SC04 Network Security Wrap-Up

Version 3
Role of Network Security in SCinet
• ISP role in protecting the network
(1) Protect the network infrastructure
(2) Protect the Internet from SCinet
(3) Help exhibitors and attendees
• Testbed for new tools, techniques and systems
SCinet network architecture
• Simple campus architecture routed via Juniper T640,
T320 and Cisco 6509
• Bandwidth Challenge 10G participants given
connectivity via Force10
• WAN connections
– OC3 commodity Internet service via Qwest
– 16 OC192 links (NLR, ESNet, Abilene, Teragrid, etc.)
– 1 OC768 link to PSC
• Wireless architecture (free/open system)
– Integrated wireless system by Trapeze
• Wired conference network to every meeting room
• Argonne address space (140.221.128.0/17)
SCinet security team
• Timothy Toole - Sandia
• Stephen Lau - NERSC/LBL
• Jim Hutchins - Sandia
• Scott Campbell - NERSC/LBL
• Bill Nickless - PNNL
• Tim Witteveen - PNNL
• Roger Winslow - NERSC/LBL
• Patrick Stevens - Sandia
Network Security Features
• Three primary IDS systems
– Mon, Bro, Snort
• Cisco port mirroring
• Packet Engines GigE Hub & NetOptics splitters
• RST responder, Desuckit application, SYN-ACK responder
• Password display
• MAC address blocking on wireless
• Experimental
– Flo, OSX, AMD64 Opteron, Xyratex RAID system,
S2IO 10GigE NICs
Expectations
• Whack-a-mole game with worms (wired and wireless)
• Expect about a handful of successful intrusions (requiring clean-up)
• Likely target of cluster/HPC systems
– Valuable information provided by FBI
– Expect to see outbound TCP 53 and 55
• Expect other 'phone-home' mechanisms (bot-nets)
Worm infections (approx. 35)
• Never really attempted to identify the exact signature
• Locating an infected device takes time, especially on DHCP wireless
• Repeat offenders
• Tried shunning in the Trapeze system, but it took time to implement (mainly due to 1 individual having access)
• Shunning induced a load through AP association requests
• Much success in responding with SYN-ACKs and window sizes of zero
– Significantly slowed down the infected host
– Need a good Windows administrator who's security conscious to help repair systems
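The zero-window SYN-ACK response above is a classic TCP tarpit: the scanner's connect() succeeds, but with a receive window of zero it can never send its payload, and every probe it makes stays parked in its connection table. The following is an added example of how such a responder builds its replies (it is not the SCinet team's SYN-ACK or RST responder code). It constructs raw IPv4/TCP segments by hand, so a tarpit reply can be checked field by field; the addresses, ports and sequence numbers are constructed test values, and the actual transmission needs a raw socket and root, which is shown in send_raw but not exercised.

```python
"""Added example: a minimal zero-window SYN-ACK tarpit (and RST) responder.
Not SCinet tooling; the IPv4/TCP framing here is the standard RFC 791/793
layout with no options, which is all a tarpit reply needs."""
import socket
import struct

SYN, ACK, RST = 0x002, 0x010, 0x004


def checksum(data: bytes) -> int:
    """Ones-complement sum of 16-bit words (RFC 1071); 0 means 'verifies'."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_segment(src, dst, sport, dport, seq, ack, flags, window) -> bytes:
    """IPv4 + TCP packet with 20-byte headers, no options, no payload."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, (5 << 12) | flags, window, 0, 0)
    pseudo = s + d + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, s, d)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt: bytes) -> dict:
    """Decode the IPv4 and TCP headers and verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != socket.IPPROTO_TCP:
        raise ValueError("not TCP")
    src, dst = pkt[12:16], pkt[16:20]
    tcp = pkt[ihl:total_len]
    sport, dport, seq, ack, off_flags, win, _csum = struct.unpack("!HHIIHHH", tcp[:18])
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(tcp))
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "flags": off_flags & 0x1FF, "window": win,
        "ip_csum_ok": checksum(pkt[:ihl]) == 0,
        "tcp_csum_ok": checksum(pseudo + tcp) == 0,
    }


def tarpit_reply(pkt: bytes, isn: int = 0):
    """For an inbound bare SYN, return the SYN-ACK that completes the
    handshake with window 0; anything else gets None (left alone)."""
    f = parse_packet(pkt)
    if f["flags"] != SYN:
        return None
    return build_segment(f["dst"], f["src"], f["dport"], f["sport"],
                         isn, f["seq"] + 1, SYN | ACK, 0)


def rst_reply(pkt: bytes):
    """The 'RST responder' variant: tear the attempt down instead of holding it."""
    f = parse_packet(pkt)
    if f["flags"] != SYN:
        return None
    return build_segment(f["dst"], f["src"], f["dport"], f["sport"],
                         0, f["seq"] + 1, RST | ACK, 0)


def send_raw(pkt: bytes, dst: str) -> None:
    """Emit a crafted packet; needs CAP_NET_RAW or root. Not run here."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(pkt, (dst, 0))


if __name__ == "__main__":
    # Constructed probe: a scanner at 10.0.0.5 hitting TCP/445 on a SCinet host.
    probe = build_segment("10.0.0.5", "140.221.130.7", 40000, 445, 1000, 0, SYN, 65535)
    print(parse_packet(tarpit_reply(probe, isn=7)))
```

The responder only answers bare SYNs and leaves established flows alone, which matters on a shared conference network: replying to anything but the initial probe would interfere with legitimate sessions to the same addresses. A real deployment also has to rate-limit replies, since an infected host sweeping a /17 will happily complete thousands of zero-window handshakes.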
Intrusions
• 11/07 @ 9:00 SCinet rental desktop
– Very poorly configured from PC vendor
• 11/08 @ 11:53 VendorW booth (linux cluster)
– Brute forced ssh password, outbound ftp & IRC
• 11/10 in the AM
– MSSQL null SA password
• 11/11 @ 08:25 & 08:36 VendorX and BoothY (Linux systems)
– Brute forced ssh password; identification of rootkit
• 11/11 @ 10:21-15:07 VendorZ (Windows laptop)
– Windows file sharing exploit/whatever; became FTP server
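Three of the five intrusions above started with a brute-forced ssh password. The following is an added example, not the SCinet team's tooling, of the log-side detection that catches that pattern: a run of sshd password failures from one source inside a short window, followed by a password login from the same source. The log excerpt is constructed in standard syslog format; the year is assumed to be 2004 (SC04), since syslog lines carry none, and the host names and addresses are placeholders.

```python
"""Added example: flag ssh password brute force, and the success that follows it,
from sshd syslog lines. Constructed log data; not SCinet's code."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed auth.log excerpt: a booth cluster head node during the 11/08 window.
LOG = """\
Nov  8 11:40:01 cluster-head sshd[2211]: Failed password for root from 203.0.113.9 port 4312 ssh2
Nov  8 11:40:03 cluster-head sshd[2213]: Failed password for root from 203.0.113.9 port 4313 ssh2
Nov  8 11:40:05 cluster-head sshd[2215]: Failed password for invalid user admin from 203.0.113.9 port 4314 ssh2
Nov  8 11:40:07 cluster-head sshd[2217]: Failed password for root from 203.0.113.9 port 4315 ssh2
Nov  8 11:40:09 cluster-head sshd[2219]: Failed password for root from 203.0.113.9 port 4316 ssh2
Nov  8 11:41:30 cluster-head sshd[2230]: Accepted password for root from 203.0.113.9 port 4320 ssh2
Nov  8 11:52:00 cluster-head sshd[2301]: Failed password for jsmith from 140.221.140.22 port 51000 ssh2
Nov  8 11:52:10 cluster-head sshd[2303]: Accepted publickey for jsmith from 140.221.140.22 port 51001 ssh2
"""


def parse(line: str, year: int = 2004):
    """Return (timestamp, result, method, user, ip) or None for other lines."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["method"], m["user"], m["ip"]


def analyze(text: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)):
    """Emit ('brute-force', ip, failures) once a source reaches `threshold`
    failures inside `window`, and ('brute-force-success', ip, user) for any
    later password login from a source already flagged."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = set()
    alerts = []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, method, user, ip = rec
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, len(q)))
        elif result == "Accepted" and method == "password" and ip in flagged:
            alerts.append(("brute-force-success", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in analyze(LOG):
        print(alert)
```

The second alert is the one worth paging on: failures alone are background noise on any host exposed to the open Internet, but a password success from a source that was just guessing is the "0wn3d" case that needs the clean-up the summary talks about. Public-key logins are deliberately not counted as successes, since they are not what a password guesser gets.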
Intrusion Summary
• At least 1 compromised system to deal with per day
• Windows boxes are low hanging fruit on the open Internet
• Weak passwords are also low hanging fruit on the open Internet
• Script-kiddie Romanians are a pain to deal with, but somewhat entertaining
• Need someone good at explaining the problem to the customer (definition of 0wn3d)
Lessons learned
• Intrusions were caught by good judgment
• Need to factor in 2x to 3x the amount of time to get stuff done
• if (BitTorrent && Wireless) { wireless.usability = crap; }
• Users not courteous on wireless
– 500? users associated on empty exhibit hall
• RF interference, rogue APs, mis-configured laptops and old drivers cause wireless problems
• Never got a good data stream to adequately test 10GbE cards or application(s)
• Not sure how to educate this particular community on good practices
• Outbound IRC ports made it easy to pick up suspicious traffic
– Don't confuse GPFS with IRC
• Need IPv6 IDS, since we have some native v6 links
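The outbound-IRC lesson, and its GPFS false positive, can be turned into a small flow-level check. The following is an added example and not the SCinet team's Bro or Snort configuration: it scans constructed connection records for flows leaving the Argonne address space (140.221.128.0/17, from the architecture slide) toward ports commonly used by IRC, confirms the verdict when the first payload bytes carry IRC protocol verbs, and otherwise exempts an assumed allow-list of known GPFS cluster nodes. The port set, the allow-list addresses, the record format and the sample flows are all assumptions made for the example.

```python
"""Added example: outbound IRC detection with the GPFS false positive handled.
Constructed records; not SCinet's IDS configuration."""
import ipaddress
import re

SCINET = ipaddress.ip_network("140.221.128.0/17")       # from the architecture slide
IRC_PORTS = set(range(6660, 6670)) | {7000}              # assumption: ports treated as IRC
# Assumption: placeholder address of a cluster node known to run GPFS over the WAN
ALLOWLIST = {ipaddress.ip_address("140.221.131.10")}
# IRC client verbs at the start of a line of the first payload bytes
IRC_VERB = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|PONG) ", re.M)

# Constructed sensor output: ts, src, sport, dst, dport, hex of first payload bytes ('-' if none)
RECORDS = """\
1100018001.5\t140.221.140.22\t51234\t203.0.113.9\t6667\t4e49434b20626f74310d0a
1100018002.0\t140.221.131.10\t1023\t198.51.100.5\t6667\t000000180100
1100018003.2\t140.221.150.7\t3301\t198.51.100.77\t7000\t-
1100018004.8\t203.0.113.40\t44000\t140.221.150.7\t6667\t4e49434b20780d0a
1100018005.1\t140.221.140.22\t51240\t203.0.113.9\t22\t5353482d322e30
"""


def parse_record(line: str) -> dict:
    ts, src, sport, dst, dport, payload = line.rstrip("\n").split("\t")
    return {
        "ts": float(ts),
        "src": ipaddress.ip_address(src), "sport": int(sport),
        "dst": ipaddress.ip_address(dst), "dport": int(dport),
        "payload": b"" if payload == "-" else bytes.fromhex(payload),
    }


def classify(rec: dict):
    """None for flows we do not care about, otherwise a verdict string."""
    outbound = rec["src"] in SCINET and rec["dst"] not in SCINET
    if not outbound or rec["dport"] not in IRC_PORTS:
        return None
    if IRC_VERB.search(rec["payload"]):
        return "irc-confirmed"          # real IRC verbs: alert even from an allow-listed host
    if rec["src"] in ALLOWLIST:
        return None                     # known GPFS node, no IRC verbs: the slide's false positive
    return "irc-port-unconfirmed"       # port match only: queue for an analyst


def detect(text: str):
    """Return (verdict, src, dst, dport) for every record that deserves a look."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        verdict = classify(rec)
        if verdict:
            hits.append((verdict, str(rec["src"]), str(rec["dst"]), rec["dport"]))
    return hits


if __name__ == "__main__":
    for hit in detect(RECORDS):
        print(hit)
```

The payload check is deliberately tried before the allow-list: a GPFS node that has actually been compromised and is joining a botnet channel should still fire. Inbound flows on the same ports are ignored here because the slide's signal was outbound; an exhibitor running an IRC server is a different policy question.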
Future projects
• SCinet05 network architecture and its impact on
network security
• 10GbE IDS/Monitoring systems
• BPF/PCAP/IP/TCP on a 1/10Gig card
• Visualization
• Netflow analysis (help from CERT)
• User education?