Enterprise Security: Protecting the Campus Network. Paul Kennedy, Security & Compliance Group Leader, Information Services

Post on 20-Jun-2015


Page 1: Overview of IT Security at Nottingham

Enterprise Security: Protecting the Campus Network

Paul Kennedy, Security & Compliance Group Leader

Information Services

Page 2: Overview of IT Security at Nottingham

Objectives

- An introduction to practical IT security
- Some background on enterprise issues
- The campus network
- Samples of some technologies used
- Examples from the battlefront
- Technology Demo (if time allows)

Page 3: Overview of IT Security at Nottingham

What is an enterprise?

“a unit of economic organization or activity; especially : a business organization”

What defines an enterprise: scale, purpose and cohesion

- Is the University an enterprise? Yes!
  » “A place of learning, research, academic endeavour, advancement of knowledge”
  » “A £380m global business with 5500 staff and 36000 customers”

Page 4: Overview of IT Security at Nottingham

Enterprise security

So what is enterprise security about?
- Protection of an entity where the scale is a factor in the decisions made (e.g. number of users, computers; size of network or bandwidth of the links; cost of solutions)
- Protection of an entity where the aims of the organisation need to be taken into consideration (e.g. business requirements)
- Protection of an organisation where the human factor becomes critical to success

Page 5: Overview of IT Security at Nottingham

The University enterprise

Facts & Figures
- An international University with campuses in the UK, China and Malaysia
- 36000 students and 5500 staff in the UK
- Numerous campuses
  » In Nottingham: Univ Park, Jubilee, Sutton Bonnington, King’s Meadow, QMC, City Hospital, Shakespeare St
  » In the East Midlands: DCGH, DRI, Mansfield, Lincoln, Boston, Grantham
  » Further afield: offices in London, Brazil, Shanghai, overseas campuses

Page 6: Overview of IT Security at Nottingham

Campus Network

- 12000 machines on the campus network
  » Servers, desktops, laptops, network equipment, lab equipment, printers, VoIP devices, CCTV cameras, temperature sensors, cash tills, door access, building management system
- 8000 computers on the student network (SNS)
- 10 Gbps across the campus backbone
- 2 x 1Gbps + 1 x 100Mbps connections to East Midlands MAN (EMMAN) and JANET
- State-of-the-art “lights-out” primary data centre at KMC, secondary data centre (inc HPC) at CCC South

Is this a LAN or a WAN or a MAN?

Page 7: Overview of IT Security at Nottingham
Page 8: Overview of IT Security at Nottingham

The Academic Business

The business:
- Financial management of £380m
- HR management of 5500 staff records
- SR management of 36000 student records

UK legislation
- Data Protection Act (DPA), Freedom of Information (FoI), Human Rights Act (HRA) and more
- Regulation of Investigatory Powers Act (RIPA)

Corporate Governance
- External auditors, Internal Audit Service (IAS)

Page 9: Overview of IT Security at Nottingham

Academic Risk Profile

- We are a business AND an academic institution and must provide security accordingly!
- We’ll never have security like a bank
- We can’t enforce corporate standards
- We must support a wide range of teaching and research and a degree of choice in the tools that staff and students can use

Page 10: Overview of IT Security at Nottingham

Security Facts & Figures

- We reject 3.5m spam emails per day
- We saw alerts on suspicious behaviour from 7000 external network addresses yesterday
- Anti-virus reported 120 desktop interceptions on campus yesterday
- We intercept around 100-150 email-borne malware items per day
- We detect and report 5-10 previously unseen viruses to Sophos each year

Page 11: Overview of IT Security at Nottingham

Security Model

The University Security Model
- Policy, IT Security, Physical Security
- Defence in depth (the security “Onion”)
  » Multiple, overlapping layers of security
  » Security at different points in the network: at the perimeter / gateway / choke points; on the server / at the service layer; at the desktop; across the network backbone

But … Business first, Technology Second!

Page 12: Overview of IT Security at Nottingham

Security Policy

- You MUST have a security policy, approved by senior management, in order to have enforceable security
- ISO 27001 (aka ISO 17799, BS 7799) is the international standard for Information Security Management Systems
  » Security policy; Organisation of information security; Asset management; Human resources security; Physical and environmental security; Communications and operations management; Access control; Information systems acquisition, development and maintenance; Information security incident management; Business continuity management; Compliance.
  » Based on the Plan-Do-Check-Act model
- The University security policy is based on ISO 27001 but we are unlikely to seek certification at present

Page 13: Overview of IT Security at Nottingham

The Technology

At the perimeter / gateway / network level
- Enterprise firewall: allow or deny traffic based on a set of rules
- Email gateway: spam and malware detection and prevention
- Secure web gateway: proxying web traffic to check for malware
- Bandwidth management: limit or guarantee bandwidth available for services
- Virtual LANs (VLANs): restrict the parts of the network specific traffic can reach
- Anomaly detection: measure network activity against a “normal” baseline
- Network access control

Page 14: Overview of IT Security at Nottingham

At the Perimeter

Enterprise Firewall
- Inspects packets entering or leaving the network against a defined rule set
- Allows or denies based on src and dest IP address and port
- Default Deny (“Deny everything except those services/protocols specifically required”) not Default Allow (“Allow everything, deny only known dangerous ports”)
- 2 x Juniper NetScreen 5200s with failover (Gigabit capable)
- Stateful packet inspection: knows which “conversations” are already in progress (prevents certain scans and attacks)
- Over 1200 firewall change requests since 2004
- Over 600 rules in our firewall rule set (Spitzer: 200 is complex)
- At default deny, network traffic dropped 50%, attacks 90%
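The default-deny and stateful-inspection points above, as an added example that is not part of the original slides: a small first-match packet filter in Python with a constructed rule set. The 10.0.0.0/16 range, the hosts and the ports are assumed values, not the University's real addressing. The same probe to an unpublished port is dropped under default deny and passed under default allow, and a packet that merely looks like a reply is only let through when the outbound half of the conversation was seen first.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import List, Optional, Tuple

Packet = namedtuple("Packet", "src sport dst dport proto", defaults=("tcp",))

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source network, CIDR notation
    dst: str                     # destination network, CIDR notation
    dport: Optional[int] = None  # None matches any destination port
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or p.dport == self.dport))

class StatefulFirewall:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default = rules, default
        self.conversations = set()  # 5-tuples of flows already allowed through

    def filter(self, p: Packet) -> str:
        # The reply half of a known conversation passes without consulting the rules;
        # an unsolicited packet that merely looks like a reply gets no such shortcut.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in self.conversations:
            return "allow"
        verdict = next((r.action for r in self.rules if r.matches(p)), self.default)
        if verdict == "allow":
            self.conversations.add(tuple(p))
        return verdict

CAMPUS = "10.0.0.0/16"  # constructed campus range, not the University's real addressing
RULES = [
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", 443),  # the one published service
    Rule("allow", CAMPUS, "0.0.0.0/0"),               # outbound traffic from campus
]

def campus_verdicts(default: str) -> Tuple[str, str, str, str]:  # four constructed packets
    fw = StatefulFirewall(RULES, default)
    web = fw.filter(Packet("198.51.100.7", 51000, "10.0.1.10", 443))    # published service
    probe = fw.filter(Packet("198.51.100.7", 51001, "10.0.5.20", 135))  # unpublished port
    fake = fw.filter(Packet("203.0.113.9", 80, "10.0.5.20", 40000))     # unsolicited "reply"
    fw.filter(Packet("10.0.5.20", 40000, "203.0.113.9", 80))            # real outbound request
    reply = fw.filter(Packet("203.0.113.9", 80, "10.0.5.20", 40000))    # genuine reply
    return web, probe, fake, reply
```

With the default set to "deny" the probe and the fake reply are dropped while the published service and the genuine reply pass; with "allow" every one of the four packets is let in, which is the gap the slide's default-deny stance closes.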

Page 15: Overview of IT Security at Nottingham

Email Gateway

- Currently an open source solution on Linux: Exim, MailScanner, SpamAssassin, Sophos
- 10 mail relays! (5 incoming, 5 outgoing)
- 3.5m incoming emails per day, of which 200000 are accepted for processing (5%)
- Have employed “tag and pass” for too long!!!
- Decisions are not only about technological solutions
- Spam and malware handling is now a commodity item, so we are outsourcing to a managed service provider, Webroot

Page 16: Overview of IT Security at Nottingham

Email RBL Blocking (charts: Mail Relayed; Viruses Identified; Spam Identified; Incoming Mail Queue)

Page 17: Overview of IT Security at Nottingham

Internet Traffic

Page 18: Overview of IT Security at Nottingham

Secure Web Gateway

- Over 80% of incoming network traffic from the Internet is the result of web browsing
- Attack payloads via email are dropping
- Attacks initiated from an HTML formatted web page with the payload delivered via the web are increasing
- Current Squid proxy logs traffic and reduces risk of malware getting off campus, but … this does not protect against most incoming threats
- So implementing a Finjan Secure Web Gateway

Page 19: Overview of IT Security at Nottingham

Web Gateway Capabilities

- Active real-time content inspection for detection and blocking of unknown attacks
- Zero-hour vulnerability protection via virtual patching
- Corporate Anti-Spyware solution for stopping known and unknown Spyware at the gateway
- Anti-Crimeware protects your sensitive business data
- Anti-Phishing prevents identity theft
- SSL Inspection for “in-box” scanning of HTTPS traffic and enforcement of SSL certificates
- Choice of leading Anti-Virus engines for protection against known viruses
- Choice of leading URL Filtering engines for full control over your organization’s web browsing

Page 20: Overview of IT Security at Nottingham

Processing Web Content

Page 21: Overview of IT Security at Nottingham
Page 22: Overview of IT Security at Nottingham

Anomaly Detection

- In 2006 IS was looking for a solution to provide better monitoring of traffic across the network
- Looked at Intrusion Detection and Intrusion Prevention Systems (IDS/IDP)
- Decided these were not suitable for the wide range of research traffic on our network (which can break firewalls)
- Discovered the alternative approach of anomaly detection!
- It learns what is normal network behaviour for each computer on the network and alerts to significant changes in that behaviour

Page 23: Overview of IT Security at Nottingham

Detection Example

Example: In August 2003, the University was hit by the Blaster worm.
- 1500 computers were infected in a few hours
- The immediate incident lasted two weeks
- Complete clean up took four months

We can now detect a worm infected computer within minutes and, in most cases, prevent it from causing an outbreak before it affects the network
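The per-computer baseline idea on pages 22 and 23, as an added example that is not from the original slides or from any product the University used: it learns each host's normal fan-out (distinct destinations contacted per minute) from a constructed quiet period and alerts when a host's fan-out jumps well above its own baseline, which is the shape of the worm outbreak described above. The host names, ports, sample traffic and thresholds are assumed values.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# A flow record is (minute, source host, destination host, destination port).
Flow = Tuple[int, str, str, int]

def fan_out_per_minute(flows: List[Flow]) -> Dict[str, Dict[int, int]]:
    """Distinct destinations each host contacted in each minute."""
    seen = defaultdict(lambda: defaultdict(set))
    for minute, src, dst, _port in flows:
        seen[src][minute].add(dst)
    return {h: {m: len(d) for m, d in mins.items()} for h, mins in seen.items()}

def learn_baseline(flows: List[Flow]) -> Dict[str, Tuple[float, float]]:
    """Per-host mean and standard deviation of fan-out during the learning window."""
    baseline = {}
    for host, per_min in fan_out_per_minute(flows).items():
        counts = list(per_min.values())
        baseline[host] = (statistics.mean(counts), statistics.pstdev(counts))
    return baseline

def detect(baseline, flows: List[Flow], k: float = 3.0, floor: int = 5) -> List[Tuple[str, int, int]]:
    """Alert on (host, minute, fan-out) where fan-out is far above that host's own normal."""
    alerts = []
    for host, per_min in fan_out_per_minute(flows).items():
        mean, sd = baseline.get(host, (0.0, 0.0))  # never-seen host: no history at all
        threshold = mean + max(k * sd, floor)       # absolute floor stops quiet hosts alerting on noise
        for minute, count in sorted(per_min.items()):
            if count > threshold:
                alerts.append((host, minute, count))
    return alerts

# Constructed sample traffic (not real campus data): five quiet minutes to learn from,
# then one minute in which desktop-a fans out to forty neighbours on a single port.
LEARNING: List[Flow] = (
    [(m, "desktop-a", d, 445) for m in range(5) for d in ("fileserver", "mailhost")]
    + [(m, "desktop-a", "webproxy", 8080) for m in (1, 3)]
    + [(m, "desktop-b", "webproxy", 8080) for m in range(5)]
)
OBSERVED: List[Flow] = (
    [(9, "desktop-a", f"10.0.5.{i}", 135) for i in range(1, 41)]
    + [(9, "desktop-b", "webproxy", 8080), (9, "desktop-b", "mailhost", 25)]
)

def run_demo() -> List[Tuple[str, int, int]]:
    return detect(learn_baseline(LEARNING), OBSERVED)
```

Because the threshold is relative to each host's own history, desktop-a is flagged in the first minute of scanning while desktop-b, which added one extra destination, stays silent.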

Page 24: Overview of IT Security at Nottingham

Network Access Control

At the start of each academic year 8000 student owned computers are connected to the Student Network Service (SNS) in Hall study bedrooms

These computers arrive as unseen and unknown quantities; often they are not properly secured and are already infected with viruses and other malware

They represent a potential threat to their fellow students, the SNS network and the wider campus network BUT IS is obliged to make them part of our community as soon as possible

Page 25: Overview of IT Security at Nottingham

Campus Manager I

- In 2005 IS introduced Campus Manager, which performs pre-connection health checks on student computers before it allows them access to the SNS and campus networks
- Campus Manager ensures that student machines:
  » Are fully patched with critical updates
  » Have anti-virus protection installed
  » Represent a minimal risk to the campus network

Page 26: Overview of IT Security at Nottingham

Sophos Upgrade

- Just upgraded from Sophos A/V to Sophos Security & Control
- No longer just A/V, now an End Point security solution
  » Anti-virus, anti-spyware, anti-adware
  » Desktop firewall, detection of PUA, HIPS
- In Future Releases: NAC, device (USB, Bluetooth, IR), port & mobile control, data leak prevention

Page 27: Overview of IT Security at Nottingham

Sophos Architecture

Diagram components:
- Sophos Console & EM Library (updates from Sophos)
- Sophos DBMS (sccapps)
- Signature distribution web server
- Signature distribution file servers: Univ Park (Campus Network), Univ Park (Student Network), Jubilee Campus, Sutton Bonnington, King’s Meadow
- Desktop Clients
- Flows shown: signatures & product updates, remediation; status information, interception reports

Page 28: Overview of IT Security at Nottingham

Social Engineering

Humans are usually the weakest link in any chain of security

You can provide policies and best practice, but you can’t force people to read it

University members do respond to phishing attacks from time to time

The best solutions to the social engineering issue are usually ones that have technology in place to allow for possible human failings

Page 29: Overview of IT Security at Nottingham

Network Abuse

- Misconduct, gross misconduct and criminal activity by University members
- Yes, it does happen, but thankfully not that often
- Gross misconduct can lead to dismissal from the University
- Criminal activity can lead to prison
- IS does provide evidence for hearings, tribunals and police investigations and court cases
- ssshhh – Credit Card Scam Story

Page 30: Overview of IT Security at Nottingham

Summary

- Enterprise security is about scale
- You need policy, planning and architecture
- You must consider the business before technology
- Technology can sometimes reduce human factors but can’t always make up for human failings (or social engineering)