IT Security at the University of Wisconsin - Green Bay

David Kieper, Manager, Networks and Infrastructure Services
IT Security, [email protected]

University of Wisconsin – Green Bay
- Students: 4500 FTE, 5400 head count
- Faculty/Staff: 700
- Campus is 35 years old
- 750 acre campus on the Bay of Green Bay
- On campus housing for 2100 students
Background on Campus Infrastructure: Campus Network
- 2300 wired 10/100 Mbit ports
- Minimal wireless (supports both encrypted and open; Lucent/HP access points)
- Extreme BlackDiamond core switch
- Extreme Summit 5i and 3Com 4900sx gigabit aggregation switches
- 3Com 3300 and HP 2524 edge switches
- Checkpoint SVN-1 for firewall, network authentication, VPN, and bandwidth control
Background on Campus Infrastructure: Student Housing Network ("ResNet")
- 2100 students (one port per pillow)
- 10/100 megabit service
- 3Com 3300fx 100FX aggregators
- 3Com 3300 edge switches
- No client install (TCP/IP "dial tone" service)
- DHCP
- NAT to Internet
Overall Defenses (Desktop)
- Computing controls all campus workstations and does software refreshes and updates
- Ghost cloning for all core OS/software installs
- Windows XP mandatory policies to lock down desktops and block certain executables
- Windows Software Update Service (Win XP)
- Anti-virus software (NAI VirusScan/Virex)
- Workstation replacement plan ensures no workstation is more than four years old
- Accurate inventory
- Training for desktop environment developers
Overall Defenses (Network)
- Firewall (Checkpoint SVN-1) between campus/residence life/open networks and the Internet
- VLANs to separate/segregate traffic
- Access lists at core switch to separate housing network from campus network
- Access lists at core switch to stop known attack vectors
- Accurate network records
- Open access network use is authenticated via the firewall (LDAP)
- Training for network administrators
Overall Defenses (Server)
- Predominantly Windows 2003 (some 2000, one Linux)
- Security policies to lock down servers
- Kept up to date on patches
- Anti-virus software on all systems
- Firewall only allows specific protocols to/from the Internet
- Training for Windows server administrators
- eEye Retina for intrusion testing
Overall Defenses (Housing Network)
- Residence Life broken up into 38 VLANs
- Quarantine network for infected computers (new for 2004)
- NAT for Residence Life network
- Distribution lists for each of the 25 housing buildings
- Use Residence Assistants (RAs) for distribution
Overall Defenses (Other)
- McAfee anti-virus software subscription for faculty/staff/student personal computers
- Warning flyer and email to students/staff
- Keeping campus informed when outbreaks are occurring in the wild
- Policies
  - Acceptable Use
  - No servers (games or otherwise)
- Network General Distributed Sniffer
Detection Methods
- Firewall logs
  - Log all sessions to/from campus to the Internet
  - Look for large numbers of similar sessions (i.e., SMTP or RPC) from one address to many different Internet addresses
  - Attempts by residence life network users to address into reserved areas of the campus class B space
- Sniffer (high bandwidth users, ARPs to illegal addresses)
- Scan software (eEye, Microsoft)
- Server event logs for specific attack information
- McAfee ePolicy Orchestrator provides a central virus reporting database
- Network monitoring (OpenView, Servers Alive)
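The two firewall-log checks above, worked as an added Python example that is not from the presentation or the campus's tooling: one address opening SMTP or RPC sessions to many distinct Internet hosts, and housing hosts addressing reserved (unallocated) campus blocks. The log format, the address ranges and the fan-out threshold are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumed address layout (placeholders, not the real campus ranges):
HOUSING_NET = ipaddress.ip_network("10.0.0.0/16")          # ResNet behind NAT
CAMPUS_CLASS_B = ipaddress.ip_network("172.16.0.0/16")     # campus class B space
RESERVED_CAMPUS = [ipaddress.ip_network("172.16.250.0/24"),
                   ipaddress.ip_network("172.16.255.0/24")]  # unallocated blocks
WATCHED_PORTS = {25: "SMTP", 135: "RPC"}
FANOUT_THRESHOLD = 20   # distinct destinations from one source on one port

def parse_line(line):
    """Parse a constructed 'src dst proto dport' session record."""
    src, dst, proto, dport = line.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(dport)

def find_fanout(lines, threshold=FANOUT_THRESHOLD):
    """Sources that opened SMTP or RPC sessions to many distinct Internet hosts."""
    seen = defaultdict(set)
    for line in lines:
        src, dst, proto, dport = parse_line(line)
        if proto == "tcp" and dport in WATCHED_PORTS and dst not in CAMPUS_CLASS_B:
            seen[(src, dport)].add(dst)
    return {(str(src), WATCHED_PORTS[port]): len(dsts)
            for (src, port), dsts in seen.items() if len(dsts) >= threshold}

def find_reserved_probes(lines):
    """Housing hosts that addressed reserved (unallocated) campus blocks."""
    hits = set()
    for line in lines:
        src, dst, _, _ = parse_line(line)
        if src in HOUSING_NET and any(dst in net for net in RESERVED_CAMPUS):
            hits.add(str(src))
    return sorted(hits)

# Constructed sample: one ResNet host spraying SMTP, one probing reserved space
SAMPLE = (
    [f"10.0.7.42 198.51.100.{i} tcp 25" for i in range(1, 26)]   # 25 destinations
    + ["10.0.7.42 203.0.113.5 tcp 80", "10.0.3.9 203.0.113.9 tcp 25"]
    + [f"10.0.9.17 172.16.250.{i} tcp 135" for i in range(1, 6)]
    + ["172.16.4.8 172.16.250.2 tcp 135"]   # campus host, not housing: ignored
)

if __name__ == "__main__":
    print(find_fanout(SAMPLE))           # {('10.0.7.42', 'SMTP'): 25}
    print(find_reserved_probes(SAMPLE))  # ['10.0.9.17']
```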
Firewall Features
- No outside-initiated access to desktops for campus or housing networks
- Stateful packet inspection to track negotiated sessions (i.e., RPC)
- Only specific protocols to AND FROM each server
- Bandwidth limit on unknown sessions (100 kbits/second)
- Log all sessions (15 – 20 million/day)
Campus Network – The Damage (Aug, 2003)
- 100 out of 1500 workstations hit by Nachi
  - VirusScan not up to date
  - Not all recloned to Win 2K SP3
  - Network performance impaired (ARP traffic)
- Two sources
  - Laptops at home for the summer came back infected
  - Embedded PC system (solar monitoring kiosk with an opening through the firewall to a vendor whose own network became infected)
Campus Network - Enhancements
- Weekly wakeup
  - Wake on LAN on Sunday, 1 am
  - Apply Windows updates (SUS)
  - Shutdown at 6 am
- Periodic scanning for unpatched/infected systems
- More diligent on software updates, patching clone images, verifying patch status
- Review firewall to reduce holes to external providers
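The first step of the weekly wakeup, as an added Python example (the slides do not name the campus's own Wake-on-LAN tooling): build the magic packet for each workstation in an inventory and broadcast it from the Sunday 1 am job. The inventory MACs are constructed placeholders; the SUS update and 6 am shutdown run on the workstations themselves.

```python
import socket

def magic_packet(mac: str) -> bytes:
    """Wake-on-LAN magic packet: six 0xFF bytes, then the MAC repeated 16 times."""
    hexmac = mac.replace(":", "").replace("-", "")
    if len(hexmac) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return b"\xff" * 6 + bytes.fromhex(hexmac) * 16

def wake_all(macs, broadcast="255.255.255.255", port=9, send=None):
    """Send one magic packet per workstation and return the number sent.

    'send' may be injected (for example a list's append) to build the
    packets without touching the network.
    """
    if send is None:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        send = lambda pkt: sock.sendto(pkt, (broadcast, port))
    sent = 0
    for mac in macs:
        send(magic_packet(mac))
        sent += 1
    return sent

# Constructed inventory (placeholder MACs, not real campus hardware)
INVENTORY = ["00:11:22:33:44:55", "66-77-88-99-aa-bb"]

if __name__ == "__main__":
    # Scheduled for Sunday 1 am; each packet is 102 bytes on UDP/9
    print(wake_all(INVENTORY))
```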
Campus Network - Enhancements
- Anti-virus DAT updates checked for hourly by the ePolicy Orchestrator server
- Workstations/servers check for DAT updates every four hours from the ePolicy server
- Servers demand-scan when a new DAT is received (email or file servers)
- DAT updates can be pushed immediately by support staff
Campus Network – Future
- Investigate desktop firewall/intrusion prevention software for all clients (McAfee Enterprise 8.0i, 8/11/2004)
- More extensive use of VLANs to separate servers, faculty/staff, and lab computer networks
Housing Network – The Damage (Fall, 2004)
- 300 – 400 out of 1400 computers infected
  - Mostly Nachi and Lovesan worms
  - Many other trojan horses/backdoors also
- Network performance impaired
- Student workstation stability compromised
Housing Network – Ongoing Damage
- Reality:
  - New/rebuilt unprotected systems
  - New viruses/worms/trojans all the time
  - DAT updates are generally updated only daily or weekly
  - Many don't do Windows Update
  - Many don't have firewall software
- Result: some attacks get through and computers become infected
Housing Network – Efforts
- Block ping traffic at core switch
- Block port 135 traffic at firewall
- Block SMTP traffic at firewall
- Housing help desk for first two weeks after move-in
- Housing office has CDs with patches, anti-virus software, and scanning tools
- Residence Assistants have these CDs also (later addition)
- Residence Assistants went door to door
- Lots of emails to students
Housing Network – Efforts
- Ongoing monitoring
- Following up with emails to persons with infected computers: one week to clean up or get network service cut off. Give them links to Windows Update, anti-virus scanner, and anti-virus software
- Very little direct intervention
- About 75% are cleaned up after the first email, 95% by the third email. Three disconnects had to be done.
Housing Network – Fall, 2004
- More information before students move in
- Move infected computers to Quarantine VLAN and notify them
- More monitoring of logs/traffic during move-in period
- Allow access to fixes/patches electronically via the network
- Do not want to distribute fix/patch CDs to all students (patches are a moving target and CDs become obsolete quickly)
- Do not want to pre-scan computers
  - Parents/students want everything working within hours of move-in
  - Too many computers, too few staff and locations to do scanning
  - No way to guarantee all patches and anti-virus software stay up to date after initial scan
- Lots of communication (email, flyers)
Housing Network – Fall, 2004: Quarantine Network
- Only allow access to campus web server and web-based email servers
- Only allow Internet access to selected vendor sites
  - PC suppliers (Gateway, HP, IBM, Apple, etc.)
  - OS suppliers (Microsoft, Apple, etc.)
  - Anti-virus vendors (McAfee, Symantec, etc.)
  - Firewall vendors (BlackICE, Zone Labs, etc.)
- Make/force students to want to get their computer cleaned up!!
Housing Network - Future
- Considering over-the-network scans to identify vulnerable systems with email follow-up
- Commercial/shareware products to automate scanning and movement between housing and Quarantine VLANs
- Will wait to see how the 2004/2005 year goes before a decision is made
Campus IT Security – The Near Future
- Formal procedures for investigating potential violations of acceptable use policy have been developed
  - Academic freedom issues
  - Privacy issues
  - Legal issues
  - Human Resources/Union issues
- Warnings going out now
- Investigations will begin October 1, 2004
- Password security review