January 2006 Common Solutions Group 1

Network Based Security

Looking at the future of university networking…


January 2006 Common Solutions Group 2

CSG Network/Subnet Poll (1)

• Asked on
  – Ednog ([email protected])
  – Netguru (http://security.internet2.edu/docs/internet2-salsa-topics-advanced-network-management-200511.html)
  – Virtnet

• Heard from (in no particular order):
  – Berkeley, Columbia, UBuffalo, Stanford, UCLA, VT, Cornell, Yale, Duke, CMU, Northwestern, Colorado, UMich


January 2006 Common Solutions Group 3

CSG Network/Subnet Poll (2)

• Complicated technical issues
  – VLANs, VLANs, everywhere…

• History of subnetting for manageability
  – Smaller broadcast domains
  – Tracking addresses for abuse

• Future of subnetting for service differentiation
  – Traffic isolation for real and imagined safety
  – Differential firewall policy (users, services, multi-tier web services)
  – Pre-auth, 802.1X for VLAN assignment, quarantine subnets
  – Isolated subnets for customer firewalling
  – Infrastructure devices: no need for remote access
  – Address preservation, RFC 1918 (NAT-ed and not)
  – Networking ‘for-fee’


January 2006 Common Solutions Group 4

CSG Network/Subnet Poll (3)

• A few more issues
  – Spanning tree isn’t “a fun thing”
  – VLANs != subnets
  – Some campus trunks, mostly avoided
  – Need tools for VLAN management
  – Lots of ‘not-so-smart’ devices
  – Edge security is preferred, defense in depth is necessary
  – Need lots of tools, particularly with dynamics
  – Didn’t ask the VPN question…
  – Didn’t ask the lambda question…


January 2006 Common Solutions Group 5

Asking a little differently…

How many of you now, or in future, will:

• Offer more than one class of network connectivity?
• Require VPNs for remote access to many apps?
• Require network admission control (pre-access)?
  – For wired
  – For wireless
• Offer (or allow) subnet firewalls?
• Offer dedicated lambdas?


January 2006 Common Solutions Group 6

Stanford Governance Pressure

• University enterprise risk management

• Internal Audit & Info Security Officer

• External Audit of Systems

• Faculty Governance Committee

• Administrative Governance Committee


January 2006 Common Solutions Group 7

[Slide 7: picture only; image not available in the transcript]


January 2006 Common Solutions Group 8

Key UW-Madison Strategies

• Deploy a three-zone network with clear standards and policies for each zone

• Build relationships and understanding between central net-admins, department net-admins, and other campus interests

• Empower (training and tools) department net-admins to manage things that are important to them using a powerful set of web-based network monitoring and administration tools


January 2006 Common Solutions Group 9

AANTS: Authorized Agent Network Tool Suite

• Loosely-coupled set of web-based utilities for network administration

• Tools are team-developed in-house, optimized toward local networking practices, driven by user need

• About 244 trained network administrators across campus

• Allow users (campus LAN administrators and network engineers) to manage network devices, change device configurations, troubleshoot, inspect traffic data, coordinate with users, and perform other network management tasks