David LaPorte / Kevin Amorin Harvard University


  • Fences Make Good Neighbors
    Monitoring Academic Networks at the Port Level

    Educause Security Conference, April 4-5, 2005, Washington DC
    David LaPorte / Kevin Amorin, Harvard University
    Angelo Bravos, Judson College

  • Topics
    - Overview of the problems/needs
    - Solutions
    - Bradford CampusManager
    - PacketFence
    - Questions

  • Network (In)security
    - Perimeter security: firewalls, IDS, IPS, router ACLs
    - Hard on the outside, soft on the inside
    - Leads to complacency
    - 60-80% of attacks originate from systems on the internal network (behind the firewall)
    - VPN, wireless, dial-up: paths around the perimeter

  • Internal Network Protection/Control
    Internal network security funding in 2004: more than $80M ($13M Sept)

  • Academic Issues
    - Network environment: worms, botnets, DMCA, policy violations, NATs, p2p applications
    - Identity: who owns an infected/offending system?
    - Support: do you want to be manning the helpdesk on move-in day?

  • Academic NeedsAcademic IT departments need better monitoring and control of network clients and devices, and a way to better enforce usage policies and security.

  • Academic Needs - Clients
    - Dealing with hosts with no antivirus
    - Better client management for all users accessing the network (direct and wireless)
    - Better client management for dorms and open labs
    - Enforcing acceptable usage policy
    - Identifying roamers
    - Denying/restricting service to certain groups
    - Restricting certain applications: chat, p2p, gaming

  • Academic Needs - Network Management
    - Better management of different equipment: Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
    - Better Internet and intranet bandwidth management
    - Enable and disable ports
    - Port-based VLAN switching
    - Discover network devices and connectivity
    - Alarm and notify on network events
    - Multi-access point detection
    - DHCP application server management

  • Overview of Campus Manager

  • With Campus Manager the IT department can improve client management:
    - Force registration of all users accessing the network (direct and wireless)
    - Port-based registration
    - Improve the helpdesk interface
    - Enforce a usage policy such as Windows updates and anti-virus protection
    - Quarantine unregistered and non-compliant network users
    - Identify who is accessing the network and locate network users
    - Control chatting, gaming, and file sharing
    - Restrict/deny an individual user or groups of users
    - Enforce preferred VLAN switching and dynamic VLAN assignment
    - Audit trail of current and historical network access
    - Automate client/user management tasks

  • With Campus Manager the IT department can improve network management:
    - Multi-vendor: Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
    - Internet and intranet bandwidth management
    - Enable and disable ports
    - Port-based VLAN switching
    - Discover network devices and connectivity
    - Keep track of network wiring information
    - Monitor network health
    - Alarm and notify on network events
    - Multi-access point detection
    - DHCP application server management
    - Configure network devices
    - Audit trail of network events
    - Automate network management tasks

  • What is PacketFence
    - Open-source network registration and worm mitigation solution
    - Co-developed by Kevin Amorin and David LaPorte
    - GUI developed by Randy Heins, UIS NOC
    - Captive portal: intercepts HTTP sessions and forces the client to view content (similar to Bluesocket)
    - Based on unmodified open-source components

  • Features: Network registration
    - Register systems to an authenticated user: LDAP, RADIUS, POP, IMAP, anything Apache supports
    - Force AUP acceptance
    - Stores assorted system information: NetBIOS computer name and web browser user-agent string; presence of some NAT device
    - Stores no personal information: ID->MAC mapping only
    - The above data can provide a rough system inventory
    - Vulnerability scans: at registration, scheduled/ad hoc

  • Features: Worm mitigation
    - Behavioral and signature-based detection
    - Optional isolation of infected nodes (implemented but not deployed)
    - Self-remediation: empower users; provides remediation instructions specific to the infection
    - Network inoculation: preemptively detect and trap vulnerable hosts

  • Features: Remediation
    - Requires a signature-based detect
    - Provides user context-specific remediation instructions
    - Redirection to the captive portal: via proxy, or via firewall pass-through
    - Helpdesk support number if all else fails

  • Inline
    - Security bottleneck: immune to subversion, fail-closed
    - Performance bottleneck, single point of failure
    - May not be necessary/preferable in academia

  • Passive
    - Fail-open solution: preferable in an academic environment
    - No bandwidth bottlenecks
    - Network visibility via hub, monitor port or tap
    - Easy integration, no changes to infrastructure: plug and play (pray?)
    - Manipulates the client ARP cache: virtually in-line

  • ARP Manipulation
    Man In the Middle (MitM) ARP poisoning
    (diagram not recoverable from the extracted text; only the label "Host" survives)
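    The ARP trick that makes a passive enforcer "virtually in-line" is easy to state and worth seeing on the wire. The block below is an added example written for this page, not PacketFence code: it builds the unicast ARP reply that tells a client "the gateway IP is at the enforcer's MAC", the matching reply that restores the real gateway when the host is released, and a decoder to check the bytes. All MAC and IP addresses are constructed, and `send_frame` is a Linux raw-socket sender that needs CAP_NET_RAW and is not exercised offline.

```python
"""Build, parse and (optionally) send the ARP replies a passive enforcer uses
to insert itself between a host and its gateway.  Added example; all
addresses below are constructed."""
import socket
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply that claims 'sender_ip is-at sender_mac'.
    Sent unicast to target_mac so only that host's ARP cache is updated."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # Ethernet, IPv4, hlen 6, plen 4
    arp += mac_bytes(sender_mac) + socket.inet_aton(sender_ip)
    arp += mac_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + arp


def poison_frame(client_mac: str, client_ip: str, gateway_ip: str, enforcer_mac: str) -> bytes:
    """Make the client believe the gateway address lives at the enforcer's MAC, so its
    outbound traffic reaches the enforcer (which must forward it to the real router)."""
    return build_arp_reply(enforcer_mac, gateway_ip, client_mac, client_ip)


def restore_frame(client_mac: str, client_ip: str, gateway_ip: str, gateway_mac: str) -> bytes:
    """Undo the poisoning (on release or enforcer shutdown) by re-announcing the real gateway MAC.
    This is what keeps the passive design fail-open instead of black-holing the host."""
    return build_arp_reply(gateway_mac, gateway_ip, client_mac, client_ip)


def parse_arp(frame: bytes) -> dict:
    """Decode an Ethernet/ARP frame (used to check what we built; works on captured frames too)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    return {
        "op": op,
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


def send_frame(iface: str, frame: bytes) -> None:
    """Linux-only raw send (AF_PACKET); requires CAP_NET_RAW.  Not called offline."""
    with socket.socket(socket.AF_PACKET, socket.SOCK_RAW) as s:
        s.bind((iface, 0))
        s.send(frame)


if __name__ == "__main__":
    # Constructed addresses: client, gateway and enforcer on the same /24.
    frame = poison_frame("00:11:22:33:44:55", "10.0.0.50", "10.0.0.1", "aa:bb:cc:dd:ee:ff")
    print(len(frame), "bytes:", frame.hex())
    print(parse_arp(frame))
```

    Two operational points follow from the bytes. The client's ARP cache will time the bogus entry out, so the enforcer has to resend the poison frame every few seconds for as long as the host is held, and on shutdown it must send the restore frame or the host loses its gateway until the cache expires. And a host with a static ARP entry for the gateway simply ignores these replies, which is why the deck lists static IP/ARP detection under "Coming Soon".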

  • Detection (optional)
    - Traffic analysis: anomaly based, signature based, time based
    - Snort with a small signature set and portscan
    - Any signature and/or anomaly based detection tool can be used (glue will be necessary)
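    The deck leaves the anomaly/time-based side to Snort's portscan preprocessor. As an added example (not the project's code) of what that logic looks like when you write the "glue" yourself, the block below runs a sliding-window detector over flow records: a source that reaches many distinct hosts in a short window is a worm-style horizontal sweep, one that touches many ports on a single host is a vertical scan. The flow records, thresholds and window are constructed for the example.

```python
"""Behavioral (time-based) scan detection over flow records.  Added example;
all flows, addresses and thresholds below are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds
    src: str     # source address: the host we might have to isolate
    dst: str
    dport: int


def detect_scans(flows, window=10.0, host_threshold=20, port_threshold=15):
    """Flag a source that, within `window` seconds, reaches >= host_threshold distinct
    destinations (horizontal sweep, the worm pattern) or >= port_threshold distinct
    ports on one destination (vertical scan).  Each (src, kind) is reported once,
    with the timestamp at which the threshold was crossed."""
    alerts = []
    reported = set()
    recent = defaultdict(deque)            # src -> (ts, dst, dport), oldest first
    for f in sorted(flows, key=lambda x: x.ts):
        q = recent[f.src]
        q.append((f.ts, f.dst, f.dport))
        while q and q[0][0] < f.ts - window:   # slide the window forward
            q.popleft()
        hosts = {d for _, d, _ in q}
        ports_here = {p for _, d, p in q if d == f.dst}
        for kind, hit in (("horizontal", len(hosts) >= host_threshold),
                          ("vertical", len(ports_here) >= port_threshold)):
            if hit and (f.src, kind) not in reported:
                reported.add((f.src, kind))
                alerts.append({"src": f.src, "kind": kind, "ts": f.ts,
                               "hosts": len(hosts), "ports": len(ports_here)})
    return alerts


def sample_flows():
    """Constructed traffic: one sweeping host, one port-scanning host, one normal host."""
    flows = []
    for i in range(30):        # TCP/445 sweep of 30 neighbours in 3 s
        flows.append(Flow(100.0 + i * 0.1, "10.1.0.7", f"10.1.0.{100 + i}", 445))
    for i in range(20):        # 20 different ports on one server in 2 s
        flows.append(Flow(200.0 + i * 0.1, "10.1.0.9", "10.1.0.1", 20 + i))
    for i in range(30):        # ordinary browsing: 3 hosts, ports 80/443, one flow per second
        flows.append(Flow(300.0 + i * 1.0, "10.1.0.12", f"10.1.0.{200 + i % 3}", (80, 443)[i % 2]))
    return flows


if __name__ == "__main__":
    for alert in detect_scans(sample_flows()):
        print(alert)
```

    Thresholds are the whole game: a DNS server, a monitoring box or a mail relay legitimately talks to hundreds of hosts per window, so the glue that feeds this into the enforcer needs an exclusion list, and a scan paced slower than the window evades it entirely. That is why the deck pairs the behavioral side with a small signature set rather than relying on either alone.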

  • Implementations
    - All current deployments are passive mode
    - Several residential networks and 2 schools
    - ~7076 systems, ~3934 registrations, ~225 violations
    - Nachi / Sasser, Agobot, Gaobot, etc. / IRC bots

  • Coming Soon
    - Static IP/ARP detection
    - DHCP combat
    - Queue-based violation/registration
    - Independent components
    - Isolation mechanisms:
      - DHCP: change DHCP scope (reserved IP with enforcer gateway); change DNS server to resolve all names to the enforcer's IP
      - Switch port manipulation: change VLAN to isolation network; disable port
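    The DNS half of the DHCP isolation idea (hand the isolated host a DNS server that answers every name with the enforcer, so whatever site the user types lands on the captive portal) is small enough to show end to end. The block below is an added example, not PacketFence code: it parses a DNS query, answers any A question with the enforcer's address, and returns an empty NOERROR for other record types so a dual-stack host cannot route around the portal over AAAA. The query name, transaction ID and enforcer address are constructed.

```python
"""Catch-all DNS responder logic for an isolation network: every A query resolves
to the enforcer.  Added example; names and addresses below are constructed."""
import socket
import struct

QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1


def encode_qname(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(msg: bytes, offset: int):
    """Read an uncompressed name starting at offset; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compressed name in question section not supported")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """What a client resolver sends: header with RD set and one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, QCLASS_IN)


def catch_all_response(query: bytes, enforcer_ip: str, ttl: int = 5) -> bytes:
    """Answer any A/IN question with enforcer_ip; other types get NOERROR with no answer.
    The short TTL matters: the host's resolver cache outlives its time in isolation."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("expected a single-question query")
    _, end = decode_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    question = query[12:end + 4]
    answered = (qtype, qclass) == (QTYPE_A, QCLASS_IN)
    # Flags 0x8180: QR=1 (response), RD=1 echoed, RA=1, RCODE=0 (NOERROR).
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1 if answered else 0, 0, 0)
    if not answered:
        return header + question
    # Answer RR: name pointer to offset 12 (0xC00C), type A, class IN, TTL, rdlength 4, address.
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4) + socket.inet_aton(enforcer_ip)
    return header + question + rr


def parse_a_answer(resp: bytes):
    """Return (txid, queried name, answer IP or None) from a response built above."""
    txid, _, _, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    name, end = decode_qname(resp, 12)
    if ancount == 0:
        return txid, name, None
    ip = socket.inet_ntoa(resp[end + 4 + 12:end + 4 + 16])
    return txid, name, ip


if __name__ == "__main__":
    q = build_query("www.example.com")
    r = catch_all_response(q, "10.0.0.2")
    print(r.hex())
    print(parse_a_answer(r))
```

    This only redirects plain HTTP cleanly; an HTTPS site typed into the browser will reach the enforcer and fail the certificate check, so the portal still needs the proxy or firewall pass-through the Remediation slide mentions for those users. The same caveat as the ARP approach applies in reverse: the mechanism relies on the host honouring the DHCP-supplied resolver, which is exactly what the "Static IP/ARP detection" and "DHCP combat" items are about.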

  • In Closing: PacketFence
    - Open-source
    - Passive deployment: plug and play, no infrastructure changes needed
    - Proactive and reactive remediation
    - Extremely configurable

  • In Closing: Campus Manager
    - An all-in-one management solution
    - Provides managed network access to all clients
    - Manages and controls wireless network access
    - Enforces a campus-wide network usage policy
    - Reduces the time to: locate users, take action on network access violations, detect network problems, troubleshoot network problems, configure network devices
    - Delegates client management to network operators and helpdesk personnel
    - Vendor-independent solution
    - Passive management system on the network
    - Comprehensive integrations with vendor solutions
    - Reallocate IT staff from building management solutions to managing the network services