we do?

• What do we do to protect ourselves?• What do we do to protect our

customers?• What do we do to our customers?• If this is where we are today, where

should we be tomorrow?

3

What do we do to protect ourselves?

• Physical security• Backup and TEST RESTORES!• Internal awareness

– Monitor most appropriate lists– Membership in security organizations

• Configuration control– Protected circuits– Tripwire OS and configuration files– Evaluate and Patch OS– Change control

4

What do we do to protect ourselves?

• Limit access– Size-appropriate connections – limit DoS,

DDoS participation– Require SSH for shell accounts– Radius authentication/access logs– Disable unused services– Packet filtering software firewalls– Enforce complex, limited-life passwords

5

What do we do to protect ourselves?

• Monitor and Maintain– Intrusion detection for core systems– Network scanners– READ THE LOGS! Logcheck– Follow-up

6

What do we do to protect ourselves?

• Disaster Recovery/Risk Profile– Carrier-class or Enterprise-class equipment– Vendor maintenance – understand ”Acts of

God” clauses– Document recovery

procedures/responsibilities– Sponsor/Bill Payers understand and accept

risks

7

What do we do for our customers?

• Managed services – web and mail hosting• Virus filtering for managed mail services• Spam filtering for managed mail services• Remote Vulnerability Assessment• Awareness/Education

– Formal training

• Customer advisories

8

What do we do for our customers?

• Incidence Response• Monitored endpoints at customer edge

– Proactive connectivity and performance monitoring

– Reactive security monitoring

• Provide customer network tools– Netflow – MRTG– NetHealth– “looking glass” utilities

9

What do we do to our customers?

• Acceptable Use Policy– “reasonable efforts”

• Access lists– Block offending servers, connection– Block outside attacks

• “Open Relay” Scans

10

If this is where we are today, where do think we should be tomorrow?

• Proactive security measures– Better intrusion detection, automatic

notification• Security policy

– Require desktop virus scanning• Central security services –

– Cross institution authentication

11

If this is where we are today, where do think we should be tomorrow?

• Customer Services– Security Operations Center – Enhanced Advisory Services (awareness of new

developments before formal public advisories, enhanced information sharing)

– Managed Firewall Service– Managed Intrusion Detection – Managed Event Response– On-site vulnerability/audit services

12

MOREnet Security Link

• http://www.more.net/security/index.html