uw network security 2003
DESCRIPTION
uw network security 2003. Terry Gray, University of Washington Computing & Communications, 17 October 2003. UW campus network (backbone): border router, border router, backbone switches, ~30 level one routers, subnets (733 total; 150 C&C); over 60,000 live devices.
TRANSCRIPT
uw network security 2003
Terry Gray
University of Washington
Computing & Communications
17 October 2003
UW campus network (backbone)
border router
border router
backbone switches
~ 30 level one routers
subnets (733 total; 150 c&c); over 60,000 live devices
UW campus network (typical subnet)
Level One Router
Aggregation Switch
Edge Switch Edge Switch Edge Switch
campus subnets are a mixture of
• shared 10Mbps
• switched 10Mbps
• switched 10/100Mbps
network facilities
typical core routers
campus network traffic
Pacific Northwest Gigapop
The PNW’s access point to next generation Internets, including Internet2, high performance USA Federal Networks, and high speed commodity Internet
A high speed peering point for regional and international networks
R&D testbed inviting national and international experimentation with advanced Internet-based applications
Pacific Northwest Gigapop
uw border
uw border
3 diverse network providers
Internet2
national & internat’nl nets
• Internet2 2.5Gbps (10Gbps upgrade underway)
• Three different 1Gbps connections to the Internet
• Multiple gigabits of connections to other networks
30+ network customers
K-12 (307)
Community/Technical College (73)
Public Baccalaureate (50)
Library (65 in process)
Independent Colleges (9 approved)
K20 Network Sites
seven security axioms
1. Network security is maximized when we assume there is no such thing.
2. Large security perimeters mean large vulnerability zones.
3. Firewalls are such a good idea, every computer should have one. Seriously.
4. Remote access is fraught with peril, just like local access.
5. One person's security perimeter is another's broken network.
6. Isolation strategies are limited by how many PCs you want on your desk.
7. Network security is about psychology as much as technology.
Bonus: never forget that computer ownership is not for the faint-hearted.
credo
focus first on the edge (perimeter protection paradox)
add defense in depth as needed
keep it manageable
provide for local policy choice... avoid one-size-fits-all
gray’s defense-in-depth conjecture
MTTE (exploit) = k * N**2
MTTI (innovation) = k * N**2
MTTR (repair) = k * N**2
where N = number of layers
C&C security activities
logical firewalls
project 172
network infrastructure protection
reverse IDS (local infection detection)
auto-block; self-reenable
traffic monitoring tools
who/where traceability tools
nebula
proactive probing
honeypots
security operations
training; consulting