© The Association of Independent Schools of NSW
To block or not to block: 5 IT Managers share their experiences
Knox Grammar School – Mike Israel, IT Manager
Network Topology
Internal Network
Cisco Switches and Access Points
Using VLANs
Originally no wireless security
Wireless WPA-TKIP with PEAP authentication. When a machine is joined to the domain it is issued a certificate to join the network.
Bandwidth Control
Packeteer
Provides bandwidth control
Can monitor and control how bandwidth is being used, e.g. iTunes downloads: max total 5Mbps, any one connection <256kbps
Can designate slices of bandwidth to particular ports and protocols
Can block programs and protocols, e.g. encrypted tunnelling over port 80
ACLs on core router to block student access to servers
Using ACLs
Access Control Lists enable control of access from certain VLANs to specified servers/addresses/ports/services
Spam and Anti-virus
Spam is detected, marked as spam and delivered to Junk mail folder via Exchange.
ClamAV does initial filtering of malware.
Trend Micro performs second pass on incoming mail.
Symantec Client used on client machines.
Diagram labels: SpamAssassin, ClamAV (free), Symantec Client Updates, Trend Micro
Filtering - ContentKeeper
Can block all unmanaged sites for students, which takes care of proxy bypass. Also blocks keyword searches on popular search engines and blocks protocols (backup to Packeteer)
Firewall prevents access to certain IP address ranges on certain ports
ContentKeeper Filtering Groups
Users default to general profile with filtering based on student needs
Staff identified through their login (LDAP) to more open filtering
Pages can be blocked, coached, or restricted by time of day. All unmanaged sites are blocked for students
Web Access Policy
Technology Usage Policy is published in the school diary and is a condition of login. Year 7 students also sign it when they take delivery of their school laptop
MySpace and YouTube blocked, Facebook OK
Streaming media is limited so as not to clog Internet access
Contact Details
Mike Israel, Knox Grammar School
7 Woodville Ave Wahroonga
Phone (02) 9473 9773 Fax (02) 9473 9759
Email [email protected]
Danebank Anglican School for Girls – John Tuffs, IT Director
Network History
< 2005: Microsoft ISA Firewall + DHCP/DNS, with no e-mail filtering
2005 – 2008: ISONet HTTP & SMTP filtering; ISA Firewall + DHCP/DNS
2008: Cisco ASA Firewall + SONAR filtering; Windows server for DHCP/DNS
Danebank Network Layout
Internal Network
HP Procurve Switches
1 Management VLAN for Procurve Manager
1 VLAN for the rest
Wireless Access Points using only WEP & MAC security (i.e. no security)
Antivirus / SPAM / Web Filtering
Symantec System Centre and local clients for AV
SPAM handled by Sonar Appliance – not using challenge option
Filtering handled by Sonar Appliance
(Initial install and support provided by Accucom)
Sonar Filtering Groups
IT Staff
General Staff / Teachers
Senior School (7-12)
Junior School (K-6)
Lunch Filter (7-12)
Custom Block Message
Web Access Policy
Internet Acceptable Use policy signed by students
All social networking is blocked
YouTube is blocked to students – teachers can show videos
Streaming media is blocked due to bandwidth constraints
Contact Details
John Tuffs, IT Director
80-98 Park Rd Hurstville NSW 2220
Phone (02) 9580 1415 Fax (02) 9579 3450
Email [email protected]
Security Workshop – SCEGGS Darlinghurst
Topology Overview
ISOnet topology
SCEGGS’ Topology
ISOnet: Intrusion Detection
Two layers of Intrusion Prevention using McAfee IntruShield and TippingPoint.
Both are set to blocking mode for all medium to high threats.
There have been 13,777,987 Exploits blocked… This week!
There have been 1,830,537 policy Violations blocked… This week!
ISOnet: Denial of Service
Peakflow DDoS technology from Arbor Networks.
Up to 60% of traffic bound for schools is blocked by ISONet as it is unsolicited. Schools only pay for what they use.
ISOnet: Spam/AV
ISOnet uses a cluster of McAfee and IronPort AV/Spam/Content filter appliances.
Filters based on policies set by the individual school.
Actions taken by the filter are specified as part of the policy determined by the school.
For staff – messages sent to spam@sceggs. This mailbox is searchable by staff through a proxy arrangement.
For students, spam messages are dropped.
ISONet Policies
Real-time blackhole list (RBL) checking – Identifies whether the IP address is an open relay or spam organisation.
IP Reputation checking – Identifies whether an IP address has been known to send exploits, worms or trojans, or belongs to sites known to be hacked.
Anti-spoofing verifications – Determines if the sender is attempting to forge an internal address.
All scanning modules listed in the attached document (AV checks, spam checks, content-filtering checks, anti-phishing checks, file filtering, etc.)
Integrity Analysis – Examines the header, layout and organisation of the message.
Spam scoring – Positive and negative scoring of emails based on known spam traits.
Bayesian Learning – Custom created spam signatures based on a feedback system – false-positive and false-negative verification.
Blacklists and whitelists – Customer-based trusted and untrusted email senders.
From Outside: SCEGGS Policy

Email Setting | Status | Severity | Configuration Detail (Action)
Anti-spam | Enabled | Medium | When spam identified: refuse original data and return a rejection code; forward the original email to [email protected]
Anti-virus | Enabled | High | When identified: attempt to clean; if cleaning fails, replace content with an HTML alert and quarantine the original email
Anti-Phishing | Enabled | (not given) | When identified: forward the original email to [email protected]
Compliancy | Disabled | - | -
Corrupt Content | Enabled | - | When corrupt content detected: replace the content with an HTML alert
Encrypted Content | Enabled | - | When encrypted content detected: allow through
File Filtering | Disabled | - | -
HTML Settings | Disabled | - | -
Mail Settings | Disabled | - | -
Mail Size Filtering | Disabled | - | When the message is larger than 10240 kilobytes: refuse the original data and return a rejection code; deliver a notification email to the sender
Protected Content | Enabled | - | When protected content is detected: allow through
(setting name not captured) | Enabled | - | When a denial of service protection limit is exceeded: replace the content with an HTML alert
(setting name not captured) | Enabled | - | When signed content is detected: allow changes to break signed email
(setting name not captured; 9 further rows in the original) | Enabled | - | When content identified: allow through
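The policy rows above, modelled as an added example (this is not the presentation's or ISOnet's own code): a small Python engine applies the SCEGGS rows in table order to constructed messages. The Message fields, the spam threshold and the forwarding mailbox name are assumptions, and Mail Size Filtering stays off by default because the table lists it as Disabled.

```python
from dataclasses import dataclass

SIZE_LIMIT_KB = 10240                          # from the Mail Size Filtering row
SPAM_FORWARD = "spam-mailbox@example.invalid"  # placeholder: the page's mailbox is redacted


@dataclass
class Message:
    size_kb: int
    spam_score: float = 0.0       # output of the upstream spam-scoring stage
    has_virus: bool = False
    virus_cleanable: bool = False
    is_phishing: bool = False
    corrupt_content: bool = False


def evaluate(msg: Message, spam_threshold: float = 5.0,
             size_filter_enabled: bool = False) -> dict:
    """Apply the SCEGGS-style policy rows to one message, in table order.
    Rejections stop processing (the sender gets a rejection code); content-
    modifying actions are recorded and processing continues. The size filter
    defaults to off because the table lists Mail Size Filtering as Disabled."""
    result = {"action": "deliver", "modifications": [],
              "forward_to": None, "notify_sender": False}
    # Anti-spam (Medium): refuse with a rejection code, forward the original.
    if msg.spam_score >= spam_threshold:
        result.update(action="reject", forward_to=SPAM_FORWARD)
        return result
    # Anti-virus (High): attempt to clean; otherwise HTML alert and quarantine.
    if msg.has_virus:
        if msg.virus_cleanable:
            result["modifications"].append("cleaned")
        else:
            result["modifications"].append("html_alert")
            result["action"] = "quarantine"
            return result
    # Anti-phishing: forward the original to the mailbox (delivery is an assumption).
    if msg.is_phishing:
        result["forward_to"] = SPAM_FORWARD
    # Corrupt content: replace the body with an HTML alert, then deliver.
    if msg.corrupt_content:
        result["modifications"].append("html_alert")
    # Mail size filtering: refuse oversized mail and notify the sender.
    if size_filter_enabled and msg.size_kb > SIZE_LIMIT_KB:
        result.update(action="reject", notify_sender=True)
    return result

SAMPLES = {"spam": Message(40, spam_score=9.2),   # constructed samples, not real traffic
           "worm": Message(300, has_virus=True),
           "oversized": Message(20000)}
```

Running `evaluate(SAMPLES["oversized"], size_filter_enabled=True)` shows how the same message flips from delivered to rejected when the disabled row is switched on.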
Contact Details
Ian Ralph, IT Manager – SCEGGS Darlinghurst
215 Forbes St Darlinghurst NSW 2010
Phone (02) 99332 1133 Fax (02) 9332 1858
Web sceggs.nsw.edu.au
Email [email protected]
Arndell Anglican College Network Security Overview
VLANs
Low Level VLAN Map
What’s Great About VLANs
Allows use of ACLs
Segments broadcast traffic
More devices
How Does it Translate Into a Physical Layout?
Content Filtering at Arndell
Blacklists - Various Categories Updated Regularly
Logs are scanned regularly
Students summoned to explain actions
Culture has changed now that students know they will be caught if they do the wrong thing
Internet traffic is forced through the content filter depending on VLAN assignment
Spam and Anti-Virus
Sophos Anti-Virus used across the network
Sophos plug-in for mail server
Spam filtered using SpamAssassin
Blacklist lookups such as SORBS
Contact Details
Rohan Smith, Coordinator IT Services
Arndell Anglican College
118 Wolseley Road Oakville NSW 2765
Phone: +61 2 4572 3633 Fax: +61 2 4573 3849
Website: http://www.arndell.nsw.edu.au
Email: [email protected]
The King’s School – Michael Eggenhuizen
The School
The King’s School – Some Statistics:
Anglican Church School
Established in 1832 (176 years)
300 acres in North Parramatta
K-12 Boys School with 1450 Students
400 Boarders
Multiple Residences on Property
Internet Bandwidth
Internet Connection Bandwidth:
2005 – 2.5Mb ADSL/ISDN
2006 – 10Mb Ethernet
2007 – 20Mb Ethernet
2008 – 50Mb Ethernet
2009 – 100Mb Ethernet
ISP – The Somerville Group
Internet Access
All Staff and Students have Access to:
YouTube, MySpace, FaceBook, ...
Hotmail, Yahoo Mail, Gmail, ...
MSN Messenger, ...
Most if not all Web 2.0 Technologies
Changes to filtering (led by ICT Services) provide staff and students with a real and relatively unrestricted learning experience
Internet & Email Filtering
Network Box
Weekly Email Activity (Incoming Average)
Spam (95.5%) – 485,647
Virus (1.5%) – 7,608
Delivered (3%) – 15,615
Total (100%) – 508,870
Network Box
Weekly Internet Activity (Average)
URLs Visited – 13,254,949
URLs Blocked due to Virus Activity – 71
URLs Blocked due to Policy Rules – 3,326
Threat Signature Updates – 843
Internet Download (GB) – 398
Monthly Internet Download (TB) – 1.6
Contact Details
Michael Eggenhuizen, Director ICT
PO Box 1 Parramatta NSW 2124
Phone (02) 9683 8650 Fax (02) 9683 8565
www.kings.edu.au