David LaPorte / Kevin Amorin Harvard University


Presentation Transcript


  1. Fences Make Good Neighbors: Monitoring Academic Networks at the Port Level
     Educause Security Conference, April 4-5, 2005, Washington DC
     David LaPorte / Kevin Amorin, Harvard University
     Angelo Bravos, Judson College

  2. Topics
     • Overview of the problems/needs
     • Solutions
       • Bradford CampusManager
       • PacketFence
     • Questions

  3. Network (In)security
     • Perimeter security
       • Firewalls, IDS, IPS, router ACLs
       • “Hard on the outside, soft on the inside”
       • Leads to complacency
     • 60-80% of attacks originate from systems on the internal network (behind the firewall)
       • VPN
       • Wireless
       • Dial-up

  4. Internal Network Protection/Control
     • Internal network security funding, 2004
       • More than $80M ($13M Sept)

  5. Academic Issues
     • Network environment
       • Worms
       • Bot nets
       • DMCA
       • Policy violations
         • NATs
         • p2p applications
     • Identity
       • Who owns an infected/offending system?
     • Support
       • Do you want to be manning the helpdesk on move-in day?

  6. Academic Needs
     Academic IT departments need better monitoring and control of network clients and devices, and a way to better enforce usage policies and security.

  7. Academic Needs – Clients
     • Dealing with hosts that have no antivirus
     • Better client management for all users accessing the network (direct & wireless)
     • Better client management for dorms and open labs
     • Enforcing the acceptable usage policy
     • Identifying roamers
     • Denying/restricting service to certain groups
     • Restricting certain applications: chat, p2p, gaming

  8. Academic Needs – Network Management
     • Better management of different equipment: Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
     • Better Internet and intranet bandwidth management
     • Enable and disable ports
     • Port-based VLAN switching
     • Discover network devices and connectivity
     • Alarm and notify on network events
     • Multi-access point detection
     • DHCP application server management

  9. Overview of Campus Manager

  10. With Campus Manager the IT department can improve client management:
     • Force registration of all users accessing the network (direct & wireless): port-based registration
     • Improve the helpdesk interface
     • Enforce a usage policy such as Windows updates and anti-virus protection
     • Quarantine unregistered and non-compliant network users
     • Identify who is accessing the network and locate network users
     • Control chatting, gaming, and file sharing
     • Restrict/deny an individual user or groups of users
     • Enforce preferred VLAN switching and dynamic VLAN assignment
     • Keep an audit trail of current and historical network access
     • Automate client/user management tasks

  11. With Campus Manager the IT department can improve network management:
     • Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
     • Internet and intranet bandwidth management
     • Enable and disable ports
     • Port-based VLAN switching
     • Discover network devices and connectivity
     • Keep track of network wiring information
     • Monitor network health
     • Alarm and notify on network events
     • Multi-access point detection
     • DHCP application server management
     • Configure network devices
     • Audit trail of network events
     • Automate network management tasks

  12. What is PacketFence
     • Open-source network registration and worm mitigation solution
     • Co-developed by Kevin Amorin and David LaPorte
     • GUI developed by Randy Heins, UIS NOC
     • Captive portal
       • Intercepts HTTP sessions and forces the client to view content
       • Similar to Bluesocket
     • Based on unmodified open-source components

  13. Features
     • Network registration
       • Registers systems to an authenticated user
       • LDAP, RADIUS, POP, IMAP… anything Apache supports
       • Forces AUP acceptance
     • Stores assorted system information
       • NetBIOS computer name & web browser user-agent string
       • Presence of some NAT device
       • Stores no personal information: ID->MAC mapping only
       • The above data can provide a rough system inventory
     • Vulnerability scans
       • At registration
       • Scheduled/ad hoc
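As an added illustration (not PacketFence's own code), the registration record the slide describes: a MAC bound to an authenticated user ID, plus the NetBIOS name and browser user-agent strings seen from that MAC, from which a NAT device can be inferred. The OS-family markers and the "more than one OS family behind one MAC" heuristic are assumptions of this example, and the observations are constructed.

```python
# Added example of a PacketFence-style registration store, not project code. Assumes the
# MAC is the key, only ID/NetBIOS/user-agent are kept, and NAT = several OS families per MAC.
import re
from dataclasses import dataclass, field

# Coarse OS-family markers for user-agent strings (assumed, not exhaustive).
OS_MARKERS = {"Windows": r"Windows", "macOS": r"Mac OS X|Macintosh",
              "Linux": r"\bLinux\b|X11"}

def os_family(user_agent: str) -> str:
    """Map a browser user-agent string to a coarse OS family."""
    for name, pattern in OS_MARKERS.items():
        if re.search(pattern, user_agent):
            return name
    return "unknown"

@dataclass
class Node:
    mac: str
    user_id: str = ""             # ID -> MAC mapping only; empty = unregistered
    netbios_name: str = ""
    user_agents: set = field(default_factory=set)

    def nat_suspected(self) -> bool:
        """Two or more OS families answering from one MAC suggest a NAT device."""
        families = {os_family(ua) for ua in self.user_agents} - {"unknown"}
        return len(families) > 1

def observe(nodes: dict, mac: str, user_agent: str = "", netbios: str = "") -> Node:
    """Record what the captive portal sees from a MAC, registered or not."""
    node = nodes.setdefault(mac.lower(), Node(mac.lower()))
    if user_agent:
        node.user_agents.add(user_agent)
    node.netbios_name = netbios or node.netbios_name
    return node

def register(nodes: dict, mac: str, user_id: str) -> Node:
    """Bind a MAC to an authenticated user ID once the AUP is accepted."""
    node = observe(nodes, mac)
    node.user_id = user_id
    return node

def demo() -> dict:
    """Constructed observations, not data from any deployment."""
    nodes: dict = {}
    register(nodes, "00:11:22:33:44:55", "jdoe")
    observe(nodes, "00:11:22:33:44:55", "Mozilla/5.0 (Windows NT 5.1)", "JDOE-PC")
    observe(nodes, "00:11:22:33:44:55", "Mozilla/5.0 (Macintosh; Mac OS X 10.3)")
    observe(nodes, "AA:BB:CC:DD:EE:FF", "Mozilla/5.0 (X11; Linux i686)")
    return nodes
```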

  14. Features
     • Worm mitigation
       • Behavioral and signature-based detection
       • Optional isolation of infected nodes (implemented but not deployed)
     • Self-remediation
       • Empowers users
       • Provides remediation instructions specific to the infection
     • Network “inoculation”
       • Preemptively detect and trap vulnerable hosts

  15. Features
     • Remediation
       • Requires signature-based detection
       • Provides user context-specific remediation instructions
       • Redirection to the captive portal
         • via proxy
         • via firewall pass-through
       • Helpdesk support number if all else fails

  16. Inline
     • Security bottleneck
       • Immune to subversion
       • Fail-closed
     • Performance bottleneck
     • Single point of failure
     • May not be necessary/preferable in academia

  17. Passive
     • Fail-open solution
       • Preferable in an academic environment
     • No bandwidth bottlenecks
     • Network visibility
       • Hub, monitor port, tap
     • Easy integration – no changes to infrastructure
       • Plug and play (pray?)
     • Manipulates the client ARP cache
       • “Virtually” in-line

  18. ARP Manipulation
     • Man in the middle (MiM) ARP poisoning
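The ARP manipulation above is also what a network operator wants to be able to see and alert on, whether it comes from a sanctioned enforcer or from something else. As an added example (not PacketFence code), a passive monitor over constructed ARP-reply records that flags an IP whose MAC changes and a single MAC answering for several IPs; the fan-out threshold and the sample addresses are assumptions of this example.

```python
# Added example, not PacketFence code: a passive ARP-binding monitor that shows
# what the slide's ARP manipulation looks like on the wire and how an operator
# would alert on it. Input is constructed (sender IP, sender MAC) pairs as a
# sniffer on a hub/monitor port would deliver them from ARP replies.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed ARP replies for the demo, not captured traffic.
SAMPLE_REPLIES = [
    ("10.0.0.1", "00:00:0c:11:11:11"),    # gateway with its real MAC
    ("10.0.0.23", "00:1a:2b:3c:4d:5e"),   # an ordinary client
    ("10.0.0.1", "00:50:56:aa:aa:aa"),    # gateway IP now claimed by another MAC
    ("10.0.0.23", "00:50:56:aa:aa:aa"),   # same MAC also answers for the client
    ("10.0.0.47", "00:50:56:aa:aa:aa"),   # ...and for a third host
]


def monitor(replies, fanout_threshold: int = 2) -> List[Tuple]:
    """Return alerts for IP->MAC binding changes and for one MAC claiming many IPs.

    A single MAC answering for more than fanout_threshold IPs is the pattern a
    "virtually in-line" device (or a rogue MiM) leaves in ARP traffic.
    """
    bindings: Dict[str, str] = {}                   # ip -> last MAC seen for it
    claims: Dict[str, Set[str]] = defaultdict(set)  # mac -> IPs it has answered for
    alerts: List[Tuple] = []
    for ip, mac in replies:
        mac = mac.lower()
        previous = bindings.setdefault(ip, mac)
        if previous != mac:
            alerts.append(("binding_change", ip, previous, mac))
            bindings[ip] = mac          # follow the change; a flip back alerts again
        claims[mac].add(ip)
        if len(claims[mac]) == fanout_threshold + 1:   # alert once, when crossing
            alerts.append(("mac_fanout", mac, tuple(sorted(claims[mac]))))
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_REPLIES):
        print(*alert)
```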

  19. Detection (optional)
     • Traffic analysis
       • Anomaly based
       • Signature based
       • Time based
     • Snort with a small signature set & portscan
     • Any signature and/or anomaly based detection tool can be used (“glue” will be necessary)

  20. Implementations
     • All current deployments are in “passive” mode
     • Several residential networks and 2 schools
       • ~7076 systems
       • ~3934 registrations
       • ~225 violations
         • Nachi / Sasser, Agobot, Gaobot, etc. / IRC bots

  21. Coming Soon…
     • Static IP/ARP detection
     • DHCP combat
     • Queue-based violation/registration
     • Independent components
     • Isolation mechanisms
       • DHCP
         • Change DHCP scope (reserved IP with enforcer gateway)
         • Change DNS server to resolve all IPs to the enforcer
       • Switch port manipulation
         • Change VLAN to isolation network
         • Disable port

  22. In Closing – PacketFence
     • Open-source
     • Passive deployment
       • “Plug and play”: no infrastructure changes needed
     • Proactive and reactive remediation
     • Extremely configurable

  23. In Closing – Campus Manager
     • An all-in-one management solution
     • Provides managed network access to all clients
     • Manages and controls wireless network access
     • Enforces a campus-wide network usage policy
     • Reduces the time to
       - Locate users
       - Take action on network access violations
       - Detect network problems
       - Troubleshoot network problems
       - Configure network devices
     • Delegates client management to network operators and helpdesk personnel
     • Vendor-independent solution
     • Passive management system on the network
     • Comprehensive integrations with vendor solutions
     • Reallocates IT staff from building management solutions to managing the network services
