![Page 1: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/1.jpg)
EDUCAUSE & Internet2 Security Professionals Conference
The Challenge: Securing a Large Multicampus Network
Kirk Kelly – Pima Community College
Scott Ferguson – Pima Community College
April 11, 2006
2:45pm – 3:45pm
Denver Ballroom 2
http://www.pima.edu/admin/presentations
![Page 2: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/2.jpg)
Outline
• Who is Pima Community College (PCC)
• PCC technology infrastructure
• Specific incident
• Lessons learned
• New security devices
• New network architecture
• Questions
http://www.pima.edu/admin/presentations
![Page 3: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/3.jpg)
Pima Community College
Located in Tucson, AZ
• 8 campuses
• 9 centers
Enrollment
• 61,769 – Credit
• 13,639 – Noncredit
• 75,408 – Combined
![Page 4: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/4.jpg)
Student Profile
• Average age: 27
• 41% ethnic minorities
• 56% female
• 69% part-time
• 68% daytime
• 25% evening
• 7% weekends
![Page 5: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/5.jpg)
Current Data & Phone Network
• 15,000 data network connections across the college
• 7,000 devices connected to the network @ 100/1000 Mbit
• Campuses, DO, and MS connected at 1 Gigabit speed via City I-Net Fiber ring
• Wireless at all locations
• 2,500+ phone lines across the college
• Over 70 (IDF/MDF) rooms
![Page 6: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/6.jpg)
PCC Locations, Routers, Firewalls, and WAN Transports (network diagram, KRK 11/19/04; only the labels survive extraction)
Locations shown: Internet (via Internet Router and Nokia FW), Network Core Layer, DMZ Resource Network, PCC Resource Network, DO Resources, District Support Services Center, Downtown Campus, Community Campus, East Campus, West Campus, Desert Vista Campus, NW Campus (10 Mbit Ethernet), NE Ctr, SE Ctr, Davis-Monthan Ctr, Green Valley Ctr, Aviation Training Facility, PCAE Eastside, PCAE Lindsey, PCAE El Rio, PCAE El Pueblo
Devices shown: Routers or Layer 3 Switches, Nokia FW, PIX, HITACHI, IPS (Intrusion Prevention System, attached in-line on the connections indicated by arrows)
WAN transports shown: Data over Gigabit Ethernet (City of Tucson INET), 100/1000 Mbit Ethernet, 10 Mbit Ethernet, T1 Point to Point, T1 Frame Relay
![Page 7: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/7.jpg)
Wiring Closets, Before and After
![Page 8: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/8.jpg)
W32/Blaster Announced
• August 2003
• Blaster, Nachi, Welchia
• Blocked port 135, etc. at the edge
• Thought antivirus updates were in place
• No problems first day while others across the Internet are having major problems
• Day two an infected laptop plugs in
• Infection spreads quickly and network is shut down
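The slide's point is that blocking port 135 at the edge did nothing once an infected laptop was plugged in inside the unsegmented network. As an added example (not from the presentation), the detection below scans constructed flow records for the pattern Blaster left behind: one internal source reaching many distinct neighbours on TCP/135 within a few seconds. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records (not from the presentation): "<ISO time> <src> -> <dst>:<port>/<proto>".
# 10.20.5.17 acts like the infected laptop on the slide; 10.20.5.40 is an ordinary RPC client.
SAMPLE_FLOWS = """\
2003-08-12T09:00:00 10.20.5.40 -> 10.20.1.10:135/tcp
2003-08-12T09:00:02 10.20.5.40 -> 10.20.1.11:135/tcp
2003-08-12T09:00:05 10.20.5.17 -> 10.20.5.18:135/tcp
2003-08-12T09:00:05 10.20.5.17 -> 10.20.5.19:135/tcp
2003-08-12T09:00:06 10.20.5.17 -> 10.20.5.20:135/tcp
2003-08-12T09:00:06 10.20.5.17 -> 10.20.5.21:135/tcp
2003-08-12T09:00:07 10.20.5.17 -> 10.20.5.22:135/tcp
2003-08-12T09:00:07 10.20.5.17 -> 10.20.5.23:135/tcp
2003-08-12T09:00:08 10.20.5.17 -> 10.20.5.24:135/tcp
2003-08-12T09:00:08 10.20.5.17 -> 10.20.5.25:135/tcp
2003-08-12T09:00:09 10.20.5.17 -> 10.20.5.26:135/tcp
2003-08-12T09:00:30 10.20.5.40 -> 10.20.1.10:445/tcp
"""
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+)/(\w+)$")

def parse_flow(line):
    # Returns (time, src, dst, dport, proto), or None for a line that does not match.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, port, proto = m.groups()
    return datetime.fromisoformat(ts), src, dst, int(port), proto

def find_rpc_scanners(lines, port=135, window=timedelta(seconds=10), threshold=8):
    """Map src -> (first alert time, distinct targets) for sources that reach
    `threshold` distinct destinations on tcp/`port` inside any `window`."""
    recent = defaultdict(deque)  # src -> (time, dst) pairs, oldest first
    alerts = {}
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, dport, proto = rec
        if proto != "tcp" or dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop flows that fell out of the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold and src not in alerts:
            alerts[src] = (ts, distinct)
    return alerts
```

A real client talking RPC to a couple of domain controllers stays under the threshold; the sweeping host trips it on its eighth target, which is the moment to pull its port.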
![Page 9: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/9.jpg)
The Awakening
• All services stopped
• All IT meeting with the Chancellor at 6:00pm
• 35+ employees worked all night
• All core systems back online by 1:00pm the following day
• Some remote sites offline for 2-3 days
![Page 10: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/10.jpg)
What Did We Learn?
• Antivirus updates handled differently at every campus
• MS patches were way behind
• Firewalls & routers were underpowered and overtasked (new firewalls installed two months earlier)
• No way to control or secure campus links
• Network not segmented
• Poor communication between command center and staff
• No HVAC
• No keys
![Page 11: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/11.jpg)
Desktop Antivirus and Updates
• All computers centralized into two domains
• McAfee ePolicy Orchestrator
• WSUS for MS security updates
![Page 12: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/12.jpg)
Intrusion Detection?
• Demo of an Intrusion Detection System (IDS)
• Visited U of A
• Discovered an IDS needs constant babysitting
• Demo of an Intrusion Prevention System (IPS)
• No more staff on the horizon
• No central data security position or team
![Page 13: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/13.jpg)
Purchase an IPS
• Decision to purchase IPS
  – Updates
  – Threat Management Center
• Inline on Internet connection
• Inline to all WAN links
• “Wire Speed” packet inspection at gigabit speeds
(Slides 14–25: image-only slides, no text extracted)
![Page 26: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/26.jpg)
Firewall
• Needed more horsepower
• Needed firewall ports to support all WAN links
• Needed more DMZs
• Needed more advanced features
• Purchased new firewalls
  – 24 gig ports
  – Virtual firewalls
  – Redundant boxes for redundant links
  – Processor management
![Page 27: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/27.jpg)
Changes to Network
• Needed multiple DMZs to support a centralized server approach
• Created a Frame Relay T1 Failover Network
• Switch to gigabit
• Network segmentation
• Redundant Internet connection (BGP with City)
• Created public access network
• Wireless rides on public network
![Page 28: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/28.jpg)
Additional changes
• Established a disaster recovery site
  – Payroll and native Banner only
  – Redundant Internet link
• Re-architected college DNS/DHCP
  – From 10 distributed servers to 4 centralized
  – Chose an appliance solution
  – HA pair for internal, 1 at disaster recovery site, 1 for external DNS
![Page 29: April 11, 2006 2:45pm – 3:45pm Denver Ballroom 2](https://reader035.vdocuments.mx/reader035/viewer/2022062314/5681415f550346895dad3b37/html5/thumbnails/29.jpg)
Future
• Clean Access type things…
  – Patch, spyware and antivirus checking
  – Quarantine
  – Goal to provide students access and maintain security
• Portal, students in LDAP
• VoIP pilot and phased installation
• Wireless security
  – Wireless with U of A and City of Tucson
  – I-Net tie in