Post on 15-Jan-2016
Automated Network Isolation

at Indiana University

David A. Greenberg

Information Technology Security and Policy Office

Indiana University

Copyright Indiana University 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Indiana University

• Founded in 1820

• 8 campuses

• ~100,000 Students

• ~18,000 Faculty and Staff

http://factbook.indiana.edu/fbook05/fast_facts/fastfacts1.shtml


IT Security and Policy Office

• Reports directly to CIO

• University-wide office

• Staff responsible for a wide range of technologies


Incident Response

• Coordinating response to incidents of abuse or inappropriate use of information or information technology, such as:
  – Computer and network security breaches
  – Unauthorized disclosure or modification of electronic information
  – Denial of service attacks
  – Port probes, scans
  – Identifying virus infected machines
  – Copyright infringement (DMCA)
  – Forgery, fraud, harassment, chain mail, etc.


Incident Response Process

• Reports sent in to our tracking system
• Gather supporting technical data
• Interact with computer security officers to assist with technical investigation
• Package technical information for IU governance agencies, IU legal counsel, law enforcement, prosecutors, university administration, etc.


Incident Response Statistics

[Chart: Total Incidents per year, 1997–2006; y-axis "# of incidents", scale 0 to 12000]


What types of common blocks exist?

• On Campus
  – DHCP lease
  – Switch port
  – Null Route
  – Router ACL

• Remote Access
  – Dialup modem pool
  – VPN access


Null Route

• A route that goes nowhere

> route add 192.168.1.1 mask 255.255.255.255 0.0.0.0

• Unicast Reverse Path Filtering (RPF)
  – Prevents traffic sourced from the null routed IP


Null Routing

[Diagram: Internet – Router – campus network 129.79.0.0; the blocked host's route points at 0.0.0.0, i.e. nowhere]


Block characteristics

• The device can communicate with other hosts on the same VLAN, yet is not routed beyond.

• Typically used as an easier-to-implement alternative to a switch port block.
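The slide's point that a null route drops traffic to the host, uRPF drops traffic from it, and hosts on the same VLAN stay reachable can be checked with an added Python model of the router's forwarding decision (this is illustration code, not anything from IU; the routing table, the blocked address and the interface names, including the Cisco-style Null0, are constructed):

```python
import ipaddress

# Constructed routing table for the campus border router on the slides: a default
# route toward the Internet and the campus aggregate 129.79.0.0/16 (the prefix
# shown on the Null Routing slide). Interface names are illustrative.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "internet"),
    (ipaddress.ip_network("129.79.0.0/16"), "campus-core"),
]

def null_route(routes, ip):
    """Add the slide's 'route that goes nowhere': a host route whose next hop is Null0."""
    return routes + [(ipaddress.ip_network(f"{ip}/32"), "Null0")]

def lookup(routes, ip):
    """Longest-prefix match, the way a router's forwarding table resolves an address."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]

def forward(routes, src, dst, urpf=False):
    """Router decision for a packet src -> dst: the egress interface, or a drop reason.
    Unicast RPF (when enabled) rejects packets whose *source* resolves to Null0,
    which is what stops the blocked host's own outbound traffic."""
    if urpf and lookup(routes, src) == "Null0":
        return "drop: uRPF, source is null routed"
    egress = lookup(routes, dst)
    if egress == "Null0":
        return "drop: null route, destination is null routed"
    return egress

def same_vlan(a, b, vlan):
    """Two hosts in one VLAN exchange frames through the switch without touching the
    router, so a null route leaves them able to reach each other (the 'Cons' slide)."""
    net = ipaddress.ip_network(vlan)
    return ipaddress.ip_address(a) in net and ipaddress.ip_address(b) in net
```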


Null Route

• Pros
  – Blocks take effect almost instantaneously
  – Can block many devices efficiently
  – Integration with web interface and shell interface

• Cons
  – Devices on same VLAN still exposed to threat
  – Reporting limited (no means to associate IPs belonging to computer support staff yet)
  – Only keeps track of IPs
  – Not suitable for dynamic IPs


IU Core Network Map


Automated Network Isolation (ANI)

• The coupling of Network Intrusion Detection and Null Routing made easy

• In a nutshell
  – ITSO Intrusion Detection Sensors (IDS) detect malicious activity
  – IDS notifies Null Route Injector “hub” to block IP
  – ANI block is set with an expiration time of 10 mins

• Limited view ability


ANI cont’d

• Ideal for people that have the authority to block devices from the network but do not maintain network hardware.

• Initial automated ANI rollout focused on only one IDS rule, with fairly low incidence and high confidence.


Block List


3-way Handshake

[Diagram: CLIENT on the left, SERVER on the right]

• Connection setup
  – Client → Server: SYN
  – Server → Client: SYN + ACK
  – Client → Server: ACK

• Connection teardown
  – FIN, then ACK; FIN from the other side, then ACK


SSH brute force attack

• 13:01:34.006421 IP 128.148.y.z.22 > 129.79.aa.bb.49343: F ack

• 13:01:34.006432 IP 128.148.y.z.22 > 129.79.aa.bb.49358: S ack

• 13:01:34.006812 IP 129.79.aa.bb.49343 > 128.148.y.z.22: . ack

• 13:01:34.006872 IP 129.79.aa.bb.49358 > 128.148.y.z.22: . ack

• 13:01:34.076087 IP 128.148.y.z.22 > 129.79.aa.bb.49358: . ack


SSH attack after ANI block

• 13:01:43.325296 IP 129.79.aa.bb.44337 > 128.148.x.y.22: F 0:0(0) ack

• 13:01:43.973671 IP 129.79.aa.bb.49358 > 128.148.a.b.22: F 469:469(0) ack

• 13:01:44.723014 IP 129.79.aa.bb.49358 > 128.148.a.b.22: F 469:469(0) ack

• 13:01:45.117176 IP 129.79.aa.bb.50781 > 128.148.c.d.22: F 468:468(0) ack

• 13:01:45.192800 IP 129.79.aa.bb.44319 > 128.148.c.d.22: F 449:449(0) ack

• 13:01:45.194553 IP 129.79.aa.bb.48956 > 128.148.e.f.22: F 468:468(0) ack

• 13:01:45.237350 IP 129.79.aa.bb.44576 > 128.148.g.h.22: F 469:469(0) ack


Additional Resources

• Indiana University IT Security Office – http://itso.iu.edu/

• IU Knowledge Base – http://kb.iu.edu/

• Indiana University – http://www.indiana.edu/


Data submission

my $wddx_data = {
    requestor     => "$user via sniffer",   # who requested the block
    action        => "BLOCK",
    ipaddr        => $ipaddr,               # address to null route
    expire        => $expire_time,          # ANI blocks expire after 10 mins
    itso_reason   => $sig,                  # IDS signature that fired
    itpo_incident => "$incident",           # incident tracking identifier
};
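Tying the SSH brute-force capture slides to the fields on this slide, an added Python example (illustration code, not IU's ANI or sniffer code): it parses constructed tcpdump-style lines in the same shape as the slides' capture, counts how many distinct external SSH servers each campus host has opened sessions to, and builds a block request carrying the same field names and the 10-minute expiry. The capture lines, threshold, incident id and the "ani" requestor are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

CAMPUS = ipaddress.ip_network("129.79.0.0/16")  # campus range shown on the slides
CAPTURE_TIME = datetime(2006, 1, 1, 13, 1, 34)  # constructed; matches the capture clock

# Constructed tcpdump-style lines in the shape of the slides' capture (hosts are
# sample addresses): one campus host opening SSH sessions to many external servers.
CAPTURE = """\
13:01:34.006421 IP 128.148.1.10.22 > 129.79.20.30.49343: F ack
13:01:34.006432 IP 128.148.1.11.22 > 129.79.20.30.49358: S ack
13:01:34.006812 IP 129.79.20.30.49343 > 128.148.1.10.22: . ack
13:01:34.100000 IP 128.148.1.12.22 > 129.79.20.30.49360: S ack
13:01:34.200000 IP 128.148.1.13.22 > 129.79.20.30.49361: S ack
13:01:34.300000 IP 128.148.1.14.22 > 129.79.20.30.49362: S ack
13:01:35.000000 IP 128.148.1.10.22 > 129.79.20.40.51000: S ack
"""
LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): (\S+)")

def ssh_fanout(capture):
    """Per campus host, count distinct external SSH servers that answered with a
    SYN-ACK ('S ack' from port 22): each one is a new session the host opened."""
    servers = defaultdict(set)
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport, dst, _dport, flags = m.groups()
        if sport == "22" and flags == "S" and ipaddress.ip_address(dst) in CAMPUS:
            servers[dst].add(src)
    return {host: len(s) for host, s in servers.items()}

def block_requests(capture, threshold, now, incident, user="ani"):
    """Build ANI block requests with the fields of the data-submission slide;
    'expire' is the 10-minute block lifetime the ANI slide describes."""
    requests = []
    for host, n in ssh_fanout(capture).items():
        if n >= threshold:
            requests.append({
                "requestor": f"{user} via sniffer",
                "action": "BLOCK",
                "ipaddr": host,
                "expire": (now + timedelta(minutes=10)).isoformat(timespec="seconds"),
                "itso_reason": f"ssh brute force: {n} external servers",
                "itpo_incident": incident,
            })
    return requests
```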
