Southwest Educause 2003 © Baylor University 2003
Adapting Enterprise Security to a University Environment
Bob Hartland
Director of IT Servers and Network Services
Jon Allen
Coordinator of IT Security
Tommy Roberson
Manager of Servers and IT Security
Overview of Presentation
• Baylor University
• IT Security
• Security through technology/hardware
• Security through People
• Putting it all together
Baylor University
• 14,221 Students
• 1,750 Full Time Employees
Waco, Texas
Information Technology Organizational Chart
Dr. Robert Sloan, President
Mr. David Brooks, CFO
Dr. Reagan Ramsower, CIO & Dean of Libraries
Bob Hartland, Director of IT Servers and Networking Services
Data Networks | Broadband Video | Telephone Network | IT Servers and Security
Tommy Roberson
Jon Allen
What is IT Security?
• “…the concepts, techniques, technical measures and administrative measures used to protect information assets from deliberate or inadvertent unauthorized acquisition, damage, disclosure, manipulation, modification, loss, or use…” [McDaniel - IBM Dictionary of Computing 1994]
• It is more beneficial to focus on good planning than it is to rely solely on fancy technology.
Risks of Poor Security
• Loss of university productivity
• Public Relations problems
• Private Information (SSN, CC numbers, grades, etc.)
• Degradation or loss of client services
Security – As Viewed by Industry
• Security is a priority (proactive)
• The ROI for security has become highly visible in the past 2-3 years.
• Compromise or downtime results in lost profits
Security – As Viewed in a University Environment
• Threat to Academic Freedom
• A hindrance to research and education productivity
• Contention for funding
Baylor’s Approach to IT Security
• Our security strategy can be divided into two parts
• Technology
• People
Security through Technology
• Firewalls
• Intrusion Detection Systems
• VPN (encryption technologies)
• Logs
• Server Configuration
• Vulnerability Scanning
Firewalls
• First line of network protection from outside world
• Must be strategically placed to be effective in universities
• One size does not fit all for firewall policies
Firewall Recommendations
• Multiple firewalls are necessary in a university environment
• Firewall policies should be written with port-level filtering.
Intrusion Detection Systems
• Deployment must be highly targeted
• Networks and servers must be understood to limit false positives
• Not a substitute for good security practices
Virtual Private Networks
• Ideal for limiting access and securing data transmission
• Great for extending the university network to students and remote campuses
Logs
• Vital to identifying and resolving server and network problems
• Subtle or well-planned attacks may only be seen through log evaluation
• Raises questions of academic freedom and big brother
Server Configuration
• Servers should only run daemons/services that are necessary
• Use mailing lists and OS update services to maintain server patches
• Limit the services on servers that contain critical data
Vulnerability Scanning
• Prioritize scans to focus on critical systems first.
• Be aware that false positives are common with scanning tools
• Scanning results can be used to point to weak points in networks and servers before they are abused
Security through People
• Policies
• Procedures
• Education
Policies - Creation
• Important to bring in other departments
• Anticipate problems
• Try to make policies broad enough to cover many issues
Policies - Modification
• Be flexible
• Policies are an ongoing work
• There will always be exceptions to policy
Policies - Enforcement
• Must have administrative backing for policies
• Helpful to explain this to various departments
• Must establish consistent method for dealing with student violations
• Document ALL enforcement actions taken
Procedures
• When done appropriately, procedures can be used to prevent many problems
• These are very time consuming…
• …but can eventually save time and headaches by preventing obvious security lapses.
Education
• End-User education
• Server admin education
• Support Staff education
End-User Education
• The most important thing is educating end users on sound password practices.
• Users are more likely to follow policies and rules if they understand the reasons for them
• Teach users to notice things that don’t seem right
Server Admin Education
• Teach importance of keeping systems up to date
• Encourage sound local account practices
• Try to bring other admins in other schools into the security community
IT Staff Education
• Support staff are often ignorant of sound security practices
• Many IT users in general never consider security when doing their jobs.
• We must also try to bring them into the security community
Security is everyone’s job!
On the Horizon
• Proactive and correlative IDS
• Stricter laws forcing security in universities
• Probable increase in security incidents
Summary
• Complete security solutions must address both technology and people
• Technology solutions are only as good as the policies they are enforcing
• Security strategies must depend upon and encourage cooperation from people in the organization
Contributors:
• Bob Hartland, Director for IT Servers and Network Services
Speakers:
• Jon Allen, Coordinator of IT Security [email protected]
• Tommy Roberson, Manager of Servers and IT Security [email protected]
Copyright Bob Hartland, Tommy Roberson, and Jon Allen 2003. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.