Isolating Threats on the University Network


Isolating Threats on the University Network
Tom N. Jagatic
IT Policy Office
Overview
• About us
• Types of incidents
• Blocks: pros/cons and diagnosing
• Intrusion detection
• ANI: Automated Network Isolation
• Tips to better identify hosts and up-to-date contact info
• Questions
Incident Response (ITPO/ITSO)
• Respond and investigate incidents related to misuse or abuse of Indiana University information technology resources.
– computer and network security breaches
– unauthorized disclosure or modification of electronic institutional or personal information
Types of Incidents
• Non-behavioral
– Malicious code: worms, viruses, trojans,
IRC bots
– Misconfiguration: network bridge, ethernet
loop, rogue dhcpd
• Behavioral
– Account misuse, student suspension,
copyright violation (DMCA)
Who can block and why?
• ITPO/ITSO
– Incidents of misuse/abuse of technology
resources
• Network Operations
– Misconfigured devices, causing degradation to network stability or performance
– Wireless network bridges, Ethernet loops, rogue
wireless access points (WAPs), unauthorized
network address translation (NAT) devices.
Who can block and why?
• Per IT-11: Excessive Use of Information
Technology Resources
– “Emergency actions: Service managers, system
administrators, and security and network engineers may
temporarily suspend or block access to an information
technology resource, or stop processes active in an account
when it reasonably appears necessary to do so in order to
protect the integrity, security, or functionality of university or
other computing resources, or to protect the university from
liability.”
• Such blocks may be tied to the service or
host (not necessarily network blocks).
What types of “common” blocks exist?
• On campus
– DHCP lease
– Switch port
– Black hole/null route
• Remote Access
– Dialup modem pool
– VPN access
DHCP lease block
• Pros
– Reporting via MAS tools (https://mas.iu.edu/)
– Effective on all networks using central DHCP
services (follows user if they move)
– Can be used in lieu of VPN account block for
campus wireless
• Cons
– Doesn’t take effect immediately
– Possible to block MAC address w/o knowing
registrant. This will change January (IPSAP).
IP Address Security & Accountability Project (IPSAP)
• To increase network security and
accountability, the UITS IP Address Security
and Accountability Project (IPSAP) requires
IU network computers to use DHCP to
acquire a dynamic IP address.
• Note: As part of this project, beginning
January 4, 2006, all computers on IUB and
IUPUI DHCP subnets must be registered.
Switch port block
• Pros
– Conceptually equivalent to unplugging the network
cable
• Cons
– Easy to circumvent: use adjacent jack
– Manual process: not feasible for many hosts
– Recordkeeping can be tricky: which jack/port was associated with the blocked IP? What was the MAC address of the IP?
– Device must be on the network in order to block
Black hole/null route
• Pros
– Blocks take effect almost instantaneously
– Can block many devices efficiently
– Integration with ANI
• Cons
– Devices on same VLAN still exposed to threat
– Reporting limited within UITS/Support Center (no
means to associate IPs belonging to LSP yet)
Black hole/null route cont’d
– Only keeps track of IPs; registrants are not associated with blocked IPs (notification is best-effort and handled outside of the null route injector)
– Not suitable for dynamic IPs, such as remote access (VPN and dialup)
Remote Access: Modem
• Pros
– Simple to diagnose the block
– Difficult to circumvent (unless you have a second
account)
• Cons
– Can take up to several hours before session
terminates, and stop records written.
– Block prevents modem access from *any* device
(not solely the offending one)
Remote Access: VPN
• Subtleties
– Wireless: dhcp block
– Remote: change to ADS (wireless access)
• Pros
– For wireless hosts, can target only
offending host
– Excellent logging (radius and dhcp) and
reporting (wireless--MAS)
Remote Access: VPN cont’d.
• Cons
– For wireless, block latency same as dhcp; for
remote, block doesn’t take effect until session
terminates
– May be confusing to diagnose, as some blocks
may be a combination of wireless and remote
– VPN account block sometimes confused with
users not granted VPN access (during account
creation)
Notifications
• For remote access (VPN and dialup) and registered DHCP hosts, notifications are easily correlated with subscriber records.
• For static IPs or devices which fit into the “other” category, manual record searches must be done to determine host “ownership”. This can be very arduous!
Subject: IT Policy Office: Notice of compromised host (uliblsp/1e:a7:de:ad:be:ef)
Date: Mon, 31 Oct 2005 14:06:24 -0500 (EST)
From: IT Policy Office <[email protected]>
To: [email protected]
ULIBLSP,
Network reports indicate that the computer listed below has been
compromised. It appears a bot has taken over the system. A "bot,"
or "robot," is a program that is installed by an intruder, so that
the machine takes actions automatically, as programmed by the
intruder and at times specified by the intruder who put the bot there.
Our research indicates that these bots are being spread through
several methods. One method is instant messenger programs like AOL
Instant Messenger (AIM). The Knowledge Base article "What should I
do if my computer is infected with an AIM Trojan?"
(http://kb.iu.edu/data/aqhm.html) contains some good advice about
how to prevent your computer from being infected through instant
messaging.
Date                 Type   IP address      MAC address
-------------------- ------ --------------- -----------------
2005-10-30 14:05:38  dhcp   134.68.0.1      1e:a7:de:ad:be:ef

*** Network access for this user or computer is being blocked to ***
*** protect the University network from this threat.             ***
To recover from this compromise it is necessary to completely rebuild
the computer. When a computer is compromised in this manner, anything
on the system can be modified and/or monitored by someone else.
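The correlation step the Notifications slide describes (automatic for DHCP and remote-access blocks, manual for static/other), as an added example that is not part of the original deck. The registration table, RADIUS sessions, and contact addresses are constructed sample data, and the `[email protected]` placeholder domain is an assumption.

```python
from datetime import datetime

# Constructed sample records (not IU data). IPSAP-style DHCP registrations are
# keyed by MAC; remote-access (VPN/dialup) sessions come from RADIUS accounting.
DHCP_REGISTRATIONS = {
    "1e:a7:de:ad:be:ef": {"lsp": "uliblsp", "contact": "[email protected]"},
}
RADIUS_SESSIONS = [  # (username, assigned ip, start, stop or None if still active)
    ("jdoe",   "10.200.1.5", "2005-10-30 13:00:00", "2005-10-30 15:00:00"),
    ("asmith", "10.200.1.5", "2005-10-30 15:30:00", None),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(when, kind, ip, mac=""):
    """Find who to notify for a block event.
    kind is one of 'dhcp', 'vpn', 'dialup', or 'static' (anything else)."""
    if kind == "dhcp":
        reg = DHCP_REGISTRATIONS.get(mac.lower())
        if reg:
            return {"method": "ipsap", "owner": reg["lsp"], "contact": reg["contact"]}
        return {"method": "manual", "owner": None, "note": "unregistered MAC"}
    if kind in ("vpn", "dialup"):
        # Dynamic IPs are reused, so the session must cover the event timestamp.
        t = _ts(when)
        for user, sess_ip, start, stop in RADIUS_SESSIONS:
            if sess_ip == ip and _ts(start) <= t and (stop is None or t < _ts(stop)):
                return {"method": "radius", "owner": user, "contact": f"{user}@[email protected]"}
        return {"method": "manual", "owner": None, "note": "no session covers timestamp"}
    return {"method": "manual", "owner": None, "note": "static/other: search records"}

def subject_line(owner, kind, ip, mac=""):
    """Same shape as the notice above: owner/identifier in parentheses."""
    ident = mac if kind == "dhcp" else ip
    return f"IT Policy Office: Notice of compromised host ({owner}/{ident})"
```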
How do we know what to block?
• Investigation of reports sent to us via
(abuse|it-incident|itso|itpo)@(indiana|iupui|iu).edu
• Data gleaned from network flow
analysis (netflow)
• IDS: Intrusion detection (network)
• Other resources used to identify
malicious activity, sometimes combined
with above.
Intrusion Detection
• Detecting actions that attempt to compromise
the confidentiality, integrity or availability of a
resource
• Network based
• Packet inspection or “sniffing”: snort, ngrep
• Emphasis on high confidence, low false
positives
• In some instances, we act upon anomalous
activity (e.g. FTPd using nonstandard ports)
Automated Network Isolation (ANI)
• The coupling of Network Intrusion Detection
and Null Routing made easy
• In a nutshell
– ITSO IDS sensors detect malicious activity
– IDS notifies Null Route Injector “hub” to block IP
– ANI block is set with an expiration time of 10 mins
• Support Center has ability to view null routed
IPs (ANI and manually entered)
ANI cont’d
• Null route/blackhole: In some sense,
can be viewed as a “poor man’s” switch
port block
– Not as effective as switch port or dhcp
block (device can still communicate on its
own VLAN)
• Initial ANI rollout focusing on only one
IDS rule, with fairly low incidence and
high confidence.
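A model of the ANI hub described on these two slides (IDS alert in, null route with a 10-minute expiration out, manual entries alongside, and the Support Center view), written as an added example; it is not IU’s injector code. The class name, the eligibility check against campus and dynamic (VPN/dialup) ranges, and the manual-block-never-downgraded rule are assumptions.

```python
import ipaddress

ANI_TTL_SECONDS = 10 * 60  # ANI blocks expire after 10 minutes (from the slides)

class NullRouteInjector:
    """Hypothetical ANI hub: table of null-routed IPs, each labelled with a
    reason and required action. Time is injected so the logic is testable."""

    def __init__(self, campus_nets, dynamic_pools, now=0):
        self.campus = [ipaddress.ip_network(n) for n in campus_nets]
        self.dynamic = [ipaddress.ip_network(n) for n in dynamic_pools]
        self.now = now
        self.routes = {}  # ip -> dict(reason, action, source, expires)

    def _eligible(self, ip):
        # Null routing only makes sense for campus space, and the slides note
        # it is unsuitable for dynamic remote-access (VPN/dialup) addresses.
        addr = ipaddress.ip_address(ip)
        return (any(addr in n for n in self.campus)
                and not any(addr in n for n in self.dynamic))

    def on_ids_alert(self, ip, reason, action="Clean"):
        """IDS sensor -> hub. Returns True if a null route is active for ip."""
        if not self._eligible(ip):
            return False
        entry = self.routes.get(ip)
        if entry and entry["source"] == "manual":
            return True  # a manually entered block is never replaced by an expiring one
        self.routes[ip] = {"reason": reason, "action": action,
                           "source": "ANI", "expires": self.now + ANI_TTL_SECONDS}
        return True

    def manual_block(self, ip, reason, action):
        """Block entered by ITPO/Support Center staff: no expiration."""
        if not self._eligible(ip):
            return False
        self.routes[ip] = {"reason": reason, "action": action,
                           "source": "manual", "expires": None}
        return True

    def tick(self, seconds):
        """Advance the clock and withdraw ANI routes whose 10 minutes are up."""
        self.now += seconds
        for ip in [i for i, e in self.routes.items()
                   if e["expires"] is not None and e["expires"] <= self.now]:
            del self.routes[ip]

    def report(self):
        """Support Center view: every active null route, ANI and manual."""
        return sorted((ip, e["source"], e["reason"], e["action"])
                      for ip, e in self.routes.items())
```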
I suspect a device is blocked, what steps should I take?
• Step 0 (avoid subsequent steps): If possible
associate device with your department or
network id (IPSAP/dhcp).
• Step 1: diagnose that it is indeed a block, before calling the Support Center
• Characteristics of each block
– DHCP: Device will not be given a DHCP lease; therefore it will be placed on neither the public network nor the private 10.x network. NOTE: If wireless, the device may appear on the guest wireless network.
Block characteristics cont’d
– Switch port: Link light may be dark. Using
a network tester or laptop, the jack remains
unresponsive.
– Null route/blackhole: The device can
communicate with other hosts on the same
VLAN, yet is not routed beyond.
– Modem: End-user will be unable to
establish PPP session. Following
message may be displayed: “Your account
has been disabled.”
Block characteristics cont’d
– VPN: wireless (see dhcp); remote, user is
unable to authenticate to VPN server.
• Step 2: Contact the Support Center for
further info if all troubleshooting options
have been exhausted.
Once a block has been identified
• All blocks will be labeled with:
– A reason: (see next page)
– An action: What needs to occur before reenabling.
• Rebuild (in which case they need to take ALL steps as
outlined in http://kb.iu.edu/data/anbp.html)
• Clean
• Reconfigure (fix configuration to stop this)
• Contact ITPO.
• MAS reporting interface, LSPs can leverage
only if end-users associate themselves
Block codes
• Backdoor.Migmaf
• Backdoor.Sinit
• Botted host
• Compromised host
• Contact ITPO
• Dameware
• DMCA; DMCA1; DMCA2; DMCA3
• FTPd
• HOD
• Marketscore
• NOC request
• Open proxy
• Port scanning
• Probing for FTP
• Rogue DHCPd
• Router
• RPC overflow
• RPC scanning
• Slammer
• Spam
• W32.Beagle
• W32.Blaster
• W32.Korgo
• W32.MyDoom
• W32.Welchia
• WAP
• Wireless bridge
As an LSP, how do I get improved notifications & block reporting?
• Notifications
– IPSAP: be identified as the LSP of record for the
blocked device (will show how to update)
– Only dhcp is supported under IPSAP at this time.
– Non-dhcp (with the exception of remote access)
continue as best-effort manual process to identify
owner
• Reporting
– https://mas.iu.edu/ : View real-time dhcp blocks for
machines where you are identified as LSP.
• IPSAP is the pillar: https://dhcp.indiana.edu/
Other ways to better identify your hosts and contact info
• For static IPs, use intuitive names for DNS records (A records and inverse)
• Same with computer name
• Notify dns-admin@(indiana|iupui).edu when
– IPs deallocated; or reallocated within your group
– Changes in staffing occur that may be impacted
• Ensure your department/unit information is
correct in the PICs LSP database
Questions?