Network Security Roadmap
February 15, 2010
The IT Security landscape
Terms from the slide: Malware, Data Breaches, Infoprotect, Encryption, WISP, Spyware, malicious code, keystroke logger, Global Threats, Stopit, cookies, Policy Awareness, botnets, Laws & Regulation, Law Enforcement Support, rootkit, FERPA, botnet, Forensics, DMCA Notifications, DDoS
2/14/11 2
Many Dimensions of IT Security
• Policy
• Strategy
• Awareness
• Preparation & Prevention
• Detection & Reaction
• Recovery & Restoration
• Risk Management
• MIT Policy / IS&T Policy
• Change Management
IT Security & Risk Management Roadmap
• User Experience standards
• WIN Domain
• Virtual Desktops
• Data Protection
• Privacy Protection
• Enterprise Backup Services
• Virtualization
• Data Law/Regs Compliance
• DMCA / HEOA Compliance
• Identity Management
• Accounts Management
• Configuration Management
• Authorizations Management
• Web sites
• Knowledge Base
• Security-FYI newsletter
• Education & Training
• Infoprotect
• Border Firewalls / IDS / IPS
• WIN Domain / ePO
• Event Logging
• Network Traffic Analysis
• Incident Response
Current Challenges
• IT Security approach today is reactive, one-off, labor intensive and lacking useful data
• Most incident detection regarding MIT computers comes from 3rd parties
• We have sparse data on MITnet's uses
• Computers are not adequately protected from attack, from both inside and outside
• Compromises reduce productivity, put sensitive data and IP at risk, and lead to legal, financial and reputational harm
Traditional View
The Public Internet is wonderful; we should do everything possible to ENABLE computers on MITnet to access anything and everything on the Public Internet, and vice versa, and to think of MIT and MITnet as if they were simply a subset of the Public Internet, particularly from a policy point of view.
[Diagram: The Public Internet connected directly (???) to MITnet, containing a Service, Server or Data Resource and a Personal or Work Computer]
Examples
• MIT does not comply with all provisions of the MA Data Breach Law/Regulations, particularly in incident detection/response and forensics
• MIT complies with HEOA, but DMCA Notification volumes are soaring, so the measures used may not be enough, and we may need additional technological measures
• Isolating/protecting PCI computers (as well as other devices requiring VERY high protection) remains difficult.
Guiding Principles
• Provide for standards in a decentralized environment
• Academic freedom, privacy and choice
• Technically sound, providing high reliability
• Improve visibility of network needs and issues
• Granularity: no more "one size fits all"
• Protect intellectual property
• Comply with laws and regulations
• Safer computing experience
• Fiscally prudent
Future View
By providing a more managed connection at the border between MITnet and the Public Internet, we increase the visibility of, and our understanding of, the threats and risks that are present, and then how to protect MIT computers and work areas on a very granular level.
[Diagram: The Public Internet connected to MITnet (???) through an IDS/Firewall/IPS at the border; inside MITnet: Service, Server or Data Resource; Personal or Work Computer; Protected Work Areas; Protected Admin Servers; Protected Computers]
What is the plan?
• Managed User Experience: DLC managed domains, IS&T managed domains, Desktop Virtualization
• Network Access: Authenticated Wireless & Wired Network Access
• Border Protection: Intrusion Detection, Intrusion Prevention, Border Firewalls, Remediation
• Logging Policies
NETWORK SECURITY MILESTONE TIMELINE, CALENDAR YEAR 2011
Columns: Jan - Mar, Apr - Jul, Aug - Oct, Oct - Dec. Phase 1: Initial tuning. Phase 2: Increase rollout.
Border Protection (Cisco ASA 5585, Cisco SCE 8000; Splunk, RT, Moira)
• Purchase & install border protection equipment
• Implement detection & protection for select network segments
• Integrate alert detection and end-user notification
• Increase breadth of protection, targeting high-risk services
• Install intelligent log management
• Integrate alerts and log management
Wireless (Secured wireless)
• Plan and communicate default secure wireless configuration
• Deploy default secure wireless configuration and guest wireless
• Integrate remediation
Managed Domain (WIN domain, Virtual desktop)
• Continue Windows Domain deployments
• Pilot virtual desktop with high-risk groups
Technology Legend
• The Cisco SCE 8000 Series Service Control Engine delivers high-capacity application and session-based classification and control of application-level IP traffic per subscriber.
• The Cisco ASA 5500 Series Adaptive Security Appliances deliver highly effective intrusion prevention capabilities using hardware-accelerated IPS modules.
• Splunk collects, indexes and harnesses data generated by our applications and servers to troubleshoot problems and investigate security issues, so as to avoid service degradation or outages; it correlates and analyzes complex events spanning multiple systems.
• Adoption of the 802.1x standard for access to MITnet wireless, with default connections set to be secure, but offering choices for those who need them.
• Continue support of an MIT-wide WIN domain for Windows computers; explore Casper for managing Macintosh computers in a similar way.
• Move ahead with pilot projects for desktop virtualization in early-adopter, high-risk areas of the Institute.
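The "Integrate alerts and log management" and "Integrate alert detection and end-user notification" milestones, together with the Splunk legend entry about correlating events across systems, describe one concrete workflow: take an IDS alert, find out from the network-access authentication logs which user had the alerting address at that moment, and route the result (notify the user, or hand it to an analyst when attribution is unknown). The Python below is an added illustration of that correlation step, not code from the roadmap or from Cisco, Splunk, RT or Moira; the alert and authentication log formats, the 12-hour binding window, and the three action labels are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (assumed formats, not real appliance output).
# IDS alerts: timestamp, severity, signature, src, dst.
IDS_ALERTS = """\
2011-09-12T10:15:02 high MALWARE-CNC beacon src=18.0.0.101 dst=203.0.113.7
2011-09-12T10:20:45 low SCAN port sweep src=18.0.0.103 dst=18.0.0.1
2011-09-12T10:31:10 high MALWARE-CNC beacon src=18.0.0.105 dst=203.0.113.7
"""
# 802.1x-style authentication events: timestamp, user, address bound, MAC.
# Note 18.0.0.101 was used by alice in the morning and re-bound to carol later.
AUTH_EVENTS = """\
2011-09-12T08:02:11 auth-ok user=alice ip=18.0.0.101 mac=00:11:22:33:44:01
2011-09-12T09:45:00 auth-ok user=bob ip=18.0.0.103 mac=00:11:22:33:44:02
2011-09-12T10:05:30 auth-ok user=carol ip=18.0.0.101 mac=00:11:22:33:44:03
"""

ALERT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.+?)\s+src=(\S+)\s+dst=(\S+)$")
AUTH_RE = re.compile(r"^(\S+)\s+auth-ok\s+user=(\S+)\s+ip=(\S+)\s+mac=(\S+)$")


def parse_alerts(text):
    """Parse IDS alert lines; lines that do not match the expected shape are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts, severity, signature, src, dst = m.groups()
        alerts.append({"ts": datetime.fromisoformat(ts), "severity": severity,
                       "signature": signature, "src": src, "dst": dst})
    return alerts


def parse_auth(text):
    """Parse successful authentication events into address-to-user bindings."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts, user, ip, mac = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip, "mac": mac})
    return events


def attribute(alert, auths, max_age=timedelta(hours=12)):
    """Return the most recent binding of alert['src'] made before the alert,
    or None when no binding is recent enough to trust (addresses get reused)."""
    best = None
    for a in auths:
        if a["ip"] != alert["src"] or a["ts"] > alert["ts"]:
            continue
        if alert["ts"] - a["ts"] > max_age:
            continue
        if best is None or a["ts"] > best["ts"]:
            best = a
    return best


def correlate(alerts, auths):
    """Join each alert to its user and decide how it should be routed."""
    results = []
    for alert in alerts:
        binding = attribute(alert, auths)
        user = binding["user"] if binding else None
        if alert["severity"] != "high":
            action = "log-only"            # keep for trend analysis, no ticket
        elif user is None:
            action = "queue-for-analyst"   # cannot notify: nobody is bound to the address
        else:
            action = "notify-user"         # open a ticket addressed to the user
        results.append({"signature": alert["signature"], "src": alert["src"],
                        "user": user, "mac": binding["mac"] if binding else None,
                        "severity": alert["severity"], "action": action})
    return results


def ticket_subject(rec):
    """Subject line for the notification ticket built from one correlated record."""
    who = rec["user"] or "unattributed host"
    return f"[{rec['severity']}] {rec['signature']} from {rec['src']} ({who})"


if __name__ == "__main__":
    for rec in correlate(parse_alerts(IDS_ALERTS), parse_auth(AUTH_EVENTS)):
        print(rec["action"], "|", ticket_subject(rec))
```

The point of the `max_age` window and the "most recent binding before the alert" rule is the edge case that makes naive IP-to-user lookups wrong: the first alert is attributed to carol, not alice, because the address was re-bound between their logins, and the third alert has no binding at all and is queued for a person rather than being sent to a guessed user.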