Copyright 2001 - Scott Conti Tools that Work… …At Umass-Amherst Scott F. Conti Network Operations Manager [email protected]

Copyright 2001 - Scott Conti

Tools that Work…

…At Umass-AmherstScott F. Conti

Network Operations [email protected]


UMASS-Amherst Network Vital Statistics

Class B network (umass.edu - 128.119)142 buildingsAll 42 Residential buildings networked8800 Residence hall connections (port-per-pillow)5500 Academic building connections900- Cisco 24 port Switches (1900 and 2900 series)5 Cisco 6509 core switches, 2 Cisco 5500 switches600 Off-campus dial-in modem lines(2) DS-3 (45mb/s) commodity Internet connectionsDS-3 - Internet2 connection


How do we find the port ?

Lookup IP address in DHCP server logsSearch switches for MAC address in switch CAM tablesLookup Jack activation record in Remedy database jacktrack database Netreg database (students)

Verify correct jack check Email logs if necessary


Remedy Jacktrack system

The Remedy AR (Action Request) system is used to manage all aspects of Jack activation for administrative jacks. Activates Switch ports immediately, or sends

request to Cable Engineering for crosswiring.

Support database lookups on any identifying fieldProvides real-time statistics on request processing.Allows movement of workflow through multiple departments.


Network Services Remedy Screen


Remedy Jacktrack Schema

# ./quickfind 128.119.123.198searching for haml-198.res.umass.edu. (128.119.123.198)Enet address for 128.119.123.198: 00:e0:98:02:4c:69Checking if haml-198.res.umass.edu. is operating....host IS operating.19XX, ignoring ports 25(AUI), 26(A), 27(B): 00:e0:98:02:4c:69 found on haml-sw-210-1, 21getting room number from OIT/NSS Jack Tracking 000000000013649...Building and Room: HAML 427===========================================================1 Building : HAML10 Switch Port : 212 Room Number : 4273 Jack Number : 4-1-214 Jack Letter : C5 Last Name : TUTHILL6 First Name : RICK7 Phone Number : 5-97268 UMAccess acct : tuthill9 Name : haml-sw-210-1===========================================================1 Building : HAML10 Switch Port : 132 Room Number : 4273 Jack Number : 4-1-214 Jack Letter : D5 Last Name : MISRA6 First Name : CHRISTOPHER7 Phone Number : 5-97218 UMAccess acct : crispy9 Name : haml-sw-210-4===========================================================

IP address : 128.119.123.198Enet address: 00:e0:98:02:4c:69Lease Starts: 1999/12/09 15:59:06;Lease Ends : 1999/12/14 15:59:06;Lease Client: "Mole";#


Netreg

Developed by Southwestern University http://www.southwestern.edu/ITS/netreg/

Works by issuing a temporary “non-routable” DHCP lease until the user registers the MAC address of the machine.Spoofs all DNS queries to registration server.Once registered, user can obtain a normal DHCP issued IP address.


Netreg - Subnet Overview


Netreg – Subnet Details


Netreg - Lease Information


Netreg – User Information


Systool

Systool is a web-front end that runs PERL scripts that parse the Cisco Log files.Router Tool – queries router logsDialup Tool – queries AS5800 Access-server dial-in logs.


Systool – Router Tool Query


Systool – Router Tool


Systool – Router Tool Top Ten


Honeypot systems

A Honeypot system is a deception tool that allows a cracker to attack a “vulnerable system”.

The system can be a “real” or a “virtual” machine. (Straight Linux or UML)

Intrusion Detection system sits nearby and logs hacking attempts.

At Umass – we move our Honeypot around to different subnets.

Check out - http://project.honeynet.org


Incident Database - Console


Incident Database – Query


Trend – Top Talkers


“The Packet of Shame”


Thank You !

Scott F. ContiUniversity of [email protected]


SANS ECN – Emergency Communications Network !

If you are an amateur radio operator and interested in participating in the SANS Emergency Communications Network project - please talk to me at the break or send me Email at:[email protected]

Documents

Copyright 2001 - Scott Conti Tools that Work… …At Umass-Amherst Scott F. Conti Network Operations Manager [email protected]