Advanced Internet Bandwidth and Security Strategies Fred Miller Illinois Wesleyan University.


1 Advanced Internet Bandwidth and Security Strategies Fred Miller Illinois Wesleyan University

2 Advanced Internet Bandwidth & Security Strategies
How Illinois Wesleyan University:
–Minimizes copyright infringement notices
–Allows peer-to-peer computing
–Maintains sub-second web performance
–Mitigates denial of service attacks
–Identifies virus infections
–Controls illegal activities on the campus network

3 Advanced Internet Bandwidth & Security Strategies
Layers of security
Intrusion Detection
–Host based intrusion detection
–Network based intrusion detection
  Knowledge based
  Behavior based
Bandwidth management & monitoring
User education and enforcement

4 About Illinois Wesleyan University
Liberal arts - 2100 students
–1800 on-campus residents
IT Resource limitations
–16 IT Staff
–Voice, video, & data
Environment
–100 Mbps switched port per pillow
–18 Mbps Internet connection
–No technology fee
–Some wireless
–LDAP authentication

5 Bandwidth & Security Strategies
User Education (and results)
Firewall & IP address policies
Response Time Measurement
Bandwidth Policies
Monitoring and detection
Redirection & quarantine
Judicial procedures
Future plans

6 User Education
Computer Incident Factor Analysis and Categorization (CIFAC) Project
–IT personnel
  More education and training…
–Users
  More education and training…
–Non IT Staff
  More education…
–Networks
  More resources, more and better procedures…

7 User Education @ Illinois Wesleyan
Freshman orientation
Web site, portal & e-mail lists
One on one training
Help desk
Assessment
Our customers
–Novices
–“The Mistaken”

8 User Education - Results

9

10 Firewall & IP Address Policies
No MAC registration (yet)
DHCP
All local 10.x.x.x IP numbers
Ports blocked inbound, few outbound
Restrict SMTP, SNMP, etc.

11 Response Time Measurement
Library consortium
RRDTOOL
MRTG ping probe
Packetshaper command: rtm sho

12 rtm sho

13 Bandwidth Policies Detail*
Traffic classification
Flow control
Host lists
Class licenses
*Command line vs. web interface

14 Traffic classification
Classify in and out - hundreds of classes
No changes for time of day
Can block/restrict by IP#, port, or protocol
Partitions and policies
Peer to peer - low priority, typically 10k policy in, 1k policy out
Gamers are a challenge

15

16 Flow control Limits the number of new flows per minute for client or server actions

17 Classification and Flow Control No auto-discovery, but all traffic classified

18 Host lists
Groups of internal or external IP numbers using bandwidth rules
Quarantine internal users
Limit groups of high bandwidth servers
Quickly block intruders
Identify servers for additional priority

19

20 Class licenses Limit how many connections per class

21 Monitoring and Detection
Know what’s typical and atypical
Check for top bandwidth users
Watch number of flows - active and failed
Spot check
Automation
Community

22 Know what’s typical & atypical –sys heal

23 Monitoring and Detection
Check for top bandwidth users
–Over time
  hos top sho /outbound
  host top sho /inbound
  host inf -sr -i
–Right now
  host inf -sr -n 10

24 Monitoring and Detection
Watch number of flows - active and failed
–host inf -sf -n 10
–host inf -sp -n 10

25 Monitoring and Detection
Spot check
–Overall (e.g., check tree)
  tr tr
–Individual classifications
  tr fl -tupIc/outbound/discoveredports/students
  tr his recent /inbound/multimedia/mpeg-video
–Individual machines (servers & clients)
  tr fl -tupIA10.x.x.x
  tr his find 10.x.x.x

26 Monitoring and Detection
Automation
–Rule sets: application and port rules
–E-mail notifications
–Identify & isolate violators
–Packetshaper Adaptive Response
–Snort

27 Monitoring and Detection Automation - Packetshaper Adaptive Response

28 Monitoring and Detection Automation - Packetshaper Adaptive Response

29 Monitoring and Detection
Automation - Snort
–By Martin Roesch
–Extensive rule sets
–Henwen & Letterstick = Snort GUI for Mac

30 Monitoring & Detection

31 Monitoring and Detection
Community - firewall log analysis
–D-Shield Distributed Intrusion Detection System http://www.dshield.org/
–D-Shield Academic http://dshield.infosecurityresearch.org/
–SANS Internet Storm Center http://isc.sans.org
–Computer Emergency Response Team http://www.cert.org

32 Redirection & Quarantine
Soft quarantine
Hard quarantine with redirect

33 Judicial Procedures
Network disruption - logical disconnect
RIAA notices - less than 1 per month
Students referred to Associate Dean of Students for judicial processes

34 Future Plans
Cisco ASA - firewall, VPN, intrusion detection
More Adaptive Response
More Snort
45 Mbps Internet
NetReg? Clean Access?
–VLAN Quarantine
Wireless authentication

35 Advanced Internet Bandwidth & Security Strategies
Summary
–User education is key
–Need layers of security
–Bandwidth management & monitoring
–Intrusion detection and prevention
  Hosts and network
  More application level detection
  Support more community efforts
–Enforce policies with judicial procedures

36 Additional References…
Packeteer Education e-mail list http://www.packeteer.com/prod-sol/stanford.cfm
EDUCAUSE Intrusion Detection Resources http://www.educause.edu/Browse/645?PARENT_ID=661
CIFAC Project Report (volume 1) http://www.educause.edu/LibraryDetailPage/666?ID=CSD4207
Illinois Wesleyan IT Policies http://titan.iwu.edu/IT/policies/
Snort http://www.snort.org
Henwen & Letterstick http://seiryu.home.comcast.net/henwen.html

