
Page 1:

Fences Make Good Neighbors
Monitoring Academic Networks at the Port Level

Educause Security Conference
April 4-5, 2005
Washington DC

David LaPorte / Kevin Amorin, Harvard University
Angelo Bravos, Judson College

Page 2:

Topics

Overview of the problems/needs
Solutions
– Bradford Campus Manager
– PacketFence
Questions

Page 3:

Network (In)security

Perimeter security
– Firewalls, IDS, IPS, router ACLs
– “Hard on the outside, soft on the inside”
– Leads to complacency

60-80% of attacks originate from systems on the internal network (behind the firewall)
– VPN
– Wireless
– Dial-up

Page 4:

Internal Network Protection/Control

Mirage Networks (ARP)
qRadar (ARP)
Wholepoint (ARP)
RNA networks (ARP)
Tipping Point (inline)
Etc.

Cisco (NAC)
Trend Micro (NAC)
Symantec (NAC)
Microsoft (NAP, Q2 2005)
Juniper (TNC)
Foundry Networks (TCC)

Internal network security funding, 2004
– More than $80M ($13M Sept)

Page 5:

Academic Issues

Network environment
– Worms
– Bot nets
– DMCA
– Policy violations
  • NATs
  • p2p applications

Identity
– Who owns an infected/offending system?

Support
– Do you want to be manning the helpdesk on move-in day?

Page 6:

Academic Needs

Academic IT departments need better monitoring and control of network clients and devices, and a way to better enforce usage policies and security.

Page 7:

Academic Needs - Clients

Dealing with hosts with no antivirus
Better client management for all users accessing the network (direct & wireless)
Better client management for dorms and open labs
Enforcing acceptable usage policy
Identifying roamers
Denying/restricting service to certain groups
Restricting certain applications: chat, p2p, gaming

Page 8:

Academic Needs – Network management

Better management of different equipment: Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
Better Internet and intranet bandwidth management
Enable and disable ports
Port-based VLAN switching
Discover network devices and connectivity
Alarm and notify on network events
Multi-access point detection
DHCP application server management

Page 9:

Overview of Campus Manager

Page 10:

With Campus Manager the IT department can improve client management:

Force registration of all users accessing the network (direct & wireless)
Port-based registration
Improve the helpdesk interface
Enforce a usage policy such as Windows updates and anti-virus protection
Quarantine unregistered and non-compliant network users
Identify who is accessing the network and locate network users
Control chatting, gaming, and file sharing
Restrict/deny an individual user or groups of users
Enforce preferred VLAN switching and dynamic VLAN assignment
Audit trail of current and historical network access
Automate client/user management tasks

Page 11:

With Campus Manager the IT department can improve network management:

Equipment from Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
Internet and intranet bandwidth management
Enable and disable ports
Port-based VLAN switching
Discover network devices and connectivity
Keep track of network wiring information
Monitor network health
Alarm and notify on network events
Multi-access point detection
DHCP application server management
Configure network devices
Audit trail of network events
Automate network management tasks

Pages 12-23: (no text in the transcript)

Page 24:

What is PacketFence

Open-source network registration and worm mitigation solution
– Co-developed by Kevin Amorin and David LaPorte
  • GUI developed by Randy Heins, UIS NOC
– Captive portal
  • Intercepts HTTP sessions and forces the client to view content
  • Similar to Bluesocket
– Based on unmodified open-source components

Page 25:

Features

Network registration
– Register systems to an authenticated user
  • LDAP, RADIUS, POP, IMAP… anything Apache supports
– Force AUP acceptance
– Stores assorted system information
  • NetBIOS computer name & web browser user-agent string
  • Presence of some NAT device
– Stores no personal information
  • ID->MAC mapping only
– The above data can provide a rough system inventory
– Vulnerability scans
  • at registration
  • scheduled/ad hoc

Page 26:

Features

Worm mitigation
– Behavioral and signature-based detection
– Optional isolation of infected nodes
  • Implemented but not deployed
– Self-remediation
  • Empower users
  • Provides remediation instructions specific to the infection

Network “inoculation”
– Preemptively detect and trap vulnerable hosts

Page 27:

Features

Remediation
– Requires signature-based detection
– Provides user context-specific remediation instructions
– Redirection to the captive portal
  • via proxy
  • via firewall pass-through
– Helpdesk support number if all else fails
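The registration lookup and captive-portal redirect that slides 24, 25 and 27 describe, as an added example written for this page and not PacketFence's own code. The store keeps only the user ID to MAC mapping plus the inventory hints the slides mention (user-agent strings, NetBIOS name), and the HTTP handler decides whether an intercepted request passes through or is answered with a redirect to the portal. The portal hostname, the `/register` path, the `destination` parameter and the sample request are assumptions.

```python
"""Captive-portal decision logic for an unregistered client, with the ID->MAC
registration store behind it. Added example, not PacketFence's own code; the
portal hostname, the paths and the sample request are assumptions."""
import html
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Set
from urllib.parse import quote


@dataclass
class Registration:
    user_id: str                 # the identifier the auth backend returned; nothing else about the person
    registered_at: float
    user_agents: Set[str] = field(default_factory=set)   # inventory data, as on slide 25
    netbios_name: Optional[str] = None


class RegistrationStore:
    """Holds only the user-ID -> MAC mapping plus inventory hints."""

    def __init__(self) -> None:
        self._by_mac: Dict[str, Registration] = {}

    def register(self, mac: str, user_id: str, aup_accepted: bool, now: Optional[float] = None) -> None:
        if not aup_accepted:
            raise ValueError("AUP must be accepted before a system is registered")
        self._by_mac[mac.lower()] = Registration(user_id, now if now is not None else time.time())

    def lookup(self, mac: str) -> Optional[Registration]:
        return self._by_mac.get(mac.lower())

    def note_user_agent(self, mac: str, user_agent: str) -> None:
        reg = self.lookup(mac)
        if reg is not None:
            reg.user_agents.add(user_agent)

    def nat_suspected(self, mac: str) -> bool:
        """More than one OS family observed behind a single MAC is a hint that a
        NAT device (home router) sits on the port."""
        reg = self.lookup(mac)
        if reg is None:
            return False
        families = {os_family(ua) for ua in reg.user_agents} - {"unknown"}
        return len(families) > 1


def os_family(user_agent: str) -> str:
    ua = user_agent.lower()
    for key in ("windows", "mac os", "linux", "freebsd"):
        if key in ua:
            return key
    return "unknown"


def handle_http(request: bytes, client_mac: str, store: RegistrationStore, portal_host: str) -> Optional[bytes]:
    """Return the response the portal should send in place of the real server, or
    None to let the request pass through. Only plain HTTP can be intercepted this way;
    HTTPS and non-HTTP traffic from unregistered clients has to be blocked elsewhere."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n"
    _method, path, _version = parts
    headers = {k.strip().lower(): v.strip()
               for k, v in (ln.split(":", 1) for ln in lines[1:] if ":" in ln)}
    host = headers.get("host", "")
    if host.lower() == portal_host.lower():
        return None                     # the portal itself is always reachable
    reg = store.lookup(client_mac)
    if reg is not None:
        if "user-agent" in headers:     # registered: record the agent string as inventory
            store.note_user_agent(client_mac, headers["user-agent"])
        return None
    # Unregistered: send the browser to the portal and remember where it was going.
    # quote(..., safe="") also keeps attacker-controlled Host/path out of the header line.
    destination = quote(f"http://{host}{path}", safe="")
    location = f"http://{portal_host}/register?destination={destination}"
    body = (f'<html><body>Network registration required: '
            f'<a href="{html.escape(location)}">continue</a></body></html>').encode()
    return (f"HTTP/1.1 302 Found\r\nLocation: {location}\r\nCache-Control: no-store\r\n"
            f"Content-Type: text/html\r\nContent-Length: {len(body)}\r\nConnection: close\r\n\r\n"
            ).encode() + body
```

Whether the request reaches `handle_http` through a transparent proxy or a firewall pass-through rule (the two paths slide 27 lists) does not change the decision; what matters is that the client MAC is known at that point, which is why this runs on the same segment as the client rather than behind a router. `Cache-Control: no-store` keeps the browser from replaying the redirect after the user has registered.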

Page 28:

Inline

Security bottleneck
– Immune to subversion
Fail-closed
Performance bottleneck
Single point of failure
May not be necessary/preferable
– in academia

Page 29:

Passive

Fail-open solution
– Preferable in an academic environment
No bandwidth bottlenecks
Network visibility
– Hub, monitor port, tap
Easy integration – no changes to infrastructure
– Plug and play (pray?)
Manipulates client ARP cache
– “Virtually” in-line

Page 30:

ARP Manipulation

[Diagram: Host/User, Switch, PacketFence, Switch, Router, Internet; the traffic arrow is labelled “All Traffic”]

Man in the middle (MiM) ARP poisoning
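The ARP manipulation behind the “virtually in-line” passive mode, as an added example written for this page (it is not PacketFence's code). It builds the unsolicited ARP replies a device sends to a host and to its gateway so that both direct their traffic through it, decodes such frames, and applies the static IP/ARP check that slide 33 lists as coming soon: any ARP whose sender IP belongs to a fixed table entry but carries a different MAC is reported. All MAC and IP addresses are constructed, and nothing is put on the wire (that would need a raw `AF_PACKET` socket and root).

```python
"""Unsolicited ARP replies of the kind a 'virtually inline' device sends, plus the
static IP/ARP check that detects them. Added example; stdlib only; nothing is
sent on the wire (that needs a raw AF_PACKET socket and root)."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp_reply(target_mac: str, target_ip: str, claimed_ip: str, own_mac: str) -> bytes:
    """Ethernet frame carrying an unsolicited ARP reply "claimed_ip is-at own_mac",
    unicast to target_mac. The target's ARP cache entry for claimed_ip is overwritten."""
    eth_header = mac_bytes(target_mac) + mac_bytes(own_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode=reply(2)
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp_body = mac_bytes(own_mac) + ip_bytes(claimed_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth_header + arp_header + arp_body


def poison_pair(host_mac: str, host_ip: str, gw_mac: str, gw_ip: str, own_mac: str) -> Tuple[bytes, bytes]:
    """Both frames needed to sit between a host and its gateway: the host is told the
    gateway lives at own_mac, and the gateway is told the host lives at own_mac.
    Caches get refreshed by legitimate ARP traffic, so these must be re-sent
    periodically, and the sender must forward IP traffic or the host loses connectivity."""
    return (build_arp_reply(host_mac, host_ip, gw_ip, own_mac),
            build_arp_reply(gw_mac, gw_ip, host_ip, own_mac))


@dataclass(frozen=True)
class ArpPacket:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def parse_arp(frame: bytes) -> Optional[ArpPacket]:
    """Decode an Ethernet/ARP frame; None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpPacket(opcode, mac_str(body[0:6]), ip_str(body[6:10]),
                     mac_str(body[10:16]), ip_str(body[16:20]))


def check_arp(frame: bytes, known: Dict[str, str]) -> Optional[str]:
    """Static IP/ARP detection: any ARP (request or reply) whose sender IP is in the
    known table but whose sender MAC differs is reported. `known` maps IP -> MAC for
    addresses that must not move (gateway, servers, the NAC box itself)."""
    pkt = parse_arp(frame)
    if pkt is None:
        return None
    expected = known.get(pkt.sender_ip)
    if expected is not None and expected.lower() != pkt.sender_mac:
        return f"ARP conflict: {pkt.sender_ip} announced by {pkt.sender_mac}, expected {expected.lower()}"
    return None


if __name__ == "__main__":
    # Constructed addresses for the demonstration.
    to_host, to_gw = poison_pair("00:11:22:33:44:55", "10.0.0.20",
                                 "00:aa:bb:cc:dd:ee", "10.0.0.1", "de:ad:be:ef:00:01")
    table = {"10.0.0.1": "00:aa:bb:cc:dd:ee"}
    print(parse_arp(to_host))
    print(check_arp(to_host, table))   # reports the conflict
    print(check_arp(to_gw, table))     # host IP is not in the table: nothing to report
```

The same frames are what an attacker on the segment sends for a man-in-the-middle attack, which is why the check in `check_arp` belongs on any network where this technique is in use: it cannot tell the NAC box from an intruder, so the box's own MAC has to be in the table. The fail-open property of slide 29 follows from the mechanism: if the device stops sending, cache entries age out and hosts return to the real gateway on their own.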

Page 31:

Detection (optional)

Traffic analysis
– Anomaly based
– Signature based
– Time based

Snort with a small signature set & portscan

Any signature and/or anomaly based detection tool can be used (“glue” will be necessary)
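The kind of “glue” this slide refers to, as an added example written for this page and not taken from PacketFence: it parses Snort's fast alert format, keeps only the signatures a policy table treats as worm or bot activity, attributes each to a MAC through a lease table (registration and enforcement are keyed by MAC, not IP), and adds a small behavioral check for worm-style scanning, one source touching many hosts on one port. The SIDs in the policy table, the lease table and the log lines are all constructed for the example.

```python
"""Glue between an IDS and a MAC-keyed violation queue: parse Snort "fast" alerts,
keep only the signatures policy treats as worm/bot activity, attribute them to a MAC,
and add a simple behavioral detector for worm-style scanning. Added example, not
PacketFence code; the SIDs, lease table and log lines are constructed."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Optional, Set, Tuple

# Snort "fast" alert line (output mode -A fast). The ICMP variant has no ports.
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Hypothetical policy: SID -> violation class. Only these alerts create violations.
WORM_SIDS: Dict[int, str] = {990001: "worm", 990002: "irc-bot"}


@dataclass(frozen=True)
class Violation:
    mac: str      # registration is keyed by MAC, so violations are attributed to a MAC
    ip: str
    kind: str     # "signature" or "behavior"
    detail: str


def parse_fast_alert(line: str) -> Optional[dict]:
    m = FAST_ALERT_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["dport"] = int(d["dport"]) if d["dport"] else None
    return d


def signature_violations(lines: Iterable[str], ip_to_mac: Dict[str, str]) -> List[Violation]:
    """Map policy-relevant alerts to violations. Alerts whose source IP has no known
    MAC (not in the DHCP/ARP table) cannot be enforced against and are skipped."""
    out: List[Violation] = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or alert["sid"] not in WORM_SIDS:
            continue
        mac = ip_to_mac.get(alert["src"])
        if mac is None:
            continue
        out.append(Violation(mac, alert["src"], "signature",
                             f"{WORM_SIDS[alert['sid']]}: sid {alert['sid']} {alert['msg']}"))
    return out


class ScanDetector:
    """Behavioral check: one source contacting many distinct hosts on the same
    destination port inside a sliding window (the pattern of Sasser/Nachi style
    propagation). Each (src, port) pair is reported once."""

    def __init__(self, window_s: float = 60.0, threshold: int = 20) -> None:
        self.window_s = window_s
        self.threshold = threshold
        self._hits: Dict[Tuple[str, int], Deque[Tuple[float, str]]] = defaultdict(deque)
        self._flagged: Set[Tuple[str, int]] = set()

    def observe(self, ts: float, src: str, dst: str, dport: int) -> Optional[str]:
        key = (src, dport)
        window = self._hits[key]
        window.append((ts, dst))
        while window and ts - window[0][0] > self.window_s:
            window.popleft()
        distinct = {d for _, d in window}
        if len(distinct) >= self.threshold and key not in self._flagged:
            self._flagged.add(key)
            return f"scan: {src} contacted {len(distinct)} hosts on port {dport} within {self.window_s:g}s"
        return None


def demo() -> List[Violation]:
    """Run both detectors over constructed input and return the violation queue."""
    ip_to_mac = {"10.20.1.45": "00:16:41:aa:bb:cc", "10.20.1.77": "00:0c:29:11:22:33"}  # constructed
    alerts = [  # constructed lines in Snort fast format; SIDs are hypothetical
        "04/04-09:15:02.123456  [**] [1:990001:3] EXAMPLE worm propagation attempt [**] "
        "[Classification: Misc Attack] [Priority: 2] {UDP} 10.20.1.45:1434 -> 10.20.1.99:1434",
        "04/04-09:15:03.000001  [**] [1:990002:1] EXAMPLE IRC bot check-in [**] "
        "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.20.1.77:3456 -> 192.0.2.10:6667",
        "04/04-09:15:04.000002  [**] [1:990003:1] EXAMPLE informational ping [**] "
        "[Classification: Not Suspicious Traffic] [Priority: 3] {ICMP} 10.20.1.45 -> 10.20.1.1",
    ]
    queue = signature_violations(alerts, ip_to_mac)
    detector = ScanDetector(window_s=60, threshold=20)
    # constructed flows: 10.20.1.77 probes 25 neighbours on tcp/445 within five seconds
    for i in range(25):
        msg = detector.observe(1000.0 + 0.2 * i, "10.20.1.77", f"10.20.1.{100 + i}", 445)
        if msg:
            queue.append(Violation(ip_to_mac["10.20.1.77"], "10.20.1.77", "behavior", msg))
    return queue


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The IP-to-MAC step is where most of the operational trouble sits: on a passive deployment the table comes from DHCP leases and observed ARP, so an alert from a static IP the system has never seen cannot be turned into a port-level action, which is what slide 33's “static IP/ARP detection” item addresses.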

Page 32:

Implementations

All current deployments are in “passive” mode
Several residential networks and 2 schools
– ~7076 systems
– ~3934 registrations
– ~225 violations
  • Nachi / Sasser, Agobot, Gaobot, etc. / IRC bots

Page 33:

Coming Soon…

Static IP/ARP detection
DHCP combat
Queue-based violation/registration
Independent components
Isolation mechanisms
– DHCP
  • Change DHCP scope (reserved IP with enforcer gateway)
  • Change DNS server to resolve all IPs to the enforcer
– Switch port manipulation
  • Change VLAN to isolation network
  • Disable port
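The DNS half of the DHCP-based isolation mechanism above, as an added example written for this page rather than PacketFence code: a resolver handed to quarantined clients that answers every A query, whatever the name, with the enforcer's address, so any site the user tries to reach lands on the remediation page. The query builder and answer parser are there so the behaviour can be checked offline; the enforcer address and hostnames are constructed.

```python
"""DNS part of the isolation mechanism: a resolver handed to quarantined clients
that answers every A query with the enforcer's address, so any hostname the
user types lands on the remediation page. Added example; stdlib only; the
enforcer address and names are constructed."""
import socket
import struct
from typing import List, Optional, Tuple

QTYPE_A = 1


def _read_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed name starting at offset; return (name, next offset)."""
    labels: List[str] = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer where a literal name was expected")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Standard recursive query, as a stub resolver would send it."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", qtype, 1)


def sinkhole_response(query: bytes, enforcer_ip: str, ttl: int = 5) -> Optional[bytes]:
    """Answer an A query for any name with enforcer_ip. Other query types get an
    empty NOERROR answer. The short TTL keeps the client from holding the sinkhole
    address once it has remediated and been moved back to the normal network."""
    if len(query) < 12:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if flags & 0x8000 or qdcount != 1:
        return None                         # a response, or not a single-question query
    try:
        _name, end = _read_name(query, 12)
        qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    except (IndexError, ValueError, struct.error):
        return None
    question = query[12:end + 4]
    # QR=1, AA=1, RD copied from the query, RA=1, RCODE=0
    resp_flags = 0x8000 | 0x0400 | (flags & 0x0100) | 0x0080
    if qtype == QTYPE_A and qclass == 1:
        # owner name is a pointer to offset 12 (the question name); rdlength 4
        answer = b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, 1, ttl, 4) + socket.inet_aton(enforcer_ip)
        ancount = 1
    else:
        answer, ancount = b"", 0
    return struct.pack("!HHHHHH", txid, resp_flags, 1, ancount, 0, 0) + question + answer


def answered_addresses(response: bytes) -> List[str]:
    """Pull the A records out of a response (enough of a parser to verify the above)."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    offset = 12
    for _ in range(qdcount):
        _name, offset = _read_name(response, offset)
        offset += 4
    addrs: List[str] = []
    for _ in range(ancount):
        if response[offset] & 0xC0:
            offset += 2                     # compressed owner name
        else:
            _name, offset = _read_name(response, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_A and rdlen == 4:
            addrs.append(socket.inet_ntoa(response[offset:offset + 4]))
        offset += rdlen
    return addrs


def serve(bind_ip: str, enforcer_ip: str, port: int = 53) -> None:
    """Tiny UDP loop; bind it to the enforcer's address on the isolation network."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(512)
        reply = sinkhole_response(data, enforcer_ip)
        if reply is not None:
            sock.sendto(reply, peer)


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com")
    print(answered_addresses(sinkhole_response(q, "10.0.0.2")))
```

This only works for clients that use the resolver DHCP gave them, which is why the slide pairs it with a changed DHCP scope and an enforcer gateway: a client with a hard-coded resolver or a static address bypasses the DNS part, and the gateway or a VLAN change has to catch it instead.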

Page 34:

In Closing

PacketFence
– Open-source
– Passive deployment
  • “plug and play”
  • no infrastructure changes needed
– Proactive and reactive remediation
– Extremely configurable

Page 35:

In Closing – Campus Manager

An all-in-one management solution
Provides managed network access to all clients
Manages and controls wireless network access
Enforces a campus-wide network usage policy
Reduces the time to
– Locate users
– Take action on network access violations
– Detect network problems
– Troubleshoot network problems
– Configure network devices
Delegates client management to network operators and helpdesk personnel
Vendor-independent solution
Passive management system on the network
Comprehensive integrations with vendor solutions
Reallocate IT staff from building management solutions to managing the network services
