UC Davis Vulnerability Scanning and Remediation, 2005 Larry Sautter Award (UC Davis, Information and Education Technology)
Posted 19-Dec-2015 (Category: Documents)

Transcript of the slide deck:
UC Davis Vulnerability Scanning and Remediation
2005 Larry Sautter Award
UC Davis, Information and Education Technology
UC Davis Vulnerability Scanning and Remediation
- Project description and background
- Project Objectives
- Protecting the campus network
- Scalable technology
- Education
- Questions
Project Description
A proactive approach to reducing threats to computing resources and enhancing the protection of university electronic information.
Project Objectives
- Protect the integrity of the campus computing environment
- Provide a cost-effective solution for vulnerability scanning and remediation
- Develop a scalable system
- Educate campus computer users, support staff and system administrators
Timeline
September 2003
- Temporary scanning system deployed to detect RPC vulnerabilities
October 2003
- Reduction in vulnerable and/or infected systems on campus network from more than 700 to fewer than 40 in four weeks
May 2004
- Planning for a permanent vulnerability scanning system was initiated
September 2004
- Computer Vulnerability Scanning Policy adopted by Campus
- Rebuilding/redeployment of the campus vulnerability scanning system components
- Threat analysis subscription begins
- Database upgrades made
January 2005
- Honeypot integrated into permanent scanning system
June 2005
- Intrusion detection system (IDS) integrated into vulnerability scanning system
July 2005
- Campus vulnerability scanning system is in full production mode
Computer Vulnerability Scanning Policy
- All computers, servers, and other electronic devices connected to the campus network shall be kept free of critical security vulnerabilities.
- Individuals whose computers present critical security vulnerabilities must correct those vulnerabilities in a timely manner before connecting to the campus network.
- Computers found to contain critical security vulnerabilities that threaten the integrity or performance of the campus network will be denied access to campus computing resources, and may be disconnected from the campus network to prevent further dissemination of infectious or malicious network activity.
Protecting the Campus Network
(Architecture diagram: UC Davis Security Scanning and Remediation Service. Boxes: Identification and Analysis of New Threats; Education; Vulnerability database on Red Hat Linux with MySQL.)

Input Data:
- VLAN Assignments: identify VLANs, gateways and exclusions (modem pool, wireless, business systems, residence halls)
- VLAN Technical Contact: VLAN managers identify themselves and provide contact information
- ARP Table Records: ARP tables are dumped every 30 minutes, allowing a mapping between the IP address and the MAC address
- MAC Address Ownership: UCD account holders register their computer's MAC address to use campus DHCP services. Given a MAC address, the owner can be identified.

Vulnerability Assessment Mechanisms and Storage:
- Network Honeypot (LaBrea)
- Web Authentication Scans (Nessus): users who access campus web sites are scanned
- Daily Scans (Nessus)
- Intrusion Detection System (Bro)
- Vulnerability database

Outputs:
- Email Notification: email is sent daily to VLAN managers with insecure systems
- Web Redirection to Remedial or Warning Page (http://secalert.ucdavis.edu)
- Perform Self-Initiated Desktop Scan (http://selfscan.ucdavis.edu)
- Ad hoc Queries of Security Database (http://secalert.ucdavis.edu)
- Top 10 Ports with Honeypot Traffic (http://security.ucdavis.edu)
- Modem Vulnerability Report (http://itxmodem.ucdavis.edu)
Vulnerability Assessment Mechanisms
- Nessus (scanlite perl module) is used to scan campus systems daily for 1-3 vulnerabilities
- Nessus is used to identify compromised systems during web-based authentication
- LaBrea (honeypot) is used to identify malicious network traffic on an unannounced network segment
- Bro (IDS) identifies malicious network traffic. Bro can use the Snort rule set.
Vulnerability Assessment Database
Fields: IP Address, Date, Type (honeypot, scan, IDS), MAC address, Username
Input Sources
- VLAN assignments (What IPs shall we scan?)
- VLAN technical contact (Who do we contact if there is a problem?)
- ARP table records (What MAC address is associated with a particular IP?)
- MAC address ownership (Who registered a particular MAC address?)
- Web authentication (What IP is attempting to authenticate to a UCD web site?)
- Threat selection (What threats represent the highest risk to campus?)
- Web/Daily Scan Capability (What Nessus security plug-ins are available?)
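An added example (not code from the UC Davis system) of how the input sources above and the database fields on the previous slide fit together: it joins a few constructed findings against VLAN assignments and exclusions, 30-minute ARP dumps and MAC registration, picks the ARP dump nearest before each finding so a DHCP lease change does not blame the wrong owner, and groups the result by VLAN technical contact for the daily email. Record layouts, addresses, MACs and names are all assumptions.

```python
"""Constructed example for this page (not UC Davis code); layouts and data are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

VLAN_ASSIGNMENTS = {"vlan10": ["10.1.0.0/24"], "vlan20": ["10.2.0.0/24"]}
EXCLUSIONS = ["10.1.0.128/25"]  # e.g. a modem pool that is not scanned
VLAN_CONTACT = {"vlan10": "mgr10@example.edu", "vlan20": "mgr20@example.edu"}
# ARP dumps taken every 30 minutes: (dump time, ip, mac). ISO-style
# timestamps are used throughout so they sort correctly as strings.
ARP_DUMPS = [
    ("2005-07-01 08:00", "10.1.0.5", "00:11:22:33:44:55"),
    ("2005-07-01 08:30", "10.1.0.5", "00:aa:bb:cc:dd:ee"),  # DHCP lease moved
    ("2005-07-01 08:30", "10.2.0.9", "00:de:ad:be:ef:01"),
]
MAC_OWNER = {"00:11:22:33:44:55": "alice", "00:aa:bb:cc:dd:ee": "bob",
             "00:de:ad:be:ef:01": "carol"}  # campus DHCP registration
# Vulnerability assessment database rows: (ip, date, type)
FINDINGS = [
    ("10.1.0.5", "2005-07-01 08:40", "scan"),
    ("10.2.0.9", "2005-07-01 09:10", "honeypot"),
    ("10.1.0.200", "2005-07-01 09:15", "IDS"),  # falls inside an exclusion
]

def vlan_for(ip):
    """Which VLAN covers this IP? None if it is excluded or unassigned."""
    a = ip_address(ip)
    if any(a in ip_network(x) for x in EXCLUSIONS):
        return None
    for vlan, nets in VLAN_ASSIGNMENTS.items():
        if any(a in ip_network(n) for n in nets):
            return vlan
    return None

def mac_at(ip, when):
    """MAC from the latest ARP dump at or before the finding time (DHCP can reassign IPs)."""
    cands = [(t, m) for t, i, m in ARP_DUMPS if i == ip and t <= when]
    return max(cands)[1] if cands else None

def daily_notifications(findings):
    """Enrich each finding with MAC and owner, grouped by VLAN contact."""
    out = defaultdict(list)
    for ip, when, kind in findings:
        vlan = vlan_for(ip)
        if vlan is None:
            continue  # excluded segment or no VLAN assignment: do not notify
        mac = mac_at(ip, when)
        out[VLAN_CONTACT[vlan]].append({"ip": ip, "date": when, "type": kind,
                                        "mac": mac, "username": MAC_OWNER.get(mac)})
    return dict(out)
```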
Scalable Technology
Production System Component        | Hardware                                                  | Operating System | Application
Web Authentication Scanner         | Sun V210 (2)                                              | Solaris          | Nessus/Scan Lite
Daily Network Scanner              | Sun V210 (2)                                              | Solaris          | Nessus/Scan Lite
Intrusion Detection Sensor         | Dell 2650 (2)                                             | Linux            | BRO
Network Honeypot                   | Dell 1750 (1)                                             | Linux            | LaBrea
Database                           | Dell 2650 (1) and Dell PowerVault 220 (2) with 2TB Storage | Linux            | MySQL
Web Server                         | Sun V210 (1)                                              | Solaris          | Apache
Test Server                        | Dell 1750 (1)                                             | Linux            | VMware
Educating the Campus Community
Faculty, Staff and Students
- Formal discussions with senior campus administrators and advisory groups
- Email alerts/announcements
- Print and Web publications
- Posters and Flyers
- Self-initiated scans
- Scan results pages
(Screenshot slide: http://selfscan.ucdavis.edu)
Technical Staff
- Formal discussions
- Computer & Network Security Report (secalert.ucdavis.edu)
- Email notifications
- "Top Ten" graphs
(Screenshot slides: http://secalert.ucdavis.edu and http://secalert.ucdavis.edu/ids)
Lessons Learned and Next Steps
- Nessus limitations
- Reliance on campus unit system administrators
- Enhance integration with Remedy trouble-ticketing system
- Product integration via database is not readily available
Questions
Contact Information
Robert Ono, [email protected]