University of Washington
A Multi-Zone Security Model
David Morton, Lori Stevens
17 October 2007
Multi-Zoned Security
• End-to-end connectivity divided into Zones
• Each Zone plays a role in the security of the overall system
• Layered defenses within each Zone
Zones
The Connector Zone: Introduction
• Joins networks together
• Goals:
– Protect the infrastructure
– Low latency, high performance is key
– Traffic is originated elsewhere
– Connector policies establish rules
– Examples: PNWGP, PacificWave
The Connector Zone: PacificWave Infrastructure (diagram)
The Connector Zone: Pacific Wave Security
• Since Pacific Wave is a layer-2 exchange, it cannot directly mitigate and address participant behavior above layer 2, such as:
– using BGP-4 for peering
– routing traffic without an established peering agreement
– generating traffic other than IP
• Participants must work together in order to collectively mitigate such activities
– Develop processes and procedures for proper escalation in the event that malicious or unauthorized activities are discovered
• Implement policies and protections to:
– Limit the hosts/networks that can manage the network devices
– Make use of token-based login or one-time passwords
– Limit which network devices (by MAC) can directly connect
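Two of the points above can be checked mechanically from a capture or sFlow feed at the exchange: frames must come from a registered participant MAC, and they must carry IP. The following Python is an added example, not code from the original slides or from Pacific Wave; the participant table, the sample frames and the allowed ethertype set (IPv4, IPv6, plus ARP, which IPv4 needs) are constructed assumptions.

```python
"""Audit Ethernet headers seen at a layer-2 exchange against two participant policies:
only registered MACs may source frames, and frames must carry IP (ARP allowed for IPv4)."""
import struct
from typing import Dict, List, NamedTuple, Optional

ETH_IPV4, ETH_IPV6, ETH_ARP, ETH_VLAN = 0x0800, 0x86DD, 0x0806, 0x8100
ALLOWED_ETHERTYPES = {ETH_IPV4, ETH_IPV6, ETH_ARP}  # assumed exchange policy


class Frame(NamedTuple):
    dst: str
    src: str
    vlan: Optional[int]
    ethertype: int


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(data: bytes) -> Frame:
    """Parse an Ethernet II header, stepping over one 802.1Q tag if present."""
    if len(data) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", data[:14])
    vlan = None
    if etype == ETH_VLAN:
        if len(data) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack("!HH", data[14:18])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN id
    return Frame(mac_str(dst), mac_str(src), vlan, etype)


def audit(frames: List[Frame], participants: Dict[str, str]) -> List[str]:
    """One finding per violating frame: unregistered source MAC, or a registered
    participant sending something other than IP/ARP."""
    findings = []
    for f in frames:
        who = participants.get(f.src)
        if who is None:
            findings.append(f"unregistered source MAC {f.src} (ethertype 0x{f.ethertype:04x})")
            continue
        if f.ethertype not in ALLOWED_ETHERTYPES:
            findings.append(f"{who} ({f.src}) sent non-IP ethertype 0x{f.ethertype:04x}")
    return findings


# Constructed sample data: a participant table and three frames (not real exchange data).
PARTICIPANTS = {"00:11:22:33:44:01": "participant-A", "00:11:22:33:44:02": "participant-B"}


def build(dst: str, src: str, etype: int, vlan: Optional[int] = None) -> bytes:
    """Assemble a minimal frame for the sample; payload is zero padding."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        hdr += struct.pack("!HHH", ETH_VLAN, vlan, etype)
    else:
        hdr += struct.pack("!H", etype)
    return hdr + b"\x00" * 46


SAMPLE = [
    build("00:11:22:33:44:02", "00:11:22:33:44:01", ETH_IPV4),          # A -> B IPv4: fine
    build("00:11:22:33:44:01", "00:11:22:33:44:02", 0x88CC, vlan=100),  # B sends LLDP: non-IP
    build("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:99", ETH_ARP),           # unknown source MAC
]


def run_sample() -> List[str]:
    return audit([parse_frame(b) for b in SAMPLE], PARTICIPANTS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

In practice the participant table comes from the exchange's port assignments and the frames from a span port or sFlow; findings feed the escalation procedure rather than an automatic block, since the exchange itself does not police above layer 2.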
The Connector Zone: Layered Security (diagram: CZ Layered)
The Campus Zone: Introduction
• Aggregates users to the connector
• Goals:
– Stop “bad” traffic with no impact to “good”
– Isolate threats from the community
– Control SPAM, Phishing and virus threats
– Provide extra layers of protection as needed
– Mitigate security incidents quickly
– Minimize the impacts
The Campus Zone: Infrastructure
• 120,000 devices
• NO PERIMETER FIREWALLS
• IPS at the core
The Campus Zone: Intrusion Prevention
• TippingPoint IPS
– Rich rule set to block “bad” traffic
– Blocked at least 70 million attacks in 2006
– That’s nearly 185,000 attacks a day
– Ability to route some traffic around the IPS for performance or policy
The Campus Zone: Email Defense Options
• Appliance
– Easy to set up
– Simplified maintenance
– Less flexible
• Software Solution
– Often more flexible, extensible to meet needs
– Separate hardware platform and OS to maintain
The Campus Zone: Spam at the UW
• January daily volume avg: ~3,040,000 messages, 76.6% spam
• August daily volume avg: ~4,100,000 messages, 80.1% spam
• September daily volume avg: ~4,560,000 messages, 88.5% spam
The Campus Zone: Spam at the UW
• As much spam this year as all mail processed in 2006, and nearly twice as much total mail as we processed from 2003-2005
• Be prepared for growth!
The Campus Zone: Email-borne Viruses at the UW
• 2003: 9,375,000 viruses detected in email
• 2004: 20,000,000 viruses in email
• 2007: 2,632,000 viruses
• Not the threat it once was…
The Campus Zone: UW 2003-2006 Mail Stats (chart)
The Campus Zone: Network Firewalls
• Two varieties
– Logical Firewall
– Subnet Firewall
• Logical Firewall (self-managed)
– Selectively allows hosts to participate
– http://staff.washington.edu/corey
• Subnet Firewall (centrally managed)
– Gibraltar (Linux) or Cisco Firewall Services Module
The Campus Zone: Incident Response
• Established incident response procedures
• Automated protections against worms
• Able to remotely capture network traffic
• Partner with industry, peers, etc. for up-to-date intelligence
The Campus Zone: Layered Security (diagram: CampZ Layered)
The Dorm Zone: Introduction
• Student housing
• Goals:
– Protect the Dorms from the world
– And the world from the Dorms :)
– Provide high bandwidth for academics, etc.
– Control illegal filesharing
– Enforce administrative policies (e.g. no servers)
The Dorm Zone: Infrastructure
• ~5,000 residents
• IPS sandwich
• Packeteer traffic shaper
• Firewall policy enforcement
The Dorm Zone: Layered Security (diagram: DormZ Layered)
The User/Host Zone: Defending Hosts Against Threats
• Anti-virus software is critical to keeping our networked hosts clean
– Configure it to update itself automatically
– Use other features such as buffer overflow and web (HTTP) browsing protection, where appropriate
• Stay current on security updates and virus definitions/signatures
The User/Host Zone: Defending Hosts Against Threats
• Use complex passwords for critical devices, e.g. hosts, routers
• Use logs to catch attacks or compromises
• Software to detect inconsistencies
• Best place for a firewall, as it’s easiest to define “good” traffic
– Can be complex to manage
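"Use logs to catch attacks or compromises" is easier to act on with a concrete detector. The following Python is an added example, not code from the original slides or from UW: it walks syslog-style sshd lines with a per-source sliding window, flags a source once it reaches the failure threshold, and separately reports a later successful login from a flagged source, which is the event that actually matters. The log format, the threshold and window, the year used to complete syslog timestamps, and the sample lines are all assumptions; the sample log is constructed.

```python
"""Sliding-window detector for SSH password brute force over sshd syslog lines."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List

# Assumed syslog-style sshd line format (matches the constructed sample below).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_ts(ts: str, year: int = 2007) -> datetime:
    # syslog omits the year; the deck's year is used as an assumed default.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect(lines: List[str], threshold: int = 5, window_s: int = 60) -> Dict[str, List[str]]:
    """Return {source_ip: findings}. A source is flagged once it has `threshold`
    failures inside `window_s` seconds; a later success from a flagged source is
    reported as well, since that is the compromise rather than the attempt."""
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    findings: Dict[str, List[str]] = defaultdict(list)
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons, or sshd lines that are not auth results
        ip, when = m["ip"], parse_ts(m["ts"])
        q = failures[ip]
        if m["result"] == "Failed":
            q.append(when)
            while (when - q[0]).total_seconds() > window_s:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings[ip].append(
                    f"{len(q)} failed logins within {window_s}s (last user {m['user']})")
        elif ip in flagged:
            findings[ip].append(
                f"successful login as {m['user']} after {len(q)} recent failures")
    return dict(findings)


# Constructed sample log: one brute-force source that eventually succeeds, one user
# who mistypes once, and one slow source that never reaches the threshold.
SAMPLE_LOG = """\
Oct 17 09:00:01 host1 sshd[2001]: Failed password for invalid user admin from 198.51.100.7 port 40001 ssh2
Oct 17 09:00:03 host1 sshd[2002]: Failed password for root from 198.51.100.7 port 40002 ssh2
Oct 17 09:00:04 host1 sshd[2003]: Failed password for invalid user test from 198.51.100.7 port 40003 ssh2
Oct 17 09:00:06 host1 sshd[2004]: Failed password for root from 198.51.100.7 port 40004 ssh2
Oct 17 09:00:09 host1 sshd[2005]: Failed password for root from 198.51.100.7 port 40005 ssh2
Oct 17 09:00:12 host1 sshd[2006]: Accepted password for root from 198.51.100.7 port 40006 ssh2
Oct 17 09:05:00 host1 sshd[2007]: Failed password for alice from 192.0.2.10 port 50001 ssh2
Oct 17 09:05:20 host1 sshd[2008]: Accepted password for alice from 192.0.2.10 port 50002 ssh2
Oct 17 09:30:00 host1 sshd[2009]: Failed password for bob from 203.0.113.5 port 50010 ssh2
Oct 17 09:32:00 host1 sshd[2010]: Failed password for bob from 203.0.113.5 port 50011 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, notes in detect(SAMPLE_LOG).items():
        for note in notes:
            print(ip, note)
```

The window is what keeps the slow source and the one-off typo quiet; lowering the threshold without shortening the window is how such detectors turn into noise.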
The User/Host Zone: Defending Hosts Against Threats
• Isolation approach
– Separate services across hosts
– So one password doesn’t get you to everything
• Block services that aren’t relevant
– For example, block port 25/tcp to and from all hosts that are not mail servers
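The port 25 rule above has a direction subtlety: it must stop a compromised desktop both from delivering spam outward and from being reached as a rogue relay, while the designated mail servers keep working in both directions. The following Python is an added example, not the original deck's or UW's configuration: a policy function that decides a new connection, the same policy as ordered iptables rules, and a set of constructed flows that exercise each case. The mail-server addresses and flows are assumptions.

```python
"""Worked policy for 'block tcp/25 to and from all hosts that are not mail servers'."""
import ipaddress
from typing import List, Tuple

SMTP_PORT = 25
# Assumed designated mail relays (constructed addresses, not UW's).
MAIL_SERVERS = {ipaddress.ip_address("192.0.2.25"), ipaddress.ip_address("192.0.2.26")}


def is_mail_server(ip: str) -> bool:
    return ipaddress.ip_address(ip) in MAIL_SERVERS


def allowed(src: str, dst: str, dport: int, proto: str = "tcp") -> bool:
    """Decide a new connection. Only tcp/25 is policed: it passes when a designated
    mail server is on either end, so a compromised desktop can neither spam out
    directly nor be reached as a rogue relay, while relays keep working both ways."""
    if proto != "tcp" or dport != SMTP_PORT:
        return True
    return is_mail_server(src) or is_mail_server(dst)


def iptables_rules(chain: str = "FORWARD") -> List[str]:
    """The same policy as ordered iptables rules for a forwarding firewall. Accepts
    for each relay must precede the catch-all drop; return traffic is assumed to be
    handled by a conntrack ESTABLISHED,RELATED rule earlier in the chain."""
    rules = []
    for relay in sorted(MAIL_SERVERS):
        rules.append(f"iptables -A {chain} -p tcp --dport {SMTP_PORT} -d {relay} -j ACCEPT")
        rules.append(f"iptables -A {chain} -p tcp --dport {SMTP_PORT} -s {relay} -j ACCEPT")
    rules.append(f"iptables -A {chain} -p tcp --dport {SMTP_PORT} -j DROP")
    return rules


# Constructed flows: (src, dst, dport).
SAMPLE_FLOWS: List[Tuple[str, str, int]] = [
    ("192.0.2.50", "203.0.113.9", 25),   # desktop -> external MX: drop (outbound spam path)
    ("203.0.113.9", "192.0.2.50", 25),   # external -> desktop: drop (rogue relay on a host)
    ("203.0.113.9", "192.0.2.25", 25),   # external -> our relay: accept
    ("192.0.2.25", "203.0.113.9", 25),   # our relay -> external MX: accept
    ("192.0.2.50", "192.0.2.25", 25),    # desktop -> our relay: accept (submission)
    ("192.0.2.50", "203.0.113.9", 443),  # unrelated service: not policed by this rule
]


def verdicts() -> List[bool]:
    return [allowed(s, d, p) for s, d, p in SAMPLE_FLOWS]


if __name__ == "__main__":
    for flow, ok in zip(SAMPLE_FLOWS, verdicts()):
        print(flow, "ACCEPT" if ok else "DROP")
    print("\n".join(iptables_rules()))
```

Rule order is the part that goes wrong in practice: if the catch-all drop is appended before the relay accepts, inbound mail stops and the failure looks like an upstream outage rather than a local policy error.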
The User/Host Zone: Defending Hosts Against Threats
• Security is part of everything: design, build, implement, and buy
• Fewer compromises where pervasive, layered protection is implemented
The User/Host Zone: Layered Security (diagram: User/hostZ Layered)
Questions?
David Morton [email protected] +1 (206) 221-7814
Lori Stevens [email protected] +1 (206) 685-6227