The purpose of this article is to present a list of measures practised to secure campus networks and to give examples wherever possible. Some
standards in use are also mentioned. Even though many of these standards are of a general nature, it is important that the work of establishing
the infrastructure has been completed before they are applied.
Campus Network Security
Networks without a policy text cannot be managed, and providing security to an unmanageable network is unthinkable. Hence, all security measures
taken and implementations applied will be void without a written policy. The first thing to do is to establish a network usage policy, including
a security policy, and carry out the related tasks.
Campus security starts at the borders, very much like that of a country. We ought to be ready for any assault that may come across our borders.
Well, is determining campus borders as difficult as defining the borders of a country? Yes: campus borders are made up of several points.
Campus borders are not composed only of external connections. It is appropriate to include remote connections and modems, RAS and finally
Wi-Fi connections among them. Unfortunately, these connections make the campus prone to becoming an attack source and/or target.
All these connections must be handled and examined separately. Basically, it must be borne in mind that the policy implemented at the border
router also applies in these cases. Furthermore, some annexes will have to be added to these policies.
Regrettably, the direction of security threats has changed lately due to the increasing use of portable devices. For this reason all portable
devices should be defined as being outside the borders, not inside them, and policies should be developed accordingly.
System security forms an inseparable component of network security. Many security firms have recently started to devise PC-based solutions. At the
same time, Windows systems have started to ship with a built-in firewall. It must be compulsory for such systems to have a firewall and a
virus protection tool. In fact some suppliers produce software that makes these mandatory before a network connection is granted.
ICMP (Internet Control Message Protocol) must be restricted. This restriction must not cover every aspect of ICMP; some message types (Echo Reply,
Destination Unreachable, Echo Request etc.) should be permitted. ICMP must also be shaped by QoS parameters.
All unused protocols other than IPv4 should be blocked. Specifically, the newly released IPv6 must be blocked, since this protocol causes many
security breaches/gaps. Similarly, any type of multicast traffic should be stopped or at least kept under control. Although there are various types of
multicast traffic (http://en.wikipedia.org/wiki/Multicast), the most well-known one is IP multicast.
Some common attacks may be listed as follows:
Application-based attacks; e-mail applications are a good example. These applications carry the threat of Trojans and viruses.
Denial of Service (DoS) attacks; the attacker floods the target with false requests. If the attack is carried out by more than one attacker it is
called Distributed DoS (DDoS). During these attacks the server will be too overloaded to serve legitimate demand and there will be a service outage.
IP spoofing; this is used to conceal the source by changing the IP addresses written in the packets. Thus, security measures built on
layer-3 IP addresses are evaded.
Password attacks; these attacks are executed to get hold of passwords used for accessing a network. One of these methods of attack is performed
by using a dictionary.
All users who have been given security restrictions on the basis of IP addresses, user codes or MAC addresses must be informed accordingly.
This can be done by a web page as well as by e-mail messages or telephone.
Finally, all the security measures implemented must not interfere with the use of the network. That is, the network must remain an efficient one. A very
secure network that no one can make use of is meaningless. Therefore, there must be a balance between security and usability for a network.
System of Management
Components such as syslog, user authentication, single-use passwords, keeping a record of configurations, system authorisation, and tools for
identifying and blocking attacks make up the management system.
It is imperative that all devices are centrally managed. If possible, setting up a separate network for access to all these devices would be
appropriate. It is also necessary to keep track of the operation of these devices and the services they provide. There is free software (snips,
nagios, etc.) for this purpose as well as commercial products.
The incoming information should be gathered on a network management server (NMS) and reviewed. Keeping logs meticulously is essential, and they must
be retained and checked regularly, and immediately if the need arises. Scripts may be written to keep track of logs, so that intervention can become
rapid. For instance, the attempts of an attacker making a dictionary attack can be identified instantly by means of the logging mechanisms, and the
informed operators can take measures in time. Even though syslog performs this task efficiently, the syslog-ng application is more useful for such tasks.
This application is UNIX based, but a Windows version is also available. For tracking logs, applications like logwatcher and swatch are more
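The dictionary-attack case above is a good fit for a small log-watching script. The example below is added here and is not code from the article or from swatch/logwatcher: it parses OpenSSH "Failed password" syslog lines, keeps a sliding window of failures per source address and reports any source that crosses a threshold inside that window. The log lines, the host name "gw", the addresses and the year used to complete the syslog timestamps are all constructed values for the demonstration.

```python
"""Detect password-guessing (dictionary) attacks in syslog output.

Added example, not part of the original article. Reads sshd
"Failed password" lines in classic syslog format, keeps a sliding
window of failures per source address, and reports sources whose
failure count inside the window reaches a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Classic syslog line written by OpenSSH on a failed login attempt.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

# Constructed sample log: one source guessing several accounts quickly,
# one legitimate user mistyping a password once.
SAMPLE_LOG = [
    "Mar 14 10:00:01 gw sshd[2001]: Failed password for root from 10.1.2.3 port 40001 ssh2",
    "Mar 14 10:00:03 gw sshd[2001]: Failed password for root from 10.1.2.3 port 40002 ssh2",
    "Mar 14 10:00:04 gw sshd[2001]: Failed password for invalid user admin from 10.1.2.3 port 40003 ssh2",
    "Mar 14 10:00:06 gw sshd[2001]: Failed password for invalid user test from 10.1.2.3 port 40004 ssh2",
    "Mar 14 10:00:07 gw sshd[2001]: Failed password for root from 10.1.2.3 port 40005 ssh2",
    "Mar 14 10:00:09 gw sshd[2001]: Accepted password for alice from 192.0.2.10 port 51000 ssh2",
    "Mar 14 10:00:20 gw sshd[2001]: Failed password for alice from 192.0.2.10 port 51001 ssh2",
    "Mar 14 10:05:00 gw sshd[2001]: Failed password for root from 10.1.2.3 port 40006 ssh2",
]


def parse_ts(text, year=2007):
    """Syslog timestamps carry no year; the year is an assumed value."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_dictionary_attacks(lines, threshold=5, window_seconds=60):
    """Return {src: {"first_flagged", "failures", "users"}} for every source
    that produced `threshold` or more failures within `window_seconds`."""
    recent = defaultdict(deque)   # src -> timestamps still inside the window
    failures = defaultdict(int)   # src -> total failures seen
    users = defaultdict(set)      # src -> account names tried
    first_flagged = {}            # src -> time the threshold was first crossed

    for line in lines:
        m = FAILED_RE.match(line)
        if not m:                 # successful logins and other messages
            continue
        ts, src = parse_ts(m.group("ts")), m.group("src")
        failures[src] += 1
        users[src].add(m.group("user"))
        window = recent[src]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and src not in first_flagged:
            first_flagged[src] = ts

    return {
        src: {
            "first_flagged": when,
            "failures": failures[src],
            "users": sorted(users[src]),
        }
        for src, when in first_flagged.items()
    }


if __name__ == "__main__":
    for src, info in detect_dictionary_attacks(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failures, accounts tried: "
              f"{', '.join(info['users'])}, flagged at {info['first_flagged']:%H:%M:%S}")
```

A real deployment would read the file incrementally (tail-style) and hand the flagged addresses to the firewall or to an operator; the window keeps the detector from flagging a user who simply mistypes a password a few times over a day.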
Gathering the flow records from border routers and processing them is of vital importance. For this job, flow-tools is generally used; it works on
NetFlow data, a format developed by Cisco. Flow-tools is a practical tool for the purpose.
Border Routers
These are naturally intelligent devices, and they will inevitably perform IPv4 routing. They must be able to filter from layer 4 up to
layer 7; the desired filtering level is preferably layer 7.
At this point, the type of device to be considered depends on the policy text mentioned at the beginning. If the policy text imposes
enough restrictions on persons, the requirements on the device to be installed will be less demanding. If, however, the sanctions are not very effective,
then the device to be chosen will have to be more capable, and for certain networks much more so.
Since universities are public bodies, cost analysis is rarely done, if at all. In reality, the analysis must be performed meticulously. For
instance, how many universities reflect the cost of power consumption in the cost of devices?
Returning to where we left off, it is appropriate for border routers to use layer 4 filtering. For campuses with more than one connection to
the Internet, BGPv4 is essential. Naturally, depending on the structure, load distribution will also be necessary for such campuses. This is
routine only for technical staff who are competent at what they are doing.
Some manufacturers perform all tasks on the border routers, and this does not fit well with campus networks. The logic behind this is "restrict
everything and allow only what is necessary". Devices that work on the first frame either lose performance or impose higher costs when run inline.
Having a firewall on the border router is a commonly required feature and in most cases gives good results. In particular, systems with
connection tracking give good results, even though they cause performance issues.
On the border router, allowing access from the inside to the outside but restricting access from the outside to the inside, unless it was
requested from inside, prevents serious security problems.
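To make the connection-tracking rule concrete, and the ICMP restriction from the earlier section along with it, here is a small simulation of the border policy. It is an added example, not the article's code or any firewall product's: outbound flows from the campus prefix are recorded in a state table, inbound packets are accepted only as replies to a recorded flow, and ICMP is accepted only for the Echo Request, Echo Reply and Destination Unreachable types the article names. The campus prefix 10.0.0.0/16 and the packet trace are constructed values.

```python
"""Minimal stateful border filter with an ICMP type allow-list.

Added example, not from the original article. Policy modelled:
  - inside -> outside: accept and remember the flow;
  - outside -> inside: accept only if it is the reverse of a remembered flow;
  - ICMP: accept only Echo Reply (0), Destination Unreachable (3),
    Echo Request (8); drop every other type.
"""
import ipaddress
from dataclasses import dataclass

CAMPUS = ipaddress.ip_network("10.0.0.0/16")          # assumed campus prefix
ALLOWED_ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: int = -1   # only meaningful when proto == "icmp"


class BorderFilter:
    def __init__(self, campus=CAMPUS):
        self.campus = campus
        self.conntrack = set()   # 5-tuples of flows opened from inside

    def _inside(self, addr):
        return ipaddress.ip_address(addr) in self.campus

    def decide(self, pkt):
        """Return "ACCEPT" or "DROP" for one packet, updating the state table."""
        if pkt.proto == "icmp":
            return "ACCEPT" if pkt.icmp_type in ALLOWED_ICMP_TYPES else "DROP"
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: record the flow so that its replies are let back in.
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT"
        # Inbound: the reverse tuple must already exist in the state table.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        return "ACCEPT" if reverse in self.conntrack else "DROP"


# Constructed trace: a web request and its reply, an unsolicited SMB probe,
# an allowed ping, a disallowed ICMP timestamp request, and a UDP packet that
# reuses the ports of the tracked TCP flow but not its protocol.
SAMPLE_PACKETS = [
    Packet("10.0.5.7", "203.0.113.20", "tcp", 45000, 80),
    Packet("203.0.113.20", "10.0.5.7", "tcp", 80, 45000),
    Packet("198.51.100.9", "10.0.5.7", "tcp", 4444, 445),
    Packet("198.51.100.9", "10.0.5.7", "icmp", icmp_type=8),
    Packet("198.51.100.9", "10.0.5.7", "icmp", icmp_type=13),
    Packet("203.0.113.20", "10.0.5.7", "udp", 80, 45000),
]


def run_policy(packets):
    """Run a fresh filter over a packet list and return the decisions in order."""
    f = BorderFilter()
    return [f.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_policy(SAMPLE_PACKETS)):
        print(f"{verdict:6} {pkt.proto:4} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The state table here never expires entries; a production connection tracker ages flows out (and, for TCP, follows the handshake and teardown), which is exactly where the performance cost the article mentions comes from.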
Blackhole Routing
This system makes it possible to locate stray packets on the campus and take the necessary measures. Most network viruses scan for active IPs and,
during their scan, try to reach campus IPs for which there is no route. That is how a blackhole IP route can be applied.
An IDS device with suitable hardware may be used as the blackhole machine. Tight security measures should be maintained for this device. All log
entries on the device must be reviewed and the related measures taken, or scripts run that can do so. Another important point is not to manage the
device over the same interface.
For this system to be used, default routing should not be used. For systems configured with default routing, it may be proposed to redirect
unused IP blocks to the IP of the blackhole. For instance, all reserved networks (see http://www.iana.org/assignments/ipv4-address-space, Reserved
Networks) may be used for this. You can also direct the unused parts of your own IP blocks there. Finally, you may route the ports which are
used by some well-known operating systems and are a source of viruses to this IP.
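The two ideas of the last sections, processing border-router flow records and pointing unused address space at a blackhole, are combined in the added example below; it is not code from the article or from flow-tools. It computes the unused prefixes of a campus block from the list of subnets in use (the candidates for blackhole routes), then runs over flow records to find the top talkers and the hosts that are probing that unrouted space, which is the signature of the scanning viruses the article describes. The campus prefix, the routed subnets and the flow records are constructed; flow-tools' own export format is not reproduced, the records are a simplified (src, dst, proto, dport, bytes) form.

```python
"""Unused-prefix (blackhole) computation and scan detection on flow records.

Added example, not part of the original article. Assumptions: the campus
owns 10.0.0.0/16, only the subnets in ROUTED are in use, and flow records
have already been reduced to src/dst/proto/dport/bytes.
"""
import ipaddress
from collections import Counter, defaultdict

CAMPUS = ipaddress.ip_network("10.0.0.0/16")
ROUTED = [ipaddress.ip_network(n) for n in ("10.0.1.0/24", "10.0.2.0/24", "10.0.10.0/23")]

# Constructed flow records as a border router might export them.
SAMPLE_FLOWS = [
    {"src": "10.0.1.15", "dst": "203.0.113.5", "proto": "tcp", "dport": 80, "bytes": 500000},
    {"src": "10.0.1.15", "dst": "203.0.113.6", "proto": "tcp", "dport": 443, "bytes": 200000},
    {"src": "10.0.2.40", "dst": "10.0.3.1", "proto": "tcp", "dport": 445, "bytes": 60},
    {"src": "10.0.2.40", "dst": "10.0.3.2", "proto": "tcp", "dport": 445, "bytes": 60},
    {"src": "10.0.2.40", "dst": "10.0.4.9", "proto": "tcp", "dport": 445, "bytes": 60},
    {"src": "10.0.2.40", "dst": "10.0.1.20", "proto": "tcp", "dport": 445, "bytes": 60},
    {"src": "10.0.10.3", "dst": "10.0.3.7", "proto": "tcp", "dport": 22, "bytes": 1500},
    {"src": "198.51.100.9", "dst": "10.0.200.1", "proto": "tcp", "dport": 135, "bytes": 48},
    {"src": "198.51.100.9", "dst": "10.0.200.2", "proto": "tcp", "dport": 135, "bytes": 48},
    {"src": "198.51.100.9", "dst": "10.0.200.3", "proto": "tcp", "dport": 135, "bytes": 48},
]


def unused_prefixes(campus=CAMPUS, routed=ROUTED):
    """Return the campus address space minus the routed subnets, as strings.
    These are the blocks to point at the blackhole host."""
    remaining = [campus]
    for used in routed:
        nxt = []
        for net in remaining:
            if used.subnet_of(net):
                nxt.extend(net.address_exclude(used))   # carve `used` out of `net`
            elif net.subnet_of(used):
                continue                                # `net` is entirely in use
            else:
                nxt.append(net)
        remaining = nxt
    return [str(n) for n in sorted(remaining)]


def blackhole_routes(nexthop="10.0.1.254", prefixes=None):
    """Linux iproute2 commands for the computed prefixes (nexthop is assumed).
    Returned as text for review, never executed here."""
    prefixes = unused_prefixes() if prefixes is None else prefixes
    return [f"ip route add {p} via {nexthop}" for p in prefixes]


def is_dark(dst, campus=CAMPUS, routed=ROUTED):
    """True when `dst` lies in campus space that has no routed subnet."""
    addr = ipaddress.ip_address(dst)
    return addr in campus and not any(addr in n for n in routed)


def top_talkers(flows, n=3):
    """Sources ranked by bytes sent, highest first."""
    totals = Counter()
    for f in flows:
        totals[f["src"]] += f["bytes"]
    return totals.most_common(n)


def find_scanners(flows, min_dark_targets=3):
    """Sources that touched at least `min_dark_targets` distinct unrouted
    campus addresses; hosts behaving like this are worth a closer look."""
    dark = defaultdict(set)
    for f in flows:
        if is_dark(f["dst"]):
            dark[f["src"]].add(f["dst"])
    return {src: sorted(d) for src, d in dark.items() if len(d) >= min_dark_targets}


if __name__ == "__main__":
    print("\n".join(blackhole_routes()))
    print("top talkers:", top_talkers(SAMPLE_FLOWS, 2))
    print("scanners:", find_scanners(SAMPLE_FLOWS))
```

Two caveats on use: the scanner threshold has to be tuned against legitimate traffic such as a management station that sweeps the whole block, and the prefix list must be regenerated whenever a new subnet is brought into service, or the new subnet's traffic will land on the blackhole host.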
Lately, a similar procedure has been used for DNS. The process is described in detail at http://www.bleedingsnort.com/blackhole-dns/
Wireless Networks
The security of wireless networks comes up as a really big issue, because the devices operating on these networks are portable, and this causes
security problems to move from location to location. No matter how thoroughly you block every entrance of the campus network, threats arriving with
portable computers can strike the system from any point on the campus. This is experienced most at the access points of the wireless network.
Access at these points must be arranged thoroughly (if possible 802.1X must be used), and packets coming in from these networks must be subjected
to security scans as if they came from outside.
802.1X
It is a method that provides authorised access to the network. It is an IEEE standard, a port-based application controlling network access. It checks
users who want access at layer 2 and manages that access. Applications like RADIUS and LDAP may be used. It is possible to provide authentication with
the EAP-TLS and PEAP methods.
For this method to be applied, physical protection must also be in place. It is only secure together with the port security of the devices. However,
all the devices must conform to the standard. This, of course, is a cost-escalating factor for the network administrator.
Peer-to-Peer
It is a sharing method named peer-to-peer (P2P) and is on the agenda due to its intense use of network resources. Realised through sharing
applications such as BitTorrent, eMule and eDonkey, its usage has increased recently.
These applications are used for duplicating and distributing films, music, books etc., which is not necessarily legal. The applications that
became known through such activities are now frequently used for updating games and for distributing operating systems like Linux and BSD. This
makes blocking such applications difficult.
A less apparent facet of the problem is security. Such applications not only expose many computers connected to the Internet to attacks but
also to many security breaches due to viruses and worms that come into the picture when the downloaded software is run. To cut things short, these
applications act as a natural Trojan horse and enable the seizure of many operating systems.
For these reasons it is unpleasant for a security administrator to view these applications as a welcome prospect. On the other hand, well-intended
uses should not be overlooked, and it is necessary to make use of other methods that suit the purpose. For instance, mirrors of OS
distributions can be prepared in advance and made available to users for download.
The material problems that arise from refusing permission may be overcome by making use of QoS parameters. The access of IPs caught by snort, for
example, can be restricted. For this purpose the bandwidth shaping of a device which can define QoS statements may be used. There are two reasons for
not applying an outright block in this case. The first is, being in an academic environment, not to encourage users to resort to new methods. The other
is that the main aim is to enable access to the network. A dysfunctional network will not serve any purpose.
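The "restrict rather than block" approach can be demonstrated with a per-host token bucket, which is the mechanism most QoS shapers use for rate limits. The following is an added example, not code from the article or from snort or any shaper: hosts that the IDS has flagged are moved to a small bandwidth allowance while unflagged hosts keep the normal one, and the function reports how many packets of a trace each host got through. The rates, burst sizes, addresses and packet trace are constructed values; timestamps are in milliseconds so that the arithmetic is exact.

```python
"""Per-host token-bucket shaping: restricted allowance for IDS-flagged hosts.

Added example, not part of the original article. A TokenBucket refills at
`rate` bytes per millisecond up to `capacity` bytes; a packet is forwarded
only if enough tokens are available, otherwise it is dropped (a real
shaper would usually queue it instead).
"""
from collections import defaultdict


class TokenBucket:
    def __init__(self, rate, capacity):
        self.rate = rate            # bytes per millisecond
        self.capacity = capacity    # maximum burst in bytes
        self.tokens = capacity      # start full
        self.last = None            # time of the previous packet

    def allow(self, size, now):
        """Consume `size` tokens at time `now` (ms) if available."""
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False


class Shaper:
    # Assumed allowances: normal hosts 1000 B/ms (about 8 Mbit/s) with a
    # 100 kB burst; flagged hosts 50 B/ms (about 400 kbit/s) with a 10 kB burst.
    def __init__(self, normal=(1000, 100_000), restricted=(50, 10_000)):
        self.normal, self.restricted = normal, restricted
        self.flagged = set()
        self.buckets = {}

    def flag(self, ip):
        """Called when the IDS reports `ip`; its bucket is rebuilt at the low rate."""
        self.flagged.add(ip)
        self.buckets.pop(ip, None)

    def _bucket(self, ip):
        if ip not in self.buckets:
            rate, cap = self.restricted if ip in self.flagged else self.normal
            self.buckets[ip] = TokenBucket(rate, cap)
        return self.buckets[ip]

    def handle(self, ip, size, now):
        return "forward" if self._bucket(ip).allow(size, now) else "drop"


# Constructed trace of (time_ms, src_ip, packet_bytes): the flagged host
# bursts 10 packets at t=0, then 6 more at t=200; a normal host bursts 10.
SAMPLE_TRACE = (
    [(0, "10.0.7.7", 1500)] * 10
    + [(0, "10.0.1.5", 1500)] * 10
    + [(200, "10.0.7.7", 1500)] * 6
)
FLAGGED_BY_IDS = {"10.0.7.7"}   # constructed IDS report


def run_trace(trace, flagged):
    """Return {ip: (forwarded, dropped)} after shaping the whole trace."""
    shaper = Shaper()
    for ip in flagged:
        shaper.flag(ip)
    stats = defaultdict(lambda: [0, 0])
    for now, ip, size in trace:
        stats[ip][0 if shaper.handle(ip, size, now) == "forward" else 1] += 1
    return {ip: tuple(v) for ip, v in stats.items()}


if __name__ == "__main__":
    for ip, (fwd, drop) in run_trace(SAMPLE_TRACE, FLAGGED_BY_IDS).items():
        print(f"{ip}: forwarded {fwd}, dropped {drop}")
```

The flagged host gets six 1500-byte packets through its 10 kB burst at t=0 and loses four, then has refilled to the full burst by t=200 ms and passes the next six; the unflagged host is untouched. Feeding the IDS's alert list into `flag()` automates the restriction without cutting anyone off the network.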
Honeypots and Honeynets
These days attacks can come from many sources. As mentioned above, users may not be aware of what is running on their systems. This situation
results in many attacks from the inside as well as from the outside. In order to stop these attacks we have to be informed of them, and IDS systems are
ideal structures for the purpose.
These systems spread fake information and attract intruders to themselves, thus gathering information about them, which enables
countermeasures to be developed to prevent the attacks. The gathered information can be applied to the firewall in real time.
Compromise of the honeypot itself will cause many problems. It is therefore necessary to take precautions. Honeypots installed on real systems can
become very dangerous in such situations.
To give an example, a honeypot installed in the vicinity of a border router can register all connections as attacks and take the necessary
measures. The tarpit LaBrea (http://labrea.sourceforge.net/) is a good example of a honeypot. KFSensor
(http://www.keyfocus.net/kfsensor/) is a
Windows-based IDS/honeypot system. Honeyd (http://www.honeyd.org/) may be given as a final example.
A honeynet, on the other hand, is the name given to a network composed of honeypots. Thanks to this network, all data control, data gathering and IDS
work is done centrally. This is also helpful in rapidly detecting a compromised honeypot. Honeypots can be devised to work at layer 2 or layer 3. The
former allows a more secure system to be built.
Providing security on campus networks which operate with a 'let it be' mentality is really tricky. Methods of providing security by interactive
procedures become intricate and costly for campuses with heavy traffic. The procedure of 'observe and react' is more practical for such
systems. In this method the IDS, the honeynet and the management system play important roles. A network under continuous surveillance makes the
necessary intervention possible when problems and attacks arise, and thus the system can be kept secure and running. Naturally, building such
a system and keeping it running requires a skilled workforce.
Presented on Akademik Bilişim 2007.
Gökhan Eryol - Hüsnü Demir