Download Network Access Control

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
Document related concepts

Distributed firewall wikipedia , lookup

Malware wikipedia , lookup

Wireless security wikipedia , lookup

Access control wikipedia , lookup

Mobile security wikipedia , lookup

Computer security wikipedia , lookup

Network tap wikipedia , lookup

Unix security wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Network Access Control through
Quarantine, Remediation, and
Verification
Educause Security Professionals Conference
Jonny Sweeny
Incident Response Manager
Office of the VP for IT
Indiana University
5 May 2008
Copyright 2008, The Trustees of Indiana University. This work is the intellectual property of the author. Permission is granted for this material to be shared for noncommercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of
the author. To disseminate otherwise or to republish requires written permission from the author.
Overview
• IU’s Get Connected
– Computers new to the network
• Blocking `bad` systems
– Communication
– Restoring access
Get Connected Stats
• 7,641 computers connected in 14 days
• Currently only required in Residence
Halls on Windows wired connections
• 81% are laptops
Other reasons to restrict network access
• Compromised systems
– detected by sensors
• Port scanning, high mailers, etc.
– Detected by logs
• DNS botted, spyware, etc.
• Webmail compromised credentials
• Copyright Infringement
Blocking Options
•
•
•
•
•
•
MAC Address
VPN
Dialup
802.1x
Static IP null-route
Switch-port
Communication
• User needs to know why machine is
blocked
– Sending an email to the user is not
sufficient, however CC-ing their
support provider helps
– Redirecting to a self-service site is
ideal.
– Dynamically-assigned VLANs.
Jonny,
User receives
notification email
Network reports indicate that the computer listed below has been
compromised. It appears a bot has taken over the system. A "bot,"
or "robot," is a program that is installed by an intruder, so that
the machine takes actions automatically, as programmed by the
intruder and at times specified by the intruder who put the bot there.
Date (Timezone=UTC)
------------------2008-03-12 02:57:12
2008-04-01 14:01:31
***
***
Type
---vpn
dhcp
IP Address
--------------156.56.175.226
156.56.18.118
Remote IP Address
--------------76.252.188.1
00:06:5b:17:17:xx iu-itpo-iceland
Network access for this user or computer is being blocked to ***
protect the University network from this threat.
***
If your machine is not running a Windows operating system, please
consult with the Support Center on how to rebuild for your operating
system.
To recover from this compromise it is necessary to completely rebuild
the computer. When a computer is compromised in this manner, anything
on the system can be modified and/or monitored by someone else.
When you are finished and wish to have network access restored,
please reply back to this message, leaving the subject line intact,
and outline specifically what actions you took. You must take all
actions listed in order for us to restore access.
Help with these steps can be obtained from the KB article titled "In
Windows, how do I rebuild my computer after a system-level
compromise" available at [http://kb.iu.edu/data/anbp.html].
1. Remove the computer from the network by removing the network cable
from the computer, or by turning off the wireless or dialup
connection. Do not reconnect the computer until all steps have
been completed, or you run the risk of being compromised again.
2. Backup your personal files. If you do not take this step, you will
lose all of your data when you perform step #3.
3. Perform a New Install of Windows XP or Vista. Make sure you use a
new password for the Administrator account when setting up
Windows. When you reboot the machine, you should allow automatic
updates when prompted, which is the recommended action.
4. Install anti-virus software. Symantec AntiVirus is available on
the IUware CD, and is configured to update virus patterns daily.
Self-service unblock
Self-service is great…but
• Need to prevent abuse of trust
– Track instances of repeat-offenders
and treat them differently
– Require tutorial & quiz
– Delete registration so Get Connected
is required again
DMCA Quiz
Random comments about automation
• Good relationships with network staff
translates to access to tools.
– Null-route
– MacMon
– Arpfind
– Router Configs
– Syslogs
– Dialup, VPN blocks
– etc.
Random comments about automation
• Access to tools allows automation:
– Block scanners, phishers, bruteforcers, etc.
• Blocking remainder of leases
Automate Response – IR Web Service
Identify user
User is blocked and notified
Final Thoughts
• 802.1x rolling out now
– 2,700 WAPs by fall
• Dean of Students NAC
– Third copyright violation results in
permanent ban from attaching
personal device to University network
Questions
Jonny Sweeny
[email protected]
Related documents
Assignment
Assignment
Product Deck
Product Deck
document
document
Using Economics to Quantify the Security of the Internet
Using Economics to Quantify the Security of the Internet
care of the medically compromised patient
care of the medically compromised patient
Guided Ad Hoc Presentation
Guided Ad Hoc Presentation
Human-level AI`s Killer Application: Interactive Computer Games
Human-level AI`s Killer Application: Interactive Computer Games
投影片 1
投影片 1
Intelligent data engineering
Intelligent data engineering
The Pseudo-Internal Intruder: A New Access Oriented Intruder
The Pseudo-Internal Intruder: A New Access Oriented Intruder
Lecture # 16
Lecture # 16
Introduction to Programming Example: Bot and BetterBot Inheritance
Introduction to Programming Example: Bot and BetterBot Inheritance
LAIR2 peptide ab195145 Product datasheet Overview Product name
LAIR2 peptide ab195145 Product datasheet Overview Product name
Taking on the Giant (anatomy of an attack)
Taking on the Giant (anatomy of an attack)
Lec07a-Blocking and Non
Lec07a-Blocking and Non
Quiz #1 - Cabrillo College
Quiz #1 - Cabrillo College
Pervasive Database File Rebuilding
Pervasive Database File Rebuilding
Step 1: Right-Click the My Network Places icon
Step 1: Right-Click the My Network Places icon
IOSR Journal of Electrical and Electronics Engineering (IOSR-JEEE) e-ISSN: 2278-1676,p-ISSN: 2320-3331,
IOSR Journal of Electrical and Electronics Engineering (IOSR-JEEE) e-ISSN: 2278-1676,p-ISSN: 2320-3331,
Botnets: Infrastructure and Attacks
Botnets: Infrastructure and Attacks
Slides
Slides
Introduction - Knowledge Based Systems Group
Introduction - Knowledge Based Systems Group