Page 1: A Multi-Zone Security Model

University of Washington

David Morton, Lori Stevens

17 October 2007

Page 2: Multi-Zoned Security

• End-to-end connectivity divided into Zones
• Each Zone plays a role in the security of the overall system
• Layered defenses within each Zone

Page 3: Zones (diagram)

Page 4: The Connector Zone: Introduction

• Joins networks together
• Goals:
  – Protect the infrastructure
  – Low latency, high performance is key
  – Traffic is originated elsewhere
  – Connector policies establish rules
  – Examples: PNWGP, PacificWave

Page 5: The Connector Zone: PacificWave Infrastructure (diagram)

Page 6: The Connector Zone: Pacific Wave Security

• Since Pacific Wave is a layer-2 exchange, it cannot directly mitigate and address participant behavior above layer 2, such as:
  – using BGP-4 for peering
  – routing traffic without an established peering agreement
  – generating traffic other than IP
• Must work together in order to collectively mitigate such activities
  – Develop processes and procedures for proper escalation in the event that malicious or unauthorized activities are discovered
• Implement policies and protections to:
  – Limit the hosts/networks that can manage the network devices
  – Make use of token-based login or one-time passwords
  – Limit which network devices (by MAC) can directly connect

Page 7: The Connector Zone: Layered Security (diagram)

Page 8: The Campus Zone: Introduction

• Aggregates users to the connector
• Goals:
  – Stop “bad” traffic with no impact to “good”
  – Isolate threats from the community
  – Control SPAM, Phishing and virus threats
  – Provide extra layers of protection as needed
  – Mitigate security incidents quickly
  – Minimize the impacts

Page 9: The Campus Zone: Infrastructure

• 120,000 devices
• NO PERIMETER FIREWALLS
• IPS at the core

Page 10: The Campus Zone: Intrusion Prevention

• Tipping Point IPS
  – Rich rule set to block “bad” traffic
  – Blocked at least 70 million attacks in 2006
  – That’s nearly 185,000 attacks a day
  – Ability to route some traffic around the IPS for performance or policy

Page 11: The Campus Zone: Email Defense Options

• Appliance
  – Easy to set up
  – Simplified maintenance
  – Less flexible
• Software Solution
  – Often more flexible, extensible to meet needs
  – Separate hardware platform and OS to maintain

Page 12: The Campus Zone: Spam at the UW

• January daily volume avg: ~3,040,000 messages, 76.6% spam
• August daily volume avg: ~4,100,000 messages, 80.1% spam
• Sept daily volume avg: ~4,560,000 messages, 88.5% spam

Page 13: The Campus Zone: Spam at the UW

• As much spam this year as all mail processed in 2006, and nearly twice as much total mail as we processed from 2003-2005
• Be prepared for growth!

Page 14: The Campus Zone: Email-borne Viruses at the UW

• 2003: 9,375,000 viruses detected in email
• 2004: 20,000,000 viruses in email
• 2007: 2,632,000 viruses
• Not the threat it once was…

Page 15: The Campus Zone: UW 2003-2006 Mail Stats (chart)

Page 16: The Campus Zone: Network Firewalls

• Two varieties
  – Logical Firewall
  – Subnet Firewall
• Logical Firewall (self managed)
  – Selectively allows hosts to participate
  – http://staff.washington.edu/corey
• Subnet Firewall (centrally managed)
  – Gibraltar (Linux) or Cisco FW Services Module

Page 17: The Campus Zone: Incident Response

• Established incident response procedures
• Automated protections against worms
• Able to remotely capture network traffic
• Partner with industry, peers, etc. for up-to-date intelligence

Page 18: The Campus Zone: Layered Security (diagram)

Page 19: The Dorm Zone: Introduction

• Student housing
• Goals:
  – Protect Dorms from the world
  – And the world from the Dorms :)
  – Provide high bandwidth for academics, etc.
  – Control illegal filesharing
  – Enforce administrative policies (i.e. no servers)

Page 20: The Dorm Zone: Infrastructure

• ~5,000 residents
• IPS sandwich
• Packeteer traffic shaper
• Firewall policy enforcement

Page 21: The Dorm Zone: Layered Security (diagram)

Page 22: The User/Host Zone: Hosts: Defending Against Threats

• Anti-virus software is critical to keeping our networked hosts clean
  – configure it to update itself automatically
  – use other features such as buffer overflow and web (HTTP) browsing protection, where appropriate
• Stay current on security updates and virus definitions/signatures

Page 23: The User/Host Zone: Hosts: Defending Against Threats

• Use complex passwords for critical devices, e.g. hosts, routers
• Use logs to catch attacks or compromises
• Software to detect inconsistencies
• Best place for a firewall, as it’s easiest to define “good” traffic
  – can be complex to manage
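The slide's advice to "use logs to catch attacks or compromises" is easiest to see with a concrete detector. The following is an added example, not code from the slides or from the University of Washington: it parses constructed sshd authentication lines (documentation-range addresses, made up for illustration), counts failures per source, and flags two things a host administrator would want to know about: a source that reaches a failure threshold, and a success that follows repeated failures from the same source, which is the pattern a guessed password leaves behind. The threshold of 5 and the log format are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the slides); the addresses are
# RFC 5737 documentation ranges chosen for illustration only.
SAMPLE_LOG = """\
Oct 17 08:01:02 host1 sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 17 08:01:03 host1 sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Oct 17 08:01:05 host1 sshd[4103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Oct 17 08:01:07 host1 sshd[4104]: Failed password for root from 203.0.113.7 port 51025 ssh2
Oct 17 08:01:09 host1 sshd[4105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct 17 08:01:20 host1 sshd[4106]: Accepted password for root from 203.0.113.7 port 51027 ssh2
Oct 17 08:05:00 host1 sshd[4110]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Oct 17 08:05:04 host1 sshd[4111]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2
Oct 17 08:06:00 host1 sshd[4112]: Accepted publickey for bob from 192.0.2.9 port 40100 ssh2
"""

# Matches the OpenSSH "Failed/Accepted <method> for [invalid user ]<user> from <ip>" lines.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_events(text):
    """Yield (outcome, method, user, src) for every sshd auth line in text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("outcome"), m.group("method"), m.group("user"), m.group("src")


def analyze(text, fail_threshold=5):
    """Summarise authentication activity per source address.

    Returns {src: {"failures": n, "brute_force": bool,
                   "possible_compromise": bool, "users_tried": [...]}}.
    brute_force is set when failures reach fail_threshold (assumed value);
    possible_compromise is set when a success follows more than one failure
    from the same source, in log order.
    """
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False,
                                 "users": set()})
    for outcome, method, user, src in parse_events(text):
        entry = stats[src]
        if outcome == "Failed":
            entry["failures"] += 1
            entry["users"].add(user)
        elif entry["failures"] > 1:
            # A login that succeeds right after repeated failures deserves a
            # human look: the password may have been guessed.
            entry["success_after_failures"] = True
    report = {}
    for src, e in stats.items():
        report[src] = {
            "failures": e["failures"],
            "brute_force": e["failures"] >= fail_threshold,
            "possible_compromise": e["success_after_failures"],
            "users_tried": sorted(e["users"]),
        }
    return report


if __name__ == "__main__":
    for src, summary in analyze(SAMPLE_LOG).items():
        print(src, summary)
```

Run against real logs by replacing SAMPLE_LOG with the contents of the host's auth log; the per-source report is what you would forward to the incident response procedures the Campus Zone slides describe.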

Page 24: The User/Host Zone: Hosts: Defending Against Threats

• Isolation approach
  – Separate services across hosts
  – So one password doesn’t get you to everything
• Block services that aren’t relevant
  – For example, block port 25/tcp to and from all hosts that are not mail servers
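Two of the deck's filtering rules are concrete enough to model: the Connector Zone rule that only designated hosts or networks may manage network devices (page 6), and the User/Host Zone rule that 25/tcp is blocked to and from every host that is not a mail server (page 24). The block below is an added example, not code from the slides or from the University of Washington. It encodes both rules as policy checks over a constructed inventory (documentation-range addresses; the management network, device list, mail server list and management ports 22/443 are all assumptions) and evaluates sample flows so the effect of each rule can be checked before it is committed to a firewall.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory (not from the slides); RFC 5737 documentation addresses.
MAIL_SERVERS = {ipaddress.ip_address("192.0.2.25")}
NETWORK_DEVICES = {ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("192.0.2.2")}
MANAGEMENT_NET = ipaddress.ip_network("192.0.2.128/29")   # assumed management network
MANAGEMENT_PORTS = {22, 443}                              # assumed device management ports
SMTP_PORT = 25


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def _ip(text):
    return ipaddress.ip_address(text)


def check_management_access(flow):
    """Page 6 rule: only the management network may reach device management ports.

    Returns None when the rule does not apply to this flow, else (allowed, reason).
    """
    if (_ip(flow.dst) not in NETWORK_DEVICES or flow.proto != "tcp"
            or flow.dport not in MANAGEMENT_PORTS):
        return None
    if _ip(flow.src) in MANAGEMENT_NET:
        return True, "device management from the management network"
    return False, "device management from outside the management network"


def check_smtp(flow):
    """Page 24 rule: 25/tcp is allowed only when one end is a listed mail server."""
    if flow.proto != "tcp" or flow.dport != SMTP_PORT:
        return None
    if _ip(flow.src) in MAIL_SERVERS or _ip(flow.dst) in MAIL_SERVERS:
        return True, "smtp to or from a mail server"
    return False, "smtp between hosts that are not mail servers"


RULES = [check_management_access, check_smtp]


def evaluate(flow):
    """First rule that applies decides; flows no rule covers are left alone."""
    for rule in RULES:
        verdict = rule(flow)
        if verdict is not None:
            return verdict
    return True, "no restricting rule"


def blocked(flows):
    """Return the flows the policy would deny, each with its reason."""
    return [(f, reason) for f in flows for allowed, reason in [evaluate(f)] if not allowed]


# Constructed sample flows to exercise both rules.
SAMPLE_FLOWS = [
    Flow("192.0.2.130", "192.0.2.1", "tcp", 22),      # admin host -> router ssh
    Flow("192.0.2.50", "192.0.2.1", "tcp", 22),       # desktop -> router ssh
    Flow("192.0.2.50", "198.51.100.10", "tcp", 25),   # desktop -> outside smtp
    Flow("192.0.2.25", "198.51.100.10", "tcp", 25),   # mail server -> outside smtp
    Flow("203.0.113.5", "192.0.2.25", "tcp", 25),     # outside -> mail server
    Flow("192.0.2.50", "192.0.2.25", "tcp", 587),     # desktop -> submission port
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        allowed, reason = evaluate(flow)
        print("ALLOW" if allowed else "DENY ", flow, "-", reason)
```

The desktop-to-outside SMTP flow is the one the page 24 rule exists for: a compromised workstation relaying spam is denied, while the mail server's own traffic on the same port is untouched. Keeping the rules as small functions over an inventory makes it easy to answer "what would this change block?" from a flow sample before the firewall is updated.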

Page 25: The User/Host Zone: Hosts: Defending Against Threats

• Security is part of everything
  – design, build, implement, and buy
• Fewer compromises where pervasive layer protection is implemented

Page 26: The User/Host Zone: Layered Security (diagram)

Page 27: Questions?

David Morton [email protected] +1 (206) 221-7814

Lori Stevens [email protected] +1 (206) 685-6227