Advanced Internet Bandwidth and Security Strategies, Fred Miller, Illinois Wesleyan University
TRANSCRIPT
Advanced Internet Bandwidth & Security Strategies
• How Illinois Wesleyan University:
– Minimizes copyright infringement notices
– Allows peer-to-peer computing
– Maintains sub-second web performance
– Mitigates denial of service attacks
– Identifies virus infections
– Controls illegal activities on the campus network
Advanced Internet Bandwidth & Security Strategies
• Layers of security
• Intrusion Detection
– Host based intrusion detection
– Network based intrusion detection
• Knowledge based
• Behavior based
• Bandwidth management & monitoring
• User education and enforcement
About Illinois Wesleyan University
• Liberal arts - 2100 students
– 1800 on-campus residents
• IT Resource limitations
– 16 IT Staff
– Voice, video, & data
• Environment
– 100mbps switched port per pillow
– 18mbps Internet connection
– No technology fee
– Some wireless
– LDAP authentication
Bandwidth & Security Strategies
• User Education (and results)
• Firewall & IP address policies
• Response Time Measurement
• Bandwidth Policies
• Monitoring and detection
• Redirection & quarantine
• Judicial procedures
• Future plans
User Education
• Computer Incident Factor Analysis and Categorization (CIFAC) Project
– IT personnel
• More education and training…
– Users
• More education and training…
– Non IT Staff
• More education…
– Networks
• More resources, more and better procedures…
User Education @ Illinois Wesleyan
• Freshman orientation
• Web site, portal & e-mail lists
• One on one training
• Help desk
• Assessment
• Our customers
– Novices
– “The Mistaken”
User Education - Results
[Chart: Illinois Wesleyan DMCA Notices per month, Sep-04 through Oct-05; y-axis 0 to 10 notices]
User Education - Results
[Chart: Illinois Wesleyan - Web Redirects per month, Aug-04 through Oct-05; y-axis 0 to 130 redirects]
Firewall & IP Address Policies
• No MAC registration (yet)
• DHCP
• All local 10.x.x.x IP numbers
• Ports blocked inbound, few outbound
• Restrict SMTP, SNMP, etc.
Response Time Measurement
• Library consortium RRDTOOL
• MRTG ping probe
• Packetshaper command: rtm sho
Bandwidth Policies Detail*
• Traffic classification
• Flow control
• Host lists
• Class licenses
*Command line vs. web interface
Traffic classification
• Classify in and out - hundreds of classes
• No changes for time of day
• Can block/restrict by IP#, port, or protocol
• Partitions and policies
• Peer to peer - low priority, typically 10k policy in, 1k policy out
• Gamers are a challenge
Flow control
• Limits the number of new flows per minute for client or server actions
Classification and Flow Control
• No auto-discovery, but all traffic classified
Host lists
• Groups of internal or external IP numbers using bandwidth rules
• Quarantine internal users
• Limit groups of high bandwidth servers
• Quickly block intruders
• Identify servers for additional priority
Class licenses
• Limit how many connections per class
• Know what’s typical and atypical
• Check for top bandwidth users
• Watch number of flows - active and failed
• Spot check
• Automation
• Community
Monitoring and Detection
Monitoring and Detection
• Know what’s typical & atypical
– sys heal
Monitoring and Detection
• Check for top bandwidth users
– Over time
• hos top sho /outbound
• host top sho /inbound
• host inf -sr -i
– Right now
• host inf -sr -n 10
Monitoring and Detection
• Watch number of flows - active and failed
– host inf -sf -n 10
– host inf -sp -n 10
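The flow-control, class-license and "active and failed flows" checks above all reduce to the same per-client counting. The script below is an added example, not code from the talk or from Packeteer: it runs that logic over constructed sample flow records (assumed format: minute, client, server, port, bytes, ok/failed) and reports the top talkers and any client that bursts past a new-flow or failed-flow cap in a single minute, the pattern that usually marks a scanning or infected host.

```python
from collections import Counter, defaultdict

# Constructed sample flow records (not real campus data): minute, internal
# client, server, server port, bytes transferred, and whether the
# connection completed ("ok") or never got an answer ("failed").
SAMPLE_FLOWS = [
    ("2005-10-03 09:00", "10.1.2.3", "198.51.100.7", 80, 48_000_000, "ok"),
    ("2005-10-03 09:01", "10.1.2.3", "198.51.100.9", 80, 51_000_000, "ok"),
    ("2005-10-03 09:01", "10.1.7.4", "198.51.100.7", 443, 120_000, "ok"),
    ("2005-10-03 09:02", "10.1.7.4", "203.0.113.5", 25, 9_000, "ok"),
]
# One client opening 30 connections to consecutive addresses on port 445
# within a single minute, 27 of them failing: the kind of burst the talk's
# "active and failed flows" check is meant to surface.
SAMPLE_FLOWS += [
    ("2005-10-03 09:02", "10.1.5.9", f"203.0.113.{i}", 445, 0,
     "ok" if i % 10 == 0 else "failed")
    for i in range(1, 31)
]


def top_bandwidth_users(flows, n=3):
    """Rank internal clients by total bytes, like a 'host top' report."""
    totals = defaultdict(int)
    for _minute, client, _server, _port, nbytes, _status in flows:
        totals[client] += nbytes
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]


def flow_violations(flows, max_new_per_minute=20, max_failed_per_minute=5):
    """Clients that, in any single minute, exceed the new-flow cap (the
    talk's flow-control idea) or the failed-flow cap (a scan/worm sign).
    Returns {client: (new flows, failed flows)} for the client's worst minute."""
    new, failed = Counter(), Counter()
    for minute, client, _server, _port, _nbytes, status in flows:
        new[(client, minute)] += 1
        if status == "failed":
            failed[(client, minute)] += 1
    violators = {}
    for (client, minute), count in new.items():
        nfail = failed[(client, minute)]
        if count > max_new_per_minute or nfail > max_failed_per_minute:
            if count > violators.get(client, (0, 0))[0]:
                violators[client] = (count, nfail)
    return violators


if __name__ == "__main__":
    print("top talkers:", top_bandwidth_users(SAMPLE_FLOWS))
    print("flow-rate violators:", flow_violations(SAMPLE_FLOWS))
```

The thresholds are assumptions; in practice they come from the "know what's typical" baseline for each class and host list.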
Monitoring and Detection
• Spot check
– Overall (e.g., check tree)
• tr tr
– Individual classifications
• tr fl -tupIc /outbound/discoveredports/students
• tr his recent /inbound/multimedia/mpeg-video
– Individual machines (servers & clients)
• tr fl -tupIA 10.x.x.x
• tr his find 10.x.x.x
Monitoring and Detection
• Automation
– Packetshaper Adaptive Response: rule sets (application and port rules), e-mail notifications, identify & isolate violators
– Snort
Monitoring and Detection
• Automation - Snort
– By Martin Roesch
– Extensive rule sets
– Henwen & Letterstick = Snort GUI for Mac
Monitoring and Detection
• Community - firewall log analysis
– D-Shield Distributed Intrusion Detection System http://www.dshield.org/
– D-Shield Academic http://dshield.infosecurityresearch.org/
– SANS Internet Storm Center http://isc.sans.org
– Computer Emergency Response Team http://www.cert.org
Redirection & Quarantine
• Soft quarantine
• Hard quarantine with redirect
Judicial Procedures
• Network disruption - logical disconnect
• RIAA notices - less than 1 per month
• Students referred to Associate Dean of Students for judicial processes
Future Plans
• Cisco ASA - firewall, VPN, intrusion detection
• More Adaptive Response
• More Snort
• 45mbps Internet
• NetReg?
• Clean Access?
– VLAN Quarantine
• Wireless authentication
Advanced Internet Bandwidth & Security Strategies
• Summary
– User education is key
– Need layers of security
– Bandwidth management & monitoring
– Intrusion detection and prevention
• Hosts and network
• More application level detection
• Support more community efforts
– Enforce policies with judicial procedures
Additional References…
• Packeteer Education e-mail list
http://www.packeteer.com/prod-sol/stanford.cfm
• EDUCAUSE Intrusion Detection Resources http://www.educause.edu/Browse/645?PARENT_ID=661
• CIFAC Project Report (volume 1) http://www.educause.edu/LibraryDetailPage/666?ID=CSD4207
• Illinois Wesleyan IT Policies http://titan.iwu.edu/IT/policies/
• Snort http://www.snort.org
• Henwen & Letterstick http://seiryu.home.comcast.net/henwen.html