1. uw network security 2003
Terry Gray
University of Washington
Computing & Communications
17 October 2003
2. UW campus network (backbone)
[diagram: two border routers feeding the backbone switches, which feed ~30 level one routers]
subnets (733 total; 150 C&C); over 60,000 live devices
3. UW campus network (typical subnet)
[diagram: Level One Router, Aggregation Switch, Edge Switches]
campus subnets are a mixture of
shared 10Mbps
switched 10Mbps
switched 10/100Mbps
4. network facilities
5. typical core routers
6. campus network traffic
7. Pacific Northwest Gigapop
The PNW’s access point to next generation Internets, including Internet2, high performance USA Federal Networks, and high speed commodity Internet
A high speed peering point for regional and international networks
R&D testbed inviting national and international experimentation with advanced Internet-based applications
9. Pacific Northwest Gigapop
[diagram: two UW border routers connected to the Gigapop, which connects to 3 diverse network providers, Internet2, and national & international nets]
Internet2 2.5Gbps (10Gbps upgrade underway)
Three different 1Gbps connections to the Internet
Multiple gigabits of connections to other networks
30+ network customers
10. K20 Network Sites
K-12 (307)
Community/Technical College (73)
Public Baccalaureate (50)
Library (65 in process)
Independent Colleges (9 approved)
11. seven security axioms
Network security is maximized when we assume there is no such thing.
Large security perimeters mean large vulnerability zones.
Firewalls are such a good idea, every computer should have one. Seriously.
Remote access is fraught with peril, just like local access.
One person's security perimeter is another's broken network.
Isolation strategies are limited by how many PCs you want on your desk.
Network security is about psychology as much as technology. Bonus: never forget that computer ownership is not for the faint-hearted.
12. credo
focus first on the edge (perimeter protection paradox)
add defense in depth as needed
keep it manageable
provide for local policy choice...
avoid one-size-fits-all
13. gray’s defense-in-depth conjecture
MTTE (exploit) = k * N**2
MTTI (innovation) = k * N**2
MTTR (repair) = k * N**2
where N = number of layers