1 / 11

Infected Host Isolation via Packeteer PacketShaper

Infected Host Isolation via Packeteer PacketShaper. Ben Freitag Grand Valley State University freitagb@gvsu.edu. Step 1 – Detect the Infected Hosts. Cisco IDS Blade Firewall Flows/Server Connections Abnormal Traffic in the Packeteer Complaints from the outside world. Cisco IDS Blade.

dahlia
Download Presentation

Infected Host Isolation via Packeteer PacketShaper

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Infected Host Isolation via Packeteer PacketShaper Ben Freitag Grand Valley State University freitagb@gvsu.edu

  2. Step 1 – Detect the Infected Hosts • Cisco IDS Blade • Firewall Flows/Server Connections • Abnormal Traffic in the Packeteer • Complaints from the outside world

  3. Cisco IDS Blade • This is the preferred method • We use this as a passive monitor to look for infected hosts

  4. Firewall Flows/Server Connections • Manual scanning of the connections table in our PIX Blades • SMTP Related Virii show up in our mail queues • Looks like 148.61.253.182 has the Sasser worm:

  5. Abnormal Traffic in the Packeteer &Complaints from the outside world • These are ‘lucky catches’ – would prefer these were caught earlier • Packeteer Aspect usually only works with Auto Discovery

  6. Step 2 – Block the host • At the top of our Packeteer traffic-tree we have created a Folder & Small partition for Blocking. Within the folder we’ve created several classes depending on the type of violation. These classes have a never-admit policy that redirects them to an internal web-site.

  7. Step 2 (Continued) • The Hosts are tied to the classes via a Host Lists for each category: Virus, Abuse, Unauthorized Equipment & Other. • The additions can be made via CLI or via simple VB Application created for our Help Desk:

  8. The User Experience • When a ‘redirected host’ attempts to view a website off of GVSU’s network – they are greeted with a website similar to:

  9. The User Experience (Cont.) • From these websites they can request reactivation or are instructed to call the Help Desk for further assistance. • The Help Desk logs these incidents as Trouble Tickets and is separately tracking offending IPs - tying them to MAC address, student name etc.

  10. Problems • Can require an enormous amount of time – especially at the beginning of the school year. • Does not scale well • Not proactive – no real-time way to tie users to IPs.

  11. The Future • We are evaluating several appliances to provide Network Admission Control (NAC) services such as Perfigo (Cisco) & Blue Socket.

More Related