UC Davis Vulnerability Scanning and Remediation
2005 Larry Sautter Award
UC Davis, Information and Education Technology
Posted: 19-Dec-2015 (Documents)

Page 1: UC Davis Vulnerability Scanning and Remediation 2005 Larry Sautter Award UC Davis, Information and Education Technology.

UC Davis Vulnerability Scanning and Remediation

2005 Larry Sautter Award

UC Davis, Information and Education Technology

Page 2

UC Davis Vulnerability Scanning and Remediation

Project description and background
Project Objectives
Protecting the campus network
Scalable technology
Education
Questions

Page 3

Project Description

A proactive approach to reducing threats to computing resources and enhancing the protection of university electronic information.

Page 4

Project Objectives

Protect the integrity of the campus computing environment
Provide a cost-effective solution for vulnerability scanning and remediation
Develop a scalable system
Educate campus computer users, support staff and system administrators

Page 5

Timeline

September 2003
– Temporary scanning system deployed to detect RPC vulnerabilities

October 2003
– Reduction in vulnerable and/or infected systems on campus network from more than 700 to fewer than 40 in four weeks

May 2004
– Planning for a permanent vulnerability scanning system was initiated

September 2004
– Computer Vulnerability Scanning Policy adopted by Campus
– Rebuilding/redeployment of the campus vulnerability scanning system components
– Threat analysis subscription begins
– Database upgrades made

January 2005
– Honeypot integrated into permanent scanning system

June 2005
– Intrusion detection system (IDS) integrated into vulnerability scanning system

July 2005
– Campus vulnerability scanning system is in full production mode

Page 6

Computer Vulnerability Scanning Policy

All computers, servers, and other electronic devices connected to the campus network shall be kept free of critical security vulnerabilities.

Individuals whose computers present critical security vulnerabilities must correct those vulnerabilities in a timely manner before connecting to the campus network.

Computers found to contain critical security vulnerabilities that threaten the integrity or performance of campus network will be denied access to campus computing resources, and may be disconnected from the campus network to prevent further dissemination of infectious or malicious network activity.

Page 7

Protecting the Campus Network

[Architecture diagram of the UC Davis Security Scanning and Remediation Service; the labels below are recovered from the slide]

Identification and Analysis of New Threats

Input Data
VLAN Assignments: identify VLANs, gateways, exclusions (modem pool, wireless, business systems, residence halls)
VLAN Technical Contact: VLAN managers identify themselves and provide contact information
ARP Table Records: ARP tables are dumped every 30 minutes, allowing a mapping between the IP address and the MAC address
MAC Address Ownership: UCD account holders register their computer's MAC address to use campus DHCP services. Given a MAC address, the owner can be identified.

Vulnerability Assessment Mechanisms and Storage
Daily Scans: Nessus
Web Authentication Scans: Nessus (users who access campus web sites are scanned)
Network Honeypot: LaBrea
Intrusion Detection System: Bro
Vulnerability database: Red Hat Linux, MySQL

Education
Email Notification: email is sent daily to VLAN managers with insecure systems
Web Redirection to Remedial or Warning Page: http://secalert.ucdavis.edu
Perform Self-Initiated Desktop Scan: http://selfscan.ucdavis.edu
Ad hoc Queries of Security Database: http://secalert.ucdavis.edu
Top 10 Ports with Honeypot Traffic: http://security.ucdavis.edu
Modem Vulnerability Report: http://itxmodem.ucdavis.edu

Page 8

Vulnerability Assessment Mechanisms

Nessus (scanlite perl module) is used to scan campus systems daily for 1-3 vulnerabilities
Nessus is used to identify compromised systems during web-based authentication
LaBrea (honeypot) is used to identify malicious network traffic on an unannounced network segment
Bro (IDS) identifies malicious network traffic. Bro can use the snort rule set.

Page 9

Vulnerability Assessment Database

IP Address
Date
Type (honeypot, scan, IDS)
MAC address
Username

Page 10

Input Sources

VLAN assignments (What IPs shall we scan?)
VLAN technical contact (Who do we contact if there is a problem?)
ARP table records (What MAC address is associated with a particular IP?)
MAC address ownership (Who registered a particular MAC address?)
Web authentication (What IP is attempting to authenticate to a UCD web site?)
Threat selection (What threats represent highest risk to campus?)
Web/Daily Scan Capability (What Nessus security plug-ins are available?)
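As an added illustration, not code from the UC Davis system (whose scanner glue was a Perl module around Nessus and whose store was MySQL), the correlation path that the "Vulnerability Assessment Database" and "Input Sources" slides describe, modelled in Python over an in-memory SQLite database: a finding (IP, date, type) is joined to the most recent ARP dump to get a MAC, the MAC to the DHCP registration to get an owner, and the IP to its VLAN to find the manager who receives the daily email. Table and column names, the 60-minute ARP freshness window, the fallback "unassigned" bucket and all sample rows are constructed assumptions for this example.

```python
import ipaddress
import sqlite3
from collections import defaultdict
from datetime import datetime, timedelta

# Slide 7: ARP tables are dumped every 30 minutes.  Accepting a mapping up to two
# dumps old is an assumption of this example, not a stated campus setting.
ARP_DUMP_INTERVAL = timedelta(minutes=30)
ARP_MAX_AGE = 2 * ARP_DUMP_INTERVAL

# Assumed schema mirroring the slides: the input sources plus the finding table
# with the five fields named on the "Vulnerability Assessment Database" slide.
SCHEMA = """
CREATE TABLE vlan_assignment (vlan TEXT, cidr TEXT, excluded INTEGER);
CREATE TABLE vlan_contact    (vlan TEXT, manager_email TEXT);
CREATE TABLE arp_record      (ip TEXT, mac TEXT, seen_at TEXT);
CREATE TABLE mac_ownership   (mac TEXT, username TEXT);
CREATE TABLE finding         (ip TEXT, found_at TEXT, type TEXT,
                              mac TEXT, username TEXT, vlan TEXT);
"""

# Constructed sample data, not real campus records.
SAMPLE_ROWS = {
    "vlan_assignment": [("vlan-101", "10.1.1.0/24", 0),
                        ("vlan-102", "10.1.2.0/24", 0),
                        ("vlan-modem", "10.9.0.0/24", 1)],       # excluded (modem pool)
    "vlan_contact": [("vlan-101", "mgr101@example.edu")],        # vlan-102 has no contact
    "arp_record": [("10.1.1.20", "00:11:22:33:44:55", "2005-07-01T08:00:00"),
                   ("10.1.1.20", "00:11:22:33:44:55", "2005-07-01T08:30:00"),
                   ("10.1.1.21", "00:11:22:33:44:66", "2005-07-01T03:00:00"),  # stale
                   ("10.1.2.7",  "00:aa:bb:cc:dd:ee", "2005-07-01T09:00:00")],
    "mac_ownership": [("00:11:22:33:44:55", "jdoe"),
                      ("00:aa:bb:cc:dd:ee", "asmith")],
    "finding": [("10.1.1.20", "2005-07-01T08:40:00", "scan", None, None, None),
                ("10.1.1.21", "2005-07-01T08:45:00", "IDS", None, None, None),
                ("10.1.2.7",  "2005-07-01T09:10:00", "honeypot", None, None, None),
                ("10.9.0.5",  "2005-07-01T09:15:00", "scan", None, None, None)],
}


def open_db():
    """Create the in-memory database and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in SAMPLE_ROWS.items():
        placeholders = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({placeholders})", rows)
    return conn


def vlan_for(conn, ip):
    """VLAN assignments: which VLAN contains this IP, and is that range excluded?"""
    addr = ipaddress.ip_address(ip)
    for vlan, cidr, excluded in conn.execute(
            "SELECT vlan, cidr, excluded FROM vlan_assignment"):
        if addr in ipaddress.ip_network(cidr):
            return vlan, bool(excluded)
    return None, False


def mac_for(conn, ip, found_at):
    """ARP table records: latest dump at or before the finding, rejected if too old
    so that a reused IP is not attributed to the wrong machine."""
    row = conn.execute(
        "SELECT mac, seen_at FROM arp_record WHERE ip = ? AND seen_at <= ? "
        "ORDER BY seen_at DESC LIMIT 1", (ip, found_at)).fetchone()
    if row is None:
        return None
    mac, seen_at = row
    age = datetime.fromisoformat(found_at) - datetime.fromisoformat(seen_at)
    return mac if age <= ARP_MAX_AGE else None


def owner_for(conn, mac):
    """MAC address ownership: the DHCP registration maps a MAC to an account holder."""
    row = conn.execute("SELECT username FROM mac_ownership WHERE mac = ?", (mac,)).fetchone()
    return row[0] if row else None


def enrich_findings(conn):
    """Fill in MAC, username and VLAN on each finding.  Findings inside an excluded
    range should never have been scanned; they are dropped and the count returned."""
    dropped = 0
    for rowid, ip, found_at in conn.execute(
            "SELECT rowid, ip, found_at FROM finding").fetchall():
        vlan, excluded = vlan_for(conn, ip)
        if excluded:
            conn.execute("DELETE FROM finding WHERE rowid = ?", (rowid,))
            dropped += 1
            continue
        mac = mac_for(conn, ip, found_at)
        username = owner_for(conn, mac) if mac else None
        conn.execute("UPDATE finding SET mac = ?, username = ?, vlan = ? WHERE rowid = ?",
                     (mac, username, vlan, rowid))
    conn.commit()
    return dropped


def daily_notifications(conn, day):
    """Email notification: one message per VLAN manager listing that day's insecure
    systems.  Findings whose VLAN has no registered contact go under 'unassigned'
    so they are not silently lost."""
    messages = defaultdict(list)
    query = ("SELECT f.ip, f.type, f.mac, f.username, c.manager_email "
             "FROM finding f LEFT JOIN vlan_contact c ON c.vlan = f.vlan "
             "WHERE substr(f.found_at, 1, 10) = ? ORDER BY f.ip")
    for ip, ftype, mac, username, manager in conn.execute(query, (day,)):
        messages[manager or "unassigned"].append(
            {"ip": ip, "type": ftype, "mac": mac, "owner": username})
    return dict(messages)


if __name__ == "__main__":
    db = open_db()
    print("dropped (excluded range):", enrich_findings(db))
    for recipient, systems in daily_notifications(db, "2005-07-01").items():
        print(recipient, systems)
```

Three of the slides' failure modes are handled explicitly: a finding whose ARP mapping is older than the freshness window is still sent to the VLAN manager but with an unknown MAC and owner rather than a guessed one; a VLAN with no technical contact is reported under "unassigned" instead of vanishing; and a finding inside an excluded range (modem pool, wireless, business systems, residence halls on the slide) is dropped and counted so the scan scope can be corrected.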

Page 11

[Slide contains no transcribed text]

Page 12

Scalable Technology

Production System

Component | Hardware | Operating System | Application
Web Authentication Scanner | Sun V210 (2) | Solaris | Nessus/Scan Lite
Daily Network Scanner | Sun V210 (2) | Solaris | Nessus/Scan Lite
Intrusion Detection Sensor | Dell 2650 (2) | Linux | BRO
Network Honeypot | Dell 1750 (1) | Linux | LaBrea
Database | Dell 2650 (1) and Dell PowerVault 220 (2) with 2TB Storage | Linux | MySQL
Web Server | Sun V210 (1) | Solaris | Apache
Test Server | Dell 1750 (1) | Linux | VMware

Page 13

Educating the Campus Community

Page 14

Faculty, Staff and Students

Formal discussions with senior campus administrators and advisory groups
Email alerts/announcements
Print and Web publications
Posters and Flyers
Self-initiated scans
Scan results pages

Page 15

http://selfscan.ucdavis.edu

Page 16

Technical Staff

Formal discussions
Computer & Network Security Report (secalert.ucdavis.edu)
Email notifications
“Top Ten” graphs

Page 17

http://secalert.ucdavis.edu

Page 18

http://secalert.ucdavis.edu

Page 19

http://secalert.ucdavis.edu/ids

Page 20

http://secalert.ucdavis.edu/ids

Page 21

Lessons Learned and Next Steps

Nessus limitations
Reliance on campus unit system administrators
Enhance integration with Remedy trouble-ticketing system
Product integration via database is not readily available

Page 22

Questions

Page 23

Contact Information

Robert Ono, [email protected]