© 2008 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.


Overview of the Network Security Project

Computer Security

Computer security continues to be an increasing problem on the Internet and at the university. Attempts by hackers to compromise university computer systems continue to increase and too many university computers require additional maintenance as a result of these attacks. The university is working to improve computer security across the grounds at a variety of levels including improving user awareness of security issues, promoting the use of anti-virus software and proper computer management, and providing an additional layer of security within the university network. This web site is focused on the additional security available in the university network. A collection of other security information is available on the ITC Security web site.

This section is designed to provide end-users with a brief introduction to our network security project and focuses on the More Secure network layer, how it works, the services that it provides, and the types of network services that are not supported. Our goal is to see the majority of user workstations moved to the More Secure network over the next couple of years. Other sections of this web site are designed for technical professionals who need a deeper understanding of the system before making decisions for their department.

Firewalls and the More Secure network

A firewall is a network security device designed to help protect your computer from hackers and other malicious people on the Internet. [Figure 1: generic firewall network] Figure 1 diagrams the typical use of a firewall. The Public side of the firewall is connected to the Internet or some other insecure public network. The Private side of the firewall connects to an organization's internal network. The firewall helps to protect the computers on the internal private network from all of the computers and unknown people on the public network and the Internet.

When your computer is moved to the "UVa More Secure Network", it is relocated to a more secure private network located behind a firewall. As shown in Figure 1, the firewall lets your computer make outbound connections through the firewall to services on the public network and the Internet, and it lets the replies to those connections come back to your computer. This is shown by the white lines in the figure. These outbound connections allow you to browse the web, read your email, and access other normal network services from your computer. While the firewall lets you make outbound connections, it blocks all attempts by remote computers to make inbound network connections to your computer. The blocked inbound connections are depicted by the red lines in Figure 1. Many of the ways that hackers attack and probe your computer for vulnerabilities rely on inbound connections to your computer; the firewall blocks these connections and protects your computer from this type of attack. Remember that there are many ways to attempt to break into a computer system. A firewall protects only against network-level attacks that originate from outside of the private network. A firewall does not help to protect against email viruses, malicious content your computer fetches over a connection it opened itself, or other attacks based on vulnerabilities in application software and operating systems. Note also that a firewall is a perimeter defense and does not help to protect against attacks from other computers on the private network.

Since the firewall simply adds a layer of security to protect against certain types of attacks, we have named the private network behind the firewall the More Secure network. The firewall does provide a significant level of extra protection for your computer but does not by itself solve the security problem. Strong security also requires user awareness, proper computer system software configuration and maintenance, and the use of encryption technology whenever possible for data that flows over the network.

Applications Supported on the More Secure network

The More Secure network was designed to be transparent to the average user. A large and growing list of network applications has been tested, and most end-users will not be able to tell whether their computer has been moved to the More Secure network or not. See the Tested Applications list for more information.

While most user applications work perfectly on the More Secure network, it is not possible to run servers that provide content to the general public from the More Secure network. Recall that the firewall blocks all attempts to establish inbound connections so people not on the More Secure network will not be able to access a Web server running on the More Secure network. Some end users run server software on their workstations. If the content on these servers needs to be accessed by the general public, the computer should not be moved to the More Secure network. A VPN solution is available so that users can access computers on the More Secure network from the standard UVa network and from the Internet. The VPN provides authenticated access to computers on the More Secure network and encrypts all data that flows over the network from your remote computer to the More Secure network. All university faculty and staff are eligible to use this VPN solution for remote access.

By blocking all inbound connections, the firewall does prevent some applications from working in their normal manner. For example, video and audio conferencing products such as Microsoft NetMeeting use inbound connections when placing a new audio or video call. If the call recipient is on the More Secure network and the calling party is on the standard network, NetMeeting will not be able to establish the connection because the firewall blocks it. This problem can be mitigated to some extent by using one of the MultiPoint Conference Units (MCU), since each party then places an outbound call to the MCU and no inbound connection to the More Secure network is needed. See the ITC videoconferencing web site for additional information. Some specialized conferencing and peer-to-peer software will not operate properly through the firewall. Users of these applications should either move all of their computers to the More Secure network or, if this is impractical, leave these systems on the standard university network.
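To make the Figure 1 policy concrete, here is a small stateful packet-filter model, added as an example and not UVa ITC's code or firewall configuration, that applies the rules described in the firewall section to the cases raised on this page: a workstation browsing the web, a public client trying to reach a web server running on the More Secure network, an incoming and an outgoing NetMeeting call, and two More Secure hosts talking to each other. The 10.0.0.0/8 range, the host addresses and the application ports are assumptions chosen for illustration, not UVa's addresses.

```python
"""Model of the Figure 1 firewall policy on the More Secure network.

Added example, not UVa ITC's code or configuration. The address ranges,
hosts and ports are assumptions. Policy: private hosts may open connections
to the public side, replies to those connections are let back in, and
connections initiated from the public side are dropped. Traffic between two
private hosts never reaches the perimeter firewall, so it is reported as
unseen rather than filtered.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address block of the private (More Secure) side of the firewall.
PRIVATE_NET = ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a new connection


def side_of(addr: str) -> str:
    """Which side of the firewall an address sits on."""
    return "private" if ip_address(addr) in PRIVATE_NET else "public"


class StatefulFirewall:
    """Allow outbound; allow replies to outbound; drop everything else."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()  # connections opened from inside

    def filter(self, pkt: Packet) -> str:
        src_side, dst_side = side_of(pkt.src), side_of(pkt.dst)
        if src_side == dst_side:
            # Same side of the perimeter: the firewall is not on the path at all.
            return "unseen"
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows or reverse in self.flows:
            return "allow"  # belongs to a connection a private host already opened
        if pkt.syn and src_side == "private":
            self.flows.add(forward)
            return "allow"  # new outbound connection: a white line in Figure 1
        return "drop"  # new inbound connection, or a packet matching no known flow: a red line


def run_scenarios() -> dict[str, str]:
    """Constructed traffic: a workstation on the More Secure network vs. the public side."""
    fw = StatefulFirewall()
    workstation = "10.1.2.3"        # assumed host on the More Secure network
    colleague = "10.1.2.4"          # another assumed host on the More Secure network
    web_server = "198.51.100.10"    # assumed public web server
    outside_host = "203.0.113.7"    # assumed host on the standard network or the Internet
    return {
        # Browsing the web: the request goes out, the reply comes back on the same 5-tuple.
        "browse request": fw.filter(Packet(workstation, 40000, web_server, 80, syn=True)),
        "browse reply": fw.filter(Packet(web_server, 80, workstation, 40000)),
        # A web server running on the workstation is unreachable from the public side.
        "public client to private web server": fw.filter(Packet(outside_host, 51000, workstation, 80, syn=True)),
        # An H.323/NetMeeting call placed to the workstation needs an inbound connection (call setup on TCP 1720).
        "incoming netmeeting call": fw.filter(Packet(outside_host, 52000, workstation, 1720, syn=True)),
        # The same kind of call placed from the workstation outward is an ordinary outbound connection.
        "outgoing netmeeting call": fw.filter(Packet(workstation, 52001, outside_host, 1720, syn=True)),
        # A reply-looking packet that matches no connection the workstation opened is a probe, not a reply.
        "spoofed reply to closed port": fw.filter(Packet(web_server, 80, workstation, 40001)),
        # Two private hosts talking to each other never cross the perimeter.
        "private to private": fw.filter(Packet(colleague, 50000, workstation, 445, syn=True)),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{verdict:7} {name}")
```

A real perimeter firewall makes the same decision with a connection-tracking table: a packet passes if it belongs to a flow a private host opened, and a new flow is accepted only when it starts on the private side. The last case shows the perimeter caveat from the firewall section: traffic between two More Secure hosts never reaches the firewall, so nothing here protects a workstation from a compromised neighbour on the same network.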