INDIANA UNIVERSITY
Automated Network Isolation at Indiana University
David A. Greenberg, Information Technology Security and Policy Office

Presentation transcript:

1 Automated Network Isolation at Indiana University
David A. Greenberg, Information Technology Security and Policy Office, Indiana University
Copyright Indiana University 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

2 Indiana University
– Founded in 1820
– 8 campuses
– ~100,000 Students
– ~18,000 Faculty and Staff
http://factbook.indiana.edu/fbook05/fast_facts/fastfacts1.shtml

3 IT Security and Policy Office
– Reports directly to CIO
– University-wide office
– Staff responsible for a wide range of technologies

4 Incident Response
Coordinating response to incidents of abuse or inappropriate use of information or information technology, such as:
– Computer and network security breaches
– Unauthorized disclosure or modification of electronic information
– Denial of service attacks
– Port probes, scans
– Identifying virus-infected machines
– Copyright infringement (DMCA)
– Forgery, fraud, harassment, chain mail, etc.

5 Incident Response Process
– Reports sent in to our tracking system
– Gather supporting technical data
– Interact with computer security officers to assist with technical investigation
– Package technical information for IU governance agencies, IU legal counsel, law enforcement, prosecutors, university administration, etc.

6 Incident Response Statistics

7 What types of common blocks exist?
On Campus
– DHCP lease
– Switch port
– Null Route
– Router ACL
Remote Access
– Dialup modem pool
– VPN access

8 Null Route
A route that goes nowhere:
    > route add 192.168.1.1 mask 255.255.255.255 0.0.0.0
Unicast Reverse Path Filtering (RPF)
– Prevents traffic sourced from the null-routed IP

9 Null Routing (diagram: Internet, Router, 129.79.0.0, 0.0.0.0)

10 Block characteristics
The device can still communicate with other hosts on the same VLAN, but its traffic is not routed beyond it.
Typically used in place of a switch port block because it is easier to implement.
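As an added illustration (not from the slides), a small Python model of the null route plus uRPF behaviour described on slides 8 to 10: a /32 host route pointing at the discard interface, longest-prefix lookup, and the reverse-path check that also stops traffic sourced from the blocked host. The prefixes, next-hop names and host addresses are constructed, not IU's configuration.

```python
import ipaddress

# Constructed routing table for a campus border router (prefixes chosen to match the
# slides' examples, not IU's real configuration). next_hop None is the discard interface.
BASE_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "isp-uplink"),
    (ipaddress.ip_network("129.79.0.0/16"), "campus-core"),
]

def add_null_route(routes, ip):
    """'route add <ip> mask 255.255.255.255 0.0.0.0': a host route that goes nowhere."""
    routes.append((ipaddress.ip_network(f"{ip}/32"), None))

def lookup(routes, ip):
    """Longest-prefix match; returns the next hop, None meaning discard."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def forward(routes, src, dst, urpf=True):
    """Router decision for one packet: 'forward' or the reason it was dropped."""
    if lookup(routes, dst) is None:
        return "drop: destination null-routed"
    # Unicast RPF: a source whose best route is the discard interface fails the check,
    # so the same null route also stops traffic *from* the blocked host.
    if urpf and lookup(routes, src) is None:
        return "drop: uRPF (source null-routed)"
    return "forward"

def demo(blocked="129.79.1.10", neighbour="129.79.1.11", outside="203.0.113.5"):
    """Null-route one campus host and report how the router treats each direction.
    Traffic between `blocked` and `neighbour` on the same VLAN never reaches the
    router, which is why slide 10 says the device stays reachable locally."""
    routes = list(BASE_ROUTES)
    add_null_route(routes, blocked)
    return {
        "inbound_to_blocked": forward(routes, outside, blocked),
        "outbound_from_blocked": forward(routes, blocked, outside),
        "outbound_no_urpf": forward(routes, blocked, outside, urpf=False),
        "neighbour_outbound": forward(routes, neighbour, outside),
    }
```

The `outbound_no_urpf` case shows why the slide pairs the null route with RPF: without it the blocked host can still send.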

11 Null Route
Pros
– Blocks take effect almost instantaneously
– Can block many devices efficiently
– Integration with web interface and shell interface
Cons
– Devices on the same VLAN are still exposed to the threat
– Reporting limited (no means yet to associate IPs with the responsible computer support staff)
– Only keeps track of IPs
– Not suitable for dynamic IPs

12 IU Core Network Map

13 Automated Network Isolation (ANI)
The coupling of Network Intrusion Detection and Null Routing made easy
In a nutshell
– ITSO Intrusion Detection Sensors (IDS) detect malicious activity
– IDS notifies Null Route Injector "hub" to block IP
– ANI block is set with an expiration time of 10 mins
– Limited view ability

14 ANI cont'd
Ideal for people who have the authority to block devices from the network but do not maintain network hardware.
Initial automated ANI rollout focused on only one IDS rule, with fairly low incidence and high confidence.


17 Block List

18 3-way Handshake (diagram, CLIENT and SERVER)
Setup: SYN, SYN + ACK, ACK
Teardown: FIN, ACK, FIN, ACK

19 SSH brute force attack
    13:01:34.006421 IP 128.148.y.z.22 > 129.79.aa.bb.49343: F ack
    13:01:34.006432 IP 128.148.y.z.22 > 129.79.aa.bb.49358: S ack
    13:01:34.006812 IP 129.79.aa.bb.49343 > 128.148.y.z.22: . ack
    13:01:34.006872 IP 129.79.aa.bb.49358 > 128.148.y.z.22: . ack
    13:01:34.076087 IP 128.148.y.z.22 > 129.79.aa.bb.49358: . ack

20 SSH attack after ANI block
    13:01:43.325296 IP 129.79.aa.bb.44337 > 128.148.x.y.22: F 0:0(0) ack
    13:01:43.973671 IP 129.79.aa.bb.49358 > 128.148.a.b.22: F 469:469(0) ack
    13:01:44.723014 IP 129.79.aa.bb.49358 > 128.148.a.b.22: F 469:469(0) ack
    13:01:45.117176 IP 129.79.aa.bb.50781 > 128.148.c.d.22: F 468:468(0) ack
    13:01:45.192800 IP 129.79.aa.bb.44319 > 128.148.c.d.22: F 449:449(0) ack
    13:01:45.194553 IP 129.79.aa.bb.48956 > 128.148.e.f.22: F 468:468(0) ack
    13:01:45.237350 IP 129.79.aa.bb.44576 > 128.148.g.h.22: F 469:469(0) ack

21 Additional Resources
Indiana University IT Security Office
– http://itso.iu.edu/
IU Knowledge Base
– http://kb.iu.edu/
Indiana University
– http://www.indiana.edu/


24 Data submission
    # Block request handed to the Null Route Injector hub; the variable name
    # suggests it is serialised as WDDX before being sent.
    my $wddx_data = {
        requestor     => "$user via sniffer",
        action        => "BLOCK",
        ipaddr        => $ipaddr,
        expire        => $expire_time,
        itso_reason   => $sig,
        itpo_incident => "$incident",
    };
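An added end-to-end example, not code from the presentation, that models the ANI flow of slides 13, 19 and 24 in Python: a rule that spots a campus host fanning out SSH connections, a block request carrying the same fields as the Perl hash with a 10-minute expiry, and a toy hub that lets the block lapse on its own. The sample packets, the threshold, the incident id and the hub are all constructed for this illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed tcpdump-style lines modelled on slide 19 (addresses are made up): one
# campus host opens SSH connections to many outside servers, a second host to just one.
SAMPLE_LINES = """\
13:01:34.006421 IP 129.79.10.20.49343 > 128.148.1.2.22: S
13:01:34.006432 IP 129.79.10.20.49358 > 128.148.3.4.22: S
13:01:34.006812 IP 129.79.10.20.50781 > 128.148.5.6.22: S
13:01:34.006872 IP 129.79.10.20.44319 > 128.148.7.8.22: S
13:01:34.076087 IP 129.79.10.21.40000 > 128.148.1.2.22: S
""".splitlines()
SYN = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.(\d+): S")
CAMPUS_PREFIX = "129.79."          # only campus-sourced hosts are ever null-routed
DISTINCT_HOST_THRESHOLD = 3        # hypothetical rule threshold, not IU's
BLOCK_TTL = timedelta(minutes=10)  # ANI blocks expire after 10 minutes (slide 13)

def ssh_spray_sources(lines, threshold=DISTINCT_HOST_THRESHOLD):
    """Campus sources that sent SYNs to port 22 on at least `threshold` distinct hosts."""
    targets = {}
    for line in lines:
        m = SYN.match(line)
        if m and m.group(3) == "22" and m.group(1).startswith(CAMPUS_PREFIX):
            targets.setdefault(m.group(1), set()).add(m.group(2))
    return sorted(src for src, hosts in targets.items() if len(hosts) >= threshold)

def block_request(ipaddr, sig, incident, now, user="ani"):
    """Same fields as the Perl hash on slide 24, with expire set 10 minutes out."""
    return {"requestor": f"{user} via sniffer", "action": "BLOCK", "ipaddr": ipaddr,
            "expire": (now + BLOCK_TTL).isoformat(timespec="seconds"),
            "itso_reason": sig, "itpo_incident": incident}

class NullRouteHub:
    """Toy stand-in for the Null Route Injector hub: keeps blocks until they expire."""
    def __init__(self):
        self.blocks = {}  # ipaddr -> expiry datetime
    def submit(self, req):
        if req["action"] == "BLOCK":
            self.blocks[req["ipaddr"]] = datetime.fromisoformat(req["expire"])
    def active(self, now):
        """Purge expired entries and return the IPs still null-routed at `now`."""
        self.blocks = {ip: exp for ip, exp in self.blocks.items() if exp > now}
        return sorted(self.blocks)

def run_demo():
    """Detect, submit, then show the block list at block time and 10 minutes later."""
    t0 = datetime(2006, 1, 1, 13, 1, 34)
    hub = NullRouteHub()
    for src in ssh_spray_sources(SAMPLE_LINES):
        hub.submit(block_request(src, "SSH brute force", "INCIDENT-PLACEHOLDER", t0))
    return hub.active(t0), hub.active(t0 + BLOCK_TTL)
```

Only the host that fanned out to several servers is blocked; the second host, which contacted one server, stays below the threshold, and the block disappears once the 10 minutes are up.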

