
NetPass and Northwestern

NetPass and Northwestern. By Julian Y. Koh As told by Robert Vance NUIT-Telecom & Network Services. Outline. A Brief History Past Tools and Solutions What is NetPass? How Does NetPass Work? What Will NetPass Become?. A Brief History. Pre-2003 Relatively few virus/worm outbreaks

sshoemaker

Presentation Transcript


  1. NetPass and Northwestern By Julian Y. Koh As told by Robert Vance NUIT-Telecom & Network Services

  2. Outline • A Brief History • Past Tools and Solutions • What is NetPass? • How Does NetPass Work? • What Will NetPass Become?

  3. A Brief History • Pre-2003 • Relatively few virus/worm outbreaks • Quickly contained • Slowly increasing frequency • And then……

  4. History - Winter 2003 • MS SQL Slammer Worm • Aggressive scanning on TCP Port 1434 • <30 infected hosts crippled over half the network • Still quickly contained

  5. History - Summer/Fall 2003 • Blaster Worm • Exploited DCOM RPC hole • Scanned on TCP port 135 • Welchia Worm • Patched Blaster DCOM hole • Scanned on TCP ports 135 and 80 • Opened backdoor port 707 • Aggressive ICMP pinging to find hosts

  6. History - Winter 2004 • Email Viruses • SoBig • Beagle • NetSky • Backdoors used for spam proxying!

  7. History - Spring 2004 • Sasser Worm • Exploited LSASS hole • Scanned on TCP port 445 • Gaobot/Agobot • Rise of the Botnet • IRC command/control channel • Scanned for previous worm backdoors • Denial of Service attacks swamp Internet connectivity

  8. Past Tools and Solutions • Turning Off Ports • Disruptive to users • No easy self-fixing or information provided • Machine can move • Disabling NetIDs • Very disruptive

  9. Past Tools and Solutions • NUSA • Allowed tech support admins to receive automated reports and reactivate ports • NetReg • Associated NetID with MAC address via DHCP • Rudimentary port scanning

  10. Limitations of NetReg • Relied on DHCP for quarantining • Still had to shut off ports • Problem machines could move ports to regain connectivity

  11. What is NetPass? • Layer 2 quarantine • Selective access • Host-based registration • Associate NetID with MAC address • Vulnerability/Infection scanning • Per-event per-network self-remediation instructions • Integration with other systems

  12. How Does NetPass Work? • General Principles • All ports default to QUAR network • Same DHCP server, DNS server, and IP addresses for QUAR and UNQUAR networks • Traffic routing depends solely on QUAR/UNQUAR switch port assignment • Access allowed to certain Web sites • Windows Update, Symantec, etc.

  13. NetPass Network Diagram [figure not reproduced; labels in the diagram: NetPass Server, Internet, ResNet Computer, External IP, DHCP Server, Router, Switch, QUAR (VLAN 100), UNQUAR (VLAN 200); addresses shown: 165.124.51.8, 199.74.105.23, 199.74.105.1]

  14. NetPass User Experience [flowchart not reproduced; boxes in the chart: User Connects, Already Scanned?, Log In, Scan, Pass Scan?, Remediate, Move to QUAR, Move to UNQUAR, User Disconnects]

  15. Additional Capabilities • PQUAR - Permanent Quarantine • Used instead of shutting off ports • PUNQUAR - Permanent Unquarantine • Used for manually registered devices

  16. Interesting Situations • Cookies required • Machine must source network traffic soon after bringing up Ethernet link • Effect: user must launch web browser to force NetPass to recognize the machine • Firewalls • Scan can take up to 1 minute

  17. Interesting Situations • Hublet/Switchlet • NetPass sees multiple MAC addresses • All MAC addresses will have to be registered before port will be moved to UNQUAR • Router or NAT device • NetPass will only see 1 MAC address • If client machines move to other ports, they will have to be scanned again

  18. NetPass Administration • https://netpass.ittns.northwestern.edu/Admin/ • Must connect to VPN from dorms first • All Rescons and SC cons should have access to QuarControl and Manual Registration • Note: with great power comes great responsibility! • Remember to log out!!!

  19. NetPass Futures • Snort IDS integration • Automatic QUAR on suspicious network traffic • Software client integration • More accurate than external scanning • Eliminates firewall problem

  20. Questions? • netpass@ittns.northwestern.edu • kohster@northwestern.edu • http://www.nessus.org/ • http://www.squid.org/ • http://www.it.northwestern.edu/student-support/netpass/
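The port-assignment rules from slides 12, 15 and 17, written out as an added example (not NetPass's own code): a port defaults to QUAR, and moves to UNQUAR only when every MAC address seen on it is registered and has passed its scan. The `Host` record, `decide_port` function and sample registry are hypothetical, and the precedence of PQUAR over everything else is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

QUAR, UNQUAR = "QUAR", "UNQUAR"

@dataclass
class Host:
    netid: Optional[str] = None     # NetID registered for this MAC, if any
    passed_scan: bool = False       # result of the last vulnerability scan
    override: Optional[str] = None  # "PQUAR", "PUNQUAR" or None

def decide_port(macs_seen: Iterable[str],
                registry: Dict[str, Host]) -> Tuple[str, List[str]]:
    """Return (vlan, blocking_macs) for one switch port."""
    macs = sorted({m.lower() for m in macs_seen})
    if not macs:
        # Nothing has sourced traffic yet: the port stays in its default VLAN.
        return QUAR, []
    # A MAC the registry has never seen counts as unregistered and unscanned.
    hosts = {m: registry.get(m, Host()) for m in macs}
    # Assumption: one permanently quarantined host pins the whole port.
    pquar = [m for m, h in hosts.items() if h.override == "PQUAR"]
    if pquar:
        return QUAR, pquar
    # Hublet/switchlet rule: every MAC must be registered and clean,
    # unless it is a manually registered (PUNQUAR) device.
    blocking = [m for m, h in hosts.items()
                if h.override != "PUNQUAR"
                and not (h.netid and h.passed_scan)]
    return (QUAR, blocking) if blocking else (UNQUAR, [])

# Constructed sample registry, keyed by lower-case MAC address.
REGISTRY = {
    "00:11:22:33:44:0a": Host("abc123", True),             # registered, clean
    "00:11:22:33:44:0b": Host("def456", False),            # failed its scan
    "00:11:22:33:44:0c": Host(override="PUNQUAR"),         # e.g. a printer
    "00:11:22:33:44:0d": Host("ghi789", True, "PQUAR"),    # admin quarantine
}

if __name__ == "__main__":
    ports = {
        "single clean host": ["00:11:22:33:44:0A"],
        "hublet, one host failed": ["00:11:22:33:44:0a", "00:11:22:33:44:0b"],
        "hublet, unknown MAC": ["00:11:22:33:44:0a", "00:11:22:33:44:ff"],
        "link up, no traffic": [],
    }
    for label, macs in ports.items():
        print(label, "->", decide_port(macs, REGISTRY))
```

Behind a router or NAT device only one MAC address reaches `decide_port`, so the clients behind it are never evaluated individually, which is the blind spot slide 17 describes.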
