Presentation is loading. Please wait.

Presentation is loading. Please wait.

Agenda Academic Issues Perimeter & Internal Security

Published byElinor O’Neal’ Modified over 8 years ago

Similar presentations

Presentation on theme: "Agenda Academic Issues Perimeter & Internal Security"— Presentation transcript:

0 PacketFence …because good fences make good neighbors
Michael Garofano, Director of IT, Harvard KSG Kevin Amorin, Sr. Security & Systems Engineer, Harvard KSG David LaPorte, Manager Network Security, Harvard (not present today)

1 Agenda Academic Issues Perimeter & Internal Security
PacketFence features Inline vs. Passive (out of line)

2 Academic Issues Help Desk Support
Limit spread of Worms Identify infected user DMCA (movie/music download violations) IP to user mapping

3 Academic Issues Inventory Gather Statistics List of MAC’s and owners
Get the more money! Number of IP’s, infections, helpdesk time, etc, active nodes,

4 Academic Issues Open vs. closed environment
Professors and students want unfettered access to the internet You can take your FIREWALL and put it… Some things break: Videoconferencing (H.323), Games (UDP non-statefull firewall), P2P, IM etc…

5 Average Network Security
Perimeter security Firewalls, IDS, IPS, Router ACLs Current architecture “Hard on the outside soft on the inside” Hard to protect the “inside” 60-80% of attacks originate from systems on the internal network (behind the firewall)

6 Worms wreak havoc August 11, 2003 Blaster and Welchia/Nachi
How did the worms get in? We block all types of traffic from the internet? (especially RPC) LAPTOPS!!!! Backdoors bypass perimeter defenses: Roaming users VPN Wireless Dialup

7 Internal Network Protection/Control
Mirage Networks (ARP) qRadar (ARP) Wholepoint (ARP) RNA networks (ARP) Tipping Point (inline) Etc.. Cisco (NAC) Trend Micro (NAC) Symantec (NAC) Microsoft (NAP Q2-2005) Juniper (TNC) Foundry Networks (TCC) Internal Network Security Funding 2004 More then $80M ($13M Sept)

8 What is PacketFence Open-source network registration and worm mitigation solution Co-developed by Kevin Amorin and David LaPorte Captive portal Intercepts HTTP sessions and forces client to view content Similar to NoCatAuth, Bluesocket Based on un-modified open-source components

9 Features Network registration
Register systems to an authenticated user LDAP, RADIUS, POP, IMAP…anything Apache supports Force AUP acceptance Stores assorted system information NetBIOS computer name & Web browser user-agent string Presence of some NAT device Stores no personal information ID->MAC mapping only Above data can provide a rough system inventory Vulnerability scans at registration

10 Features Worm mitigation Network scans
Signature and anomaly based detection Action based response Optional isolation of infected nodes Content specific information Empower users Provides remediation instruction specific to infection Network scans Preemptively detect and trap vulnerable hosts

11 Features Remediation Redirection to the captive portal
Requires signature-based detect Provides user context-specific remediation instructions Proxy Firewall pass-through Helpdesk support number if all else fails

12 Inline Performance bottleneck Single point of failure
Security bottleneck immune to subversion Fail-closed Performance bottleneck Single point of failure

13 Passive Fail-open solution No bandwidth bottlenecks Network visibility
Preferable in academic environment No bandwidth bottlenecks Network visibility Hub, monitor port, tap Easy integrating – no changes to infrastructure plug and play (pray?) Manipulates client ARP cache “Virtually” in-line

14 Passive Architecture

15 Why ARP? Trusting Easy to manipulate RFC826 1982 OS independent
Windows 95,98,ME,2k,xp,mac both type 1 & 2 Linux only type 1 Solaris ICMP & type 2 or 1

16 Methods of Isolation ARP DHCP VLAN switch If all else fails… Blackhole
Change the router’s ARP entry on the local system to enforcement point DHCP Change DHCP scope (reserved IP with enforcer gateway) or Change DNS server to resolve all IP’s to Enforcer VLAN switch Switch host to an isolation network with enforcer as the gateway If all else fails… Blackhole Router dynamic update Firewall/ACL update Disable switch port

17 ARP Manipulation

18 VLAN Change (Futures)

19 DNS (Futures)

20 DHCP (Futures)

21 Blackhole Injection (risky)

22

23

24 Implementations All current deployments are “passive” mode
Several residential networks and 2 schools ~4500 users 3781 registrations ~125 violations Nachi / Sasser,Agobot,Gaobot,etc / IRC bots

25 Thanks!!! Software available at: Hot “fun” topic! Questions?

26 References http://www.ece.cmu.edu/~lbauer/papers/policytr.pdf
ftp://www6.software.ibm.com/software/developer/library/ws-policy.pdf Harvard University network security Best practices – Scott Bradner

Download ppt "Agenda Academic Issues Perimeter & Internal Security"

Similar presentations

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.

5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Network Access Control Systems at Educational Institutions Richard Becker Brian Leslie Kansas State University.

Network Access Control Systems at Educational Institutions Richard Becker Brian Leslie Kansas State University.
Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.

Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.

Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
فاتن يحيى إسماعيل فاتن يحيى إسماعيل م. مهندس م. مهندس Network Security.

فاتن يحيى إسماعيل فاتن يحيى إسماعيل م. مهندس م. مهندس Network Security.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
NetPass and Northwestern By Julian Y. Koh As told by Robert Vance NUIT-Telecom & Network Services.

NetPass and Northwestern By Julian Y. Koh As told by Robert Vance NUIT-Telecom & Network Services.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, 2009 05/30/2009.

WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.

Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
Wi-Fi Structures.

Wi-Fi Structures.
Fences Make Good Neighbors Monitoring Academic Networks at the Port Level Educause Security Conference April 4, 5 2005 Washington DC David LaPorte / Kevin.

Fences Make Good Neighbors Monitoring Academic Networks at the Port Level Educause Security Conference April 4, Washington DC David LaPorte / Kevin.
Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.

Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.
All Rights Reserved © Alcatel-Lucent 2010 1 | Dynamic Enterprise Tour – Safe NAC Solution | 2010 Protect your information with intelligent Network Access.

All Rights Reserved © Alcatel-Lucent | Dynamic Enterprise Tour – Safe NAC Solution | 2010 Protect your information with intelligent Network Access.
Network Architecture for Automatic Security and Policy Enforcement Internet2 Members Meeting Fall 2005 Eric Gauthier ~ Boston University Kevin Amorin ~

Network Architecture for Automatic Security and Policy Enforcement Internet2 Members Meeting Fall 2005 Eric Gauthier ~ Boston University Kevin Amorin ~
Office of Information Technologies CAMP: Bridging Security and Identity Management Christopher Misra 14 February 2008 Tempe, AZ Protecting Network Assets.

Office of Information Technologies CAMP: Bridging Security and Identity Management Christopher Misra 14 February 2008 Tempe, AZ Protecting Network Assets.
Fermilab VPN Service What is a VPN ?.

Fermilab VPN Service What is a VPN ?.
Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.

Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.

Similar presentations

Ads by Google