The NACS Network Planning and Security team has implemented scripts in the campus Intrusion Detection System (IDS) that provide the first dynamic measures to use the PIX firewall’s blocking capability. These scripts automate the process of denying access to external hosts attempting to compromise systems on campus, so an attack can be stopped as soon as it is detected, preventing further attempts against other campus targets.
Previously, the information gathered by the IDS was used in forensic analysis to identify problems after the fact. While this allowed continued problems from the same host to be halted and helped alert computing support personnel to current vulnerabilities, it did not generally deter the attacker’s first attempts.
The scripts, written by NACS Chief Security Officer Mike Iglesias, are run when the IDS detects certain signatures in network traffic that are known to indicate the presence of malicious code. A command is then sent to the PIX firewall and the intruder’s IP address is blocked at the border, preventing all further access to campus. All blocking, or “shunning,” is automatically logged to a web page for easy reference by help-desk and other campus personnel.
The signatures included for dynamic blocking are carefully chosen to avoid producing “false positives” (legitimate network activity that has the appearance of hostile intent). The blocks are removed after a period of time and reinstated if the host is still attacking UCI systems or starts attacking again later.
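The detect, shun, expire and reinstate cycle described above, as an added illustration that is not the NACS script: the PIX is replaced by a stub that records the commands it would receive, and the vetted signature names, block lifetime and alert line format are assumptions.

```python
"""Added illustration of IDS-driven dynamic blocking with timed expiry and reinstatement."""
import re
from dataclasses import dataclass, field

# Assumed: only signatures vetted against false positives may trigger a shun.
BLOCKING_SIGNATURES = {"worm-propagation", "ssh-brute-force"}
SHUN_SECONDS = 3600  # assumed block lifetime; the article states no figure
# Constructed alert format: "<epoch> <src_ip> <signature>"
ALERT_RE = re.compile(r"^(\d+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")

@dataclass
class ShunManager:
    send_cmd: object                                   # e.g. push to PIX console
    active: dict = field(default_factory=dict)         # ip -> expiry epoch
    log: list = field(default_factory=list)            # rows for the web page

    def handle_alert(self, line):
        """Shun the source of a vetted signature; return what was done."""
        m = ALERT_RE.match(line)
        if not m:
            return "ignored"
        now, ip, sig = int(m.group(1)), m.group(2), m.group(3)
        self.expire(now)
        if sig not in BLOCKING_SIGNATURES:
            return "ignored"
        if ip in self.active:            # still blocked at the border, nothing to do
            return "already-shunned"
        self.send_cmd(f"shun {ip}")
        self.active[ip] = now + SHUN_SECONDS
        self.log.append(f"{now} shun {ip} ({sig})")
        return "shunned"

    def expire(self, now):
        """Lift shuns whose time is up; a later alert reinstates them."""
        for ip in [ip for ip, exp in self.active.items() if exp <= now]:
            self.send_cmd(f"no shun {ip}")
            del self.active[ip]
            self.log.append(f"{now} unshun {ip}")

def run_demo():
    """Feed constructed alerts through a stub firewall; return the outcomes."""
    pix_commands = []
    mgr = ShunManager(send_cmd=pix_commands.append)
    alerts = [
        "1000 198.51.100.7 worm-propagation",   # first hit: shun at the border
        "1200 198.51.100.7 worm-propagation",   # still shunned: no new command
        "1300 203.0.113.9 port-scan",           # not a vetted blocking signature
        "5000 198.51.100.7 worm-propagation",   # block expired, attacking again
    ]
    results = [mgr.handle_alert(a) for a in alerts]
    return results, pix_commands, mgr.log
```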