Post on 19-Dec-2015
1
Information Security Vision
Network Planning Task Force, 9/29/2003
Deke Kassabian and Dave Millar
2
Our Common Problem
■ Productivity Loss
  ■ Slammer worm interrupts Internet connectivity campus-wide for several hours and in a few locations on campus for longer.
  ■ 1000+ Windows machines compromised in four weeks by Blaster worm.
  ■ Managing hundreds of disconnections: run a trace, disable the port, contact the owner, get box fixed, get port re-enabled.
  ■ 1,000 infected email attachments a day.
3
Estimated cost of Blaster/Welchia
ITEM                                                             EST. COST
1200 compromised machines
  - Manage detection and notification ……………………………………… 15-25%
  - Format and rebuild machines ………………………………………………… 15-25%
  - Remove Blaster from machines ……………………………………………… 15-25%
9,000 vulnerable machines (patched twice)
  - 20 campus-wide scans, 14 mass notifications of vulnerability … 2-3%
  - 4,500 patch automatically (twice) ………………………………………… 1-2%
  - 4,500 patch manually (twice) ……………………………………………… 30-40%
Total ……………………………………………………………………………………… $287,000
Lost productivity of faculty/staff machines disconnected ……………… ?
4
Security Vision: Defense in Depth
■ Prevent
  ■ Patch management tools & services
  ■ Training & education
  ■ Anti-virus filtering on mail servers
  ■ Firewalls/Router filtering
  ■ Virtual Private Network
  ■ Personal firewalls
  ■ Secure out-of-the-box
  ■ Campus-wide vulnerability scanning
■ Detect
  ■ Intrusion detection
■ Respond
  ■ Find a better way to locate compromised and vulnerable DHCP and wireless devices.
5
Patch Management
■ Managed vs. Unmanaged
  ■ Managed – LSP runs a Windows Domain Controller; all desktops and workstations are configured to participate in the domain, and all users authenticate to the central Domain Controller. LSP has Administrator rights on all machines in the domain, and can manage domain workstations and desktops remotely – i.e. pushing out patches and service packs, applying group policies, etc.
  ■ Unmanaged – Users run their Windows desktop or workstation “stand-alone.” The only way that patches can be applied is if the owner or LSP sits down physically at each desktop/workstation.
■ Windows Update
  ■ Windows Update client points to Microsoft’s Windows Update site.
  ■ Operates in one of three modes: manual, semi-automatic and completely automatic.
■ SUS – Software Update Server
  ■ Allows you to point the Windows Update client on your desktops and workstations to your own “mirror” of Microsoft’s Windows Update site. Allows you to test MS patches before deploying them.
  ■ Can run either in a managed domain or an unmanaged workgroup
■ SMS – Systems Management Server
  ■ Administrator downloads patch, creates installation routine, creates query to find machines that need patch, deploys patch to machines from the result of query.
■ Commercial products, e.g. HFNetChk Pro, PatchLink, BigFix
  ■ Simplified management
  ■ Handles application hotfixes as well as operating system
6
Four Patch Management Options
Windows Update (for which environment? Managed or unmanaged)
Pros:
° Free
° No messy hardware to manage
Cons:
° No provision for testing patches – you’re at Microsoft’s mercy. Too risky for servers, but OK for some desktops and workstations.
SUS (for which environment? Managed or unmanaged)
Pros:
° Free software?
° Allows you to test patches before deploying
Cons:
° Must manage your own SUS server(s)
° Testing patches takes time
° Critical updates only today. Service packs are still coming in a future version.
° Won’t support Office Update until SUS 2.0 (February, 2004?)
SMS (for which environment? Managed)
Pros:
° Powerful remote management and monitoring tool.
Cons:
° More demanding and complex to manage
° Only appropriate for managed machines.
Commercial tools, e.g. HFNetChk Pro (for which environment? Managed or unmanaged)
Pros:
° Support Windows and Office update
° Some products handle patches for applications like IIS, SQL Server, etc.; service packs and feature updates -- not just Windows OS hotfixes.
Cons:
° Price
7
Critical Challenge: Patching Student machines
■ Distributing patches through SUS requires either that each desktop/workstation join a Microsoft domain, or at least that a registry change be made on each “managed” machine.
■ Obviously we don’t own student machines. We will have an easier time figuring out how to manage patches on staff and faculty machines than on students’.
                 # of Windows machines   # infected   % infected
Student-owned    2963                    501          17%
Penn-owned       8037                    700           9%
8
Patch Management Recommendation
■ Establish a policy requiring that by 7/1/04, all campus PennNet-connected Windows systems (servers, desktops and workstations) have all critical updates applied within three business days ……………………………… existing staff
■ Create a new ISC service, “Patch Management Services”, tasked to:
  ■ Work with campus LSPs to identify and share best patch management practices
  ■ Evaluate and license patch management tools
  ■ Create a campus SUS service, testing Microsoft patches against benchmark platforms
  ■ Support LSPs implementing their own SUS services
  ■ Provide security patch documentation and conduct training for campus LSPs
■ Estimated Costs
  ■ Staff ……………………………………………………………………… $100,000/yr
  ■ Hardware for campus SUS service ………………………… $10,000 every 2-3 yrs.
  ■ Campus license for commercial patch management software – 1000 seats ……… $6/seat/yr
10
Virus Filtering
■ Typical Windows virus spreads via
  ■ Email messages
  ■ Network file transfer
  ■ Network file server shares
  ■ Web traffic
  ■ Other direct attacks over networks
  ■ Removable storage (floppies, CDs, etc.)
■ Good anti-virus software on Windows desktops can address all of these.
11
Mail Server Virus Filtering
■ Separate from Spam filtering
■ Usually involves checking for virus signatures in email messages
■ Can be implemented on the mail server directly or on a separate server (local or external ASP).
■ Can help to slow virus spread for Windows desktops without adequate virus protection and OS patches
12
POBOX Virus Filtering
■ Proposing use of an outside virus filtering service, separate from our local server-based Spam control tools
■ Mail destined for POBOX users will take a detour through the service provider for filtering of virus messages
13
Campus-Wide Virus Filtering for email?
■ Two possible implementations, building on the POBOX approach:
  ■ Replicate the POBOX configuration on other mail servers, but take advantage of the existing business relationship and established pricing
  ■ Create a new [email protected] mail forwarding service, and have mail to users of that service pass through an outside virus filtering service.
14
Campus-Wide Virus Filtering for email?
Per server virus filtering
-- Pros --
• Involves no change in email address to take advantage of virus filtering
-- Cons --
• Distributes complexity
• Likely will not achieve best pricing
Campus-wide virus filtering based on a new [email protected] service
-- Pros --
• Probably easier to implement
• Likely to be much more cost effective
-- Cons --
• Virus filtering only available for messages using the new [email protected] format
16
Simple Building Network
[Diagram: router, switches, and hosts]
17
Simple Building Network, Firewall for all of subnet
[Diagram: router, switches, and hosts, with one firewall covering the whole subnet]
Pros:
° More coverage from one FW device
Cons:
° Blunt instrument, may subject too many things to one set of rules
° Problematic for network management
18
Simple Building Network, with firewall for servers
[Diagram: router, switches, and hosts, with a firewall in front of the servers only]
Pros:
° Excellent server- or service-specific protection possible
Cons:
° None
19
Simple Building Network, Firewall for one workgroup
[Diagram: router, switches, and hosts, with a firewall in front of one workgroup]
Pros:
° Group-specific control and protection
Cons:
° Can still be a blunt instrument
° Still problematic for network management
20
Simple Building Network, using VLAN Firewall
[Diagram: router, switches, and hosts, with a VLAN-based firewall]
Pros:
° Very flexible in terms of participation
° Addresses net management problem
Cons:
° Adds complexity and cost
21
Perimeter Firewall: Current Situation
Pros:
° Provides limited protection from common attacks
Cons:
° Collateral damage
° No provision for legitimate access to risky services.
[Diagram: Internet, edge and internal routers, switches, and hosts]
22
Campus VPN Service
Pros:
° Allows us to block the most troublesome services and permit legitimate use.
Cons:
° Complexity and cost
° Traffic is not encrypted on PennNet.
° Given the transient nature of PennNet this will at best stave off attacks for a few days
[Diagram: Internet, edge and internal routers, switches, hosts, two VPN Gateways, and a VPN Client]
23
Local VPN Service
Pros:
° Allows Schools and Centers to implement more restrictive firewall policies.
° Unencrypted traffic need not travel over PennNet.
Cons:
° Complexity and cost
[Diagram: Internet, edge and internal routers, switches, hosts, two VPN Gateways, and a VPN Client]
24
Where to put a perimeter firewall?
[Diagram: Internet, edge and internal routers, switches, and hosts]
25
Minimal perimeter filtering in edge routers
[Diagram: Internet, edge and internal routers, switches, and hosts, with filtering at the edge routers]
26
Minimal perimeter filtering in internal routers
[Diagram: Internet, edge and internal routers, switches, and hosts, with filtering at the internal routers]
27
Campus firewall is not a panacea
University               Date Netbios ports blocked   # Windows machines   # infected   % infected
Penn                     9/11/2003                    11,000               1,100        10%
Large state university   7/28/2003                    12,000               1,500        13%
Ivy League peer          1/2/2002                     18,000               3,146        17%
28
Personal firewalls
[Diagram: router, switches, and hosts, each host running its own firewall]
29
Firewalls Recommendations & Estimated Costs
Long-term (servers, desktops and workstations):
° Evaluate a network design and migration strategy that better balances availability against security, and capable of supporting more flexible use of internal and external router filtering/firewall technology …………………………… under evaluation
Near-term (servers, desktops and workstations):
° Provide a basic level of network security by implementing router filter rules on external interfaces after campus consultation and on internal interfaces at the request of Schools/Centers
  Hardware/software for internal filtering ………………………… $20,000/bldg every 3 years
Near-term (servers, desktops and workstations):
° Enable Schools and Centers to implement tighter local security policies:
  - Publish support for VLANs ………………………………………… N&T Documentation
  - Select a campus firewall and VPN standard, avoiding a campus VPN “Tower of Babel”, buying time to patch systems, and enabling Schools and Centers to better implement local firewalls and VPN gateways …………………………… under evaluation
Near-term (desktops and workstations):
° Evaluate and recommend a personal firewall software product for targeted users and do a pilot evaluation.
  Software license for 50-100 users ………………………………… $2500 - $5000 for 3 years
31
Secure out-of-the-box
■ When someone buys a new Dell or IBM machine in the Fall Truckload sale, it is very easy for them to complete the system install without creating an Administrator password. This has led to hundreds of compromised machines within days of going on PennNet.
■ Recommendation: Work with Dell, IBM and Microsoft to create more secure default images for newly purchased Penn machines ……………………… negotiated price < $25/image
33
RPC DCOM Scan results
[Chart: # of Penn machines vulnerable, y-axis 0 to 8000, weekly from 8/1/2003 to 9/19/2003; series: RPC Round 1, RPC Round 2]
34
Campus-Wide Vulnerability Scanning
■ Vulnerability scanning has been a very useful tool in helping to manage the patching process University-wide.
■ Focused, campus-wide scans for a single vulnerability can be done quickly (i.e. in 45 minutes or so). This is very helpful to defend against a particular worm.
■ Broader, campus-wide scans for the top twenty vulnerabilities take longer – more like 3-4 weeks. This is very helpful for “good hygiene” to ensure that we stay patched as new machines come onto PennNet over time. Goal: 1-3 weeks per campus-wide scan.
■ Finding contact information for the owners of thousands of DHCP (wired and wireless) devices is difficult and time-consuming.
■ The effectiveness of campus-wide scans is limited to the extent that laptops come and go at different locations on PennNet. We probably miss many vulnerable laptops if they’re “off-line” at the time we scan.
35
Vulnerability Scanning Recommendations
■ Develop more efficient methods of locating the owners of DHCP (wired and wireless) devices. See “Respond” section below.
37
How do worms spread?
[Diagram: Internet, edge and internal routers, switches, and hosts]
■ 60% of the time: attack Penn systems
■ 40% of the time: attack external systems
38
How did we learn about Blaster/Welchia infected machines?
■ Outsiders automatically send personal firewall logs to central services like MyNetWatchman, who in turn email the report to us.
■ Penn people have automated extracts from their firewall logs and email us the results.
■ We are automatically scanning our firewall logs and extracting the results every four hours.
■ Strengths: simple approach, inexpensive
■ Weaknesses: limited coverage, relies on Penn people’s willingness to continue to devote the time.
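The automated firewall-log extraction described above, as an added example (not the presenters' tooling): it parses a constructed deny-log format and flags campus hosts that contacted many distinct destinations on the RPC/SMB ports Blaster used within a short window, which is the pattern a worm sweep leaves in firewall logs, while a host that merely retries one file server is not reported. The log format, the campus address range (10.0.0.0/8) and the thresholds are assumptions.

```python
"""Flag campus hosts whose firewall-denied traffic looks like a Blaster-style
RPC DCOM sweep (added example; log format, address range and thresholds are assumptions)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Blaster spread over TCP 135 (RPC DCOM); 445 is included because the same RPC
# interface is reachable over SMB.  Assumed port list.
SCAN_PORTS = {135, 445}
CAMPUS_NETS = [ip_network("10.0.0.0/8")]  # placeholder for the PennNet address space

# Constructed deny-log format: "<date> <time> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_campus(addr):
    return any(ip_address(addr) in net for net in CAMPUS_NETS)


def parse_line(line):
    """Return (timestamp, src, dst, dport), or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"], m["dst"], int(m["dport"])


def find_scanners(lines, min_targets=20, window_seconds=600):
    """Return {src: summary} for campus sources that reached at least min_targets
    distinct destinations on SCAN_PORTS within any window_seconds.  Counting distinct
    destinations keeps a host that merely retries one file server off the list."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[3] not in SCAN_PORTS or not is_campus(rec[1]):
            continue
        events[rec[1]].append(rec)

    findings = {}
    for src, recs in events.items():
        recs.sort()                # tuples sort by timestamp first
        in_window = Counter()      # dst -> hits inside the sliding window
        start, peak = 0, 0
        for ts, _, dst, _ in recs:
            in_window[dst] += 1
            while ts - recs[start][0] > window:   # slide the window forward
                old = recs[start][2]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            dsts = {r[2] for r in recs}
            findings[src] = {
                "peak_targets_in_window": peak,
                "internal_targets": sum(1 for d in dsts if is_campus(d)),
                "external_targets": sum(1 for d in dsts if not is_campus(d)),
                "first_seen": recs[0][0],
                "last_seen": recs[-1][0],
            }
    return findings


def format_report(findings):
    """Plain-text summary of the kind that gets emailed to the security team."""
    if not findings:
        return "No hosts matched the worm-sweep pattern."
    out = ["Suspected worm-infected hosts (distinct targets on TCP 135/445):"]
    for src, f in sorted(findings.items(), key=lambda kv: -kv[1]["peak_targets_in_window"]):
        out.append(
            f"  {src}: {f['peak_targets_in_window']} targets in one window "
            f"({f['internal_targets']} campus, {f['external_targets']} external), "
            f"{f['first_seen']:%Y-%m-%d %H:%M} to {f['last_seen']:%H:%M}"
        )
    return "\n".join(out)


def build_sample_log():
    """Constructed sample log: one sweeping host, one chatty but benign host."""
    t0 = datetime(2003, 8, 12, 14, 0, 0)
    lines = []
    for i in range(30):        # 10.1.2.3 sweeps 30 campus hosts on 135 in two minutes
        t = t0 + timedelta(seconds=4 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} DENY TCP 10.1.2.3:{1030 + i} -> 10.4.5.{i + 1}:135")
    for i in range(4):         # ...then four external hosts
        t = t0 + timedelta(seconds=120 + 4 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} DENY TCP 10.1.2.3:{2000 + i} -> 192.0.2.{i + 1}:135")
    for i in range(40):        # 10.1.2.9 retries a single file server on 445
        t = t0 + timedelta(seconds=3 * i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} DENY TCP 10.1.2.9:{3000 + i} -> 10.9.9.9:445")
    lines.append("2003-08-12 14:05:00 DENY TCP 198.51.100.7:4444 -> 10.1.2.50:135")  # inbound: ignored
    lines.append("malformed line that should be skipped")
    return lines
```

Running `format_report(find_scanners(build_sample_log()))` reports only 10.1.2.3 (34 targets: 30 campus, 4 external); shrinking the window to 30 seconds with a lower threshold still catches it at 8 targets per window while the retrying host stays off the list.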
39
How could we improve our detection capability?
[Diagram: Internet, edge and internal routers, switches, and hosts, with IDS boxes attached at several points]
40
How could we improve our detection capability?
IDS box connects to local switches
Pros:
■ Inexpensive
Cons:
■ Limited visibility
IDS box connects to internal routers
Pros:
■ Broader visibility
Cons:
■ More expensive equipment – e.g. fiber taps.
IDS box connects to edge routers
Pros:
■ Complete visibility of outbound attacks
Cons:
■ Technically challenging given our redundant internet connectivity.
■ Most expensive
Use edge router flow logs
Pros:
■ Less expensive and less challenging than IDS on edge routers.
Cons:
■ Limited visibility of outbound attacks
41
Targeted Intrusion Detection Recommendations & Estimated Costs
Near-term: Create policy establishing authority of ISC, Schools and Centers to conduct intrusion detection, addressing privacy, log retention and related issues ……………………………… no incremental cost
Near-term: Deploy and manage six to ten switch-connected IDS boxes to quickly identify compromised campus systems.
  Hardware ……………………………………………………… $15,000-$20,000 every 2-3 years
  Staff to configure, manage, analyze IDS systems and follow up on intrusion reports …………………… $100,000/yr
Long-term: Evaluate and determine best method to provide router flow logs for intrusion detection …………………………… under evaluation
Long-term: Evaluate a network design and migration strategy that better balances availability against security, and capable of supporting broader intrusion detection …………………………… under evaluation
42
Security Vision: Defense in Depth
■ Prevent
  ■ Patch management tools & services
  ■ Training & education
  ■ Anti-virus filtering on mail servers
  ■ Firewalls/Router filtering
  ■ Virtual Private Network
  ■ Personal firewalls
  ■ Secure out-of-the-box
  ■ Campus-wide vulnerability scanning
■ Detect
  ■ Intrusion detection
■ Respond
  ■ Find a better way to locate compromised and vulnerable machines as well as targets of copyright complaints.
43
How do we find problem machines?
■ A problem machine is reported either by the RIAA, by intrusion detection or by a campus vulnerability scan.
■ If static IP: look it up in assignments.
■ If DHCP: ask NOC for a port trace, which translates the DHCP address to a physical location.
44
Current situation
■ Unable to respond to problems with wireless machines on parts of campus. Can’t very well disable the port :-(
■ Had to just drop 40-50 cases of infected machines because of short DHCP lease lengths.
■ Requested 1149 port traces and 126 disconnects in calendar year 2003 (~$45,000). Trend is up (requested 270 this week alone).
■ Had to hold off requesting some disconnects because it would have been unmanageable.
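The lookup procedure described above (static assignments for fixed addresses, a port trace for DHCP addresses) and the short-lease problem that forced 40-50 cases to be dropped can be shown together in a small script. This is an added example, not a tool from the presentation or from Penn's NOC. It assumes ISC dhcpd-style DHCPACK syslog lines, a 30-minute lease length, and a switch MAC-address table in a constructed (switch, port, MAC) form; all log lines, addresses, MACs and switch names are constructed. It resolves a reported IP address plus timestamp to a switch port, and shows why a report with the address alone is ambiguous once the lease has turned over.

```python
"""Locate a DHCP host from lease logs and a switch MAC table (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed DHCP server log lines in the style of ISC dhcpd syslog output
# (not real campus logs). With a 30-minute lease the same address is handed
# to a second host within the hour.
DHCP_LOG = """\
Sep 29 09:00:12 dhcp1 dhcpd: DHCPACK on 10.1.7.44 to 00:11:22:aa:bb:01 via eth0
Sep 29 09:45:30 dhcp1 dhcpd: DHCPACK on 10.1.7.44 to 00:11:22:aa:bb:02 via eth0
Sep 29 10:20:05 dhcp1 dhcpd: DHCPACK on 10.1.7.45 to 00:11:22:aa:bb:03 via eth0
"""
LEASE_TIME = timedelta(minutes=30)   # assumed lease length
LOG_YEAR = 2003                      # syslog lines carry no year; assumed

# Constructed switch MAC-address table: (switch, port, mac)
MAC_TABLE = [
    ("bldg-a-sw1", "Fa0/3", "00:11:22:aa:bb:01"),
    ("bldg-a-sw2", "Fa0/17", "00:11:22:aa:bb:02"),
    ("bldg-b-sw1", "Fa0/9", "00:11:22:aa:bb:03"),
]

ACK_RE = re.compile(
    r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ dhcpd: DHCPACK on (\S+) to (\S+) via"
)


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime


def parse_leases(log, lease_time=LEASE_TIME, year=LOG_YEAR):
    """Turn DHCPACK lines into Lease records with an assumed fixed lease length."""
    leases = []
    for line in log.splitlines():
        m = ACK_RE.match(line)
        if not m:
            continue
        mon, day, hms, ip, mac = m.groups()
        start = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        leases.append(Lease(ip, mac.lower(), start, start + lease_time))
    return leases


def mac_for_ip(leases, ip, when):
    """MACs holding `ip` at time `when`: normally one, empty if nothing covers it."""
    return sorted({l.mac for l in leases if l.ip == ip and l.start <= when < l.end})


def candidates_for_ip(leases, ip):
    """Every MAC that ever held `ip` in the log: all an untimestamped report gives you."""
    return sorted({l.mac for l in leases if l.ip == ip})


def port_for_mac(mac_table, mac):
    """Switch and port where the MAC was last seen, or None."""
    for switch, port, m in mac_table:
        if m.lower() == mac.lower():
            return (switch, port)
    return None


def locate(ip, when, log=DHCP_LOG, mac_table=MAC_TABLE):
    """Resolve a reported IP and timestamp to (mac, switch, port).
    Returns None when no single lease covers that time (expired lease,
    rotated log) or the MAC is not in the switch table."""
    macs = mac_for_ip(parse_leases(log), ip, when)
    if len(macs) != 1:
        return None
    loc = port_for_mac(mac_table, macs[0])
    if loc is None:
        return None
    return (macs[0], *loc)


if __name__ == "__main__":
    print(locate("10.1.7.44", datetime(2003, 9, 29, 9, 10)))
    print(locate("10.1.7.44", datetime(2003, 9, 29, 9, 50)))
    print(candidates_for_ip(parse_leases(DHCP_LOG), "10.1.7.44"))
```

With a timestamp, `locate` returns a different port for 10.1.7.44 at 09:10 than at 09:50, and nothing at all for 09:40, when the first lease had expired and the second had not yet been granted. Without a timestamp, `candidates_for_ip` returns both MACs, which is the situation the slide describes: the report cannot be acted on, and disconnecting either port risks the wrong user.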
45
Incident Response Recommendations & Estimated Costs
Near-term: Provide tools to better support quick lookup of host and DNS contacts (under evaluation).
Near-term: Targeted deployment of PennKey authenticated network access in, for example, College Houses, GreekNet, Library: $2,000-$5,000/bldg
Long-term: Full deployment of PennKey authenticated network access on campus
  Hardware/Software (one-time): $1,000,000
Near-term: Research ways of ensuring the security of newly connected machines:
  • Vulnerability scan of machines as they connect to PennNet
  • Ability to block infected/vulnerable machines based on MAC address
  Hardware/Software: under evaluation
  Staff: under evaluation
46
Summary of Recommendations & Estimated Costs
Near-term: Establish a policy requiring that by 7/1/04 all campus PennNet-connected Windows systems (servers, desktops and workstations) have all critical updates applied within three business days: existing staff
Near-term: Create a new ISC service, “Patch Management Services”
  Staff: $100,000/yr
  Hardware for campus SUS service: $10,000 every 2-3 yrs.
  Campus license for commercial patch management software: $6/seat/yr
Near-term: Virus filtering: $5-$6/account/year
Long-term: Evaluate a network design and migration strategy that better balances availability against security and is capable of supporting more flexible use of internal and external router filtering/firewall technology (under evaluation).
Near-term: Provide a basic level of network security by implementing router filter rules on external interfaces after campus consultation and on internal interfaces at the request of Schools/Centers
  Hardware/software for internal filtering: $20,000/bldg every 3 years
Near-term: Enable Schools and Centers to implement tighter local security policies:
  - Publish support for VLANs: N&T Documentation
  - Select a campus firewall and VPN standard, avoiding a campus VPN “Tower of Babel”, buying time to patch systems, and enabling Schools and Centers to better implement local firewalls and VPN gateways: under evaluation
Near-term: Evaluate and recommend a personal firewall software product for targeted users and do a pilot evaluation.
  Software license for 50-100 users: $2,500-$5,000 for 3 years
47
Summary of Recommendations & Estimated Costs
Near-term: Work with Dell, IBM and Microsoft to create more secure default images for newly purchased Penn machines: negotiated price < $25/image
Near-term: Create policy establishing the authority of ISC, Schools and Centers to conduct intrusion detection, addressing privacy, log retention and related issues (no incremental cost).
Near-term: Deploy and manage six to ten switch-connected IDS boxes to quickly identify compromised campus systems.
  Hardware: $15,000-$20,000 every 2-3 years
  Staff to configure, manage and analyze IDS systems and follow up on intrusion reports: $100,000/yr
Long-term: Evaluate and determine the best method to provide router flow logs for intrusion detection (under evaluation).
Long-term: Evaluate a network design and migration strategy that better balances availability against security and is capable of supporting broader intrusion detection (under evaluation).
Near-term: Provide tools to better support quick lookup of host and DNS contacts (under evaluation).
Near-term: Targeted deployment of PennKey authenticated network access in, for example, College Houses, GreekNet, Library: $2,000-$5,000/bldg.
Long-term: Full deployment of PennKey authenticated network access on campus
  Hardware/Software (one-time): $1,000,000
Near-term: Implement two additional functions in PennKey network authentication of DHCP connections:
  • Vulnerability scan of machines as they connect to PennNet
  • Ability to block infected/vulnerable machines based on MAC address
  Hardware/Software: under evaluation
  Staff: under evaluation