Bob's Blogs

The kIDS are all right!

I just love "my" new IDS. After being frustrated trying to understand and configure the ISS product (2003 to be fair) and spending time playing with Snort (which I also like), I've been working on a Juniper IDP system (running in passive mode) and seeing just how well it can be tuned.

This is for a customer who is a college, so a lot of the "open academic environment" mentality still applies. While the firewall has been locked down a fair amount, the key difference here is that every department, teacher, etc. can make their systems available via a Web page, database, SSH login, telnet (on campus only) and some oddball ports -- as if the normal range isn't enough. There are also courses that have a lot of online content. This is an overall trend. My kids' high school distributes a lot of their homework, etc., the same way. I've started the planning for a full audit of all exposed systems, but that's another story.

One of the bigger successes that has come about as a result of examining the IDP reports was the discovery of just how much nosy traffic was being allowed past the firewall. Case in point was MS SQL Server traffic. After tracking down the professors running those servers, it turned out that they were intended for on-campus students attending their classes only -- no exceptions.

Since most of the port scans were coming from the Asia-Pacific region (APNIC) and Europe (RIPE), I was able to set the border router to block large chunks of IP address space with an ACL (Access Control List) from at least port 1433 by doing ARIN lookups to determine any blocks not on the North American continent. Additionally, any scans coming from China and Korea would get a class-C-sized range blocked from all IP access. I'd love to say that this solution was perfect, but it wasn't. It turned out that one instructor-run Web site makes a link back to somewhere in China, and I broke his page -- so I had to remove that particular ACL entry. Since then, I've also been adding other geographically identifiable network ranges that are highly unlikely to belong to on-campus students. The large nationwide ones (Comcast, AOL, for example) I don't dare block. At least not without more research.
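The ACL work above is easy to get wrong in exactly the way described (a broad deny that quietly takes a needed host with it). As an added example, not the author's router configuration, here is a small Python model of a border-router ACL as an ordered, first-match rule list, with a check that runs the flows you know must keep working through the list before it is pushed. The netblocks are RFC 5737 documentation ranges standing in for the real regional blocks, the "hosts behind" and exception entries are constructed, the default action and the Cisco IOS-style rendering are assumptions (the post does not name the router vendor), and the narrower permit ahead of the deny is shown as an alternative to removing the whole entry.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network       # source netblock the entry matches
    dst_port: Optional[int]          # TCP destination port; None = any protocol/port
    note: str = ""                   # why the entry exists (the part people forget to keep)


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


# Constructed rule set using documentation ranges; these are placeholders,
# not the result of any real ARIN / APNIC / RIPE lookup.
RULES: List[Rule] = [
    # A narrower permit placed ahead of the broad deny keeps one needed host
    # reachable without dropping the whole entry (first match wins).
    Rule("permit", net("203.0.113.45/32"), None, "host an instructor page links to"),
    Rule("deny",   net("203.0.113.0/24"),  None, "scan source: whole /24 blocked"),
    Rule("deny",   net("198.51.100.0/24"), 1433, "off-continent block: no MS SQL from outside"),
]


def evaluate(rules: List[Rule], src_ip: str, dst_port: int,
             default: str = "permit") -> Tuple[str, str]:
    """First matching entry wins, as on a router ACL. The permit default is an
    assumption: this ACL only carves blocks out of traffic the firewall behind
    it will still inspect."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if ip in r.src and (r.dst_port is None or r.dst_port == dst_port):
            return r.action, r.note
    return default, "no ACL entry matched"


def wildcard(netblock: ipaddress.IPv4Network) -> str:
    """Cisco-style wildcard mask, i.e. the inverse of the netmask."""
    return str(netblock.hostmask)


def render(rules: List[Rule], acl_number: int = 101) -> List[str]:
    """Emit IOS-style extended ACL lines with a remark per entry
    (vendor syntax is an assumption)."""
    lines = []
    for r in rules:
        lines.append(f"access-list {acl_number} remark {r.note}")
        if r.dst_port is None:
            lines.append(f"access-list {acl_number} {r.action} ip "
                         f"{r.src.network_address} {wildcard(r.src)} any")
        else:
            lines.append(f"access-list {acl_number} {r.action} tcp "
                         f"{r.src.network_address} {wildcard(r.src)} any eq {r.dst_port}")
    return lines


def collateral(rules: List[Rule], required_flows) -> List[Tuple[str, str]]:
    """Run the flows that must keep working through the ACL *before* it goes
    on the router. Each flow is (src_ip, dst_port, description); the return
    value lists the ones the ACL would deny, with the entry responsible."""
    broken = []
    for src, port, desc in required_flows:
        action, note = evaluate(rules, src, port)
        if action == "deny":
            broken.append((desc, note))
    return broken


# Constructed list of flows the campus depends on.
REQUIRED_FLOWS = [
    ("203.0.113.45", 80, "traffic from the host the instructor page links to"),
    ("192.0.2.10", 1433, "on-campus student reaching a class SQL Server"),
    ("198.51.100.20", 443, "off-continent visitor reading a course Web page"),
]


if __name__ == "__main__":
    for line in render(RULES):
        print(line)
    print("would break:", collateral(RULES, REQUIRED_FLOWS))
    # Dropping the exception entry shows the breakage the post describes.
    print("without the exception:", collateral(RULES[1:], REQUIRED_FLOWS))
```

The useful habit here is `collateral()`: every time a new regional deny goes in, the known-good flow list is replayed against the whole ACL, so the instructor's page breaks on the desk instead of in production.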

However, between blocking SQL and narrower ranges for everything, the IDS reports that I'm seeing are now producing results that show where the on-campus "threats" are coming from. The area I'm currently working on refining is the SYN Flood and distributed network scan reports. Since some networks are proxied out through a gateway, the IDP has no way of knowing that a given single address is actually an entire network, so it sees normal innocent traffic as a distributed attack. The trick now is to refine the filter definitions so as to not raise as many false alarms, while still being sensitive to an actual incident (which may or may not be an actual attack).
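The false-alarm problem above has a concrete shape: a "distributed scan" rule counts distinct targets per source address, and a NAT or proxy gateway fans out to many targets on behalf of everyone behind it. As an added example, not the author's IDP filter and not Juniper's rule syntax, here is a small Python detector that counts distinct (destination, port) targets per source inside a sliding window and scales the alert threshold for known gateways by the number of hosts behind them. The log line format, the gateway inventory, the scaling rule and the sample events are all constructed; the scaling is a starting point to tune, not a measured value.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed log format (not the IDP's real export format):
#   2004-03-01T09:00:05 src=10.1.1.5 dst=192.0.2.15 dport=1433
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$")

Event = Tuple[datetime, str, str, int]


def parse(line: str) -> Optional[Event]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None          # unparseable lines are skipped, not counted
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def threshold_for(src: str, gateways: Dict[str, int], base: int) -> int:
    """A NAT/proxy gateway legitimately reaches many destinations, so its
    threshold scales with the hosts behind it (assumed known from the campus
    network inventory). Unknown sources get the base threshold."""
    return base * gateways.get(src, 1)


def detect_scans(lines: List[str], gateways: Dict[str, int], base: int = 10,
                 window: timedelta = timedelta(seconds=60)) -> Dict[str, Tuple[int, int]]:
    """Return {src: (peak distinct targets, threshold)} for every source whose
    distinct (dst, dport) targets within any `window` exceeded its threshold."""
    events = sorted(e for e in map(parse, lines) if e is not None)
    recent = defaultdict(deque)                    # per source: (ts, target) in window
    counts = defaultdict(lambda: defaultdict(int))  # per source: target -> hits in window
    alerts: Dict[str, Tuple[int, int]] = {}
    for ts, src, dst, dport in events:
        target = (dst, dport)
        q, c = recent[src], counts[src]
        q.append((ts, target))
        c[target] += 1
        # Expire events that fell out of the window.
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        distinct = len(c)
        limit = threshold_for(src, gateways, base)
        if distinct > limit and (src not in alerts or distinct > alerts[src][0]):
            alerts[src] = (distinct, limit)
    return alerts


def constructed_log() -> List[str]:
    """Constructed sample: one real sweep, one busy gateway, one chatty host."""
    t0 = datetime(2004, 3, 1, 9, 0, 0)
    lines = []
    # 10.1.1.5: a single lab host hitting port 1433 on 12 different hosts
    for i in range(12):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.1.1.5 dst=192.0.2.{10 + i} dport=1433")
    # 10.2.0.1: a dorm NAT gateway with 40 distinct Web destinations in a minute
    for i in range(40):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.2.0.1 dst=198.51.100.{i + 1} dport={443 if i % 2 else 80}")
    # 10.1.1.9: many events to one server, which is not a scan at all
    for i in range(30):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=10.1.1.9 dst=192.0.2.50 dport=80")
    return lines


# Constructed inventory: hosts behind each known NAT/proxy gateway.
GATEWAYS = {"10.2.0.1": 150}


if __name__ == "__main__":
    print("with gateway inventory:   ", detect_scans(constructed_log(), GATEWAYS))
    print("without gateway inventory:", detect_scans(constructed_log(), {}))
```

Run with the inventory, only the lab host's 1433 sweep is reported; run without it, the gateway's ordinary Web traffic is reported as a distributed scan, which is the false alarm the post describes. Counting distinct targets rather than raw events is what keeps the chatty single-server host quiet.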

There is lots more progress to be made and, to quote Silicon Graphics, "serious fun."

Meeting Network Security & Control Requirements: (408) 395-3921