dark alleys part2

Post on 26-Jun-2015


Internet security tips for network administrators


Dark Alleys of the Internet

Part 2

ACE/NETC 2007, June 19, 2007

Albuquerque, NM

Do the Right Thing!

Attack Statistics

» AU Border Firewall
  • Packets blocked by 1000s
» Intrusion Prevention System (blocking recommended attacks) (week of 5/28-6/02)
  • 90,540 – blocked packets
  • 25,147 – suspicious packets
  • 3,893 – possibly successful

Passwords on a Sticky Note?

How to stop the sharing madness

Passwords

» No reason to share passwords because you can use:
  • Shared files/folders
  • Permissions settings
  • Remote Desktop
  • E-mail Proxy
  • Web 2.0 products

Managing Passwords

» Trade-offs
  • Different passwords for different systems
  • Require passwords to change
» Password Managers
  • Password Safe: http://passwordsafe.sourceforge.net
  • Others: http://www.lifehack.org/articles/technology/10-free-ways-to-track-all-your-passwords.html
» Choosing a good passphrase
  • “1wbiDCH” (I was born in Dale County Hospital)
    http://www.aces.edu/extconnections/2006/10/

Network Protocols

Help protect users

Secure All Protocols

» Telnet -> SSH
» FTP -> SFTP
» SSL Certificates
  • LDAP -> LDAPS
  • HTTP -> HTTPS
» Require Secure Protocols for New Applications

Plain-text Protocols

Secure Protocol

SSL Certificates

» Recognized Certificate Authority - $$
» Pre-installed
  • Verisign
  • CyberTrust
  • Thawte

VS

» Self-signed Certificates – free
» Manual Install
  • eXtension
  • AU

Root Certificates

» Internet Explorer
  • Internet Options
  • Content
  • Certificates

Self-Signed Certificates

» Products
  • Microsoft Certificate Authority
  • Mac OS - Keychain
  • Linux - OpenSSL
» Importing
  • Active Directory
  • Download
  • Script

Secure Network Access

For the Road Warriors

Virtual Private Network

» VPN provides unlimited access to campus network
» Prevent eavesdropping
» Treat off-campus just like WiFi
  • An insecure transmission medium

Public/Private WiFi

» Restrict open WiFi ports/protocols
» Encourage VPN
  • Better encryption
  • Unrestricted access
  • Restrict OS announcements
  • Gain benefit of University border firewall
  • Restrict services to internal IPs
» Enable Security
  • Prevent stealing bandwidth
  • Add some security to insecure sites

Remote Access

» Remote Desktop
» Shared space access
» Printer access
» Internal websites

Other References

» Bruce Schneier’s http://www.schneier.com
» SANS’ “@RISK: The Consensus Security Alert”

Thank You

Jonas Bowersock, Greg Parmer

“Until it goes missing, security is a boring obstacle to productivity in the minds of most.”

-Greg Parmer
