
Information Technology News Archive

1996 - 2017


Network Security

Network Planning & Security

June 13, 2003 by Dana Roode

NACS Network Planning & Security Group (NetPlanSec) responds to faculty requests for atypical network requirements, and oversees “big picture” coordination of the campus network and wide-area network initiatives. Additionally, NetPlanSec ensures that the campus network as a whole supports campus research and education, both in terms of the reliability and functionality of the network, and in terms of the security of computers on the network.

NetPlanSec includes:

  • Garrett Hildebrand (Manager)
  • Mike Iglesias (Computer and Network Security Coordinator)
  • John Lenning (Network Consultant)

Filed Under: Network Planning & Consulting, Network Security Tagged With: Network Planning & Consulting

Remote Access to Windows

February 22, 2003 by Dana Roode

When NACS closed NetBios ports at the border router as a critical security measure, it was no longer possible for campus personnel to use Windows file sharing services between work and home, at least not without working through the campus VPN device. (See NACSNews 2002.10)

But there is an alternative that does not depend on NetBios ports for those who need to use a campus Windows computer from home or another remote location.

Windows 2000 Server’s Terminal Services (or “Remote Desktop” for Windows XP) are the recommended means of remotely using and administering Windows systems. It’s free, and secure when configured correctly. Moreover, if you use a Macintosh at home, you can download an ICA client which uses the same technology (based on Citrix Metaframe) to access a Windows system from your Mac.

  • More information about Windows 2000 Terminal Services
  • More information about Windows XP Remote Desktop
  • The University of Texas has developed a Getting Started Guide

It is important to note that two security flaws were recently detected in these services, and Microsoft has issued a patch that resolves them. All default installations should be patched prior to use on UCInet. An explanation of the issues and a link to the patch may be found on the Microsoft Web site.

As with all security issues, turning this service on is expected to be safe with the patches installed, but may leave the machine open to manipulation if further vulnerabilities are discovered.

Filed Under: Network Security Tagged With: NetBios, RDS, Windows

Security Planning Stops Two Attacks

February 22, 2003 by Dana Roode

Network-based attacks are in the news with increasing frequency. Among the preventative steps NACS takes is to close network “ports” used by these attackers. Two recent examples are “Messenger spam” and the “SQL Slammer Worm.”

The Windows Messenger Service is a normal part of the Windows operating system, intended to allow system administrators to communicate with computer users. But hackers have figured out how to send pop-up ads to your computer, without your permission, using this same mechanism. Once NACS closed the Messenger network port, UCI computer users could no longer be reached by these innovative spammers.

The weekend of January 25-26, thousands of computers and networks around the country were disabled by the SQL Slammer Worm, aka “Sapphire,” which attacks computers through the MS SQL service. Vern Paxson of LBNL reports,

“This worm required roughly 10 minutes to spread worldwide making it by far the fastest worm to date. In the early stages the worm was doubling in size every 8.5 seconds. At its peak, achieved approximately 3 minutes after it was released, Sapphire scanned the net at over 55 million IP addresses per second. It infected at least 75,000 victims and probably considerably more.”

UCI users hardly noticed the attack that crippled other campuses, and even parts of Microsoft itself, because NACS had previously closed the SQL network port used by the worm (following advice from Foundstone, one of UCI’s security partners).

  • More on Windows Messenger Service
  • More on the Slammer Worm

Filed Under: Network Security Tagged With: Network Security, Virus, Worm

Network Attacks Blocked

November 22, 2002 by Dana Roode

The NACS Network Planning and Security team has implemented scripts in the campus Intrusion Detection System (IDS) which provide the first dynamic measures to utilize the PIX firewall’s blocking capability. These scripts automate the process of denying access to external hosts attempting to compromise systems on campus. This allows attacks to be stopped when they are detected and prevents further attempts against other campus targets.

Previously, the information gathered by the IDS was used in forensic analysis to identify problems after the fact. While this allowed for the halt of continued problems from the same host and helped alert computing support personnel to current vulnerabilities, it did not generally deter the attacker’s first attempts.

The scripts, written by NACS Chief Security Officer, Mike Iglesias, are run when the IDS detects certain signatures in network traffic which are known to indicate the presence of malicious code. A command is then sent to the PIX firewall and the intruder’s IP address is blocked at the border, preventing all further campus access. All blocking, or “shunning,” is automatically logged to a web page for easy reference by help-desk and other campus personnel.

The signatures included for dynamic blocking are carefully considered to avoid producing “false positives” (legitimate network activity which has the appearance of hostile intent). The blocks are removed after a period of time, and reinstated if the system is still attacking UCI systems or starts attacking again later.
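The block, expire and reinstate cycle described above, as an added Python example (not the NACS scripts themselves). The signature names, the one-hour lifetime and the campus prefix are assumptions made for illustration; `shun` and `no shun` are the PIX CLI commands for the firewall's blocking feature, and how the real scripts deliver them is not stated on this page.

```python
import ipaddress

# Assumptions (not from the page): signature names, block lifetime, campus prefix.
BLOCK_SIGNATURES = {"worm-propagation", "known-exploit-payload"}
SHUN_SECONDS = 3600
CAMPUS_NET = ipaddress.ip_network("192.0.2.0/24")  # documentation placeholder

class ShunManager:
    def __init__(self, send_command):
        self.send = send_command  # callable that delivers one CLI line to the firewall
        self.active = {}          # shunned IP -> expiry time
        self.log = []             # (time, action, ip, signature), feeds the status page

    def expire(self, now):
        # Lift blocks whose lifetime has passed.
        for ip, expiry in list(self.active.items()):
            if expiry <= now:
                self.send(f"no shun {ip}")
                del self.active[ip]
                self.log.append((now, "unshun", ip, None))

    def on_alert(self, now, src_ip, signature):
        """Shun an external source when a high-confidence signature fires."""
        self.expire(now)
        addr = ipaddress.ip_address(src_ip)  # raises ValueError on malformed input
        ip = str(addr)                       # only a parsed address reaches the CLI
        untrusted = signature not in BLOCK_SIGNATURES
        if untrusted or addr in CAMPUS_NET or ip in self.active:
            return False  # log-only signature, campus host, or already blocked
        seen = any(entry[2] == ip for entry in self.log)
        self.send(f"shun {ip}")
        self.active[ip] = now + SHUN_SECONDS
        self.log.append((now, "reinstate" if seen else "shun", ip, signature))
        return True

# Constructed alerts: (seconds since start, source IP, signature)
SAMPLE_ALERTS = [
    (0, "203.0.113.7", "worm-propagation"),
    (10, "203.0.113.7", "worm-propagation"),         # repeat while blocked
    (20, "198.51.100.9", "port-scan"),               # signature not trusted for blocking
    (30, "192.0.2.15", "worm-propagation"),          # campus host, never shunned
    (4000, "203.0.113.7", "known-exploit-payload"),  # attacks again after expiry
]

def replay(alerts):
    sent = []
    manager = ShunManager(sent.append)
    for now, ip, signature in alerts:
        manager.on_alert(now, ip, signature)
    return sent, [entry[1] for entry in manager.log]
```

Parsing the source address before building the command keeps anything other than a valid IP from reaching the firewall CLI, and restricting blocks to a short list of signatures is what keeps a noisy rule from shunning legitimate hosts.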

Filed Under: Network Security Tagged With: Firewall, Network Security

New VPN on UCInet

September 27, 2002 by Dana Roode

NACS has purchased a new device to offer yet another layer of network security for users of UCInet.

Called a VPN (for “Virtual Private Network”), the new Cisco 3060 VPN Concentrator offers a wide range of security features, depending on how and where you use UCI network resources. The main purpose of the VPN is to allow desirable network traffic and to exclude unwelcome network access.

The VPN in operation is invisible to most users. The only kind of traffic the VPN won’t permit onto or off campus involves NetBIOS, Microsoft’s proprietary network protocol. NetBIOS is used when accessing shared directories from Windows servers. Accessing Windows “shares” from off campus is inherently insecure, and has resulted in a number of serious network attacks.

In order to take advantage of the VPN, users will have to download and install a client application which works with the VPN to “tunnel” your network traffic through the barrier the VPN otherwise imposes. Permission to tunnel is granted after authenticating with one’s UCInetID and password.

However, protecting the campus from insecure use of NetBIOS is not the only advantage to the VPN. All traffic may be routed through the VPN, at your discretion, in which case it is all encrypted to prevent “packet sniffing.” Ordinarily, appropriately situated computers can watch (“sniff”) network traffic, and possibly reconstitute confidential information such as passwords.

Also, use of the VPN can make your off-campus computer appear to be a UCInet host, which means you can access campus-only network resources (such as Library reference materials).

Since encryption and address translation impose a modest cost to the performance of the network, the VPN offers two modes of tunneling: full tunneling (in which case all traffic is encrypted by the VPN client, routed onto campus, and forwarded to its final destination) and split tunneling, in which case only traffic bound for UCI goes through this process. Activation of the VPN client and choice of tunneling modes can be made a boot-time option for permanently installed (desktop) systems but is not recommended for roaming (laptop) systems which may need different configurations in different places.

This may all seem complex. NACS is ready to help you examine how you use the network, and which option makes sense for your style of use. More information and examples of how to take advantage of various features of the VPN can be found at http://www.nacs.uci.edu/security/vpn.html

Filed Under: Network Security Tagged With: Network Security, VPN

Office of Information Technology
University of California, Irvine
Irvine, CA 92697

© 2026 UC Regents