Automated Network Isolation
at Indiana University
David A. Greenberg
Information Technology Security and Policy Office
Indiana University
Copyright Indiana University 2006. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Indiana University
• Founded in 1820
• 8 campuses
• ~100,000 Students
• ~18,000 Faculty and Staff
http://factbook.indiana.edu/fbook05/fast_facts/fastfacts1.shtml
IT Security and Policy Office
• Reports directly to CIO
• University-wide office
• Staff responsible for a wide range of technologies
Incident Response
• Coordinating response to incidents of abuse or inappropriate use of information or information technology, such as:
  – Computer and network security breaches
  – Unauthorized disclosure or modification of electronic information
  – Denial of service attacks
  – Port probes, scans
  – Identifying virus infected machines
  – Copyright infringement (DMCA)
  – Forgery, fraud, harassment, chain mail, etc.
Incident Response Process
• Reports sent in to our tracking system
• Gather supporting technical data
• Interact with computer security officers to assist with technical investigation
• Package technical information for IU governance agencies, IU legal counsel, law enforcement, prosecutors, university administration, etc.
Incident Response Statistics
[Chart: Total Incidents per year, 1997 to 2006; y-axis "# of incidents", scale 0 to 12000]
What types of common blocks exist?
• On Campus
  – DHCP lease
  – Switch port
  – Null Route
  – Router ACL
• Remote Access
  – Dialup modem pool
  – VPN access
Null Route
• A route that goes nowhere
  > route add 192.168.1.1 mask 255.255.255.255 0.0.0.0
• Unicast Reverse Path Filtering (RPF)
  – Prevents traffic sourced from the null routed IP
Null Routing
[Diagram: Internet connected to Router, with the route entry "129.79.0.0 0.0.0.0" shown on the router]
Block characteristics
• The device can communicate with other hosts on the same VLAN, yet is not routed beyond.
• Typically used as an easier-to-implement substitute for a switch port block.
Null Route
• Pros
  – Blocks take effect almost instantaneously
  – Can block many devices efficiently
  – Integration with web interface and shell interface
• Cons
  – Devices on same VLAN still exposed to threat
  – Reporting limited (no means to associate IPs belonging to computer support staff yet)
  – Only keeps track of IPs
  – Not suitable for dynamic IPs
IU Core Network Map
Automated Network Isolation (ANI)
• The coupling of Network Intrusion Detection and Null Routing made easy
• In a nutshell
  – ITSO Intrusion Detection Sensors (IDS) detect malicious activity
  – IDS notifies Null Route Injector “hub” to block IP
  – ANI block is set with an expiration time of 10 mins
• Limited view ability
ANI cont’d
• Ideal for people that have the authority to block devices from the network but do not maintain network hardware.
• Initial automated ANI rollout focused on only one IDS rule, with fairly low incidence and high confidence.
Block List
3-way Handshake
[Diagram: CLIENT and SERVER exchange SYN, SYN + ACK, ACK to open the connection, then FIN, ACK, FIN, ACK to close it]
SSH brute force attack
• 13:01:34.006421 IP 128.148.y.z.22 > 129.79.aa.bb.49343: F ack
• 13:01:34.006432 IP 128.148.y.z.22 > 129.79.aa.bb.49358: S ack
• 13:01:34.006812 IP 129.79.aa.bb.49343 > 128.148.y.z.22: . ack
• 13:01:34.006872 IP 129.79.aa.bb.49358 > 128.148.y.z.22: . ack
• 13:01:34.076087 IP 128.148.y.z.22 > 129.79.aa.bb.49358: . ack
SSH attack after ANI block
• 13:01:43.325296 IP 129.79.aa.bb.44337 > 128.148.x.y.22: F 0:0(0) ack
• 13:01:43.973671 IP 129.79.aa.bb.49358 > 128.148.a.b.22: F 469:469(0) ack
• 13:01:44.723014 IP 129.79.aa.bb.49358 > 128.148.a.b.22: F 469:469(0) ack
• 13:01:45.117176 IP 129.79.aa.bb.50781 > 128.148.c.d.22: F 468:468(0) ack
• 13:01:45.192800 IP 129.79.aa.bb.44319 > 128.148.c.d.22: F 449:449(0) ack
• 13:01:45.194553 IP 129.79.aa.bb.48956 > 128.148.e.f.22: F 468:468(0) ack
• 13:01:45.237350 IP 129.79.aa.bb.44576 > 128.148.g.h.22: F 469:469(0) ack
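As an added example (not from the slides or IU's own tooling), here is the kind of trigger a sensor could derive from packet summaries like the two captures above: it parses constructed tcpdump-style lines in the slide's format, counts how many distinct hosts one source talks to on port 22, and counts what comes back to that host once it is null routed. The host placeholders (y.z, aa.bb, ...) and the threshold of 5 peers are assumptions.

```python
import re
from collections import defaultdict

# Constructed packet summaries in the tcpdump format shown on the slides
# (not the original capture). Placeholder octets such as y.z / aa.bb are
# kept as on the page, so hosts are handled as opaque strings, not parsed IPs.
BEFORE_BLOCK = [
    "13:01:34.006421 IP 128.148.y.z.22 > 129.79.aa.bb.49343: F ack",
    "13:01:34.006432 IP 128.148.y.z.22 > 129.79.aa.bb.49358: S ack",
    "13:01:34.006812 IP 129.79.aa.bb.49343 > 128.148.y.z.22: . ack",
    "13:01:34.006872 IP 129.79.aa.bb.49358 > 128.148.y.z.22: . ack",
]
AFTER_BLOCK = [
    "13:01:43.325296 IP 129.79.aa.bb.44337 > 128.148.x.y.22: F 0:0(0) ack",
    "13:01:43.973671 IP 129.79.aa.bb.49358 > 128.148.a.b.22: F 469:469(0) ack",
    "13:01:45.117176 IP 129.79.aa.bb.50781 > 128.148.c.d.22: F 468:468(0) ack",
    "13:01:45.194553 IP 129.79.aa.bb.48956 > 128.148.e.f.22: F 468:468(0) ack",
    "13:01:45.237350 IP 129.79.aa.bb.44576 > 128.148.g.h.22: F 469:469(0) ack",
]

LINE_RE = re.compile(r"^(\S+) IP (\S+) > (\S+): (.*)$")

def parse(line):
    """Return (timestamp, src, sport, dst, dport, flags); the port is the last dotted field."""
    ts, src, dst, rest = LINE_RE.match(line).groups()
    src_host, sport = src.rsplit(".", 1)
    dst_host, dport = dst.rsplit(".", 1)
    return ts, src_host, sport, dst_host, dport, rest.split()[0]

def ssh_peers_by_source(lines):
    """Map each source host to the set of distinct hosts it contacted on port 22."""
    peers = defaultdict(set)
    for line in lines:
        _, src, _, dst, dport, _ = parse(line)
        if dport == "22":
            peers[src].add(dst)
    return peers

def brute_force_sources(lines, min_peers=5):
    """Sources talking SSH to at least min_peers distinct hosts: the block trigger modelled here."""
    return sorted(s for s, p in ssh_peers_by_source(lines).items() if len(p) >= min_peers)

def packets_to(lines, host):
    """Count packets addressed to host; zero after the null route means nothing comes back."""
    return sum(1 for line in lines if parse(line)[3] == host)
```

With the second capture the internal host only emits FINs and receives nothing, which is exactly what a null route plus uRPF looks like from the sensor's point of view.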
Additional Resources
• Indiana University IT Security Office – http://itso.iu.edu/
• IU Knowledge Base – http://kb.iu.edu/
• Indiana University – http://www.indiana.edu/
Data submission
my $wddx_data = {
    requestor     => "$user via sniffer",   # who asked for the block
    action        => "BLOCK",
    ipaddr        => $ipaddr,               # address to null route
    expire        => $expire_time,          # when the block lapses
    itso_reason   => $sig,                  # IDS signature that fired
    itpo_incident => "$incident",           # tracking-system incident id
};
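To tie the ANI flow (IDS notifies the Null Route Injector hub, block expires after 10 minutes) to the request shape above, here is an added Python model of such a hub. It is not IU's Perl code; it assumes a 129.79.0.0/16 campus scope, a constructed block address and incident id, and the host-route form from the Null Route slide.

```python
import ipaddress
import time

BLOCK_TTL_SECONDS = 10 * 60  # ANI blocks expire after 10 minutes (per the slides)
# Assumed scope: the slides show 129.79.x.x hosts; adjust to the real address plan.
CAMPUS_PREFIX = ipaddress.ip_network("129.79.0.0/16")

class NullRouteInjector:
    """Hypothetical hub: accepts requests shaped like the $wddx_data hash,
    keeps them until they expire, and emits the per-host null route commands."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self.blocks = {}         # ipaddr -> request dict

    def submit(self, request):
        """Validate and store a request; returns the route command or None if rejected."""
        if request.get("action") != "BLOCK":
            return None
        ip = ipaddress.ip_address(request["ipaddr"])
        if ip not in CAMPUS_PREFIX:          # never null route addresses we do not own
            return None
        if request["expire"] <= self._now():  # already-expired requests are ignored
            return None
        self.blocks[str(ip)] = request
        return self.route_command(ip)

    @staticmethod
    def route_command(ip):
        # Host route to a black hole, in the form shown on the Null Route slide.
        return f"route add {ip} mask 255.255.255.255 0.0.0.0"

    def expire(self):
        """Drop blocks whose expire time has passed; returns the released addresses."""
        now = self._now()
        released = sorted(ip for ip, r in self.blocks.items() if r["expire"] <= now)
        for ip in released:
            del self.blocks[ip]
        return released

def make_request(user, ipaddr, sig, incident, now, ttl=BLOCK_TTL_SECONDS):
    """Same fields as the Perl $wddx_data hash on the data submission slide."""
    return {"requestor": f"{user} via sniffer", "action": "BLOCK", "ipaddr": ipaddr,
            "expire": now + ttl, "itso_reason": sig, "itpo_incident": incident}
```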