Agenda Academic Issues Perimeter & Internal Security

Slides:



Advertisements
Similar presentations
5.1 Overview of Network Access Protection What is Network Access Protection NAP Scenarios NAP Enforcement Methods NAP Platform Architecture NAP Architecture.
Advertisements

Computer Security: Principles and Practice Chapter 9 – Firewalls and Intrusion Prevention Systems.
Network Access Control Systems at Educational Institutions Richard Becker Brian Leslie Kansas State University.
Wireless and Network Security Integration Defense by Hi-5 Marc Hogue Chris Jacobson Alexandra Korol Mark Ordonez Jinjia Xi.
5-Network Defenses Dr. John P. Abraham Professor UTPA.
Cosc 4765 Network Security: Routers, Firewall, filtering, NAT, and VPN.
فاتن يحيى إسماعيل فاتن يحيى إسماعيل م. مهندس م. مهندس Network Security.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
NetPass and Northwestern By Julian Y. Koh As told by Robert Vance NUIT-Telecom & Network Services.
WIRELESS SECURITY DEFENSE T-BONE & TONIC: ALY BOGHANI JOAN OLIVER MIKE PATRICK AMOL POTDAR May 30, /30/2009.
Firewalls Presented by: Sarah Castro Karen Correa Kelley Gates.
Wi-Fi Structures.
Fences Make Good Neighbors Monitoring Academic Networks at the Port Level Educause Security Conference April 4, Washington DC David LaPorte / Kevin.
Barracuda Web Filter Overview March 26, 2008 Alan Pearson, Monroe County School District Marcus Burge, Network Engineer.
All Rights Reserved © Alcatel-Lucent | Dynamic Enterprise Tour – Safe NAC Solution | 2010 Protect your information with intelligent Network Access.
Network Architecture for Automatic Security and Policy Enforcement Internet2 Members Meeting Fall 2005 Eric Gauthier ~ Boston University Kevin Amorin ~
Office of Information Technologies CAMP: Bridging Security and Identity Management Christopher Misra 14 February 2008 Tempe, AZ Protecting Network Assets.
Fermilab VPN Service What is a VPN ?.
Being Proactive with Computer Posture Assessment Department of Housing and Residence Education Charles Benjamin.
Securing a Wireless Network
© 2012 Cisco and/or its affiliates. All rights reserved. 1 CCNA Security 1.1 Instructional Resource Chapter 10 – Implementing the Cisco Adaptive Security.
Khaja Ahmed Architect Windows Networking Microsoft Corporation.
Network Services Lesson 6. Objectives Skills/ConceptsObjective Domain Description Objective Domain Number Setting up common networking services Understanding.
Course 201 – Administration, Content Inspection and SSL VPN
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls.
000000_1 Confidential and proprietary information of Ingram Micro Inc. — Do not distribute or duplicate without Ingram Micro's express written permission.
©2003–2008 Check Point Software Technologies Ltd. All rights reserved. CheckPoint new security architecture and R70 highlights.
1 Network Admission Control to WLAN at WIT Presented by: Aidan McGrath B.Sc. M.A.
The Operator Neutral Access At KistaIP. KistaIP ? Is a student dorm with 144 apartments.
Internal NetworkExternal Network. Hub Internal NetworkExternal Network WS.
OV Copyright © 2013 Logical Operations, Inc. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
University of Montana - Missoula Adam Ormesher & Chase Maier.
Module 4: Configuring ISA Server as a Firewall. Overview Using ISA Server as a Firewall Examining Perimeter Networks and Templates Configuring System.
OV Copyright © 2011 Element K Content LLC. All rights reserved. Network Security  Network Perimeter Security  Intrusion Detection and Prevention.
Module 2: Installing and Maintaining ISA Server. Overview Installing ISA Server 2004 Choosing ISA Server Clients Installing and Configuring Firewall Clients.
1 Improving Security Through Automated Policy Compliance Christopher Stevens Director of Network and Technical Services Lewis & Clark College Educause.
Network Security Technologies CS490 - Security in Computing Copyright © 2005 by Scott Orr and the Trustees of Indiana University.
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
IP Security IP sec IPsec is short for Internet Protocol Security. It was originally created as a part of IPv6, but has been retrofitted into IPv4. It.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Campus Networking Best Practices Hervey Allen NSRC & University of Oregon Dale Smith University of Oregon & NSRC
Resnet Enhancements and Directions Part 1, Bruce Campbell, Information Systems and Technology.
Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.
Net Optics Confidential and Proprietary 1 Bypass Switches Intelligent Access and Monitoring Architecture Solutions.
Data Communications and Networks Chapter 10 – Network Hardware and Software ICT-BVF8.1- Data Communications and Network Trainer: Dr. Abbes Sebihi.
Secure Wired Local Area Network( LAN ) By Sentuya Francis Derrick ID Module code:CT3P50N BSc Computer Networking London Metropolitan University.
Supporting a Wireless Network By Gareth Ayres.
CS460 Final Project Service Provider Scenario David Bergman Dong Jin Richard Bae Scott Greene Suraj Nellikar Wee Hong Yeo Virtual Customer: Mark Scifres.
1 Week #5 Routing and NAT Network Overview Configuring Routing Configuring Network Address Translation Troubleshooting Routing and Remote Access.
Security fundamentals Topic 10 Securing the network perimeter.
7.4 Update - ISE Session.
Unit 2 Personal Cyber Security and Social Engineering Part 2.
So how to identify exactly who and what is on your network at any point in time? Andrew Noonan, SE ForeScout February 2015.
Chapter 14.  Upon completion of this chapter, you should be able to:  Identify different types of Intrusion Detection Systems and Prevention Systems.
Great Bay Beacon Extreme Sentriant AG RADIUS router (proxy) Network Enforcement Point Switches Cisco Enterasys Extreme HP APs Introduction to NAC Switches.
FIREWALLS An Important Component in Computer Systems Security By: Bao Ming Soh.
Security fundamentals
Network Admission Control: A Survey of Approaches Educause 2008
CompTIA Security+ Study Guide (SY0-401)
Implementing Network Access Protection
Welcome To : Group 1 VC Presentation
CompTIA Security+ Study Guide (SY0-401)
Check Point Connectra NGX R60
Protecting Network Assets
Network Access Control
Implementing Client Security on Windows 2000 and Windows XP Level 150
Intrusion Detection system
Network Access Control
Presentation transcript:

PacketFence …because good fences make good neighbors Michael Garofano, Director of IT, Harvard KSG Kevin Amorin, Sr. Security & Systems Engineer, Harvard KSG David LaPorte, Manager Network Security, Harvard (not present today) mgarofano@ksg.harvard.edu kamorin@ksg.harvard.edu david_laporte@harvard.edu

Agenda Academic Issues Perimeter & Internal Security PacketFence features Inline vs. Passive (out of line)

Academic Issues Help Desk Support Limit spread of Worms Identify infected user DMCA (movie/music download violations) IP to user mapping

Academic Issues Inventory Gather Statistics List of MAC’s and owners Get the more money! Number of IP’s, infections, helpdesk time, etc, active nodes,

Academic Issues Open vs. closed environment Professors and students want unfettered access to the internet You can take your FIREWALL and put it… Some things break: Videoconferencing (H.323), Games (UDP non-statefull firewall), P2P, IM etc…

Average Network Security Perimeter security Firewalls, IDS, IPS, Router ACLs Current architecture “Hard on the outside soft on the inside” Hard to protect the “inside” 60-80% of attacks originate from systems on the internal network (behind the firewall)

Worms wreak havoc August 11, 2003 Blaster and Welchia/Nachi How did the worms get in? We block all types of traffic from the internet? (especially RPC) LAPTOPS!!!! Backdoors bypass perimeter defenses: Roaming users VPN Wireless Dialup

Internal Network Protection/Control Mirage Networks (ARP) qRadar (ARP) Wholepoint (ARP) RNA networks (ARP) Tipping Point (inline) Etc.. Cisco (NAC) Trend Micro (NAC) Symantec (NAC) Microsoft (NAP Q2-2005) Juniper (TNC) Foundry Networks (TCC) Internal Network Security Funding 2004 More then $80M ($13M Sept)

What is PacketFence Open-source network registration and worm mitigation solution Co-developed by Kevin Amorin and David LaPorte Captive portal Intercepts HTTP sessions and forces client to view content Similar to NoCatAuth, Bluesocket Based on un-modified open-source components

Features Network registration Register systems to an authenticated user LDAP, RADIUS, POP, IMAP…anything Apache supports Force AUP acceptance Stores assorted system information NetBIOS computer name & Web browser user-agent string Presence of some NAT device Stores no personal information ID->MAC mapping only Above data can provide a rough system inventory Vulnerability scans at registration

Features Worm mitigation Network scans Signature and anomaly based detection Action based response Optional isolation of infected nodes Content specific information Empower users Provides remediation instruction specific to infection Network scans Preemptively detect and trap vulnerable hosts

Features Remediation Redirection to the captive portal Requires signature-based detect Provides user context-specific remediation instructions Proxy Firewall pass-through Helpdesk support number if all else fails

Inline Performance bottleneck Single point of failure Security bottleneck immune to subversion Fail-closed Performance bottleneck Single point of failure

Passive Fail-open solution No bandwidth bottlenecks Network visibility Preferable in academic environment No bandwidth bottlenecks Network visibility Hub, monitor port, tap Easy integrating – no changes to infrastructure plug and play (pray?) Manipulates client ARP cache “Virtually” in-line

Passive Architecture

Why ARP? Trusting Easy to manipulate RFC826 1982 OS independent Windows 95,98,ME,2k,xp,mac both type 1 & 2 Linux only type 1 Solaris ICMP & type 2 or 1

Methods of Isolation ARP DHCP VLAN switch If all else fails… Blackhole Change the router’s ARP entry on the local system to enforcement point DHCP Change DHCP scope (reserved IP with enforcer gateway) or Change DNS server to resolve all IP’s to Enforcer VLAN switch Switch host to an isolation network with enforcer as the gateway If all else fails… Blackhole Router dynamic update Firewall/ACL update Disable switch port

ARP Manipulation

VLAN Change (Futures)

DNS (Futures)

DHCP (Futures)

Blackhole Injection (risky)

Implementations All current deployments are “passive” mode Several residential networks and 2 schools ~4500 users 3781 registrations ~125 violations Nachi / Sasser,Agobot,Gaobot,etc / IRC bots

Thanks!!! Software available at: Hot “fun” topic! Questions? http://www.packetfence.org

References http://www.ece.cmu.edu/~lbauer/papers/policytr.pdf ftp://www6.software.ibm.com/software/developer/library/ws-policy.pdf http://www9.org/w9cdrom/345/345.html http://www.sans.org/resources/policies/Policy_Primer.pdf http://www.cs.sjsu.edu/faculty/stamp/students/Silky_report.pdf Harvard University network security Best practices – Scott Bradner

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.