
Page 1: PowerPoint Presentation

Beyond CIPA Compliance - Planning a Truly Secure Network Infrastructure

CoSN, February 28, 2002, Session 4A

[email protected]

Reproduction of this material is permitted, with attribution, for non-commercial purposes. This presentation represents the professional opinion of the author. Verizon accepts no liability, expressed or implied, for the material contained herein.

Page 2: PowerPoint Presentation

Today’s Agenda

• What’s your SecurityQ?
• Why Network Security?
• What is Network Security?
• Where can Verizon help you?

Page 3: PowerPoint Presentation

Why should I care about Security?

• It’s important to ensure that Students & Staff experience a “safe” computing environment
• If you don’t comply with CIPA, YOU LOSE E-RATE DISCOUNTS, AND MUST REPAY ANY DISCOUNTS ALREADY RECEIVED
• Citizens care about security
  – Heightened by 9/11
  – Security breaches are widely & frequently reported
  – Many laws (other than CIPA) deal with security & privacy
  – Individuals have right of action under Tort

Page 4: PowerPoint Presentation

What is “CIPA Compliant”?

• Internet Safety Policy
• The Internet Safety Policy must address the following issues:
  – access by minors to inappropriate matter on the Internet and World Wide Web;
  – the safety and security of minors when using electronic mail, chat rooms, and other forms of direct electronic communications;
  – unauthorized access, including so-called "hacking," and other unlawful activities by minors online;
  – unauthorized disclosure, use, and dissemination of personal information regarding minors; and
  – measures designed to restrict minors' access to materials harmful to minors.

Page 5: PowerPoint Presentation

What is Security?

Page 6: PowerPoint Presentation

State of the Art Security

pre-Gunpowder!

Page 7: PowerPoint Presentation

What is Security?

• Classical definition:
  – Confidentiality
  – Integrity
  – Availability
• How privacy can be assured:
  – Administratively
  – Physically
  – Technically

Page 8: PowerPoint Presentation

Information Security Lifecycle

[Diagram: Information Security Lifecycle. Labels: Policy and Architecture (Risk Assessment, Security Policy); Solution Design and Selection (Security Design, Technology Selection); Technology Implementation (VPN, Encryption, Firewalls, Authentication, IDS); Security Assurance (Testing, Reporting, Monitoring, Training). Building Blocks: Business Applications and Services; Networks, Intranet, Internet, Remote Access; Hardware and Operating Systems. People, Process, Technology.]

Security is a process not a product...

Page 9: PowerPoint Presentation

What is Privacy?

• “The right to be left alone is the most comprehensive of rights...” US Supreme Court Justice Brandeis, 1928
• “You already have zero privacy. Get over it.” Scott McNealy, CEO Sun Microsystems, 1999
• Consumer attitudes - The Pew Internet & American Life Project, 2000
  – 86% favor opt-in privacy policies, requiring permission for use
  – 54% view web-site tracking of users as invasion of privacy
  – 54% have provided personal info. to use a web site
  – 48% have bought on-line using a credit card
  – 55% have sought medical info. on the web
  – 43% have sought financial info.
  – 27% will never divulge personal information on-line

Page 10: PowerPoint Presentation

Privacy versus Security

• Privacy is what you promise to do
• Security is about how you fulfil the promise
• Networks are how the authorized (and unauthorized) get access
• Therefore network security is of paramount importance

Page 11: PowerPoint Presentation

5 Principles of Fair Information Practices

• Openness
  – Existence and purpose of record-keeping systems must be publicly known.
• Individual Participation
  – Individual right to see records and assure quality of information.
• Security
  – Reasonable safeguards for confidentiality, integrity, and availability of information.
• Accountability
  – Violations result in reasonable penalties and mitigation.
• Limits on Collection, Use, and Disclosure
  – Information collected only with knowledge and consent of subject.
  – Information used only in ways relevant to the purpose for which the data was collected.
  – Information disclosed only with consent or legal authority.

Page 12: PowerPoint Presentation

Physical Security

• Card Access Systems
• Closed Circuit TV (CCTV)
• Fire Suppression Systems
• Alarm Systems
• Power Systems

Page 13: PowerPoint Presentation

Two-Factor Authentication

• 3 ways to authenticate a person:
  – What they know – Password
  – What they have – Token
  – Who they are – Biometrics

Page 14: PowerPoint Presentation

Biometrics

• Fingerprint / Palm Print
• Hand Geometry
• Iris Scanning
• Keyboard Dynamics
• Signature Characteristics
• Facial Recognition
• Voice Recognition

Page 15: PowerPoint Presentation

PKI / LDAP / X.500

• Digital Certificates & PKI (X.509 v3)
  – Digital document attesting to the binding of a public key to an individual or other entity.
  – Uses two encrypted soft keys: public & private keys
  – Needs a certificate authority (notary)
  – Strong authentication

Page 16: PowerPoint Presentation

RADIUS

Page 17: PowerPoint Presentation

More communications/network controls

• Firewalls for Internet (and other) connections
  – The DMZ concept
  – Importance of proper installation & maintenance
• Strong encryption & digital signature on “public network”
• Encryption on private networks (?)
• Regular virus checking
• Standardized client & server configurations
• Periodic census of network software & hardware
• Vulnerability assessment & intrusion detection

Page 18: PowerPoint Presentation

Firewalls & Intrusion Detection Systems

[Diagram; surviving label: Internet]

Page 19: PowerPoint Presentation

Encryption

• Encryption provides confidentiality
  – Symmetric (Secret) Key
  – Asymmetric (Public) Key
• VPNs provide a secure channel

[Diagram labels: VPN, VPN, Network, Network]

Page 20: PowerPoint Presentation

Areas of unusual concern

• E-mail & fax
• Telecommuting
• IT applications
• Logging & Audit trails
• Suspect activity & security incidents

Page 21: PowerPoint Presentation

IT Applications

• What enhanced security features will vendors provide?
• Interoperability in “best of breed” environment
• Audit trails & logs
• Access & authorization controls
• “Single sign-on”
  – Valuable protection, or
  – A more attractive target?

Page 22: PowerPoint Presentation

Suspect Activity & Incidents

• Suspect activity
  – Regular vulnerability assessments
  – Intrusion detection
  – Surveillance of traffic
• Incident response
  – Treat like crime!
  – Get forensic help - evidence gathering & protection
  – Change policy, procedure & technology as appropriate

• How incidents are identified

• Ensuring staff report incidents

• Knowing what is unauthorized

Page 23: PowerPoint Presentation

You Can be more Secure!

• Services for a Trusted Environment
  – Confidentiality
  – Integrity
  – Availability
  – Identification & Authentication
  – Authorization & Access Control
  – Non-repudiation
  – Forensics

Page 24: PowerPoint Presentation

Vulnerability Testing Services

• External Port Scan
• Vulnerability Scan of External Network
• Penetration Testing
• Phone Sweep

Page 25: PowerPoint Presentation

Security Assessment Services

• Comprehensive review of a client’s security

• Designed to assess and prioritize a client’s security risks and develop a comprehensive action plan

Page 26: PowerPoint Presentation

Technology Planning

3rd Party Best-of-Breed Solutions

• Firewalls

• Intrusion Detection

• Anti-Virus/Content Filtering

• Auditing

• Strong Authentication

• VPN

• PKI

• Physical Security

• Biometrics

Page 27: PowerPoint Presentation

Training Programs

• Security Awareness Program
• Technical Training
• Intelligence Programs

Page 28: PowerPoint Presentation

Thank you for your time, please contact your Verizon Account Manager for further information regarding solutions for your Security needs.