Moving at the Speed of Creativity by Wesley Fryer

Protecting school networks against attacks (Mike Pennell with NewNet66)

These are my notes from a network security presentation by Mike Pennell of NewNet66 in Oklahoma. I shared a brief overview for attendees and then turned over this presentation to Mike. I am recording this as an audio podcast and will post this subsequently in several parts. These are my notes from part 1 of Mike’s presentation.

We are in a BIG TIME war in network operations
– at the NewNet66 core, we take over 1 million attacks per day

What are the risks?

viruses and worms are not nearly as bad as they were; social engineering, now via phishing, is getting VERY ugly
– spyware
– viruses
– worms
– trojans
– backdoors
– root kits
– malware
– phishing
– email attachments
– spam with www links
– spyware

attacks can come from inside or outside
– in the past, most people thought they needed to protect themselves mainly from the bad guys on the outside
– now there are multiple entry points
– like shoplifting: 75% comes from the inside (shrink)
– in this network world, it is more like 95%
– so you need to watch your people

Implementing network security is not a “fire and forget” solution
– have to watch it every day
– network attacks are ever changing and must be closely monitored resulting in security changes to your network

Use hardware solution

How the bad guys work and why
– graphic that shows what a teacher doesn’t know
– teachers or students don’t have to be going somewhere bad for bad things to happen
1- when they go out and get something from a computer somewhere, could be the Pacific Rim or elsewhere (50% of malware attacks now come from the Pacific Rim)
2- when that packet comes back (which WAS requested by the user) but it also has a backdoor or keylogger
3- Then that malware transmits data to the bad guys
4- that leads to withdrawing $$$

The bad guys might make 10,000 transactions per month on 10,000 different bank accounts
– do the math!
– this is a lucrative business!
– so MONEY is now driving a great deal of what we see happening with network security

Identity Theft is the #1 problem
– it is so bad out there, higher ed is REAL bad
– lots of stories, anecdotes, credit card numbers
– what you don’t want is have KEYSTONE PUBLIC SCHOOLS show up on the Tulsa World News headlines that the district’s Wave server is now owned by the bad guys

Tools that protect your network
– I’ll show you tools we use, there are 100s of ways to skin this cat
1- Intermapper is our primary tool: network monitoring software, what we use to identify network anomalies, track bandwidth, alert us when critical network devices are down or in error status. InterMapper’s job is to “alert” you to network problems and anomalies

2- Juniper NetScreen Firewalls

3- 3Com TippingPoint 50 Intrusion Prevention appliance. This device will block and report on all network threats including spyware

There is NOT a single solution that will protect your network from the bad guys. It takes at least 2 hardware network devices to offer the level of protection required by K12.

Understanding Internet Bandwidth Usage (1)
– Intermapper really opens up some windows of learning for people
– MONITORING YOUR BANDWIDTH is one of the most important tools you can use in securing your network! If you monitor the utilization of your link to the Internet you will see trends about your school’s network activity. Each school has its own personality.
– the use of network monitoring is the first step in securing your network and will raise a lot of questions you should get answers to

Graph of normal bandwidth utilization on a weekend

Contrast to incoming and outgoing data during the week when school is in session
– for a single T-1 line, you’ll see about a 30% utilization change for a 384 kbps duplex connection

Graph of Abnormal bandwidth utilization
– what information is going “out” of the network on the weekend?
– who is it, what is it, why is it, and what data are they getting

Do you know where everything LIVES on your network?

We tell our schools to kill 3rd party email generally
– put rules on the firewall that block outgoing port 25 (SMTP)
– it is getting harder and harder to get off the blacklist

Was a state dept of ed guy that encouraged everyone to look at server logs every day
– he was right, but you need to look at firewall logs too
– example of 1 am attack from India on a school yesterday
– what about on the INSIDE?
– we can see in this example computers on our network going out trying to visit Buenos Aires, Rogers Cable in Ontario, Canada, and Belgium in the middle of the night
– those are all suspect connections
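As an added example (not from the presentation or NewNet66) of the two checks just described, this script walks a handful of constructed firewall log lines and flags outbound sessions from the LAN that happen at night or on a weekend, plus any outbound SMTP from a host other than the mail relay; the log format, the 10.0.0.0/8 range and the 10.0.0.25 mail relay are assumptions.

```python
# Added example, not from the presentation: review constructed firewall log
# lines for outbound sessions that merit a second look (off-hours traffic and
# SMTP from hosts other than the mail server). Addresses and format are assumed.
from datetime import datetime
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")      # assumed school LAN range
MAIL_SERVER = ip_address("10.0.0.25")    # assumed district mail relay
NIGHT_HOURS = set(range(22, 24)) | set(range(0, 6))

def parse_line(line):
    """Parse 'YYYY-MM-DD HH:MM:SS src=IP dst=IP dport=N' (constructed format)."""
    stamp, rest = line[:19], line[20:]
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return (datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            ip_address(fields["src"]), ip_address(fields["dst"]), int(fields["dport"]))

def review(lines):
    """Return (timestamp, src, dst, dport, reason) for each suspect outbound session."""
    findings = []
    for line in lines:
        ts, src, dst, port = parse_line(line)
        if src not in INTERNAL or dst in INTERNAL:
            continue                          # only LAN -> Internet sessions
        reasons = []
        if port == 25 and src != MAIL_SERVER:
            reasons.append("outbound SMTP from a non-mail host")
        if ts.weekday() >= 5 or ts.hour in NIGHT_HOURS:
            reasons.append("outbound session outside school hours")
        for reason in reasons:
            findings.append((ts.isoformat(" "), str(src), str(dst), port, reason))
    return findings

# Constructed sample lines (not real traffic); 2007-03-03 was a Saturday.
SAMPLE = [
    "2007-03-01 10:15:02 src=10.0.3.14 dst=198.51.100.7 dport=80",  # weekday, normal
    "2007-03-01 01:07:44 src=10.0.3.88 dst=203.0.113.9 dport=443",  # 1 am outbound
    "2007-03-03 14:20:10 src=10.0.4.2 dst=192.0.2.55 dport=6881",   # Saturday outbound
    "2007-03-01 10:16:30 src=10.0.0.25 dst=192.0.2.10 dport=25",    # mail relay, fine
    "2007-03-01 10:17:05 src=10.0.3.14 dst=192.0.2.10 dport=25",    # workstation SMTP
    "2007-03-01 10:18:00 src=198.51.100.7 dst=10.0.3.14 dport=80",  # inbound, ignored
]

if __name__ == "__main__":
    for when, src, dst, port, reason in review(SAMPLE):
        print(f"{when} {src} -> {dst}:{port}  {reason}")
```

Each flagged line is a question to chase down (who is the host, what is it talking to, why at that hour), not a verdict by itself.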

KNOW WHERE EVERYTHING LIVES
– if you don’t, you can’t chase the bad guys down
– I don’t like DHCP, but you can look at those server logs if you are managing your DHCP server

When I get up in the morning, the first thing I look at is bandwidth

Understanding Internet Bandwidth during the day, where some usage is masked by other traffic
– red outbound traffic is often due to spyware and peer-to-peer file sharing

Intrusion detection and prevention
– we like the TippingPoint Unity 50
– that is probably the biggest home run we’ve found in a long time
– we look for devices that are powerful and easy to use
– example of malware “Gator” phoning home on port 80 (and many firewalls miss that because it is port 80)
– so the Tipping Point box catches that, where the firewall does not

What can be going on
– YouTube can be a bandwidth hog, PhotoBucket is a disease
– but there are thousands of machines with PhotoBucket on them

MY QUESTION: HOW CAN WE THROTTLE AND MANAGE BANDWIDTH FOR SPECIFIC APPLICATIONS?

In the TippingPoint box, you can create a filter that, for instance, when a student tries to go to MySpace quarantines the box from Internet access for 3 minutes and presents them with a browser message

What you can do to protect your network?
– use strong passwords: a strong password is a combination of six or more letters, numbers, and symbols that are NOT a word or common phrase. This is the most abused security practice.
– We feel it is best to use Internet Explorer for those websites that require it (i.e. PeopleSoft) and use a different browser for all other web activity. The Internet Explorer web browser that comes with MS Windows seems to have a new security flaw almost every month. While you apply patches for these flaws as quickly as possible, the use of Mozilla’s Firefox is a very good alternative offering increased security. Firefox is free and can be downloaded at http://download-firefox.org
– Educate your staff about network security risks: NewNet66 has a very good document on our website which your staff can review (PDF) – Support site: www.newnet66.org/Support/
– Secure wireless access points
– Get a firewall and manage it.
– Get an Intrusion detection and Prevention hardware device and manage it
– Create, implement and enforce network use policies.
– Don’t allow the use of 3rd party email
– Don’t allow Peer-to-Peer file sharing on your network. This is very popular with students and is a severe security risk
– Lock down your Student Information Systems and WAVE servers
– Get rid of Windows98 workstations.
– Apply software patches to your servers and workstations as soon as they are available
– Be proactive about network security

As an administrator GET INVOLVED with the security of your school’s network. If you farm it out to a vendor, get the security procedures documented. Ask a lot of questions and try to understand the basics. At the end of the day you don’t need to know it all, but you do need to know what questions to ask, and in the end you are responsible!

[THIS PRESENTATION IS BEING CONTINUED AFTER LUNCH]


One response to “Protecting school networks against attacks (Mike Pennell with NewNet66)”

  1. Tom Hoffman

    Amusing that not using Windows is not a recommendation.