Advanced Internet Bandwidth and Security Strategies Fred Miller Illinois Wesleyan University


Advanced Internet Bandwidth and Security Strategies

Fred Miller

Illinois Wesleyan University

Advanced Internet Bandwidth & Security Strategies

• How Illinois Wesleyan University:

– Minimizes copyright infringement notices

– Allows peer-to-peer computing

– Maintains sub-second web performance

– Mitigates denial of service attacks

– Identifies virus infections

– Controls illegal activities on the campus network

Advanced Internet Bandwidth & Security Strategies

• Layers of security

• Intrusion Detection

– Host based intrusion detection

– Network based intrusion detection

• Knowledge based

• Behavior based

• Bandwidth management & monitoring

• User education and enforcement

About Illinois Wesleyan University

• Liberal arts - 2100 students

– 1800 on-campus residents

• IT Resource limitations

– 16 IT Staff

– Voice, video, & data

• Environment

– 100mbps switched port per pillow

– 18mbps Internet connection

– No technology fee

– Some wireless

– LDAP authentication

Bandwidth & Security Strategies

• User Education (and results)

• Firewall & IP address policies

• Response Time Measurement

• Bandwidth Policies

• Monitoring and detection

• Redirection & quarantine

• Judicial procedures

• Future plans

User Education

• Computer Incident Factor Analysis and Categorization (CIFAC) Project

– IT personnel

• More education and training…

– Users

• More education and training…

– Non IT Staff

• More education…

– Networks

• More resources, more and better procedures…

User Education @ Illinois Wesleyan

• Freshman orientation

• Web site, portal & e-mail lists

• One on one training

• Help desk

• Assessment

• Our customers

– Novices

– “The Mistaken”

User Education - Results

Illinois Wesleyan DMCA Notices (chart: notices per month, 0 to 10, Sep-04 through Oct-05)

User Education - Results

Illinois Wesleyan - Web Redirects (chart: redirects per month, 0 to 130, Aug-04 through Oct-05)

Firewall & IP Address Policies

• No MAC registration (yet)

• DHCP

• All local 10.x.x.x IP numbers

• Ports blocked inbound, few outbound

• Restrict SMTP, SNMP, etc.

Response Time Measurement

• Library consortium RRDTOOL

• MRTG ping probe

• Packetshaper command: rtm sho


Bandwidth Policies Detail*

• Traffic classification

• Flow control

• Host lists

• Class licenses

*Command line vs. web interface

Traffic classification

• Classify in and out - hundreds of classes

• No changes for time of day

• Can block/restrict by IP#, port, or protocol

• Partitions and policies

• Peer to peer - low priority, typically 10k policy in, 1k policy out

• Gamers are a challenge


Flow control

• Limits the number of new flows per minute for client or server actions

Classification and Flow Control

• No auto-discovery, but all traffic classified

Host lists

• Groups of internal or external IP numbers using bandwidth rules

• Quarantine internal users

• Limit groups of high bandwidth servers

• Quickly block intruders

• Identify servers for additional priority


Class licenses

• Limit how many connections per class

• Know what’s typical and atypical

• Check for top bandwidth users

• Watch number of flows - active and failed

• Spot check

• Automation

• Community

Monitoring and Detection


Monitoring and Detection

• Know what’s typical & atypical

– sys heal

Monitoring and Detection

• Check for top bandwidth users

– Over time

• hos top sho /outbound

• host top sho /inbound

• host inf -sr -i

– Right now

• host inf -sr -n 10

Monitoring and Detection

• Watch number of flows - active and failed

– host inf -sf -n 10

– host inf -sp -n 10
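As an added illustration (not from the presentation and not PacketShaper code), here is a small Python check that applies the "typical vs. atypical" idea to the two signals the flow-control and failed-flow slides rely on: the peak number of new flows a host opens in a minute and its count of failed flows. The flow records and the thresholds are constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample records (not PacketShaper output), one per new flow:
# "HH:MM src_ip dst_ip dst_port status", where status is ok or failed.
SAMPLE_FLOWS = """\
10:00 10.1.2.3 192.0.2.10 80 ok
10:00 10.1.2.9 192.0.2.20 445 failed
10:00 10.1.2.9 192.0.2.21 445 failed
10:00 10.1.2.9 192.0.2.22 445 failed
10:00 10.1.2.9 192.0.2.23 445 failed
10:01 10.1.2.9 192.0.2.24 445 failed
10:01 10.1.2.3 192.0.2.12 80 failed
10:01 10.1.2.5 192.0.2.30 6881 ok
10:01 10.1.2.5 192.0.2.31 6881 ok
10:01 10.1.2.5 192.0.2.32 6881 ok
10:01 10.1.2.5 192.0.2.33 6881 ok
10:01 10.1.2.5 192.0.2.34 6881 ok
"""

def parse_flows(text):
    """Parse records into dicts, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        minute, src, dst, port, status = parts
        flows.append({"minute": minute, "src": src, "dst": dst,
                      "port": int(port), "status": status})
    return flows

def new_flows_per_minute(flows):
    """Peak count of new flows any single source opened within one minute."""
    per_minute = Counter((f["src"], f["minute"]) for f in flows)
    peak = defaultdict(int)
    for (src, _), n in per_minute.items():
        peak[src] = max(peak[src], n)
    return dict(peak)

def failed_flows(flows):
    """Failed flows per source; a long run of failures looks like scanning."""
    return Counter(f["src"] for f in flows if f["status"] == "failed")

def atypical_hosts(flows, flow_limit=4, failed_limit=3):
    """Sources over the per-minute new-flow limit or the failed-flow limit.
    The limits are assumed values; derive real ones from your own baseline."""
    peak, failed = new_flows_per_minute(flows), failed_flows(flows)
    return sorted(h for h in peak
                  if peak[h] > flow_limit or failed[h] > failed_limit)
```

The hosts returned by `atypical_hosts` are the candidates for a quarantine host list; the thresholds should come from the site's own observed baseline rather than the assumed defaults.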

Monitoring and Detection

• Spot check

– Overall (e.g., check tree)

• tr tr

– Individual classifications

• tr fl -tupIc /outbound/discoveredports/students

• tr his recent /inbound/multimedia/mpeg-video

– Individual machines (servers & clients)

• tr fl -tupIA 10.x.x.x

• tr his find 10.x.x.x

Monitoring and Detection

• Automation

– Rule sets: application and port rules

– E-mail notifications

– Identify & isolate violators

– Packetshaper Adaptive Response

– Snort

Monitoring and Detection

Automation - Packetshaper Adaptive Response

Monitoring and Detection

Automation - Packetshaper Adaptive Response

Monitoring and Detection

Automation - Snort

• By Martin Roesch

• Extensive rule sets

• Henwen & Letterstick = Snort GUI for Mac

Monitoring & Detection

Monitoring and Detection

Community - firewall log analysis

D-Shield Distributed Intrusion Detection System http://www.dshield.org/

D-Shield Academic http://dshield.infosecurityresearch.org/

SANS Internet Storm Center http://isc.sans.org

Computer Emergency Response Team http://www.cert.org

Redirection & Quarantine

• Soft quarantine

• Hard quarantine with redirect


Judicial Procedures

• Network disruption - logical disconnect

• RIAA notices - less than 1 per month

• Students referred to Associate Dean of Students for judicial processes

Future Plans

• Cisco ASA - firewall, VPN, intrusion detection

• More Adaptive Response

• More Snort

• 45mbps Internet

• NetReg?

• Clean Access?

– VLAN Quarantine

• Wireless authentication

Advanced Internet Bandwidth & Security Strategies

• Summary

– User education is key

– Need layers of security

– Bandwidth management & monitoring

– Intrusion detection and prevention

• Hosts and network

• More application level detection

• Support more community efforts

– Enforce policies with judicial procedures

Additional References…

• Packeteer Education e-mail list http://www.packeteer.com/prod-sol/stanford.cfm

• EDUCAUSE Intrusion Detection Resources http://www.educause.edu/Browse/645?PARENT_ID=661

• CIFAC Project Report (volume 1) http://www.educause.edu/LibraryDetailPage/666?ID=CSD4207

• Illinois Wesleyan IT Policies http://titan.iwu.edu/IT/policies/

• Snort http://www.snort.org

• Henwen & Letterstick http://seiryu.home.comcast.net/henwen.html