OIT Upgrades Interface to the Internet

[Image: Border Router]

OIT used the holiday break as an opportunity to upgrade the border router and campus firewall, improving network performance and reliability. The timing was chosen to minimize the impact on the campus community, which relies on UCInet for Internet connectivity.

Prior to this project, UCI had a single system providing the link between UCInet and the Internet, and this same device was also responsible for providing the campus firewall service. This represented a single point of failure, in that a hardware failure could result in loss of connectivity.

The border router was also aging: it had been in service since August 2003, and Cisco had announced that maintenance for this model would end later this year.

The project replaced the components within the border router, added a second border router, distributed Internet services between the two, and moved the firewall service onto its own redundant systems. Tests have also demonstrated a significant increase in network bandwidth. Should one of the two routers go down, connectivity will be sustained by the redundant architecture of the new system.

The current arrangement also makes use of Cisco’s Virtual Switching System technology, allowing the two routers to be managed as a single service.

An upcoming goal is to house the two border routers in different buildings.  One will remain in Central Plant, and the other will be housed in OIT’s SSPA network vault.  This geographic distribution will further reduce the risk that loss of power or other facilities to a single building could interrupt UCI’s connection to the Internet.

Tripwire Watches for Hackers

Malicious users of the Internet are devising a great many ways to sneak software onto a computer. The result can be merely annoying but benign (adware), an invasion of privacy (tracking the web sites you visit), or outright destructive.

Security patches and firewalls are excellent defensive measures, but if something gets past those defenses, it’s important to find out before any data can be stolen or destroyed. And if your department runs a server, any disruption can be far-reaching.

Wouldn’t it be nice if something monitored the software installed on a key computer, and the configuration of the system, and notified the appropriate person any time it spotted a change? He or she could ignore changes that were deliberate, but take swift action when something was changed without permission.

This is just what Tripwire offers. Tripwire takes a snapshot of a computer, and stores this “baseline configuration” in a database. It then makes regular “integrity checks” and reports any changes (what changed, when, and by whom). Authorized changes become part of a new baseline configuration.
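As an added illustration (not Tripwire’s own code), the following Python routine follows the same cycle the paragraph describes: snapshot a directory tree into a baseline, run an integrity check that reports what was added, removed or modified, and fold only the authorized changes into a new baseline so that unexplained changes stay flagged. The file names and contents in demo() are constructed for the example.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    # Baseline: relative path -> (sha256, size) for every regular file under root.
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            baseline[os.path.relpath(path, root)] = (digest, os.path.getsize(path))
    return baseline

def integrity_check(baseline, current):
    # Report what differs between the stored baseline and a fresh snapshot.
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def accept_changes(baseline, current, authorized):
    # Fold approved changes into a new baseline; unapproved ones stay flagged.
    new_baseline = dict(baseline)
    for path in authorized:
        if path in current:
            new_baseline[path] = current[path]
        else:
            new_baseline.pop(path, None)   # an authorized deletion leaves the baseline
    return new_baseline

def demo():
    # Constructed scenario: one approved config edit plus one unexplained new file.
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "sshd_config")
        with open(cfg, "w") as f:
            f.write("PermitRootLogin no\n")
        baseline = snapshot(root)
        with open(cfg, "w") as f:                                     # approved change
            f.write("PermitRootLogin yes\n")
        with open(os.path.join(root, "unknown_binary"), "wb") as f:   # nobody approved this
            f.write(b"\x7fELF")
        current = snapshot(root)
        first_report = integrity_check(baseline, current)
        rebaselined = accept_changes(baseline, current, authorized=["sshd_config"])
        return first_report, integrity_check(rebaselined, current)

if __name__ == "__main__":
    print(demo())
```

After re-baselining, the config edit no longer appears in the report, but the unexplained file is still reported as added on every subsequent check until someone either approves it or removes it.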

Tripwire is available for Linux, Sun’s Solaris, HP’s OSF1, IBM’s AIX, and Microsoft Windows. NACS systems administrators, as well as Computing Support Coordinators in some other campus units, are deploying Tripwire to protect their key servers. The NACS Distributed Computing Support (DCS) group is also deploying Tripwire on servers it has under contract, thereby making the benefits of the software available to DCS clients.

A recent UC system-wide agreement has made the Tripwire software very affordable. Departmental computing support staff and others who are interested are invited to contact NACS to discuss deploying Tripwire in their units.

Network Attacks Blocked

The NACS Network Planning and Security team has implemented scripts in the campus Intrusion Detection System (IDS) that provide the first dynamic measures to use the PIX firewall’s blocking capability. These scripts automate the process of denying access to external hosts attempting to compromise systems on campus, so that attacks are stopped as soon as they are detected and further attempts against other campus targets are prevented.

Previously, the information gathered by the IDS was used in forensic analysis to identify problems after the fact. While this made it possible to halt continued problems from the same host and helped alert computing support personnel to current vulnerabilities, it did not generally deter the attacker’s first attempts.

The scripts, written by NACS Chief Security Officer, Mike Iglesias, are run when the IDS detects certain signatures in network traffic which are known to indicate the presence of malicious code. A command is then sent to the PIX firewall and the intruder’s IP address is blocked at the border, preventing all further campus access. All blocking, or “shunning,” is automatically logged to a web page for easy reference by help-desk and other campus personnel.

The signatures included for dynamic blocking are carefully considered to avoid producing “false positives” (legitimate network activity which has the appearance of hostile intent). The blocks are removed after a period of time, and reinstated if the system is still attacking UCI systems or starts attacking again later.