Phil Rodrigues, Sr Network Security Analyst, NYU ITS
Automated Policy Enforcement
November 12, 2004
Automated Policy Enforcement
NetReg Scan at UConn
NetAuth Working Group
NYU’s SafetyNet
Automated Policy Enforcement
NetReg Scan at UConn
UConn: Prelude
• During DefCon hundreds of Stealther
• Blaster and Welchia stressed the need
• Late August move-in
UConn: rpcscan
• Nessus was too slow, nasl did not exist?
• Developed by Keith Bessette and others
• Based on exploit code
• Fast scanner for one or many computers
UConn: NetReg Scan
• Developed by Mike Lang and others
• Forced rpcscan before it allowed access to NetReg
• If client failed, redirected to patch website
UConn: Lessons Learned
• Existing NetReg system was critical
• Ability to create code was essential (C, Perl)
• Making a scanner is hard, use someone else’s
• Good communication made for good neighbors
Automated Policy Enforcement
NetAuth Working Group
NetAuth: Brief History
• Educause / Internet2 Security Task Force
• Working group started in May 2004
• Draft whitepaper August 2004, me and Eric Gauthier (BU)
• “Strategies for Automating Network Policy Enforcement”
NetAuth: Common Classification
• Registration
• Detection
• Isolation
• Remediation
NetAuth: Registration
• Must have it!
NetAuth: Detection
• Active (nessus)
• Passive (netflow)
• Agent (commercial or home-grown)
• Interval (once vs on-going)
NetAuth: Isolation
• VLAN (homogeneous)
• IP (heterogeneous)
• Gateway (inline device)
NetAuth: Remediation
• Local
Static (website)
Dynamic (SUS)
• External (Windows Update)
Proxy (remember SSL)
Translation (routing issues)
Split-DNS (domain list)
NetAuth: Effective Practices Guide
• Looking for working examples of each category
Home-grown agent
VLAN isolation
Perfigo / Cisco
Bradford
IPS
etc
Automated Policy Enforcement
NYU’s SafetyNet
SafetyNet: High Level Goals
• Base it on successful systems
• Fairly self-sustaining
• Scalable for 11,000+ ResNet, and more!
• Practical implementation of NetAuth classification
SafetyNet: Initially Staff Intensive
• Security Analyst (did not do much…)
• Network Services management and staff (5 people)
• Consultant (scanning cluster and perl glue)
• Client Services and Publications
• NYU specific, but basic strategy should be portable
SafetyNet: Pre-Existing Structure
• Pre-existing ResNet registration system (1997!)
• BIND and ISC DHCPD v3
• Static assignment DHCP infrastructure
• perl glue
SafetyNet: Registration
• Client authentication against netid
• Housing lookup for room assignment
• SNMP verification of location
• If all that succeeds, start detection
SafetyNet: Detection
• Initial active external detection
• nmap and nessus / scanlite
• Limited plugin set
rpc-dcom / rpcss
messenger
lsass
• Perl glue to return consistent results
SafetyNet: Isolation
• IP DHCP-based isolation
• Had: Home-grown host management system
• Needed: Conversion to DHCPD v3
• Too many vendors and vintages for VLAN
SafetyNet: Remediation
• External dynamic NAT/Split-DNS remediation
• Based on Fairfield University’s system
• Private IP -> Split-DNS -> Cisco PBR -> PIX NAT
• Detailed support website
• Windows Update, Symantec LiveUpdate
• Self re-scan. If pass, assigned public IP
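The SafetyNet slides (Registration, Detection, Isolation and Remediation above) describe one pipeline: a host is registered only after NetID authentication, a housing lookup and an SNMP location check; it is then scanned with a small plugin set; a failing host gets a private address (and a split-DNS resolver) through the static-assignment DHCP infrastructure, and a passing re-scan moves it to a public address. The following is an added example, not NYU's own code (the deck says their glue was Perl; this re-creates the same flow in Python). The address ranges, NetID directory, housing table and the switch-port map that stands in for the SNMP lookup are all constructed for the example; the real NYU values are not on the slides.

```python
"""SafetyNet-style lifecycle: registration -> detection -> IP isolation -> remediation.

Added example, not NYU's code. All ranges and directory data below are
constructed stand-ins; the dhcpd stanzas follow the ISC dhcpd.conf host syntax.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional
import ipaddress

# Constructed ranges (TEST-NET-1 and an RFC 1918 block), not NYU's real ranges.
PUBLIC_POOL = ipaddress.ip_network("192.0.2.0/24")   # stands in for public ResNet space
PRIVATE_POOL = ipaddress.ip_network("10.99.0.0/24")  # remediation (quarantine) space
PUBLIC_DNS = "192.0.2.53"        # normal resolver
REMEDIATION_DNS = "10.99.0.53"   # split-DNS view: only the patch-site domain list resolves
RESERVED = {ipaddress.ip_address(PUBLIC_DNS), ipaddress.ip_address(REMEDIATION_DNS)}

# The limited plugin set the deck lists; any hit fails detection.
FAIL_ON = {"rpc-dcom", "rpcss", "messenger", "lsass"}

# Constructed stand-ins for NetID auth, the housing lookup and the SNMP location check.
NETIDS = {"abc123": "credential-placeholder"}
HOUSING = {"abc123": "Weinstein-412"}
SWITCH_PORT_ROOM = {("sw-weinstein-4", 12): "Weinstein-412"}  # (switch, port) -> room


class State(Enum):
    UNREGISTERED = "unregistered"
    PENDING_SCAN = "pending_scan"  # registered, detection not yet run
    REMEDIATION = "remediation"    # failed detection: private IP, split DNS
    CLEAN = "clean"                # passed detection: public IP


@dataclass
class Host:
    mac: str
    netid: Optional[str] = None
    room: Optional[str] = None
    state: State = State.UNREGISTERED
    ip: Optional[ipaddress.IPv4Address] = None


class SafetyNet:
    def __init__(self) -> None:
        self.hosts: dict[str, Host] = {}

    def register(self, mac: str, netid: str, credential: str,
                 switch: str, port: int) -> tuple[bool, str]:
        """Registration: NetID auth, housing lookup, location check; all must pass."""
        if NETIDS.get(netid) != credential:
            return False, "auth failed"
        room = HOUSING.get(netid)
        if room is None:
            return False, "no housing assignment"
        if SWITCH_PORT_ROOM.get((switch, port)) != room:
            return False, "location mismatch"
        host = self.hosts.setdefault(mac, Host(mac=mac))
        host.netid, host.room, host.state = netid, room, State.PENDING_SCAN
        return True, "registered; detection queued"

    def scan(self, mac: str, findings: list[str]) -> list[str]:
        """Detection glue: reduce raw scanner output to a consistent pass/fail,
        then move the host to the matching pool. Returns the failing plugin names."""
        host = self.hosts.get(mac)
        if host is None or host.state is State.UNREGISTERED:
            raise ValueError(f"{mac}: scan requested before registration")
        hits = sorted(FAIL_ON & {f.lower() for f in findings})
        if hits:
            self._move(host, State.REMEDIATION, PRIVATE_POOL)
        else:
            self._move(host, State.CLEAN, PUBLIC_POOL)   # re-scan passed: public IP
        return hits

    def _move(self, host: Host, state: State, pool: ipaddress.IPv4Network) -> None:
        if host.ip is None or host.ip not in pool:
            host.ip = self._allocate(pool)   # the old address is freed by being overwritten
        host.state = state

    def _allocate(self, pool: ipaddress.IPv4Network) -> ipaddress.IPv4Address:
        """Static-assignment model: lowest unused address in the pool."""
        used = {h.ip for h in self.hosts.values() if h.ip is not None} | RESERVED
        for candidate in pool.hosts():
            if candidate not in used:
                return candidate
        raise RuntimeError(f"pool {pool} exhausted")

    def render_dhcpd(self) -> str:
        """Emit ISC dhcpd host stanzas; the DHCP server itself carries no policy."""
        stanzas = []
        for h in sorted(self.hosts.values(), key=lambda h: h.mac):
            if h.ip is None:
                continue  # not yet scanned: no static entry
            dns = REMEDIATION_DNS if h.state is State.REMEDIATION else PUBLIC_DNS
            stanzas.append(f"host sn-{h.mac.replace(':', '')} {{\n"
                           f"  hardware ethernet {h.mac};\n"
                           f"  fixed-address {h.ip};\n"
                           f"  option domain-name-servers {dns};\n}}")
        return "\n".join(stanzas)


if __name__ == "__main__":
    net = SafetyNet()
    mac = "00:11:22:33:44:55"
    print(net.register(mac, "abc123", "credential-placeholder", "sw-weinstein-4", 12))
    print("failing plugins:", net.scan(mac, ["lsass", "ssh"]))   # quarantined
    print(net.render_dhcpd())
    print("failing plugins:", net.scan(mac, []))                 # self re-scan passes
    print(net.render_dhcpd())
```

Running the block shows the host first landing in the 10.99.0.0/24 remediation range with the split-DNS resolver, then moving to a public address after a clean re-scan; the routing and NAT steps on the slide (Cisco PBR, PIX NAT) key off the private range and are not modelled here.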
SafetyNet: Metrics
• 9,500 students through ResNet registration
• 1,000 found to be vulnerable (10%)
• 200 called Client Services (20%) (800 did not?)
• Order of magnitude rule
• 100 slipped through the cracks (1%)
• Less than 50 vulnerable at any time (0.5%)
Conclusions
• Well?
Links
http://www.security.uconn.edu/old_site/netregscan/
http://www.security.uconn.edu/old_site/uconn_response.html
http://security.internet2.edu/netauth/
http://security.internet2.edu/netauth/docs/draft-internet2-salsa-netauth-summary-02.html