packetfence …because good fences make good neighbors


Post on 30-Dec-2015






PacketFence …because good fences make good neighbors. Michael Garofano, Director of IT, Harvard KSG Kevin Amorin, Sr. Security & Systems Engineer, Harvard KSG David LaPorte, Manager Network Security, Harvard (not present today) - PowerPoint PPT Presentation


  • PacketFence …because good fences make good neighbors
    Michael Garofano, Director of IT, Harvard KSG
    Kevin Amorin, Sr. Security & Systems Engineer, Harvard KSG
    David LaPorte, Manager Network Security, Harvard (not present today)

  • Agenda
    Academic Issues
    Perimeter & Internal Security
    PacketFence features
    Inline vs. Passive (out of line)

  • Academic Issues
    Help Desk Support
    Limit spread of worms
    Identify infected user
    DMCA (movie/music download violations)
    IP to user mapping

  • Academic Issues
    Inventory
    List of MACs and owners
    Gather statistics
    Get more money!
    Number of IPs, infections, helpdesk time, active nodes, etc.

  • Academic Issues
    Open vs. closed environment
    Professors and students want unfettered access to the internet
    You can take your FIREWALL and put it
    Some things break: videoconferencing (H.323), games (UDP, non-stateful firewall), P2P, IM, etc.

  • Average Network Security
    Perimeter security
    Firewalls, IDS, IPS, Router ACLs
    Current architecture
    Hard on the outside, soft on the inside
    Hard to protect the inside
    60-80% of attacks originate from systems on the internal network (behind the firewall)

  • Worms wreak havoc
    August 11, 2003: Blaster and Welchia/Nachi
    How did the worms get in? We block all types of traffic from the internet (especially RPC)? LAPTOPS!!!!
    Backdoors bypass perimeter defenses:
    Roaming users
    VPN
    Wireless
    Dialup

  • Internal Network Protection/Control
    Internal Network Security Funding 2004
    More than $80M ($13M Sept)

  • What is PacketFence
    Open-source network registration and worm mitigation solution
    Co-developed by Kevin Amorin and David LaPorte
    Captive portal
    Intercepts HTTP sessions and forces client to view content
    Similar to NoCatAuth, Bluesocket
    Based on un-modified open-source components

  • Features
    Network registration
    Register systems to an authenticated user
    LDAP, RADIUS, POP, IMAP … anything Apache supports
    Force AUP acceptance
    Stores assorted system information
    NetBIOS computer name & Web browser user-agent string
    Presence of some NAT device
    Stores no personal information
    ID->MAC mapping only
    Above data can provide a rough system inventory
    Vulnerability scans at registration

  • Features
    Worm mitigation
    Signature and anomaly based detection
    Action based response
    Optional isolation of infected nodes
    Content specific information
    Empower users
    Provides remediation instruction specific to infection
    Network scans
    Preemptively detect and trap vulnerable hosts

  • Features
    Remediation
    Redirection to the captive portal
    Requires signature-based detection
    Provides user context-specific remediation instructions
    Proxy
    Firewall pass-through
    Helpdesk support number if all else fails

  • Inline
    Security bottleneck
    Immune to subversion
    Fail-closed
    Performance bottleneck
    Single point of failure

  • Passive
    Fail-open solution
    Preferable in academic environment
    No bandwidth bottlenecks
    Network visibility
    Hub, monitor port, tap
    Easy integration, no changes to infrastructure
    Plug and play (pray?)
    Manipulates client ARP cache
    Virtually in-line

  • Passive Architecture


  • Why ARP?
    Trusting
    Easy to manipulate
    RFC826, 1982
    OS independent (type 1 = ARP request, type 2 = ARP reply, as in the RFC 826 opcode field)
    Windows 95, 98, ME, 2k, XP, Mac: both type 1 & 2
    Linux: only type 1
    Solaris: ICMP & type 2 or 1

  • Methods of Isolation
    ARP
    Change the router's ARP entry on the local system to point at the enforcement point
    DHCP
    Change DHCP scope (reserved IP with enforcer gateway)
    or change DNS server to resolve all IPs to the Enforcer
    VLAN switch
    Switch host to an isolation network with enforcer as the gateway
    If all else fails: Blackhole
    Router dynamic update
    Firewall/ACL update
    Disable switch port
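    On the wire, the ARP isolation method above (rewriting the router's entry in a client's ARP cache so traffic goes to the enforcement point) looks like the gateway IP suddenly being claimed by a second MAC, in a request or a reply depending on which opcode the client OS honours. As an added example that is not part of the original deck or of PacketFence's code, the Python below parses RFC 826 frames and flags that pattern over a constructed capture; the MACs and IPs are made-up sample values.

```python
import struct

ETH_HDR = struct.Struct("!6s6sH")          # Ethernet: dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # RFC 826: htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
OPCODE = {1: "request", 2: "reply"}        # the "type 1" / "type 2" of the Why ARP? slide
def mac(b: bytes) -> str: return ":".join(f"{x:02x}" for x in b)
def ip(b: bytes) -> str: return ".".join(str(x) for x in b)

def parse_arp(frame: bytes):
    """Return (opcode, sender MAC, sender IP, target IP), or None if not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _, _, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, mac(sha), ip(spa), ip(tpa)

def build_arp(op: int, sha: bytes, spa: bytes, tha: bytes, tpa: bytes) -> bytes:
    """Build a sample frame for the demo: replies go unicast to tha, requests are broadcast."""
    dst = tha if op == 2 else b"\xff" * 6
    return ETH_HDR.pack(dst, sha, ETHERTYPE_ARP) + ARP_HDR.pack(1, 0x0800, 6, 4, op, sha, spa, tha, tpa)

def detect_gateway_changes(frames, gateway_ip: str):
    """Flag each ARP frame (request or reply; the OS decides which updates its cache) in which
    gateway_ip is claimed by a MAC other than the first one seen. Returns (index, opcode, MAC)."""
    first_mac, alerts = None, []
    for n, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None or parsed[2] != gateway_ip:
            continue
        op, sha = parsed[0], parsed[1]
        if first_mac is None:
            first_mac = sha
        elif sha != first_mac:
            alerts.append((n, OPCODE.get(op, str(op)), sha))
    return alerts

# Constructed sample values (not from any real network).
ROUTER_MAC, ENFORCER_MAC, HOST_MAC = (bytes.fromhex(h) for h in ("00112233aabb", "00aabbccddee", "001122334455"))
ROUTER_IP, HOST_IP, ZERO_MAC = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 50]), b"\x00" * 6
SAMPLE = [
    build_arp(1, HOST_MAC, HOST_IP, ZERO_MAC, ROUTER_IP),      # host: who has 10.0.0.1?
    build_arp(2, ROUTER_MAC, ROUTER_IP, HOST_MAC, HOST_IP),    # the real router answers
    build_arp(2, ENFORCER_MAC, ROUTER_IP, HOST_MAC, HOST_IP),  # gateway IP now claimed by another MAC (reply)
    build_arp(1, ENFORCER_MAC, ROUTER_IP, ZERO_MAC, HOST_IP),  # same claim carried in a request
]
```

    Run `detect_gateway_changes(SAMPLE, "10.0.0.1")` and it reports frames 2 and 3; on a monitor port or tap the same check on live frames shows whether an enforcer (or anything else) is rewriting the gateway mapping.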

  • ARP Manipulation

  • VLAN Change (Futures)

  • DNS (Futures)

  • DHCP (Futures)

  • Blackhole Injection (risky)
  • Implementations
    All current deployments are passive mode
    Several residential networks and 2 schools
    ~4500 users
    3781 registrations
    ~125 violations
    Nachi / Sasser, Agobot, Gaobot, etc. / IRC bots

  • Thanks!!!
    Hot fun topic!
    Software available at:

  • References
    University network security best practices, Scott Bradner

