Jamie Spitznagel, 4/8/15

Summary

James Spitznagel is JCU's network infrastructure & data security engineer. He is an "accomplished IT Security, Infrastructure and Networking professional, with extensive experience implementing technical solutions to exceed enterprise needs while mitigating risk". He will speak regarding his experience developing JCU's network and regarding modern-day threats he has encountered while doing so.

Discussion Outline

1. Introduction

2. What are we doing at JCU

3. How did we get here – network evolution since the 90s

a. 1996 ATM topology

b. 2001 Ethernet topology

i. Firewall addition

ii. Buildup for ERP

iii. Cisco PIX

c. 2003 DSC addition

i. Checkpoint Firewall

d. 2007

i. Cisco FWSM

e. 2010

i. Palo Alto Networks Firewall

f. 2012

i. Network evolution / segmentation

ii. BGP – Internet dual path / dual home

g. 2015

i. Where we are now

ii. Detail of network segmentation and topology

iii. Technologies currently in use

1. Google

2. Google Vault

3. Veeam and BakBone NetVault

4. Palo Alto Networks

a. Live walkthrough of PAN

b. Wildfire screenshots

c. Screenshots of traffic

5. Symantec Endpoint

6. Sophos Safeguard

7. Whatsup

8. PRTG

a. Live view of Internet Util

b. Live view of BGP metrics

c. Live view of Green Road Annex

h. Current Initiatives

i. 2015 Threats

i. Phishing

ii. IRS falsified refund scam

iii. Malware

iv. Cryptolocker

v. Android Malware

vi. Zero-Day

j. Zero-Day Mitigations

k. Compliance & Governance

l. Resources

Discussion

Information and the security thereof are two opposing forces, and a balance must be struck between them. Specifically, one must weigh the ease of access of information against securing it. This is especially relevant in a private college like JCU; losing student data is illegal and carries heavy repercussions.

Jamie Spitznagel himself is currently a Data Security Engineer. He's part of the Systems & Network Operations Group in ITS. He's worked for 21 years in IT, working with PCs, servers, software implementation, networking and security.

In 1993, he graduated with a Bachelor's in computer science at JCU. From 1994-1996, he worked at a consulting and software business, catering primarily to law firms, title agencies, and local businesses. He also worked at various retail & catalog companies until 1996, when he became a network engineer at JCU.

In 2008 he became a network infrastructure engineer, and in 2012 a data security engineer. In the '90s security was almost an afterthought, but his title and responsibilities changed over time: a network engineer is more often involved in relatively simple tasks such as switching or routing, while an 'infrastructure' engineer carries broader responsibility. Although outside forces and JCU's needs require him to focus on security, he is still entrenched in network architecture.

What is happening at JCU now?

Doing well with:

  • Perimeter/internet engineering & security.
  • Wired & wireless networks (core network infrastructure works well).
  • Network segmentation & security.
  • Systems monitoring.
  • Governance & compliance.
  • Disaster recovery/business continuity (room to grow here; there are plans to change).

Not doing so well with:

  • Digital forensic investigation & incident response.
  • Vulnerability assessment.
  • Penetration testing (ethical hacking to expose network vulnerabilities).
  • Related policy creation.
  • Security awareness education for staff & students.

JCU's Network Over the Years

1996:
ATM network, flat bridged, segmented off unless necessary
155 Mbps ATM full duplex core (no visibility into what was happening; connected traffic was easy to sniff, but there was no view past the ATM cloud)
100 Mbps ethernet server connectivity
10 Mbps ethernet endpoint
7.5 Mbps internet connection
40 Novell NetWare servers
MS Windows NT 4.0
DEC VAX "mainframe": ERP, academic platform (superminicomputer)
DEC VAX Process Software email platform
no firewall (not until '98)

Rudimentary DSL internet speed overall. Network servers were localized; there was no way to get traffic from across campus to other areas.

2001: All ATM gear was forklifted out and replaced with the following.
gigabit ethernet network, 256 Gbps (cheaper to implement, 6x speed increase)
1 Gbps ethernet full duplex core
100 Mbps & 1 Gbps server connectivity
10/100 Mbps endpoint
20 Mbps internet connection
NetApp Filers (emulates a Windows file server)
20 Microsoft Windows NT and Win2000 servers
AIX supporting Banner ERP
Mirapoint mail appliance (more complex than it seems)
Cisco PIX Firewall + P2P shaping technology

P2P needed attention due to bandwidth and cost issues. In 1998, hubs were replaced by edge switches, which connected to building switches, which were linked to one another by a 1 Gbps ethernet over fiber. This also linked to the core switch with integrated router, which was firewalled ('protection at the border').

2003:
gigabit ethernet network, 256 Gbps
1 Gbps ethernet full duplex core
1 Gbps server connectivity
10/100/1000 Mbps endpoint + Wi-Fi 802.11b, 200 APs (very faulty)
45 Mbps internet connection
NetApp Filers
25 Microsoft Windows NT and Win2000 servers
AIX supporting Banner ERP / modules
Mirapoint & Exchange email
Checkpoint Firewall including Cisco VPN + P2P shaping technology (VPN and P2P shaping didn't work very well, but the Checkpoint firewall was good)

Provisioned dialup lines still existed at this point, but they were eventually disposed of.

2007:
2nd iteration of gigabit ethernet network, 2 Tbps
1 Gbps ethernet full duplex core
1 Gbps server connectivity
10/100/1000 Mbps endpoint + Wi-Fi 802.11abg, 250 APs
200 Mbps internet connection, added provider
NetApp Filers, 2nd iteration
30 Microsoft Windows NT and Win2000 servers
AIX supporting Banner ERP / even more modules
Mirapoint & Exchange email
Cisco Firewall Services Module + P2P shaping (ramp-up in shutdown notices & DMCAs)

2010:
2nd iteration of gigabit ethernet network, 2 Tbps
10 Gbps ethernet full duplex core
1 & 10 Gbps server connectivity
10/100/1000 Mbps endpoint + Wi-Fi 802.11abg, 250 APs
300 Mbps internet connection, added provider (AT&T metro ethernet solution)
NetApp Filers, 3rd iteration
Explosion of Windows/Linux servers on VMware (VMware allows many servers to run on one physical host and compartmentalizes them, at the cost of additional memory; it also gives instantaneous copies of servers)
AIX supporting Banner ERP / even more modules
Mirapoint, Exchange & Gmail for students (not happy with Mirapoint anymore)
Palo Alto Networks firewall + VPN (extra visibility & security handling; virtually eliminated P2P traffic; traffic behavior, intrusion detection & prevention)

2012:
2nd iteration of gigabit ethernet network, 2 Tbps
10 Gbps ethernet full duplex core
1, 10 & 20 Gbps server connectivity
10/100/1000 Mbps endpoint + Wi-Fi 802.11n, 800 APs
500 Mbps internet connection, added disparate path
NetApp Filers, 3rd iteration
+80 Production Windows/Linux servers on VMware
AIX supporting Banner ERP / even more modules
100% Gmail
Palo Alto Networks firewall segmenting internal subnets

A solution was needed to give fault & path tolerance to the network. This solution consisted of the following:
A PA-5050 firewall connects to a small ethernet switch, which connects to a managed router, which in turn connects to another ethernet switch that reaches the OARnet provider. OneCommunity's router sits on the other path, behind a second managed router. The two paths share a virtual link between them, so internal traffic sees a single IP address, while the devices themselves have unique IPs on three different interfaces. Using two managed routers allows data to be retained if and when one router fails.

2015:
gigabit ethernet network, 3rd iteration, 11.4 Tbps
aggregated 10 Gbps ethernet full duplex core
1, 10 & 20 Gbps server connectivity
10/100/1000 Mbps endpoint + Wi-Fi 802.11n, 800 APs
800 Mbps internet connection
NetApp Filers, 3rd iteration (4th iteration soon, or a new solution)
+80 Production Windows/Linux servers on VMware
AIX supporting Banner ERP / even more modules (replacement TBD, cloud?)
100% Gmail
Palo Alto Networks firewall, further segmentation + Two Factor Authentication (Google Authenticator, phone message, etc.)

The secure wireless network supports 4,000 devices, and the guest wireless network 10,000. In a given 4 hour window, each network reaches 50% capacity.

JCU Perimeter Topology & Routing, April 2015

The Palo Alto firewall has become the center of the network, acting as both firewall and router. Each of the eight residence halls is individually segmented, as are financial transactions (primarily card readers on vending machines) and access control to residence hall doors. In addition, fifty VLANs and subnets exist on campus, half routed by the firewall and half by the central router.

Current Technologies

Google admin console
Google Vault (archive, email)
Veeam and BakBone NetVault (Veeam is the disk solution for the VM environment, BakBone for physical servers; antiquated, clumsy and takes a lot of space, but works; will change soon)

Palo Alto Networks (dashboard: risk factors found, system resources, data logs; monitor: current connections, where the large majority of traffic is denied; incoming threats, packet capture; 100+ policies handle traffic, and managing them is Jamie's job; SSL-encrypted malware cannot always be caught by the firewall, because inspecting it requires a security certificate issued by the firewall; security certificate errors on VMs are possibly caused by this)

WildFire: anything unknown to the Palo Alto firewall is sent to WildFire to run in a safe sandbox, which returns a detailed report including the file/URL

Symantec Endpoint Protection
Sophos SafeGuard enterprise encryption (for laptops JCU owns)
WhatsUp
Cisco Prime network control system (wired & wireless)
Fluke AirMagnet (wireless)
PRTG traffic monitor (internet utilization, BGP router metrics, Green Road Annex)

A display of return-from-spring-break traffic was shown from the PRTG traffic monitor; a huge amount of traffic is caused by students. Preparations are taken for expected large amounts of traffic, such as the Apple iOS 7 release, when more of the network was prepared than needed.

Current Initiatives

Formalizing policy.
Implementing security & event management (SIEM).
Vulnerability management, patch management (now manual, although there will be tools in the future).
Password strength! JCU password strength tester; two-factor authentication (something you have, a token, plus something you know, a password). Google Apps has this capability now; 90 accounts at JCU are enrolled out of 15,000.
File access auditing / PII scanning, etc.
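To make the "something you have" factor concrete, here is an added example (not code from the talk or from JCU) of the RFC 6238 TOTP scheme that Google Authenticator implements: a code generator plus a verifier that tolerates one step of clock skew. The secret is the RFC reference key "12345678901234567890", base32-encoded the way an authenticator app enrolls it; it is a constructed test value, not a real secret.

```python
import base64
import hmac
import struct
import time
from hashlib import sha1

# Constructed example secret: the RFC 6238 reference key, base32-encoded as an
# authenticator app expects at enrollment. Never reuse a published key in production.
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # Google Authenticator's default time step
DIGITS = 6          # Google Authenticator's default code length


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper(), casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F                                  # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of 30-second steps since the epoch."""
    return hotp(secret_b32, unix_time // step)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Accept the code for the current step and up to `window` steps either side.

    The window absorbs clock skew between phone and server; keep it small, since every
    extra step is another valid code. compare_digest avoids leaking digits via timing.
    """
    counter = unix_time // STEP_SECONDS
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(EXAMPLE_SECRET_B32, now)
    print("current code:", code, "verifies:", verify_totp(EXAMPLE_SECRET_B32, code, now))
```

The verifier also needs replay protection (reject a code already accepted in the same step), which is left out here to keep the example short.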

2015 Threats

Phishing (FedEx- and Dropbox-themed).
IRS falsified refund scam.
Malware: clickbait/rabbithole, bogus software such as 'Windows AV', etc.
Encrypted malware (which can bypass the Palo Alto firewall).
Executable images.
Cryptolocker malware.
Android malware.
Zero-day hacks.

Questions & Misc.

Jamie's responses to the questions from the virtual class before the discussion.

Jamie's presentation.

'How has the perception of hackers changed since you've begun your job?' There is more respect for hackers now; 58k people are certified through the SANS Institute. It's a growing field, especially in IT, despite bad hackers still existing.

'What sway do you have on the financial decisions of the university?' He's not one to decide. The people interested will price it out, but sometimes competitive bids are impossible. There is a capped budget for capital expenses, and engineers have to juggle priorities in regards to that budget. On a broader level, a CIO decision is made with input from the board of directors, sometimes including faculty input.

Legal issues: If JCU is found to be a reasonable cause of a student data breach, it may be sued. It is legally obligated to notify victims of breaches, phishing scams, etc., and is beholden to FERPA with respect to students.

Resume

Jamie Spitznagel's professional resume.