Network Monitoring and Security Measures in Campus Networks
Network Startup Resource Center
These materials are licensed under the Creative Commons Attribution-NonCommercial 4.0 International license (http://creativecommons.org/licenses/by-nc/4.0/)
How we used to build networks
A long time ago
Mid 1990s
Today
Campus networks... aren't corporate networks
- The network exists to support the education and research activities of the university
- Having all resources behind a firewall doesn't scale very well, and it's not very useful

Top network performance issues (1)
- Bottleneck/exit point can't handle the traffic
  - Underpowered firewall for the task
  - Content inspection is computationally expensive
- Too many requests
  - Peer to peer? Virus?

Top network performance issues (2)
- Non-scalable network design
  - Switching instead of routing
  - As more clients are added, network performance within the campus degrades
    - Broadcasts increase
    - Risk of loops

Top network performance issues (3)
- NAT
  - NAT requires keeping track of every connection
  - Every packet requires an extra lookup
High Speed Network Performance
Non-scalable networks
- As capacity grows, it's increasingly difficult to police a network using firewalls
- Firewalls are often purchased with near-future usage patterns in mind, not long term
- Hardware and licensing is very expensive at high speeds (USD $500,000 / 10 Gb/s)
- Some end up turning off the more advanced features

Do firewalls help at all (1)?
- Active attacks and scans aren't as big a problem as they used to be
- End device security has gotten much better
  - Think Windows XP before and after SP2
  - Vendors now take patching seriously

Do firewalls help at all (2)?
- Most devices have their own firewall nowadays
- There is much more focus on securing end nodes and devices
- Application security is really what matters

Do firewalls help at all (3)?
- You will have compromises, hackers and viruses anyway
  - Users download malware and enable viruses to spread
- The best thing you can do is keep your systems and applications up to date and monitor your network!
Campus networks today!
[figure: Science DMZ]

Science DMZ (Ars Technica)
Network Management & Monitoring
Network Management & Monitoring
- Network management is the foundation that much of the security framework operates on
- Use managed equipment!
- Instrument your network to make it transparent
  - Traffic analysis
  - Logging
- These give you insight into what is happening on your network

Log management & analysis
- Many networks do not log output from their network equipment
  - Driving blind
- A large-scale DoS can be hard to distinguish from a network outage
  - L2 loop
- What does the network equipment say?

Log management & analysis
- Correlate logs from DHCP servers, authentication servers (RADIUS/LDAP) and equipment (switches, routers, access points), and you will have a pretty good idea who's doing what.
- Don't forget NTP (time synchronization)!

Traffic analysis
- Many tools available
  - SNMP
  - NetFlow (NfSen)
- Usage patterns give you an idea of what the baseline on your network is
- You need to be able to tell the difference between failures and anomalous behaviour
  - Is it an attack? A virus? BitTorrent?
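The "baseline versus anomaly" idea on the traffic analysis slide, as an added example (not code from the NSRC slides or from NfSen): per-source profiles are built from flow records and the current window is compared against an earlier baseline window. The flow records, host addresses and thresholds are all constructed for illustration; a real deployment would feed records exported from the collector and tune the thresholds against its own measured baseline.

```python
"""Traffic-baseline check over NetFlow-style records.

Added example, not part of the NSRC slides. It assumes flow records have
already been exported from a collector (e.g. nfdump/NfSen) into simple dicts
with src, dst, proto, dport and bytes fields; the thresholds below are
illustrative assumptions, not recommended values.
"""
from collections import defaultdict

# Illustrative thresholds (assumptions; tune against your own baseline).
SCAN_MIN_PEERS = 20      # one source touching this many hosts on <= 2 ports
P2P_MIN_PEERS = 15       # many peers on many distinct high destination ports
P2P_MIN_DPORTS = 10
HIGH_PORT = 1024
VOLUME_FACTOR = 10       # bytes grew by this factor over the baseline window


def flow(src, dst, dport, nbytes, proto="tcp"):
    """Build one flow record (constructed sample data)."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "bytes": nbytes}


def profile_hosts(flows):
    """Summarise each source host: bytes sent, distinct peers, distinct dst ports."""
    prof = defaultdict(lambda: {"bytes": 0, "peers": set(), "dports": set()})
    for f in flows:
        p = prof[f["src"]]
        p["bytes"] += f["bytes"]
        p["peers"].add(f["dst"])
        p["dports"].add(f["dport"])
    return prof


def classify(current, baseline):
    """Compare the current window to the baseline window and return findings.

    Returns a dict src -> list of labels; hosts with no finding are omitted.
    A 'volume-jump' is not proof of abuse (it may be a backup or a failure),
    which is exactly why the baseline is needed to tell the cases apart.
    """
    findings = defaultdict(list)
    for src, p in current.items():
        peers, dports = len(p["peers"]), p["dports"]
        high = [d for d in dports if d >= HIGH_PORT]
        # Horizontal scan / worm-like: many destinations, almost one port.
        if peers >= SCAN_MIN_PEERS and len(dports) <= 2:
            findings[src].append("scan-like")
        # P2P-like: many peers and many distinct high destination ports.
        elif peers >= P2P_MIN_PEERS and len(high) >= P2P_MIN_DPORTS:
            findings[src].append("p2p-like")
        # Volume jump measured against this host's own baseline window.
        base = baseline.get(src)
        if base and p["bytes"] >= VOLUME_FACTOR * base["bytes"]:
            findings[src].append("volume-jump")
    return dict(findings)


def sample_windows():
    """Constructed baseline and current flow windows (RFC 5737 addresses)."""
    base = [flow("10.0.1.10", "203.0.113.5", 443, 5_000_000),
            flow("10.0.1.40", "10.0.9.5", 22, 1_000_000)]
    cur = [flow("10.0.1.10", "203.0.113.5", 443, 6_000_000),
           flow("10.0.1.40", "10.0.9.5", 22, 50_000_000)]   # 50x its baseline
    # One host touching 40 neighbours on a single port.
    cur += [flow("10.0.1.20", f"10.0.2.{i}", 445, 300) for i in range(1, 41)]
    # One host talking to 30 peers on 30 different high ports.
    cur += [flow("10.0.1.30", f"198.51.100.{i}", 50000 + i, 20_000)
            for i in range(1, 31)]
    return base, cur


def run():
    """Classify the constructed current window against the constructed baseline."""
    base, cur = sample_windows()
    return classify(profile_hosts(cur), profile_hosts(base))


if __name__ == "__main__":
    for host, labels in sorted(run().items()):
        print(host, ", ".join(labels))
```

The three labels map onto the slide's question ("Is it an attack? A virus? BitTorrent?") only as hypotheses: the flagged host still has to be looked at, and the volume case in particular is as likely to be a legitimate transfer as abuse.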
Security Policies
- You might be thinking at this point...
  - What about P2P?
  - What about YouTube and video sites?
  - How do we limit bandwidth misuse?

Security Policies (2)
- Some issues do not have technical solutions
- Just because something isn't allowed (or not allowed all the time) doesn't mean it's necessarily enforceable
- This is where an Acceptable Use Policy comes into play
- But you must have the tools to document abuse

Security Policies (3)
- BAYU: Be Aware You're Uploading
- Rather than try to block P2P (it's very difficult), use monitoring to find out who is using your network
- If you have people on your network, you should know who they are (authentication)
- If you know who they are, you can send them an email

Security Policies (4)
- Make sure you have support from management
- The AUP should be part of university policy
- There must be consequences for violating the AUP
- Sometimes, knowing that there is monitoring in place is enough to make people think twice before acting against the AUP
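The log-correlation slide and the BAYU slide both come down to one lookup: "who was on this IP address at this time?". The following is an added example (not code from the NSRC slides) that answers it from DHCP and authentication logs. The log lines are constructed, modelled loosely on ISC dhcpd and FreeRADIUS syslog output; the hostnames, usernames, MAC addresses, switch names and the assumed year are all invented for the illustration. Because syslog timestamps from different boxes are compared directly, the lookup is only meaningful when every device is NTP-synchronised, which is the slide's reminder.

```python
"""Answer "who was on this IP at this time?" from DHCP and RADIUS syslog.

Added example, not part of the NSRC slides. The log lines are constructed,
modelled loosely on ISC dhcpd and FreeRADIUS syslog messages; the syslog
timestamp carries no year, so YEAR below is an assumption. All devices are
assumed to be NTP-synchronised: the lookup picks the latest event at or before
the query time, which is only correct if the clocks agree.
"""
import re
from datetime import datetime

YEAR = 2024  # syslog timestamps carry no year (assumption)

# Constructed DHCP server log: 10.0.1.30 is leased to one MAC in the morning
# and reassigned to another MAC in the afternoon.
DHCP_LOG = """\
Mar 10 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.1.30 to 00:11:22:33:44:55 via eth1
Mar 10 09:40:15 dhcp1 dhcpd: DHCPACK on 10.0.1.31 to 66:77:88:99:aa:bb via eth1
Mar 10 14:05:42 dhcp1 dhcpd: DHCPACK on 10.0.1.30 to 66:77:88:99:aa:bb via eth1
"""

# Constructed 802.1X authentication log: user, switch (NAS) and port per MAC.
RADIUS_LOG = """\
Mar 10 09:11:58 radius1 radiusd: Login OK: [alice] (from client sw-lib-1 port 12 cli 00-11-22-33-44-55)
Mar 10 09:40:10 radius1 radiusd: Login OK: [bob] (from client sw-lib-1 port 7 cli 66-77-88-99-AA-BB)
Mar 10 14:05:30 radius1 radiusd: Login OK: [bob] (from client sw-dorm-2 port 3 cli 66-77-88-99-AA-BB)
"""

SYSLOG_TS = r"(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d)"
DHCP_RE = re.compile(SYSLOG_TS + r" \S+ dhcpd: DHCPACK on (\S+) to (\S+) via")
RADIUS_RE = re.compile(SYSLOG_TS + r" \S+ radiusd: Login OK: \[(\S+)\] "
                       r"\(from client (\S+) port (\d+) cli (\S+)\)")


def parse_ts(text):
    """Parse a year-less syslog timestamp using the assumed YEAR."""
    return datetime.strptime(f"{YEAR} {text}", "%Y %b %d %H:%M:%S")


def norm_mac(mac):
    """Normalise aa-bb-cc-dd-ee-ff / AA:BB:... to lowercase colon form."""
    return mac.replace("-", ":").lower()


def parse_dhcp(text):
    """Return [(time, ip, mac)] from DHCPACK lines; other lines are ignored."""
    out = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            out.append((parse_ts(m.group(1)), m.group(2), norm_mac(m.group(3))))
    return out


def parse_radius(text):
    """Return [(time, mac, user, switch, port)] from Login OK lines."""
    out = []
    for line in text.splitlines():
        m = RADIUS_RE.match(line)
        if m:
            ts, user, switch, port, mac = m.groups()
            out.append((parse_ts(ts), norm_mac(mac), user, switch, int(port)))
    return out


def latest_before(events, when, key, value):
    """Most recent event at or before `when` whose field `key` equals `value`."""
    hits = [e for e in events if e[key] == value and e[0] <= when]
    return max(hits, key=lambda e: e[0]) if hits else None


def who_had_ip(ip, when, dhcp_events, radius_events):
    """Map an IP at `when` to its MAC and, if authenticated, user/switch/port."""
    lease = latest_before(dhcp_events, when, 1, ip)
    if lease is None:
        return None                      # no lease known before that time
    mac = lease[2]
    auth = latest_before(radius_events, when, 1, mac)
    if auth is None:                     # device on the network but never authenticated
        return {"mac": mac, "user": None, "switch": None, "port": None}
    return {"mac": mac, "user": auth[2], "switch": auth[3], "port": auth[4]}


def lookup(ip, when_text):
    """Run the lookup over the constructed logs; when_text like '2024-03-10 13:00:00'."""
    when = datetime.strptime(when_text, "%Y-%m-%d %H:%M:%S")
    return who_had_ip(ip, when, parse_dhcp(DHCP_LOG), parse_radius(RADIUS_LOG))


if __name__ == "__main__":
    for t in ("2024-03-10 13:00:00", "2024-03-10 15:00:00"):
        print(t, "10.0.1.30 ->", lookup("10.0.1.30", t))
```

The two queries resolve the same address to different people, which is the point of correlating at a timestamp rather than keeping a static IP-to-user table; a notification (the BAYU email) sent from the wrong side of the lease boundary goes to the wrong student.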
AUP
"All use of the network and computing facilities is monitored and recorded for the purposes of enforcing this AUP. Your use of university facilities implies that you consent to your activity being monitored... Failure to comply with this policy may result in your access to computing facilities being suspended or permanently withdrawn. It may also result in action being taken under the university disciplinary procedure, which could lead to expulsio
https://it.uoregon.edu/acceptable-use-policy
Tools
- NetFlow / NfSen
- Log collectors/aggregators (Logstash, fluentd)
- Log analysers: Tenshi, Swatch
- IDS: Snort, Bro

Discussion Points
- Who has the security hat?
- Policies for dealing with incidents
- How do firewalls work?
  - Firewalls should protect critical assets
  - Avoid the corporate mindset
  - ACLs to block the worst issues/traffic
- No such thing as a secure network
- Increase visibility in the network (remove NAT)
- Shaping and prioritization
- SSL/TLS, VPNs, evasion techniques