Download Leveraging Web Service Security Standards

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
Document related concepts

Computer network wikipedia , lookup

Recursive InterNetwork Architecture (RINA) wikipedia , lookup

Peering wikipedia , lookup

Airborne Networking wikipedia , lookup

Net bias wikipedia , lookup

Deep packet inspection wikipedia , lookup

SIP extensions for the IP Multimedia Subsystem wikipedia , lookup

Dynamic Host Configuration Protocol wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Network tap wikipedia , lookup

Wireless security wikipedia , lookup

Computer security wikipedia , lookup

Nonblocking minimal spanning switch wikipedia , lookup

Piggybacking (Internet access) wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Zero-configuration networking wikipedia , lookup

Distributed firewall wikipedia , lookup

Transcript 
PacketFence
…because good fences make good neighbors
Michael Garofano, Director of IT, Harvard KSG
Kevin Amorin, Sr. Security & Systems Engineer, Harvard KSG
David LaPorte, Manager Network Security, Harvard (not present today)
[email protected]
[email protected]
[email protected]
Agenda
Academic Issues
Perimeter & Internal Security
PacketFence features
Inline vs. Passive (out of line)
1
Academic Issues
Help Desk Support
– Limit spread of Worms
– Identify infected user
DMCA (movie/music download violations)
– IP to user mapping
2
Academic Issues
Inventory
– List of MAC’s and owners
Gather Statistics
– Get the more money!
– Number of IP’s, infections, helpdesk time, etc,
active nodes,
3
Academic Issues
Open vs. closed environment
– Professors and students want unfettered
access to the internet
You can take your FIREWALL and put it…
– Some things break:
Videoconferencing (H.323), Games (UDP nonstatefull firewall), P2P, IM etc…
4
Average Network Security
Perimeter security
– Firewalls, IDS, IPS, Router ACLs
Current architecture
– “Hard on the outside soft on the inside”
Hard to protect the “inside”
60-80% of attacks originate from systems
on the internal network (behind the
firewall)
5
Worms wreak havoc
August 11, 2003 Blaster and Welchia/Nachi
How did the worms get in? We block all types of
traffic from the internet? (especially RPC)
LAPTOPS!!!!
Backdoors bypass perimeter defenses:
–
–
–
–
Roaming users
VPN
Wireless
Dialup
6
Internal Network Protection/Control
Mirage Networks (ARP)
qRadar (ARP)
Wholepoint (ARP)
RNA networks (ARP)
Tipping Point (inline)
Etc..
Cisco (NAC)
Trend Micro (NAC)
Symantec (NAC)
Microsoft (NAP Q2-2005)
Juniper (TNC)
Foundry Networks (TCC)
Etc..
Internal Network Security Funding 2004
– More then $80M ($13M Sept)
7
What is PacketFence
Open-source network registration and
worm mitigation solution
– Co-developed by Kevin Amorin and
David LaPorte
– Captive portal
Intercepts HTTP sessions and forces client to view content
Similar to NoCatAuth, Bluesocket
– Based on un-modified open-source
components
8
Features
Network registration
– Register systems to an authenticated user
LDAP, RADIUS, POP, IMAP…anything Apache supports
– Force AUP acceptance
– Stores assorted system information
NetBIOS computer name & Web browser user-agent string
Presence of some NAT device
– Stores no personal information
ID->MAC mapping only
– Above data can provide a rough system inventory
– Vulnerability scans at registration
9
Features
Worm mitigation
– Signature and anomaly based detection
– Action based response
Optional isolation of infected nodes
– Content specific information
Empower users
Provides remediation instruction specific to
infection
Network scans
– Preemptively detect and trap vulnerable hosts
10
Features
Remediation
– Redirection to the captive portal
– Requires signature-based detect
– Provides user context-specific remediation
instructions
Proxy
Firewall pass-through
– Helpdesk support number if all else fails
11
Inline
Security bottleneck
– immune to subversion
Fail-closed
Performance bottleneck
Single point of failure
12
Passive
Fail-open solution
– Preferable in academic environment
No bandwidth bottlenecks
Network visibility
– Hub, monitor port, tap
Easy integrating – no changes to infrastructure
– plug and play (pray?)
Manipulates client ARP cache
– “Virtually” in-line
13
Passive Architecture
DB
PacketFence
Internet
`
User
Host
Router
14
Why ARP?
Trusting
– Easy to manipulate
RFC826 1982
OS independent
– Windows 95,98,ME,2k,xp,mac both type 1 & 2
– Linux only type 1
– Solaris ICMP & type 2 or 1
15
Methods of Isolation
ARP
– Change the router’s ARP entry on the local system to
enforcement point
DHCP
– Change DHCP scope (reserved IP with enforcer gateway)
– or Change DNS server to resolve all IP’s to Enforcer
VLAN switch
– Switch host to an isolation network with enforcer as the gateway
If all else fails… Blackhole
– Router dynamic update
– Firewall/ACL update
– Disable switch port
16
ARP Manipulation
Internet
Router
Switch
Switch
PacketFence
All Traffic
`
Host
User
17
VLAN Change (Futures)
Internet
Router
Enforcement Point
Switch
Switch
`
`
Host
User
Host
User
18
DNS
(Futures)
Internet
Router
Switch
DHCP
Switch
Enforcement Point &
DNS
DNS Requests
`
Host
19
User
DHCP
(Futures)
Internet
Router
Switch
Switch
Enforcement Point &
DNS/DHCP Server
DHCP & DNS Requests
`
Host
20
User
Blackhole Injection (risky)
Internet
Router
Router
Switch
Switch
`
Host
`
User
Host
User
21
22
23
Implementations
All current deployments are “passive” mode
Several residential networks and 2 schools
– ~4500 users
– 3781 registrations
– ~125 violations
Nachi / Sasser,Agobot,Gaobot,etc / IRC bots
24
Thanks!!!
Hot “fun” topic!
Questions?
Software available at:
http://www.packetfence.org
25
References
http://www.ece.cmu.edu/~lbauer/papers/policyt
r.pdf
ftp://www6.software.ibm.com/software/develop
er/library/ws-policy.pdf
http://www9.org/w9cdrom/345/345.html
http://www.sans.org/resources/policies/Policy_Pr
imer.pdf
http://www.cs.sjsu.edu/faculty/stamp/students/
Silky_report.pdf
Harvard University network security Best
practices – Scott Bradner
26
Related documents
Sample Quiz
Sample Quiz
Peak Support Services Ltd
Peak Support Services Ltd
Lab 9
Lab 9
Northeastern Illinois University Department of Computer
Northeastern Illinois University Department of Computer
Cisco Discovery 1 Module 03 Quiz Picture Descriptions
Cisco Discovery 1 Module 03 Quiz Picture Descriptions
CS412 Computer Networks - Winona State University
CS412 Computer Networks - Winona State University
Chapter 5: ARP
Chapter 5: ARP
glossary - Homework Market
glossary - Homework Market
netLyr-arp
netLyr-arp
ch-3-FIT-pt2
ch-3-FIT-pt2
How to setup the router for Static IP internet connection mode
How to setup the router for Static IP internet connection mode
009_namingaddressing
009_namingaddressing