Infected Host Isolation via Packeteer PacketShaper - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Infected Host Isolation via Packeteer PacketShaper


1
Infected Host Isolation via Packeteer PacketShaper
  • Ben Freitag
  • Grand Valley State University
  • freitagb_at_gvsu.edu

2
Step 1: Detect the Infected Hosts
  1. Cisco IDS Blade
  2. Firewall Flows/Server Connections
  3. Abnormal Traffic in the Packeteer
  4. Complaints from the outside world

3
Cisco IDS Blade
  • This is the preferred method
  • We use this as a passive monitor to look for
    infected hosts

4
Firewall Flows/Server Connections
  • Manual scanning of the connections table in our
    PIX Blades
  • SMTP-related viruses show up in our mail queues
  • Looks like 148.61.253.182 has the Sasser worm

5
Abnormal Traffic in the Packeteer / Complaints
from the outside world
  • These are lucky catches; we would prefer these
    were caught earlier
  • Packeteer Aspect usually only works with Auto
    Discovery

6
Step 2: Block the host
  • At the top of our Packeteer traffic tree we have
    created a folder (a small partition) for blocking.
    Within the folder we've created several classes
    depending on the type of violation. These
    classes have a never-admit policy that redirects
    them to an internal website.

7
Step 2 (Continued)
  • The hosts are tied to the classes via a host
    list for each category: Virus, Abuse,
    Unauthorized Equipment, and Other.
  • The additions can be made via the CLI or via a
    simple VB application created for our Help Desk

8
The User Experience
  • When a redirected host attempts to view a
    website off of GVSU's network, they are greeted
    with a website similar to

9
The User Experience (Cont.)
  • From these websites they can request reactivation
    or are instructed to call the Help Desk for
    further assistance.
  • The Help Desk logs these incidents as trouble
    tickets and is separately tracking offending IPs,
    tying them to MAC address, student name, etc.
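The host-list workflow from Step 2 and the Help Desk tracking on this slide, as an added example that is not part of the original presentation: detections from the sources in Step 1 are sorted into the four blocking categories, each offending IP gets a trouble ticket tied to a MAC and user from a constructed DHCP lease snapshot (an assumption about where that mapping comes from), and hosts with no lease are still blocked but flagged as unattributed. The reactivate helper models the Help Desk clearing a host.

```python
from dataclasses import dataclass, field
from typing import Optional
import ipaddress

# Host-list categories from the PacketShaper blocking folder (slide 7).
CATEGORIES = ("Virus", "Abuse", "Unauthorized Equipment", "Other")

# Constructed DHCP lease snapshot: ip -> (MAC, registered user).
LEASES = {
    "148.61.253.182": ("00:11:22:33:44:55", "student_a"),
    "148.61.10.7": ("00:aa:bb:cc:dd:ee", "student_b"),
}

# Constructed detections: (ip, category, detection source).
DETECTIONS = [
    ("148.61.253.182", "Virus", "Cisco IDS"),
    ("148.61.10.7", "Abuse", "Outside complaint"),
    ("148.61.99.99", "Virus", "Mail queue"),
    ("148.61.253.182", "Virus", "Mail queue"),  # same host seen twice
    ("148.61.5.5", "Bogus", "Firewall flows"),   # unknown category
]

@dataclass
class Ticket:
    ip: str
    category: str
    mac: Optional[str]
    user: Optional[str]
    sources: list = field(default_factory=list)

def isolate(detections, leases):
    """Build per-category host lists and one ticket per offending IP."""
    hostlists = {c: set() for c in CATEGORIES}
    tickets, rejected = {}, []
    for ip, category, source in detections:
        try:
            ipaddress.ip_address(ip)  # never push a malformed entry to the shaper
        except ValueError:
            rejected.append(ip)
            continue
        if category not in hostlists:  # no matching blocking class
            rejected.append(ip)
            continue
        hostlists[category].add(ip)
        mac, user = leases.get(ip, (None, None))
        tickets.setdefault(ip, Ticket(ip, category, mac, user)).sources.append(source)
    # Blocked but not tied to a person: the slide 10 "no real-time way" gap.
    unattributed = sorted(ip for ip, t in tickets.items() if t.mac is None)
    return {c: sorted(v) for c, v in hostlists.items()}, tickets, unattributed, rejected

def reactivate(hostlists, ip):
    """Remove a host from every blocking class once the Help Desk clears it."""
    hit = [ips for ips in hostlists.values() if ip in ips]
    for ips in hit:
        ips.remove(ip)
    return bool(hit)
```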

10
Problems
  • Can require an enormous amount of time,
    especially at the beginning of the school year.
  • Does not scale well
  • Not proactive; there is no real-time way to tie
    users to IPs.

11
The Future
  • We are evaluating several appliances to provide
    Network Admission Control (NAC) services, such as
    Perfigo (Cisco) and Blue Socket.