Transcript Slides - TERENA Networking Conference 2006

Jekyll and Hyde
the Art of Managing a Student Campus Network
Herman Moons – KULeuvenNet
University of Leuven
[email protected]
Terena Networking Conference 2006
1
KotNet project goals
 provide students/personnel of the
K.U.Leuven and its associated partners
with a high-speed and low-cost connection
to the campus network and Internet
 network access from within the natural work
habitat (kot for students, home office for
personnel)
 comfortable Internet access is a requirement
for todays academic environment with its
emphasis on E-learning and coached self-study.
KotNet is an enabler for the E-university
2
KotNet project history
KotNet today is an integral
part of the common university
IT infrastructure
almost every student room
has its KotNet connection
>20.000 users / day
KotNet is a very successful project
~300 Mbps Internet traffic
3
KotNet infrastructure
1Gbps trunk
CMTS
HF network
KULeuvenNet backbone
cable router
upc belgium 1 user/cablemodem = 199 EUR/year
16 users/cablemodem = 299 EUR/year
UNIVERSITY
typically 50 – 300
students/building
100Mbps trunk
single-mode fiber
student residency
100Mbps trunk
WiFi hotspot
4
Jekyll and Hyde
 how to manage a network of 25.000 students in
private rooms, whose computers are not under your
control ?
be nice...
the network must support students with their study and
research, and allow for recreational use
...but firm
network abuse must be avoided, and measures must
be implemented to actively counter such abuses
a balance must be reached between enhancing
usability and maintaining control.
5
Lesson 1
NAT
Internet
NAT is good for you
KotNet
servers
 public IP's invite network abuse and expose
vulnerable student pc's to the worldwide Internet
private addresses with NAT on the Internet boundary
• effectively blocks illegal, publicly accessible servers
• serves as an implicit firewall for vulnerable student pc's
public IP subnets are made available to student computer clubs
• Internet accessible servers in a controlled environment
private IP's are routed normally on the Intranet
• internal servers are not a problem
students are well-known for "accidentally" distributing
copyrighted material. With NAT, this is no longer an issue
6
Lesson 2
know thy enemy
(Sun Tzu)
 authentication
 users must identify themselves before gaining access to the network
 enables us to identify users when the need arises
following up on complaints
helpdesk support
 solution: network login mechanism
 new users are automatically redirected to a login webpage when using
their browser
 access to the network is granted only on successful login
KotNet is not anonymous  reduces misbehavior on the network
(users know that complaints can be followed up)
7
user provides userid/password
of his/her home organization
8
9
authentication infrastructure
userid:
s2005011
password:
********
organisation: kuleuven
ldap server
of home
organisation
ssl connection
netlogin server
KotNet
router
permit [email protected]
verify against user database at home organisation
check authorizations
if everything ok, add user's ip address to access list
of logged-in users
network access is only allowed
after successful login
10
Lesson 3
controlling the byte stream
 students eat bandwidth... but
 >50% of their traffic is non-educational
 a substantial amount of the above is illegal
this cannot be tolerated,
time for the Hyde attack...
• string filters block P2P protocols
• upstream quota (200MB/day) stop intranet file-sharing
• downstream quota (4GB/month) keep traffic under control
soften the blow...
• exceptions for student research projects (professor approval required)
• traffic to e-learning systems is free
11
Lesson 4
click me
automated virus detection
 the problem
 KotNet users work at home in a non-controlled enviroment
 KotNet users are often computer-illiterate
• they install all kinds of software without much regard for its origin
• they click on everything they see
 when new viruses arrive, lots of KotNet users get infected, causing all
kinds of havoc
• typically they infect other KotNet users (i.e. the virus spreads rapidly)
• lots of viruses often means increased network load
 requirements
 viruses need to be detected and contained as soon as possible
 end-user must be informed that his/her computer has a problem
click me
click me
click me
12
automated virus detection
 problem analysis
 viruses typically try to distribute themselves to other computers
• by scanning lots of other hosts in order to find a weakness they can
exploit
shows up in netflow accounting data
as hostscans and portscans
• by emailing themselves to other users (using the infected user's
address book)
central anti-virus cluster will detect
the virus in outgoing mail message
13
 see http://www.splintered.net/sw/flow-tools/
virus detection architecture
kotnet login server
user (s200501)
with his infected
pc (10.0.0.1)
virus detected @ 10.0.0.1
email
central antivirus
cluster
whois 10.0.0.1 ?
10.0.0.1 = s200501
logout [email protected]
blacklist server
portscan
hostscan
portscan/hostscan
detected @ 10.0.0.1
netflow analysis
scripts
blacklist database
insert [email protected]
into blacklist database
14
blacklist database
general overview of the
blacklist database
15
blacklist database
zoomed in on a
specific incident
16
KotNet login and blacklist
 when blacklisted, a user is logged out automatically
within 15 min
 we try to minimize the time an infected pc is connected to the
network
• infected pc's typically contact hundreds to thousands of other hosts on
the Internet. Blocking them as soon as possible means the
K.U.Leuven university behaves as a responsible net citizen.
 notifying end-users that their pc has a problem is not enough
• end-users never listen to net-administrators, unless you force them
 new login attempts will fail, unless the end-user
actively reactivates his/her account
17
Login attempt for a blacklisted user
login fails because the user
appears on the blacklist.
The user also gets detailed
instructions explaining why his
account is blocked, and how
the situation can be rectified
18
user can click a link on the login result page to reactivate his/her account
(once the problem on his/her pc has been fixed)
This is an automated process without net-admin intervention
only ONE reactivation per day !!!
typically users immediately try to
reactivate their account, only to be
blacklisted again. Then they start
reading instead of clicking, and begin
to fix the problem.
19
conclusions
<quote>
$lang =~ s/^.*$/Perl/;
print “${lang} rules!\n”;
</quote>
 KotNet = basic infrastructure
 standard student room has a KotNet connection
 requirement for a successful E-learning environment
 control is essential  Jekyll-Hyde technology
 unobtrusive to normal user, but activated when abuses are detected
 in-house software development required to address specific KotNet
needs (login, bandwidth control, auto-anti-virus, ...)
 change is the norm
 continuously changing student populations
 new applications arriving at an ever-increasing rate
network management in a student campus network is
a continuous quest for the optimal Jekyll-Hyde balance
20