Network Security in Academia: an Oxymoron - PowerPoint PPT Presentation

Slides: 17
Provided by: ClaytonBud

Transcript and Presenter's Notes

1
Network Security in Academia: an Oxymoron?
  • Terry Gray
  • Director, Networks & Distributed Computing
  • Computing & Communications
  • University of Washington
  • April 8, 1999

2
Contradictions
  • Researchers want open access
  • Clinicians, administrators want closed access
  • Everyone wants fast access
  • Almost everyone wears more than one hat
  • Traditional network security measures are based on physical locality and constrained use

3
Threats
  • Probing, Sniffing (when done by foes)
  • Denial of Service (DOS)
  • Penetration
  • Account take-over
  • Connection hijacking
  • Data Crimes
  • Theft/Disclosure
  • Corruption/Destruction
  • Impersonation/Fraud (e.g. web spoofing)

4
Security is not free
  • In fact, security is very expensive
  • Costs include
      • inconvenience
      • reduced performance
      • complexity management overhead requiring more staff, more time
  • Use "Appropriate technology"

5
Threat Sources
  • Outsiders
  • Insiders
  • Outsiders who become insiders
  • Insiders who become outsiders
  >> Benign neglect is also a threat!

6
Security Perimeters
  • Physical/Topological
      • site
      • subnet
      • host
  • Logical/Organizational
      • consortium or community of interest
      • enterprise
      • campus
      • department
      • workgroup
      • individual

7
Security Policy
  • Defining who can/cannot do what to whom...
  • Identification and prioritization of threats
  • Identification of assumptions, e.g.
      • Security perimeters
      • Trusted systems and infrastructure
  • Policy drives security; lack of policy drives insecurity

8
Security approaches (Guns, Fences, Hounddogs, Camouflage)
  • Network
      • Perimeter security (Firewalls, NATs)
      • Path isolation (Switches, VPNs, IPsec)
  • System
      • Host OS security (wrappers, patches, etc.)
      • Application security (SSH, SSL, Steganography...)
  • Other
      • Vulnerability detection
      • Intrusion detection
      • Better development tools and developers!

9
Security Usually Implies Isolation
  • Network security = network isolation
      • (what's wrong with that picture?)
  • Physical isolation
      • Separate wires/fiber
      • low-level multiplexing, e.g. TDM
  • Logical isolation
      • Access control
      • Encryption

10
Defense in Depth
  • Security is additive
  • No single solution
  • Examine cost/benefit of each approach vs. cost of security incidents
  • Focus first on biggest vulnerabilities
  • Then knock off the easy-to-do items

11
Cost Time Inconvenience
  • In order of increasing sys-admin time
      • Application security
      • Vulnerability & intrusion detection
      • Path isolation (VPNs)
      • Perimeter security (Firewalls)
      • Host security
      • Incident cleanup (compound frustration!)
  • In order of increasing user inconvenience
      • Vulnerability & intrusion detection
      • Application security
      • Host security
      • Path isolation (VPNs)
      • Perimeter security (Firewalls)
      • Incident cleanup

12
The Dark Side of Firewalls
  • Firewalls are often viewed as a security panacea
  • But they don't live up to the hype, because they:
      • Assume fixed security perimeter
      • Give false sense of security
      • May inhibit legitimate activities
      • May be hard to manage
      • Won't stop many threats
      • Are a performance bottleneck

13
Assessing the value of Firewalls
  • Let
      • E = % of attacks originating outside firewall
      • B = % of external attacks actually blocked
      • H = Number of hosts to be protected
      • P = Number of security policies
  • Firewall Value = E * B * H / P
  • In the limit, P may approach H!
  • Must weigh cost of managing vs. alternatives

14
Campus Network "Firewalls" (Router packet filtering)
  • Criteria
      • Low impact on network performance
      • High degree of campus consensus: no flaming C&C!
      • Can't reasonably be done at end-systems
  • Now
      • Prevent source address spoofing
      • Other possibilities under consideration
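
Added example (not part of the original slides): a sketch of the stateless decision a border router makes when filtering spoofed source addresses, the one filter this slide lists as in place. The campus prefixes, sample packets and function names are constructed for illustration; the verdict depends only on direction and source address, which is why the check costs little per packet.

```python
import ipaddress

# Constructed campus address space (RFC 5737 documentation prefixes), an assumption.
CAMPUS = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "198.51.100.0/24")]
# Source ranges that are never valid on a packet arriving from outside.
BOGONS = [ipaddress.ip_network(p) for p in
          ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
           "192.168.0.0/16", "224.0.0.0/4")]


def _matches(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def border_filter(direction, src):
    """Return 'permit' or 'deny' for a packet crossing the campus border."""
    if direction == "outbound":
        # Egress rule: only campus source addresses may leave the campus.
        return "permit" if _matches(src, CAMPUS) else "deny"
    if direction == "inbound":
        # Ingress rule: a campus or bogon source cannot legitimately
        # arrive on the outside interface.
        if _matches(src, CAMPUS) or _matches(src, BOGONS):
            return "deny"
        return "permit"
    raise ValueError("direction must be 'inbound' or 'outbound'")


# Constructed sample traffic: (direction, source, destination).
SAMPLE = [
    ("outbound", "192.0.2.10", "203.0.113.7"),    # campus host, true source
    ("outbound", "203.0.113.99", "203.0.113.7"),  # non-campus source leaving campus
    ("inbound", "203.0.113.7", "192.0.2.10"),     # ordinary outside host
    ("inbound", "198.51.100.5", "192.0.2.10"),    # campus source arriving from outside
    ("inbound", "10.1.2.3", "192.0.2.10"),        # private source arriving from outside
]


def run(sample=SAMPLE):
    return [border_filter(direction, src) for direction, src, _dst in sample]


if __name__ == "__main__":
    for packet, verdict in zip(SAMPLE, run()):
        print(packet, "->", verdict)
```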

15
Even with Firewalls...
  • Bad guys aren't always "outside" the moat
  • One person's security perimeter is another's broken network
  • Organization boundaries and filtering requirements constantly change
  • Security perimeters only protect against a limited percentage of threats; must examine entire system
  • Cannot ignore end-system management
  • Use of secure applications is a key strategy

16
Conclusions
  • Security: "pay now or pay later"
  • No silver bullets, only thankless effort
  • Computer ownership has responsibilities: each hacked system is a threat to neighbors
  • Organizational boundaries rarely map to physical topology
  • Suggested security priorities: Application > Host > Path > Perimeter