
Information Technology News Archive

1996 - 2017


Network Security

Intrusion Detection System

June 24, 2002 by Dana Roode

NACS has implemented an Intrusion Detection System (IDS) in an effort to reduce “Distributed Denial of Service” attacks which both deny legitimate users access to the network and drive up UCI’s network costs.

The Dragon IDS and Argus (Audit Record Generation and Utilization System) systems were installed recently at the campus border router. At present, the IDS is in a “learning” state so that it does not adversely impact campus users. This involves disabling detection rules (“signatures”) that match traffic common at UCI or otherwise not worth worrying about, restricting others to report only traffic from off-campus to on-campus hosts, and telling the sensor to ignore some signatures for some hosts. This will be an on-going effort, and should result in better sensor performance on the IDS server over time.
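The tuning described above, as a small added example written for this note (it is not the Dragon IDS configuration and does not use its rule syntax): the policy is three tables, disabled signatures, signatures reported only for off-campus to on-campus traffic, and per-host exemptions, applied to a stream of alerts, plus a volume count to pick the next signatures to review. Every network, host, signature name and alert below is constructed for the example.

```python
"""Alert-tuning pass of the kind described in the article (added example;
not the Dragon IDS configuration or rule syntax). All networks, hosts,
signature names and alerts are constructed."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# stand-ins for the campus address space (RFC 5737 documentation ranges)
CAMPUS_NETS = [ip_network("192.0.2.0/24"), ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Alert:
    sig: str   # signature name as the sensor reports it (hypothetical names)
    src: str
    dst: str


# signatures that fire constantly here and are never worth a page
DISABLED = {"ICMP:PING-NMAP"}
# signatures reported only when the source is off campus and the target on campus
INBOUND_ONLY = {"SCAN:PORTSCAN", "SMB:NULL-SESSION"}
# (host, signature) pairs to ignore, e.g. the campus vulnerability scanner's own probes
HOST_EXEMPT = {("192.0.2.10", "SCAN:PORTSCAN")}


def on_campus(addr):
    ip = ip_address(addr)
    return any(ip in net for net in CAMPUS_NETS)


def should_report(a):
    """True if the alert survives the tuning policy."""
    if a.sig in DISABLED:
        return False
    if (a.src, a.sig) in HOST_EXEMPT:
        return False
    if a.sig in INBOUND_ONLY and not (on_campus(a.dst) and not on_campus(a.src)):
        return False
    return True


def tune(alerts):
    return [a for a in alerts if should_report(a)]


def noisiest(alerts, n=3):
    """Signature volume before tuning: the review list for the next round of
    suppressions (the on-going effort the article mentions)."""
    return Counter(a.sig for a in alerts).most_common(n)


SAMPLE = [  # constructed alert stream
    Alert("ICMP:PING-NMAP", "198.51.100.7", "192.0.2.20"),       # drop: disabled
    Alert("SCAN:PORTSCAN", "198.51.100.7", "192.0.2.20"),        # keep: off campus -> on campus
    Alert("SCAN:PORTSCAN", "192.0.2.10", "192.0.2.20"),          # drop: exempt scanner host
    Alert("SCAN:PORTSCAN", "192.0.2.30", "198.51.100.9"),        # drop: outbound
    Alert("SCAN:PORTSCAN", "192.0.2.30", "192.0.2.40"),          # drop: campus-internal, inbound-only sig
    Alert("WEB:IIS-IDA-OVERFLOW", "192.0.2.30", "192.0.2.40"),   # keep: unrestricted signature
]

if __name__ == "__main__":
    for a in tune(SAMPLE):
        print("REPORT", a)
    print("top signatures before tuning:", noisiest(SAMPLE))
```

The inbound-only test deliberately drops campus-to-campus matches as well as outbound ones; if an internal scan is worth seeing, leave that signature out of INBOUND_ONLY rather than special-casing it.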

The Argus software is collecting data on the flows it sees. This data will be useful if we find a system that has been compromised, as we may be able to track down what system attacked it using what exploit, and then we can report it to the off-campus network service provider responsible for the offending computer.

NACS has already found two systems on campus that appear to be “stacheldraht” agents, and two that appear to be “trin00” daemons (stacheldraht and trin00 are distributed denial of service attack programs). You can read more about trin00 and stacheldraht at

http://staff.washington.edu/dittrich/misc/trinoo.analysis.txt
http://staff.washington.edu/dittrich/misc/stacheldraht.analysis.txt
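Two things the Argus flow data makes possible, as an added example that is not part of this article or of Argus: flagging flows on the default trin00 and stacheldraht control channels (port numbers taken from the Dittrich analyses linked above), and listing which off-campus systems reached a compromised host, and on which ports, in the hours before the compromise. The record layout is a constructed simplification of what the Argus ra client prints; addresses and times are made up. The control ports are compile-time defaults an attacker can change, so an empty result proves nothing, and a hit still needs the host examined.

```python
"""Flow triage over Argus-style records (added example; not the article's
or Argus's own code). Record layout (constructed): start proto src sport
dst dport pkts bytes. Control ports are the trin00/stacheldraht defaults
from the Dittrich analyses the article links to."""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

Flow = namedtuple("Flow", "start proto src sport dst dport pkts bytes")
CAMPUS = ip_network("192.0.2.0/24")   # stand-in for the campus address space

# (proto, dport) -> (meaning, which end of the flow holds the DDoS role we care about)
CONTROL_PORTS = {
    ("udp", 27444): ("trin00 master -> daemon command", "dst"),
    ("udp", 31335): ("trin00 daemon -> master reply", "src"),
    ("tcp", 27665): ("attacker -> trin00 master login", "dst"),
    ("tcp", 16660): ("client -> stacheldraht handler", "dst"),
    ("tcp", 65000): ("stacheldraht agent -> handler", "src"),
}


def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        f = line.split()
        if not f or f[0].startswith("#"):
            continue
        flows.append(Flow(datetime.fromisoformat(f[0]), f[1], f[2], int(f[3]),
                          f[4], int(f[5]), int(f[6]), int(f[7])))
    return flows


def on_campus(addr):
    return ip_address(addr) in CAMPUS


def control_channel_hits(flows):
    """Flows on a known trin00/stacheldraht control port, with their meaning."""
    return [(f, CONTROL_PORTS[(f.proto, f.dport)][0])
            for f in flows if (f.proto, f.dport) in CONTROL_PORTS]


def suspected_local_agents(flows):
    """Campus hosts in the daemon/agent/master role of a control-channel flow."""
    hosts = set()
    for f in flows:
        hit = CONTROL_PORTS.get((f.proto, f.dport))
        if hit:
            host = getattr(f, hit[1])
            if on_campus(host):
                hosts.add(host)
    return hosts


def inbound_before(flows, victim, compromised_at, window=timedelta(hours=24)):
    """Off-campus sources that reached the victim inside the window before the
    compromise, with the destination ports they touched: the candidates for
    'what system attacked it' and 'through which service'."""
    by_src = defaultdict(set)
    for f in flows:
        if (f.dst == victim and not on_campus(f.src)
                and compromised_at - window <= f.start <= compromised_at):
            by_src[f.src].add(f.dport)
    return dict(by_src)


FLOWS = """
# start proto src sport dst dport pkts bytes   (constructed records)
2002-06-20T02:40:11 tcp 198.51.100.7 4211 192.0.2.25 80 9 1680
2002-06-20T02:41:02 tcp 198.51.100.7 4220 192.0.2.25 80 14 4390
2002-06-20T02:47:30 tcp 192.0.2.25 1033 198.51.100.7 21 25 3100
2002-06-20T03:10:05 tcp 192.0.2.25 1040 203.0.113.9 65000 6 420
2002-06-20T03:12:40 udp 203.0.113.9 2000 192.0.2.31 27444 1 60
2002-06-20T03:12:41 udp 192.0.2.31 1045 203.0.113.9 31335 1 60
2002-06-20T08:00:00 tcp 192.0.2.40 1050 198.51.100.20 80 12 2200
"""
VICTIM = "192.0.2.25"                                 # host found running the agent
COMPROMISED_AT = datetime(2002, 6, 20, 3, 10, 5)      # first control-channel flow from it

if __name__ == "__main__":
    flows = parse_flows(FLOWS)
    for f, meaning in control_channel_hits(flows):
        print(f.start, f.src, "->", f.dst, f.dport, meaning)
    print("suspected agents:", suspected_local_agents(flows))
    print("who reached the victim first:", inbound_before(flows, VICTIM, COMPROMISED_AT))
```

In the constructed data the victim is contacted twice on port 80 from one off-campus host, then fetches something from that host by FTP, then opens the agent-to-handler connection; that sequence, not the port match alone, is what you would cite in the report to the other site's provider.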

Filed Under: Network Security Tagged With: Intrusion Detection System, Network Security

Security for Windows

May 3, 2002 by Dana Roode

In light of the many viruses and network attacks directed against Windows systems (klez, myparty, Code Red, nimda, etc.), proper security planning is a necessity for departments using Windows 2000 (W2K) or Windows XP (WXP) and Microsoft software such as Outlook, Exchange, or Internet Information Server (IIS).

Common security practices and updates have consistently kept most systems secured against such attacks. But the staff time required to maintain reasonable security is rather costly. NACS will continue to publish the best available information on installation, configuration, and security of Windows systems. (See http://www.nacs.uci.edu/w2kinfo and http://www.nacs.uci.edu/security/virus.html).

Windows system administrators are advised to consider Microsoft’s HFNetChk tool as a good internal hotfix/service pack auditing tool for W2K/IIS systems. Microsoft Baseline Security Analyzer (MBSA, which builds on HFNetChk) and Cerberus Internet Scanner v5.02 are also worthwhile simple, free security auditing tools.

NACS hosts periodic meetings with Computing Support Coordinators and other departmental Windows system administrators to discuss security and other timely issues. Please contact NACS if you would like to participate.

NACS also hosts a number of discussion lists which provide timely information on virus and security issues, including UC-Antivirus, Network-Security-Alerts, and UCICSCG. Interested readers are invited to browse http://www.nacs.uci.edu/org/nacslists.html for descriptions of these and other lists, or to subscribe.

Filed Under: Network Security Tagged With: Network Security, Windows

Network Security Group

December 14, 2001 by Dana Roode

NACS has formed a new 3-person team, Network Planning and Security (NPS or NetPlanSec). NPS is active in a variety of ways to improve the safety and reliability of UCInet.

NPS runs periodic scans for vulnerable servers on campus before attackers do. They also regularly publicize security information and notify system administrators when weaknesses are discovered. Presently, NPS is implementing the campus firewall and Intrusion Detection System. (Details may be found in the Border Router article below.)

NPS staff Garrett Hildebrand, Mike Iglesias, and John Lenning are available for consulting, both one-on-one and in public forums, on such issues as network security, wireless networking and security, and network planning.

Finally, they participate in the UC Policy and Security Officers Group, to develop and assess UC system-wide strategies to resist “cyberterrorism.”

Filed Under: Network Security, Staff Tagged With: Network Security, Staff

Computer Security

October 5, 2001 by Dana Roode

Computer security continues to demand attention at UCI. In the first eight months of 2001, at least 952 attempts were made to scan systems on campus, seeking one of at least 60 different security vulnerabilities.

The good news is that almost all of these efforts failed, thanks to the ongoing effort of NACS staff and system administrators around campus. The bad news is that it will continue to be necessary for computer users on campus to stay informed and protect themselves. Three relatively recent attacks have gained publicity: Sircam, Code Red, and Nimda.

Sircam is a virus which arrives as an e-mail attachment. Opening that attachment on a Windows computer executes malicious code which can harm the computer or distribute confidential information. Once a system is infected, it can also infect any other computer with which it shares disk resources (i.e., “network drives”). Sircam generates a large number of e-mail messages, each with a large attachment (200KB or more); it floods new victims’ mailboxes and places a heavy load on campus mail servers, interfering with systems beyond those infected. Any up-to-date antivirus software (such as McAfee or Norton) can detect and remove Sircam. Keeping it up to date is easiest if you allow the antivirus software to use its automatic update feature.

Code Red (and Code Red II) are internet worms which spread through the IIS web server software. The worm could change the content of your web site and possibly launch denial of service attacks against other systems (see http://www.nacs.uci.edu/news/2001.4.html). Because Code Red generated a lot of network traffic, it could even render HP printers with network (JetDirect) cards unusable. Code Red is stopped by the latest update (“patch”) for IIS, but Windows NT systems have proven hard to keep secure against it even for careful administrators. (Windows 2000 systems can be more thoroughly secured against Code Red.)

Nimda was another internet worm, which (among other techniques) could exploit vulnerabilities left behind by Code Red. Nimda was particularly insidious in that it could infect any computer using Internet Explorer to browse an affected Web site, with no sign to the person doing the browsing. Defense against Nimda is available at both ends: by patching IIS and making other prudent security changes to servers, and by running an up-to-date browser (Internet Explorer 5.01 or 5.5 with Service Pack 2, or Internet Explorer 6.)
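An added example, not NACS tooling, of the log scanning that finds Code Red and Nimda activity in IIS logs. The log excerpt is constructed, in IIS W3C extended format with a reduced #Fields list, and the parser takes its column names from that directive rather than assuming them. The request patterns are the publicly documented ones: Code Red hits an .ida/.idq ISAPI script with a long filler string and %u-encoded shellcode; Nimda walks a list of cmd.exe and root.exe paths (root.exe being the copy of cmd.exe that Code Red II left in the scripts directories) and Unicode or double-encoded “..” traversals. A 2xx status on one of the Nimda probes means the server answered it, so the backdoor or traversal is present and the host is already compromised rather than merely being probed, which is the “vulnerabilities left behind by Code Red” point above.

```python
"""IIS log triage for Code Red and Nimda probes (added example, not NACS
tooling). SAMPLE_LOG is a constructed excerpt in IIS W3C extended format
with a reduced #Fields list; addresses and times are made up."""
import re
from collections import Counter, defaultdict

# Code Red: GET /default.ida?NNNN...%u9090%u6858...  (.ida/.idq ISAPI overflow)
CODE_RED_STEM = re.compile(r"\.id[aq]$", re.IGNORECASE)
CODE_RED_QUERY = re.compile(r"^[NX]{100,}|%u[0-9a-f]{4}", re.IGNORECASE)
# Nimda: requests for cmd.exe / root.exe, usually reached through a '..' traversal
NIMDA_TARGET = re.compile(r"(?:cmd|root)\.exe$", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.(?:%5c|%255c|%c0%af|%c1%1c|%c1%9c|/|\\)", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for line in text.strip().splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        if fields is None:
            raise ValueError("log record before #Fields directive")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated record: skip rather than mis-assign columns
        yield dict(zip(fields, parts))


def classify(rec):
    stem, query = rec["cs-uri-stem"], rec["cs-uri-query"]
    if CODE_RED_STEM.search(stem) and CODE_RED_QUERY.search(query):
        return "codered"
    if NIMDA_TARGET.search(stem):
        return "nimda"
    if TRAVERSAL.search(stem):
        return "traversal"   # not on Nimda's list, but never legitimate either
    return None


def triage(text):
    """Per source address, how many requests of each kind were seen."""
    counts = defaultdict(Counter)
    for rec in parse_w3c(text):
        kind = classify(rec)
        if kind:
            counts[rec["c-ip"]][kind] += 1
    return {ip: dict(c) for ip, c in counts.items()}


def compromise_indicators(text):
    """Nimda probes the server answered with 2xx: the backdoor or traversal
    works, so this host is compromised, not merely being probed."""
    return [(rec["c-ip"], rec["cs-uri-stem"]) for rec in parse_w3c(text)
            if classify(rec) == "nimda" and rec["sc-status"].startswith("2")]


SAMPLE_LOG = f"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 10:00:02 198.51.100.7 GET /scripts/root.exe /c+dir 404
2001-09-18 10:00:02 198.51.100.7 GET /MSADC/root.exe /c+dir 404
2001-09-18 10:00:03 198.51.100.7 GET /c/winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:00:03 198.51.100.7 GET /d/winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:00:04 198.51.100.7 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:00:04 198.51.100.7 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:00:05 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404
2001-09-18 10:05:40 203.0.113.9 GET /default.ida {'N' * 224}%u9090%u6858%ucbd3%u7801%u9090%u6858 200
2001-09-18 10:06:10 192.0.2.50 GET /index.htm - 200
2001-09-18 10:07:00 198.51.100.33 GET /scripts/root.exe /c+dir 200
"""

if __name__ == "__main__":
    for ip, kinds in triage(SAMPLE_LOG).items():
        print(ip, kinds)
    print("compromised:", compromise_indicators(SAMPLE_LOG))
```

The per-source counts separate a Nimda-infected neighbour (a burst of a dozen or more distinct probes in a few seconds) from a single stray request; the 2xx check is the one line that turns “we were scanned” into “we have a compromised server”.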

NACS is coordinating a series of discussions on security techniques for computer support staff. If you would like to be included in the next meeting (to be held in October), please contact NACS.

Filed Under: Network Security Tagged With: Network Security

Network Attacks Continue

May 18, 2001 by Dana Roode

A May 5, 2001 advisory from NIPC (National Infrastructure Protection Center) reported an increase in “distributed denial of service” (DDOS) attacks around the country. In fact, even whitehouse.gov was laid low by such an attack on Friday, May 4. (For more information, please see http://www.cnn.com/2001/TECH/internet/05/08/dos.warning.idg/index.html)

Ordinary DOS attacks involve keeping a computer or network device so busy handling spurious requests that it becomes unable to do the work for which it is intended. Sometimes these attacks are launched from a computer directly under the control of an attacker. Other times the attack is indirect: the attacker breaks into a remote computer and uses it to launch the attack. (This intermediate computer is called a Zombie.) Distributed DOS goes one step further by using a fleet of Zombies to launch coordinated floods, or to send many small bursts so that no one Zombie is easily noticed. (More can be found at http://www.staff.washington.edu/dittrich/misc/ddos/elias.txt)

NACS is undertaking a project to upgrade the campus border router which will provide better management of incoming network traffic. This project includes an intrusion detection system and a firewall to help detect such traffic flows. Additionally, UCI’s border router has already been configured to limit certain types of network traffic which reduces the threat of DOS attacks.

But firewalls and intrusion detection are only part of the picture. The best defense against having a computer being broken into and turned into a Zombie is to keep the system software on it up-to-date (“patched”), turn off all unused network services (“ports”), and to log activity on the system and scan the logs regularly.

Recently, NACS scanned campus subnets looking for Windows 2000 machines running Microsoft IIS 5.0, which has a well-publicized vulnerability reachable over port 80 that lets a remote attacker obtain an interactive (telnet-like) command session on the system. Over 100 potentially vulnerable machines were found on campus, and this information was made available to departmental Computing Support Coordinators. NACS also regularly updates all DCS-supported machines to protect them against known kinds of attacks, and monitors the logs of these machines looking for suspicious connections from the Internet. NACS offers security updates to key support personnel around campus as well. If you do your own support and detect DDOS activity of the type described by NIPC, please contact nacs@uci.edu. NACS is responsible for evaluating attacks and reporting to the FBI when warranted.

Filed Under: Network Security Tagged With: Network Security

