Living Next to the Anarchists

By Erick Engelke

Anarchists?

Anarchy is (various definitions) - lawlessness or disorder when there is a lack

of governance.- Some see it as a Utopia

What is the future?

Laptops now outsell desktops we must expect growth in unmanaged wireless

computing Laptops, CD-R/DVD-R’s, USB memory sticks

and MP3/memory devices breach our perimeter – becoming more popular

Hardware firewalls protect between zones, ineffective against the computer plugged in beside you.

Continuum of Security

None

Available – but optional

Encouraged / Accessible

Heavily Enforced

Always a risk that heavily enforced security will lead people to avoid our protections and return to no security.

Accessible Security?

Make technology simple to conceptualize though not necessarily understand

It becomes part of the culture Examples:

privacy of PIN numbers on Debit cards Security of SSL web sites

How to Encourage Security

Educate Reward

Remind Nag Embarrass Punish

Possible Education Points

1. Secure your computer Antivirus, Workstation Firewall, Updates, …

2. Secure your applications MyWaterloo, SSH, Secure IMAP, VPN

3. Secure yourself Best practices like strong secret passwords, avoiding probable malware

Users can conceptualize these points,

but will they act? How hard is this to do?

MinUWet Setting minimum standards

NAA detects OS at login screen highly vulnerable OS’s must endure a scan using

MinUWet Antivirus enabled and up-to-date? Freshen! OS getting patches? Push button to enable!

HTTP always allowed, download patches Pass test… get additional network access Other OS’s are not affected will still do existing security scans and SNORT

complementary solutions add more security

Some MinUWet Facts

Idea is similar to Cisco NAC and MS NAP MinUWet is compatible with all existing

hardware and safe with non-MS OSs. Local expertise, we can adapt it Cisco and MS solutions are stronger but

more difficult to run and inflexible MinUWet doesn’t have to be hack-proof, it

just has to be better than today’s mess! MinUWet - retired upon better options

Students Overusing Networks

Wireless, Villages, Libraries and Nexus labs Download DVDs – signature is typically a

multiple of 4 GB download per day Peer2Peer – traffic will grow to fill almost any

sized network pipe

Nexus Firewall w/TTTS

Some ExamplesWireless Villages Nexus

Authentication, Auditing/

Accoutning, Access Controls

NAA Port Locking Nexus

Bandwidth

Management

NAA

Toilet Tank Traffic Shaping

Other Nexus Firewall with Toilet Tank

Traffic Shaping

Vulnerability and

Malware Management

NAA firewall

MinUWet

Snort

Antivirus, Firewall

Snort

Antivirus, Firewall

Nexus Firewall

MinUWet-similar

Snort

Antivirus

User Data

Security

Future VPN Switched Network Switched Network

Typical Network Traffic Patterns

Toilet Tank Traffic Shaping

Start with a full reservoir of potential bandwidth

We keep adding more potential bandwidth, until the reservoir reaches maximum

Client can use bandwidth in big bursts or small constant trickle

You cannot keep flushing, the reservoir takes time to refill

Example

5 MB reservoir, 1 MB inflow rate user can download 5 MB every 5 minutes or can stream 1 MB/min (17 kB/s) limited to 1.4 GB/day

(1MB/min x 60 min x 24h) Most users unaware of any limits, but P2P

users get frustrated and give up. These rates imposed only for off-campus Faculty/Staff machines rarely rate limited.

Reading Mail Off Site

Options: Use secure protocols from own laptop

Eg. IMAPS Use MyWaterloo Email portal from any web

browser

But what if a keystroke grabber catches my password…

Kiosk Password Security

Abstain – don’t use kiosks Pray – use and hope they are safe Disposable single use passwords, all the

pleasure of Email access without the risk.

(Disposable passwords also could be used for NAA authentication, etc.)

Disposable Passwords

Disposable Password

Cryptographic hash, non-invertible Internet Standard: One Time Password Don’t need a dongle to buy and carry, just

use your Java phone, Blackberry or PDA. Free Relatively secure:

40,000,000,000,000,000,000 unique passwords for hackers to try.

Summary

We must learn to live with the threats and abuse around us

Good strategies reduce our risks and workload without hurting most users

Talk was focused on three new-ish technologies

Benefit of expertise is the ability to leverage existing infrastructure to solve new problems

Thank you