Border Patrol: Access Denied!

Robert Riley, Dan Rousseve, Bob Winding
University of Notre Dame

Copyright 2007. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.
Page 1

University of Notre Dame

Border Patrol: Access Denied!

Robert Riley, Dan Rousseve, Bob Winding
University of Notre Dame

Copyright 2007. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the authors. To disseminate otherwise or to republish requires written permission from the authors.

Page 2

Background

• University networks are open to facilitate teaching and research

• Most Universities have large public IP blocks and lots of bandwidth

• This has left the door open to malicious activity

• The changing security landscape requires re-thinking the definition of open network

Page 3

The Problem

• Constant probes from the Internet looking for trouble
– Syslog data shows an average of 10K unique ports used for inbound connection attempts

• Probe traffic creates too much noise. IDS was receiving 150K+ detects a day at the border

• Need to reduce malicious traffic without impacting the mission of the University

• Laws and regulations have consequences for compromises

Page 4

Some Questions

• Does the whole University participate in network based research?

• Who really needs “full” network access?

• Can researchers benefit from protection?
– What if my research became public prematurely?
– Do these controls impact academic freedom?

• Should administrator workstations be accessible to students? To the world?

Page 5

Thoughts

• Your unrestricted access to the Internet is different than the Internet’s unrestricted access to you

• What’s really needed to support the functions of the University, e.g. academic and administration?

• Who should be able to host public services?

• Most people assume their systems are secure

Page 6

The Project

• Analyze traffic and commonly used services and determine allowed inbound traffic.

• Everything allowed out, and of course the responses are allowed back (stateful connections)

• Educating users is critical.
– People fear the worst
– Transparency is key to success

Page 7

Plan A

• Use firewall logs to determine what was being used
– Implement ACLs to permit everything in use (status quo)

• Log analysis too complex; we needed to determine a policy independent of the current usage

• 300 inbound ports being used in just one building

• Plan is transparent/analytical (too bad it didn’t work)

Page 8

Plan B

• Determine list of inbound ports that represent traffic for well known services that are in wide use (subjective policy)

• Vet the list to numerous campus constituencies for consensus

• Provide a mechanism to exempt machines
– No one-off rules, keep the border simple

• Educate users on alternative methods of access (e.g. VPN)

• Pilot, then rollout slowly, adjust as we go

Page 9

Why Bother

• Reduce the exposure of majority of campus systems to unwanted Internet traffic

• Quiet the network and increase the value of IDS

• Reduce the vector by which hackers may seek to compromise systems

• Educate users regarding issues of being exposed to the Internet

• Provide basic protection layer at the border, not the only layer

Page 10

Perception vs. Reality

• “The researcher/user becomes a minority voice in how they can use their own system!”

• “We need to balance our security concerns against our teaching and research mission. I personally think that research/teaching aspects deserve more importance.”

• “collaborative research with other universities will be severely impacted by this......”

• “I personally feel that many of the security policies/procedures being considered and/or implemented at Notre Dame are overbearing and will probably cause as many or more problems than they solve.”

Page 11

Perception vs. Reality

• “It seems that as long as we act in a responsible manner with those sorts of assets we should be allowed to make well informed mistakes and deal with the consequences.”

• “I question will the system continue to be usable when it's behind the firewall?”

• “In the best case, it doesn't seem to add any security value. In the worst case, it can give me a false sense of security and make me complacent. In all the cases, it is annoying :-(”

Page 12

Barriers to implementation

• Academic freedom

• Detriment to research and experimentation
– What do you mean I can’t run a web server on port 31337?
– Faculty may be researching Internet attacks

• Cultural shift
– The Windows firewall is good enough
– If I’m going to run a public service maybe it should be on an institutionally managed server

Page 13

How it works

• Cisco Firewall Services Module at border
– List of 14 ports allowed in to all addresses
– All outbound connections allowed, implicitly allow return traffic

• Datacenter still sees all traffic, but has its own protection layers

• Unprotected network for exempted systems

• Resnet will be addressed in zoned network project

Page 14

Technical Requirements

Desired Function             Required Specs                 FWSM Specs
Multi OSI Layer Protection   Layers 2 – 7 Protection        Layers 2 – 7 Protection
Throughput                   1Gbps                          5Gbps
Simultaneous Connections     300,000 Connections            1,000,000 Connections
Connections per Second       50,000 Connections/sec         100,000 Connections/sec
High Availability            Active/Standby                 Active/Standby or Active/Active
Virtualization               2 or more Virtual Firewalls    Up to 250 Virtual Firewalls
Multicast Support

Page 15

How it works

• Final consensus denies all but 14 ports (representing 7 services)
– Mail (encrypted user email, smtp)
– Web (https/http)
– LDAPS
– FTP
– SSH
– VPN – This is how you get to everything else
– Video Conferencing (H.323)
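As an added example (not code from the deck or from Notre Dame's firewall), the kind of analysis Plan A attempted and the policy described on this slide: a Python script that parses constructed firewall connection-log lines, counts the distinct inbound ports in use, and reports how many new inbound flows a default-deny allow-list would block and on which ports, so the blocked ports can be reviewed for exemptions. The campus range, the exempted host and the allow-list are assumptions; the deck does not list its actual 14 ports, so the set below is built from well-known ports for the seven named services.

```python
from collections import Counter
import ipaddress
import re

# Assumed well-known ports for the seven permitted services. The deck does not list
# its actual 14 ports, so this allow-list is an illustration, not Notre Dame's policy.
ALLOWED = {("tcp", 25), ("tcp", 993), ("tcp", 995),          # mail: smtp, imaps, pop3s
           ("tcp", 80), ("tcp", 443), ("tcp", 636),          # web, ldaps
           ("tcp", 21), ("tcp", 22), ("tcp", 1720),          # ftp, ssh, h.323 signalling
           ("udp", 500), ("udp", 4500)}                      # vpn: isakmp, nat-traversal
CAMPUS = ipaddress.ip_network("192.0.2.0/24")                # constructed RFC 5737 range
EXEMPT = {ipaddress.ip_address("192.0.2.200")}               # hypothetical exempted host

# Constructed connection-log lines (not real data): "<time> <src>:<port> -> <dst>:<port> <proto>"
SAMPLE_LOG = """\
2007-03-01T10:00:01 203.0.113.5:51234 -> 192.0.2.10:443 tcp
2007-03-01T10:00:02 203.0.113.5:51235 -> 192.0.2.10:25 tcp
2007-03-01T10:00:03 198.51.100.9:40001 -> 192.0.2.11:31337 tcp
2007-03-01T10:00:04 198.51.100.9:40002 -> 192.0.2.11:3389 tcp
2007-03-01T10:00:05 198.51.100.9:40003 -> 192.0.2.12:22 tcp
2007-03-01T10:00:06 198.51.100.9:40004 -> 192.0.2.200:31337 tcp
2007-03-01T10:00:07 192.0.2.10:44000 -> 198.51.100.7:80 tcp
2007-03-01T10:00:08 203.0.113.77:1026 -> 192.0.2.13:135 tcp
"""
LINE_RE = re.compile(r"^\S+ (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>tcp|udp)$")

def parse(line):
    """Return (src, dst, proto, dport) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
            m["proto"], int(m["dport"]))

def evaluate(lines, allowed=ALLOWED, campus=CAMPUS, exempt=EXEMPT):
    """Judge each new flow under the border policy: outbound is always allowed (the
    stateful firewall admits the replies), inbound passes only on an allowed port or
    to an exempted host. Returns counts plus the ports the policy would have blocked."""
    stats = {"inbound": 0, "blocked": 0, "ports_seen": set(), "blocked_ports": Counter()}
    for src, dst, proto, dport in filter(None, map(parse, lines)):
        if src in campus or dst not in campus:
            continue                                          # outbound: not policed inbound
        stats["inbound"] += 1
        stats["ports_seen"].add((proto, dport))
        if dst in exempt or (proto, dport) in allowed:
            continue
        stats["blocked"] += 1
        stats["blocked_ports"][(proto, dport)] += 1           # candidates for exemption review
    return stats
```

On the sample, 3 of 7 new inbound flows are denied (ports 31337, 3389 and 135); the exempted host's 31337 listener passes, and the outbound line is ignored because the stateful firewall handles its replies.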

Page 16

[Network diagram; labels only: Internet, Internet2, Border Router, Cisco Firewall Services Module (FWSM), DMZ Router, Campus Network, Unprotected Network, Resnet]

Page 17

Pilot

• OIT “eats its own cooking”
– Building subnets placed behind border. Port use goes from 300 inbound used to 5 (of 14 permitted)
– One subway service is discovered, otherwise the silence is deafening

• Next, we solicited participants for an expanded pilot, e.g. Alumni, Law, Performing Arts, Main Building, College of Business, etc.

• Handful of issues discovered in pilot

Page 18

Pilot Issues

• Remote Vendor support access

• Legacy Applications

• Lexis/Nexis printing remotely to ND printers

• Remote T1 networks

Page 19

Outcomes

• Academic Freedom unaffected

• No impact to University business functions

• Implementation transparent to vast majority of users

• 35% of inbound traffic is blocked

• Less noise on network for IDS
– IDS alerts went from 150K/day to 90K/day

Page 20

Future

• Filter datacenter traffic

• Provide increased protection or eliminate exempted systems

• Research net (now exempted systems) with secure access to institutional data

• Zoned network

• Resnet – What’s reasonable
– Diode protection: Opt in/out
– Register public services

Page 21

Questions?