
1 Isolating Threats on the University Network Tom N. Jagatic IT Policy Office

2 Overview
About us
Types of incidents
Blocks: pros/cons and diagnosing
Intrusion detection
ANI: Automated Network Isolation
Tips to better identify hosts and up-to-date contact info
Questions

3 Incident Response (ITPO/ITSO)
Respond and investigate incidents related to misuse or abuse of Indiana University information technology resources.
–computer and network security breaches
–unauthorized disclosure or modification of electronic institutional or personal information

4 [image-only slide; no transcript text]

5 Types of Incidents
Non-behavioral
–Malicious code: worms, viruses, trojans, IRC bots
–Misconfiguration: network bridge, ethernet loop, rogue dhcpd
Behavioral
–Account misuse, student suspension, copyright violation (DMCA)

6 Who can block and why?
ITPO/ITSO
–Incidents of misuse/abuse of technology resources
Network Operations
–Misconfigured devices, causing degradation to network stability or performance
–Wireless network bridges, Ethernet loops, rogue wireless access points (WAPs), unauthorized network address translation (NAT) devices.

7 Who can block and why?
Per IT-11: Excessive Use of Information Technology Resources
–“Emergency actions: Service managers, system administrators, and security and network engineers may temporarily suspend or block access to an information technology resource, or stop processes active in an account when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of university or other computing resources, or to protect the university from liability.”
Such blocks may be tied to the service or host (not necessarily network blocks).

8 What types of “common” blocks exist?
On campus
–DHCP lease
–Switch port
–Black hole/null route
Remote Access
–Dialup modem pool
–VPN access

9 DHCP lease block
Pros
–Reporting via MAS tools (https://mas.iu.edu/)
–Effective on all networks using central DHCP services (follows user if they move)
–Can be used in lieu of VPN account block for campus wireless
Cons
–Doesn’t take effect immediately
–Possible to block MAC address without knowing registrant. This will change in January (IPSAP).

10 [image-only slide; no transcript text]

11 IP Address Security & Accountability Project (IPSAP) To increase network security and accountability, the UITS IP Address Security and Accountability Project (IPSAP) requires IU network computers to use DHCP to acquire a dynamic IP address. Note: As part of this project, beginning January 4, 2006, all computers on IUB and IUPUI DHCP subnets must be registered.

12 Switch port block
Pros
–Conceptually equivalent to unplugging the network cable
Cons
–Easy to circumvent: use adjacent jack
–Manual process: not feasible for many hosts
–Recordkeeping can be tricky: which jack/port was associated with the blocked IP? What was the MAC address of the IP?
–Device must be on the network in order to block

13 Black hole/null route
Pros
–Blocks take effect almost instantaneously
–Can block many devices efficiently
–Integration with ANI
Cons
–Devices on same VLAN still exposed to threat
–Reporting limited within UITS/Support Center (no means to associate IPs belonging to LSP yet)

14 Black hole/null route (cont’d)
–Only keeps track of IPs; registrants not associated with blocked IPs (notification best-effort and handled outside of null route injector)
–Not suitable for dynamic IPs, such as remote access (VPN and dialup)

15 Remote Access: Modem
Pros
–Simple to diagnose the block
–Difficult to circumvent (unless you have a second account)
Cons
–Can take up to several hours before the session terminates and stop records are written.
–Block prevents modem access from *any* device (not solely the offending one)

16 Remote Access: VPN
Subtleties
–Wireless: dhcp block
–Remote: change to ADS (wireless access)
Pros
–For wireless hosts, can target only offending host
–Excellent logging (radius and dhcp) and reporting (wireless--MAS)

17 Remote Access: VPN cont’d.
Cons
–For wireless, block latency same as dhcp; for remote, block doesn’t take effect until session terminates
–May be confusing to diagnose, as some blocks may be a combination of wireless and remote
–VPN account block sometimes confused with users not granted VPN access (during account creation)

18 Notifications
For remote access (VPN and dialup) and registered DHCP hosts, notifications are easily correlated with subscriber records.
For static IPs or devices which fit into the “other” category, manual record searches must be done to determine host “ownership”. Can be very arduous!

19 Subject: IT Policy Office: Notice of compromised host (uliblsp/1e:a7:de:ad:be:ef)
Date: Mon, 31 Oct 2005 14:06:24 -0500 (EST)
From: IT Policy Office
To: uliblsp@iupui.edu

ULIBLSP,

Network reports indicate that the computer listed below has been compromised. It appears a bot has taken over the system. A "bot," or "robot," is a program that is installed by an intruder, so that the machine takes actions automatically, as programmed by the intruder and at times specified by the intruder who put the bot there.

Our research indicates that these bots are being spread through several methods. One method is instant messenger programs like AOL Instant Messenger (AIM). The Knowledge Base article "What should I do if my computer is infected with an AIM Trojan?" (http://kb.iu.edu/data/aqhm.html) contains some good advice about how to prevent your computer from being infected through instant messaging.

Date                    Type    IP address      MAC address
----------------------- ------- --------------- -----------------
2005-10-30 14:05:38     dhcp    134.68.0.1      1e:a7:de:ad:be:ef

*** Network access for this user or computer is being blocked to ***
*** protect the University network from this threat.             ***

To recover from this compromise it is necessary to completely rebuild the computer. When a computer is compromised in this manner, anything on the system can be modified and/or monitored by someone else.
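The notice above depends on one correlation step: the blocked IP, taken at the time of the event, is matched against DHCP lease records to find the MAC and, through IPSAP registration, the LSP of record. For a dynamic address the timestamp decides which MAC held the IP, which is why slide 14 calls the null route unsuitable for dynamic IPs and slide 18 calls the unregistered case arduous. The following Python is an added example, not the IT Policy Office's or the MAS/IPSAP code: the lease record layout, the LSP field and the sample leases are constructed assumptions.

```python
"""Added example: correlate a blocked dynamic IP with DHCP lease records to
find the MAC and the LSP to notify, then render the evidence table used in
the notice. Lease layout, LSP field and sample records are constructed
assumptions, not IU's MAS or IPSAP data."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime
    lsp: str  # LSP of record for the MAC's IPSAP registration; "" if unregistered


def _dt(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample leases. 134.68.0.1 is held by two different MACs on two
# different days: an IP alone, without a timestamp, does not identify a host.
LEASES: List[Lease] = [
    Lease("134.68.0.1", "1e:a7:de:ad:be:ef", _dt("2005-10-30 09:00:00"),
          _dt("2005-10-30 21:00:00"), lsp="uliblsp@iupui.edu"),
    Lease("134.68.0.1", "00:11:22:33:44:55", _dt("2005-10-31 08:00:00"),
          _dt("2005-10-31 20:00:00"), lsp=""),
    Lease("134.68.0.2", "66:77:88:99:aa:bb", _dt("2005-10-30 09:00:00"),
          _dt("2005-10-30 21:00:00"), lsp="otherlsp@iupui.edu"),
]


def lease_at(ip: str, when: str, leases: List[Lease] = LEASES) -> Optional[Lease]:
    """Return the lease that held `ip` at `when` ("YYYY-MM-DD HH:MM:SS"), or None.
    The half-open interval [start, end) avoids matching two leases at a boundary."""
    t = _dt(when)
    for lease in leases:
        if lease.ip == ip and lease.start <= t < lease.end:
            return lease
    return None


def notification_target(ip: str, when: str, leases: List[Lease] = LEASES
                        ) -> Tuple[Optional[str], Optional[str], str]:
    """Decide whom to notify for a block on `ip` observed at `when`.

    Returns (mac, contact, how):
      how == "ipsap"  -> registered DHCP host: LSP of record found automatically
      how == "manual" -> static IP, no lease at that time, or unregistered MAC:
                         a manual record search is needed (slide 18's arduous case)
    """
    lease = lease_at(ip, when, leases)
    if lease is None:
        return None, None, "manual"
    if lease.lsp:
        return lease.mac, lease.lsp, "ipsap"
    return lease.mac, None, "manual"


def notice_table(ip: str, when: str, leases: List[Lease] = LEASES) -> str:
    """Render the Date/Type/IP/MAC evidence table in the layout of the notice."""
    lease = lease_at(ip, when, leases)
    mac = lease.mac if lease else "unknown"
    widths = (23, 7, 15, 17)
    cols = ("Date", "Type", "IP address", "MAC address")
    header = " ".join(c.ljust(w) for c, w in zip(cols, widths))
    rule = " ".join("-" * w for w in widths)
    row = " ".join(v.ljust(w) for v, w in zip((when, "dhcp", ip, mac), widths))
    return "\n".join((header, rule, row))


if __name__ == "__main__":
    print(notification_target("134.68.0.1", "2005-10-30 14:05:38"))
    print(notice_table("134.68.0.1", "2005-10-30 14:05:38"))
```

Querying the same IP one day later returns a different, unregistered MAC and falls back to the manual path; querying it outside any lease returns no MAC at all, which is the static-IP case the slide describes.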

20 [image-only slide; no transcript text]

21 [image-only slide; no transcript text]

22 How do we know what to block?
Investigation of reports sent to us via (abuse|it-incident|itso|itpo)@(indiana|iupui|iu).edu
Data gleaned from network flow analysis (netflow)
IDS: Intrusion detection (network)
Other resources used to identify malicious activity, sometimes combined with above.

23 Intrusion Detection
Detecting actions that attempt to compromise the confidentiality, integrity or availability of a resource
Network based
Packet inspection or “sniffing”: snort, ngrep
Emphasis on high confidence, low false positives
In some instances, we act upon anomalous activity (e.g. FTPd using nonstandard ports)

24 Automated Network Isolation (ANI)
The coupling of Network Intrusion Detection and Null Routing made easy
In a nutshell
–ITSO IDS sensors detect malicious activity
–IDS notifies Null Route Injector “hub” to block IP
–ANI block is set with an expiration time of 10 mins
Support Center has ability to view null routed IPs (ANI and manually entered)

25 ANI cont’d
Null route/blackhole: In some sense, can be viewed as a “poor man’s” switch port block
–Not as effective as switch port or dhcp block (device can still communicate on its own VLAN)
Initial ANI rollout focusing on only one IDS rule, with fairly low incidence and high confidence.
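The ANI loop on slides 24 and 25, written out as an added Python model that is not IU's null route injector: an IDS alert becomes a null route with the 10-minute expiry, a repeat alert refreshes the timer instead of installing a duplicate route, manually entered blocks persist until cleared and are never downgraded by an automatic one, and the Support Center view lists both kinds. It also encodes the caveat from slide 14 by refusing addresses from a dynamic remote-access pool, since a null route keyed on such an IP would outlive the session. The alert format, the Cisco IOS style command template and the pool prefix are assumptions.

```python
"""Added example: a toy Automated Network Isolation (ANI) hub that turns IDS
alerts into expiring null routes. Not IU's injector: the alert format, the
Cisco-IOS-style command template and the remote-access pool prefix are
assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ANI_TTL = timedelta(minutes=10)  # slide 24: ANI blocks expire after 10 minutes
# Constructed: pool handed out dynamically (VPN/dialup). A null route keyed on
# such an IP would outlive the session and hit the next user (slide 14).
DYNAMIC_POOLS = [ip_network("192.0.2.0/24")]


def ts(s: str) -> datetime:
    """Parse "YYYY-MM-DD HH:MM:SS" (helper so callers need no datetime import)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


@dataclass
class NullRoute:
    ip: str
    reason: str                  # block code, e.g. "Botted host" (slide 31)
    source: str                  # "ani" (automatic) or "manual" (entered by staff)
    created: datetime
    expires: Optional[datetime]  # None: manual entry, stays until cleared


class NullRouteHub:
    """Central hub that owns the null-route table and emits router commands."""

    def __init__(self) -> None:
        self.routes: Dict[str, NullRoute] = {}
        self.commands: List[str] = []  # what would be pushed to the router

    def _install(self, ip: str) -> None:
        self.commands.append(f"ip route {ip} 255.255.255.255 Null0")

    def _remove(self, ip: str) -> None:
        self.commands.append(f"no ip route {ip} 255.255.255.255 Null0")

    @staticmethod
    def is_dynamic(ip: str) -> bool:
        return any(ip_address(ip) in pool for pool in DYNAMIC_POOLS)

    def block_from_ids(self, alert: dict, now: datetime) -> Optional[NullRoute]:
        """Handle an IDS alert {'src_ip': ..., 'rule': ...}.

        Returns the route now in force for the IP, or None when a null route is
        the wrong tool (dynamic pool: a DHCP or VPN account block is needed).
        """
        ip = alert["src_ip"]
        if self.is_dynamic(ip):
            return None
        current = self.routes.get(ip)
        if current is not None and current.source == "manual":
            return current  # never downgrade a manual block to an expiring one
        if current is None:
            self._install(ip)  # a repeat alert only refreshes the timer
        route = NullRoute(ip, alert["rule"], "ani", now, now + ANI_TTL)
        self.routes[ip] = route
        return route

    def block_manual(self, ip: str, reason: str, now: datetime) -> NullRoute:
        """Staff-entered block: no expiry, and it overrides any ANI entry."""
        if ip not in self.routes:
            self._install(ip)
        route = NullRoute(ip, reason, "manual", now, None)
        self.routes[ip] = route
        return route

    def unblock(self, ip: str) -> bool:
        if self.routes.pop(ip, None) is None:
            return False
        self._remove(ip)
        return True

    def expire(self, now: datetime) -> List[str]:
        """Drop ANI entries whose TTL has passed; returns the IPs released."""
        released = [ip for ip, r in self.routes.items()
                    if r.expires is not None and r.expires <= now]
        for ip in released:
            self.unblock(ip)
        return released

    def is_blocked(self, ip: str, now: datetime) -> bool:
        r = self.routes.get(ip)
        return r is not None and (r.expires is None or now < r.expires)

    def report(self) -> List[str]:
        """Support Center view: every null-routed IP, ANI and manual alike."""
        return [f"{r.ip:<15} {r.source:<6} {r.reason}"
                + (f" (expires {r.expires:%H:%M:%S})" if r.expires else "")
                for r in sorted(self.routes.values(), key=lambda r: r.ip)]


if __name__ == "__main__":
    hub = NullRouteHub()
    t0 = ts("2005-10-31 14:00:00")
    hub.block_from_ids({"src_ip": "134.68.0.1", "rule": "Botted host"}, t0)
    hub.block_manual("134.68.0.2", "Rogue DHCPd", t0)
    print("\n".join(hub.report()))
    print("released:", hub.expire(ts("2005-10-31 14:11:00")))
    print("\n".join(hub.commands))
```

The `commands` list stands in for the router session: in this model only a first sighting installs a route and only an expiry or a manual clear removes one, so a host that keeps tripping the same rule stays blocked without the table or the router growing.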

26 [image-only slide; no transcript text]

27 I suspect a device is blocked, what steps should I take?
Step 0 (avoid subsequent steps): If possible, associate the device with your department or network id (IPSAP/dhcp).
Step 1: diagnose that it is indeed a block, before calling the Support Center
Characteristics of each block
–DHCP: Device will not be given a DHCP lease; therefore it will not be put on either the public or the private (10.x) network. NOTE: If wireless, the device may appear on the guest wireless network.

28 Block characteristics cont’d
–Switch port: Link light may be dark. Using a network tester or laptop, the jack remains unresponsive.
–Null route/blackhole: The device can communicate with other hosts on the same VLAN, yet is not routed beyond.
–Modem: End-user will be unable to establish PPP session. Following message may be displayed: “Your account has been disabled.”

29 Block characteristics cont’d
–VPN: wireless (see dhcp); remote, user is unable to authenticate to VPN server.
Step 2: Contact the Support Center for further info if all troubleshooting options have been exhausted.

30 Once a block has been identified
All blocks will be labeled with:
–A reason: (see next page)
–An action: What needs to occur before re-enabling.
Rebuild (in which case they need to take ALL steps as outlined in http://kb.iu.edu/data/anbp.html)
Clean
Reconfigure (fix configuration to stop this)
Contact ITPO.
MAS reporting interface: LSPs can leverage it only if end-users associate themselves

31 Block codes: Backdoor.Migmaf; Backdoor.Sinit; Botted host; Compromised host; Contact ITPO; Dameware; DMCA; DMCA1; DMCA2; DMCA3; FTPd; HOD; Marketscore; NOC request; Open proxy; Port scanning; Probing for FTP; Rogue DHCPd; Router; RPC overflow; RPC scanning; Slammer; Spam; W32.Beagle; W32.Blaster; W32.Korgo; W32.MyDoom; W32.Welchia; WAP; Wireless bridge

32 As an LSP, how do I get improved notifications & block reporting?
Notifications
–IPSAP: be identified as the LSP of record for the blocked device (will show how to update)
–Only dhcp is supported under IPSAP at this time.
–Non-dhcp (with the exception of remote access) continue as a best-effort manual process to identify the owner
Reporting
–https://mas.iu.edu/ : View real-time dhcp blocks for machines where you are identified as LSP.
IPSAP is the pillar

33 https://dhcp.indiana.edu/

34 [image-only slide; no transcript text]

35 [image-only slide; no transcript text]

36 Other ways to better identify your hosts and contact info
For static IPs, use intuitive names for DNS records (A records and inverse)
Same with computer name
Notify dns-admin@(indiana|iupui).edu when
–IPs deallocated; or reallocated within your group
–Changes in staffing occur that may be impacted
Ensure your department/unit information is correct in the PICs LSP database

37 Questions?

