dark alleys part2
DESCRIPTION
Internet security tips for network administrators
TRANSCRIPT
Dark Alleys of the Internet
Part 2
ACE/NETC 2007, June 19, 2007
Albuquerque, NM
Do the Right Thing!
Attack Statistics
» AU Border Firewall
• Packets blocked by 1000s
» Intrusion Prevention System (blocking recommended attacks) (week of 5/28-6/02)
• 90,540 – blocked packets
• 25,147 – suspicious packets
• 3,893 – possibly successful
Passwords on a Sticky Note?
How to stop the sharing madness
Passwords
» No reason to share passwords because you can use:
• Shared files/folders
• Permissions settings
• Remote Desktop
• E-mail Proxy
• Web 2.0 products
Managing Passwords
» Trade-offs
• Different passwords for different systems
• Require passwords to change
» Password Managers
• Password Safe: http://passwordsafe.sourceforge.net
• Others: http://www.lifehack.org/articles/technology/10-free-ways-to-track-all-your-passwords.html
» Choosing a good passphrase
• “1wbiDCH” (I was born in Dale County Hospital)
http://www.aces.edu/extconnections/2006/10/
Network Protocols
Help protect users
Secure All Protocols
» Telnet -> SSH
» FTP -> SFTP
» SSL Certificates
• LDAP -> LDAPS
• HTTP -> HTTPS
» Require Secure Protocols for New Applications
Plain-text Protocols
Secure Protocol
SSL Certificates
» Recognized Certificate Authority – $$
» Pre-installed
• Verisign
• CyberTrust
• Thawte
» Self-signed Certificates – free
» Manual Install
• eXtension
• AU
VS
Root Certificates
» Internet Explorer
• Internet Options
• Content
• Certificates
Self-Signed Certificates
» Products
• Microsoft Certificate Authority
• Mac OS - Keychain
• Linux - OpenSSL
» Importing
• Active Directory
• Download
• Script
Secure Network Access
For the Road Warriors
Virtual Private Network
» VPN provides unlimited access to campus network
» Prevent eavesdropping
» Treat off-campus just like WiFi
• An insecure transmission medium
Public/Private WiFi
» Restrict open WiFi ports/protocols
» Encourage VPN
• Better encryption
• Unrestricted access
• Restrict OS announcements
• Gain benefit of University border firewall
• Restrict services to internal IPs
» Enable Security
• Prevent stealing bandwidth
• Add some security to insecure sites
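The policy these slides describe (block the plain-text protocols, keep Remote Desktop, file shares, printers and internal sites reachable only from campus or VPN addresses, default deny) can be expressed as a small rule check. The following is an added example, not from the original presentation; the address ranges, port-to-service mapping and sample log lines are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed campus ranges (assumptions). VPN clients land in 192.168.250.0/24,
# so they count as internal and gain the benefit of the border firewall rules.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.250.0/24"),   # assumed VPN address pool
]

# Services the slides keep internal-only (Remote Desktop, shares, printers, intranet).
INTERNAL_ONLY_PORTS = {3389: "rdp", 445: "smb", 631: "ipp", 8080: "intranet-http"}
# Plain-text protocols to retire in favour of SSH / SFTP / LDAPS.
PLAINTEXT_PORTS = {23: "telnet", 21: "ftp", 389: "ldap"}
# Encrypted services that may be offered to off-campus users.
PUBLIC_PORTS = {22: "ssh", 443: "https", 636: "ldaps"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def decide(pkt: Packet) -> str:
    """Return 'allow' or 'deny: <reason>' according to the slide policy."""
    if pkt.dst_port in PLAINTEXT_PORTS:
        return f"deny: plaintext {PLAINTEXT_PORTS[pkt.dst_port]} is not permitted; use the secure replacement"
    if pkt.dst_port in INTERNAL_ONLY_PORTS:
        if is_internal(pkt.src):
            return "allow"
        return f"deny: {INTERNAL_ONLY_PORTS[pkt.dst_port]} is internal-only; connect over VPN"
    if pkt.dst_port in PUBLIC_PORTS:
        return "allow"
    return "deny: port not in policy (default deny)"


def filter_log(lines):
    """Apply the policy to constructed 'src_ip dst_port' lines; return (line, verdict) pairs."""
    verdicts = []
    for line in lines:
        src, port = line.split()
        verdicts.append((line, decide(Packet(src, int(port)))))
    return verdicts


if __name__ == "__main__":
    SAMPLE = ["10.1.2.3 3389", "203.0.113.7 3389", "192.168.250.10 445",
              "198.51.100.9 443", "10.1.2.3 23", "203.0.113.7 9999"]  # constructed
    for line, verdict in filter_log(SAMPLE):
        print(f"{line:>20}  {verdict}")
```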
Remote Access
» Remote Desktop
» Shared space access
» Printer access
» Internal websites
Other References
» Bruce Schneier’s http://www.schneier.com
» SANS’ “@RISK: The Consensus Security Alert”
Thank You
Jonas Bowersock, Greg Parmer
“Until it goes missing, security is a boring obstacle to productivity in the minds of most.”
-Greg Parmer