Fences Make Good Neighbors: Monitoring Academic Networks at the Port Level
Educause Security Conference, April 4-5, 2005, Washington DC
David LaPorte / Kevin Amorin, Harvard University
Angelo Bravos, Judson College
1 Topics
Overview of the problems/needs
Solutions
–Bradford CampusManager
–PacketFence
Questions
2 Network (In)security
Perimeter security
–Firewalls, IDS, IPS, Router ACLs
–“Hard on the outside, soft on the inside”
–Leads to complacency
60-80% of attacks originate from systems on the internal network (behind the firewall)
–VPN
–Wireless
–Dial-up
3 Internal Network Protection/Control
Mirage Networks (ARP)
qRadar (ARP)
Wholepoint (ARP)
RNA networks (ARP)
Tipping Point (inline)
Etc.
Cisco (NAC)
Trend Micro (NAC)
Symantec (NAC)
Microsoft (NAP Q2-2005)
Juniper (TNC)
Foundry Networks (TCC)
Internal Network Security Funding 2004
–More than $80M ($13M Sept)
4 Academic Issues
Network Environment
–Worms
–Bot nets
–DMCA
–Policy violations (NATs, p2p applications)
Identity
–Who owns an infected/offending system?
Support
–Do you want to be manning the helpdesk on move-in day?
5 Academic Needs
Academic IT departments need better monitoring and control of network clients and devices, and a way to better enforce usage policies and security.
6 Academic Needs - Clients
Dealing with hosts with no antivirus
Better client management for all users accessing the network (Direct & Wireless)
Better client management for dorms and open labs
Enforcing acceptable usage policy
Identifying roamers
Denying/restricting service to certain groups
Restricting certain applications: chat, p2p, gaming
7 Academic Needs – Network management
Better management of different equipment: Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
Better Internet and Intranet bandwidth management
Enable and disable ports
Port-based VLAN switching
Discover network devices and connectivity
Alarm and notify on network events
Detection of Multi-Access Points
DHCP Application Server Management
8 Overview of Campus Manager
9 With Campus Manager the IT department can Improve Client Management:
Force registration of all users accessing the network (Direct & Wireless)
Port-based Registration
Improve the Helpdesk Interface
Enforce a usage policy such as Windows updates and anti-virus protection
Quarantine Unregistered and non-compliant Network Users
Identify who is accessing the Network and Locate Network Users
Control chatting, gaming, and file sharing
Restrict / Deny an individual User or Groups of Users
Enforce Preferred VLAN Switching and Dynamic VLAN Assignment
Audit Trail of Current and Historical Network Access
Automate Client / User Management Tasks
10 With Campus Manager the IT department can Improve Network Management:
Cisco, HP, 3Com, Enterasys, Packeteer, Nortel, Alcatel
Internet and Intranet bandwidth management
Enable and disable ports
Port-based VLAN switching
Discover network devices and connectivity
Keep track of network wiring information
Monitor network health
Alarm and notify on network events
Multi-Access Point Detection
DHCP Application Server Management
Configure network devices
Audit trail of network events
Automate network management tasks
23 What is PacketFence
Open-source network registration and worm mitigation solution
–Co-developed by Kevin Amorin and David LaPorte; GUI developed by Randy Heins, UIS NOC
–Captive portal: intercepts HTTP sessions and forces client to view content (similar to Bluesocket)
–Based on un-modified open-source components
24 Features
Network registration
–Register systems to an authenticated user: LDAP, RADIUS, POP, IMAP…anything Apache supports
–Force AUP acceptance
–Stores assorted system information: NetBIOS computer name & Web browser user-agent string, presence of some NAT device
–Stores no personal information: ID->MAC mapping only
–Above data can provide a rough system inventory
–Vulnerability scans at registration, scheduled/ad hoc
25 Features
Worm mitigation
–Behavioral and signature-based detection
–Optional isolation of infected nodes (implemented but not deployed)
–Self-remediation: empower users; provides remediation instruction specific to infection
Network “inoculation”
–Preemptively detect and trap vulnerable hosts
26 Features
Remediation
–Requires signature-based detection
–Provides user context-specific remediation instructions
–Redirection to the captive portal via proxy or via firewall pass-through
–Helpdesk support number if all else fails
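The registration and remediation flow of slides 24 and 26 comes down to a small amount of state per MAC address and one decision per intercepted HTTP request. The following is an added example written for this page, not PacketFence's own code: the portal hostname, violation ids and node fields are constructed, and authentication (LDAP, RADIUS, etc.) is assumed to have already happened and is represented only by the resulting user id. Two details worth noting: MAC addresses are canonicalised before every store and lookup, so one adapter cannot slip past the check under a different spelling, and requests addressed to the portal itself always pass, otherwise the redirect would loop.

```python
"""Network registration store and captive-portal redirect decision.

Added example modelled on the PacketFence registration/remediation slides;
not PacketFence code. Portal host, violation ids and fields are constructed.
"""
import re
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def normalize_mac(mac: str) -> str:
    """Canonicalise 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff' to 'aa:bb:cc:dd:ee:ff'."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Node:
    mac: str
    user_id: Optional[str] = None        # ID->MAC mapping only; no personal data is kept
    user_agent: Optional[str] = None     # browser user-agent string seen at registration
    netbios_name: Optional[str] = None   # NetBIOS computer name seen at registration
    behind_nat: bool = False             # a NAT device was detected in front of the host
    registered_at: Optional[float] = None
    violations: List[str] = field(default_factory=list)   # open violation ids


class Registry:
    def __init__(self, portal_host: str):
        self.portal_host = portal_host           # constructed, e.g. "portal.example.edu"
        self.nodes: Dict[str, Node] = {}

    def _node(self, mac: str) -> Node:
        mac = normalize_mac(mac)
        return self.nodes.setdefault(mac, Node(mac))

    def register(self, mac: str, user_id: str, *, accepted_aup: bool,
                 user_agent: Optional[str] = None, netbios_name: Optional[str] = None,
                 behind_nat: bool = False, now: Optional[float] = None) -> Node:
        """Bind a MAC to an already-authenticated user; AUP acceptance is mandatory."""
        if not accepted_aup:
            raise PermissionError("acceptable-use policy must be accepted first")
        node = self._node(mac)
        node.user_id = user_id
        node.user_agent = user_agent
        node.netbios_name = netbios_name
        node.behind_nat = behind_nat
        node.registered_at = time.time() if now is None else now
        return node

    def open_violation(self, mac: str, violation_id: str) -> None:
        node = self._node(mac)
        if violation_id not in node.violations:
            node.violations.append(violation_id)

    def close_violation(self, mac: str, violation_id: str) -> None:
        node = self.nodes.get(normalize_mac(mac))
        if node is not None:
            node.violations = [v for v in node.violations if v != violation_id]

    def decide_http(self, mac: str, host: str) -> Tuple[str, Optional[str]]:
        """Decide what to do with an intercepted HTTP request from `mac` to `host`.

        Returns ("pass", None) to let the request through, or ("redirect", url)
        to send the browser to the captive portal. Requests for the portal
        itself always pass, or the redirect would loop.
        """
        if host.lower() == self.portal_host.lower():
            return "pass", None
        node = self.nodes.get(normalize_mac(mac))
        if node is not None and node.violations:
            # Remediation first: an infected host stays on the portal until the
            # violation is closed, whether or not it is registered.
            return "redirect", f"http://{self.portal_host}/remediate?vid={node.violations[0]}"
        if node is None or node.user_id is None:
            return "redirect", f"http://{self.portal_host}/register"
        return "pass", None

    def inventory(self) -> List[Tuple[str, str, Optional[str], Optional[str], bool]]:
        """Rough system inventory from what registration recorded (slide 24)."""
        return sorted(((n.user_id, n.mac, n.netbios_name, n.user_agent, n.behind_nat)
                       for n in self.nodes.values() if n.user_id),
                      key=lambda t: (t[0], t[1]))
```

The same `Registry` object would be fed by the detection side (open_violation) and by the portal's remediation page (close_violation); the HTTP interceptor only ever calls decide_http.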
27 Inline
Security bottleneck
–immune to subversion
Fail-closed
Performance bottleneck
Single point of failure
May not be necessary/preferable
–academia
28 Passive
Fail-open solution
–Preferable in academic environment
No bandwidth bottlenecks
Network visibility
–Hub, monitor port, tap
Easy integration – no changes to infrastructure
–plug and play (pray?)
Manipulates client ARP cache
–“Virtually” in-line
29 ARP Manipulation
Man In the Middle (MiM)
ARP poisoning
30 Detection (optional)
Traffic analysis
–Anomaly based
–Signature based
–Time based
Snort with small signature set & portscan
Any signature and/or anomaly based detection tool can be used (“glue” will be necessary)
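The time-based detection mentioned on this slide can be shown with a plain scan detector run over flow records, which is the kind of "glue" that would sit between a traffic source and the registration system. This is an added example written for this page, not PacketFence or Snort code; the flow records and thresholds are constructed. A source is flagged when it touches too many distinct (destination, port) targets inside a sliding window, which catches both a horizontal sweep of one port across a subnet and a vertical walk of ports on one host, while a busy client that keeps re-using a single service is left alone.

```python
"""Time-based scan detection over flow records.

Added example of detection "glue" for a registration system; not PacketFence
or Snort code. Flow records and thresholds below are constructed.
"""
from collections import defaultdict, deque


class ScanDetector:
    """Flag a source that touches >= max_targets distinct (dst_ip, dst_port)
    pairs within window_s seconds. Alerts once per source."""

    def __init__(self, window_s=10.0, max_targets=20):
        self.window_s = window_s
        self.max_targets = max_targets
        self._recent = defaultdict(deque)   # src -> deque of (ts, (dst_ip, dst_port))
        self.alerted = {}                   # src -> ts of first alert

    def observe(self, ts, src, dst, dport):
        """Feed one flow; return True the first time `src` crosses the threshold."""
        q = self._recent[src]
        q.append((ts, (dst, dport)))
        while q and ts - q[0][0] > self.window_s:   # drop targets older than the window
            q.popleft()
        if src in self.alerted:
            return False
        if len({target for _, target in q}) >= self.max_targets:
            self.alerted[src] = ts
            return True
        return False


def scan_flows(flows, **kwargs):
    """Run the detector over (ts, src, dst, dport) records; return [(ts, src)] alerts."""
    det = ScanDetector(**kwargs)
    return [(ts, src) for ts, src, dst, dport in sorted(flows)
            if det.observe(ts, src, dst, dport)]


# Constructed flow log: (ts seconds, src, dst, dst_port).
SAMPLE_FLOWS = (
    # A busy but legitimate client: 40 connections to one web server.
    [(0.5 + i * 0.2, "10.1.1.5", "10.1.1.20", 80) for i in range(40)]
    # Horizontal sweep: one host probing TCP/445 across a /24 within a few seconds.
    + [(2.0 + i * 0.1, "10.1.1.77", f"10.1.2.{i}", 445) for i in range(1, 31)]
    # Vertical scan: one host walking ports 1..25 on a single server.
    + [(3.0 + p * 0.05, "10.1.1.90", "10.1.1.20", p) for p in range(1, 26)]
)

if __name__ == "__main__":
    for ts, src in scan_flows(SAMPLE_FLOWS):
        print(f"t={ts:.1f}s scan detected from {src}")
```

In a deployment the alert would become an open violation against the MAC behind `src`, which is what moves the host onto the remediation portal.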
31 Implementations
All current deployments are “passive” mode
Several residential networks and 2 schools
–~7076 systems
–~3934 registrations
–~225 violations: Nachi / Sasser, Agobot, Gaobot, etc. / IRC bots
32 Coming Soon…
Static IP/ARP Detection
DHCP Combat
Queue-based Violation/Registration
Independent components
Isolation mechanisms
–DHCP: change DHCP scope (reserved IP with enforcer gateway); change DNS server to resolve all IPs to Enforcer
–Switch port manipulation: change VLAN to isolation network; disable port
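The DNS half of the isolation mechanism above ("change DNS server to resolve all IPs to Enforcer") is a small protocol exercise: for a client the registration system has placed in isolation, every A query is answered with the enforcer's address; for everyone else the query is forwarded to the normal resolver. The following is an added example written for this page using only the standard library, not PacketFence code; the addresses and names are constructed. It handles the edge cases a sinkhole has to get right: a very short TTL so a remediated host stops landing on the enforcer quickly, and an empty NOERROR answer for non-A queries (AAAA, for instance) so the client falls back to A instead of timing out.

```python
"""DNS "enforcer" responder for isolated hosts.

Added example of the DNS isolation mechanism on the slide; not PacketFence
code. Standard library only; addresses and names are constructed.
"""
import socket
import struct

QTYPE_A = 1
SINKHOLE_TTL = 5   # seconds: short, so a remediated host stops resolving to the enforcer


def encode_qname(name: str) -> bytes:
    """Encode 'www.example.com' as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Client-side helper so the responder can be exercised offline."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, question_section_bytes) or raise ValueError."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if flags & 0x8000 or qdcount != 1:
        raise ValueError("not a single-question query")
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        ln = packet[pos]
        pos += 1
        if ln == 0:
            break
        if ln >= 64:   # a compression pointer has no business in a question name
            raise ValueError("unexpected compression pointer")
        labels.append(packet[pos:pos + ln].decode("ascii", "replace"))
        pos += ln
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, ".".join(labels), qtype, packet[12:pos + 4]


def answer_query(packet: bytes, client_ip: str, isolated: set, enforcer_ip: str):
    """Return a sinkhole response for isolated clients, None for everyone else.

    None means "forward to the normal resolver": only hosts the registration
    system has isolated are redirected, whatever name they ask for.
    """
    if client_ip not in isolated:
        return None
    txid, _qname, qtype, question = parse_question(packet)
    if qtype != QTYPE_A:
        # NOERROR with an empty answer section, so the client falls back to A.
        return struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + question
    answer = (b"\xc0\x0c"                                        # pointer to the question name
              + struct.pack("!HHIH", QTYPE_A, 1, SINKHOLE_TTL, 4)  # type, class, TTL, rdlength
              + socket.inet_aton(enforcer_ip))
    return struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + answer


def answered_address(response: bytes):
    """Address from a single-A-record response, or None if the answer section is empty."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None
```

Wrapped in a UDP socket loop on port 53, answer_query is the whole enforcer-side DNS component; the `isolated` set is the same violation state the registration system already keeps, which is what makes the two isolation mechanisms on this slide independent components.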
33 In Closing
PacketFence
–Open-source
–Passive deployment: “plug and play”, no infrastructure changes needed
–Proactive and reactive remediation
–Extremely configurable
34 In Closing – Campus Manager
An all-in-one management solution
Provides managed network access to all clients
Manages and controls wireless network access
Enforces a campus-wide network usage policy
Reduces the time to
- Locate users
- Take action on network access violations
- Detect network problems
- Troubleshoot network problems
- Configure network devices
Delegates client management to network operators and helpdesk personnel
Vendor-independent solution
Passive management system on the network
Comprehensive integrations with vendor solutions
Reallocate IT staff from building management solutions to managing the network services