packetfence …because good fences make good neighbors


Page 1: PacketFence …because good fences make good neighbors

PacketFence …because good fences make good neighbors

Michael Garofano, Director of IT, Harvard KSG
Kevin Amorin, Sr. Security & Systems Engineer, Harvard KSG
David LaPorte, Manager Network Security, Harvard (not present today)

[email protected]
[email protected]
[email protected]

Page 2: PacketFence …because good fences make good neighbors

Agenda

- Academic Issues
- Perimeter & Internal Security
- PacketFence features
- Inline vs. Passive (out of line)

Page 3: PacketFence …because good fences make good neighbors

Academic Issues

- Help Desk Support
  - Limit spread of worms
  - Identify infected user
- DMCA (movie/music download violations)
  - IP to user mapping
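An abuse notice arrives as an IP address and a timestamp, so the "IP to user mapping" on this slide is a two-step join: the DHCP server's log says which MAC held the address at that moment, and the registration database says which user id owns that MAC. The following is an added example rather than anything from the slides or from the PacketFence code base: it parses constructed ISC dhcpd DHCPACK syslog lines, picks the binding in force at the notice time, and resolves the MAC through a constructed ID->MAC table. The log lines, addresses and user ids are all constructed.

```python
import re
from datetime import datetime

# Constructed sample lines in ISC dhcpd's syslog DHCPACK format (not a real capture).
DHCP_LOG = """\
Mar 12 09:15:02 dhcp1 dhcpd: DHCPACK on 10.1.5.23 to 00:16:3e:aa:bb:01 (lib-laptop) via eth0
Mar 12 13:40:17 dhcp1 dhcpd: DHCPACK on 10.1.5.23 to 00:16:3e:cc:dd:02 (dorm-pc) via eth0
Mar 12 13:41:00 dhcp1 dhcpd: DHCPACK on 10.1.5.24 to 00:16:3e:aa:bb:01 (lib-laptop) via eth0
Mar 12 18:05:30 dhcp1 dhcpd: DHCPREQUEST for 10.1.5.23 from 00:16:3e:ee:ff:03 via eth0
Mar 12 18:05:44 dhcp1 dhcpd: DHCPACK on 10.1.5.23 to 00:16:3e:ee:ff:03 via eth0
"""

# Constructed registration table: the ID->MAC mapping and nothing else.
REGISTRATIONS = {
    "00:16:3e:aa:bb:01": "user-1042",
    "00:16:3e:cc:dd:02": "user-2210",
}

# Only DHCPACK binds an address to a client; other dhcpd messages are skipped.
ACK_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dhcpd: DHCPACK on "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_acks(log_text, year):
    """Return [(timestamp, ip, mac)] for every DHCPACK line.
    Syslog timestamps carry no year, so the caller supplies it."""
    acks = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m is None:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        acks.append((ts, m["ip"], m["mac"].lower()))
    return acks


def mac_for_ip_at(acks, ip, when):
    """MAC holding `ip` at `when`: the latest DHCPACK for that IP at or before `when`.
    Assumption: lease expiry is not modelled; a client keeps the address until the
    server hands it to another client."""
    holder = None
    for ts, ack_ip, mac in sorted(acks):
        if ack_ip == ip and ts <= when:
            holder = mac
    return holder


def user_for_ip_at(log_text, registrations, ip, when_iso):
    """The two-step join behind a notice: (ip, time) -> MAC -> registered user id.
    `when_iso` is 'YYYY-MM-DD HH:MM:SS'; the log is assumed to be from that year.
    Returns (mac, user_id); user_id is None when the MAC was never registered."""
    when = datetime.strptime(when_iso, "%Y-%m-%d %H:%M:%S")
    mac = mac_for_ip_at(parse_acks(log_text, when.year), ip, when)
    if mac is None:
        return None, None
    return mac, registrations.get(mac)


if __name__ == "__main__":
    # Constructed notice: "10.1.5.23 on 2005-03-12 at 15:00"
    print(user_for_ip_at(DHCP_LOG, REGISTRATIONS, "10.1.5.23", "2005-03-12 15:00:00"))
```

The lookup keys on DHCPACK only and treats the newest ACK at or before the notice time as authoritative. It does not model lease expiry, so an address that went idle and was never reassigned still resolves to its last holder; that is the conservative answer for an inventory question, but it should be stated when the result is passed on, and the notice's time zone has to be converted to the DHCP server's before the comparison.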

Page 4: PacketFence …because good fences make good neighbors

Academic Issues

- Inventory
  - List of MACs and owners
- Gather statistics
  - Get more money!
  - Number of IPs, infections, helpdesk time, active nodes, etc.

Page 5: PacketFence …because good fences make good neighbors

Academic Issues

- Open vs. closed environment
  - Professors and students want unfettered access to the internet
- You can take your FIREWALL and put it…
  - Some things break: videoconferencing (H.323), games (UDP, non-stateful firewall), P2P, IM, etc.

Page 6: PacketFence …because good fences make good neighbors

Average Network Security

- Perimeter security
  - Firewalls, IDS, IPS, router ACLs
- Current architecture
  - “Hard on the outside, soft on the inside”
- Hard to protect the “inside”
- 60-80% of attacks originate from systems on the internal network (behind the firewall)

Page 7: PacketFence …because good fences make good neighbors

Worms wreak havoc

- August 11, 2003: Blaster and Welchia/Nachi
- How did the worms get in? We block all types of traffic from the internet (especially RPC)… LAPTOPS!!!!
- Backdoors bypass perimeter defenses:
  - Roaming users
  - VPN
  - Wireless
  - Dialup

Page 8: PacketFence …because good fences make good neighbors

Internal Network Protection/Control

- Mirage Networks (ARP)
- qRadar (ARP)
- Wholepoint (ARP)
- RNA Networks (ARP)
- Tipping Point (inline)
- Etc.

- Cisco (NAC)
- Trend Micro (NAC)
- Symantec (NAC)
- Microsoft (NAP, Q2 2005)
- Juniper (TNC)
- Foundry Networks (TCC)
- Etc.

- Internal network security funding 2004
  - More than $80M ($13M in September)

Page 9: PacketFence …because good fences make good neighbors

What is PacketFence

- Open-source network registration and worm mitigation solution
  - Co-developed by Kevin Amorin and David LaPorte
  - Captive portal: intercepts HTTP sessions and forces the client to view content; similar to NoCatAuth, Bluesocket
  - Based on unmodified open-source components

Page 10: PacketFence …because good fences make good neighbors

Features

- Network registration
  - Register systems to an authenticated user: LDAP, RADIUS, POP, IMAP… anything Apache supports
  - Force AUP acceptance
  - Stores assorted system information: NetBIOS computer name, web browser user-agent string, presence of a NAT device
  - Stores no personal information: ID->MAC mapping only
  - The above data can provide a rough system inventory
  - Vulnerability scans at registration

Page 11: PacketFence …because good fences make good neighbors

Features

- Worm mitigation
  - Signature- and anomaly-based detection
  - Action-based response: optional isolation of infected nodes
  - Content-specific information: empowers users; provides remediation instructions specific to the infection
- Network scans
  - Preemptively detect and trap vulnerable hosts

Page 12: PacketFence …because good fences make good neighbors

Features

- Remediation
  - Redirection to the captive portal
  - Requires signature-based detection
  - Provides user context-specific remediation instructions
  - Proxy
  - Firewall pass-through
  - Helpdesk support number if all else fails
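Pages 10 to 12 describe one data flow: a node registers (its MAC is bound to an authenticated user id, the AUP is accepted, a few system strings are recorded), a detection opens a violation against it, and the captive portal then answers the node's intercepted HTTP requests with a redirect to infection-specific instructions while still letting remediation traffic through. The following is an added example, not code from the slides or from the PacketFence project, that models that flow in two SQLite tables and one decision function. The portal hostname, the pass-through hosts, the violation ids and the remediation pages are assumed names.

```python
import sqlite3
from urllib.parse import urlsplit, quote

# Assumed names, not from the slides: the captive portal's hostname and the
# remediation hosts a trapped node may still reach ("firewall pass-through").
PORTAL_HOST = "portal.example.edu"
PASS_THROUGH = {PORTAL_HOST, "update.example.edu", "av-updates.example.edu"}

# Violation id -> portal page with infection-specific instructions (constructed).
REMEDIATION_PAGE = {"nachi": "/remediate/nachi", "sasser": "/remediate/sasser"}
GENERIC_PAGE = "/remediate/generic"  # carries the helpdesk number if all else fails

SCHEMA = """
CREATE TABLE node (
    mac          TEXT PRIMARY KEY,
    pid          TEXT NOT NULL,               -- authenticated user id only
    aup_accepted INTEGER NOT NULL DEFAULT 0,
    netbios_name TEXT,
    user_agent   TEXT
);
CREATE TABLE violation (
    id     INTEGER PRIMARY KEY,
    mac    TEXT NOT NULL,
    vid    TEXT NOT NULL,                     -- which signature fired
    closed INTEGER NOT NULL DEFAULT 0
);
"""


class NodeStore:
    """ID->MAC registration records plus open/closed violations, in SQLite."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript(SCHEMA)

    def register(self, mac, pid, netbios_name=None, user_agent=None):
        """Bind a MAC to an authenticated user id once the AUP is accepted.
        Only the id and the per-system strings the portal observed are kept."""
        self.db.execute(
            "INSERT OR REPLACE INTO node(mac, pid, aup_accepted, netbios_name, user_agent) "
            "VALUES (?, ?, 1, ?, ?)",
            (mac.lower(), pid, netbios_name, user_agent),
        )

    def is_registered(self, mac):
        row = self.db.execute(
            "SELECT aup_accepted FROM node WHERE mac = ?", (mac.lower(),)).fetchone()
        return bool(row and row[0])

    def owner(self, mac):
        row = self.db.execute("SELECT pid FROM node WHERE mac = ?", (mac.lower(),)).fetchone()
        return row[0] if row else None

    def inventory(self):
        """The rough system inventory the registration data yields."""
        return self.db.execute(
            "SELECT mac, pid, netbios_name, user_agent FROM node ORDER BY mac").fetchall()

    def open_violation(self, mac, vid):
        self.db.execute("INSERT INTO violation(mac, vid) VALUES (?, ?)", (mac.lower(), vid))

    def close_violations(self, mac):
        self.db.execute("UPDATE violation SET closed = 1 WHERE mac = ?", (mac.lower(),))

    def open_violation_for(self, mac):
        """Oldest still-open violation id for the MAC, or None."""
        row = self.db.execute(
            "SELECT vid FROM violation WHERE mac = ? AND closed = 0 ORDER BY id LIMIT 1",
            (mac.lower(),)).fetchone()
        return row[0] if row else None


def portal_decision(store, mac, requested_url):
    """What the enforcement point does with an HTTP request intercepted from `mac`.
    Returns ("pass", url) or ("redirect", portal_url). An open violation wins over
    registration state, so a registered but infected node is still trapped."""
    host = (urlsplit(requested_url).hostname or "").lower()
    if host in PASS_THROUGH:
        return "pass", requested_url  # remediation traffic must get through
    vid = store.open_violation_for(mac)
    if vid is not None:
        page = REMEDIATION_PAGE.get(vid, GENERIC_PAGE)
        return "redirect", f"https://{PORTAL_HOST}{page}?mac={quote(mac)}"
    if not store.is_registered(mac):
        return "redirect", (f"https://{PORTAL_HOST}/register?mac={quote(mac)}"
                            f"&url={quote(requested_url, safe='')}")
    return "pass", requested_url


if __name__ == "__main__":
    s = NodeStore()
    s.register("00:16:3e:aa:bb:01", "user-1042", "LIB-LAPTOP", "Mozilla/5.0")
    s.open_violation("00:16:3e:aa:bb:01", "nachi")
    print(portal_decision(s, "00:16:3e:aa:bb:01", "http://www.example.org/"))
```

The pass-through check comes first so that a trapped node can still fetch patches, and the violation check comes before the registration check so that an infected node cannot talk its way out by registering. Which hosts belong in PASS_THROUGH is the main policy knob: too few and users cannot remediate, too many and the isolation is porous.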

Page 13: PacketFence …because good fences make good neighbors

Inline

- Security bottleneck
  - Immune to subversion
- Fail-closed
- Performance bottleneck
- Single point of failure

Page 14: PacketFence …because good fences make good neighbors

Passive

- Fail-open solution
  - Preferable in an academic environment
- No bandwidth bottlenecks
- Network visibility
  - Hub, monitor port, tap
- Easy integration – no changes to infrastructure
  - Plug and play (pray?)
- Manipulates client ARP cache
  - “Virtually” in-line

Page 15: PacketFence …because good fences make good neighbors

Passive Architecture

[Diagram: passive deployment. Labels: Internet, User, Router, Host, DB, PacketFence]

Page 16: PacketFence …because good fences make good neighbors

Why ARP?

- Trusting
  - Easy to manipulate
- RFC 826, 1982
- OS independent
  - Windows 95, 98, ME, 2k, XP, Mac: both type 1 & 2
  - Linux: only type 1
  - Solaris: ICMP & type 2 or 1

Page 17: PacketFence …because good fences make good neighbors

Methods of Isolation

- ARP
  - Change the router's ARP entry on the local system to the enforcement point
- DHCP
  - Change DHCP scope (reserved IP with enforcer gateway)
  - or change DNS server to resolve all IPs to the enforcer
- VLAN switch
  - Switch host to an isolation network with the enforcer as the gateway
- If all else fails… Blackhole
  - Router dynamic update
  - Firewall/ACL update
  - Disable switch port
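The ARP isolation on this page and the "Why ARP?" page before it rest on the same property: a host rewrites its cache entry for the router's IP from an unsolicited ARP reply (opcode 2) and, on most stacks, from a request (opcode 1) as well, which is how I read the slide's "type 1" and "type 2". Because anything on the segment can exercise that property, an operator running passive mode will want to see every change of the gateway binding and tell the enforcer apart from anything else. The following is an added example, not code from the slides or from the PacketFence project: a minimal parser for Ethernet/ARP frames (RFC 826, IPv4 over Ethernet) and an arpwatch-style monitor that learns the gateway MAC and alerts on a rebinding from either opcode, exempting a configured list of trusted MACs such as the enforcer's own. All addresses and frames are constructed.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2   # ARP opcodes: the slide's "type 1" and "type 2"
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Arp:
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def _ip(b):
    return ".".join(str(x) for x in b)


def parse_arp(frame):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return Arp(oper, _mac(frame[22:28]), _ip(frame[28:32]),
               _mac(frame[32:38]), _ip(frame[38:42]))


def _frame(opcode, src_mac, src_ip, dst_mac, dst_ip):
    """Build a constructed ARP frame for the sample traffic below (test data only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return (mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
            + mac(src_mac) + ip(src_ip) + mac(dst_mac) + ip(dst_ip))


class GatewayArpMonitor:
    """arpwatch-style check: remember which MAC speaks for the gateway IP and
    flag any request or reply that rebinds it to a different, untrusted MAC."""

    def __init__(self, gateway_ip, expected_mac=None, trusted_macs=()):
        self.gateway_ip = gateway_ip
        self.known_mac = expected_mac.lower() if expected_mac else None
        self.trusted = {m.lower() for m in trusted_macs}   # e.g. the enforcer itself
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; return an alert string, or None if nothing is wrong."""
        arp = parse_arp(frame)
        if arp is None or arp.sender_ip != self.gateway_ip:
            return None
        if arp.opcode not in (ARP_REQUEST, ARP_REPLY) or arp.sender_mac in self.trusted:
            return None
        if self.known_mac is None:          # first sighting: learn the binding
            self.known_mac = arp.sender_mac
            return None
        if arp.sender_mac != self.known_mac:
            kind = "request" if arp.opcode == ARP_REQUEST else "reply"
            alert = (f"gateway {self.gateway_ip} rebound from {self.known_mac} "
                     f"to {arp.sender_mac} via ARP {kind} to {arp.target_ip}")
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample: the real router answering, then another station claiming
# the gateway IP with its own MAC, once by reply and once by request.
GATEWAY_IP, ROUTER_MAC, OTHER_MAC = "10.1.1.1", "00:11:22:33:44:55", "aa:bb:cc:dd:ee:ff"
HOST_MAC, HOST_IP = "00:16:3e:aa:bb:01", "10.1.1.50"
SAMPLE_FRAMES = [
    _frame(ARP_REQUEST, HOST_MAC, HOST_IP, BROADCAST, GATEWAY_IP),   # host asks for router
    _frame(ARP_REPLY, ROUTER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),    # router answers: learned
    _frame(ARP_REPLY, OTHER_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),     # rebinding reply: alert
    _frame(ARP_REQUEST, OTHER_MAC, GATEWAY_IP, BROADCAST, HOST_IP),  # rebinding request: alert
    b"\x00" * 42,                                                    # not ARP: ignored
]


def run_sample(trusted_macs=()):
    mon = GatewayArpMonitor(GATEWAY_IP, trusted_macs=trusted_macs)
    for f in SAMPLE_FRAMES:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

In production the monitor would be fed from a tap or monitor port, which the passive architecture already provides, with expected_mac pinned rather than learned and the enforcer's MAC in trusted_macs. A first-hop redundancy failover (HSRP/VRRP) also rebinds the gateway IP legitimately, so the virtual MAC for that pair belongs in the trusted set too; anything else that rebinds the gateway is worth an alert.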

Page 18: PacketFence …because good fences make good neighbors

ARP Manipulation

[Diagram: ARP manipulation. Labels: All Traffic, Host, User, PacketFence, Switch, Internet, Router, Switch]

Page 19: PacketFence …because good fences make good neighbors

VLAN Change (Futures)

[Diagram: VLAN change. Labels: User, Internet, Router, Switch, Host, User, Host, Enforcement Point, Switch]

Page 20: PacketFence …because good fences make good neighbors

DNS (Futures)

[Diagram: DNS-based isolation. Labels: Host, User, Switch, Internet, Router, DNS Requests, Switch, DHCP, Enforcement Point & DNS]

Page 21: PacketFence …because good fences make good neighbors

DHCP (Futures)

[Diagram: DHCP-based isolation. Labels: Host, User, Enforcement Point & DNS/DHCP Server, Switch, Internet, Router, DHCP & DNS Requests, Switch]

Page 22: PacketFence …because good fences make good neighbors

Blackhole Injection (risky)

[Diagram: blackhole injection. Labels: User, Internet, Router, Switch, Host, User, Router, Switch, Host]

Page 23: PacketFence …because good fences make good neighbors

Page 24: PacketFence …because good fences make good neighbors

Page 25: PacketFence …because good fences make good neighbors

Implementations

- All current deployments are in “passive” mode
- Several residential networks and 2 schools
  - ~4500 users
  - 3781 registrations
  - ~125 violations
    - Nachi / Sasser, Agobot, Gaobot, etc. / IRC bots

Page 26: PacketFence …because good fences make good neighbors

Thanks!!!

Hot “fun” topic!

Questions?

Software available at: http://www.packetfence.org

Page 27: PacketFence …because good fences make good neighbors

References

- http://www.ece.cmu.edu/~lbauer/papers/policytr.pdf
- ftp://www6.software.ibm.com/software/developer/library/ws-policy.pdf
- http://www9.org/w9cdrom/345/345.html
- http://www.sans.org/resources/policies/Policy_Primer.pdf
- http://www.cs.sjsu.edu/faculty/stamp/students/Silky_report.pdf
- Harvard University network security best practices – Scott Bradner