Transcript of "SC04 Network Security Wrap-Up, Version 3" (13 slides)

Page 1

SC04 Network Security Wrap-Up

Version 3

Page 2

Role of Network Security in SCinet

• ISP role/rule in protecting the network
  (1) Protect network infrastructure
  (2) Protect the Internet from SCinet
  (3) Help exhibitors and attendees
• Testbed for new tools, techniques, systems

Page 3

SCinet network architecture

• Simple campus architecture routed via Juniper T640, T320 and Cisco 6509
• Bandwidth Challenge 10G participants given connectivity via Force10
• WAN connections
  – OC3 commodity Internet service via Qwest
  – 16 OC192 links (NLR, ESNet, Abilene, Teragrid, etc.)
  – 1 OC768 link to PSC
• Wireless architecture (free/open system)
  – Integrated wireless system by Trapeze
• Wired conference network to every meeting room
• Argonne address space (140.221.128.0/17)

Page 5

SCinet security team

• Timothy Toole - Sandia
• Stephen Lau - NERSC/LBL
• Jim Hutchins - Sandia
• Scott Campbell - NERSC/LBL
• Bill Nickless - PNNL
• Tim Witteveen - PNNL
• Roger Winslow - NERSC/LBL
• Patrick Stevens - Sandia

Page 6

Network Security Features

• Three primary IDS systems
  – Mon, Bro, Snort
• Cisco port mirroring
• Packet Engines GigE Hub & NetOptics splitters
• RST responder, Desuckit application, SYN-ACK responder
• Password display
• MAC address blocking on wireless
• Experimental
  – Flo, OSX, AMD64 Opteron, Xyratex RAID system, S2IO 10GigE NICs

Page 7

Expectations

• Whack-a-mole game with worms (wired and wireless)
• Expect about a handful of successful intrusions (requiring clean-up)
• Likely target of cluster/HPC systems
  – Valuable information provided by FBI
  – Expect to see outbound TCP 53 and 55
• Expect other 'phone-home' mechanisms (bot-nets)

Page 9

Worm infections (approx. 35)

• Never really attempted to identify the exact signature
• Locating the infected device takes time, especially on DHCP wireless
• Repeat offenders
• Tried shunning in the Trapeze system, but it took time to implement (mainly because one individual had access)
• Shunning induced a load through AP association requests
• Much success in responding with SYN-ACKs and a window size of zero
  – Significantly slowed down the infected host
  – Need a good, security-conscious Windows administrator to help repair systems
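The zero-window SYN-ACK trick from the slide above, as an added Python example that is not the SCinet team's responder code: it crafts the reply by hand as raw IPv4 + TCP bytes, checksums included, answers only bare SYNs and zero-window probes, and ignores everything else. The addresses and ports are constructed test values; `send_raw`, which needs root or CAP_NET_RAW, shows how the packet would leave a Linux box and is not exercised by the example's own checks.

```python
import socket
import struct
from typing import Optional

# Added example (not the SCinet team's responder code): hand-building the
# zero-window SYN-ACK that a tarpit-style responder sends back to a scanning
# or worm-infected host.  All addresses/ports used with it are constructed.

IP_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
TCP_HDR = "!HHIIBBHHH"     # sport, dport, seq, ack, data offset, flags, window, csum, urgent
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words (odd length zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_segment(src_ip: str, sport: int, dst_ip: str, dport: int, seq: int, ack: int,
                  flags: int, window: int, payload: bytes = b"", ident: int = 0) -> bytes:
    """Raw IPv4 + TCP bytes (no TCP options) with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack(TCP_HDR, sport, dport, seq, ack, 5 << 4, flags, window, 0, 0) + payload
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), ident, 0x4000, 64,
                     socket.IPPROTO_TCP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_segment(packet: bytes) -> dict:
    """Decode IPv4 + TCP headers; a correct checksum re-sums to zero, which *_csum_ok tests."""
    ihl = (packet[0] & 0x0F) * 4
    ip = struct.unpack(IP_HDR, packet[:20])
    sport, dport, seq, ack, _off, flags, window, _csum, _urg = struct.unpack(TCP_HDR, packet[ihl:ihl + 20])
    src, dst = ip[8], ip[9]
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(packet) - ihl)
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": window,
            "ip_csum_ok": checksum(packet[:ihl]) == 0,
            "tcp_csum_ok": checksum(pseudo + packet[ihl:]) == 0}


def tarpit_reply(packet: bytes, our_isn: int = 0) -> Optional[bytes]:
    """Reply so that the probing host completes its handshake but can never send data.

    A bare SYN gets a SYN-ACK advertising window 0.  The host's later zero-window probes
    (and the handshake's final ACK) get an ACK that still advertises window 0 and does not
    acknowledge the probe byte, so the sender's persist timer keeps backing off.
    RST/FIN, SYN-ACK and packets with a bad TCP checksum are left alone.
    """
    s = parse_segment(packet)
    flags = s["flags"]
    if not s["tcp_csum_ok"] or flags & (TCP_RST | TCP_FIN):
        return None
    if flags & TCP_SYN and not flags & TCP_ACK:
        return build_segment(s["dst"], s["dport"], s["src"], s["sport"], seq=our_isn,
                             ack=(s["seq"] + 1) & 0xFFFFFFFF, flags=TCP_SYN | TCP_ACK, window=0)
    if flags & TCP_ACK and not flags & TCP_SYN:
        return build_segment(s["dst"], s["dport"], s["src"], s["sport"],
                             seq=(our_isn + 1) & 0xFFFFFFFF, ack=s["seq"], flags=TCP_ACK, window=0)
    return None


def send_raw(packet: bytes) -> None:
    """Put a crafted reply on the wire (Linux IPPROTO_RAW expects the IP header included;
    needs root / CAP_NET_RAW; not run by the example's checks)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as raw:
        raw.sendto(packet, (socket.inet_ntoa(packet[16:20]), 0))
```

Why a zero window slows a worm: the scanner's connect() succeeds, so it moves on to sending its exploit, but with no receive window it can only send zero-window probes, with exponential backoff, and the socket or scanning thread stays tied up (the LaBrea tarpit works the same way). Only answer SYNs for addresses with no real host behind them, or from sources already identified as infected: for a live service the real SYN-ACK and the tarpit's would race and legitimate connections would break. The RST responder on slide 6 is the opposite choice, killing the attempt at once instead of holding it.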

Page 10

Intrusions

• 11/07 @ 9:00 SCinet rental desktop
  – Very poorly configured from the PC vendor
• 11/08 @ 11:53 VendorW booth (Linux cluster)
  – Brute-forced ssh password; outbound ftp & IRC
• 11/10 in the AM
  – MSSQL null SA password
• 11/11 @ 08:25 & 08:36 VendorX and BoothY (Linux systems)
  – Brute-forced ssh password; identification of rootkit
• 11/11 @ 10:21-15:07 VendorZ (Windows laptop)
  – Windows file sharing exploit/whatever; became FTP server
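Two of the five incidents above began with a brute-forced ssh password. The following added Python example (not the SCinet team's code) shows the detection a practitioner would run over sshd syslog lines: it counts failed password attempts per source and host in a sliding window and attaches the "Accepted password" that follows a burst, which is the moment the box is 0wn3d. The log lines are constructed, the year is assumed (syslog omits it), and the threshold and window are tunable assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Added example (not the SCinet team's code): spotting an ssh password brute-force
# in sshd syslog lines, plus the "Accepted password" that follows it, which is the
# point at which a VendorW-style cluster compromise has actually happened.

LINE = re.compile(r"^(?P<mon>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                  r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
                  r"from (?P<ip>[\d.]+) port \d+")


@dataclass
class SshEvent:
    ts: datetime
    host: str
    result: str    # "Failed" or "Accepted"
    user: str
    src: str


@dataclass
class Finding:
    src: str
    host: str
    first_failure: datetime
    failures: int = 0
    users: List[str] = field(default_factory=list)   # usernames tried, in order seen
    accepted_user: Optional[str] = None               # set if a login followed the burst
    accepted_at: Optional[datetime] = None


def parse_line(line: str, year: int = 2004) -> Optional[SshEvent]:
    """Syslog carries no year, so one is supplied (2004 for this deck). Unrelated lines give None."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%s %s %s %d" % (m["mon"], m["day"], m["time"], year), "%b %d %H:%M:%S %Y")
    return SshEvent(ts, m["host"], m["result"], m["user"], m["ip"])


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> List[Finding]:
    """Flag a (source, host) pair once it has `threshold` failures inside `window`; an
    Accepted login from that source within `window` of its last failure is attached to
    the finding as the probable break-in."""
    recent: Dict[tuple, deque] = defaultdict(deque)   # (src, host) -> (ts, user) failures in window
    findings: Dict[tuple, Finding] = {}
    events = [e for e in (parse_line(l) for l in lines) if e]
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.host)
        dq = recent[key]
        if ev.result == "Failed":
            dq.append((ev.ts, ev.user))
            while dq and ev.ts - dq[0][0] > window:
                dq.popleft()
            f = findings.get(key)
            if f is None and len(dq) >= threshold:
                f = findings[key] = Finding(ev.src, ev.host, dq[0][0])
                for _, user in dq:                   # credit the failures that led up to the threshold
                    f.failures += 1
                    if user not in f.users:
                        f.users.append(user)
            elif f is not None:
                f.failures += 1
                if ev.user not in f.users:
                    f.users.append(ev.user)
        else:  # Accepted
            f = findings.get(key)
            if f and dq and ev.ts - dq[-1][0] <= window and f.accepted_user is None:
                f.accepted_user, f.accepted_at = ev.user, ev.ts
    return list(findings.values())


# Constructed sample (not SCinet data); 192.0.2.77 and 198.51.100.5 are documentation addresses.
SAMPLE_AUTH_LOG = """\
Nov  8 11:40:02 node3 sshd[2231]: Failed password for root from 192.0.2.77 port 51234 ssh2
Nov  8 11:40:03 node3 sshd[2233]: Failed password for invalid user admin from 192.0.2.77 port 51235 ssh2
Nov  8 11:40:05 node3 sshd[2235]: Failed password for invalid user test from 192.0.2.77 port 51236 ssh2
Nov  8 11:40:07 node3 sshd[2237]: Failed password for root from 192.0.2.77 port 51237 ssh2
Nov  8 11:40:09 node3 sshd[2239]: Failed password for guest from 192.0.2.77 port 51238 ssh2
Nov  8 11:40:12 node3 sshd[2241]: Failed password for guest from 192.0.2.77 port 51239 ssh2
Nov  8 11:40:15 node3 sshd[2243]: Failed password for invalid user oracle from 192.0.2.77 port 51240 ssh2
Nov  8 11:41:30 node3 sshd[2250]: Failed password for jsmith from 198.51.100.5 port 40010 ssh2
Nov  8 11:41:41 node3 sshd[2252]: Accepted password for jsmith from 198.51.100.5 port 40011 ssh2
Nov  8 11:45:31 node3 sshd[2290]: Accepted password for guest from 192.0.2.77 port 51410 ssh2
Nov  8 11:46:00 node3 sshd[2291]: pam_unix(sshd:session): session opened for user guest by (uid=0)
"""

if __name__ == "__main__":
    for f in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()):
        print(f.src, "->", f.host, f.failures, "failures, tried", f.users,
              "then logged in as", f.accepted_user, "at", f.accepted_at)
```

A single typo from a legitimate user (jsmith above) never reaches the threshold, while the guessing run does, and the accepted login for "guest" a few minutes later is the event to act on: that account, and everything it reached afterwards (outbound ftp and IRC in the VendorW case), is what the clean-up has to cover.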

Page 11

Intrusion Summary

• At least 1 compromised system to deal with per day
• Windows boxes are low-hanging fruit on the open Internet
• Weak passwords are also low-hanging fruit on the open Internet
• Script-kiddie Romanians are a pain to deal with, but somewhat entertaining
• Need someone good at explaining the problem to the customer (definition of 0wn3d)

Page 12

Lessons learned

• Intrusions were caught by good judgment
• Need to factor in 2x to 3x the amount of time to get stuff done
• if (BitTorrent && Wireless) { wireless.usability = crap; }
• Users not courteous on wireless
  – 500? users associated in an empty exhibit hall
• RF interference, rogue APs, mis-configured laptops and old drivers cause wireless problems
• Never got a good data stream to adequately test the 10GbE cards or application(s)
• Not sure how to educate this particular community on good practices
• Outbound IRC ports made suspicious traffic easy to pick up
  – Don't confuse GPFS with IRC
• Need IPv6 IDS, since we have some native v6 links
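The "phone-home" expectation on page 7 (outbound TCP 53 and 55, bot-net channels) and the IRC/GPFS lesson above, as one added Python example that is not the SCinet team's IDS code: it triages outbound flows from the 140.221.128.0/17 address space by destination port, then uses the first client bytes to separate a real IRC session (NICK/USER/JOIN commands) from an unrelated protocol that merely lands on an IRC-range port. The flow record format, the list of IRC ports, the known-resolver exclusion for TCP 53 and the outside addresses (RFC 5737 documentation ranges) are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Added example (not the SCinet team's IDS code): triaging outbound "phone-home"
# flows from the conference address space, and confirming IRC by payload so that
# a non-IRC protocol on an IRC-range port is not reported as a bot.

SCINET = ipaddress.ip_network("140.221.128.0/17")      # address space named in the slides
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}       # usual IRC server ports (assumed list)
TIPPED_PORTS = {53, 55}                                  # outbound TCP ports the slides say to expect
IRC_COMMAND = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|MODE|PING|PONG) ", re.M)


@dataclass
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload: Optional[bytes]   # first client bytes, if the sensor kept them


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    dport: int
    severity: str
    reason: str


def parse_flow(line: str) -> Flow:
    """Record format of the constructed sample: ts src sport dst dport proto [hex payload]."""
    f = line.split()
    payload = bytes.fromhex(f[6]) if len(f) > 6 else None
    return Flow(f[0], f[1], int(f[2]), f[3], int(f[4]), f[5], payload)


def outbound(flow: Flow) -> bool:
    return ipaddress.ip_address(flow.src) in SCINET and ipaddress.ip_address(flow.dst) not in SCINET


def classify(flow: Flow, resolvers=frozenset()) -> Optional[Alert]:
    """Port match first, then payload to separate real IRC from look-alikes."""
    if flow.proto != "tcp" or not outbound(flow):
        return None

    def alert(severity: str, reason: str) -> Alert:
        return Alert(flow.ts, flow.src, flow.dst, flow.dport, severity, reason)

    if flow.dport in IRC_PORTS:
        if flow.payload is None:
            return alert("medium", "outbound IRC port, no payload captured: pull the pcap")
        if IRC_COMMAND.search(flow.payload):
            return alert("high", "IRC commands in payload: probable bot-net channel")
        return alert("low", "IRC-range port but non-IRC payload (GPFS-style binary traffic)")
    if flow.dport == 53 and flow.dst in resolvers:
        return None                                  # DNS over TCP to a known resolver is normal
    if flow.dport in TIPPED_PORTS:
        return alert("medium", "outbound TCP %d to %s (port from the FBI tip)" % (flow.dport, flow.dst))
    return None


def triage(lines: Iterable[str], resolvers=frozenset()) -> List[Alert]:
    found = []
    for line in lines:
        if line.strip() and not line.startswith("#"):
            a = classify(parse_flow(line), resolvers)
            if a:
                found.append(a)
    return found


def _rec(ts, src, sport, dst, dport, proto="tcp", payload=None):
    """Build one sample record line (payload as hex)."""
    return " ".join([ts, src, str(sport), dst, str(dport), proto] + ([payload.hex()] if payload else []))


# Constructed sample flows, not SCinet data.  192.0.2.0/24, 198.51.100.0/24 and
# 203.0.113.0/24 are documentation ranges standing in for outside hosts.
SAMPLE_FLOWS = [
    "# ts src sport dst dport proto [first-client-bytes-hex]",
    _rec("1100100001", "140.221.200.17", 33412, "192.0.2.44", 6667, payload=b"NICK sc04bot\r\nUSER x 0 * :x\r\n"),
    _rec("1100100002", "140.221.130.8", 40211, "198.51.100.9", 6668, payload=b"\x00\x00\x04\xa7GPFS\x00\x01"),
    _rec("1100100003", "140.221.140.2", 51003, "203.0.113.5", 53),
    _rec("1100100004", "140.221.140.2", 51004, "198.51.100.53", 53),
    _rec("1100100005", "140.221.140.2", 51005, "203.0.113.5", 55),
    _rec("1100100006", "192.0.2.44", 6667, "140.221.200.17", 33412),
    _rec("1100100007", "140.221.150.3", 51200, "203.0.113.80", 80),
    _rec("1100100008", "140.221.160.1", 51300, "192.0.2.99", 6667),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_FLOWS, resolvers={"198.51.100.53"}):
        print(a.severity, a.src, "->", a.dst, a.dport, a.reason)
```

Port alone gives three outcomes for the IRC case, which is why the payload check matters: confirmed (a real NICK/USER exchange), likely benign (binary traffic that only shares the port number), and undecided (no payload kept), and only the last needs a pcap pull. Inbound connections to the same ports are ignored on purpose; the point of the slide is traffic leaving SCinet, and the direction test keeps exhibitors' own IRC servers out of the list.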

Page 13

Future projects

• SCinet05 network architecture and its impact on network security
• 10GbE IDS/monitoring systems
• BPF/PCAP/IP/TCP on a 1/10Gig card
• Visualization
• Netflow analysis (help from CERT)
• User education?