Northwestern University

UNITS meeting
September 30, 2004
Network Security
Roger Safian
[email protected]
Agenda
• Our environment
• Statistics
• Why these incidents occur
– What can be done to prevent them
• Future improvements
• Questions
Firewalls
• Recommending personal firewalls
– Typically ZoneAlarm or the Windows XP firewall
• Some departments have traditional
firewalls
– This number is growing
• Central IT has a purchasable solution
Optional Router Filters
• Block inbound traffic on selected ports from entering NU’s network
– Applied on more than 75% of the network
– Users outside NU use the VPN to reach filtered services
• Ports filtered
– MS networking (RPC endpoint mapper, NetBIOS, SMB) - 135, 137, 138, 139, 445
– Unix portmapper & NFS - 111, 2049
– MS Terminal Services (RDP) - 3389
– MS SQL Server – 1433 (TCP), 1434 (UDP, SQL Server Resolution Service)
Packeteer
• Classifies traffic by application
• Per application bandwidth partitioning
– Mainly P2P
• Enforces service level agreements
– Research park
• Provides detailed flow information
• Very limited data lifespan
Flow Data
• Statistical data from the border router
• Sampled – 1 in 100 packets, so byte counts are estimates (scale by 100)
• Fields recorded per flow:
– Source and destination address
– Source and destination ports
– Byte count
– Timestamp
• Used to produce top 20 reports
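How the sampled flow records above turn into a top 20 report, and how the same records can be checked against the optional router filter port list from the earlier slide. This is an added example, not code from the Northwestern presentation: the 1-in-100 sampling rate, the record fields and the filtered ports come from the slides, while the flow records, the 10.0.x "internal" address assumption and all function names are constructed for illustration.

```python
"""Top-talker report from sampled border-router flow records.

Added example; not code from the Northwestern slides. The 1-in-100 sampling
rate, the record fields and the filtered-port list come from the slides; the
flow records, the 10.0.x "internal" assumption and the function names are
constructed for illustration.
"""
from collections import defaultdict

SAMPLING_RATE = 100          # slides: 1 in 100 packets is sampled
INTERNAL_PREFIX = "10.0."    # assumption: stands in for NU address space here

# Destination ports the optional router filters block at the border (from the slides)
FILTERED_PORTS = {135, 137, 138, 139, 445, 111, 2049, 3389, 1433, 1434}

# Constructed sample records: timestamp src_ip src_port dst_ip dst_port sampled_bytes
SAMPLE_FLOWS = """\
1096556400 10.0.5.23     49152 192.0.2.10   80   1500
1096556401 10.0.5.23     49153 192.0.2.10   80   1500
1096556402 198.51.100.7  3000  10.0.8.44    445  512
1096556403 10.0.9.12     6881  203.0.113.5  6881 1400
1096556404 10.0.9.12     6882  203.0.113.6  6881 1400
1096556405 10.0.9.12     6883  203.0.113.7  6881 1400
1096556406 198.51.100.9  1434  10.0.8.45    1434 404
"""


def parse_flows(text):
    """Parse whitespace-separated records into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, sport, dst, dport, nbytes = line.split()
        flows.append({"ts": int(ts), "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def estimated_total_bytes(flows):
    """Sampled bytes scaled back up: with 1-in-100 sampling each sampled byte
    stands for roughly 100 on the wire, so every figure here is an estimate."""
    return sum(f["bytes"] for f in flows) * SAMPLING_RATE


def top_talkers(flows, n=20):
    """Estimated bytes per source address, largest first (the 'top 20' report)."""
    totals = defaultdict(int)
    for f in flows:
        totals[f["src"]] += f["bytes"] * SAMPLING_RATE
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def filtered_inbound(flows):
    """Inbound flows (external -> internal) aimed at a filtered port.
    Assumption: sampling sees traffic before the filters act, so these records
    show what the filters stop, or what reached the part of the network that
    has not opted in to them."""
    return [f for f in flows
            if not is_internal(f["src"]) and is_internal(f["dst"])
            and f["dport"] in FILTERED_PORTS]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("Estimated bytes in window:", estimated_total_bytes(flows))
    for src, est in top_talkers(flows):
        print(f"{src:15} ~{est:>9} bytes")
    for f in filtered_inbound(flows):
        print(f"filtered port hit: {f['src']} -> {f['dst']}:{f['dport']}")
```

The scaling step is the part people forget: a host that shows 4,200 sampled bytes moved about 420,000 bytes, and the ranking is only as good as the sampling, so a host with a handful of sampled packets can land anywhere in the list.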
Intrusion Detection System
• We use two solutions in parallel
• StealthWatch
– A statistical/anomaly based system
– Currently two devices
• One at the border, the other at 2020 Ridge
• Snort
– Currently 15 devices
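What "statistical/anomaly based" means in practice, as opposed to Snort's signature matching: each host is compared with its own history rather than with a list of known attacks. This is an added illustration, not code from the presentation and not StealthWatch's actual algorithm; the per-host counts of distinct destinations contacted per window, the 3-sigma threshold and the standard-deviation floor are constructed assumptions.

```python
"""Statistical/anomaly-based detection, in the style the slides describe for
StealthWatch (as opposed to Snort's signature matching).

Added example; not the slides' code and not StealthWatch's actual algorithm.
The per-host counts of distinct destinations contacted per 5-minute window are
constructed; the 3-sigma threshold and the 1.0 standard-deviation floor are
assumptions.
"""
import statistics

# Constructed baseline: distinct destination IPs contacted per window, per host,
# over the previous twelve windows
BASELINE = {
    "10.0.5.23": [12, 9, 14, 11, 10, 13, 12, 9, 11, 10, 12, 11],   # a desktop
    "10.0.8.44": [3, 2, 4, 3, 3, 2, 3, 4, 2, 3, 3, 2],              # a quiet host
}
# Constructed current window: 10.0.8.44 suddenly fans out to 210 destinations
CURRENT = {"10.0.5.23": 13, "10.0.8.44": 210}


def zscore(history, value, min_stdev=1.0):
    """How many standard deviations `value` sits above this host's own mean.
    Flooring the deviation keeps a very quiet host from alerting on noise."""
    mean = statistics.mean(history)
    stdev = max(statistics.pstdev(history), min_stdev)
    return (value - mean) / stdev


def anomalies(baseline, current, threshold=3.0):
    """Return (host, value, z, reason) for hosts that deviate from baseline.
    A host with no baseline is reported too: a machine that just appeared on
    the network has no history to be compared against."""
    alerts = []
    for host, value in current.items():
        history = baseline.get(host)
        if not history:
            alerts.append((host, value, None, "no baseline"))
            continue
        z = zscore(history, value)
        if z > threshold:
            alerts.append((host, value, round(z, 1), "fan-out above baseline"))
    return alerts


def update_baseline(baseline, current, window=12):
    """Roll the window forward after a clean interval so the baseline tracks
    slow, legitimate change. Feeding an anomalous window back in would teach
    the baseline that the worm traffic is normal, so only do this for windows
    that produced no alert."""
    for host, value in current.items():
        baseline.setdefault(host, []).append(value)
        del baseline[host][:-window]
    return baseline


if __name__ == "__main__":
    for host, value, z, reason in anomalies(BASELINE, CURRENT):
        print(f"{host}: {value} destinations this window ({reason}, z={z})")
```

The desktop's 13 destinations sit well inside its usual 9 to 14 and produce no alert; the quiet host jumping from about 3 to 210 is flagged without anyone having written a signature for whatever it is doing, which is the trade the slides are making by running both kinds of sensor.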
Get Control
• Home for NU security and virus warnings
• Updated frequently
• Has tips on staying secure
• Contains instructions on removing viruses
– Links to online removal tools
• http://www.it.northwestern.edu/security/index.html
• http://www.it.northwestern.edu/5steps/
Statistics
• FY 2002/2003 (9/1/02 – 8/31/03)
– Virus = 1166
– Compromised = 727
– Total incidents (all types) = 3042
• FY 2003/2004 (9/1/03 – 8/31/04)
– Virus = 7976
– Compromised = 467
– Total incidents (all types) = 9264
Why these incidents occur
• Weak passwords
– All machines and accounts need passwords
– Use rules similar to the NetID rules
• Opening viral attachments
– Don’t open unexpected attachments
– Only open attachment types you expect
– Make sure to look at the LAST extension: “report.doc.exe” is an executable, not a document, and Windows hides known extensions by default
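Why the last extension is the one that counts, as an added example that is not part of the slides: the program Windows launches is chosen by the final extension, so a check that only looks at what the user sees ("report.doc") is fooled. The allow-list, deny-list and verdict names below are assumptions, not NU policy.

```python
"""Judge an attachment by its LAST extension.

Added example; not code from the slides. Windows chooses the program that opens
a file from its final extension, and with "Hide extensions for known file
types" (the default) "report.doc.exe" is shown as "report.doc". The allow-list,
deny-list and verdict names below are assumptions, not NU policy.
"""
import os

# Assumed allow-list: document/image types users expect to receive
ALLOWED = {".doc", ".xls", ".ppt", ".pdf", ".txt", ".jpg", ".gif"}
# Types that run code when double-clicked; blocked regardless of earlier extensions
EXECUTABLE = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}


def last_extension(filename):
    """Return the final extension, lower-cased. Trailing spaces and dots are
    stripped first: senders pad names like "photo.jpg     .exe" so the real
    extension scrolls out of view in mail clients."""
    name = os.path.basename(filename.strip()).rstrip(". ")
    _, ext = os.path.splitext(name)
    return ext.lower()


def apparent_extensions(filename):
    """Every dotted suffix, i.e. what a user skimming the name might think it is."""
    name = os.path.basename(filename.strip()).rstrip(". ")
    parts = name.split(".")
    return ["." + p.strip().lower() for p in parts[1:]]


def classify(filename):
    """'block' executables, 'allow' known document types, 'quarantine' the rest."""
    ext = last_extension(filename)
    if ext in EXECUTABLE:
        return "block"
    if ext in ALLOWED:
        return "allow"
    return "quarantine"   # unknown type: hold it for a person to look at


if __name__ == "__main__":
    for name in ["budget.xls", "readme.txt.exe", "photo.jpg          .SCR",
                 "archive.zip", "report.pdf."]:
        print(f"{name!r:32} {classify(name):10} seen as {apparent_extensions(name)}")
```

The default verdict for an unknown type is quarantine rather than allow: the deny-list can never be complete, so anything that is neither a known document nor a known executable should wait for a human.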
Why these incidents occur (2)
• Updates not applied
– Ensure Windows Update runs automatically
– Don’t forget about applications installed on top of the OS; they need patching too
• Network use
– P2P
– Be careful when clicking on links
Why these incidents occur (3)
• Out of date anti-virus software
– Ensure you install the NU-supplied software
– Set it to update automatically EVERY day
• Blended threats
– Multiple attack vectors (e.g. an e-mail attachment plus a network exploit) directed at the same hosts
• Home networks
– Frequently attacked, with little monitoring
Why these incidents occur (4)
• Lack of firewall
– Even if users have one, they often don’t understand it
– Often installed after the infection (not a good idea)
• This is most serious on home networks
– Partly mitigated by home routers doing NAT, which drop unsolicited inbound connections but not malware that connects outbound
NUSA
• Network User Status Agent
– Automatic notification
• Two event types: port off and display
– Allows authorized users to re-enable ports
– Accepts input from other sources
• Future use as data correlation agent
– Current systems are stand-alone
NetPass
• Current system NetReg
– Deployed in the dorms
– Associates MAC address with NetID
– Checks for 3 vulnerabilities
• NetPass
– Checks for 25 vulnerabilities
– Includes self-remediation
Questions?
• Contact Information
– 1-847-491-4058
– 1-847-467-6662 (NOC 24x7)
– [email protected]
– [email protected]