A MultiZone Security Model

1
A Multi-Zone Security Model

• David Morton
• Lori Stevens
• 17 October 2007

2
Multi-Zoned Security

• Each Zone plays a role in security of system
• Layered defenses within each Zone

3
Zones
4
Introduction
The Connector Zone

• Joins networks together
• Goals
• Protect the infrastructure
• Low latency, high performance is key
• Traffic is originated elsewhere
• Connector policies establish rules
• Examples PNWGP, PacificWave

5
PacificWave Infrastructure
The Connector Zone
6
Pacific Wave Security
The Connector Zone

• Since Pacific Wave is a layer-2 exchange, it
  cannot directly mitigate and address participant
  behavior above layer-2, such as
• using BGP-4 for peering
• routing traffic without an established peering
  agreement
• generating traffic other than IP
• Must work together in order to collectively
  mitigate such activities
• Develop processes and procedures for proper
  escalation in the event of malicious or
  unauthorized activities are discovered
• Implement policies and protections to
• Limit the hosts/networks that can manage the
  network devices
• Make use of token based login or one time
  passwords
• Limit which network devices (by MAC) can directly
  connect

7
CZ Layered
The Connector Zone
Layered Security
8
Introduction
The Campus Zone

• Aggregates users to the connector
• Goals
• Stop bad traffic with no impact to good
• Isolate threats from the community
• Control SPAM, Phishing and virus threats
• Provide extra layers of protection as needed
• Mitigate security incidents quickly
• Minimize the impacts

9
Infrastructure
The Campus Zone

• 120,000 devices
• NO PERIMETER FIREWALLS
• IPS at the core

10
Intrusion Prevention
The Campus Zone

• Tipping Point IPS
• Rich rule set to block bad traffic
• Blocked at least 70 million attacks in 2006
• Thats nearly 185,000 attacks a day
• Ability to route some traffic around IPS for
  performance or policy

11
Email Defense Options
The Campus Zone

• Appliance
• Easy to setup
• Simplified maintenance
• Less flexible
• Software Solution
• Often more flexible, extensible to meet needs
• Separate hardware platform and OS to maintain

12
Spam at the UW
The Campus Zone

• January daily volume avg 3,040,000 messages,
  76.6 spam
• August daily volume avg 4,100,000 messages,
  80.1 spam
• Sept daily volume avg 4,560,000 messages, 88.5
  spam

13
Spam at the UW
The Campus Zone

• As much spam this year as all mail processed in
  2006 and nearly twice as much total mail as we
  processed from 2003-2005
• Be prepared for growth!

14
Email-born Viruses at the UW
The Campus Zone

• 2003 9,375,000 viruses detected in email
• 2004 20,000,000 viruses in email
• 2007 2,632,000 viruses
• Not the threat it once was.

15
UW 2003-2006 Mail Stats
The Campus Zone
16
Network Firewalls
The Campus Zone

• Two varieties
• Logical Firewall
• Subnet Firewall
• Logical Firewall (self managed)
• Selectively allows hosts to participate
• http//staff.washington.edu/corey
• Subnet Firewall (centrally managed)
• Gibraltar (linux) or Cisco FW Services Module

17
Incident Response
The Campus Zone

• Established incident response procedures
• Automated protections against worms
• Able to remotely capture network traffic
• Partner with industry, peers, etc for
  up-to-date intelligence

18
CampZ Layered
The Campus Zone
Layered Security
19
Introduction
The Dorm Zone

• Student housing
• Goals
• Protect Dorms from world
• And the world from the Dorms )
• Provide high bandwidth for acedemics, etc
• Control illegal filesharing
• Enforce administrative policies (ie no servers)

20
Infrastructure
The Dorm Zone

• 5,000 residents
• IPS sandwich
• Packeteer traffic shaper
• Firewall policy enforcement

21
DormZ Layered
The Dorm Zone
Layered Security
22
Hosts Defending Against Threats
The User/Host Zone

• Anti-virus sw is critical to keeping our
  networked-hosts clean
• configure to update itself automatically
• use other features such as buffer overflow and
  web (http) browsing protection, where appropriate
• Stay current on security updates and virus
  definitions/signatures

23
Hosts Defending Against Threats
The User/Host Zone

• Use complex passwords for critical devices, e.g.
  hosts, routers
• Use logs to catch attacks or compromises
• Software to detect inconsistencies
• Best place for firewall as its easiest to define
  good traffic
• can be complex to manage

24
Hosts Defending Against Threats
The User/Host Zone

• Isolation approach
• Separate services across hosts
• So one passwd doesnt get you to everything
• Block services that arent relevant
• For example, block port 25/tcp to and from all
  hosts that are not mail servers

25
Hosts Defending Against Threats
The User/Host Zone

• Security is part of everything
• design, build, implement, and buy
• Fewer compromises where pervasive layer
  protection implemented

26
DormZ Layered
The User/Host Zone
Layered Security
27
Questions?
David Morton dmorton_at_u.washington.edu 1 (206)
221-7814 Lori Stevens lrs_at_u.washington.edu 1
(206) 685-6227
28
Resources

• TippingPoint http//www.tippingpoint.com/products
  _ips.html
• PureMessage http//sophos.com/products/enterprise
  /email/security-and-control/unix/index.html
• General Security Infohttp//www.securityfocus.co
  m/http//www.sans.org/network_security.phphttp/
  /onguardonline.gov/index.html

29
Questions?