SC04 Network Security Wrap-Up
Version 3

Role of Network Security in SCinet
ISP role in protecting the network:
(1) Protect the network infrastructure
(2) Protect the Internet from SCinet
(3) Help exhibitors and attendees
Testbed for new tools, techniques, and systems

SCinet network architecture
Simple campus architecture routed via Juniper T640, T320 and Cisco 6509
Bandwidth Challenge 10G participants given connectivity via Force10
WAN connections
OC3 commodity Internet service via Qwest
16 OC192 links (NLR, ESnet, Abilene, TeraGrid, etc.)
1 OC768 link to PSC
Wireless architecture (free/open system)
Integrated wireless system by Trapeze
Wired conference network to every meeting room
Argonne address space (140.221.128.0/17)

SCinet security team
Timothy Toole - Sandia
Stephen Lau - NERSC/LBL
Jim Hutchins - Sandia
Scott Campbell - NERSC/LBL
Bill Nickless - PNNL
Tim Witteveen - PNNL
Roger Winslow - NERSC/LBL
Patrick Stevens - Sandia

Network Security Features
Three primary IDS systems
Mon, Bro, Snort
Cisco port mirroring
Packet Engines GigE Hub & NetOptics splitters
RST responder, Desuckit application, SYN-ACK responder
Password display
MAC address blocking on wireless
Experimental
Flo, OSX, AMD64 Opteron, Xyratex RAID system, S2IO 10GigE NICs

Expectations
Whack-a-mole game with worms (wired and wireless)
Expect a handful of successful intrusions (requiring clean-up)
Cluster/HPC systems are likely targets
Valuable information provided by FBI
Expect to see outbound TCP 53 and 55
Expect other 'phone-home' mechanisms (botnets)

Worm infections (approx. 35)
Never really attempted to identify the exact signature
Locating the infected device takes time, especially on DHCP wireless
Repeat offenders
Tried shunning in the Trapeze system, but it took time to implement (mainly because only one individual had access)
Shunning induced load through AP association requests
Much success in responding with SYN-ACKs and window sizes of zero
Significantly slowed down the infected host
Need a good, security-conscious Windows administrator to help repair systems
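How the zero-window SYN-ACK response slows a scanning host, as an added example (this is not the team's SYN-ACK responder or Desuckit code): the infected host's SYN is answered with a SYN-ACK that advertises a receive window of zero, so its connect() succeeds but it can never send the exploit payload and sits probing a window that never opens, which is what ties up the worm's scanning thread. The block below uses only the Python standard library, builds the IPv4 and TCP headers by hand with correct checksums, and derives the response from a constructed SYN. The addresses, ports and fixed ISN are constructed test values; actually transmitting the frame would need a raw socket and is left out.

```python
import socket
import struct
from typing import Optional

# TCP flag bits (RFC 793)
TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10
IPPROTO_TCP = 6


def _checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words, padded to even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int,
                 seq: int, ack: int, flags: int, window: int) -> bytes:
    """Minimal IPv4 header plus a 20-byte TCP header with valid checksums (no options, no payload)."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20
    # version/IHL, TOS, total length, ID, DF flag, TTL, protocol, checksum placeholder, addresses
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, 64,
                         IPPROTO_TCP, 0, src_b, dst_b)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    # sport, dport, seq, ack, data offset (5 words) + flags, window, checksum placeholder, urgent
    tcp_hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, IPPROTO_TCP, tcp_len)
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", _checksum(pseudo + tcp_hdr)) + tcp_hdr[18:]
    return ip_hdr + tcp_hdr


def parse_packet(pkt: bytes) -> dict:
    """Pull the fields the responder needs out of an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", pkt[ihl:ihl + 16])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window}


def checksums_ok(pkt: bytes) -> bool:
    """Recomputing a correct checksum over header plus checksum field yields zero."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, IPPROTO_TCP, len(tcp))
    return _checksum(pkt[:ihl]) == 0 and _checksum(pseudo + tcp) == 0


def tarpit_response(pkt: bytes, our_isn: int = 0x5C1E7000) -> Optional[bytes]:
    """Answer a pure SYN with a SYN-ACK whose window is 0.

    Anything else (the handshake ACK, RSTs, the host's later zero-window probes, non-TCP)
    gets no reply, so the responder never holds real state. The probing host backs off
    until its own retry limit aborts the connection; a full tarpit would also answer the
    probes with zero-window ACKs to hold it indefinitely, which is left out here."""
    p = parse_packet(pkt)
    if p["proto"] != IPPROTO_TCP or (p["flags"] & (TCP_FIN | TCP_SYN | TCP_RST | TCP_ACK)) != TCP_SYN:
        return None
    return build_packet(src=p["dst"], dst=p["src"], sport=p["dport"], dport=p["sport"],
                        seq=our_isn, ack=(p["seq"] + 1) & 0xFFFFFFFF,
                        flags=TCP_SYN | TCP_ACK, window=0)


if __name__ == "__main__":
    # Constructed sample: infected 10.0.0.5 probing TCP/445 on 10.0.0.9 (test addresses)
    syn = build_packet("10.0.0.5", "10.0.0.9", 40000, 445, seq=1000, ack=0, flags=TCP_SYN, window=65535)
    print(parse_packet(tarpit_response(syn)))
```

Because the responder only ever answers bare SYNs and keeps no per-connection state, it can be pointed at unused address space or at the ports a worm scans without risk of being drawn into a reply loop with another stateless responder.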

Intrusions
11/07 @ 09:00 SCinet rental desktop
Very poorly configured by the PC vendor
11/08 @ 11:53 VendorW booth (Linux cluster)
Brute-forced SSH password; outbound FTP and IRC
11/10 in the AM
MSSQL with null sa password
11/11 @ 08:25 & 08:36 VendorX and BoothY (Linux systems)
Brute-forced SSH password; rootkit identified
11/11 @ 10:21-15:07 VendorZ (Windows laptop)
Windows file-sharing exploit (exact vector not determined); became an FTP server

Intrusion Summary
At least 1 compromised system to deal with per day
Windows boxes are low-hanging fruit on the open Internet
Weak passwords are also low-hanging fruit on the open Internet
Script-kiddie Romanians are a pain to deal with, but somewhat entertaining
Need someone good at explaining the problem to the customer (definition of 0wn3d)

Lessons learned
Intrusions were caught by good judgment
Need to factor in 2x to 3x the expected amount of time to get things done
if (BitTorrent && Wireless) { wireless.usability = crap; }
Users not courteous on wireless
500(?) users associated in an empty exhibit hall
RF interference, rogue APs, mis-configured laptops, and old drivers cause wireless problems
Never got a good data stream to adequately test the 10GbE cards or application(s)
Not sure how to educate this particular community on good practices
Outbound IRC ports made it easy to pick up suspicious traffic
Don't confuse GPFS with IRC
Need IPv6 IDS, since we have some native v6 links
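The outbound-IRC signal and the GPFS false positive above, as an added example (this is not the team's Bro or Snort configuration): the check looks at what the client actually sends, IRC registration commands from RFC 1459/2812, rather than only the destination port, so a bot reaching its channel on a non-standard port is still caught, while a legitimate binary service whose port falls in the IRC range is demoted to a review item instead of an alert. The address space is the one the slides give; the IRC port list and the sample flows (RFC 5737 test addresses, invented bot nicknames, and a generic binary stand-in for the legitimate application; none of it is taken from GPFS) are constructed assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Conference address space, from the slides.
SCINET = ipaddress.ip_network("140.221.128.0/17")
# Assumption: the ports a port-only rule would watch for IRC.
IRC_PORTS = set(range(6660, 6670)) | {7000}
# Client-side IRC registration and channel commands, one per CRLF-terminated line.
IRC_CMD_RE = re.compile(rb"^(NICK|USER|PASS|JOIN|PRIVMSG|MODE) [^\r\n]+\r\n", re.MULTILINE)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    client_bytes: bytes   # first payload bytes sent by the client side


def looks_like_irc(payload: bytes) -> bool:
    """Two or more distinct IRC client commands in the opening lines.

    A single hit is not enough: FTP and POP3 also send a lone 'USER' or 'PASS' line."""
    cmds = {m.group(1).upper() for m in IRC_CMD_RE.finditer(payload)}
    return len(cmds) >= 2


def classify(flow: Flow) -> str:
    """'irc'       = outbound IRC on the wire: alert, whatever the port
       'port-only' = outbound to an IRC port but no IRC protocol seen: review, do not page
       'ignore'    = not outbound, or neither indicator"""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if not (src in SCINET and dst not in SCINET):
        return "ignore"
    if looks_like_irc(flow.client_bytes):
        return "irc"
    if flow.dport in IRC_PORTS:
        return "port-only"
    return "ignore"


def triage(flows: List[Flow]) -> List[Tuple[str, Flow]]:
    """Return only the flows worth a human's time, real IRC first."""
    hits = [(classify(f), f) for f in flows]
    hits = [h for h in hits if h[0] != "ignore"]
    return sorted(hits, key=lambda h: h[0] != "irc")


# Constructed sample flows (outside hosts use RFC 5737 test addresses).
SAMPLE_FLOWS = [
    # bot registering with its command-and-control channel on a standard IRC port
    Flow("140.221.130.17", "203.0.113.5", 6667,
         b"NICK [x]bot-0045\r\nUSER x 0 * :x\r\nJOIN #ctrl\r\n"),
    # same bot behaviour moved to a non-IRC port: the payload still gives it away
    Flow("140.221.130.18", "203.0.113.5", 8080,
         b"NICK [x]bot-0046\r\nUSER x 0 * :x\r\n"),
    # legitimate binary application that happens to use a port in the IRC range
    Flow("140.221.140.9", "198.51.100.7", 6667,
         b"\x00\x00\x00\x1c\x00\x01\x00\x00" + b"\x00" * 20),
    # chat between two conference hosts: not outbound, so not this rule's concern
    Flow("140.221.130.17", "140.221.200.2", 6667,
         b"NICK alice\r\nUSER alice 0 * :alice\r\n"),
]


if __name__ == "__main__":
    for verdict, flow in triage(SAMPLE_FLOWS):
        print(f"{verdict:9s} {flow.src} -> {flow.dst}:{flow.dport}")
```

The same two-signal layout carries over to a Bro policy or a Snort rule with content matches: keep the port match as a low-priority notice and let the protocol match drive the alert, so a port collision like the GPFS case costs a glance rather than a booth visit.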

Future projects
SCinet05 network architecture and its impact on network security
10GbE IDS/Monitoring systems
BPF/PCAP/IP/TCP on a 1/10Gig card
Visualization
Netflow analysis (help from CERT)
User education?