Emory Law Scholarly Commons | Emory University School of ...
Information Technology at Emory
Copyright Jay D. Flanagan, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Network Registration and Intrusion Prevention Services Implementation at Emory University
Jay D. Flanagan
Security Professionals Conference, April 2005
Information Technology at Emory
Information Technology Division, Technical Services
Security at Emory
• In 2000 it was determined that more and better security was needed to protect the Emory environment
• In 2001 a Security Initiatives Project was proposed and funded
  – Over 1 million dollars was set aside for the initiatives
  – Initial projects included:
    • Firewalls
    • Virus Scanning
    • Vulnerability Scanning
    • Web Content Security
Security at Emory
• Firewalls
  – Firewall protection is the cornerstone of the security project
  – Firewall protection has been implemented at the Emory border gateway to the internet, for the School of Public Health (SPH), for Resnet and for our Administrative Trusted Core (the Administrative Trusted Core protects those services that are considered confidential and restricted)
Security at Emory
• Border Gateway Firewall
  – Implemented in the Fall of 2001
  – Specific rules set up to protect the Emory Academic network
  – Rules stop specific vulnerabilities that could adversely affect machines and their ability to work
Security at Emory
Diagram (Border Gateway Firewall): Border-a → Firewall Load Balancer → FW / FW → Firewall Load Balancer → Academic Core
Security at Emory
• SPH Firewall
  – Implemented in Summer of 2001
  – Protects all SPH services with a deny-all-but-necessary rule set
  – Supports large distance learning group
Security at Emory
Diagram (SPH Firewall): Border-a → Firewall Load Balancer → FW / FW → Firewall Load Balancer → Academic Core; a second Firewall Load Balancer → FW / FW → Firewall Load Balancer pair fronts the School of Public Health (SPH)
Security at Emory
• Administrative Trusted Core Firewall
  – Implemented in Fall of 2003
  – Very restricted rule set
  – Utilizes a DMZ (Demilitarized Zone) for publicly accessible services
  – Utilizes a VPN firewall for remote access services
  – Entities protected by the Trusted Core include PeopleSoft, Human Resources, Purchasing, ITD Web Services, Evening at Emory, Ace/Donor and Finance
  – Other services preparing to move into the core include ITD AIS Services and ITD System services
  – The Security Team is working and planning with other schools and departments to determine if they should move into the Trusted Core
Security at Emory
Diagram (Administrative Trusted Core Firewall): Border-a → Firewall Load Balancer → FW / FW → Firewall Load Balancer → Admin Trusted Core, with a VPN firewall and a DMZ behind their own Firewall Load Balancer
Security at Emory
Diagram (overall firewall architecture): Internet2 and Internet (InterNap) → Border-a → Inets-sw-a → PacketShaper; separate Firewall Load Balancer → FW / FW → Firewall Load Balancer pairs front the SPH Network, the Academic Core and the Admin Trusted Core (with VPN and DMZ); also shown: Mail Spoolers, State Street Link, Internet2 Probe NLANR
Security at Emory
• Email Virus Scanning
  – Went production in January of 2003
  – Service has been a huge success
  – All inbound and outbound, including internal outbound email is scanned
  – Hundreds of thousands of email-borne viruses blocked by email virus scanners
Security at Emory
• Virus Scanning
  – Scanning of email has been extremely successful
Chart: Virus Detection (3/28/04 - 12/28/04), virus count by month from 3/28/2004 to 11/28/2004 (y-axis 0 to 250,000)
Security at Emory
Diagram (email virus scanning architecture): Border-a → Firewall Load Balancer → FW / FW → Firewall Load Balancer → Email Relay (x2) → Load Balancer → Email Virus Scanner Inbound (x4) → Eagle Mail and other Emory email servers; outbound mail passes through a Load Balancer and Email Virus Scanner Outbound (x3)
The firewall in this architecture diagram is the Admin Core / DMZ firewall. The virus scanners all sit in the DMZ.
Security at Emory
• Desktop Virus Scanning
  – New desktop antivirus software from Symantec implemented in Summer of 2003
  – Pushed out to all users on campus via Emory on Line (EOL) CD
  – Set up managed AV services for ITD in Fall of 2004
    • Working with other schools and departments on campus to set up the managed service
    • Other schools and departments using the managed service include Emory College, Theology, Campus Life and BioChemistry
Security at Emory
• Spam Scanning Service
  – A huge problem for Emory email users
  – Implemented centralized spam scanning in 2003
    • Scanned all incoming email to Emory's central mail service, Eagle Mail
  – Other campus email servers added to this service in late 2003 and 2004
    • Including Learnlink, Listserv, Nursing, Cell Biology, Spinal, Housing, Physics, Physiology, Bimcore, MathCS, Facilities, SPH, Law School and Biology
Security at Emory
• Spam Scanning Service
  – We are continuing to upgrade this service. The following graph shows the amount of spam being scanned and found by this service:
Chart: Total Mail and Total Spam (3/28/04 - 12/28/04), total mail and total spam by month from 3/28/2004 to 11/28/2004 (y-axis 0 to 3,500,000)
Security at Emory
• Spam Scanning
  – Implemented scanning of all inbound email utilizing Trend Micro's IMSS Product
Diagram (spam scanning architecture): Border-a → Firewall Load Balancer → FW / FW → Firewall Load Balancer → Email Relay (x2) → Load Balancer → Email Virus Scanner / Spam Scanner Inbound (x4) → Eagle Mail and other Emory email servers; outbound mail passes through a Load Balancer and Email Virus Scanner Outbound (x3)
The firewall in this architecture diagram is the Admin Core / DMZ firewall. The spam scanners all sit in the DMZ.
Security at Emory
• Vulnerability Scanning Service
  – Scan servers or desktops upon request from user (local support)
    • Utilizing Internet Scanner from Internet Security Systems (ISS) and Nessus
  – Over 100 machines are scanned regularly
    • Including PeopleSoft, ITD, Emory College, Neurology, University Communications and Campus Life
  – Scan all student desktops as part of the Network Registration project
    • Utilizing Nessus
    • Over 4000 machines scanned
Security at Emory
• Vulnerability Scanning Service
  – Offering a self-service vulnerability scanning service for system administrators and local support
    • Implemented in January 2005
    • Utilizing Nessus
    • Administrators from Emory College, BioChemistry and ITD have requested the use of this service
Security at Emory
• Web Content Security
  – Secure authentication and authorization to Web Applications
  – Utilizes Netegrity SiteMinder
  – Production in April of 2002
  – Utilizes LDAP for Authentication
    • Allows use of Healthcare LDAP, so Healthcare users can utilize Healthcare id
  – Over 40 applications currently protected by Netegrity
    • Including Emory Budget Office, Registrar, Trustee site, Student Voting and Med School
Not Enough?
• In the Fall of 2003, Emory was hit by the Blaster and Welchia viruses/worms like many other Universities
  – Thousands of machines were infected
  – Many were never completely cleaned
• In the Spring of 2004, Emory was hit by a rash of DDoS attacks which took down the academic network
  – Almost 60% of the attacks were initiated by machines on our Resnet network
More needed to be done
• Even with the many new security initiatives in place, infections, compromises and outages were occurring
  – Caused major disruptions to Emory operations
    • During registration at beginning of school year
    • During finals at end of the school year
• New options needed to be found and implemented
  – Network Redesign
  – Network Registration
  – Intrusion Prevention
New Security Initiatives
• Network Redesign
  – Resnet Network
    • Over 60% of the DDoS attacks in the spring of 2004 were from our Resnet network
    • Copyright violations were increasing, with over 70% from our Resnet network
    • How to prevent these attacks and violations from occurring while at the same time protecting the Resnet network?
      – Move the Resnet network outside the Academic Core firewall
      – Implement IPS / IDS
      – Implement Firewall
New Security Initiatives
Diagram (Resnet redesign): Border-a, with a Linux IPTables FW and an IPS in front of the Resnet Network
New Security Initiatives
• Network Redesign
  – SPH Network
    • Supports large distance learning group
    • Moved from Academic Core to Border network to facilitate the distance learning service
New Security Initiatives
Diagram (SPH redesign): Border-a → Firewall Load Balancer → FW / FW → Firewall Load Balancer → SPH Network, with an IPS
New Security Initiatives
Diagram (redesigned network): Internet2 and Internet (InterNap) → Border-a; Firewall Load Balancer → FW / FW → Firewall Load Balancer pairs front the SPH Network, the Academic Core and the Admin Trusted Core (with VPN and DMZ); the Resnet Network sits behind its own FW on the border network
New Security Initiatives
• Network Registration
  – User computer hardware (MAC) address is registered before gaining access to the Emory network
  – Initial implementation was on the Resnet network
  – Over 4000 student machines were registered
  – Those same machines were scanned by the Nessus vulnerability scanner as part of the registration
  – Security incidents on Resnet have declined since implementation
New Security Initiatives
• Network Registration
  – The following graph shows how security incidents have declined:
Chart: Incident Count by month, Sep-03 through Dec-04 (y-axis 0 to 200)
New Security Initiatives – Resnet w/ NetReg Architecture
Diagram: Border-a → Linux IPTables FW → IPS → Resnet Network; behind a Load Balancing Switch sit the DHCP Server / NetReg Box, a DHCP Server / NetReg Box hot spare, two Nessus Scanning Boxes and two eVax Boxes
New Security Initiatives – Network Registration Architecture / Flow
Emory NetReg Operational Flow Chart (2004.07.12):
1. Client boots and requests a DHCP number.
2. MAC in known list?
   – YES: client gets a 170.140 IP.
   – NO: client gets a 10.140 IP and 10.140 DNS.
3. Client initiates HTTP traffic, redirected to NetReg page.
4. Browser and OS detection.
5. User authenticates. Password accepted?
   – NO: password error message.
   – YES: continue.
6. Windows OS?
   – YES: begin Nessus attack. Holes > 0?
     • YES: full eVax for vulnerable machines.
     • NO: continue.
   – NO: continue.
7. MAC and UserID logged. MAC added to known list. 170.140 IP leased and logged.
8. Client reboots.
Contingency path for Nessus bottleneck / failure; contingency path for eVax bottleneck / failure.
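The registration decision flow on the chart above, as an added Python simulation (not Emory's NetReg code). It assumes /16 prefixes for the 170.140 and 10.140 subnets, a placeholder NetReg page URL, a caller-supplied `scan` function standing in for the Nessus scanning box, and that eVax remediation happens before the MAC is added to the known list.

```python
from dataclasses import dataclass, field
import ipaddress

# Subnets named on the flow chart; the /16 prefix length is an assumption.
REGISTERED_NET = ipaddress.ip_network("170.140.0.0/16")
QUARANTINE_NET = ipaddress.ip_network("10.140.0.0/16")
NETREG_PAGE = "http://netreg.example/"  # placeholder, not Emory's real page


def in_quarantine(ip):
    """True when an address came from the 10.140 (unregistered) pool."""
    return ipaddress.ip_address(ip) in QUARANTINE_NET


@dataclass
class NetReg:
    """Decision logic of the DHCP Server / NetReg Box as drawn on the chart."""
    known_macs: set = field(default_factory=set)
    registrations: list = field(default_factory=list)  # (mac, userid) audit log
    _host: int = 10  # next host number to lease, shared by both pools

    def _lease(self, net):
        ip = str(net.network_address + self._host)
        self._host += 1
        return ip

    def dhcp_request(self, mac):
        """Client boots: a known MAC gets a 170.140 lease, anything else 10.140."""
        if mac in self.known_macs:
            return self._lease(REGISTERED_NET)
        return self._lease(QUARANTINE_NET)  # 10.140 IP and 10.140 DNS

    def http_request(self, ip, url):
        """All HTTP traffic from quarantined clients lands on the NetReg page."""
        return NETREG_PAGE if in_quarantine(ip) else url

    def register(self, mac, userid, password_ok, is_windows, scan):
        """Authenticate, scan Windows hosts with `scan` (hypothetical stand-in for
        the Nessus box; returns a hole count), remediate if needed, admit the MAC."""
        if not password_ok:
            return "password error"
        remediated = False
        if is_windows and scan(mac) > 0:
            remediated = True  # full eVax for vulnerable machines (assumed to close the holes)
        # MAC and UserID logged, MAC added to known list; client reboots for a 170.140 lease
        self.known_macs.add(mac)
        self.registrations.append((mac, userid))
        return "remediated and registered" if remediated else "registered"
```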
New Security Initiatives
• Network Registration – Phase 2
  – The 2nd phase of Network Registration implements this service to other portions of the Emory campus
    • Initially:
      – Library
      – Oxford
    • Other schools and departments indicating interest include:
      – Law School
      – School of Public Health
New Security Initiatives
• Network Registration – Phase 2
  – Implementing at these other entities has different requirements
  – Specifically guest access requirements
  – With these new requirements, an evaluation was done of vendor products, including Perfigo's Clean Machine and Bradford's Campus Manager
New Security Initiatives
• Network Registration – Phase 2
  – Implementing network registration in places like Oxford and the Library will give us an excellent indication of how it will roll out to the entire campus.
  – Phase 2 part 1 of the project would implement network registration at Oxford and the Library
  – Phase 2 part 2 would move the rest of the campus
New Security Initiatives
• Intrusion Detection / Prevention
  – Original proposal implemented Intrusion Detection
    • Manual intervention necessary for all alerts
    • Resource intensive
    • Large number of false positives
  – Decided to evaluate Intrusion Prevention
    • Alerts like intrusion detection
    • Automatically blocks hacks and attacks without manual intervention
    • Less resources necessary to manage multiple boxes
    • Non-existent false positives
New Security Initiatives
• Intrusion Prevention
  – Implemented two IPS boxes in July of 2004
    • Interfaces for Resnet, Administrative Trusted Core and border network firewalls
New Security Initiatives
Diagram (IPS placement, July 2004): Internet2 and Internet (InterNap) → Border-a → Inets-sw-a → PacketShaper; Firewall Load Balancer → FW / FW → Firewall Load Balancer pairs front the Academic Core and the Admin Trusted Core (with VPN and DMZ); the Resnet Network sits behind its own FW; IPS interfaces are drawn on the Resnet, Admin Trusted Core and border network firewalls; also shown: Mail Spoolers, State Street Link, Internet2 Probe NLANR
New Security Initiatives
• Intrusion Prevention
  – Implemented four more IPS boxes in October of 2004
    • Interfaces for entire Academic Core and SPH
New Security Initiatives
Diagram (Academic Core IPS): Border-a → Firewall Load Balancer → FW / FW → Firewall Load Balancer → Academic Core segments Central1, North, NDB and Clairmont, each with IPS interfaces
New Security Initiatives
Diagram (SPH IPS): Border-a → Firewall Load Balancer → FW / FW → Firewall Load Balancer → SPH Network, with an IPS
New Security Initiatives
• Intrusion Prevention
  – The IPS implementation has been extremely successful
    • Literally millions of hacks, attacks and compromises have been blocked by this service
    • The graphs on the following two slides show our success
New Security Initiatives – Top 10 Attacks 1/21/2005 - 2/21/2005
Chart: hits per signature (y-axis 0 to 4,500,000); signatures shown:
• Host Sweep (TCP)
• Invalid TCP Traffic: Possible nmap Scan
• MS-RPC: LSASS AD Interface Overflow
• SMB: Windows SAM Access
• MS-RPC: DCOM ISystemActivator Overflow
• HTTP: Shell Command Exec
• Spyware: Gator Information Transfer
• Host Sweep (UDP)
• Spyware: MarketScore Installation/Update
• Spyware: 180solutions/n-Case Download
New Security Initiatives – Top 10 Misuse and Abuse 1/21/2005 - 2/21/2005
Chart: hits per signature (y-axis 0 to 250,000); signatures shown:
• BitTorrent: P2P Communications
• Ares/Warez: File Transfer Request
• WinMX: File Transfer Request
• Soulseek: File Transfer Response
• Kazaa: PeerEnabler Content Transfer
• BitTorrent: Tracker Contact
• Gnutella: GWebCache Request
• eDonkey/eMule/Overnet: Transfer Request
• iMesh: File Download/Upload
• eDonkey/eMule/Overnet: Transfer Request
Summary
• We have come a long way in securing the Emory network
• Work still remains
• The steps outlined here will help in making Emory more secure by being aggressive and proactive in our vigilance against hacks, attacks, compromises and viruses
Contact Information
• Jay D. Flanagan – Security Team Lead – [email protected]
• [email protected]
• http://security.it.emory.edu
Questions?