Once you let them connect, how do you make sure they are behaving?
Joseph Karam
Director, Network & Telecommunication Services,
Hamilton College
ResNet 2007
Hamilton College
- Liberal Arts college in Clinton, New York
- Chartered in 1812 – one of the oldest colleges in New York State
- 1,800 undergraduate students
- 200 Faculty
- 400 Administrators and Staff
Network Services @ Hamilton
- 4.5 full-time administrators
- Team Leader
- 2.5 Network & Systems Administrators
- Telephone Administrator
- Wiring Technician (outsourced)
- Interns
Network Infrastructure @ Hamilton
- 6,000+ network jacks on-campus
- 160+ Cisco Switches
- 200+ Cisco Wireless Access Points
- 50+ Windows Servers
- 10 UNIX Servers
- 5 Macintosh Servers
- 50 Mbps Internet connection
Hamilton College Philosophy
All devices are allowed to connect and use the network unless they are behaving in a manner which impacts the operation of the network and the ability for other devices to reliably use the network.
Network Security Monitoring Tools
- Firewalls
- Network Access Control (NAC) Systems
- Intrusion Detection/Prevention Systems
- Network Behavior Analysis Systems
- Log & Event Management Systems
- Virus/Spyware/Spam Gateways
- Etc.
Network Behavior Monitoring
Network behavior monitoring involves:
- monitoring a network for deviations in typical activity
- detecting the unusual activity
- stopping the unusual activity from impacting network operations.
Network Behavior Monitoring vs. Intrusion Detection Systems
- Intrusion Detection Systems perform signature detection, examining the network for packet sequences known to be malicious.
- Network behavior monitoring systems perform anomaly detection based on behaviors that fall outside predefined accepted guidelines.
- Intrusion Detection Systems detect ‘intrusions’ from outside a protected network segment.
- Network behavior monitoring systems detect malicious behavior from endpoints inside & outside the network.
Benefits of Network Behavior Monitoring
- Secure against new “zero-day” vulnerabilities that intrusion detection systems and firewalls cannot recognize.
- Detect virus and worm attacks before they impact network operations.
- Stop threats that start inside the network.
- Provides visibility into the network to really understand how the network is being used.
Unwanted Network Behaviors
- Network attacks (nmap, TCP/UDP port scans, ICMP floods)
- Excessive connections (P2P, Gaming)
- Unauthorized Servers (Mail, Web, FTP, DHCP, DNS)
- Unauthorized Routers/Gateways
- Excessive Bandwidth
- Unauthorized Applications
Network Behavior Monitoring Products
- Mirage Networks
- Mazu Networks
- Lancope Stealthwatch
- Q1 Labs
- Cisco MARS
- Arbor Networks PeakFlow X
- GraniteEdge Networks
- PacketFence (OpenSource)
- NetFort Technologies
- SourceFire
Network Behavior Monitoring with Mirage Networks
- ARP Cache Manipulation
- Deception (Honey Pot)
- Reverse Access Restriction
- Web page redirection or quarantine
- Help Desk Support
- Passive device
- Alerts, analysis, and reporting
- Pre-Admission compliance checking
- MAC/IP address and OS checking
Network Design
Implementation with Mirage
- Configured on network in ½ day.
- Monitored network for 2 to 4 weeks.
- Configured exceptions.
- Implemented deception on each VLAN individually.
- Adjusted profiles for security threats.
- Implemented security threat restrictions one at a time.
Mirage Zones
- Priority 5 – Full Access
- Priority 4 – Monitored Access
- Priority 2 – Out of Policy – Pre-Admission Compliance
- Priority 1 – Security Threat
Mirage Restrict Access Profiles in Security Threat Zone
- Too Many Managed
- TCP Scan
- Too Many Unmanaged
- UDP Scan
- Too Many Unused
- Nmap Usage
- Too Many SMTP Hosts
- Port Scan
- Too Many SMTP SYNs
- IRC Heartbeat
- Stolen Devices
- Unauthorized TFTP
- IP Telephony Attacks
Port Scan Restriction Example
- Port scanning 500 TCP ports on one IP address in 60 seconds.
Too Many Unmanaged Restriction Example
- Connecting to more than 800 IP addresses in 60 seconds.
Too Many SMTP Hosts Restriction Example
- Launching 30 SMTP connections in 60 seconds.
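The three restriction thresholds above, evaluated over a 60-second window of flow records, as an added example that is not part of the original slides or of the Mirage product. Flow tuples, host addresses and the profile names returned are constructed for illustration; the thresholds are the ones stated on the slides.

```python
from collections import defaultdict

# Thresholds taken from the restriction examples (each over a 60-second window).
WINDOW_SECONDS = 60
PORT_SCAN_PORTS = 500          # distinct TCP ports probed on one destination IP
TOO_MANY_UNMANAGED_HOSTS = 800 # "more than 800" distinct destination IPs
TOO_MANY_SMTP_CONNS = 30       # SMTP (tcp/25) connections launched

def evaluate_flows(flows, now):
    """Map each source IP to the restriction profiles it triggers.
    flows: iterable of (timestamp, src_ip, dst_ip, proto, dst_port).
    Only flows inside the last WINDOW_SECONDS before `now` are counted."""
    ports_per_target = defaultdict(set)  # (src, dst) -> distinct TCP ports
    targets = defaultdict(set)           # src -> distinct destination IPs
    smtp_conns = defaultdict(int)        # src -> number of tcp/25 connections
    for ts, src, dst, proto, dport in flows:
        if ts < now - WINDOW_SECONDS or ts > now:
            continue  # stale or future record: outside the window
        targets[src].add(dst)
        if proto == "tcp":
            ports_per_target[(src, dst)].add(dport)
            if dport == 25:
                smtp_conns[src] += 1
    hits = defaultdict(list)
    for (src, _dst), ports in ports_per_target.items():
        if len(ports) >= PORT_SCAN_PORTS:
            hits[src].append("Port Scan")
    for src, dsts in targets.items():
        if len(dsts) > TOO_MANY_UNMANAGED_HOSTS:
            hits[src].append("Too Many Unmanaged")
    for src, n in smtp_conns.items():
        if n >= TOO_MANY_SMTP_CONNS:
            hits[src].append("Too Many SMTP Hosts")
    return dict(hits)

def sample_flows():
    """Constructed sample traffic: one host per profile, one normal host, one stale flow."""
    flows = []
    # 10.0.1.5 probes 500 TCP ports on a single host within 45 s -> Port Scan
    flows += [(t * 45 // 500, "10.0.1.5", "10.0.2.9", "tcp", 1 + t) for t in range(500)]
    # 10.0.1.6 touches 801 distinct hosts on tcp/445 within 30 s -> Too Many Unmanaged
    flows += [(t * 30 // 801, "10.0.1.6", f"10.0.{3 + t // 250}.{t % 250}", "tcp", 445)
              for t in range(801)]
    # 10.0.1.7 opens 30 SMTP connections within 20 s -> Too Many SMTP Hosts
    flows += [(t * 20 // 30, "10.0.1.7", f"192.0.2.{t}", "tcp", 25) for t in range(30)]
    # 10.0.1.8 browses normally: 12 hosts, ports 80/443 only -> no restriction
    flows += [(t, "10.0.1.8", f"198.51.100.{t % 12}", "tcp", 80 if t % 2 else 443)
              for t in range(24)]
    # an old record from well before the window; must be ignored
    flows.append((-100, "10.0.1.9", "10.0.2.9", "tcp", 22))
    return flows
```

Calling `evaluate_flows(sample_flows(), now=60)` flags only the three misbehaving sources, which is the decision a behavior monitor makes before moving a host into the Security Threat zone.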
Student Perspective Example
- Student connects computer to the network and gains full access if compliance requirements are met.
- Student computer starts scanning the network due to a virus or worm.
- Mirage system automatically detects the attack and restricts network access for the student computer.
- Student receives a web page notice saying they are removed from the network.
Student Perspective Example (continued)
- Student contacts Help Desk for assistance.
- Help Desk uses Mirage system to assist in troubleshooting and cleaning the student computer.
- Once the attack has stopped, Mirage system automatically re-enables the student computer to obtain full access to the network.
Computer with Full Access
Computer with Restricted Access
Number of Computers Restricted

Month         2004      2005      2006
January       84        31        17
September     52        24        44*
Other Months  10 to 20  5 to 20   5 to 20

* Increase due to rule changes to restrict access of P2P abuse.
Conclusion
- Saves staff time from monitoring logs and manually disconnecting/reconnecting computers from the network.
- Decreases the number of infected computers by stopping attacks quickly.
- Requires no changes to user experience.
- Provides enhanced troubleshooting into network issues.
- Does not punish ‘good’ network users.
Future Goals for Hamilton
- Self-help remediation quarantine area
- Pre-admission authentication and compliance for student computers
Questions?
www.resnetsymposium.org/resnet2007
Joe Karam
Hamilton College
[email protected]
315-859-4167