Living Next to the Anarchists - PowerPoint PPT Presentation

Slides: 22
Provided by: E702
Transcript and Presenter's Notes

Title: Living Next to the Anarchists


1
Living Next to the Anarchists
  • By Erick Engelke

2
Anarchists?
  • Anarchy is (various definitions)
  • lawlessness or disorder when there is a lack of
    governance.
  • Some see it as a Utopia

3
What is the future?
  • Laptops now outsell desktops
  • we must expect growth in unmanaged wireless
    computing
  • Laptops, CD-R/DVD-Rs, USB memory sticks and
    MP3/memory devices breach our perimeter and
    are becoming more popular
  • Hardware firewalls protect between zones,
    ineffective against the computer plugged in
    beside you.

4
Continuum of Security
  • None
  • Available but optional
  • Encouraged / Accessible
  • Heavily Enforced
  • Always a risk that heavily enforced security
    will lead people to avoid our protections and
    return to no security.

5
Accessible Security?
  • Make technology simple to conceptualize though
    not necessarily understand
  • It becomes part of the culture
  • Examples
  • privacy of PIN numbers on Debit cards
  • Security of SSL web sites

6
How to Encourage Security
  • Educate
  • Reward
  • Remind
  • Nag
  • Embarrass
  • Punish

7
Possible Education Points
  • 1. Secure your computer
  • Antivirus, Workstation Firewall, Updates,
  • 2. Secure your applications
  • MyWaterloo, SSH, Secure IMAP, VPN
  • 3. Secure yourself
  • Best practices like strong secret passwords,
    avoiding probable malware
  • Users can conceptualize these points,
  • but will they act? How hard is this to do?

8
MinUWet: Setting minimum standards
  • NAA detects OS at login screen
  • highly vulnerable OSs must endure a scan using
    MinUWet
  • Antivirus enabled and up-to-date? Freshen!
  • OS getting patches? Push button to enable!
  • HTTP always allowed, download patches
  • Pass test: get additional network access
  • Other OSs are not affected
  • will still do existing security scans and SNORT
  • complementary solutions add more security

9
Some MinUWet Facts
  • Idea is similar to Cisco NAC and MS NAP
  • MinUWet is compatible with all existing hardware
    and safe with non-MS OSs.
  • Local expertise, we can adapt it
  • Cisco and MS solutions are stronger but more
    difficult to run and inflexible
  • MinUWet doesn't have to be hack-proof, it just
    has to be better than today's mess!
  • MinUWet - retired upon better options

10
Students Overusing Networks
  • Wireless, Villages, Libraries and Nexus labs
  • Download DVDs: signature is typically a multiple
    of 4 GB download per day
  • Peer2Peer traffic will grow to fill almost any
    sized network pipe

11
Nexus Firewall w/TTTS

12
Some Examples
Function | Wireless | Villages | Nexus
Authentication, Auditing/Accounting, Access Controls | NAA | Port Locking | Nexus
Bandwidth Management | NAA Toilet Tank Traffic Shaping | Other | Nexus Firewall with Toilet Tank Traffic Shaping
Vulnerability and Malware Management | NAA firewall MinUWet Snort Antivirus, Firewall | Snort Antivirus, Firewall | Nexus Firewall MinUWet-similar Snort Antivirus
User Data Security | Future VPN | Switched Network | Switched Network

13
Typical Network Traffic Patterns

14
Toilet Tank Traffic Shaping
  • Start with a full reservoir of potential
    bandwidth
  • We keep adding more potential bandwidth, until
    the reservoir reaches maximum
  • Client can use bandwidth in big bursts or small
    constant trickle
  • You cannot keep flushing, the reservoir takes
    time to refill

15
Example
  • 5 MB reservoir, 1 MB inflow rate
  • user can download 5 MB every 5 minutes
  • or can stream 1 MB/min (17 kB/s)
  • limited to 1.4 GB/day
  • (1MB/min x 60 min x 24h)
  • Most users unaware of any limits, but P2P users
    get frustrated and give up.
  • These rates imposed only for off-campus
  • Faculty/Staff machines rarely rate limited.
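
The reservoir described on the two slides above behaves like a token bucket. The following simulation is an added example, not code from the presentation or from the Nexus/NAA firewall; the class and function names are hypothetical, and only the 5 MB reservoir and 1 MB/min inflow come from the slide.

```python
from dataclasses import dataclass


@dataclass
class ToiletTank:
    """Per-client reservoir of bandwidth credit (hypothetical model)."""
    capacity_mb: float = 5.0        # reservoir size from the slide
    inflow_mb_per_min: float = 1.0  # refill rate from the slide
    level_mb: float = 5.0           # the tank starts full
    clock_min: float = 0.0          # time of the last refill

    def _refill(self, now_min: float) -> None:
        # Credit accumulates with elapsed time but never above capacity.
        elapsed = now_min - self.clock_min
        self.level_mb = min(self.capacity_mb,
                            self.level_mb + elapsed * self.inflow_mb_per_min)
        self.clock_min = now_min

    def request(self, now_min: float, want_mb: float) -> float:
        """Return the MB actually granted at now_min (may be partial)."""
        self._refill(now_min)
        granted = min(want_mb, self.level_mb)
        self.level_mb -= granted
        return granted


def simulate(demand_mb_per_min: float, minutes: int) -> float:
    """Total MB delivered to a client asking for a fixed amount each minute."""
    tank = ToiletTank()
    return sum(tank.request(t, demand_mb_per_min) for t in range(minutes))


if __name__ == "__main__":
    day = 24 * 60
    print("steady 1 MB/min stream:", simulate(1, day), "MB/day")
    print("greedy 50 MB/min client:", simulate(50, day), "MB/day")
```

A greedy client drains the initial 5 MB and is then held to the inflow rate, so its daily total stays close to the slide's 1.4 GB/day figure no matter how much it requests.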

16
Reading Mail Off Site
  • Options
  • Use secure protocols from own laptop
  • Eg. IMAPS
  • Use MyWaterloo Email portal from any web browser
  • But what if a keystroke grabber catches my
    password

17
Kiosk Password Security
  • Abstain: don't use kiosks
  • Pray: use and hope they are safe
  • Disposable single use passwords, all the pleasure
    of Email access without the risk.
  • (Disposable passwords also could be used for NAA
    authentication, etc.)

18
Disposable Passwords

19
Disposable Password
  • Cryptographic hash, non-invertible
  • Internet Standard One Time Password
  • Don't need a dongle to buy and carry, just use
    your Java phone, Blackberry or PDA.
  • Free
  • Relatively secure: 40,000,000,000,000,000,000
    unique passwords for hackers to try.
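
Why a disposable password captured by a kiosk keystroke grabber is useless afterwards can be shown with a hash chain. This is an added example, not code from the presentation: it assumes the slide refers to a hash-chain scheme such as the one-time password system of RFC 2289, and it simplifies the hash to SHA-256 truncated to 64 bits, so it is not wire-compatible with that standard. All names and the sample secret and seed are constructed.

```python
import hashlib
import hmac


def step(value: bytes) -> bytes:
    """One application of the non-invertible hash, truncated to 64 bits."""
    return hashlib.sha256(value).digest()[:8]


def chain(secret: bytes, seed: bytes, count: int) -> bytes:
    """Client side (phone/PDA): hash seed+secret, then `count` more times."""
    value = step(seed + secret)
    for _ in range(count):
        value = step(value)
    return value


class OtpServer:
    """Stores only the last accepted password, never the user's secret."""

    def __init__(self, seed: bytes, count: int, value: bytes):
        self.seed = seed
        self.count = count    # sequence number of the stored value
        self.stored = value   # equals chain(secret, seed, count)

    def challenge(self):
        """Tell the client which link of the chain to produce next."""
        return self.seed, self.count - 1

    def verify(self, candidate: bytes) -> bool:
        if self.count <= 0:
            return False      # chain used up; user must re-initialise
        # Hashing the candidate once must give the value accepted last time.
        if not hmac.compare_digest(step(candidate), self.stored):
            return False
        self.stored = candidate   # next login must present its preimage
        self.count -= 1
        return True


if __name__ == "__main__":
    secret, seed = b"constructed passphrase", b"ke1234"   # sample values
    server = OtpServer(seed, 100, chain(secret, seed, 100))
    _, n = server.challenge()
    otp = chain(secret, seed, n)
    print("first use accepted:", server.verify(otp))
    print("replay accepted:   ", server.verify(otp))
```

After a successful login the server expects the preimage of the password just used, which an eavesdropper cannot compute from the captured value.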

20
Summary
  • We must learn to live with the threats and abuse
    around us
  • Good strategies reduce our risks and workload
    without hurting most users
  • Talk was focused on three new-ish technologies
  • Benefit of expertise is the ability to leverage
    existing infrastructure to solve new problems

21
Thank you