Fences Make Good Neighbors: Monitoring Academic Networks at the Port Level
Educause Security Conference, April 4-5, 2005, Washington DC
David LaPorte / Kevin Amorin, Harvard University
Angelo Bravos, Judson College
Topics
– Overview of the problems/needs
– Solutions
  • Bradford Campus Manager
  • PacketFence
– Questions
Network (In)security
– Perimeter security
  • Firewalls, IDS, IPS, router ACLs
  • “Hard on the outside, soft on the inside”
  • Leads to complacency
– 60-80% of attacks originate from systems on the internal network (behind the firewall)
  • VPN
  • Wireless
  • Dial-up
Internal Network Protection/Control
– Mirage Networks (ARP), qRadar (ARP), Wholepoint (ARP), RNA networks (ARP), Tipping Point (inline), etc.
– Cisco (NAC), Trend Micro (NAC), Symantec (NAC), Microsoft (NAP, Q2 2005), Juniper (TNC), Foundry Networks (TCC)
– Internal network security funding 2004: more than $80M ($13M Sept)
Academic Issues
– Network environment
  • Worms
  • Bot nets
  • DMCA
  • Policy violations: NATs, p2p applications
– Identity: who owns an infected/offending system?
– Support: do you want to be manning the helpdesk on move-in day?
Academic Needs
Academic IT departments need better monitoring and control of network clients and devices, and a way to better enforce usage policies and security.
Academic Needs – Clients
– Dealing with hosts with no antivirus
– Better client management for all users accessing the network (direct & wireless)
– Better client management for dorms and open labs
– Enforcing acceptable usage policy
– Identifying roamers
– Denying/restricting service to certain groups
– Restricting certain applications: chat, p2p, gaming
Academic Needs – Network management
– Better management of different equipment: Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
– Better Internet and intranet bandwidth management
– Enable and disable ports
– Port-based VLAN switching
– Discover network devices and connectivity
– Alarm and notify on network events
– Detection of multi-access points
– DHCP application server management
Overview of Campus Manager
With Campus Manager the IT department can improve client management:
– Force registration of all users accessing the network (direct & wireless)
– Port-based registration
– Improve the helpdesk interface
– Enforce a usage policy such as Windows updates and anti-virus protection
– Quarantine unregistered and non-compliant network users
– Identify who is accessing the network and locate network users
– Control chatting, gaming, and file sharing
– Restrict / deny an individual user or groups of users
– Enforce preferred VLAN switching and dynamic VLAN assignment
– Audit trail of current and historical network access
– Automate client / user management tasks
With Campus Manager the IT department can improve network management:
– Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
– Internet and intranet bandwidth management
– Enable and disable ports
– Port-based VLAN switching
– Discover network devices and connectivity
– Keep track of network wiring information
– Monitor network health
– Alarm and notify on network events
– Multi-access point detection
– DHCP application server management
– Configure network devices
– Audit trail of network events
– Automate network management tasks
What is PacketFence
– Open-source network registration and worm mitigation solution
  • Co-developed by Kevin Amorin and David LaPorte
  • GUI developed by Randy Heins, UIS NOC
– Captive portal
  • Intercepts HTTP sessions and forces client to view content
  • Similar to Bluesocket
– Based on un-modified open-source components
Features – Network registration
– Register systems to an authenticated user
  • LDAP, RADIUS, POP, IMAP… anything Apache supports
– Force AUP acceptance
– Stores assorted system information
  • NetBIOS computer name & web browser user-agent string
  • Presence of some NAT device
– Stores no personal information
  • ID->MAC mapping only
– Above data can provide a rough system inventory
– Vulnerability scans
  • at registration
  • scheduled/ad hoc
Features – Worm mitigation
– Behavioral and signature-based detection
– Optional isolation of infected nodes
  • Implemented but not deployed
– Self-remediation
  • Empower users
  • Provides remediation instruction specific to infection
– Network “inoculation”
  • Preemptively detect and trap vulnerable hosts
Features – Remediation
– Requires signature-based detection
– Provides user context-specific remediation instructions
– Redirection to the captive portal
  • via proxy
  • via firewall pass-through
– Helpdesk support number if all else fails
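The registration and remediation policy from the two slides above, worked through as an added Python example (this is not PacketFence's own code, and its Perl implementation is not reproduced here). It models a registry that keeps only the ID->MAC mapping plus the per-system data the slides list, and the decision the captive portal makes for each intercepted HTTP session: unregistered node goes to the registration page, node with an open violation goes to the remediation page for that violation, everything else passes. The portal URL, the violation class names, the remediation page paths and the user-agent-based NAT heuristic are assumptions made for the example.

```python
"""Captive-portal registration/remediation decision (added example, not
PacketFence code). Stores an authenticated user ID per MAC, never a name."""
import re
from typing import Optional

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
PORTAL = "https://portal.example.edu"          # placeholder portal URL

# Hypothetical remediation pages keyed by violation class (assumed names).
REMEDIATION = {
    "worm.nachi": PORTAL + "/remediate/nachi",
    "bot.irc": PORTAL + "/remediate/ircbot",
}


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55 or 00:11:22:33:44:55, reject anything else."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError("bad MAC address: %r" % mac)
    return mac


class Registry:
    """MAC -> {owner ID, NetBIOS name, user-agent strings, open violations}."""

    def __init__(self) -> None:
        self.nodes = {}

    def _node(self, mac: str) -> Optional[dict]:
        return self.nodes.get(normalize_mac(mac))

    def register(self, mac: str, owner_id: str, accepted_aup: bool,
                 netbios_name: Optional[str] = None,
                 user_agent: Optional[str] = None) -> dict:
        """Bind a system to an authenticated user; AUP acceptance is forced."""
        mac = normalize_mac(mac)
        if not accepted_aup:
            raise ValueError("registration requires AUP acceptance")
        node = self.nodes.setdefault(
            mac, {"owner": None, "netbios": None, "agents": set(), "violations": []})
        node["owner"] = owner_id          # ID only, no personal information
        node["netbios"] = netbios_name
        if user_agent:
            node["agents"].add(user_agent)
        return node

    def observe(self, mac: str, user_agent: Optional[str]) -> None:
        """Record another browser user-agent seen from this MAC."""
        node = self._node(mac)
        if node is not None and user_agent:
            node["agents"].add(user_agent)

    def suspected_nat(self, mac: str, threshold: int = 3) -> bool:
        """Assumed heuristic (not PacketFence's method): several distinct
        user-agent strings behind one MAC suggests a NAT device."""
        node = self._node(mac)
        return node is not None and len(node["agents"]) >= threshold

    def open_violation(self, mac: str, vclass: str) -> None:
        self.nodes[normalize_mac(mac)]["violations"].append(vclass)

    def close_violation(self, mac: str, vclass: str) -> None:
        self.nodes[normalize_mac(mac)]["violations"].remove(vclass)

    def decide(self, mac: str):
        """What the portal does with an intercepted HTTP session from `mac`:
        ("register", url), ("remediate", url) or ("allow", None)."""
        node = self._node(mac)
        if node is None or node["owner"] is None:
            return ("register", PORTAL + "/register")
        if node["violations"]:
            first = node["violations"][0]
            return ("remediate", REMEDIATION.get(first, PORTAL + "/remediate/generic"))
        return ("allow", None)


if __name__ == "__main__":
    reg = Registry()
    mac = "00-11-22-33-44-55"                 # constructed sample MAC
    print(reg.decide(mac))                    # unregistered -> register page
    reg.register(mac, "u12345", True, netbios_name="LAB-PC-7",
                 user_agent="Mozilla/5.0 (Windows NT 5.1)")
    reg.open_violation(mac, "worm.nachi")
    print(reg.decide(mac))                    # infected -> Nachi remediation page
```

A real deployment would look the MAC up from the ARP table or DHCP lease for the intercepted session's source IP before calling `decide`; the proxy and firewall pass-through variants on the slide differ only in how the session reaches this function.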
Inline
– Security bottleneck: immune to subversion
– Fail-closed
– Performance bottleneck
– Single point of failure
– May not be necessary/preferable in academia
Passive
– Fail-open solution
  • Preferable in academic environment
– No bandwidth bottlenecks
– Network visibility
  • Hub, monitor port, tap
– Easy integration: no changes to infrastructure
  • plug and play (pray?)
– Manipulates client ARP cache
  • “Virtually” in-line
ARP Manipulation
[Diagram: “All Traffic” path through the nodes Host User, PacketFence, Switch, Internet, Router, Switch]
Man In the Middle (MiM) ARP poisoning
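Because a passive enforcer of this kind places itself in the path by answering ARP for other hosts, the same footprint (an IP suddenly answering from a different MAC) is what a network team sees whether the cause is an enforcer or a hostile host. The following added Python example (not PacketFence code) is a passive ARP-consistency monitor: it learns IP-to-MAC bindings from observed ARP replies, lets trusted static bindings such as the gateway be pinned, and reports every reply that contradicts the known binding. The reply records are a constructed sample; the severity labels and field layout are assumptions.

```python
"""Passive ARP-consistency monitor (added example, not PacketFence code).
Feed it ARP replies captured on a hub, monitor port or tap; it reports
when an IP starts answering from a MAC other than the one known for it."""
from collections import namedtuple

# One observed ARP reply: capture time, who claims which IP, and the asker.
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac target_ip")

# Constructed sample: the gateway 10.1.0.1 lives at ...:01; from ts=3 a
# third host (...:99) answers for both the gateway and the client 10.1.0.50,
# which is the footprint of a virtually in-line device. At ts=5 the real
# gateway answers again.
SAMPLE_REPLIES = [
    ArpReply(1, "10.1.0.1", "aa:bb:cc:00:00:01", "10.1.0.50"),
    ArpReply(2, "10.1.0.50", "aa:bb:cc:00:00:50", "10.1.0.1"),
    ArpReply(3, "10.1.0.1", "aa:bb:cc:00:00:99", "10.1.0.50"),
    ArpReply(4, "10.1.0.50", "aa:bb:cc:00:00:99", "10.1.0.1"),
    ArpReply(5, "10.1.0.1", "aa:bb:cc:00:00:01", "10.1.0.50"),
]


def monitor(replies, trusted=None):
    """Return a list of (ts, severity, ip, expected_mac, seen_mac) events.

    trusted: optional static IP->MAC map (e.g. the router). A mismatch
    against a trusted binding is "critical" and never overwrites it; a
    mismatch against a binding learned from traffic is a "warning" and the
    learned table follows the new MAC so repeated flips are all reported.
    """
    trusted = dict(trusted or {})
    learned = {}
    events = []
    for r in replies:
        expected = trusted.get(r.sender_ip, learned.get(r.sender_ip))
        if expected is not None and expected != r.sender_mac:
            severity = "critical" if r.sender_ip in trusted else "warning"
            events.append((r.ts, severity, r.sender_ip, expected, r.sender_mac))
        if r.sender_ip not in trusted:
            learned[r.sender_ip] = r.sender_mac
    return events


def flapping_hosts(events):
    """IPs whose binding changed more than once: a sign of an ongoing
    MAC tug-of-war rather than a one-off hardware replacement."""
    counts = {}
    for _, _, ip, _, _ in events:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n > 1)


if __name__ == "__main__":
    for ev in monitor(SAMPLE_REPLIES, trusted={"10.1.0.1": "aa:bb:cc:00:00:01"}):
        print("%s ts=%d %s expected %s saw %s" % (ev[1], ev[0], ev[2], ev[3], ev[4]))
    print("flapping:", flapping_hosts(monitor(SAMPLE_REPLIES)))
```

Pinning the gateway as a trusted binding is the important design choice: without it the monitor's learned table would simply follow whichever host answered last, and the return of the real gateway at ts=5 would itself be reported as the anomaly.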
Detection (optional)
– Traffic analysis
  • Anomaly based
  • Signature based
  • Time based
– Snort with small signature set & portscan
– Any signature and/or anomaly based detection tool can be used (“glue” will be necessary)
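An added Python example (not PacketFence's or Snort's code) of the kind of behavioural and signature-style detection the slide describes, run over constructed flow records: an anomaly check for one source touching many distinct hosts on worm-favoured TCP ports inside a short window (the sweep pattern of the Sasser/Agobot family listed on the Implementations slide), and a fixed-pattern check for the ICMP echo sweep Nachi used. The port set, window length and fan-out thresholds are assumptions chosen for illustration, and the `dport` field carrying the ICMP type for ICMP flows is a convention of this sample only.

```python
"""Fan-out (scan/sweep) detector over flow records (added example, not
PacketFence or Snort code). The "glue" in a deployment would translate
alerts from this into violations for the registration/remediation system."""
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst proto dport")

SCAN_PORTS = {135, 139, 445}   # assumed worm-favoured TCP ports
WINDOW = 60                    # seconds
TCP_FANOUT = 20                # distinct hosts on SCAN_PORTS per window
ICMP_FANOUT = 20               # distinct echo-request targets per window

SAMPLE_FLOWS = (
    # constructed: 10.1.5.20 sweeps TCP/445 across 25 hosts in 25 seconds
    [Flow(t, "10.1.5.20", "10.1.6.%d" % (t + 1), "tcp", 445) for t in range(25)]
    # constructed: 10.1.5.21 browses three web servers (benign)
    + [Flow(t, "10.1.5.21", "192.0.2.%d" % (t + 1), "tcp", 80) for t in range(3)]
    # constructed: 10.1.5.22 pings 40 consecutive addresses (Nachi-like)
    + [Flow(100 + t, "10.1.5.22", "10.1.7.%d" % (t + 1), "icmp", 8) for t in range(40)]
    # constructed: 10.1.5.23 talks SMB to five file servers (benign)
    + [Flow(200 + t, "10.1.5.23", "10.1.8.%d" % (t + 1), "tcp", 445) for t in range(5)]
)


def _fanout_alerts(flows, kind, threshold, window):
    """One alert per source whose distinct-destination count within any
    `window`-second span reaches `threshold`."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    alerts = []
    for src, fl in by_src.items():
        fl.sort(key=lambda f: f.ts)
        best = 0
        for i, start in enumerate(fl):
            # Sliding window anchored at each flow: destinations seen before
            # start.ts + window. Quadratic, fine for a per-host record list.
            dsts = {g.dst for g in fl[i:] if g.ts < start.ts + window}
            best = max(best, len(dsts))
        if best >= threshold:
            alerts.append({"src": src, "kind": kind, "fanout": best})
    return alerts


def detect(flows, window=WINDOW):
    """Run the anomaly (TCP scan) and signature (ICMP sweep) checks."""
    tcp = [f for f in flows if f.proto == "tcp" and f.dport in SCAN_PORTS]
    icmp = [f for f in flows if f.proto == "icmp" and f.dport == 8]  # echo request
    return (_fanout_alerts(tcp, "tcp-scan", TCP_FANOUT, window)
            + _fanout_alerts(icmp, "icmp-sweep", ICMP_FANOUT, window))


if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print("%(kind)s from %(src)s, fan-out %(fanout)d" % a)
```

The window matters as much as the threshold: the same 25 SMB connections spread over an hour are a file-server client, not a worm, which is why `detect` takes the window as a parameter rather than hard-coding it.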
Implementations
– All current deployments are “passive” mode
– Several residential networks and 2 schools
  • ~7076 systems
  • ~3934 registrations
  • ~225 violations: Nachi / Sasser, Agobot, Gaobot, etc. / IRC bots
Coming Soon…
– Static IP/ARP detection
– DHCP combat
– Queue-based violation/registration
– Independent components
– Isolation mechanisms
  • DHCP: change DHCP scope (reserved IP with enforcer gateway); change DNS server to resolve all IPs to enforcer
  • Switch port manipulation: change VLAN to isolation network; disable port
In Closing – PacketFence
– Open-source
– Passive deployment
  • “plug and play”
  • no infrastructure changes needed
– Proactive and reactive remediation
– Extremely configurable
In Closing – Campus Manager
– An all-in-one management solution
– Provides managed network access to all clients
– Manages and controls wireless network access
– Enforces a campus-wide network usage policy
– Reduces the time to locate users, take action on network access violations, detect network problems, troubleshoot network problems, and configure network devices
– Delegates client management to network operators and helpdesk personnel
– Vendor independent solution
– Passive management system on the network
– Comprehensive integrations with vendor solutions
– Reallocate IT staff from building management solutions to managing the network services