Auto redirection
Download
Report
Transcript Auto redirection
Advanced Internet Bandwidth
and Security Strategies
Fred Miller
Illinois Wesleyan University
Advanced Internet Bandwidth &
Security Strategies
• How Illinois Wesleyan University:
– Minimizes copyright infringement notices
– Allows peer-to-peer computing
– Maintains sub-second web performance
– Mitigates denial of service attacks
– Identifies virus infections
– Controls illegal activities on the campus network
Advanced Internet Bandwidth &
Security Strategies
• Layers of security
• Intrusion Detection
– Host based intrusion detection
– Network based intrusion detection
• Knowledge based
• Behavior based
• Bandwidth management & monitoring
• User education and enforcement
About Illinois Wesleyan University
• Liberal arts - 2100 students
– 1800 on-campus residents
• IT Resource limitations
– 16 IT Staff
– Voice, video, & data
• Environment
–
–
–
–
–
100mpbs switched port per pillow
18mbps Internet connection
No technology fee
Some wireless
LDAP authentication
Bandwidth & Security Strategies
•
•
•
•
•
•
•
•
User Education (and results)
Firewall & IP address policies
Response Time Measurement
Bandwidth Policies
Monitoring and detection
Redirection & quarantine
Judicial procedures
Future plans
User Education
• Computer Incident Factor Analysis and
Categorization (CIFAC) Project
– IT personnel
• More education and training…
– Users
• More education and training…
– Non IT Staff
• More education…
– Networks
• More resources, more and better procedures…
User Education @ Illinois Wesleyan
•
•
•
•
•
•
Freshman orientation
Web site, portal & e-mail lists
One on one training
Help desk
Assessment
Our customers
– Novices
– “The Mistaken”
User Education - Results
Illinois Wesleyan DMCA Notices
10
9
8
7
6
5
4
3
2
1
0
Sep04
Oct04
Nov04
Dec04
Jan05
Feb05
Mar05
Apr- May05
05
Jun05
Jul05
Aug- Sep05
05
Oct05
User Education - Results
Illinois Wesleyan - Web Redirects
130
120
110
100
90
80
70
60
50
40
30
20
10
0
Aug- Sep- Oct- Nov- Dec- Jan- Feb- Mar- Apr- May- Jun04
04
04
04
04
05
05
05
05
05
05
Jul05
Aug- Sep- Oct05
05
05
Firewall & IP Address Policies
•
•
•
•
•
No MAC registration (yet)
DHCP
All local 10.x.x.x IP numbers
Ports blocked inbound, few outbound
Restrict SMTP, SNMP, etc.
Response Time Measurement
• Library consortium RRDTOOL
• MRTG ping probe
• Packetshaper command: rtm sho
rtm sho
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
Bandwidth Policies Detail*
•
•
•
•
Traffic classification
Flow control
Host lists
Class licenses
*Command line vs. web interface
Traffic classification
•
•
•
•
•
Classify in and out - hundreds of classes
No changes for time of day
Can block/restrict by IP#, port, or protocol
Partitions and policies
Peer to peer - low priority, typically 10k
policy in, 1k policy out
• Gamers are a challenge
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
Flow control
• Limits the number of new flows per minute
for client or server actions
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
Classification and Flow Control
• No auto-discovery, but all traffic classified
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
Host lists
• Groups of internal or external IP numbers
using bandwidth rules
• Quarantine internal users
• Limit groups of high bandwidth servers
• Quickly block intruders
• Identify servers for additional priority
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
Class licenses
• Limit how many connections per class
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
Monitoring and Detection
•
•
•
•
•
•
Know what’s typical and atypical
Check for top bandwidth users
Watch number of flows - active and failed
Spot check
Automation
Community
Monitoring and Detection
• Know what’s typical & atypical
– sys heal
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
Monitoring and Detection
• Check for top bandwidth users
– Over time
• hos top sho /outbound
• Host top sho /inbound
• Host inf -sr -i
– Right now
• Host inf -sr -n 10
Monitoring and Detection
•
Watch number of flows - active and failed
– host inf -sf -n 10
– host inf -sp -n 10
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
Monitoring and Detection
•
Spot check
– Overall (e.g., check tree)
• tr tr
– Individual classifications
• tr fl -tupIc/outbound/discoveredports/students
• tr his recent /inbound/multimedia/mpeg-video
– Individual machines (servers & clients)
• tr fl -tupIA10.x.x.x
• tr his find 10.x.x.x
Monitoring and Detection
Automation
Rule sets: application and port rules
E-mail notifications
Identify & isolate violators
Packetshaper Adapative Response
Snort
Monitoring and Detection
Automation - Packetshaper Adaptive Response
Monitoring and Detection
Automation - Packetshaper Adaptive Response
Monitoring and Detection
Automation - Snort
By Martin Roesch
Extensive rule sets
Henwen & Letterstick = Snort GUI for Mac
Monitoring & Detection
Monitoring and Detection
Community - firewall log analysis
D-Shield Distributed Intrusion Detection System
http://www.dshield.org/
D-Shield Academic
http://dshield.infosecurityresearch.org/
SANS Internet Storm Center
http://isc.sans.org
Computer Emergency Response Team
http://www.cert.org
Redirection & Quarantine
• Soft quarantine
• Hard quarantine with redirect
QuickTime™ and a
TIFF (LZW) decompressor
are needed to see this picture.
Judicial Procedures
• Network disruption - logical disconnect
• RIAA notices - less than 1 per month
• Students referred to Associate Dean of
Students for judicial processes
Future Plans
•
•
•
•
•
•
Cisco ASA - firewall, VPN, intrusion detection
More Adaptive Response
More Snort
45mbps Internet
NetReg?
Clean Access?
– VLAN Quarantine
• Wireless authentication
Advanced Internet Bandwidth &
Security Strategies
• Summary
–
–
–
–
User education is key
Need layers of security
Bandwidth management & monitoring
Intrusion detection and prevention
• Hosts and network
• More application level detection
• Support more community efforts
– Enforce policies with judicial procedures
Additional References…
• Packeteer Education e-mail list
http://www.packeteer.com/prod-sol/stanford.cfm
• EDUCAUSE Intrusion Detection Resources
http://www.educause.edu/Browse/645?PARENT_ID=661
• CIFAC Project Report (volume 1)
http://www.educause.edu/LibraryDetailPage/666?ID=CSD4207
• Illinois Wesleyan IT Policies
http://titan.iwu.edu/IT/policies/
• Snort http://www.snort.org
• Henwen & Letterstick
http://seiryu.home.comcast.net/henwen.html