Bob's
Blogs
The
kIDS are all right!
I
just love "my" new IDS. After being frustrated trying
to understand and configure the ISS product (2003 to be fair)
and spending time playing with Snort (which I also like), I've
been working on a Juniper IDP system (running in passive mode)
and seeing just how well to tune it.
This
is for a customer who is a college, so a lot of the "open
academic environment" mentality still applies. While the
firewall has been locked down a fair amount, the key difference
here is that every department, teacher, etc. can make their systems
available via a Web page, database, SSH login, telnet (on campus
only) and some oddball ports -- as if the normal range isn't
enough. There are also courses thata have a lot of online content.
This is an overall trend. My kids' high school distributes a
lot of their homework etc. the same way. I've started the planning
for a full audit of all exposed systems, but that's another story.
One
of the bigger successes that has come about as a result of examination
-- the IDP reports was a discovery of just how much nosy traffic
was being allowed past the firewall. Case in point was MS SQL
Server traffic. After tracking down the professors running those
servers, it turned out that they were intended for on-campus
students attending their classes only -- no exceptions.
Since
most of the port scans were coming from the Asia-Pacific region
(APNIC) and Europe (RIPE), I was able to set the border router
to block large chunks of IP address space with an ACL (Access
Control List) from at least port 1433 by doing ARIN lookups to
determine any blocks not on the North American continent. Additionally,
any scans coming from China and Korea would get a class-C-sized
range blocked from all IP access. I'd love to say that this solution
was perfect, but it wasn't. It turned out that one instructor-run
Web site makes a link back to somewhere in China, and I broke
his page -- so I had to remove that particular ACL entry. Since
then, I've also been adding other geographically identifiable
network ranges that are highly unlikely to belong to on-campus
students. The large nationwide ones (Comcast, AOL, for example)
I don't dare block. At least not without more research.
However,
between blocking SQL and narrower ranges for everything, the
IDS reports that I'm seeing are now producing results that show
where the on-campus "threats" are coming from. The
area I'm currently working on refining is the SYN Flood and distributed
network scan reports. Since some networks are proxied out through
a gateway, the IDP has no way of knowing that a given single
address is actually an entire network, so it sees normal innocent
traffic as a distributed attack. The trick now is to refine the
filter definitions so as to not raise as many false alarms, while
still being sensitive to an actual incident (which may or may
not be an actual attack).
There
is lots more progress to be made and, to quote Silicon Graphics,
"serious fun." |