Vista Impact on Higher Ed Security
Cam Beasley, ISO
Craig Blaha, Manager of Special Projects
The University of Texas at Austin
Overview
Corporate vs. HE
ITS at UT, TAP program
Big picture – get in front of it
User account protection
Firewall
Bitlocker
Collaboration
Network access protocol
Command line
IPV6
Primary Customer - Corporate?
Vista great for homogenous, centrally managed environment
With 63k+ machines attached to the network, managed by individuals or various departments.
[Figure: organization chart with boxes for CIO, Security, Purchasing, Administrative Decisions, Operations, Application Programming, Network Management and User Support]
Corporate Hierarchy
[Figure: many copies of an organization chart with boxes for CIO, Security, Purchasing, Administrative Decisions, Operations, Application Programming, Network Management and User Support]
HE - The Explosion of Corp.
UT Technical Overview
Over 119 instances of Exchange
Utnet is one of the largest single networks in the country, supporting 1836 subnets and ~350 subdomains.
Every flavor of OS
16 academic departments, many administrative departments and independent entities, each with the capacity and freedom to make their own IT decisions
UT Overview
Founded in 1883
Flagship of the 15-campus University of Texas System, with 6 medical centers
51,000 students; 11,000 degrees/year
300,000 continuing ed enrollments
3,000 faculty, 18,000 staff
Over 450,000 alumni
TAP Program
Technology Adoption Program
Over 100 participants, 3 higher ed research institutes
2 beta tests, one with 25 machines, another with 100.
Commitment to deploy Vista widely after RTM
Hardware Requirements
Many systems on campus will not be able to support the RAM / CPU / graphics requirements of Vista. E.g., Aero, the new GUI, requires at least 128 MB of video RAM.
Need to upgrade RAM (512MB) to expose the new features
Benefit: More time to prepare and test
Issue: What is the tipping point?
User Account Protection
Limits the chances of an application installing or making changes silently
Issue: User account protection = pop-up fatigue?
Examples of when this is required… make fonts larger or smaller, control panel mouse, battery power, add or remove user accounts
Firewall
Easy to write and share rules with users
3 flavors - sane, paranoid and ultra-paranoid
Issue: May conflict with existing firewalls
Initial confusion (breaking apps?)
Potential for user misconfiguration
Bitlocker
Great potential - HIPAA, research data BPM, stolen laptops etc.
De-commissioning made easy
Issue (?)
Potential boat anchor creator - users can mistakenly kill all of their own data
When employee leaves, we can be locked out.
All managed machines compromised if AD is vulnerable
Check on state key escrow requirements
Collaboration
New P2P protocol – peer name resolution protocol (PNRP) – on by default in last build
Users and applications can communicate with each other
Find people near me
P2P happens, might as well be secure
Issue: Could be used in new botnet command & control scenarios.
NAP
Network access protocol – NAP if using Longhorn Server (replacement for other network access control devices?)
Complexity and Command Line
2500 GPOs added to registry
Adds to level of control
Adds to complexity
Command line driven
IP Stack
IPV6 on by default
Each interface has its own routing table
Can allow for transmission of sensitive data over secure channels only.
Ex.: Isolation between data going through a VPN interface vs. regular network interface
May decrease the chance of inadvertent routing of private network data over public network