Questions Univ. of Maryland, Baltimore Cty www.umbc.edu

possibledisastrousSecurity

Dec 9, 2013 (3 years and 11 months ago)

93 views

Questions
Univ. of Maryland, Baltimore Cty
www.umbc.edu
Institution demographics
Students - 10800, Fac/staff
3000 Hosts 9000
Research Funding 85m.
I1 - 155m, I2- 155mb
Staffing
Network Engineers - 4
Security Staff - 2.5
Both groups report to Director of
Infrastructure
Border Security
Router ACL's transitioning to two
firewalls for I1 and I2 networks
(Cisco 6000 pix blades) for border
security.
Interior Network Security
multiple VLANS for each building:
Client, Server, umbc-only, one-card,
wireless, and building. Transitioning
to 2 interior firewalls for interior
protection per building/dept vlans.
Default for hosts will be client access
Wireless Security
None required. Transitioning to a
model where VPN usage will be
required to get off-campus
Host and Application Security
Access to server VLAN will require
acknowledement of host-based
security guidelines. We're pushing
host-based firewalls, especially for
Unix. Working toward requiring
encryption for email, login, ftp.
Central email virus checking, LAN
virus protection.
Top 3-5 security concerns
Security requirements associatd with
HIPAA and GBL require more formal
approach to risk management,
security planning. Disaster recovery
and contingency planning.
Other comments
Security working group meets
monthly with CIO on security. Close
working relationship between groups.
URL to security site
www.umbc.edu/oit/security
Univ. of Maryland, College Park
Notre Dame
www.umd.edu
www.nd.edu
Student 34,800
Faculty 12500
Hosts 32,000
Research funding > 200m
I1 - 155mb, I2 - 655
Students - 10,000 Faculty
- 4000 Hosts 10000
Research funding $100m I1-
, I2 -
Network Engineers 3
Security Staff 1.5
Policy Staff 1.5 All
report to CIO - close working
relationship
Network Engineers - 6
Security staff - 3
Security reports to CIO, network to
Director of Engineering
Router ACL's
Router ACL's block high risk ports,
Default access is open
Firewall on critical subnets, router
Acl's on some others, SNORT IDS on
internet links
Firewall on datacenter, router acl's on
some subnets, 8-sensor Snort IDS,
VLAN's 1per building.
VPN available, Veneer going in soon.
Wireless open, VPN required to
access some legacy
hosts/applications.
Sysadmin in Unix group coordinates
security with Security Manager.
Beginning deployment of central
email with Virus scanning. Using host
based firewalls on some machines
(Unix). Encryption encouraged.
Sysadmins work closely with security
staff. Host-based firewalls used where
possible, moving to replace telnet,
ftp, email with encrypted alternatives.
Moving to central email service with
virus scanning.
Access controls at gigabit rates
Patching hosts in a distributed
support environment. Keeping open
networks secure (resnet).
Campus awareness gap, lax user
practices. Adequate capacty for
IDS/Firewall. Policy formation and
adherence. Vendor products.
Strong top-level support, good
working relationships among groups.
itsecurity.umd.edu
www.nd.edu/~ndoit/virusalert
Univ. of Washington
www.washington.edu/
Students - 43000
Faculty/staff 23000
Hosts 60,000
Research Funding $800m
Multi-campus (3), medical center,
multi-hospital network
I1 and I2 use GigE
Network engineers ~ 15
Security staff -5
Network reports to Director of
Networks and Distributed Computing,
Security reports to Director of Univ.
Computing Policy dev done
jointly by Dirs.
Open network
Router ACL's on Resnet to disallow
services. Close proximity firewalls in
places, "Logical Firewalls" in several
departments (plans for campus-wide
Logical Firewalls doing NAT
for RFC 1918 addresses routed across
campus.)
None required now. Working on
prototype to require authentication
for access beyond UW. Customers
encouraged to use encryption.
Good working relationship among sys-
admins, networks, and security via
opt-in list. Some use of host-based
firewalls, especially in medical center.
Use of logical firewalls in many
departments or workgroups. Central
services use encryption, UW provides
a CD for installation.
Windows security { weak passwords,
nimda, code-red, sql-slammer}
denial of service attacks
The value of a firewall is proportional
to the number of machines behind it,
but the effectiveness of a firewall is
inversely proportional to the number
of machines (and disparate policy
requirements) behind it.
www.washington.edu/security
staff.washington.edu/dittrich