NetPass and Northwestern
By Julian Y. Koh
As told by Robert Vance
NUIT-Telecom & Network Services
Outline
• A Brief History
• Past Tools and Solutions
• What is NetPass?
• How Does NetPass Work?
• What Will NetPass Become?
A Brief History
• Pre-2003
– Relatively few virus/worm outbreaks
– Quickly contained
– Slowly increasing frequency
• And then…
History - Winter 2003
• MS SQL Slammer Worm
– Aggressive scanning on TCP Port 1434
– <30 infected hosts crippled over half the network
– Still quickly contained
History - Summer/Fall 2003
• Blaster Worm
– Exploited DCOM RPC hole
– Scanned on TCP port 135
• Welchia Worm
– Patched Blaster DCOM hole
– Scanned on TCP ports 135 and 80
– Opened backdoor port 707
– Aggressive ICMP pinging to find hosts
History - Winter 2004
• Email Viruses
– SoBig
– Beagle
– NetSky
– Backdoors used for spam proxying!
History - Spring 2004
• Sasser Worm
– Exploited LSASS hole
– Scanned on TCP port 445
• Gaobot/Agobot
– Rise of the Botnet
– IRC command/control channel
– Scanned for previous worm backdoors
– Denial of Service attacks swamp Internet connectivity
Past Tools and Solutions
• Turning Off Ports
– Disruptive to users
– No easy self-fixing or information provided
– Machine can move
• Disabling NetIDs
– Very disruptive
Past Tools and Solutions
• NUSA
– Allowed tech support admins to receive automated reports and reactivate ports
• NetReg
– Associated NetID with MAC address via DHCP
– Rudimentary port scanning
Limitations of NetReg
• Relied on DHCP for quarantining
• Still had to shut off ports
• Problem machines could move ports to regain connectivity
What is NetPass?
• Layer 2 quarantine
• Selective access
• Host-based registration
– Associate NetID with MAC address
• Vulnerability/Infection scanning
• Per-event per-network self-remediation instructions
• Integration with other systems
How Does NetPass Work?
• General Principles
– All ports default to QUAR network
– Same DHCP server, DNS server, and IP addresses for QUAR and UNQUAR networks
– Traffic routing depends solely on QUAR/UNQUAR switch port assignment
– Access allowed to certain Web sites
• Windows Update, Symantec, etc.
NetPass Network Diagram
[Diagram: a ResNet Computer plugs into a Switch port that is assigned to either the QUAR VLAN (VLAN 100) or the UNQUAR VLAN (VLAN 200). The Switch connects to a Router that has the same address, 199.74.105.1, on both VLAN 100 and VLAN 200, and to a DHCP Server. The NetPass Server is labelled 199.74.105.23 with External IP 165.124.51.8, and the Router provides the path to the Internet.]
NetPass User Experience
[Flowchart with nodes: User Connects, Move to QUAR, Log In, Already Scanned? (Yes → Move to UNQUAR; No → Scan), Scan Pass? (Yes → Move to UNQUAR; No → Remediate), User Disconnects → Move to QUAR.]
Additional Capabilities
• PQUAR - Permanent Quarantine
– Used instead of shutting off ports
• PUNQUAR - Permanent Unquarantine
– Used for manually registered devices
Interesting Situations
• Cookies required
• Machine must source network traffic soon after bringing up Ethernet link
– Effect: user must launch web browser to force NetPass to recognize the machine
• Firewalls
– Scan can take up to 1 minute
Interesting Situations
• Hublet/Switchlet
– NetPass sees multiple MAC addresses
– All MAC addresses will have to be registered before port will be moved to UNQUAR
• Router or NAT device
– NetPass will only see 1 MAC address
– If client machines move to other ports, they will have to be scanned again
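The port-state rules spread across "What is NetPass?", "How Does NetPass Work?", the user-experience flowchart, "Additional Capabilities" and the hublet/NAT cases above can be captured in one small model. The following is an added illustration written for these notes, not NetPass's own code: the class, method and constant names (NetPassModel, Port, link_up, link_down, evaluate, blockers, user_session) are assumptions, and only the VLAN numbers and the QUAR/UNQUAR/PQUAR/PUNQUAR terms come from the slides.

```python
"""Toy model of the NetPass port-state logic described in these slides.

Added illustration, not NetPass's own code. Class, method and constant names
are assumed for the example; only the VLAN numbers and the
QUAR/UNQUAR/PQUAR/PUNQUAR terms come from the deck.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

QUAR_VLAN = 100      # quarantine VLAN (VLAN 100 in the network diagram)
UNQUAR_VLAN = 200    # unquarantined VLAN (VLAN 200)
PQUAR = "PQUAR"      # permanent quarantine, used instead of shutting a port off
PUNQUAR = "PUNQUAR"  # permanent unquarantine, for manually registered devices


@dataclass
class Port:
    name: str
    vlan: int = QUAR_VLAN            # every port defaults to QUAR
    override: Optional[str] = None   # PQUAR, PUNQUAR or None
    macs_seen: set = field(default_factory=set)


class NetPassModel:
    def __init__(self):
        self.registrations = {}  # MAC -> NetID (host-based registration)
        self.scanned_ok = set()  # MACs whose last vulnerability scan passed
        self.ports = {}

    def port(self, name):
        return self.ports.setdefault(name, Port(name))

    def register(self, mac, netid):
        self.registrations[mac] = netid

    def record_scan(self, mac, passed):
        (self.scanned_ok.add if passed else self.scanned_ok.discard)(mac)

    def set_override(self, port_name, override):
        self.port(port_name).override = override
        return self.evaluate(port_name)

    def evaluate(self, port_name):
        """Decide the port's VLAN from overrides and the MACs seen on it.

        A hublet/switchlet shows several MACs on one port; every one of them
        must be registered and scanned before the port leaves QUAR. A NAT box
        shows only its own MAC, so a client that later appears on another
        port is an unscanned MAC there and lands in QUAR again.
        """
        p = self.port(port_name)
        if p.override == PQUAR:
            p.vlan = QUAR_VLAN
        elif p.override == PUNQUAR:
            p.vlan = UNQUAR_VLAN
        elif p.macs_seen and all(
            m in self.registrations and m in self.scanned_ok for m in p.macs_seen
        ):
            p.vlan = UNQUAR_VLAN
        else:
            p.vlan = QUAR_VLAN
        return p.vlan

    def link_up(self, port_name, macs):
        """Host(s) begin sourcing traffic on a port."""
        self.port(port_name).macs_seen = set(macs)
        return self.evaluate(port_name)

    def link_down(self, port_name):
        """Port returns to QUAR on disconnect unless PUNQUAR is set."""
        self.port(port_name).macs_seen.clear()
        return self.evaluate(port_name)

    def blockers(self, port_name):
        """MACs keeping the port in QUAR, for per-event remediation output."""
        p = self.port(port_name)
        return sorted(m for m in p.macs_seen
                      if m not in self.registrations or m not in self.scanned_ok)

    def user_session(self, port_name, mac, netid, scan: Callable[[str], bool]):
        """Walk the user-experience flowchart for a single host on a port."""
        self.link_up(port_name, {mac})          # connect: port starts in QUAR
        self.register(mac, netid)               # log in ties NetID to MAC
        if mac not in self.scanned_ok:          # already scanned? if not, scan
            self.record_scan(mac, scan(mac))    # fail -> stays QUAR, remediate
        return self.evaluate(port_name)
```

The `scan` callback stands in for the external vulnerability scan; a real deployment would also need the timeout handling the "Firewalls" note implies, since a host that drops probes can keep the scan running for up to a minute before a verdict exists.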
NetPass Administration
• https://netpass.ittns.northwestern.edu/Admin/
• Must connect to VPN from dorms first
• All Rescons and SC cons should have access to QuarControl and Manual Registration
• Note: with great power comes great responsibility!
• Remember to log out!!!
NetPass Futures
• Snort IDS integration
– Automatic QUAR on suspicious network traffic
• Software client integration
– More accurate than external scanning
– Eliminates firewall problem
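The worms in "A Brief History" shared one tell: a single host contacting many destinations on one port (1434, 135, 80, 445) or ICMP-pinging broadly, which is the kind of traffic the planned Snort integration would turn into an automatic QUAR. The detector below is an added example for these notes, not part of NetPass or Snort; its flow-record format and sample records are constructed, and the threshold and window are assumptions a site would tune.

```python
"""Added example: spot worm-style scanning in flow records.

Not part of NetPass or Snort. The flow-record format and the sample records
are constructed for this example; the threshold and window are assumptions.
The watched ports come from the worm behaviour the deck describes.
"""
from collections import Counter, defaultdict

# Scan ports the deck names, with the worm it associates them with
WATCHED_PORTS = {1434: "Slammer", 135: "Blaster/Welchia", 80: "Welchia", 445: "Sasser"}
DISTINCT_DST_THRESHOLD = 20  # assumption: distinct destinations per source/port
WINDOW_SECONDS = 60          # assumption: sliding window length


def parse_flow(line):
    """Constructed format: '<epoch> <src> <dst> <proto> <dport|->'."""
    ts, src, dst, proto, dport = line.split()
    return int(ts), src, dst, proto, None if dport == "-" else int(dport)


def label(proto, dport):
    if proto == "icmp":
        return "ICMP sweep (Welchia-style host discovery)"
    worm = WATCHED_PORTS.get(dport)
    if worm:
        return f"{worm}-style scan on {proto}/{dport}"
    return f"scan on {proto}/{dport}"


def max_distinct_in_window(events, window):
    """Largest number of distinct destinations seen within any time window."""
    events.sort()
    counts, left, best = Counter(), 0, 0
    for ts, dst in events:
        counts[dst] += 1
        while events[left][0] < ts - window:   # drop events older than the window
            old = events[left][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            left += 1
        best = max(best, len(counts))
    return best


def detect_scanners(lines, threshold=DISTINCT_DST_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src: [(label, distinct_dst_count), ...]} for sources over threshold."""
    buckets = defaultdict(list)                # (src, proto, dport) -> [(ts, dst)]
    for line in lines:
        ts, src, dst, proto, dport = parse_flow(line)
        buckets[(src, proto, dport)].append((ts, dst))
    alerts = defaultdict(list)
    for (src, proto, dport), events in buckets.items():
        fanout = max_distinct_in_window(events, window)
        if fanout >= threshold:
            alerts[src].append((label(proto, dport), fanout))
    return dict(alerts)


# Constructed sample: a Sasser-like scanner, a normal web client, an ICMP sweeper
SAMPLE_FLOWS = (
    [f"{1000 + i} 10.1.1.5 10.1.2.{i + 1} tcp 445" for i in range(30)]
    + [f"{1000 + 10 * i} 10.1.1.7 192.0.2.{i + 1} tcp 80" for i in range(5)]
    + [f"{2000 + i} 10.1.1.9 10.1.3.{i + 1} icmp -" for i in range(25)]
)

if __name__ == "__main__":
    for src, hits in detect_scanners(SAMPLE_FLOWS).items():
        for what, n in hits:
            print(f"{src}: {what} ({n} distinct destinations) -> candidate for QUAR")
```

Fan-out per source and port is the signal here, not payload, which is why the normal web client touching five servers stays below the threshold while the two sweepers trip it; tying an alert to a switch port for an automatic QUAR would use the MAC-to-port mapping NetPass already maintains.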
Questions?
• [email protected]
• [email protected]
• http://www.nessus.org/
• http://www.squid.org/
• http://www.it.northwestern.edu/student-support/netpass/