Network Security Initiatives at UC Davis - PowerPoint PPT Presentation

Slides: 53
Provided by: jlbe6

Transcript and Presenter's Notes

1
Network Security Initiatives at UC Davis
  • IT Security Symposium
  • 6/21/07
  • Mark Redican UC Davis NOC Manager

2
Agenda
  • Introduction
  • Current Security Measures
  • Effectiveness
  • Security Initiatives In-progress
  • Planned/Programmed Security Initiatives
  • Some Future Challenges

3
Introduction
  • Network Originally Built for Speed not Security
    (2002-2003)
  • Open Borders / ISP Model
  • Reliance on End-point Security
  • No Centrally Managed/Enforced Security Measures
  • Department Responsibility
  • No Real Security Policies
  • No Policy for End-point Security Requirements
  • Emergency Network Security Policy
  • Acceptable Use Policy

4
Introduction
  • Changes In Security Posture
  • Consensus that Security is Important
  • Address at Campus Level and Department Level
  • Recognition of the Costs
  • Both Costs of Hacks and Counter-measures
  • Leverage Centrally Managed Systems
  • Improved Security Policies and Resources
  • Cyber Safety Program
  • Education and Enforcement

5
Introduction
  • What Changed Our Minds
  • Proliferation of Trojans, Malware, etc.
  • Information Security
  • Vulnerability of Sensitive Information
  • Vulnerability of Personal Information
  • Costs Associated with Hacks
  • Financial
  • Reputation
  • Productivity
  • Etc

6
Current Security Measures
  • Cyber Safety Program Policy

7
Current Security Measures
  • Cyber Safety Program Policy
  • Mandates Host-Based and VLAN Firewalls
  • Required and Recommended Rulesets
  • IET Established a Managed Firewall Service
  • Blanket PO for NetScreen Firewall Purchases
  • Rates and Services for Turnkey Firewall
    Management
  • Develop IET and Campus Expertise
  • Disable Unnecessary Network Ports
  • On-line Vulnerability Scanner

8
Current Security Initiatives
  • Education

9
Current Security Measures
  • Border and ResNet Firewalls
  • NetScreen 5400s and 5200s
  • Limited Rulesets
  • Screening Functions
  • Stop Brute-Force Attacks
  • Obvious Scans
  • Flood Protection: ICMP, UDP, SYN
  • TCP Illegal Flag Combinations (e.g. OS Detect)
  • Host Session Limits

10
Current Security Measures
  • Border and ResNet Firewalls
  • Current Configuration has Limited Effectiveness
  • Allow Inbound Connections
  • Slow Scans not Blocked
  • Have seen 1000 source IPs scanning 200K campus
    destination addresses in a 24-hour period.
  • Tightening Screening Functions Impact End-Users
    and Firewall Performance
  • Only very aggressive attacks are blocked at
    campus border routers

11
Current Security Measures
  • Packet Shapers
  • Located at Campus and ResNet Borders
  • Principally Used to Constrain
  • P2P Traffic: Reduce DMCA Violations
  • Recently took a more aggressive stance; time will
    tell if effective.
  • ResNet Bandwidth Abuse: Penalty Box
  • Excessive Sessions Inbound and Outbound

12
Current Security Measures
  • Campus Honeypot
  • Tracks Port and Source IP Address Information
  • Characterizes Attacks
  • Creates Reports for Attacks Sourced from UCD
  • By VLAN for Department Network Admins
  • Generates E-mails for End-Users and Network
    Admins
  • Generates Alerts Based on Thresholds
  • Can be used to add rules to firewalls or campus
    border router ACLs (manual process)
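The honeypot workflow on this slide (count hits by source and port, report per VLAN to the department admin, alert on a threshold, and hand a network admin candidate firewall or border-router rules) can be sketched in a few functions. The following is an added example, not the campus honeypot's own code: the hit-log format, the addresses, the VLAN table and the ACL syntax are all constructed for illustration.

```python
"""Added example: turning honeypot hits into per-VLAN reports, threshold alerts and
candidate ACL entries. Not the campus honeypot's code; the log format and VLAN table
are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed hit log, one line per connection to the honeypot:
# "<epoch> <source ip> <destination port>".
SAMPLE_HITS = """\
1182400000 169.237.10.5 445
1182400007 169.237.10.5 445
1182400015 169.237.10.5 139
1182400020 169.237.10.5 445
1182400060 169.237.20.9 22
1182400061 169.237.20.9 22
1182400090 169.237.20.9 22
1182400130 169.237.10.77 1433
1182400200 10.0.0.1 80
"""

# Hypothetical VLAN table: prefix -> (VLAN id, department network admin contact).
VLAN_TABLE = [
    (ipaddress.ip_network("169.237.10.0/24"), 110, "netadmin-a@example.edu"),
    (ipaddress.ip_network("169.237.20.0/24"), 120, "netadmin-b@example.edu"),
]


def parse_hits(text):
    """Parse the log into (timestamp, source address, destination port) tuples."""
    hits = []
    for line in text.splitlines():
        ts, src, port = line.split()
        hits.append((int(ts), ipaddress.ip_address(src), int(port)))
    return hits


def vlan_for(ip):
    """Map a source address to its VLAN and admin; (None, None) for addresses outside the table."""
    for net, vlan, admin in VLAN_TABLE:
        if ip in net:
            return vlan, admin
    return None, None


def summarize(hits):
    """Per-source hit counts and the set of ports each source probed."""
    counts = defaultdict(int)
    ports = defaultdict(set)
    for _ts, src, port in hits:
        counts[src] += 1
        ports[src].add(port)
    return counts, ports


def vlan_report(hits, threshold):
    """Group sources by VLAN and flag any source whose hit count reaches the threshold."""
    counts, ports = summarize(hits)
    report = defaultdict(list)
    for src, n in counts.items():
        vlan, admin = vlan_for(src)
        report[vlan].append({
            "src": str(src),
            "hits": n,
            "ports": sorted(ports[src]),
            "alert": n >= threshold,
            "admin": admin,
        })
    return dict(report)


def acl_entries(report):
    """Candidate deny entries for alerted campus sources, for a network admin to review
    before adding them to a firewall or border router ACL (illustrative syntax).
    Sources outside the VLAN table (not campus-sourced) are left to the honeypot report."""
    lines = []
    for vlan in sorted(v for v in report if v is not None):
        for entry in report[vlan]:
            if entry["alert"]:
                lines.append(f"deny ip host {entry['src']} any  ! VLAN {vlan}")
    return lines


if __name__ == "__main__":
    rep = vlan_report(parse_hits(SAMPLE_HITS), threshold=3)
    for vlan, entries in rep.items():
        print(vlan, entries)
    print("\n".join(acl_entries(rep)))
```

The report keeps the admin contact alongside each flagged source so the per-VLAN e-mail on the slide can be generated from it; the ACL lines are deliberately produced as text for review rather than pushed to a device, matching the manual process the slide describes.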

13
Current Security Measures
  • Campus Honeypot (Sample Output)

14
Current Security Measures
  • Campus Honeypot
  • Effective for Department End-points
  • Department Admins Take Action
  • Not Effective for ResNet and Wireless Users
  • No Network or System Admin
  • End-users Not Required to Address the Problem
    (yet)
  • Provides Useful and Actionable Information
  • Weakness: No Prevention or Real-Time Enforcement

15
Current Security Measures
  • Intrusion Detection Systems - BRO
  • Reports Integrated with Honeypot Notifications
  • Monitors a Subset of Border Traffic
  • Daily Nessus Scans
  • Campus Address Space Scanned Once/Day
  • ResNet, Modem Pools and Wireless Scanned
    Twice/Day
  • Notifications Generated
  • Limited Nessus Scans
  • On Wireless and Web Portal Authentication
  • Failure Re-directs to Remediation Page

16
Current Security Measures
  • sFlow Sampling and Collection
  • All network electronics send sFlow samples to
    collectors/databases
  • InMon Application
  • Traffic Analysis, Anomaly Triggers, Threshold
    Alerts
  • Slow-scan Detection
  • Bot Net Detection
  • Floods
  • Anomalous TTL
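Slide 10 noted that slow scans pass the border firewall's screening functions; the sFlow collector can catch them because it keeps state over a much longer window. The following is an added example, not InMon's code: it runs the same distinct-destination check with a 60-second window (the kind of threshold a border screen can afford) and with a 24-hour window, over constructed flow samples in which one host probes a new destination every ten minutes.

```python
"""Added example: detecting a slow scan from sFlow-style samples with a long
sliding window. Not InMon's code; the samples are constructed."""
from collections import Counter, deque


def build_samples():
    """Constructed flow samples (timestamp, source, destination, destination port).

    One scanner touches a new destination every 600 s for 150 destinations
    (about 25 hours); one normal host talks to the same five servers repeatedly.
    """
    samples = []
    for i in range(150):
        samples.append((i * 600, "169.237.99.1", f"10.1.0.{i + 1}", 445))
    servers = ["10.2.0.10", "10.2.0.11", "10.2.0.12", "10.2.0.13", "10.2.0.14"]
    for i in range(200):
        samples.append((i * 400, "169.237.50.7", servers[i % 5], 443))
    return samples


SAMPLES = build_samples()


def scan_alerts(samples, window, max_dsts):
    """Flag each source that contacts at least max_dsts distinct destinations within
    any span of `window` seconds. Returns {source: timestamp first flagged}."""
    state = {}    # source -> (deque of (ts, dst) inside the window, Counter of dst)
    flagged = {}
    for ts, src, dst, _port in sorted(samples):
        q, seen = state.setdefault(src, (deque(), Counter()))
        q.append((ts, dst))
        seen[dst] += 1
        while q and q[0][0] < ts - window:   # evict samples older than the window
            _old_ts, old_dst = q.popleft()
            seen[old_dst] -= 1
            if seen[old_dst] == 0:
                del seen[old_dst]
        if len(seen) >= max_dsts and src not in flagged:
            flagged[src] = ts
    return flagged


def fast_scan_alerts(samples):
    """Border-screen style check: 20 distinct destinations within 60 s."""
    return scan_alerts(samples, window=60, max_dsts=20)


def slow_scan_alerts(samples):
    """Collector-side check: 100 distinct destinations within 24 hours."""
    return scan_alerts(samples, window=24 * 3600, max_dsts=100)


if __name__ == "__main__":
    print("fast:", fast_scan_alerts(SAMPLES))
    print("slow:", slow_scan_alerts(SAMPLES))
```

The short window never sees more than one destination from the scanner and reports nothing; the 24-hour window flags it at its hundredth destination while the normal host, which never exceeds five distinct peers, stays quiet. The memory cost is the per-source window of samples, which is why this belongs on a collector rather than an in-line screen.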

17
Current Security Measures
  • InMon Application
  • Forensics
  • Detailed packet traces stored for 6 months
  • Data rolled-up and stored for 4 years
  • Data used to analyze possible compromises
  • Currently Expanding Anomaly Detection Role
  • Snort rules (next server upgrade)
  • More detailed packet traces

18
Current Security Measures
  • InMon Summary

19
Current Security Measures
  • InMon

20
Current Security Measures
  • InMon

21
(No Transcript)
22
Current Security Measures
  • Wireless Network
  • Open Access Points (no encryption)
  • Both centrally managed and department APs
  • Wireless Gateways
  • Captive portal: Web page re-directs to Kerberos
    login
  • Some ports blocked via ACLs
  • Nessus Scan
  • Guest access via sponsor registration
  • Temporary passwords
  • No restrictions on guest access

23
Current Security Measures
  • Areas Where Improvement is Needed
  • Lack of Real-Time Prevention/Enforcement
  • Wireless Security
  • Authentication
  • More Robust for Network Admission
  • Policy Decisions: Roles, LDAP Attributes
  • Segregated Guest Access
  • End-Point Audits, Enforcement and Remediation

24
Improvements In-Progress
  • Real-Time Prevention/Enforcement
  • Intrusion Prevention System (Tipping Point)
  • Currently Piloting Monitoring Border (tap)
  • Looks Very Promising
  • Layer 2-7 Inspection
  • Filters and Options for Granular Policies
  • Ability to Block Malicious Traffic in Real Time
  • Some Rate Limiting Capabilities
  • Not quite a packet shaper however

25
Improvements In-Progress
  • Real-Time Prevention/Enforcement
  • Next Steps with IPS
  • Deploy in-line
  • Develop policies to block selected traffic and
    notify users
  • Monitor system performance
  • More blocking, more performance monitoring
  • Introduce rate-limiting for P2P traffic
  • Develop lookup tools for users, NOC and Help Desk
  • Re-purpose border firewalls and packet shapers????

26
Improvements In-Progress
  • Real-Time Prevention/Enforcement
  • IPS Goals
  • Deploy at network border, ResNet
  • Proactive prevention and enforcement
  • IPS Concerns
  • Border and Core connections upgrading to 10 GE
  • Stopping the bad without affecting the good
  • Managing Exceptions (e.g. Yahoo Messenger Login)
  • Expertise required to set meaningful policies
  • Encrypted malware hard to characterize

27
Improvements In-Progress
  • Real-Time Prevention/Enforcement
  • Proposal Submitted to Reconfigure ResNet Firewall
  • True stateful firewall configuration (vs.
    screening)
  • Deny unsolicited inbound connections
  • No servers on ResNet (almost)
  • DMCA violations are driving this proposal
  • Goals
  • Primarily to reduce P2P traffic and DMCA
    violations
  • Provide some added protection to ResNet users

28
Improvements In-Progress
  • Real-Time Prevention/Enforcement
  • ResNet Firewall Concerns
  • May affect some services (station to station)
  • Most services can accommodate firewalls and NAT
    (e.g. Skype SuperNode)
  • Complaints from restrictions on network use
  • Not many Universities are doing this
  • More aggressive packet shaping can affect DMCA
    violations
  • Mobile user environment cross infections

29
Improvements In-Progress
  • Wireless Security
  • 802.1x in Limited Production on Existing
    Centrally Managed Wireless Network
  • Separate SSID, currently not beaconed
  • WPA/TKIP Encryption
  • MSCHAPv2, PEAP
  • Ramping up Help Desk services
  • Auto-configuration tool, self-help guides, splash
    pages
  • Full Production this Summer
  • Stateful Firewall

30
Improvements In-Progress
  • Wireless Security
  • 802.1x on Existing Wireless Network
  • Goals
  • Begin the process of migrating to 802.1x for all
    wireless access
  • Begin the process of encrypting all wireless
    sessions
  • Begin moving away from MAC address registration
  • Concerns
  • Not all supplicants work well
  • Help Desk support, troubleshooting, configuration

31
Improvements In-Progress
  • Wireless Security
  • Moving Toward Total Central Management
  • Upgrading Wireless Infrastructure
  • Controller based solution
  • Integrated Firewall: Role, time, location based
    policies
  • 802.1x, MSCHAPv2, PEAP, WPA
  • Captive Portal
  • Legacy systems that don't play with 802.1x
  • Guest / Visitor access
  • Rogue Access Point Detection and Suppression

32
Improvements In-Progress
  • Wireless Security
  • Total Central Management
  • Goals
  • Role based firewall rules and enforcement
  • Standardized services with more security
  • 802.1x, WPA encryption
  • Same services throughout campus
  • Seamless roaming, VoIP services
  • Control of the RF environment (rogue APs)

33
Improvements In-Progress
  • Wireless Security
  • Total Central Management
  • Concerns
  • Funding: Initial and on-going
  • Time: will take years
  • Department hold-outs or exceptions
  • Strengthen policies to require strong security on
    department WLANs (in-progress)
  • Offer a better service

34
Improvements In-Progress
  • Authentication
  • RADIUS/LDAP
  • RADIUS Server Deployed (Identity Engines)
  • Initial Application - Support Network
    Authentication
  • 802.1x Authentication via MSCHAPv2 hash stored
    in LDAP
  • Captive Portal Authentication via Kerberos with
    LDAP query for role and other attributes
  • Other devices: Restricted VLANs
  • Foundry switches will authenticate registered MAC
    Addresses via RADIUS

35
Improvements In-Progress
  • Authentication
  • RADIUS/LDAP
  • Authenticator and Policy Decisions
  • Location, time, method (802.1x, captive portal)
  • Source (wireless, VPN, wired network, etc)
  • LDAP attributes
  • Role / Group: Staff, faculty, student, guest,
    visitor
  • Preferred VLAN: Department, restricted, default
  • Permits: Wireless, ResNet, blacklist

36
Improvements In-Progress
  • Authentication
  • RADIUS/LDAP
  • Developing Web Interfaces
  • Help Desk Tools
  • Faculty: Restrict student wireless access in
    classrooms
  • Network Admins: Specify preferred VLANs for
    department personnel
  • Restrict wireless access to department VLANs by
    time-of-day, role, etc.
  • Enable/Disable authentication per port (e.g.
    network printers)
  • NOC: Revoke permits, or blacklist

37
Improvements In-Progress
  • Authentication
  • RADIUS/LDAP - Goals
  • Implement Role Based Network Access
  • On wireless controllers: Enforced via role based
    firewall rule sets or VLAN assignment
  • On wired network: Enforced via VLAN assignment
  • Allow Net Admins and Faculty to have some control
  • RADIUS/LDAP Concerns
  • Updating LDAP attributes: feeds from
    authoritative sources
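Slides 35 through 37 describe the policy decision the RADIUS server makes once a user has authenticated: inputs are the method, source, location and time of the request plus the role, preferred VLAN and permits held in LDAP; outputs are accept/reject and a VLAN, with Help Desk, faculty and NOC tools editing the attributes. The following is an added example of that decision logic, not the Identity Engines configuration used at UC Davis: the directory contents, VLAN numbers, classroom restriction table and the rule that MAC-only authentication lands on a restricted VLAN are all assumptions made for illustration.

```python
"""Added example: a RADIUS-style policy decision driven by LDAP attributes.
Not UC Davis's Identity Engines configuration; the directory, VLAN numbers and
classroom restrictions are constructed."""
import copy
from dataclasses import dataclass
from typing import Optional

# Constructed LDAP-like directory: username -> attributes the RADIUS server would query.
DIRECTORY = {
    "alice":   {"role": "faculty", "preferred_vlan": 210, "permits": {"wireless", "resnet"}},
    "bob":     {"role": "student", "preferred_vlan": None, "permits": {"wireless", "resnet"}},
    "carol":   {"role": "staff",   "preferred_vlan": 220, "permits": {"wireless"}},
    "dave":    {"role": "student", "preferred_vlan": None, "permits": {"wireless"}, "blacklist": True},
    "guest42": {"role": "guest",   "preferred_vlan": None, "permits": {"wireless"}},
}

DEFAULT_VLAN = 100     # hypothetical VLAN numbers
RESTRICTED_VLAN = 199
GUEST_VLAN = 190

# Hypothetical faculty-set restriction: location -> (start hour, end hour) during which
# students may not use wireless in that room.
CLASSROOM_RESTRICTIONS = {"classroom-1": (9, 11)}


@dataclass
class AuthRequest:
    username: str
    method: str      # "802.1x", "captive_portal" or "mac"
    source: str      # "wireless", "resnet", "wired" or "vpn"
    location: str
    hour: int        # local hour of day, 0-23


@dataclass
class Decision:
    accept: bool
    vlan: Optional[int]
    reason: str


def decide(req, directory=DIRECTORY, restrictions=CLASSROOM_RESTRICTIONS):
    """Policy decision after the credential has been verified: blacklist, permits,
    role, location and time decide whether to admit and on which VLAN."""
    attrs = directory.get(req.username)
    if attrs is None:
        return Decision(False, None, "unknown user")
    if attrs.get("blacklist"):
        return Decision(False, None, "blacklisted")
    if req.source in ("wireless", "resnet") and req.source not in attrs["permits"]:
        return Decision(False, None, f"no {req.source} permit")
    role = attrs["role"]
    if role == "student" and req.source == "wireless":
        window = restrictions.get(req.location)
        if window and window[0] <= req.hour < window[1]:
            return Decision(False, None, "student wireless restricted in classroom")
    if role in ("guest", "visitor"):
        return Decision(True, GUEST_VLAN, "guest VLAN")
    if req.method == "mac":
        # Registered MAC address only, no user credential: confine to the restricted VLAN.
        return Decision(True, RESTRICTED_VLAN, "MAC authentication, restricted VLAN")
    vlan = attrs.get("preferred_vlan") or DEFAULT_VLAN
    return Decision(True, vlan, f"{role} via {req.method}")


# Operations the web interfaces on slide 36 would perform on the directory.
def fresh_directory():
    """Working copy so edits do not alter the constructed sample directory."""
    return copy.deepcopy(DIRECTORY)


def revoke_permit(directory, username, permit):
    """NOC tool: remove a wireless or ResNet permit."""
    directory[username]["permits"].discard(permit)


def blacklist(directory, username):
    """NOC tool: refuse all network access for the user."""
    directory[username]["blacklist"] = True


def set_preferred_vlan(directory, username, vlan):
    """Network admin tool: place department personnel on the department VLAN."""
    directory[username]["preferred_vlan"] = vlan


if __name__ == "__main__":
    print(decide(AuthRequest("bob", "802.1x", "wireless", "classroom-1", 10)))
    print(decide(AuthRequest("alice", "802.1x", "wireless", "classroom-1", 10)))
```

The order of the checks matters: blacklist and permits are evaluated before anything role-specific so a revocation takes effect regardless of how the user authenticated, and the classroom rule is keyed on role and location rather than on the user so faculty changes apply without touching individual accounts. The concern on slide 37 shows up here as the question of who is allowed to write to the `permits`, `preferred_vlan` and `blacklist` attributes.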

38
Improvements In-Progress
  • SSL VPN
  • Deployment of a Juniper SA6000 In-progress
  • Enter into production this summer
  • Campus Authentication
  • Kerberos via RADIUS
  • Apply RADIUS policies based on LDAP query
  • Initial application: Access to library resources
  • License requires access only from campus IP
    addresses
  • Anticipate more campus systems allowing access
    from campus IP addresses only
  • Trusted port(s) monitored by IPS

39
Improvements In-Progress
  • SSL VPN - Goals
  • Enable campus systems to restrict access to
    campus IP addresses
  • Facilitates management of more comprehensive
    policies on border IPS
  • SSL VPN Concerns
  • Access to Department Resources
  • Domains and distributed administration

40
Planned Improvements
  • 802.1x on Wired Network
  • Initial Rollout on Wireless
  • Integrating Tests for Wired Network
  • Foundry edge switches 802.1x testing successful
    using same back-end as wireless (RADIUS/LDAP)
  • More testing needed on multi-port authentication
  • 802.1x fails, go to MAC address authentication
  • Requested feature enhancements to code
  • Default and quarantine VLAN
  • Choices for authentication servers

41
Planned Improvements
  • 802.1x on Wired Network
  • Mandate 802.1x on ResNet and public ports
  • Failover to captive portal and/or RADIUS MAC
    address authentication
  • Opt-in for Department VLANs
  • Can be deployed on a per-port basis
  • Prefer deployment on a per-VLAN basis
  • Department administrative VLAN vs. server farm
  • Conference room VLANs, etc
  • RADIUS Policies can be Applied

42
Planned Improvements
  • Network Admission Control (NAC)
  • Evaluating Solutions
  • Product Testing
  • RFP Developed and Released
  • Re-Thinking

43
Planned Improvements
  • Network Admission Control (NAC)
  • Product Testing
  • Impulse Point Safe Connect
  • Agent based
  • Uses SFlow to detect end-points without agent SW
    installed
  • Does not use 802.1x
  • Dynamic ACLs on routers to re-direct
  • Agent contacts policy manager after network
    connection
  • Agent enforces policy
  • No VLAN changes

44
Planned Improvements
  • Network Admission Control (NAC)
  • Product Testing
  • Info Express Cyber Gatekeeper
  • Agent based - Persistent and temporary (Java)
  • 802.1x Based: Policy manager acts as RADIUS
    proxy
  • Agent passes end-point status information to
    policy manager prior to network connection
  • Audit information used to make access decision
  • VLAN changes: Quarantine, restricted, etc

45
Planned Improvements
  • Network Admission Control (NAC)
  • RFP Requirements
  • Out-of-Band Solution
  • Cost and Scalability
  • Favor 802.1x Based, not Required
  • Agent Based: Windows (up to Vista), Mac, Linux
  • Agent-less capability for guests, unsupported
    platforms, etc

46
Planned Improvements
  • Network Admission Control (NAC)
  • RFP
  • Phase I ResNet
  • Phase II Wireless and VPN
  • Phase III Opt-in for Department VLANs
  • NAC Deployment Dovetails with 802.1x RADIUS
    Efforts
  • Obvious dependencies
  • No Bid-Responses met all Requirements
  • Wait
  • Re-Think Requirements

47
Planned Improvements
  • Network Admission Control (NAC)
  • Re-Thinking Our Requirements
  • Considering In-Line Solutions for ResNet
  • Positives
  • Well defined aggregation points for placement of
    in-line appliances
  • Enforcement functions not dependent on 802.1x and
    RADIUS
  • More self-contained, less moving parts
  • Easier to manage, troubleshoot
  • Pre and Post Inspection: Monitors traffic in-band

48
Planned Improvements
  • Network Admission Control (NAC)
  • Re-Thinking Our Requirements
  • Considering In-Line Solutions for ResNet
  • Negatives
  • Solution does not scale to meet all anticipated
    needs
  • Expense: Reasonable for ResNet, gets pricy for
    wireless
  • Not feasible for goal of department opt-in
  • Would need an out-of-band solution also

49
Planned Improvements
  • Network Admission Control (NAC)
  • Re-Thinking Our Requirements
  • Agent Capabilities: Vanilla to Very Fancy
  • Enforcement at the End-Point
  • Restrictions applied at the end-point via
    firewall-like shim
  • Thorough interrogation of end-point for auditing
  • Can do interesting things like prohibit P2P
    shares
  • Drawbacks
  • Possibly gets IET into the business of
    troubleshooting PCs
  • IET controls switches (VLAN assignment), user
    controls PC

50
Outcomes
  • Better Enforcement at Campus Border
  • Intrusion Prevention System
  • VPN
  • Policy Decisions at Authentication
  • Role based Decisions
  • Geography, time, preferences, etc
  • Accounting by Username vs. MAC Address
  • Lock Down Wireless
  • Enforce End-point Hygiene

51
Future Challenges
  • Research Networks
  • Performance vs. Security
  • 10 GE at Border and Core
  • VoIP/Smartphones
  • More Encryption in Malware
  • Supporting Innovative Network Services
  • Cutting Edge Applications
  • Balancing Tradition of Open Communications with
    the Need for Secure Communications

52
Further Information
  • Contact
  • Mark Redican
  • 752-9500
  • mredican_at_ucdavis.edu
  • More Information
  • security.ucdavis.edu