NETWORK SECURITY
Protecting NSU Technological Assets
Andrea Di Fabio – Information Security Officer
Agenda
1. Security
• Internet Connection
• Network Devices
• Wireless Devices
• Firewall and Port Filtering
• Encryption and VPN
• IDS and IPS
• Web Administration
• Latest Threats and Attacks
• Logs
• Physical Security
2. Security Demo
• IPS Console
• Firewall Management & Logs
• Authentication and Users Tracking
3. Supercomputing and Clusters
• A Cluster Demo
Securing Technological Assets
MISSION
• Secure and safeguard NSU technological assets from unauthorized use.
• Ensure conformity to NSU policies.
• Proactively prevent system intrusion and misuse.
• Investigate and respond to threats.
Securing The Network
Securing from Outside Attacks
FIREWALL
• Nokia IP 530 w/ Checkpoint NG AI R55
• 507 Mbps Firewall Throughput
• 115 Mbps VPN Throughput
• 155 Mbps Internet Connection (OC3)
Securing from Outside Attacks
[Network diagrams: "BEFORE The Firewall", "Firewall Phase 1" and "Firewall Phase 2". Labelled elements: Internet, External Router, Internal Router (with ACL), Firewall, DMZ, Connecting Switch, Core Switches, Internal Networks, Enterprise Systems, Secure Network, Internal Firewall.]
Securing from All Attacks
Intrusion Prevention System (IPS)
• TippingPoint UnityOne 2400
• #1 IPS System in the market
• 2 Gbps Wire Speed Throughput
• ~11,000 Attacks/Exploits Prevention
• Extensive Reporting
Securing from Outside Attacks
SPAM and EMAIL VIRUS PROTECTION
Spam is: Unsolicited Bulk Email (UBE)
• Unsolicited means that the recipient has not granted verifiable permission for the message to be sent.
• Bulk means that the message is sent as part of a larger collection of messages, all having substantively identical content.
• A message is Spam only if it is both Unsolicited and Bulk.
How do we Protect from Spam?
• BrightMail (a Microsoft Partner)
• BL and WL
• Content Filtering
Securing from Outside Attacks
Norfolk State University Exchange 2000 Email Infrastructure
[Diagram. Labelled elements: Internet, Firewall, SMTP Gateways (load balanced), Symantec Anti-Virus, DNSBL antispam lists, Brightmail Anti-SPAM Server, Brightmail spam folder agent, Routing Master, TrendMicro Scanmail Email Anti-Virus, Scan Monitor, Back-End Exchange Mailbox Servers, Storage Area Network (SAN), Blackberry Server, Outlook Web Access “Webmail” (load balanced), Mobile Users (Blackberry, PDAs, laptops), Home Users, remote office users.]
• 1st Line of Defense: Compliance with SMTP Standards
• 2nd Line of Defense: Antivirus + Anti-SPAM
• 3rd Line of Defense: Anti-SPAM
• 4th Line of Defense: Anti-Virus
• 5th Line of Defense: Anti-Virus + Scan Monitor
Securing from Outside Attacks
Web Administration and Caching
[Diagram. Labelled elements: Internet, NSU Firewall, Web Cache, NSU Network LAN, Wired and WiFi Users, Remote NSU Locations, Mobile Users (Blackberry, PDAs, Laptops and Wireless); request paths marked HIT, MISS and INVALID.]
1. A web access is initiated from the LAN.
2. A content engine examines the request for policy compliance.
• If the request is valid it forwards it to the cache.
• If the request is invalid it returns a message to the user.
The Web Cache intercepts the request:
• HIT - If the request is in cache it is served from the cache.
• MISS - If the request is not in cache it is forwarded to the internet.
Securing from Outside Attacks
Web Administration and Caching
[Figures: BEFORE and AFTER]
Securing from Inside Attacks
Latest Threats and Attacks
Computer Viruses and Worms
Adware, Spyware, Malware, Phishing, Pharming
Bots, Botnets and Rootkits
Buffer Overflows … attacking the stack
Secure yourself … the power of knowledge.
Securing from Inside Attacks
IP CAMERAS
Securing from Inside Attacks
Wireless Coverage
[Coverage maps: Residence Halls; Green Space – Channel 1; Green Space – Channel 11]
Site Survey by Elandia Solutions, Inc.
Wireless Security
802.1X PEAP Authentication with Dynamic VLAN Assignment
[Diagram. Labelled elements: Server Network, WiFi Network, Guest Network, Student Network, Faculty Network, LDAP Server, RADIUS Server.]
Numbered steps in the diagram:
1. Knock Knock
2. Who’s There
3. It’s Bob
4. Hi Bob
5. Here’s The Key
6. Come on this Network
7.
8.
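The slide names 802.1X dynamic VLAN assignment without showing what the RADIUS server returns. As an added example (not part of the original presentation), this Python code picks a VLAN from a user's LDAP groups and encodes the tunnel attributes that RFC 3580 specifies for carrying it in an Access-Accept. The group names and VLAN IDs are assumptions, since the deck gives neither.

```python
import struct

# RADIUS attribute numbers (RFC 2868) and the values RFC 3580 uses
# for 802.1X dynamic VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TYPE_VLAN, MEDIUM_IEEE_802 = 13, 6

# Assumed LDAP group -> VLAN ID mapping, highest precedence first.
# Group names and VLAN numbers are constructed for this example.
GROUP_VLANS = [("faculty", 30), ("student", 20), ("guest", 10)]

def vlan_for(groups):
    """Return the VLAN ID for the first matching group, or None (reject)."""
    wanted = {g.lower() for g in groups}
    for name, vlan in GROUP_VLANS:
        if name in wanted:
            return vlan
    return None  # fail closed: no known group means no network access

def _tagged_int(attr, value, tag=0):
    # Type, Length=6, Tag, 24-bit value (RFC 2868 sections 3.1 and 3.2)
    return struct.pack("!BBB", attr, 6, tag) + value.to_bytes(3, "big")

def vlan_attributes(vlan_id):
    """Encode the three Access-Accept attributes that carry the VLAN."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID out of range")
    group = str(vlan_id).encode("ascii")  # VLAN ID is sent as an ASCII string
    return (
        _tagged_int(TUNNEL_TYPE, TYPE_VLAN)
        + _tagged_int(TUNNEL_MEDIUM_TYPE, MEDIUM_IEEE_802)
        + struct.pack("!BB", TUNNEL_PRIVATE_GROUP_ID, 2 + len(group)) + group
    )

def decode_vlan(blob):
    """Walk the TLVs as an access point would and return the VLAN ID."""
    seen, i = {}, 0
    while i < len(blob):
        length = blob[i + 1] if i + 1 < len(blob) else 0
        if length < 3 or i + length > len(blob):
            raise ValueError("malformed attribute")
        seen[blob[i]] = blob[i + 2:i + length]
        i += length
    ok = (seen.get(TUNNEL_TYPE, b"")[1:] == TYPE_VLAN.to_bytes(3, "big")
          and seen.get(TUNNEL_MEDIUM_TYPE, b"")[1:] == MEDIUM_IEEE_802.to_bytes(3, "big"))
    if not ok or TUNNEL_PRIVATE_GROUP_ID not in seen:
        raise ValueError("not a complete VLAN assignment")
    return int(seen[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
```

An access point that receives an Access-Accept without all three attributes keeps the client on its default VLAN, so the decoder rejects partial assignments instead of guessing.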
Security for the End User
Windows and Office Updates
• http://windowsupdate.microsoft.com
• http://office.microsoft.com/en-us/officeupdate
Free Antivirus
• Avast - http://www.avast.com
• Avg - http://free.grisoft.com
Free Spyware / Malware Removal
• MS Anti-Spyware (Beta) - http://www.microsoft.com
• Adaware - http://www.lavasoftusa.com
• Spybot S&D - http://www.safer-networking.org
Future Enhancements
Previous Wish-List
Physical Security
• Biometrics?
• IP Cameras
• Access Control
Network Security
• Network Admission Control (NAC)
• Virtual Private Network (VPN)
• Network Intrusion Detection System (NIDS)
Current Wish-List
Physical Security
• Biometrics?
Network Security
• Network Admission Control (NAC)
    • Automatic Policy Enforcement
    • The power of Agents
• Virtual Private Network (VPN)
    • Actively Being tested
• 2-Factor Authentication
The Human Factor
70% of all threats come from within
• Tailgating
• Hot Plug
• Dialup and VPN
• Shoulder Surfing
• Unsecured Wireless
• Social Engineering
Viruses exploit vulnerable programs; social engineering exploits vulnerable people.
Super Computing
Reminder
WHEN: 12pm to 1pm
WHERE: Room 131 (Same Room)
WHO:
• Kevin Holman, Blackboard System Support Coordinator
• Andrea Di Fabio, Information Security Officer and Supercomputing Technology Coordinator
WHAT:
• Super Computers
• Clusters
• The Grid
• Live Cluster Computing Demo
• Live examples of applications running on the cluster
Q&A