Information Technology at Emory Copyright Jay D. Flanagan, 2005. This work is the intellectual property of the author. Permission is granted for this material.

Presentation transcript:

Information Technology at Emory
Copyright Jay D. Flanagan. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Network Registration and Intrusion Prevention Services Implementation at Emory University
Jay D. Flanagan
Security Professionals Conference, April 2005


Security at Emory
In 2000 it was determined that more and better security was needed to protect the Emory environment.
In 2001 a Security Initiatives Project was proposed and funded:
– Over 1 million dollars was set aside for the initiatives
– Initial projects included:
  – Firewalls
  – Virus Scanning
  – Vulnerability Scanning
  – Web Content Security

Security at Emory: Firewalls
– Firewall protection is the cornerstone of the security project
– Firewall protection has been implemented at the Emory border gateway to the Internet, for the School of Public Health (SPH), for Resnet and for our Administrative Trusted Core (the Administrative Trusted Core protects those services that are considered confidential and restricted)

Security at Emory: Border Gateway Firewall
– Implemented in the Fall of 2001
– Specific rules set up to protect the Emory Academic network
– Rules block traffic that targets specific vulnerabilities which could adversely affect machines and their ability to work


Security at Emory: SPH Firewall
– Implemented in Summer of 2001
– Protects all SPH services with a deny-all-but-necessary rule set
– Supports a large distance learning group


Security at Emory: Administrative Trusted Core Firewall
– Implemented in Fall of 2003
– Very restricted rule set
– Utilizes a DMZ (Demilitarized Zone) for publicly accessible services
– Utilizes a VPN firewall for remote access services
– Entities protected by the Trusted Core include PeopleSoft, Human Resources, Purchasing, ITD Web Services, Evening at Emory, Ace/Donor and Finance
– Other services preparing to move into the core include ITD AIS Services and ITD System services
– The Security Team is working and planning with other schools and departments to determine if they should move into the Trusted Core


Security at Emory: Virus Scanning
– Went into production in January of 2003
– Service has been a huge success
– All inbound and outbound e-mail, including internal outbound, is scanned
– Hundreds of thousands of e-mail-borne viruses blocked by the virus scanners

Security at Emory: Virus Scanning
– Scanning of e-mail has been extremely successful

Security at Emory: Virus Scanning Architecture
The firewall in this architecture diagram is the Admin Core / DMZ firewall. The virus scanners all sit in the DMZ.

Security at Emory: Desktop Virus Scanning
– New desktop antivirus software from Symantec implemented in Summer of 2003
– Pushed out to all users on campus via the Emory on Line (EOL) CD
– Set up managed AV services for ITD in Fall of 2004
  – Working with other schools and departments on campus to set up the managed service
  – Other schools and departments using the managed service include Emory College, Theology, Campus Life and BioChemistry


Security at Emory: Spam Scanning Service
– Spam is a huge problem for Emory users
– Implemented centralized spam scanning in 2003
  – Scanned all incoming e-mail to Emory’s central mail service, Eagle Mail
– Other campus servers added to this service in late 2003 and 2004
  – Including Learnlink, Listserv, Nursing, Cell Biology, Spinal, Housing, Physics, Physiology, Bimcore, MathCS, Facilities, SPH, Law School and Biology

Security at Emory: Spam Scanning Service
– We are continuing to upgrade this service. The following graph shows the amount of spam being scanned and found by this service:

Security at Emory: Spam Scanning
– Implemented scanning of all inbound e-mail utilizing Trend Micro’s IMSS product
The firewall in this architecture diagram is the Admin Core / DMZ firewall. The spam scanners all sit in the DMZ.

Security at Emory: Vulnerability Scanning Service
– Scan servers or desktops upon request from the user (local support)
  – Utilizing Internet Scanner from Internet Security Systems (ISS) and Nessus
– Over 100 machines are scanned regularly
  – Including PeopleSoft, ITD, Emory College, Neurology, University Communications and Campus Life
– Scan all student desktops as part of the Network Registration project
  – Utilizing Nessus
  – Over 4000 machines scanned

Security at Emory: Vulnerability Scanning Service
– Offering a self-service vulnerability scanning service for system administrators and local support
  – Implemented in January 2005
  – Utilizing Nessus
  – Administrators from Emory College, Bio-Chemistry and ITD have requested the use of this service

Security at Emory: Web Content Security
– Secure authentication and authorization to Web applications
– Utilizes Netegrity SiteMinder
– Went into production in April of 2002
– Utilizes LDAP for authentication
  – Allows use of the Healthcare LDAP, so Healthcare users can utilize their Healthcare id
– Over 40 applications currently protected by Netegrity
  – Including Emory Budget Office, Registrar, Trustee site, Student Voting and Med School

Not Enough?
In the Fall of 2003, Emory was hit by the Blaster and Welchia viruses/worms, like many other universities
– Thousands of machines were infected
– Many were never completely cleaned
In the Spring of 2004, Emory was hit by a rash of DDoS attacks which took down the academic network
– Almost 60% of the attacks were initiated by machines on our Resnet network


More needed to be done
Even with the many new security initiatives in place, infections, compromises and outages were occurring
– Caused major disruptions to Emory operations
  – During registration at the beginning of the school year
  – During finals at the end of the school year
New options needed to be found and implemented
– Network Redesign
– Network Registration
– Intrusion Prevention

New Security Initiatives: Network Redesign
– Resnet Network
  – Over 60% of the DDoS attacks in the spring of 2004 were from our Resnet network
  – Copyright violations were increasing, with over 70% from our Resnet network
  – How to prevent these attacks and violations from occurring while at the same time protecting the Resnet network?
    – Move the Resnet network outside the Academic Core firewall
    – Implement IPS / IDS
    – Implement Firewall


New Security Initiatives: Network Redesign
– SPH Network
  – Supports a large distance learning group
  – Moved from the Academic Core to the Border network to facilitate the distance learning service


New Security Initiatives: Network Registration
– The user computer’s hardware (MAC) address is registered before the computer gains access to the Emory network
– Initial implementation was on the Resnet network
– Over 4000 student machines were registered
– Those same machines were scanned by the Nessus vulnerability scanner as part of the registration
– Security incidents on Resnet have declined since implementation

New Security Initiatives: Network Registration
– The following graph shows how security incidents have declined:

New Security Initiatives: Resnet w/ NetReg Architecture (diagram)

New Security Initiatives: Network Registration Architecture / Flow (diagram)
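The registration flow described on the preceding slides (register the machine's MAC address, scan it, then grant network access) as an added Python example; this is not Emory's NetReg implementation, and the registry entries, the 30-day rescan interval and the DHCP-style lease lines are constructed assumptions.

```python
"""Added example (not Emory's NetReg code): a minimal model of the admission
decision a MAC-based network registration system makes. The rescan interval,
registry entries and lease lines are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

SCAN_MAX_AGE = timedelta(days=30)  # assumed rescan policy interval

@dataclass
class Registration:
    owner: str          # who registered the machine
    scan_passed: bool   # result of the last vulnerability scan
    scanned_at: datetime

def normalize_mac(mac: str) -> str:
    """Canonicalise 00-11-22-33-44-55, 0011.2233.4455 or 00:11:22:33:44:55
    to lower-case colon form so registry lookups are format-independent."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def admission_decision(mac, registry, now):
    """Return (segment, reason); admit only if registered, scan passed and scan not stale."""
    try:
        key = normalize_mac(mac)
    except ValueError as exc:
        return "quarantine", str(exc)
    reg = registry.get(key)
    if reg is None:
        return "quarantine", "unregistered: redirect to registration portal"
    if not reg.scan_passed:
        return "quarantine", "last vulnerability scan failed: remediation required"
    if now - reg.scanned_at > SCAN_MAX_AGE:
        return "quarantine", "scan result stale: rescan required"
    return "production", f"registered to {reg.owner}"

# Constructed DHCP-style lease events, the trigger a registration system sees.
LEASE_RE = re.compile(r"^\S+ \S+ DHCPREQUEST from (?P<mac>\S+)")
SAMPLE_LEASES = """\
2005-04-12 08:01:22 DHCPREQUEST from 00:11:22:33:44:55 via vlan10
2005-04-12 08:01:40 DHCPREQUEST from 00-11-22-33-44-66 via vlan10
2005-04-12 08:02:03 DHCPREQUEST from 0011.2233.4477 via vlan10
2005-04-12 08:02:15 DHCPREQUEST from 00:11:22:33:44:88 via vlan10
2005-04-12 08:02:30 DHCPREQUEST from zz:11:22:33:44:99 via vlan10
""".splitlines()

def process_leases(lines, registry, now):
    """Map each lease line to (mac as seen, segment, reason)."""
    out = []
    for line in lines:
        m = LEASE_RE.match(line)
        if m:
            segment, reason = admission_decision(m["mac"], registry, now)
            out.append((m["mac"], segment, reason))
    return out

def demo():
    """Constructed registry: one clean machine, one failed scan, one stale scan."""
    now = datetime(2005, 4, 12, 8, 0)
    registry = {
        "00:11:22:33:44:55": Registration("student-a", True, now - timedelta(days=2)),
        "00:11:22:33:44:66": Registration("student-b", False, now - timedelta(days=1)),
        "00:11:22:33:44:77": Registration("student-c", True, now - timedelta(days=45)),
    }
    return process_leases(SAMPLE_LEASES, registry, now)
```

Only the first lease reaches the production segment; the failed scan, the stale scan, the unregistered address and the malformed address are all held on the quarantine segment with a reason that can be shown on the registration portal.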

New Security Initiatives: Network Registration – Phase 2
– The 2nd phase of Network Registration implements this service in other portions of the Emory campus
  – Initially:
    – Library
    – Oxford
  – Other schools and departments indicating interest include:
    – Law School
    – School of Public Health

New Security Initiatives: Network Registration – Phase 2
– Implementing at these other entities has different requirements
– Specifically, guest access requirements
– With these new requirements, an evaluation was done of vendor products, including Perfigo’s Clean Machine and Bradford’s Campus Manager

New Security Initiatives: Network Registration – Phase 2
– Implementing network registration in places like Oxford and the Library will give us an excellent indication of how it will roll out to the entire campus
– Phase 2 part 1 of the project would implement network registration at Oxford and the Library
– Phase 2 part 2 would move the rest of the campus

New Security Initiatives: Intrusion Detection / Prevention
– Original proposal implemented Intrusion Detection
  – Manual intervention necessary for all alerts
  – Resource intensive
  – Large number of false positives
– Decided to evaluate Intrusion Prevention
  – Alerts like intrusion detection
  – Automatically blocks hacks and attacks without manual intervention
  – Fewer resources necessary to manage multiple boxes
  – Non-existent false positives

New Security Initiatives: Intrusion Prevention
– Implemented two IPS boxes in July of 2004
  – Interfaces for the Resnet, Administrative Trusted Core and border network firewalls


New Security Initiatives: Intrusion Prevention
– Implemented four more IPS boxes in October of 2004
  – Interfaces for the entire Academic Core and SPH


New Security Initiatives: Intrusion Prevention
– The IPS implementation has been extremely successful
  – Literally millions of hacks, attacks and compromises have been blocked by this service
  – The graphs on the following two slides show our success


Summary
– We have come a long way in securing the Emory network
– Work still remains
– The steps outlined here will help in making Emory more secure by being aggressive and proactive in our vigilance against hacks, attacks, compromises and viruses


Contact Information
Jay D. Flanagan – Security Team Lead

Questions?