UVaNET Security Update and other Network Issues

1
UVaNET Security Update and other Network Issues

• Jim Jokljaj_at_Virginia.EDU
• October, 2002

2
Agenda

• Internet traffic issues
• Wireless Network
• Security
• Rogue access points
• The UVa network upgrade
• The More Secure Network
• LSP tools status / demo
• Volunteers?

3
Internet Traffic UVa Links
4
Internet Traffic tools

• We developed some tools
• Measure total traffic to/from off-grounds
  locations on a per-machine basis
• Bytes and flows per day
• Computes mean and standard deviation
• Finds systems with traffic more than 10 standard
  deviations above the mean
• Guesses at system OS system type

5
Internet Traffic some results

• Results for September 27, 2002
• Results for September 30, 2002

6
Internet Trafficsome results

• What people have found when checking their
  systems
• P2P music/video sharing software installed
• Hacked systems
• Game distribution
• Hacked software distribution
• Virus infected systems
• Only one case so far when the person contacted
  knew that their computers traffic was ok!

7
Internet Trafficwhere you can help

• Does anyone recognize 128.143.62.138?
• A Win2k box in MR-4
• If you get an email from us, please check the
  system quickly
• Problem we cant find owners for some of the
  systems on our list
• How can you help?
• Email?, web site?, other?

8
Wireless Network Issues Security

• Wireless LAN security
• MAC Address authentication
• Cisco LEAP
• Authentication and encryption
• Microsoft support on WinXP EAP-TLS
• Authentication and encryption
• Cisco doesnt support MAC, LEAP, and EAP-TLS
  simultaneously
• Nudging Cisco about this
• We still need help from LSPs to steer users
  towards the secure wireless solutions

9
Wireless Network IssuesAccess Point
Installations

• Some hard to resolve user problems caused by
  access points installed by departments
• Users workstation cant authenticate
• Roaming fails as user moves down hall
• Works on some days, fails on others
• Please contact us before you install anything
• Please remember the 2 for 1 funding option
• Tell us where you have student work/study areas
• Wireless Site - www.itc.virginia.edu/wireless

10
Network Project Goals

• Support large numbers of workstations operating
  at 100 Mbps
• Increase Internet capacity
• Provide QoS infrastructure
• Support multicast
• Support for additional server consolidations
• Support special research applications
• Provide infrastructure needed to support a more
  secure environment

11
Firewalls

• Normal Configuration
• Allows outbound connections
• Prohibits inbound connections
• Stateful inspection
• Capacity
• Network Address Translation (NAT)

Public Network
Firewall
Private Network
12
Network Security Logical View
Users
Level 3 Zone
VPN
Level 1 Backbone
Level 2 Backbone
FireWall
Internet
Fire Wall
less secure
more secure
Users
Fire Wall
IDS
Users
Level 3 Zone
Level 3 Zone
Users
VPN
Fire Wall
13
Network Security

• Goal
• Reduce the number of security incidents
• Implementation A three level approach
• Level 1 existing network security
• Intrusion Detection System (IDS) protection only
• Level 2 a new more-secure backbone
• Firewall protection for a large number of users
  via a second backbone
• Level 3 high security areas
• Example the current Oracle system

14
Network SecurityInbound Access

• Access to Level 1
• From anywhere
• VPN support for remote access safety
• UVa-Anywhere
• Access to Level 2
• Remote access via VPN support
• Access to Level 3
• Special authentication and authorization needed

15
Firewalls and Speed Bumps

• Firewalls speed bumps for hackers
• Height of speed bump
• High small number of carefully administered
  machines behind firewall
• Medium large number of computers behind firewall
• High security comes from cryptography and proper
  system administration

16
More Secure NetworkSome Implementation Options

• Migration by building
• Migration by individual network jack
• Prerequisites database, LSP network management
  tools completed
• Department specific managed firewall
• Rules for participation
• Required protocols (IPX?, Appletalk?)

17
Network Tools

• For users
• Web page that explains if they are using the more
  secure network
• For LSPs
• Port configuration for speed duplex
• Port configuration for security zone
• Port diagnostics
• Turn switch ports on and off
• Building network information
• An additional read-only LSP mode

18
Should there be rules for participation?

• Windows PCs
• Require anti-virus?
• Unix Machines
• Apple Macintosh
• Required attention to system administration?
• Required ISS scanning?
• Short grace period for compromised machines?
• Other?

19
More Secure Network ProtocolsWhat is needed?

• Within the more secure network
• IP
• IPX?
• Appletalk?
• To/from the less secure network
• IP
• IPX?
• Appletalk?

20
Where we could use some help

• Volunteers for a group that will meet with us a
  few times to set the rules for participation
• Volunteer departments - early adopters
• Volunteer LSPs for technical testing LSP tools
  and the more secure network
• Volunteers who will review and/or possibly even
  help create some documentation
• Email comments general or protocol

21
Discussion, comments, questions?