Network Security Roadmap February 15, 2010


Page 1: Network(Security(Roadmap( - Massachusetts Institute of …web.mit.edu/itgc/docs/ITGC Security Roadmap-old.pdf · 2011. 2. 17. · Increase rollout Phase 2 Initial tuning Phase 1 NETWORK

Network Security Roadmap

February 15, 2010


The IT Security landscape

[Word cloud: Malware, Data Breaches, Infoprotect, Encryption, WISP, Spyware, malicious code, keystroke logger, Global Threats, Stopit, cookies, Policy Awareness, botnets, Laws & Regulation, Law Enforcement Support, rootkit, FERPA, botnet, Forensics, DMCA Notifications, DDoS]

2/14/11   2  


Many Dimensions of IT Security

Policy

Strategy

Awareness

Preparation & Prevention

Detection & Reaction

Recovery & Restoration

Risk Management

MIT Policy
IS&T Policy

Change Management

IT Security & Risk Management Roadmap

User Experience standards
• WIN Domain
• Virtual Desktops
• Data Protection
• Privacy Protection

Enterprise Backup Services
Virtualization

Data Law/Regs Compliance
DMCA / HEOA Compliance

Identity Management
Accounts Management

Configuration Management
Authorizations Management

Web sites
Knowledge Base
Security-FYI newsletter
Education & Training
Infoprotect

Border Firewalls / IDS / IPS
WIN Domain / ePO

Event Logging
Network Traffic Analysis

Incident Response


Current Challenges

• IT Security approach today is reactive, one-off, labor intensive and lacking useful data

• Most incident detection re: MIT computers comes from 3rd parties

• We have sparse data on MITnet’s uses

• Computers are not adequately protected from attack – from both inside and outside

• Compromises reduce productivity, put sensitive data and IP at risk, and lead to legal, financial and reputational harm


Traditional View

The Public Internet is wonderful, we should do everything possible to ENABLE computers on MITnet to access anything and everything on the Public Internet, and vice versa, and to think of MIT and MITnet as if they were simply a subset of the Public Internet, particularly from a policy point of view.

[Diagram labels: The Public Internet; MITnet; ???; Service, Server or Data Resource; Personal or Work Computer]


Examples

• MIT does not comply with all provisions of MA Data Breach Law/Regulations, particularly in incident detection/response and forensics

• MIT complies with HEOA, but DMCA Notification volumes are soaring, so the measures used may not be enough, and we may need additional technological measures

• Isolating/protecting PCI computers (as well as other devices requiring VERY high protection) remains difficult.


Guiding Principles

• Provide for standards in a decentralized environment

• Academic freedom, privacy and choice

• Technically sound, providing high reliability

• Improve visibility of network needs and issues

• Granularity – no more “one size fits all”

• Protect intellectual property

• Comply with laws and regulations

• Safer computing experience

• Fiscally prudent


Future View

By providing a more managed connection at the border between MITnet and the Public Internet, we increase the visibility of – and our understanding of – the threats and risks that are present, and then how to protect MIT computers and work areas on a very granular level.

[Diagram labels: The Public Internet; MITnet; ???; Service, Server or Data Resource; Personal or Work Computer; IDS/Firewall/IPS; Protected Work Areas; Protected Admin Servers; Protected Computers]


What is the plan?

Managed User Experience

Network Access

Border Protection

• DLC managed domains
• IS&T managed domains
• Desktop Virtualization

• Intrusion Detection
• Intrusion Prevention
• Border Firewalls
• Remediation

• Authenticated Wireless & Wired Network Access

• Logging Policies


The Cisco SCE 8000 Series Service Control Engine delivers high-capacity application and session-based classification and control of application-level IP traffic per subscriber.

The Cisco ASA 5500 Series Adaptive Security Appliances deliver highly effective intrusion prevention capabilities using hardware-accelerated IPS modules.

Splunk collects, indexes and harnesses data generated by our applications and servers to troubleshoot problems and investigate security issues, helping avoid service degradation or outages. It can correlate and analyze complex events spanning multiple systems.

Adoption of the 802.1x standard for access to MITnet wireless, with default connections set to be secure, but offering choices for those who need them.

Continue support of an MIT-wide WIN domain for Windows computers; explore Casper for managing Macintosh computers in a similar way.

Move ahead with pilot projects for desktop virtualization in early-adopter, high-risk areas of the Institute.


NETWORK SECURITY MILESTONE TIMELINE CALENDAR YEAR 2011

Phase 1: Initial tuning
Phase 2: Increase rollout

Jan - Mar | Apr - Jul | Aug - Oct | Oct - Dec

Border Protection
• Purchase & install border protection equipment
• Implement detection & protection for select network segments
• Integrate alert detection and end-user notification
• Increase breadth of protection, targeting high-risk services
• Install intelligent log management
• Integrate alerts and log management
Technology Legend: Cisco ASA 5585, Cisco SCE 8000; Splunk, RT, Moira

Wireless
• Plan and communicate default secure wireless configuration
• Deploy default secure wireless configuration and guest wireless
Technology Legend: Secured wireless

Integrate remediation

Managed Domain
• Continue Windows Domain deployments
• Pilot virtual desktop with high-risk groups
Technology Legend: WIN domain, Virtual desktop