PacketFence
…because good fences make good neighbors

Michael Garofano, Director of IT, Harvard KSG
Kevin Amorin, Sr. Security & Systems Engineer, Harvard KSG
David LaPorte, Manager Network Security, Harvard (not present today)

Upload: elinor-oneal

Post on 22-Dec-2015



2
Agenda

Academic Issues
Perimeter & Internal Security
PacketFence features
Inline vs. Passive (out of line)

3
Academic Issues

Help Desk Support
– Limit spread of worms
– Identify infected user

DMCA (movie/music download violations)
– IP to user mapping

4
Academic Issues

Inventory
– List of MACs and owners

Gather Statistics
– Get more money!
– Number of IPs, infections, helpdesk time, active nodes, etc.

5
Academic Issues

Open vs. closed environment
– Professors and students want unfettered access to the internet

You can take your FIREWALL and put it…
– Some things break: videoconferencing (H.323), games (UDP, non-stateful firewall), P2P, IM, etc.

6
Average Network Security

Perimeter security
– Firewalls, IDS, IPS, router ACLs

Current architecture
– “Hard on the outside, soft on the inside”

Hard to protect the “inside”

60-80% of attacks originate from systems on the internal network (behind the firewall)

7
Worms wreak havoc

August 11, 2003: Blaster and Welchia/Nachi

How did the worms get in? We block all types of traffic from the internet (especially RPC)? LAPTOPS!!!!

Backdoors bypass perimeter defenses:
– Roaming users
– VPN
– Wireless
– Dialup

8
Internal Network Protection/Control

Mirage Networks (ARP)
qRadar (ARP)
Wholepoint (ARP)
RNA networks (ARP)
Tipping Point (inline)
Etc.

Cisco (NAC)
Trend Micro (NAC)
Symantec (NAC)
Microsoft (NAP Q2-2005)
Juniper (TNC)
Foundry Networks (TCC)
Etc.

Internal Network Security Funding 2004
– More than $80M ($13M Sept)

9
What is PacketFence

Open-source network registration and worm mitigation solution
– Co-developed by Kevin Amorin and David LaPorte
– Captive portal
  Intercepts HTTP sessions and forces client to view content
  Similar to NoCatAuth, Bluesocket
– Based on un-modified open-source components

10
Features

Network registration
– Register systems to an authenticated user
  LDAP, RADIUS, POP, IMAP… anything Apache supports
– Force AUP acceptance
– Stores assorted system information
  NetBIOS computer name & web browser user-agent string
  Presence of some NAT device
– Stores no personal information: ID->MAC mapping only
– Above data can provide a rough system inventory
– Vulnerability scans at registration

11
Features

Worm mitigation
– Signature- and anomaly-based detection
– Action-based response
  Optional isolation of infected nodes
– Content-specific information
  Empowers users
  Provides remediation instructions specific to the infection

Network scans
– Preemptively detect and trap vulnerable hosts

12
Features

Remediation
– Redirection to the captive portal
– Requires signature-based detection
– Provides user context-specific remediation instructions
  Proxy
  Firewall pass-through
– Helpdesk support number if all else fails
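The registration, worm-mitigation and remediation features above all come down to one decision the captive portal makes per flow: is this MAC registered, does it have an open violation, and can the flow be redirected? The following toy model of that decision is an added example, not PacketFence's own code; the class and method names, the portal address 10.0.0.2, the violation classes and the remediation page paths are all assumptions made for illustration, and the helpdesk number is a placeholder.

```python
"""Toy captive-portal enforcement decision (added example, not PacketFence code).
All names, addresses and page paths below are assumptions made for illustration."""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PASS = "pass"                     # registered and clean: forward normally
    ALLOW_PORTAL = "allow-portal"     # traffic to the portal itself always passes
    REGISTER = "redirect-register"    # unknown MAC: HTTP redirected to registration
    REMEDIATE = "redirect-remediate"  # known MAC with an open violation: HTTP redirected
    DROP = "drop"                     # non-HTTP traffic from an unregistered/isolated node


@dataclass
class Node:
    """Per-MAC state. Only an opaque user ID is stored beside the MAC (no personal data)."""
    mac: str
    user_id: str
    aup_accepted: bool = False
    violations: list = field(default_factory=list)   # open violation classes


@dataclass
class Portal:
    portal_ip: str = "10.0.0.2"                      # assumed address of the enforcement point
    registered: dict = field(default_factory=dict)   # mac -> Node
    # constructed mapping from violation class to a remediation page on the portal
    remediation: dict = field(default_factory=lambda: {
        "nachi": "/remediate/nachi.html",
        "irc-bot": "/remediate/ircbot.html",
    })
    helpdesk: str = "HELPDESK-NUMBER-PLACEHOLDER"    # shown when no page matches the violation

    def register(self, mac: str, user_id: str, aup_accepted: bool) -> Node:
        """Registration succeeds only after the user has accepted the AUP."""
        if not aup_accepted:
            raise ValueError("AUP must be accepted before a system can be registered")
        node = Node(mac.lower(), user_id, True)
        self.registered[node.mac] = node
        return node

    def open_violation(self, mac: str, vclass: str) -> None:
        node = self.registered.get(mac.lower())
        if node is not None and vclass not in node.violations:
            node.violations.append(vclass)

    def close_violation(self, mac: str, vclass: str) -> None:
        node = self.registered.get(mac.lower())
        if node is not None and vclass in node.violations:
            node.violations.remove(vclass)

    def decide(self, mac: str, dst_ip: str, dst_port: int):
        """Return (Action, redirect URL or None) for one flow originating from `mac`."""
        if dst_ip == self.portal_ip:
            return Action.ALLOW_PORTAL, None      # otherwise a redirect could never complete
        node = self.registered.get(mac.lower())
        if node is None:
            if dst_port == 80:                    # only plain HTTP can be intercepted and redirected
                return Action.REGISTER, f"http://{self.portal_ip}/register"
            return Action.DROP, None
        if node.violations:
            page = self.remediation.get(node.violations[0])
            if dst_port == 80:
                url = (f"http://{self.portal_ip}{page}" if page
                       else f"http://{self.portal_ip}/helpdesk?call={self.helpdesk}")
                return Action.REMEDIATE, url
            return Action.DROP, None
        return Action.PASS, None


if __name__ == "__main__":
    p = Portal()
    p.register("AA:BB:CC:DD:EE:01", "user-1234", aup_accepted=True)
    p.open_violation("aa:bb:cc:dd:ee:01", "nachi")
    print(p.decide("aa:bb:cc:dd:ee:01", "198.51.100.10", 80))
```

The two details worth noticing are that traffic to the portal itself is exempted before any other check (a redirect loop otherwise never terminates) and that only port 80 can be turned into a redirect; everything else from an unregistered or isolated node is simply not forwarded, which is what "optional isolation" amounts to in practice.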

13
Inline

Security bottleneck
– Immune to subversion

Fail-closed

Performance bottleneck

Single point of failure

14
Passive

Fail-open solution
– Preferable in academic environment

No bandwidth bottlenecks

Network visibility
– Hub, monitor port, tap

Easy integration – no changes to infrastructure
– Plug and play (pray?)

Manipulates client ARP cache
– “Virtually” in-line

15
Passive Architecture

[Diagram of the passive deployment; labels: Internet, Router, User, Host, PacketFence, DB]

16
Why ARP?

Trusting
– Easy to manipulate

RFC 826, 1982

OS independent (ARP opcode 1 = request, 2 = reply)
– Windows 95, 98, ME, 2k, XP, Mac: both type 1 & 2
– Linux: only type 1
– Solaris: ICMP & type 2 or 1

17
Methods of Isolation

ARP
– Change the router’s ARP entry on the local system to the enforcement point

DHCP
– Change DHCP scope (reserved IP with enforcer as gateway)
– Or change DNS server to resolve all IPs to the enforcer

VLAN switch
– Switch host to an isolation network with the enforcer as the gateway

If all else fails… Blackhole
– Router dynamic update
– Firewall/ACL update
– Disable switch port
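The "Why ARP?" slide and the ARP isolation method both rely on the same property: hosts accept an ARP reply for the router's address from whoever sends it. The same property lets any machine on the segment redirect its neighbours, so a passive deployment should watch the wire for gateway bindings changing to a MAC other than PacketFence's or the real router's. The monitor below is an added example, not PacketFence code: it parses RFC 826 frames over Ethernet/IPv4 and reports binding changes for pinned addresses (the gateway), for learned addresses, and replies whose ARP sender MAC disagrees with the Ethernet source MAC. The frame builder exists only to construct sample traffic; all addresses and alert labels are assumptions made for illustration.

```python
"""ARP binding monitor (added example, not PacketFence code).
build_arp() only constructs sample frames; addresses below are made up."""
import struct
from dataclasses import dataclass, field

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str,
              eth_src: str = None, eth_dst: str = None) -> bytes:
    """Build a 42-byte Ethernet II + ARP (RFC 826) frame; used only for constructed samples."""
    eth_src = eth_src or sha
    eth_dst = eth_dst or ("ff:ff:ff:ff:ff:ff" if oper == ARP_REQUEST else tha)
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(eth_src), ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame: bytes):
    """Return the fields of an Ethernet/IPv4 ARP frame as a dict, or None for anything else."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha),
            "tpa": ip_str(tpa), "eth_src": mac_str(eth_src), "eth_dst": mac_str(eth_dst)}


@dataclass
class ArpWatch:
    """Tracks IP->MAC bindings advertised in ARP replies.

    `pinned` holds addresses whose MAC must never change (the default gateway);
    every other address is learned on first sight and a later change is reported."""
    pinned: dict
    learned: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, frame: bytes):
        p = parse_arp(frame)
        if p is None or p["oper"] != ARP_REPLY:
            return None                                  # requests make no binding claim
        alert = None
        if p["sha"] != p["eth_src"]:
            # the ARP sender hardware address and the Ethernet source should agree
            alert = ("sender-mismatch", p["spa"], p["eth_src"], p["sha"])
        elif p["spa"] in self.pinned:
            if p["sha"] != self.pinned[p["spa"]].lower():
                alert = ("pinned-binding-changed", p["spa"], self.pinned[p["spa"]], p["sha"])
        elif p["spa"] in self.learned:
            if self.learned[p["spa"]] != p["sha"]:
                alert = ("binding-changed", p["spa"], self.learned[p["spa"]], p["sha"])
                self.learned[p["spa"]] = p["sha"]        # repeats of the new claim are not re-alerted
        else:
            self.learned[p["spa"]] = p["sha"]
        if alert is not None:
            self.alerts.append(alert)
        return alert


if __name__ == "__main__":
    watch = ArpWatch(pinned={"10.0.0.1": "00:11:22:33:44:55"})          # constructed gateway
    watch.observe(build_arp(ARP_REPLY, "00:11:22:33:44:55", "10.0.0.1", "aa:bb:cc:00:00:01", "10.0.0.50"))
    print(watch.observe(build_arp(ARP_REPLY, "de:ad:be:ef:00:01", "10.0.0.1", "aa:bb:cc:00:00:01", "10.0.0.50")))
```

In a real deployment the enforcement point's own MAC would be added to the pinned set for the gateway address, so that PacketFence's own redirections are recognised and only third-party claims alert. Sender-mismatch alerts also need an allow-list for first-hop redundancy protocols (HSRP/VRRP virtual MACs), which legitimately answer with a hardware address different from the physical interface.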

18
ARP Manipulation

[Diagram of ARP-based redirection; labels: “All Traffic”, Host, User, PacketFence, Switch, Internet, Router, Switch]

19
VLAN Change (Futures)

[Diagram of VLAN-based isolation; labels: User, Internet, Router, Switch, Host, User, Host, Enforcement Point, Switch]

20
DNS (Futures)

[Diagram of DNS-based isolation; labels: Host, User, Switch, Internet, Router, “DNS Requests”, Switch, DHCP, “Enforcement Point & DNS”]

21
DHCP (Futures)

[Diagram of DHCP-based isolation; labels: Host, User, “Enforcement Point & DNS/DHCP Server”, Switch, Internet, Router, “DHCP & DNS Requests”, Switch]

22
Blackhole Injection (risky)

[Diagram of blackhole injection; labels: User, Internet, Router, Switch, Host, User, Router, Switch, Host]

23

24

25
Implementations

All current deployments are “passive” mode

Several residential networks and 2 schools
– ~4500 users
– 3781 registrations
– ~125 violations
  Nachi / Sasser, Agobot, Gaobot, etc. / IRC bots

26
Thanks!!!

Hot “fun” topic!

Questions?

Software available at: http://www.packetfence.org

27
References

http://www.ece.cmu.edu/~lbauer/papers/policytr.pdf
ftp://www6.software.ibm.com/software/developer/library/ws-policy.pdf
http://www9.org/w9cdrom/345/345.html
http://www.sans.org/resources/policies/Policy_Primer.pdf
http://www.cs.sjsu.edu/faculty/stamp/students/Silky_report.pdf
Harvard University network security best practices – Scott Bradner