Security: The Network Perspective

Jeff Collyer, Christy Joseph, Joe Agler

This presentation will break down some of the tools used by our Information Security Engineers to keep you safe on the UVa networks.

Who now?

• Jeffrey Collyer – ITS since 1999: email, networks, hostmaster. Joined InfoSec in 2015, right before Phoenix.

• Christy Joseph – CS from 1996-2004, ITS since 2004: LDAP, user database, Infrastructure Applications. Joined InfoSec in 2016.

• Joe Agler – In IT since 2004, five years of IT security experience. UVA ITS since 2016: EI-VAMS, Carbon Black, CyberArk. Joined InfoSec in 2017.

Layers of Security

• “Defense in depth” is an information security concept in which multiple layers of security controls are placed throughout information technology systems.

• The intent is to provide redundancy should one security control fail or a vulnerability be exploited.

• Secure the network using different tools than the endpoint/desktop.


Onions have layers*

* Shrek

Academic Protected Network (APN)

• What – A new wired network rolling out across grounds

• Why – To give wired machines basic protection from Internet threats

[Figure: Internet circa 1986 vs. Internet today]

Internet today

• Average survival time for an unpatched computer connected to the open internet is currently under 5 minutes
  – That’s less time than it takes to download all the patches you need from your OS vendor

• Anecdotal evidence – 800+ scans hit a machine I put up on the open internet while I was at lunch (~1 hour)

APN Protections

• APN is firewall protected from Internet traffic
  – Computers on the internet cannot scan or attack an APN host directly
    • No communication can start from the outside and come in
  – APN hosts can still communicate out
    • To get updates, browse the web, etc.
  – APN hosts can still communicate to all UVA resources
    • Still print to printers
  – Your cable router already does this for your home network

• APN has Intrusion Prevention System (IPS) protection

Gory Details

Network tiers: Academic Open Network, Academic Protected Network, More Secure Network.

Device Type                      IP Network
Publicly Available Server        128.143.x.x/16
Printer (no Internet access)     172.16.x.x/16
Internal (Grounds) Server        172.29.x.x/16
Printer (with Internet access)   172.29.x.x/16
Standard Laptop or Desktop       172.28.x.x/16
Managed Laptop or Desktop        137.54.128.x/17

For updates and changes to UVA’s IP Address Space go to https://its.virginia.edu/network/ipspace.html.

APN to Remember

• Only wired connections using DHCP

• Much like the MSN

• It does use a new IP range
  – If you limit access to resources by IP you will need to change your filters

• On-Grounds networks, including the various VPNs, can connect to resources on the APN; nothing new required

Intrusion Prevention System

• What – Monitors network traffic
  – Matches signatures in network traffic, like AV
  – Also matches patterns and thresholds (network scans)
  – Has a list of known bad IP addresses

• Why – Block the Bad Stuff
  – Botnets
  – Ransomware
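An added illustration (not from the presentation) of the threshold-style matching the IPS does for network scans: a sliding-window count of distinct destination ports per source over constructed flow records. It also shows the caveat that a scan slower than the window goes unflagged by a short window.

```python
from collections import Counter, defaultdict

# Constructed flow records (src, dst, dport, seconds); not real traffic.
FLOWS = (
    # fast scan: 30 ports on one host within 30 s
    [("198.51.100.9", "172.28.1.5", p, 100 + p) for p in range(1, 31)]
    # ordinary client: only ports 80 and 443
    + [("172.28.1.7", "128.143.0.10", p, 200 + t) for t, p in enumerate([80, 443, 80, 443, 80])]
    # slow scan: 25 ports, one every 10 s
    + [("203.0.113.5", "172.28.1.5", 1000 + p, 500 + 10 * p) for p in range(25)]
)


def scan_sources(flows, threshold, window):
    """Flag sources that touch >= threshold distinct (dst, port) targets within any
    `window`-second span. Returns {src: max distinct targets seen in one window}."""
    by_src = defaultdict(list)
    for src, dst, dport, ts in flows:
        by_src[src].append((ts, (dst, dport)))
    flagged = {}
    for src, events in by_src.items():
        events.sort()                  # oldest first
        in_window = Counter()          # target -> hits inside the current window
        lo = 0
        for ts, target in events:
            in_window[target] += 1
            # drop events that have fallen out of the window
            while events[lo][0] < ts - window:
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged
```

With a 60-second window only the fast scanner is flagged; widening the window to 300 seconds also catches the slow one, which is the trade-off a threshold rule always carries.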

IPS is your friend

• But wait, didn’t you just say that the APN won’t let attackers in?
  – What if a machine is already compromised?
    • A laptop that moves around
    • Existing host moved to APN from open network

• IPS only logs activity on a Signature/Rule hit
  – Preserves your privacy

• Receives daily, sometimes hourly, updates, so it’s always scanning for the newest threats

• Only blocking very specific known bad items

IPS Rollout

• Initially in front of the APN networks

• Over time will be rolled out to other networks
  – 10/2/2017 – APN
  – 10/23/2017 – Guest Networks
  – 11/27/2017 – MSN
  – 1/8/2018 – Dorm Networks
  – 1/24/2018 – Wireless

• There is a whitelisting process if something is blocked in error

• More at https://www.secureuva.virginia.edu/ips/

IPS Notification


Network Anti-Malware

• Malware is a persistent problem at UVa

• Allows remote control by external parties and/or uses infected devices to propagate additional malware attacks

• Presents a serious security risk for UVa data

• FireEye Network Security appliance provides a layer of protection by acting as an Intrusion Detection System (IDS)


FireEye Network Security

• Continuously analyzes network traffic looking for botnet transmissions & executables.

• Explodes executables in VM sandbox.

• Alerts are generated from identified malware callbacks from within our network.

• A Security Incident is generated in ServiceNow, which sends out a notification to the Security Analyst team.


Security Information and Event Management (SIEM)

• System for collecting and analyzing data relevant to IT security & operations

• Intakes machine data from
  – Servers
  – Network equipment
  – Specialized security equipment
  – Application and Service logs (both on premises and cloud based)

• Provides an integrated point of view into the data

• Makes it easier to spot trends and see patterns that are out of the ordinary

SIEM at UVA

• SecureUVA Project launched in Fall 2016

• Includes Log Aggregation and Log Correlation

• Log Aggregation: Syslog-NG Store Box

• Log Correlation: Splunk

• Project will wrap up by end of December


Syslog-NG Store Box (SSB)

• Log aggregation appliance using Syslog protocol

• Ingests logs for over 150 log source hosts currently

• Data is parsed, indexed, and stored locally (with options for compression and encryption)

• Supports filtering and tagging data, custom retention policies, and custom report generation

• Licensing is based on # of log source hosts


Syslog-NG Store Box (SSB) cont.

• Filters and routes event data to downstream applications (log correlation, etc)

• Provides web access for log searching

• Will be coming soon as a contract service


Splunk

• Log correlation system; Gartner Magic Quadrant Leader

• High performance indexing/searching of virtually any log data

• Sophisticated searching using Search Processing Language (SPL)

• Licensing is based on GB of data ingested / day

• Will be coming soon as a contract service


Splunk Capabilities

• Saved searches and reports with a variety of scheduling options

• Alerts which fire based on results of saved searches

• Custom dashboards and forms

• Full featured data visualizations (line, area, column, bar, pie, bubble, scatter charts; gauges; cluster and choropleth maps; tables with custom formatting, and more)

• Data normalization using field aliases, tags, and eventtypes

• External lookups (file based, KV store, external DB integrations, scripts)

UVa Splunk Uses

• Abuse Investigations

• Alerting on Indicators of Compromise (IOCs)
  – Identify potential account/device compromises
  – Example: Email log searching to identify spammers -> leads back to compromised accounts

• Integration of and automated alerting based on Threat Intelligence feeds
  – Emerging Threats Pro is the feed we use today
  – Use it to look for logins by “bad” IPs on JointVPN
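Added example, not the presentation’s own Splunk search (which is not reproduced on this page): the two detections above, spammer identification from mail logs and JointVPN logins from feed-listed IPs, written as plain Python over constructed log lines. The log formats and the IP set standing in for the threat intelligence feed are all constructed for this example.

```python
import re
from collections import Counter

# Constructed JointVPN login events (format invented for this example).
VPN_LOG = """\
2017-10-02T08:01:10 JointVPN login user=alice src=198.51.100.23 result=success
2017-10-02T08:03:44 JointVPN login user=bob src=203.0.113.77 result=success
2017-10-02T08:05:02 JointVPN login user=carol src=192.0.2.200 result=failure
2017-10-02T08:09:15 JointVPN login user=dave src=203.0.113.77 result=success
"""

# Constructed outbound mail events: one normal sender, one sending in bulk.
MAIL_LOG = "\n".join(
    ["2017-10-02T09:00:01 smtp from=alice@example.edu to=friend@example.org"]
    + [f"2017-10-02T09:0{i}:00 smtp from=mallory@example.edu to=victim{i}@example.org"
       for i in range(1, 6)]
)

# Constructed stand-in for a threat-intelligence feed of "bad" IPs.
BAD_IPS = {"203.0.113.77", "192.0.2.200"}

VPN_RE = re.compile(r"JointVPN login user=(\S+) src=(\S+) result=(\S+)")
MAIL_RE = re.compile(r"smtp from=(\S+) to=(\S+)")


def vpn_logins_from_bad_ips(log, bad_ips):
    """Return (user, src) pairs for successful logins whose source IP is on the feed.
    Failed attempts are left out: they are noise for this alert, not a compromise."""
    hits = []
    for line in log.splitlines():
        m = VPN_RE.search(line)
        if m and m.group(3) == "success" and m.group(2) in bad_ips:
            hits.append((m.group(1), m.group(2)))
    return hits


def potential_spammers(log, threshold):
    """Count outbound messages per sender; return senders at or above threshold,
    which is the lead an analyst follows back to a possibly compromised account."""
    counts = Counter()
    for line in log.splitlines():
        m = MAIL_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {sender: n for sender, n in counts.items() if n >= threshold}
```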

Alerts Example – Potential Spammers

[Figure: search driving the alert]

Domain Name Service (DNS) Firewall

• DNS Firewall was implemented at UVA Mid-2017
  – DNS is equivalent to a phone book: a directory of names which translate to IP addresses
  – DNS Firewall builds on that; certain security categories are blocked
  – Proactively Detect and Automatically Contain Malware
  – Protects you while on UVA networks

How DNS Firewall disrupts malware

[Figure: image from www.infoblox.com]

DNS Firewall – UVA Block page


What we do

• Block from various Threat Intelligence feeds (including your notifications)

• Block Categories
  – Antimalware
  – Ransomware
  – Phishing
  – Botnets
  – Command & Control
  – Indicators of Compromise

• Send hits to our Log Correlator (Logs!)

How can you stay protected?

• Public WiFi use
  – Utilize UVA Virtual Private Network (VPN) for a secure connection/protection by DNS Firewall

• Phishing attempts
  – We block phishing URLs reported to abuse@virginia.edu to protect others that may fall victim to Eve L. Phish
  – Don’t click on links
  – Report phishing emails to abuse@virginia.edu

Vulnerability and Patch Management

• SecureUVA project – Coming Soon

• What is Vulnerability and Patch Management?

• Why Vulnerability and Patch Management?

• How does Vulnerability and Patch Management protect me?

Scalable Vulnerability Scanner – Coming Soon

• Surveying available scanning products

• For use by all of UVA Departments and LSPs!

• Goals:
  – Identify vulnerable systems
  – Patch them quicker

• Added benefits:
  – Assist in inventorying systems
  – Assist in identifying software
  – Notification workflow for remediation

Critical ITS systems – Qualys

• Small scale Qualys implementation

• Identify and/or classify areas of network

• Establish Patch cycle/procedures

• Focus on Critical and Urgent items
  – Weekly Operational Intelligence meeting

Patch Management

• Currently have some Patch Management, like
  – System Center Configuration Manager (SCCM)
  – Puppet

• Moving forward
  – Looking to provide solutions for all of UVA
    • Operating System Updates, Applications, Drivers, Configurations

• Asset & Software inventory
  – Determine risk profile

Think about these -

• Patch Operating Systems and Applications
  – Prioritize Critical/Urgent/Internet Facing

• No OS or Application Patch support?
  – Retire unsupported/unpatched systems immediately

• If you need ad-hoc vulnerability scans:
  – Service Request Catalog > Security > SecureUVA Products and Services > SecureUVA - Vulnerability Management

Questions?
