
Georgia Tech Information Security

Campus Architecture for ECE6612
November 2, 2005

Peter N. Wan, Senior Information Security Engineer

Office of Information Technology, Information Security Directorate


Information Security Architecture - Outline

• InfoSec Architecture diagram

• Network Architecture diagram

• Security Technology

• Policies

• User Awareness Campaign

• Q&A


Information Security Architecture (1)
http://www.oit.gatech.edu/information_security/architecture/index.html

Still on Web – 4/23/2008


Information Security Architecture (2)

• Layered Defense in Depth

• Host firewalls and other defensive measures are still important even if there is a network firewall

• Business of the Institute must continue, so security must help enable business processes rather than block them


Network Architecture (1)


Network Architecture (2)

• Border routers receive traffic from Tech ISPs (Cogent, Quest, Level3, Peachnet, SoX/Abilene, etc.)

• Border routers feed traffic to campus gateway routers

• Campus gateway routers feed the campus backbone, where departmental and other routers/firewalls are connected


Campus Security Technology

• Border/Backbone Routers

• Intrusion Prevention Systems (not in production yet)

• Intrusion Detection Systems

• Network Firewalls

• Host-Based Security


Campus Security Technology – Border/Backbone Routers

• Pass traffic only

• Protocols that are not passed over a Wide Area Network (tftp, file sharing, database services, etc.) are blocked by internal firewalls, not ACLs at the border

• “Netflows” are collected at various routers to identify suspicious traffic; content is not examined


Campus Security Technology – Intrusion Prevention Systems

• Two ISS Proventia G1000F intrusion prevention devices were installed at the border of the campus network

• IPSes are designed to be installed in-line, and to provide blocking of traffic that does not meet their security policy (more flexibility than router port filters, which are all-or-none type enforcement)

• “Deep Inspection”


Campus Security Technology – Intrusion Detection Systems

• Campus border traffic is mirrored by a switch to two types of IDSes

• Enterasys Dragon is a signature-based IDS

• Lancope Stealthwatch is an anomaly-based IDS
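The two detection styles above, applied to the header-only flow records the earlier slide says are collected at routers, as an added example that is not part of the presentation. The flow records and the watchlist are constructed for the demo; the fan-out check is the kind of logic an anomaly IDS uses to flag worm propagation without looking at payload.

```python
from collections import defaultdict

# Constructed NetFlow-style records; headers only, content is never examined:
# (src_ip, dst_ip, dst_port, proto, packets, bytes, tcp_flags)
FLOWS = [
    ("10.0.1.20", "198.51.100.7", 443, "tcp", 42, 51230, "SPA"),  # ordinary web session
    ("10.0.1.20", "198.51.100.7", 80, "tcp", 12, 9800, "SPA"),
    ("10.0.2.15", "203.0.113.9", 6667, "tcp", 30, 4100, "SPA"),   # talks to a watchlisted host
    ("10.0.3.40", "10.0.3.1", 53, "udp", 2, 180, ""),             # normal DNS lookup
]
# Constructed worm-like burst: one host sends SYN-only probes to 12 neighbours on port 445.
FLOWS += [("10.0.3.40", f"10.0.3.{i}", 445, "tcp", 1, 60, "S") for i in range(100, 112)]

# Constructed watchlist standing in for a signature/indicator feed (not a real IOC list).
KNOWN_BAD_HOSTS = {"203.0.113.9"}


def signature_hits(flows, bad_hosts=KNOWN_BAD_HOSTS):
    """Signature-style check: internal hosts that exchanged any flow with a listed host."""
    hits = set()
    for src, dst, *_ in flows:
        if dst in bad_hosts:
            hits.add(src)
        if src in bad_hosts:
            hits.add(dst)
    return sorted(hits)


def fanout_anomalies(flows, min_targets=8, max_packets=2):
    """Anomaly-style check: a source opening SYN-only, tiny flows to many distinct
    hosts on one port behaves like a propagating worm or scanner, whatever the payload."""
    targets = defaultdict(set)
    for src, dst, dport, proto, pkts, _nbytes, flags in flows:
        if proto == "tcp" and flags == "S" and pkts <= max_packets:
            targets[(src, dport)].add(dst)
    return {key: len(hosts) for key, hosts in targets.items() if len(hosts) >= min_targets}


if __name__ == "__main__":
    print("signature hits:", signature_hits(FLOWS))       # ['10.0.2.15']
    print("fan-out anomalies:", fanout_anomalies(FLOWS))  # {('10.0.3.40', 445): 12}
```

The signature check only finds what is already on a list; the fan-out check catches the 445 burst with no prior knowledge of the host, which is why the deck runs both kinds of IDS side by side.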


Example Status from Lancope Stealthwatch

[Chart from the slide, labels only: alert categories P2P, Worm Activity, Worm Propagation, SPAM Source, Mail Relay, Comm. With Known Bad Host, -Flood, -Target SYNs; vertical axis marked 1000, 2000, 3000]


Campus Security Technology – Network Firewalls

• Business Office/Ferst Center incidents emphasized the need for better monitoring/control of certain departments/servers

• Program for deploying firewalls at the connection of departments to the campus network has been progressing


Campus Security Mechanisms – Host-Based Security (1)

• Antivirus software (NAI/McAfee site-licensed for campus)

• Host firewalls (ISS RealSecure Desktop Protector)

• Spyware removal software (no site-licensed packages currently, though Spybot Search & Destroy is free even for university use)


Campus Security Mechanisms – Host-Based Security (2)

• Operating system, application, utility patching very important; use vendor-supplied or 3rd party products (e.g., PatchLink or HFNetChk)

• Activate automatic updates wherever possible (antivirus, spyware remover, operating system); this may not be appropriate for servers


Incident Response

• Many incidents consist of virus/spyware infections, and are handled locally by departments or ResNet/EastNet staff

• A “Sensitive Server Database” records machines which are critical to a unit’s function or which contain sensitive information (classifications per the Data Access Policy); incident response for these types of systems requires more attention

• Some incidents are serious enough to require disk/system forensic examinations


Campus Security Policies

• Federal/State/Local (FERPA, HIPAA, GLBA, Open Records, etc.)

• Campus Network Usage/Security Policy

• Unit Level Network Usage Policies

• Data Access Policy

• Copyrighted Material Usage (DMCA, fair use, etc.)

• Employee/Student Handbooks


User Awareness

• Security awareness tutorial at http://oit.gatech.edu/information_security/education_and_awareness/safe/

• Educational campaign in Fall 2005 Semester with posters, etc.

• Outreach such as talks with classes and other groups

• For more information, please see the OIT-IS page at http://oit.gatech.edu/information_security


Thank You!

• Any Questions?