17th April 2007

More on network security from Mike Pennell (part 2)


More of my notes from the Networking Security lunch and learn on 4/17/2007 in Tulsa, to be published later as an audio podcast. Primary presenter is Mike Pennell from NewNet66.

The five worst security mistakes end users make (according to the SANS institute)
1- failing to install anti-virus
2- opening unsolicited email attachments without verifying source and checking content first
3- failing to install security patches
4- not making and testing backups
5- not securing wireless network

Seven worst
1- failing to get a quality firewall and manage it
2- failing to keep maintenance contracts updated (router, firewall, core switch)
3- allowing “anyone” to have access to a student info server (remote and physical)
4- failing to update windows on a regular basis
5- failing to know where everything lives
6- failing to secure wireless
7- failing to be proactive about network security

The average home has around 4 doors and a dozen or so windows to protect. You protect yourself by locking doors and windows.

On every network device, there are 65,535 doors (ports) that can be open or closed for business
- school networks have 100s of devices and therefore many doors to protect

Doors (ports) you must open from Trust (inside) to Untrust (outside)
- http - 80
- https - 443
- email - 25, 220
- ftp - 21
- RDP: Microsoft terminal services - 3389
- Network Time - 123

While there are exceptions specific to your school, all other doors should be closed for business

Who has rights to visit your Student Information Server?
- should only be 164.58.234.200 / 255.255.255.255 tcp port 443
- WAVE implementation team also must be let in
- how many workstations do you think these people have told you to give access to your WAVE server?

Some schools are using Netscreen firewall policies and just open them for 2 week windows
- can also move them through a different port

Should the Internet be able to get to your WAVE server?
- no, stop that madness
- just allow SDE and WAVE to get there

Once those guys get into your WAVE server, where can they go from there?
- should your WAVE server
- student information server is the most holy grail you own
- you don’t want to compromise it: student info, identity theft, lawsuits, etc
- allowing your student info server to go out to the Internet is only needed for updates: you should turn that access on and off just as it is needed
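The default-deny policy the notes sketch above (only the listed ports open from Trust to Untrust, the student information server reachable only from 164.58.234.200/32 on tcp 443, and its own Internet access switched on only while updates are pulled) as an added, runnable model; this is example code written for these notes, not NewNet66's or any firewall vendor's. The SIS address, the Trust network range and the flows checked are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# "Doors" the notes say must be open from Trust (inside) to Untrust (outside).
# Port numbers are copied from the notes as given.
OUTBOUND_ALLOWED_TCP = {80, 443, 25, 220, 21, 3389}
OUTBOUND_ALLOWED_UDP = {123}  # Network Time

# The only source the notes allow to visit the student information server.
SIS_ALLOWED_SOURCES = [ipaddress.ip_network("164.58.234.200/32")]
SIS_ALLOWED_PORT = 443

# Assumed (hypothetical) addresses: the SIS itself and the Trust range.
SIS_ADDRESS = ipaddress.ip_address("10.1.2.3")
TRUST_NETWORK = ipaddress.ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

def decide(flow: Flow, sis_updates_enabled: bool = False) -> str:
    """Return 'allow' or 'deny' for a flow under a default-deny policy.
    sis_updates_enabled models the on/off switch for SIS Internet access."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    # Rule 1: anything aimed at the SIS is denied unless it is the listed
    # source on TCP/443 (the "most holy grail you own").
    if dst == SIS_ADDRESS:
        if (flow.proto == "tcp" and flow.dport == SIS_ALLOWED_PORT
                and any(src in net for net in SIS_ALLOWED_SOURCES)):
            return "allow"
        return "deny"
    # Rule 2: the SIS itself only leaves the network while updates are on,
    # and then only over the normal outbound doors.
    if src == SIS_ADDRESS and not sis_updates_enabled:
        return "deny"
    # Rule 3: Trust -> Untrust only on the listed ports; all other doors stay
    # closed for business.
    if src in TRUST_NETWORK and dst not in TRUST_NETWORK:
        allowed = OUTBOUND_ALLOWED_TCP if flow.proto == "tcp" else OUTBOUND_ALLOWED_UDP
        return "allow" if flow.dport in allowed else "deny"
    # Unsolicited inbound or anything not matched above: deny.
    return "deny"
```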

Free from Microsoft: WUS server (“Windows Update Server”)
- see the InfoWorld article: “Build your own Windows Update server”

Example of a firewall policy that allows the school users to do anything they want
- BAD idea

Lots of good networking help info on the NewNet66 website

Tidbits from this morning

Watching live spam coming through the network, worms, etc
- number of attacks goes up during the night, that is when the bad guys are most active

Mail server filtering can now happen in the first couple lines of the transmission, so the entire spam message is not downloaded to the server
- you should be looking at your mail server logs EVERY day

Let’s talk about content filtering
- There is an SDE listserv now, and there are lots of emails flying around now about proxies
- the numbers of proxy servers you need to block

If your content filter is worth its salt, they go by category (one category is proxy and webelizers)
- out of the 100s that were sent out, there were just 3 not on our list
- On proxy.com a kid downloads proxy software and installs it on their machine at home, and then uses it as their proxy
- how are you going to stop THAT?

the computer is not a babysitter; the teachers have to watch what is going on
- if you think your kids are not using proxies, think again: they are

These are issues of risk management
- a good content filter (like ours from 8E6) gets your risk down to manageable levels

shelterbelt by twotrees: has an interesting way to battle proxy servers
- they monitor everyone’s bandwidth and where they go
- they watch for ADSL connections
- when they see people going somewhere as a proxy

Jenks denies all access to all image search engines except Google, and requires strict Google image searching
- also used a cache engine, that changed every Google search to append the syntax for a strict filtered image search

Tipping point box emails a report to schools every morning, includes top 20 attacks

Bandwidth is going off the charts right now because video is now delivered over port 80 with Flash video
- everyone allows port 80, and the content people figured that out
- so some of those streams are worth 100K easy
- that can bring a T1 down quickly

But what if you can CONTROL that?
- in the Tippingpoint box you can do a rate limit
- problem: What about United Streaming
- also student testing
- BIG need to manage bandwidth

Example was “missed call” after an OU football game, everyone was looking at the video on port 80

IT OCCURS TO ME THAT LIBRARIES MAY NEED TO TURN OFF INTERNET ACCESS WHEN NO ADULT IS PRESENT IN THE LIBRARY

MY QUESTIONS
- GHOST ALTERNATIVES?
- DOCUMENTING USER ONLINE VIRTUAL BREADCRUMBS

Ghost for Linux (G4L) is a linux-based cloning solution that will work for Windows-based OS installs, FREE
- some districts are using this instead of Symantec Ghost
- evidently you can no longer purchase an unlimited client version of Ghost for an entire school district

Intermapper shows diagram view of entire network, with colors and icons shows percent utilization and segments that are down
- can buy a version for a few hundred dollars that will track 25 devices
- free version monitors 5 devices
- Spiceworks is a free one

Segmented networks
info on www.newnet66.org/NetworkStuff/networkstuff.html
- VLANs
- segmenting the network
- couple of reasons why you want to cut up the network
– a lot of really bad worms don’t cross a routing border
– broadcast domains also have caused lots of problem

Anyone have a subnet mask of 255.255.0.0 on your network? You shouldn’t! A lazy vendor generally sets that up. That gives 65K+ addresses
- 4 out of 10 school districts do now in Oklahoma
- if we change that to 255.255.255.0 that is worth just 253 possible boxes
- if you have a small subnet
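The subnet check from the notes (a 255.255.0.0 mask gives 65K+ addresses in one broadcast domain; 255.255.255.0 gives a couple hundred), turned into a small audit over a device inventory. This is an added example written for these notes, not a NewNet66 tool; the inventory entries are constructed. It counts 254 usable hosts for a /24 (network and broadcast excluded); the talk’s figure of 253 presumably also sets one address aside for the router, which is an assumption here.

```python
import ipaddress

# Largest subnet the talk considers acceptable: a /24 (255.255.255.0).
MAX_ACCEPTABLE_HOSTS = 254

def mask_to_prefix(mask: str) -> int:
    """Convert a dotted-decimal mask such as 255.255.0.0 to a prefix length."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen

def usable_hosts(mask: str) -> int:
    """Usable host addresses behind a mask, excluding the network and
    broadcast addresses (one fewer again if you reserve the router)."""
    prefix = mask_to_prefix(mask)
    return max(ipaddress.ip_network(f"0.0.0.0/{prefix}").num_addresses - 2, 0)

def audit_subnets(inventory):
    """inventory: list of (label, network, mask). Returns the entries whose
    broadcast domain is bigger than a /24, i.e. the 'lazy vendor' setup
    that lets worms and broadcast storms reach far more boxes than needed."""
    findings = []
    for label, network, mask in inventory:
        hosts = usable_hosts(mask)
        if hosts > MAX_ACCEPTABLE_HOSTS:
            findings.append((label, f"{network}/{mask_to_prefix(mask)}", hosts))
    return findings

# Constructed sample inventory (not from the talk).
SAMPLE_INVENTORY = [
    ("high-school", "10.1.0.0", "255.255.0.0"),      # the /16 the notes warn about
    ("elementary", "10.2.10.0", "255.255.255.0"),    # a /24, fine
    ("admin", "10.3.0.0", "255.255.254.0"),          # a /23, still too wide
]

if __name__ == "__main__":
    for label, net, hosts in audit_subnets(SAMPLE_INVENTORY):
        print(f"{label}: {net} exposes {hosts} hosts to one broadcast domain")
```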

route between buildings and segment the network

Wireless
- turn off SSID
- have 5 or 6 ways to authenticate: by MAC Address, by WPA, others
- Terry at Claremore uses MAC addressing, trying to control who comes on the network
- Uses WM100 from Extreme, can find rogue antennas and turn them off
- biggest threat: a laptop with the right mac address, now it becomes a valid access point
- that is where the WM100 comes in and finds those rogue APs
- people will drive by and jam your wireless network with an amplified signal: that hasn’t happened there yet
- are now using wireless on limited basis: for laptop cart

Have had some problems with Successmaker software on wireless because of its bandwidth consumption
- Wireless network is on its own VLAN, so if desired it could be given priority via QoS (quality of service)

You can’t afford to be down as a network anymore
- it is no longer just webpages and email
- phones and even intercoms are moving to the WAN
- you have to figure out ways to be more efficient

Big question: how do you handle laptops that leave the district?

Not running antivirus on workstations can offset the cost of a Tippingpoint box for a district

Oklahoma State Dept of education put a YouTube video up on their website
- that led to huge numbers of phone calls over content filtering
- the video was from the Rose Bowl parade


