Description: Fences Make Good Neighbors: Monitoring Academic Networks at the Port Level. Educause Security Conference, April 4-5, 2005, Washington DC. David LaPorte / Kevin Amorin, Harvard University; Angelo Bravos, Judson College. PowerPoint presentation.
Fences Make Good Neighbors: Monitoring Academic Networks at the Port Level
Educause Security Conference, April 4-5, 2005, Washington DC
David LaPorte / Kevin Amorin, Harvard University
Angelo Bravos, Judson College
Topics
- Overview of the problems/needs
- Solutions
- Bradford CampusManager
- PacketFence
- Questions
Network (In)security
- Perimeter security: firewalls, IDS, IPS, router ACLs
- Hard on the outside, soft on the inside
- Leads to complacency
- 60-80% of attacks originate from systems on the internal network (behind the firewall)
- VPN
- Wireless
- Dial-up
Internal Network Protection/Control
- Internal network security funding 2004: more than $80M ($13M in September)
Academic Issues
- Network environment: worms, bot nets, DMCA, policy violations, NATs, p2p applications
- Identity: who owns an infected/offending system?
- Support: do you want to be manning the helpdesk on move-in day?
Academic Needs
Academic IT departments need better monitoring and control of network clients and devices, and a way to better enforce usage policies and security.
Academic Needs - Clients
- Dealing with hosts with no antivirus
- Better client management for all users accessing the network (direct & wireless)
- Better client management for dorms and open labs
- Enforcing acceptable usage policy
- Identifying roamers
- Denying/restricting service to certain groups
- Restricting certain applications: chat, p2p, gaming
Academic Needs - Network management
- Better management of different equipment: Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
- Better Internet and intranet bandwidth management
- Enable and disable ports
- Port-based VLAN switching
- Discover network devices and connectivity
- Alarm and notify on network events
- Detection of multi-access points
- DHCP application server management
Overview of Campus Manager
With Campus Manager the IT department can improve client management:
- Force registration of all users accessing the network (direct & wireless)
- Port-based registration
- Improve the helpdesk interface
- Enforce a usage policy such as Windows updates and anti-virus protection
- Quarantine unregistered and non-compliant network users
- Identify who is accessing the network and locate network users
- Control chatting, gaming, and file sharing
- Restrict / deny an individual user or groups of users
- Enforce preferred VLAN switching and dynamic VLAN assignment
- Audit trail of current and historical network access
- Automate client / user management tasks

With Campus Manager the IT department can improve network management:
- Supported equipment: Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
- Internet and intranet bandwidth management
- Enable and disable ports
- Port-based VLAN switching
- Discover network devices and connectivity
- Keep track of network wiring information
- Monitor network health
- Alarm and notify on network events
- Multi-access point detection
- DHCP application server management
- Configure network devices
- Audit trail of network events
- Automate network management tasks
What is PacketFence
- Open-source network registration and worm mitigation solution
- Co-developed by Kevin Amorin and David LaPorte
- GUI developed by Randy Heins, UIS NOC
- Captive portal: intercepts HTTP sessions and forces the client to view content; similar to Bluesocket
- Based on unmodified open-source components
Features: Network registration
- Register systems to an authenticated user: LDAP, RADIUS, POP, IMAP, anything Apache supports
- Force AUP acceptance
- Stores assorted system information: NetBIOS computer name & web browser user-agent string; presence of some NAT device
- Stores no personal information: ID->MAC mapping only
- The above data can provide a rough system inventory
- Vulnerability scans: at registration, scheduled/ad hoc
Features: Worm mitigation
- Behavioral and signature-based detection
- Optional isolation of infected nodes (implemented but not deployed)
- Self-remediation: empower users; provides remediation instructions specific to the infection
- Network inoculation: preemptively detect and trap vulnerable hosts
Features: Remediation
- Requires signature-based detection
- Provides user context-specific remediation instructions
- Redirection to the captive portal: via proxy, via firewall pass-through
- Helpdesk support number if all else fails
Inline
- Security bottleneck: immune to subversion, fail-closed
- Performance bottleneck: single point of failure
- May not be necessary/preferable in academia
Passive
- Fail-open solution: preferable in an academic environment
- No bandwidth bottlenecks
- Network visibility: hub, monitor port, tap
- Easy integration, no changes to infrastructure: plug and play (pray?)
- Manipulates client ARP cache: virtually in-line
ARP Manipulation
- Man In the Middle (MiM) ARP poisoning
[Diagram omitted; only the label "Host" survives from the slide graphic]
Detection (optional)
- Traffic analysis: anomaly based, signature based, time based
- Snort with a small signature set & portscan
- Any signature and/or anomaly based detection tool can be used (glue will be necessary)
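The "glue" the slide refers to, between a signature-based detector and the remediation step on the earlier Features slides, looks roughly like this. This is an added illustration written for this page, not PacketFence code: it folds Snort-style fast-alert lines into one violation per offending MAC, attaching the per-signature remediation text the captive portal would show. The alert lines, SIDs (9000001..), registration table and remediation texts are all constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed Snort "fast" alert lines. The SIDs (9000001..) and rule messages
# are made-up placeholders for this example, not real Snort rule identifiers.
SAMPLE_ALERTS = """\
04/04-09:12:01.000001  [**] [1:9000001:1] WORM sasser probe [**] [Priority: 1] {TCP} 10.1.2.30:1122 -> 10.1.2.77:445
04/04-09:12:03.000002  [**] [1:9000002:1] IRC bot nick registration [**] [Priority: 2] {TCP} 10.1.2.31:40001 -> 192.0.2.9:6667
04/04-09:12:05.000003  [**] [1:9000001:1] WORM sasser probe [**] [Priority: 1] {TCP} 10.1.2.30:1123 -> 10.1.2.78:445
04/04-09:12:07.000004  [**] [1:9000003:1] portscan [**] [Priority: 3] {TCP} 10.1.2.99:5555 -> 10.1.2.1:22
"""
ALERT_RE = re.compile(r"\[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?) \[\*\*\].*?\{\w+\} "
                      r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")

# Constructed registration table: IP (as learned from the ARP table) -> (MAC,
# registered owner ID or None). Only an ID->MAC mapping is kept, no personal data.
NODES = {"10.1.2.30": ("00:11:22:33:44:30", "alice"),
         "10.1.2.31": ("00:11:22:33:44:31", "bob"),
         "10.1.2.99": ("00:11:22:33:44:99", None)}

# SID -> (violation class, remediation text shown on the captive portal).
# Only signatures listed here open a violation; anything else is logged only.
REMEDIATION = {
    "9000001": ("worm", "Run Windows Update and a full anti-virus scan, then re-register."),
    "9000002": ("bot", "Your system is talking to an IRC control channel; run a malware scan."),
}

@dataclass
class Violation:
    mac: str
    owner: Optional[str]
    vclass: str
    instructions: str
    alerts: list = field(default_factory=list)   # evidence lines, for the helpdesk

def glue(alert_text, nodes=NODES, remediation=REMEDIATION):
    """Fold Snort alerts into one Violation per offending MAC.
    Returns (violations keyed by MAC, alert lines that were not acted on)."""
    violations, ignored = {}, []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or m["sid"] not in remediation or m["src"] not in nodes:
            ignored.append(line)          # unknown signature or unknown host: review, don't trap
            continue
        mac, owner = nodes[m["src"]]
        vclass, text = remediation[m["sid"]]
        v = violations.setdefault(mac, Violation(mac, owner, vclass, text))
        v.alerts.append(m["msg"] + " -> " + m["dst"])
    return violations, ignored
```

A real deployment would persist the violations and let the ARP or DHCP enforcer redirect each listed MAC to the portal; the portscan line stays in `ignored` because no remediation text exists for it.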
Implementations
- All current deployments are passive mode
- Several residential networks and 2 schools
- ~7076 systems
- ~3934 registrations
- ~225 violations: Nachi / Sasser, Agobot, Gaobot, etc. / IRC bots
Coming Soon
- Static IP/ARP detection
- DHCP combat
- Queue-based violation/registration
- Independent components
- Isolation mechanisms:
  - DHCP: change DHCP scope (reserved IP with enforcer gateway); change DNS server to resolve all IPs to the Enforcer
  - Switch port manipulation: change VLAN to isolation network; disable port
In Closing: PacketFence
- Open-source
- Passive deployment: plug and play, no infrastructure changes needed
- Proactive and reactive remediation
- Extremely configurable
In Closing: Campus Manager
- An all-in-one management solution
- Provides managed network access to all clients
- Manages and controls wireless network access
- Enforces a campus-wide network usage policy
- Reduces the time to: locate users; take action on network access violations; detect network problems; troubleshoot network problems; configure network devices
- Delegates client management to network operators and helpdesk personnel
- Vendor independent solution
- Passive management system on the network
- Comprehensive integrations with vendor solutions
- Reallocate IT staff from building management solutions to managing the network services