Salsa Bits: A few things that the analysts aren't talking about

Upload: acton

Post on 17-Mar-2016

Salsa Bits: A few things that the analysts aren't talking about...

December 2006

What analysts are saying is important (and we agree)

• Protecting sensitive data
  • Not just the enterprise data, but the researcher data

• Identity management
  • In higher-ed, there's a lot of business process and policy issues as well as technology

• Malware (viruses, worms, spyware, etc.)

• Distributed denial of service attacks

What analysts haven't started to talk about yet...

• The strategic importance of and expanding reliance on DNS

• The value of sector-based security operations and the REN-ISAC

• {Spam, DDOS, etc} and its impact on the infrastructure

• Evolving firewall management strategies to accommodate advanced applications

• Federated identity and leveraging it for access control

Domain Name System (DNS)

• DNS is the foundational service of the network; no service works without it.

• DNS itself needs better security
  • Vulnerable to several attacks and can be exploited for other attacks
  • Remedial steps (e.g. DNSSEC) face critical bootstrap and mass adoption value

• DNS as the basis for many security enhancements
  • Spam control mechanisms will leverage it
  • Federated security services depend on it
  • EDUCAUSE oversees .edu; chance for higher-ed to lead

Takeaway: Domain Name System (DNS)

• Make sure the campus DNS operations are adequately supported; check out www.dnsreport.com

• Campus DNS operations should plan to work with applications

• Make sure that you’re not part of the problem – filter outgoing spoofed traffic, don't operate open recursive servers, etc...

Sector-based security services

• Of the initial sector oriented security analysis centers, the best remaining one is the REN-ISAC

• New technical and advisory groups

• Today, offers early warning services gleaned from Abilene traffic, identification of botnets, interactions with DHS and vendors, exchanges with other cooperative security efforts

• Tomorrow, it could build better analytic tools, inter-realm security exchanges, and other community-based security services

Takeaway: Sector-based security

• Make sure your campus is plugged in:
  • To the REN-ISAC trust community – it is a vehicle for sharing real time security information
  • To the various lists that discuss sector security issues, e.g. the higher-ed mail admin list, the EDUCAUSE security list

• Understand that our distinctive requirements will require common security approaches

Attacks and their impacts on infrastructure

• IETF concerns at the amount of unwanted traffic…

• Chronic threats – e.g. spam, botnets, etc are dramatically up and more resistant to remedies

• Better tuned MS machines have significantly increased the DDOS potentials

• Stress the campus infrastructure – mail servers, spam filters, firewalls, etc.

Takeaway: Attacks and their impacts

• Harden the infrastructure

• High capacity networking links should include high capacity security mechanisms

• New retention laws, rise of spam, etc. may change the way we choose to communicate

Evolving perimeter defense strategies

• From the network perimeter to defense in depth

• The Starbucks effect

• The internal threats

• Push the protection perimeter as close to the edge as feasible

• Need to deal with optical bypass

• Need to be flexible for different requirements

• Credit card requirements can factor in

Evolving perimeter defense tradeoffs

• Understand that perimeter defense security tools often involve tradeoffs
  • VPN – security and opacity
  • NAT – isolation and loss of collaboration
  • Firewalls and performance

• Additional perimeters increase the complexity of problem diagnosis

Takeaway: Evolving perimeter defense

• Be prepared for changes to accommodate team science. Trust-mediated transparency will leverage identity management

• Be aware that fundamental network architecture discussions are examining clouds of gated communities vs. a network utility
  • Mean time to diagnose and support implications

• Monitor, audit, non-repudiation
  • moving beyond forensics to situational awareness and active management

Federated identity

• As touted, Identity Management is urgent and important

• Federated identity leverages institutional Identity Management in inter-institutional settings

• By itself federated identity can provide significant security value.
  • Enables flexible LOA's, improves privacy, etc.

• As a new layer of infrastructure, it can be leveraged to provide new security services
  • Improved guest access usability and accountability
  • Privilege management for virtual organizations

Takeaway: Federated Identity

• Make sure your campus is coming to grips with IdM
  • Business owners, data stewards, external constituency services (alumni, facilities management, etc), central IT
  • Understand the policies, the state transitions and their triggers, the privileges per state, etc
  • Check out the www.nmi-edit.org/ web site and CAMPS.

• Prepare for federation
  • Internal federations with medical schools, engineering colleges, etc.
  • Install federating software, e.g. Shibboleth
  • Identify policy issues and groups to work on them

• Understand the value of strategic use of two factor authentication
