Copyright Scott Conti Tools that Work… …At Umass-Amherst Scott F. Conti Network Operations Manager
Copyright Scott Conti UMASS-Amherst Network Vital Statistics Class B network (umass.edu ) 142 buildings All 42 Residential buildings networked 8800 Residence hall connections (port-per-pillow) 5500 Academic building connections 900- Cisco 24 port Switches (1900 and 2900 series) 5 Cisco 6509 core switches, 2 Cisco 5500 switches 600 Off-campus dial-in modem lines (2) DS-3 (45mb/s) commodity Internet connections DS-3 - Internet2 connection
Copyright Scott Conti How do we find the port ? Lookup IP address in DHCP server logs Search switches for MAC address in switch CAM tables Lookup Jack activation record in Remedy database jacktrack database Netreg database (students) Verify correct jack check logs if necessary
Copyright Scott Conti Remedy Jacktrack system The Remedy AR (Action Request) system is used to manage all aspects of Jack activation for administrative jacks. Activates Switch ports immediately, or sends request to Cable Engineering for crosswiring. Support database lookups on any identifying field Provides real-time statistics on request processing. Allows movement of workflow through multiple departments.
Copyright Scott Conti Network Services Remedy Screen
Copyright Scott Conti Remedy Jacktrack Schema
#./quickfind searching for haml-198.res.umass.edu. ( ) Enet address for : 00:e0:98:02:4c:69 Checking if haml-198.res.umass.edu. is operating....host IS operating. 19XX, ignoring ports 25(AUI), 26(A), 27(B): 00:e0:98:02:4c:69 found on haml-sw-210-1, 21 getting room number from OIT/NSS Jack Tracking Building and Room: HAML 427 =========================================================== 1 Building : HAML 10 Switch Port : 21 2 Room Number : Jack Number : Jack Letter : C 5 Last Name : TUTHILL 6 First Name : RICK 7 Phone Number : UMAccess acct : tuthill 9 Name : haml-sw =========================================================== 1 Building : HAML 10 Switch Port : 13 2 Room Number : Jack Number : Jack Letter : D 5 Last Name : MISRA 6 First Name : CHRISTOPHER 7 Phone Number : UMAccess acct : crispy 9 Name : haml-sw =========================================================== IP address : Enet address: 00:e0:98:02:4c:69 Lease Starts: 1999/12/09 15:59:06; Lease Ends : 1999/12/14 15:59:06; Lease Client: "Mole"; #
Copyright Scott Conti Netreg Developed by Southwestern University Works by issuing a temporary “non-routable” DHCP lease until the user registers the MAC address of the machine. Spoofs all DNS queries to registration server. Once registered, user can obtain a normal DHCP issued IP address.
Copyright Scott Conti Netreg - Subnet Overview
Copyright Scott Conti Netreg – Subnet Details
Copyright Scott Conti Netreg - Lease Information
Copyright Scott Conti Netreg – User Information
Copyright Scott Conti Systool Systool is a web-front end that runs PERL scripts that parse the Cisco Log files. Router Tool – queries router logs Dialup Tool – queries AS5800 Access- server dial-in logs.
Copyright Scott Conti Systool – Router Tool Query
Copyright Scott Conti Systool – Router Tool
Copyright Scott Conti Systool – Router Tool Top Ten
Copyright Scott Conti Honeypot systems A Honeypot system is a deception tool that allows a cracker to attack a “vulnerable system”. The system can be a “real” or a “virtual” machine. (Straight Linux or UML) Intrusion Detection system sits nearby and logs hacking attempts. At Umass – we move our Honeypot around to different subnets. Check out -
Copyright Scott Conti Incident Database - Console
Copyright Scott Conti Incident Database – Query
Copyright Scott Conti Trend – Top Talkers
Copyright Scott Conti “The Packet of Shame”
Copyright Scott Conti Thank You ! Scott F. Conti University of Massachusetts-Amherst
Copyright Scott Conti SANS ECN – Emergency Communications Network ! If you are an amateur radio operator and interested in participating in the SANS Emergency Communications Network project - please talk to me at the break or send me at: