Information Technology at Emory Copyright Jay D. Flanagan, 2005. This work is the intellectual...

Information Technology at Emory

Copyright Jay D. Flanagan, 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.

Network Registration and

Intrusion Prevention Services Implementation at Emory University

Jay D. FlanaganSecurity Professionals ConferenceApril 2005


Information Technology DivisionTechnical Services



Security at Emory

• In 2000 it was determined that more and better security was needed to protect the Emory environment

• In 2001 a Security Initiatives Project was proposed and funded– Over 1 million dollars was set aside for the

initiatives – Initial projects included:

• Firewalls• Virus Scanning• Vulnerability Scanning• Web Content Security



Security at Emory

• Firewalls– Firewall protection is the cornerstone of the

security project– Firewall protection has been implemented

at the Emory border gateway to the internet, for the School of Public Health (SPH), for Resnet and for our Administrative Trusted Core (The Administrative Trusted Core protects those services that are considered confidential and restricted)



Security at Emory

• Border Gateway Firewall– Implemented in the Fall of 2001– Specific rules set up to protect the

Emory Academic network– Rules stop specific vulnerabilities

that could adversely affect machines and their ability to work



Security at EmoryBorder-a

Firewall Load Balancer

FW FW


Academic Core



Security at Emory

• SPH Firewall– Implemented in Summer of 2001– Protects all SPH services with a deny-

all-but-necessary rule set– Supports large distance learning

group



Security at EmoryBorder-a


FW FW


Academic CoreFirewall Load Balancer

FW FW


School of Public Health(SPH)



Security at Emory

• Administrative Trusted Core Firewall– Implemented in Fall of 2003– Very restricted rule set– Utilizes a DMZ (Demilitarized Zone) for publicly

accessible services– Utilizes a VPN firewall for remote access services– Entities protected by the Trusted core include

PeopleSoft, Human Resources, Purchasing, ITD Web Services, Evening at Emory, Ace/Donor and Finance

– Other services preparing to move into the core include ITD AIS Services and ITD System services

– The Security Team is working and planning with other schools and departments to determine if they should move into the Trusted Core



Security at Emory

Border-a


FW FW


Admin Trusted Core

VPN


DMZ



Security at EmoryInternet2

Internet(InterNap)

Border-a

Inets-sw-a

PacketShaper


FW FW


SPH Network


FW FW


Academic Core


FW FW


Admin Trusted Core

VPN


DMZ

Mail Spoolers

State Street Link

Internet2 Probe NLANR



Security at Emory

• Email Virus Scanning– Went production in January of 2003– Service has been a huge success– All inbound and outbound, including

internal outbound email is scanned– Hundreds of thousands of email born

viruses blocked by email virus scanners



Security at Emory

• Virus Scanning– Scanning of email has been extremely successful

Virus Detection (3/28/04 - 12/28/04)

0

50000

100000

150000

200000

250000

3/28/2004 5/28/2004 7/28/2004 9/28/2004 11/28/2004

Virus Count



Security at Emory

Border-a Firewall Load Balancer

FW FW


Email Relay

Email Relay

Load Balancer

Email VirusScannerInbound




Eagle MailOther Emory Email

Servers

Email VirusScanner

Outbound

Email VirusScanner

Outbound

Email VirusScanner

Outbound

Load Balancer

The firewall in this architecture diagram

is the Admin Core / DMZ firewall.

The virus scanners all sit in the DMZ.



Security at Emory

• Desktop Virus Scanning– New desktop antivirus software from

Symantec implemented in Summer of 2003– Pushed out to all users on campus via

Emory on Line (EOL) CD– Set up managed AV services for ITD in Fall

of 2004• Working with other schools and departments on

campus to set up the managed service• Other schools and departments using the

managed service include Emory College, Theology, Campus Life and BioChemistry



Security at Emory

• Spam Scanning Service– A huge problem for Emory email users– Implemented centralized spam scanning in

2003• Scanned all incoming email to Emory’s central

mail service, Eagle Mail

– Other campus email servers added to this service in late 2003 and 2004

• Including Learnlink, Listserv, Nursing, Cell Biology, Spinal, Housing, Physics, Physiology, Bimcore, MathCS, Facilities, SPH, Law School and Biology



Security at Emory• Spam Scanning Service

– We are continuing to upgrade this service. The following graph shows the amount of spam being scanned and found by this service:

Total Mail and Total Spam (3/28/04 - 12/28/04)

0

500000

1000000

1500000

2000000

2500000

3000000

3500000

3/28/2004 5/28/2004 7/28/2004 9/28/2004 11/28/2004

total spam

total mail



Security at Emory• Spam Scanning

– Implemented scanning of all inbound

email utilizing Trend Micro’s IMSS Product The firewall in this architecture diagram

is the Admin Core / DMZ firewall.

The spam scanners all sit in the DMZ.

Border-a Firewall Load Balancer

FW FW


Email Relay

Email Relay

Load Balancer

Email VirusScanner /

Spam ScannerInbound


Spam ScannerInbound


Spam ScannerInbound


Spam ScannerInbound

Eagle MailOther Emory Email

Servers

Email VirusScanner

Outbound

Email VirusScanner

Outbound

Email VirusScanner

Outbound

Load Balancer



Security at Emory

• Vulnerability Scanning Service– Scan servers or desktops upon request

from user (local support)• Utilizing Internet Scanner from Internet Security

Systems (ISS) and Nessus– Over 100 machines are scanned regularly– Including PeopleSoft, ITD, Emory College,

Neurology, University Communications and Campus Life

– Scan all student desktops as part of the Network Registration project

• Utilizing Nessus• Over 4000 machines scanned



Security at Emory

• Vulnerability Scanning Service– Offering a self-service vulnerability

scanning service for system administrators and local support• Implemented in January 2005• Utilizing Nessus• Administrators from Emory College, Bio-

Chemistry and ITD have requested the use of this service



Security at Emory

• Web Content Security– Secure authentication and authorization to

Web Applications– Utilizes Netegrity Siteminder– Production in April of 2002– Utilizes LDAP for Authentication

• Allows use of Healthcare Ldap, so Healthcare users can utilize Healthcare id

– Over 40 applications currently protected by Netegrity

• Including Emory Budget Office, Registrar, Trustee site, Student Voting and Med School



Not Enough?

• In the Fall of 2003, Emory was hit by the Blaster and Welchia viruses/worms like many other Universities– Thousands of machines were infected– Many were never completely cleaned

• In the Spring of 2004, Emory was hit by a rash of DDoS attacks which took down the academic network– Almost 60% of the attacks were initiated by

machines on our Resnet network



More needed to be done

• Even with the many new security initiatives in place, infections, compromises and outages were occurring– Caused major disruptions to Emory operations

• During registration at beginning of school year• During finals at end of the school year

• New options needed to be found and implemented– Network Redesign– Network Registration– Intrusion Prevention



New Security Initiatives

• Network Redesign– Resnet Network

• Over 60% of the DDoS attacks in the spring of 2004 were from our Resnet network

• Copyright violations were increasing, with over 70% from our Resnet network

• How to prevent these attacks and violations from occurring while at the same time protecting the Resnet network?

– Move the Resnet network outside the Academic Core firewall

– Implement IPS / IDS– Implement Firewall




Border-a

Resnet Network

Linux IPTables FW

IPS




• Network Redesign– SPH Network

•Supports large distance learning group

•Moved from Academic Core to Border network to facilitate the distance learning service



New Security InitiativesBorder-a


FW FW


SPH Network

IPS



New Security InitiativesInternet2

Internet(InterNap)

Border-a


FW FW


SPH Network


FW FW


Academic Core


FW FW


Admin Trusted Core

VPN


DMZ

Resnet Network

FW




• Network Registration– User computer hardware (MAC) address is

registered before gaining access to the Emory network

– Initial implementation was on the Resnet network

– Over 4000 student machines were registered

– Those same machines were scanned by the Nessus vulnerability scanner as part of the registration

– Security incidents on Resnet have declined since implementation




• Network Registration– The following graph shows how security incidents have

declined:Incident Count

0

20

40

60

80

100

120

140

160

180

200

Sep-0

3

Oct-

03

Nov-0

3

Dec-0

3

Jan-0

4

Feb-0

4

Mar-

04

Apr-

04

May-0

4

Jun-0

4

Jul-04

Aug-0

4

Sep-0

4

Oct-

04

Nov-0

4

Dec-0

4

Incident Count



New Security Initiatives Resnet w/ NetReg Architecture

Border-a

Resnet Network

Linus IPTables FW

IPS

DHCP Server / NetReg Box

Nessus Scanning Box

eVax BoxeVax Box

Nessus Scanning Box

DHCP Server / NetReg BoxHot Spare

Load Balancing Switch



New Security Initiatives Network Registration Architecture / Flow

Client Requests DHCP number

MAC in known list?

Client Boots

Client gets 170.140 IP

YES

Client gets 10.140 IP and 10.140.

DNS

NO

Client initiates HTTP traffic, redirected to NetReg page

Browser and OS detection

User Authenticates

Password Accepted?

Password Error Message

NO

Windows OS?

MAC and UserID logged. MAC

added to known list. 170.140 IP

leased and logged.

NOClient Reboots

Begin Nessus Attack

Holes > 0 ?

YES

Full eVax for vulnerable machines

NO

YES

Contingency path for Nessus Bottleneck /

Failure

Contingency path for eVax Bottleneck / Failure

Emory NetReg Operational Flow Chart

2004.07.12

YES




• Network Registration – Phase 2– The 2nd phase of Network Registration

implements this service to other portions of the Emory campus

• Initially:– Library – Oxford

• Other schools and departments indicating interest include:

– Law School– School of Public Health




• Network Registration – Phase 2– Implementing at these other entities

has different requirements– Specifically guest access

requirements– With these new requirements, an

evaluation was done of vendor products, including Perfigo’s Clean Machine and Bradford’s Campus Manager




• Network Registration – Phase 2– Implementing network registration in

places like Oxford and the Library will give us an excellent indication of how it will roll out to the entire campus.

– Phase 2 part 1 of the project would implement network registration at Oxford and the Library

– Phase 2 part 2 would move the rest of the campus




• Intrusion Detection / Prevention– Original proposal implemented Intrusion

Detection• Manual intervention necessary for all alerts• Resource intensive• Large number of false positives

– Decided to evaluate Intrusion Prevention• Alerts like intrusion detection• Automatically blocks hacks and attacks without

manual intervention• Less resources necessary to mange multiple

boxes• Non-existent false positives




•Intrusion Prevention– Implemented two IPS boxes in July of 2004•Interfaces for Resnet, Administrative Trusted Core and border network firewalls



New Security InitiativesInternet2

Internet(InterNap)

Border-a

Inets-sw-a

PacketShaper


FW FW


Academic Core


FW FW


Admin Trusted Core

VPN


DMZ

Resnet Network

FW

Mail Spoolers

State Street Link

Internet2 Probe NLANR

IPS IPS

IPS IPS

IPS IPS

IPS

IPS




•Intrusion Prevention– Implemented four more IPS boxes in October of 2004•Interfaces for entire Academic Core and SPH





FW FW


Central1

North

NDB

Clairmont

IPS IPS

IPS IPS IPS IPS

IPS

IPS

IPS

IPS

IPS

IPS





FW FW


SPH Network

IPS




•Intrusion Prevention– The IPS implementation has

been extremely successful•Literally millions of hacks, attacks

and compromises have been blocked by this service

•The graphs on the following two slides shows our success



New Security InitiativesTop 10 Attacks 1/21/2005 - 2/21/2005

0

500,000

1,000,000

1,500,000

2,000,000

2,500,000

3,000,000

3,500,000

4,000,000

4,500,000

Hits

Host Sweep (TCP)

Invalid TCP Traffic: Possiblenmap Scan

MS-RPC: LSASS AD InterfaceOverflow

SMB: Windows SAM Access

MS-RPC: DCOMISystemActivator Overflow

HTTP: Shell Command Exec

Spyware: Gator InformationTransfer

Host Sweep (UDP)

Spyware: MarketScoreInstallation/Update

Spyware: 180solutions/n-CaseDownload



New Security InitiativesTop 10 Misuse and Abuse 1/21/2005 - 2/21/2005

0

50,000

100,000

150,000

200,000

250,000

Hits

BitTorrent: P2PCommunications

Ares/Warez: File TransferRequest

WinMX: File Transfer Request

Soulseek: File TransferResponse

Kazaa: PeerEnabler ContentTransfer

BitTorrent: Tracker Contact

Gnutella: GWebCache Request

eDonkey/eMule/Overnet:Transfer Request

iMesh: File Download/Upload

eDonkey/eMule/Overnet:Transfer Request



Summary

• We have come a long way in securing the Emory network

• Work still remains• The steps outlined here will help

in making Emory more secure by being aggressive and proactive in our vigilance against hacks, attacks, compromises and viruses



Contact Information

• Jay D. Flanagan – Security Team Lead– [email protected]

• [email protected]• http://security.it.emory.edu



Questions?

Information Technology at Emory Copyright Jay D. Flanagan, 2005. This work is the intellectual...

Documents

Transcript of Information Technology at Emory Copyright Jay D. Flanagan, 2005. This work is the intellectual...