Living Next to the Anarchists
By Erick Engelke
Anarchists?
Anarchy is (various definitions): lawlessness or disorder when there is a lack of governance. Some see it as a Utopia.
What is the future?
Laptops now outsell desktops; we must expect growth in unmanaged wireless computing.
Laptops, CD-R/DVD-Rs, USB memory sticks and MP3/memory devices breach our perimeter, and they are becoming more popular.
Hardware firewalls protect between zones but are ineffective against the computer plugged in beside you.
Continuum of Security
None
Available – but optional
Encouraged / Accessible
Heavily Enforced
Always a risk that heavily enforced security will lead people to avoid our protections and return to no security.
Accessible Security?
Make technology simple to conceptualize, though not necessarily to understand.
It becomes part of the culture. Examples: privacy of PINs on debit cards; security of SSL web sites.
How to Encourage Security
Educate, Reward, Remind, Nag, Embarrass, Punish
Possible Education Points
1. Secure your computer: antivirus, workstation firewall, updates, …
2. Secure your applications: MyWaterloo, SSH, secure IMAP, VPN
3. Secure yourself: best practices like strong secret passwords, avoiding probable malware
Users can conceptualize these points, but will they act? How hard is this to do?
MinUWet: Setting minimum standards
NAA detects the OS at the login screen; highly vulnerable OSes must endure a scan using MinUWet.
Antivirus enabled and up-to-date? Freshen! OS getting patches? Push a button to enable!
HTTP is always allowed, so patches can be downloaded. Pass the test… get additional network access.
Other OSes are not affected; we will still do the existing security scans and Snort.
Complementary solutions add more security.
Some MinUWet Facts
The idea is similar to Cisco NAC and MS NAP.
MinUWet is compatible with all existing hardware and safe with non-MS OSes.
Local expertise: we can adapt it.
Cisco and MS solutions are stronger but more difficult to run and inflexible.
MinUWet doesn't have to be hack-proof, it just has to be better than today's mess!
MinUWet will be retired upon better options.
Students Overusing Networks
Wireless, Villages, Libraries and Nexus labs.
Downloading DVDs: the signature is typically a multiple of 4 GB downloaded per day.
Peer2Peer: traffic will grow to fill almost any sized network pipe.
Nexus Firewall w/TTTS
Some Examples (Wireless / Villages / Nexus)
Authentication, Auditing/Accounting, Access Controls:
  Wireless: NAA
  Villages: Port Locking
  Nexus: Nexus
Bandwidth Management:
  Wireless: NAA Toilet Tank Traffic Shaping
  Villages: Other
  Nexus: Nexus Firewall with Toilet Tank Traffic Shaping
Vulnerability and Malware Management:
  Wireless: NAA firewall, MinUWet, Snort, Antivirus, Firewall
  Villages: Snort, Antivirus, Firewall
  Nexus: Nexus Firewall, MinUWet-similar, Snort, Antivirus
User Data Security:
  Wireless: Future VPN
  Villages: Switched Network
  Nexus: Switched Network
Typical Network Traffic Patterns
Toilet Tank Traffic Shaping
Start with a full reservoir of potential bandwidth
We keep adding more potential bandwidth, until the reservoir reaches maximum
Client can use bandwidth in big bursts or small constant trickle
You cannot keep flushing, the reservoir takes time to refill
Example
5 MB reservoir, 1 MB/min inflow rate: a user can download 5 MB every 5 minutes, or can stream 1 MB/min (17 kB/s), limited to 1.4 GB/day (1 MB/min x 60 min x 24 h).
Most users are unaware of any limits, but P2P users get frustrated and give up.
These rates are imposed only for off-campus traffic; Faculty/Staff machines are rarely rate limited.
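To show the arithmetic behind the example, here is an added token-bucket model of the toilet tank with the talk's 5 MB reservoir and 1 MB/min inflow; it is illustration written for this page, not code from the talk or from the Nexus/NAA firewall, and the burst, streaming and greedy-client scenarios are constructed here.

```python
from fractions import Fraction

MB = 1_000_000          # bytes; the talk's 1.4 GB/day figure is 1 MB x 60 min x 24 h
DAY = 24 * 60 * 60      # seconds


class ToiletTank:
    """Token bucket in the talk's vocabulary: a reservoir of bandwidth that
    refills at a fixed inflow rate and is drained by what the client sends."""

    def __init__(self, capacity_bytes, inflow_bytes_per_min):
        self.capacity = Fraction(capacity_bytes)
        self.inflow = Fraction(inflow_bytes_per_min, 60)  # bytes per second
        self.level = self.capacity   # start with a full reservoir
        self.last = 0                # time of the last refill, in seconds

    def _refill(self, now):
        # Inflow is continuous, but the tank never holds more than its capacity.
        self.level = min(self.capacity, self.level + (now - self.last) * self.inflow)
        self.last = now

    def request(self, nbytes, now):
        """Admit nbytes at time `now` if the reservoir holds enough and drain it;
        otherwise reject (the shaper would drop or delay the traffic)."""
        self._refill(now)
        if nbytes > self.level:
            return False
        self.level -= nbytes
        return True


def bytes_admitted_per_day(chunk_bytes, interval_s):
    """Bytes a client receives in one day when it asks for chunk_bytes every
    interval_s seconds from the talk's 5 MB / 1 MB-per-minute tank."""
    tank = ToiletTank(5 * MB, 1 * MB)
    return sum(chunk_bytes for t in range(0, DAY, interval_s)
               if tank.request(chunk_bytes, t))


if __name__ == "__main__":
    tank = ToiletTank(5 * MB, 1 * MB)
    print(tank.request(5 * MB, now=0))    # one full 5 MB flush: True
    print(tank.request(1 * MB, now=0))    # tank is empty right after: False
    print(tank.request(5 * MB, now=300))  # refilled after 5 minutes: True
    # A 1 MB/min stream gets its full 1440 MB; a greedy P2P client asking for
    # 1 MB every second gets only the initial reservoir on top of that.
    print(bytes_admitted_per_day(1 * MB, 60) // MB, "MB/day streaming")
    print(bytes_admitted_per_day(1 * MB, 1) // MB, "MB/day greedy P2P")
```

The greedy client ends the day with 1444 MB against the stream's 1440 MB, which is why P2P users see no benefit from hammering the link.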
Reading Mail Off Site
Options: use secure protocols from your own laptop, e.g. IMAPS; or use the MyWaterloo Email portal from any web browser.
But what if a keystroke grabber catches my password…
Kiosk Password Security
Abstain: don't use kiosks. Pray: use them and hope they are safe. Disposable single-use passwords: all the pleasure of Email access without the risk.
(Disposable passwords could also be used for NAA authentication, etc.)
Disposable Passwords
Cryptographic hash, non-invertible. Internet Standard: One Time Password.
No dongle to buy and carry; just use your Java phone, Blackberry or PDA. Free.
Relatively secure: 40,000,000,000,000,000,000 unique passwords for hackers to try.
Summary
We must learn to live with the threats and abuse around us
Good strategies reduce our risks and workload without hurting most users
Talk was focused on three new-ish technologies
Benefit of expertise is the ability to leverage existing infrastructure to solve new problems
Thank you