IS 2600 Intrushield IPS appliance (McAfee) ... McAfe - PowerPoint PPT Presentation

Description:

IS 2600 Intrushield IPS appliance (McAfee) ... McAfee Anti-Virus suite. Funk Steel Belted RADIUS. Zix Corp. Message Inspector. e-Security ... – PowerPoint PPT presentation

Slides: 17
Provided by: mikew5

Transcript and Presenter's Notes

1
Network Security on an Urban Campus: A
Multilayered Approach
The Art and Practice of Security: A Trilogy,
Part 3
  • Presented By: Barry Williams, Manager of
    Networks/CISO
  • Assisted By: Sanders Diaz, Network Security
    Supervisor
  • Victor Mahatheva, Manager of
    Servers/PCs/Telephony Support
  • Terry Dunne, Telephony Admin. Operations

2
Agenda
  • A bit of philosophy
  • BMCC's approach to implementing comprehensive
    network security
  • What we have done so far
  • Where we plan to go

3
What is network security?
  • Maintain the integrity of information as it flows
    into, out of, and through a network.
  • Maintain the integrity of information that
    resides on networked devices.
  • Maintain the integrity of the network itself,
    including the devices on the network.

4
What threatens network integrity?
  • Outside threats: malware, hackers,
    cybercriminals, misused applications, the
    computer inept
  • Inside threats: malware, hackers, cybercriminals,
    misused applications, the computer inept, play,
    instructional experimentation

5
What are best practices today to establish good
network security?
  • Is there such thing as a perimeter? Yes, and No
  • Can everything be protected by using the products
    of a single vendor? Maybe, but how well?
  • How do policies in an academic environment differ
    from those in a corporate environment?
  • Teaching, learning, academic freedom,
    semi-public users, transient users

6
BMCC's Approach
  • Identify layers that can be protected for as many
    elements as possible using one tool.
  • Try to get the biggest bang for the buck
  • Get the best tools that accomplish the needs, not
    the best tools possible.
  • It's a moving target, anyway
  • Practice Buddhist Security Kung Fu.
  • Try to avoid before argue, argue before fight,
    fight before kill (disable service)

7
BMCC's Network Now: Security Viewpoint
iChain Cluster

8
Product List
  • IS 2600 IntruShield IPS appliance (McAfee)
  • FG 800 Fortigate Firewall/IDS-IPS/Anti-Spam/
    Anti-Virus/VPN/Bandwidth Shaping
  • Cisco PIX 525, 535 Firewall/VPN
  • Not Shown:
  • Novell NetWare 6 featuring eDirectory, iChain,
    and ZenWorks
  • Cisco IDS-4235
  • Array Security Proxy
  • McAfee Anti-Virus suite
  • Funk Steel Belted RADIUS
  • Zix Corp. Message Inspector
  • e-Security
  • Host-based firewalls
  • Alcatel OmniPCX IP telephony switch

9
Wireless Deployment
  • Alcatel OmniAccess 4000 Wireless Switch
  • PoE-capable, manage directly attached skinny
    APs
  • OmniAccess 4100 Wireless Appliance
  • Manage APs anywhere in the network
  • Cisco 1200 fat APs
  • Existing areas pre-Alcatel, temporary installs
    if no Alcatel AP available
  • Some non-Cisco still around

10
Tactical Security Product Deployment - Now
  • Network elements are computers, servers,
    applications, switches/routers, IP phones,
    wireless devices, peripherals, transport media,
    the security devices themselves, and the users
  • Separate admin and instructional networks; VLANs
    for layer 2 isolation within each network;
    filtering between select VLANs
  • PIX firewalls for standard, whole-campus
    perimeter firewalling; host-based firewalls for
    selected servers and computers

11
Tactical Security Product Deployment - Now
  • All wireless segments must be encrypted media;
    802.11a segment for highest security, QoS
    applications; 802.11b/g for general access and
    instructional use
  • All sensitive applications accessed via
    authentication, SSL preferred
  • IntruShield and Fortigate appliances targeted at
    clusters of network elements; Cisco IDS cascaded
    to monitor where prevention is not crucial

12
BMCC's Network Future: Security Viewpoint
iChain Clusters

13
Tactical Security Product Deployment - Future
  • Core network elements are computers, servers,
    applications, switches, routers, wireless
    devices, network peripherals, transport media,
    the security devices themselves, and the users
  • PIX firewalls for standard, whole-campus
    perimeter firewalling; host-based firewalls for
    selected computers
  • IntruShield and Fortigate appliances targeted at
    clusters of network elements

14
Tactical Security Product Deployment - Future
  • All wireless segments must be encrypted media;
    802.11a segment for highest security, QoS
    applications; 802.11b/g for general access and
    instructional use
  • All network access via authentication, or host
    dumped into holding VLAN; the key: SSO!
  • Mobile/remote devices checked for minimum secure
    configuration before VPN connection

15
Closing Thoughts
  • Problems to be addressed evolving at Internet
    speed, as are solutions
  • We can't wait for the total solution, but we will
    avoid locking into proprietary ones
  • If you try to depend on in-house staff for
    implementation, the house will never be built to
    stand

16
QUESTIONS?
  • Barry Williams bwilliams_at_bmcc.cuny.edu
  • Victor Mahatheva vmahatheva_at_bmcc.cuny.edu
  • Novell desktop management
  • Sanders Diaz sdiaz_at_bmcc.cuny.edu
  • Security product implementation, maintenance
  • Terry Dunne tdunne_at_bmcc.cuny.edu
  • IP telephony