border patrol: access denied! robert riley, dan rousseve, bob winding university of notre dame...
TRANSCRIPT
![Page 1: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/1.jpg)
Border Patrol: Access Denied!
Robert Riley, Dan Rousseve, Bob Winding
University of Notre Dame
Copyright 2007. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate
otherwise or to republish requires written permission from the authors.
![Page 2: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/2.jpg)
Background
• University networks are open to facilitate teaching and research
• Most Universities have large public IP blocks
• This has left the door open to malicious activity
• The changing security landscape requires re-thinking the definition of open network
![Page 3: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/3.jpg)
The Problem
• Constant probes from off campus IPs looking for trouble– Syslogs show an average of 10K unique ports used
for inbound connection attempts
• Probe traffic creates too much noise. IDS was receiving 500K+ detects a day
• Need to reduce malicious traffic without impacting the mission of the University
• Laws and regulations have consequences for compromises
![Page 4: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/4.jpg)
Some Questions
• Does the whole University participate in research?
• Who really needs “full” network access?• Should administrator workstations be accessible
to students? To the world?• Do these controls impact academic freedom?• Who should be able to host public services?
![Page 5: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/5.jpg)
Thoughts
• Your unrestricted access to the internet is different than the internets unrestricted access to you
• What’s really needed to support the functions of the University, e.g. academic and administration
![Page 6: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/6.jpg)
The Project
• Analyze traffic and commonly used services and determine allowed inbound traffic.
• Everything allowed out, and of course the responses are allowed back (stateful connections)
• Educating users is critical.
![Page 7: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/7.jpg)
Plan A
• Analyzed firewall logs to determine what ports were being used– Implement ACLs to permit everything in use (status
quo)• Log analysis proved too complex, we needed to
determine a policy independent of the current usage
• 300 inbound ports being used in just one building
• Plan is transparent/analytical (too bad it didn’t work)
![Page 8: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/8.jpg)
Plan B
• Determine list of inbound ports that represent traffic for well known services that are in wide use (subjective policy)
• Vet the list to numerous campus constituencies for consensus
• Provide a mechanism to exempt machines– No one-off rules, keep the border simple
• Educate users on alternative methods of access (e.g. VPN)
• Pilot, then rollout slowly, adjust as we go
![Page 9: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/9.jpg)
Why Bother
• Reduce the exposure of majority of campus systems to unwanted internet traffic
• Quite the network and increase the value of IDS• Reduce the vector by which hackers may seek
to compromise systems• Educate users regarding issues of being
exposed to the internet• Provide basic protection layer at the border, not
the only layer
![Page 10: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/10.jpg)
Perception vs. Reality
• “The researcher/user becomes a minority voice in how they can use their own system!”
• “We need to balance our security concerns against our teaching and research mission. I personally think that research/teaching aspects deserve more importance.”
• “collaborative research with other universities will be severely impacted by this......”
• “I personally feel that many of the security policies/procedures being considered and/or implemented at Notre Dame are overbearing and will probably cause as many or more problems than they solve.”
![Page 11: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/11.jpg)
Perception vs. Reality
• “It seems that as long as we are acting in a responsible manner with those sorts of assets we should be allowed to make well informed mistakes and deal with the consequences.”
• “I question will the system continue to be usable when it's behind the firewall?”
• “In the best case, it doesn't seem to add any security value. In the worst case, it can give me a false sense of security and make me complacent. In all the cases, it is annoying :-(“
![Page 12: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/12.jpg)
Barriers to implementation
• Academic freedom• Detriment to research and experimentation
– What do you mean I can’t run a web server on port 31337
– Faculty may be researching Internet attacks
• Cultural shift– “I want unrestricted access!”– If I’m going to run a public service maybe it
should be on a institutionally managed server
![Page 13: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/13.jpg)
How it works
• Cisco Firewall Services Module at border– List of 14 ports allowed in to all addresses– All outbound connections allowed, implicitly allow
return traffic
• Datacenter still sees all traffic, but has it’s own protection layers
• Unprotected network for exempted systems• Resnet not considered in this phase
![Page 14: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/14.jpg)
How it works
• Final consensus denies all but 14 ports (representing 7 services)– Mail– Web (https/http)– LDAP– FTP– SSH– VPN – This is how you get to everything else– Video Conferencing (H.323)
![Page 16: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/16.jpg)
Pilot
• OIT eats its own cooking– Building subnets placed behind border. Port use goes
from 300 inbound used to 5 (of 14 permitted)– One subway service is discovered, otherwise the
silence is deafening
• Next, we solicit for participants and pilot e.g. Alumni, Law, Performing Arts, Main Building, College of Business, etc.
• Handful of issues discovered in pilot
![Page 17: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/17.jpg)
Pilot Issues
• Remote Vendor support access
• Applications running on non-standard ports
• Lexis/Nexis printing remotely to ND printers
• Remote T1 networks
![Page 18: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/18.jpg)
Outcomes
• Found hidden servers
• Blocked traffic stats– Translates to potential for hacked machines– 31% of inbound traffic is blocked
• Less noise on network for IDS
![Page 19: Border Patrol: Access Denied! Robert Riley, Dan Rousseve, Bob Winding University of Notre Dame Copyright 2007. This work is the intellectual property of](https://reader036.vdocuments.mx/reader036/viewer/2022082709/56649d0a5503460f949dcaf6/html5/thumbnails/19.jpg)
Future
• Filter datacenter traffic• Provide increased protection or eliminate
exempted systems• Research net (now exempted systems) with
secure access to institutional data• 802.1x – Better granularity/mobility• Resnet – What’s reasonable
– Diode Opt in/out– Register public services