Infected Host Isolation via Packeteer PacketShaper Ben Freitag Grand Valley State University

Step 1 – Detect the Infected Hosts 1. Cisco IDS Blade 2. Firewall Flows/Server Connections 3. Abnormal Traffic in the Packeteer 4. Complaints from the outside world

Cisco IDS Blade This is the preferred method We use this as a passive monitor to look for infected hosts

Firewall Flows/Server Connections Manual scanning of the connections table in our PIX Blades SMTP Related Virii show up in our mail queues Looks like has the Sasser worm:

Abnormal Traffic in the Packeteer & Complaints from the outside world These are ‘lucky catches’ – would prefer these were caught earlier Packeteer Aspect usually only works with Auto Discovery

Step 2 – Block the host At the top of our Packeteer traffic-tree we have created a Folder & Small partition for Blocking. Within the folder we’ve created several classes depending on the type of violation. These classes have a never-admit policy that redirects them to an internal web-site.

Step 2 (Continued) The Hosts are tied to the classes via a Host Lists for each category: Virus, Abuse, Unauthorized Equipment & Other. The additions can be made via CLI or via simple VB Application created for our Help Desk:

The User Experience When a ‘redirected host’ attempts to view a website off of GVSU’s network – they are greeted with a website similar to:

The User Experience (Cont.) From these websites they can request reactivation or are instructed to call the Help Desk for further assistance. The Help Desk logs these incidents as Trouble Tickets and is separately tracking offending IPs - tying them to MAC address, student name etc.

Problems Can require an enormous amount of time – especially at the beginning of the school year. Does not scale well Not proactive – no real-time way to tie users to IPs.

The Future We are evaluating several appliances to provide Network Admission Control (NAC) services such as Perfigo (Cisco) & Blue Socket.