110 likes | 247 Views
Infected Host Isolation via Packeteer PacketShaper. Ben Freitag Grand Valley State University freitagb@gvsu.edu. Step 1 – Detect the Infected Hosts. Cisco IDS Blade Firewall Flows/Server Connections Abnormal Traffic in the Packeteer Complaints from the outside world. Cisco IDS Blade.
E N D
Infected Host Isolation via Packeteer PacketShaper Ben Freitag Grand Valley State University freitagb@gvsu.edu
Step 1 – Detect the Infected Hosts • Cisco IDS Blade • Firewall Flows/Server Connections • Abnormal Traffic in the Packeteer • Complaints from the outside world
Cisco IDS Blade • This is the preferred method • We use this as a passive monitor to look for infected hosts
Firewall Flows/Server Connections • Manual scanning of the connections table in our PIX Blades • SMTP Related Virii show up in our mail queues • Looks like 148.61.253.182 has the Sasser worm:
Abnormal Traffic in the Packeteer &Complaints from the outside world • These are ‘lucky catches’ – would prefer these were caught earlier • Packeteer Aspect usually only works with Auto Discovery
Step 2 – Block the host • At the top of our Packeteer traffic-tree we have created a Folder & Small partition for Blocking. Within the folder we’ve created several classes depending on the type of violation. These classes have a never-admit policy that redirects them to an internal web-site.
Step 2 (Continued) • The Hosts are tied to the classes via a Host Lists for each category: Virus, Abuse, Unauthorized Equipment & Other. • The additions can be made via CLI or via simple VB Application created for our Help Desk:
The User Experience • When a ‘redirected host’ attempts to view a website off of GVSU’s network – they are greeted with a website similar to:
The User Experience (Cont.) • From these websites they can request reactivation or are instructed to call the Help Desk for further assistance. • The Help Desk logs these incidents as Trouble Tickets and is separately tracking offending IPs - tying them to MAC address, student name etc.
Problems • Can require an enormous amount of time – especially at the beginning of the school year. • Does not scale well • Not proactive – no real-time way to tie users to IPs.
The Future • We are evaluating several appliances to provide Network Admission Control (NAC) services such as Perfigo (Cisco) & Blue Socket.