Defending the campus juniper networks

Education

Published on March 11, 2014

Author: Brozaa

Source: slideshare.net

Description

More info: http://goo.gl/LYQuss

Copyright © 2004 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net

Slide 1: Defending the Campus
Ed Lopez – Emerging Technologies

Slide 2: "The Headlines"
• "'MafiaBoy' DDoS Attack Via University Network"
• "Postdoc Arrest Linked to Intellectual Property Theft from University Labs"
• "Hack on University Exposes 1.4M Social Security Numbers"
• "Universities Fear 6th of Month as Klez Virus Re-erupts"
• "RIAA Sues Campus File-Swappers"
• "Weak Security Causes University to Ban Unauthorized Wi-Fi on Campus Nets"
• "Campus Networks: Havens for Spammers?"
• "Vital Files Exposed in University Hacking, 32,000 Students and Employees Affected"

Slide 3: Our Users – Our Problem
• Students – Bandwidth, Active Threat, No Standards
• Faculty – Openness, Intellectual Property, Communication
• Administration – Privacy/Financial/Academic Data, Web Services
• Facilities/Security – Operations, Logistics, Emergency Services
• Health Services – HIPAA, Medical Support Systems
• Externals – Support for Gov't Projects, External/Joint Academics, Libraries, Research

Slide 4: Security Is in How We Access Our Networks
• Dormitories – Wired/Wireless, >1 host per student
• Libraries – Shared systems, public/anonymous access
• Commons – Wireless, rogues, 'evil twins'
• Telecommuters – Commuting Students, Off-Campus Housing, Fraternities/Sororities, 'Starbucks' and other community outlets
• Educational Areas – May have specialized requirements, especially science departments
• Health Services & Administration – Autonomous but linked
• Externals – Dedicated support requirements, threat from external security breaches

Slide 5: Campuses – Crucibles for New Technologies and Security Issues
• Varied OS Support: Windows (multiple versions), MacOS, Linux, BSD, Palm, PocketPC, new handhelds
• No Personal Firewall/Anti-Virus Standards
• VoIP: Internally supported, Vonage, etc.
• Authentication: Passwords (weak), Tokens, SSN vs. Unique Number, Single Sign-On vs. Segmentation
• Wireless vs. Wired
• Many Back Channels: POP3, IM, IRC, P2P, FTP, etc.
• Music: P2P vs. Legal Downloads

Slide 6: What We Intended (diagram only)

Slide 7: What We Ended Up With (diagram; label: Social Engineering)

Slide 8: Firewalls Alone Are Not Enough
• A TCP/80 client session:
  • Is it MSIE?
  • Is it Mozilla Firefox?
  • Is it a Warez P2P session?
• Firewalls, even with application intelligence, only deal with Layers 3 and 4
• But with the convergence of multiple applications around well-known ports and protocols, how do we differentiate the legitimate ones from the rogue ones?
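To make the slide's point concrete, here is an added example (not from the deck) that runs a port-based Layer 3/4 rule and a payload-inspecting Layer 7 classifier over three constructed TCP/80 sessions: two browser requests and one BitTorrent peer handshake. The Flow record, the rule names and the sample payloads are assumptions for illustration.

```python
"""Port-based vs payload-based classification of constructed TCP/80 flows."""
import re
from dataclasses import dataclass

@dataclass
class Flow:
    """Hypothetical minimal flow record: 5-tuple plus the first client payload bytes."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes

ALLOWED_PORTS = {80, 443}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ")
BT_HANDSHAKE = b"\x13BitTorrent protocol"  # leading bytes of a BitTorrent peer handshake

def l4_verdict(flow):
    """Layer 3/4 rule: permits anything to a well-known web port, blind to content."""
    return "allow" if flow.dport in ALLOWED_PORTS else "deny"

def l7_classify(payload):
    """Layer 7 inspection of the first client bytes on the session."""
    if payload.startswith(BT_HANDSHAKE):
        return "p2p:bittorrent"
    if not payload.startswith(HTTP_METHODS):
        return "unknown"  # port 80 but not HTTP: a back channel or tunnel
    m = re.search(rb"^User-Agent:\s*(.+?)\r?$", payload, re.M | re.I)
    ua = m.group(1).decode("latin-1") if m else ""
    if "MSIE" in ua:
        return "http:msie"
    if "Firefox" in ua:
        return "http:firefox"
    return "http:other"

def policy(flow):
    """Combined verdict: L4 rule first, then only genuine HTTP may stay up."""
    if l4_verdict(flow) == "deny":
        return "deny"
    return "allow" if l7_classify(flow.payload).startswith("http:") else "block"

# Constructed sample sessions, all to TCP/80, so the L4 rule cannot tell them apart.
SAMPLES = {
    "msie": Flow("10.1.2.3", "198.51.100.10", 51000, 80,
                 b"GET / HTTP/1.1\r\nHost: www.example.edu\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n"),
    "firefox": Flow("10.1.2.4", "198.51.100.10", 51001, 80,
                    b"GET /lib HTTP/1.1\r\nHost: www.example.edu\r\nUser-Agent: Mozilla/5.0 (X11; Linux) Gecko/20040218 Firefox/0.8\r\n\r\n"),
    "torrent": Flow("10.1.2.5", "203.0.113.7", 51002, 80,
                    BT_HANDSHAKE + bytes(8) + b"I" * 20 + b"-AZ2200-" + b"X" * 12),
}

def run():
    """Return (L4 verdict, L7 class, combined policy) for every constructed sample."""
    return {name: (l4_verdict(f), l7_classify(f.payload), policy(f)) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, (l4, l7, act) in run().items():
        print(f"{name:8s} L4={l4:5s} L7={l7:15s} policy={act}")
```

The L4 rule returns "allow" for all three sessions; only the payload inspection separates the browsers from the P2P handshake, which is why the deck pairs firewalls with IDS/IPS.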

Slide 9: Layered Threats – Layered Defenses (diagram only)

Slide 10: Domino Effect (diagram only)

Slide 11: Security Is Not Required for Applications & Networks to Function!
• Everything works in the lab!
• Trust is inherent to design!
• What are your policies?
• How are they enforced?
• How do you detect/prevent malicious traffic, rogue hosts/apps, and misuse?
• What is really on your network?

Slide 12: Security Requirements for the Campus
• Access Defense at Network/Data Centers – No effective perimeters, no control of end-user hosts
• Network Awareness – Variable users/access/technologies make for quickly changing threats
• QoS – Defending bandwidth for necessary resources, mitigating DoS attacks, policy conformance
• Segregation of IP Networks – With use of common infrastructure
• Standardization Where Possible – Enforcement of security processes is a must for applications, data centers, and systems holding sensitive data
• Provisioned Services – Key to consistent delivery of manageable services

Slide 13: Securing Access
• Wireless Access = Remote Access
• Common solution sets mean ease of deployment and a common user experience
  • Can implement role-based policies
• SSL VPNs are your friend
  • Clientless – Just need a browser
  • Encryption offers confidentiality and integrity of traffic
  • Defend Remote Access, Wireless Access, Access to Data Centers
• You can't rely on host-based defenses; defend at the ingress
  • Perimeter defenses (Firewall, ACL)
  • NAV and Anti-spam on campus web/mail services

Slide 14: Securing Data Centers
• Best defenses are based on knowing what to defend
  • You may not control the clients, but you do control the servers
• Tight perimeter defenses
• Portaling
• Intrusion Detection/Prevention
• Honeypots / Honeynets

Slide 15: Importance of Network Awareness
• "Network awareness now a new mindset for security professionals."
• "Every component of the network is part of the ecosystem."
• "The end user is the moving chess piece of the network board."
• "The really good intruders study the environment before attacking."
Source: Network Awareness, whitepaper by BlackHat Consulting

Slide 16: IDS – Intrusion Detection System
• Typically out of line of the data flow, on a tap
• Evaluates deeper into the packet to validate the protocol and search for exploits and anomalies
• All 7 layers of the OSI model can be parsed
• Response: a dynamic ACL request is sent to the router/firewall, or a TCP RESET is sent to close the session
(diagram: IDS attached to a tap beside the traffic path)

Slide 17: IPS – Intrusion Prevention System
• Typically inline with the data flow
• Evaluates deeper into the packet to validate the protocol and search for exploits and anomalies
• All 7 layers of the OSI model can be parsed
• Does not have to rely on other devices in the network to complete its task
(diagram: IPS placed inline in the traffic path)

Slide 18: Network Awareness – Know Your Threat!
• Who is peering with your critical systems?
• Who are the IRC bots?
• Who is probing your network?
• Correlate security events to hosts/network objects

Slide 19: Network QoS – Managed Unfairness
• Bandwidth isn't free and all traffic is not equal
• Migration continues toward a converged network, with multiple services over IP
• Need to distinguish between the multiple services on the converged network infrastructure
• Examples: voice and real-time video
• Implementing QoS allows us to utilize existing bandwidth better
• QoS tools can be used as security tools to safeguard priority network services and applications
(diagram: traffic classes VoIP, Gold, Silver and Best Effort passing through Classify, Schedule and Transmit stages)

Slide 20: Segregating IP Networks – MPLS
(diagram: Wireless Access, Housing, Remote Campus, VoIP and Internet Access attached to an IP/MPLS Campus Network; labels: PE, PCE)
• Multiple IP nets / Common Infrastructure
• Security, Access Control at the Edge
• Provisioned Services – Manageability

Slide 21: Standardization
• Openness applies to the user community, not to campus administration and staff
• Deployed network applications and services must be tightly defined
• IDS/IPS to look for malicious traffic within these applications and services
• Standardized authentication systems – centralized online identity control
• Operational & management support is key to policy enforcement

Slide 22: Provisioned Services
• Bring all of these security concepts together
  • Portaling – Present services in a consistent fashion, role-based authentication
  • Network Awareness – Defining and provisioning services provides a clear scope
  • QoS – Protect service resources
  • Segregation – Reduces threat vectors and malicious logic trees between services
  • Standardization – Building security into what we deploy
• Create an atmosphere of what we can do, vs. what we can't

Slide 23: Juniper Networks Portfolio
(diagram of product lines; labels: M-series, T-series, E-series, J-series, Large Core, Metro Aggregation, BRAS & Circuit Aggregation, Policy & Service Control, Small/Med Core, Circuit Aggregation, Secure Access SSL VPN, Intrusion Detection and Prevention, Integrated Firewall/IPSEC VPN, Central Policy-based Management, NMC-RX, JUNOScope, Secure Meeting, Enterprise Routing)

Thank You! elopez@juniper.net
