Once you let them connect, how do you make sure they are behaving?
Joseph Karam, Director, Network & Telecommunication Services, Hamilton College
ResNet 2007

Hamilton College
- Liberal arts college in Clinton, New York
- Chartered in 1812; one of the oldest colleges in New York State
- 1,800 undergraduate students
- 200 faculty
- 400 administrators and staff

Network Services @ Hamilton
- 4.5 full-time administrators:
  - Team Leader
  - 2.5 Network & Systems Administrators
  - Telephone Administrator
- Wiring Technician (outsourced)
- Interns

Network Infrastructure @ Hamilton
- 6,000+ network jacks on campus
- 160+ Cisco switches
- 200+ Cisco wireless access points
- 50+ Windows servers
- 10 UNIX servers
- 5 Macintosh servers
- 50 Mbps Internet connection

Hamilton College Philosophy
All devices are allowed to connect and use the network unless they behave in a manner that impacts the operation of the network and the ability of other devices to use it reliably.

Network Security Monitoring Tools
- Firewalls
- Network Access Control (NAC) systems
- Intrusion Detection/Prevention Systems
- Network Behavior Analysis systems
- Log & Event Management systems
- Virus/Spyware/Spam gateways
- Etc.

Network Behavior Monitoring
Network behavior monitoring involves:
- monitoring a network for deviations from its typical activity
- detecting the unusual activity
- stopping the unusual activity from impacting network operations

Network Behavior Monitoring vs. Intrusion Detection Systems
- Intrusion Detection Systems perform signature detection, examining traffic for packet sequences known to be malicious.
- Network behavior monitoring systems perform anomaly detection, flagging behavior that falls outside predefined accepted guidelines.
- Intrusion Detection Systems are typically placed to detect 'intrusions' coming from outside a protected network segment.
- Network behavior monitoring systems detect malicious behavior from endpoints both inside and outside the network.
Benefits of Network Behavior Monitoring
- Can catch exploitation of new "zero-day" vulnerabilities for which signature-based intrusion detection systems and firewalls have no rule, because it keys on the behavior rather than the exploit.
- Detects virus and worm outbreaks before they impact network operations.
- Stops threats that start inside the network.
- Provides visibility into how the network is actually being used.

Unwanted Network Behaviors
- Network attacks (nmap, TCP/UDP port scans, ICMP floods)
- Excessive connections (P2P, gaming)
- Unauthorized servers (mail, web, FTP, DHCP, DNS)
- Unauthorized routers/gateways
- Excessive bandwidth
- Unauthorized applications

Network Behavior Monitoring Products
- Mirage Networks
- Mazu Networks
- Lancope StealthWatch
- Q1 Labs
- Cisco MARS
- Arbor Networks PeakFlow X
- GraniteEdge Networks
- PacketFence (open source)
- NetFort Technologies
- SourceFire

Network Behavior Monitoring with Mirage Networks
- ARP cache manipulation
- Deception (honey pot)
- Reverse access restriction
- Web page redirection or quarantine
- Help Desk support
- Passive device
- Alerts, analysis, and reporting
- Pre-admission compliance checking
- MAC/IP address and OS checking

Network Design
(Network diagram on the original slide.)

Implementation with Mirage
- Configured on the network in half a day.
- Monitored the network for 2 to 4 weeks.
- Configured exceptions.
- Implemented deception on each VLAN individually.
- Adjusted profiles for security threats.
- Implemented security threat restrictions one at a time.

Mirage Zones
- Priority 5: Full Access
- Priority 4: Monitored Access
- Priority 2: Out of Policy (Pre-Admission Compliance)
- Priority 1: Security Threat

Mirage Restrict Access Profiles in Security Threat Zone
- Too Many Managed
- Too Many Unmanaged
- Too Many Unused
- Too Many SMTP Hosts
- Too Many SMTP SYNs
- Stolen Devices
- IP Telephony Attacks
- TCP Scan
- UDP Scan
- Nmap Usage
- Port Scan
- IRC Heartbeat
- Unauthorized TFTP

Port Scan Restriction Example
Port scanning 500 TCP ports on one IP address in 60 seconds.
Too Many Unmanaged Restriction Example
Connecting to more than 800 IP addresses in 60 seconds.

Too Many SMTP Hosts Restriction Example
Launching 30 SMTP connections in 60 seconds.

Student Perspective Example
- A student connects a computer to the network and gains full access if the compliance requirements are met.
- The student's computer starts scanning the network because of a virus or worm.
- The Mirage system automatically detects the attack and restricts the computer's network access.
- The student receives a web page notice saying the computer has been removed from the network.

Student Perspective Example (continued)
- The student contacts the Help Desk for assistance.
- The Help Desk uses the Mirage system to help troubleshoot and clean the student's computer.
- Once the attack has stopped, the Mirage system automatically re-enables the computer's full access to the network.

(Diagram on the original slides: computers with full access and computers with restricted access on the same network.)

Number of Computers Restricted

                2004      2005      2006
January         84        31        17
September       52        24        44*
Other months    10 to 20  5 to 20   5 to 20

* Increase due to rule changes to restrict access for P2P abuse.

Conclusion
- Saves staff time otherwise spent monitoring logs and manually disconnecting/reconnecting computers.
- Decreases the number of infected computers by stopping attacks quickly.
- Requires no changes to the user experience.
- Provides enhanced troubleshooting of network issues.
- Does not punish 'good' network users.

Future Goals for Hamilton
- Self-help remediation quarantine area
- Pre-admission authentication and compliance for student computers

Questions?
www.resnetsymposium.org/resnet2007
Joe Karam, Hamilton College
[email protected]
315-859-4167
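As an added worked example (not code from the original slides and not Mirage Networks code), the three restriction thresholds quoted above, Port Scan (500 TCP ports on one IP in 60 s), Too Many Unmanaged (more than 800 IPs in 60 s) and Too Many SMTP Hosts (30 SMTP connections in 60 s), implemented as rules over a per-source 60-second sliding window of flow records, together with the automatic release once the window is clean that the student-perspective slides describe. The flow records, addresses and the `Flow`, `BehaviorDetector`, `replay` and `constructed_flows` names are constructed for this example; exactly how the product counts (distinct destination ports per destination IP, distinct destination IPs, TCP/25 connections) is an assumption, as is the choice of ">=" or ">" at each threshold, which follows the slide wording.

```python
"""Threshold rules from the restriction-example slides as a sliding-window detector.
Example code added for this page; not Hamilton College or Mirage Networks code.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Optional, Set, Tuple

WINDOW_SECONDS = 60.0

# Thresholds quoted on the slides; how they are counted is an assumption.
PORT_SCAN_DISTINCT_PORTS = 500   # distinct TCP ports on one destination IP
TOO_MANY_UNMANAGED_HOSTS = 800   # "more than 800" distinct destination IPs
TOO_MANY_SMTP_CONNECTIONS = 30   # TCP connections to port 25

Event = Tuple[str, str, str]     # (action, source IP, rule name)


@dataclass(frozen=True)
class Flow:
    ts: float    # seconds since start of capture
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


class BehaviorDetector:
    """Keeps a 60-second window of flows per source and evaluates the three rules."""

    def __init__(self, window: float = WINDOW_SECONDS) -> None:
        self.window = window
        self.recent: Dict[str, Deque[Flow]] = defaultdict(deque)
        self.restricted: Dict[str, str] = {}   # source IP -> rule that restricted it

    def observe(self, flow: Flow) -> Optional[Event]:
        q = self.recent[flow.src]
        q.append(flow)
        cutoff = flow.ts - self.window
        while q and q[0].ts < cutoff:     # age out flows older than the window
            q.popleft()
        rule = self._violated_rule(q)
        if rule is not None and flow.src not in self.restricted:
            self.restricted[flow.src] = rule
            return ("restrict", flow.src, rule)
        if rule is None and flow.src in self.restricted:
            # Window no longer trips any rule: the attack has stopped, re-enable.
            return ("release", flow.src, self.restricted.pop(flow.src))
        return None

    @staticmethod
    def _violated_rule(window: Deque[Flow]) -> Optional[str]:
        ports_per_dst: Dict[str, Set[int]] = defaultdict(set)
        dsts: Set[str] = set()
        smtp = 0
        for f in window:
            dsts.add(f.dst)
            if f.proto == "tcp":
                ports_per_dst[f.dst].add(f.dport)
                if f.dport == 25:
                    smtp += 1
        if any(len(p) >= PORT_SCAN_DISTINCT_PORTS for p in ports_per_dst.values()):
            return "Port Scan"
        if len(dsts) > TOO_MANY_UNMANAGED_HOSTS:
            return "Too Many Unmanaged"
        if smtp >= TOO_MANY_SMTP_CONNECTIONS:
            return "Too Many SMTP Hosts"
        return None


def replay(flows: List[Flow]) -> List[Event]:
    """Feed flows in time order; return the restrict/release events raised."""
    det = BehaviorDetector()
    events: List[Event] = []
    for f in sorted(flows, key=lambda f: f.ts):
        ev = det.observe(f)
        if ev is not None:
            events.append(ev)
    return events


def constructed_flows() -> List[Flow]:
    """Constructed sample traffic (not captured data) exercising each rule."""
    flows: List[Flow] = []
    # 10.0.1.10: worm-style sweep of 500 ports on one host within 5 s -> Port Scan
    flows += [Flow(i * 0.01, "10.0.1.10", "10.0.2.20", "tcp", 1 + i) for i in range(500)]
    # ...then silence; one ordinary request 90 s later finds a clean window -> release
    flows.append(Flow(95.0, "10.0.1.10", "10.0.9.9", "tcp", 80))
    # 10.0.1.11: mail to 30 distinct hosts within 15 s -> Too Many SMTP Hosts
    flows += [Flow(10.0 + i * 0.5, "10.0.1.11", f"192.0.2.{i + 1}", "tcp", 25) for i in range(30)]
    # 10.0.1.12: P2P-style fan-out to 801 distinct peers within 40 s -> Too Many Unmanaged
    flows += [Flow(20.0 + i * 0.05, "10.0.1.12", f"203.0.{i // 250}.{i % 250 + 1}", "tcp", 6881)
              for i in range(801)]
    # 10.0.1.13: ordinary browsing, 40 HTTPS flows to 10 hosts -> no event
    flows += [Flow(30.0 + i, "10.0.1.13", f"10.0.3.{i % 10 + 1}", "tcp", 443) for i in range(40)]
    return flows


if __name__ == "__main__":
    for action, src, rule in replay(constructed_flows()):
        print(f"{action:8} {src:10} {rule}")
```

Running the block prints three restrict events (one per rule) and one release for 10.0.1.10 once its scan has aged out of the window; the browsing host never appears. Re-scanning the whole window on every flow is fine for a demonstration but is O(window) per packet; a production sensor would keep incremental per-source counters (a set of ports per destination, a set of destinations, a count of port-25 connections) and decrement them as flows expire.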