Download Once You Let Them on the

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
page
23
page
24
page
25
page
26
page
27
page
28
page
29
page
30
Document related concepts

Mobile security wikipedia , lookup

Wireless security wikipedia , lookup

Unix security wikipedia , lookup

Computer security wikipedia , lookup

Distributed firewall wikipedia , lookup

Computer and network surveillance wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Transcript 
Once you let them connect,
how do you make sure they
are behaving?
Joseph Karam
Director, Network & Telecommunication Services,
Hamilton College
ResNet 2007
Hamilton College
 Liberal Arts college in Clinton, New York
 Chartered in 1812 – one of the oldest
colleges in New York State.
 1,800 undergraduate students
 200 Faculty
 400 Administrators and Staff
Network Services @ Hamilton
 4.5 full-time administrators
 Team Leader
 2.5 Network & Systems Administrators
 Telephone Administrator
 Wiring Technician (outsourced)
 Interns
Network Infrastructure @ Hamilton
 6,000+ network jacks on-campus
 160+ Cisco Switches
 200+ Cisco Wireless Access Points
 50+ Windows Servers
 10 UNIX Servers
 5 Macintosh Servers
 50 Mbps Internet connection
Hamilton College Philosophy
All devices are allowed to
connect and use the network
unless they are behaving in a
manner which impacts the
operation of the network and
the ability for other devices to
reliably use the network.
Network Security Monitoring Tools
 Firewalls
 Network Access Control (NAC) Systems
 Intrusion Detection/Prevention Systems
 Network Behavior Analysis Systems
 Log & Event Management Systems
 Virus/Spyware/Spam Gateways
 Etc.
Network Behavior Monitoring
Network behavior monitoring involves:
 monitoring a network for deviations
in typical activity
 detecting the unusual activity
 stopping the unusual activity from
impacting network operations.
Network Behavior Monitoring vs.
Intrusion Detection Systems
 Intrusion Detection Systems perform signature
detection examining the network for packet sequences
known to be malicious.
 Network behavior monitoring systems perform anomaly
detection based on behaviors that fall outside predefined
accepted guidelines.
 Intrusion Detection Systems detect ‘intrusions’ from
outside a protected network segment.
 Network behavior monitoring systems detect malicious
behavior from endpoints inside & outside the network.
Benefits of Network Behavior Monitoring
 Secure against new “zero-day”
vulnerabilities that intrusion systems and
firewalls cannot recognize.
 Detect virus and worm attacks before they
impact network operations.
 Stop threats that start inside the network.
 Provides visibility into the network to really
understand how the network is being used.
Unwanted Network Behaviors
 Network attacks (nmap, TCP/UDP port scans,
ICMP floods, port scans)
 Excessive connections (P2P, Gaming)
 Unauthorized Servers (Mail, Web, FTP,
DHCP, DNS)
 Unauthorized Routers/Gateways
 Excessive Bandwidth
 Unauthorized Applications
Network Behavior Monitoring Products
 Mirage Networks
 Mazu Networks
 Lancope
 Q1 Labs
Stealthwatch
 Cisco MARS
 Arbor Networks
PeakFlow X
 GraniteEdge
Networks
 PacketFence
(OpenSource)
 NetFort
Technologies
 SourceFire
Network Behavior Monitoring with
Mirage Networks









ARP Cache Manipulation
Deception (Honey Pot)
Reverse Access Restriction
Web page redirection or quarantine
Help Desk Support
Passive device
Alerts, analysis, and reporting
Pre-Admission compliance checking
MAC/IP address and OS checking
Network Design
Implementation with Mirage
 Configured on network in ½ day.
 Monitored network for 2 to 4 weeks.
 Configured exceptions.
 Implemented deception on each VLAN
individually.
 Adjusted profiles for security threats.
 Implemented security threat restrictions one
at a time.
Mirage Zones
 Priority 5 – Full Access
 Priority 4 – Monitored Access
 Priority 2 – Out of Policy – Pre-Admission Compliance
 Priority 1 – Security Threat
Mirage Restrict Access Profiles in
Security Threat Zone
 Too Many Managed
 TCP Scan
 Too Many Unmanaged
 UDP Scan
 Too Many Unused
 Nmap Usage
 Too Many SMTP Hosts  Port Scan
 Too Many SMTP SYNs  IRC Heartbeat
 Stolen Devices
 Unauthorized TFTP
 IP Telephony Attacks
Port Scan Restriction Example
 Port Scanning 500 TCP ports on one IP
Address in 60 seconds.
Too Many Unmanaged
Restriction Example
 Connecting to more than 800 IP Addresses in
60 seconds
Too Many SMTP Hosts
Restriction Example
 Launch 30 SMTP connections in 60 seconds.
Student Perspective Example
 Student connects computer to the network
and gain full access if compliance
requirements are met.
 Student computer starts scanning network
due to a virus or worm.
 Mirage system automatically detects the
attack and restricts network access to the
student computer.
 Student receives web page notice saying
they are removed from the network.
Student Perspective Example
(continued)
 Student contacts Help Desk for assistance.
 Help Desk uses Mirage System to assist in
their troubleshooting and cleaning student
computer.
 Once attack has stopped, Mirage system
automatically re-enables student computer to
obtain full access to the network.
Computer with Full Access
Computer with Full Access
Computer with Restricted Access
Computer with Restricted Access
Computer with Restricted Access
Number of Computers Restricted
2004
2005
2006
January
84
31
17
September
52
24
44*
10 to 20
5 to 20
5 to 20
Other Months
* Increase due to rule changes to restrict access of P2P abuse.
Conclusion
 Saves staff time from monitoring logs and
manually disconnecting/reconnecting
computers from network.
 Decreases the number of infected computers
by stopping attacks quickly.
 Requires no changes to user experience.
 Provides enhanced troubleshooting into
network issues.
 Does not punish ‘good’ network users.
Future Goals for Hamilton
 Self-help remediation quarantine area
 Pre-admission authentication and compliance
for student computers
Questions?
www.resnetsymposium.org/resnet2007
Joe Karam
Hamilton College
[email protected]
315-859-4167
Related documents
8th Grade Week 15 Lesson Plans Nov 21
8th Grade Week 15 Lesson Plans Nov 21
Debt Enforcement around the World - British Institute of International
Debt Enforcement around the World - British Institute of International
Near-Earth Asteroid Tracking Summary of NEAT Results 12/95
Near-Earth Asteroid Tracking Summary of NEAT Results 12/95
One major reason that Alexander Hamilton proposed a national
One major reason that Alexander Hamilton proposed a national
Alexander Hamilton PowerPoint
Alexander Hamilton PowerPoint
ppt - ECT - Bell Labs
ppt - ECT - Bell Labs
9.1
9.1
Chapter 11 - The John Crosland School
Chapter 11 - The John Crosland School
Final Presentation
Final Presentation
Washington and Congress
Washington and Congress
Washington and the New Government
Washington and the New Government
MIRAGE: A Model for Latency in Communication
MIRAGE: A Model for Latency in Communication