Jekyll and Hyde the Art of Managing a Student Campus Network Herman Moons – KULeuvenNet University of Leuven herman@kuleuven.net Terena Networking Conference 2006 1 KotNet project goals provide students/personnel of the K.U.Leuven and its associated partners with a high-speed and low-cost connection to the campus network and Internet network access from within the natural work habitat (kot for students, home office for personnel) comfortable Internet access is a requirement for todays academic environment with its emphasis on E-learning and coached self-study. KotNet is an enabler for the E-university 2 KotNet project history KotNet today is an integral part of the common university IT infrastructure almost every student room has its KotNet connection >20.000 users / day KotNet is a very successful project ~300 Mbps Internet traffic 3 KotNet infrastructure 1Gbps trunk CMTS HF network KULeuvenNet backbone cable router upc belgium 1 user/cablemodem = 199 EUR/year 16 users/cablemodem = 299 EUR/year UNIVERSITY typically 50 – 300 students/building 100Mbps trunk single-mode fiber student residency 100Mbps trunk WiFi hotspot 4 Jekyll and Hyde how to manage a network of 25.000 students in private rooms, whose computers are not under your control ? be nice... the network must support students with their study and research, and allow for recreational use ...but firm network abuse must be avoided, and measures must be implemented to actively counter such abuses a balance must be reached between enhancing usability and maintaining control. 5 Lesson 1 NAT Internet NAT is good for you KotNet servers public IP's invite network abuse and expose vulnerable student pc's to the worldwide Internet private addresses with NAT on the Internet boundary • effectively blocks illegal, publicly accessible servers • serves as an implicit firewall for vulnerable student pc's public IP subnets are made available to student computer clubs • Internet accessible servers in a controlled environment private IP's are routed normally on the Intranet • internal servers are not a problem students are well-known for "accidentally" distributing copyrighted material. With NAT, this is no longer an issue 6 Lesson 2 know thy enemy (Sun Tzu) authentication users must identify themselves before gaining access to the network enables us to identify users when the need arises following up on complaints helpdesk support solution: network login mechanism new users are automatically redirected to a login webpage when using their browser access to the network is granted only on successful login KotNet is not anonymous reduces misbehavior on the network (users know that complaints can be followed up) 7 user provides userid/password of his/her home organization 8 9 authentication infrastructure userid: s2005011 password: ******** organisation: kuleuven ldap server of home organisation ssl connection netlogin server KotNet router permit s2005011@10.0.0.1 verify against user database at home organisation check authorizations if everything ok, add user's ip address to access list of logged-in users network access is only allowed after successful login 10 Lesson 3 controlling the byte stream students eat bandwidth... but >50% of their traffic is non-educational a substantial amount of the above is illegal this cannot be tolerated, time for the Hyde attack... • string filters block P2P protocols • upstream quota (200MB/day) stop intranet file-sharing • downstream quota (4GB/month) keep traffic under control soften the blow... • exceptions for student research projects (professor approval required) • traffic to e-learning systems is free 11 Lesson 4 click me automated virus detection the problem KotNet users work at home in a non-controlled enviroment KotNet users are often computer-illiterate • they install all kinds of software without much regard for its origin • they click on everything they see when new viruses arrive, lots of KotNet users get infected, causing all kinds of havoc • typically they infect other KotNet users (i.e. the virus spreads rapidly) • lots of viruses often means increased network load requirements viruses need to be detected and contained as soon as possible end-user must be informed that his/her computer has a problem click me click me click me 12 automated virus detection problem analysis viruses typically try to distribute themselves to other computers • by scanning lots of other hosts in order to find a weakness they can exploit shows up in netflow accounting data as hostscans and portscans • by emailing themselves to other users (using the infected user's address book) central anti-virus cluster will detect the virus in outgoing mail message 13 see http://www.splintered.net/sw/flow-tools/ virus detection architecture kotnet login server user (s200501) with his infected pc (10.0.0.1) virus detected @ 10.0.0.1 email central antivirus cluster whois 10.0.0.1 ? 10.0.0.1 = s200501 logout s200501@10.0.0.1 blacklist server portscan hostscan portscan/hostscan detected @ 10.0.0.1 netflow analysis scripts blacklist database insert s200501@10.0.0.1 into blacklist database 14 blacklist database general overview of the blacklist database 15 blacklist database zoomed in on a specific incident 16 KotNet login and blacklist when blacklisted, a user is logged out automatically within 15 min we try to minimize the time an infected pc is connected to the network • infected pc's typically contact hundreds to thousands of other hosts on the Internet. Blocking them as soon as possible means the K.U.Leuven university behaves as a responsible net citizen. notifying end-users that their pc has a problem is not enough • end-users never listen to net-administrators, unless you force them new login attempts will fail, unless the end-user actively reactivates his/her account 17 Login attempt for a blacklisted user login fails because the user appears on the blacklist. The user also gets detailed instructions explaining why his account is blocked, and how the situation can be rectified 18 user can click a link on the login result page to reactivate his/her account (once the problem on his/her pc has been fixed) This is an automated process without net-admin intervention only ONE reactivation per day !!! typically users immediately try to reactivate their account, only to be blacklisted again. Then they start reading instead of clicking, and begin to fix the problem. 19 conclusions <quote> $lang =~ s/^.*$/Perl/; print “${lang} rules!\n”; </quote> KotNet = basic infrastructure standard student room has a KotNet connection requirement for a successful E-learning environment control is essential Jekyll-Hyde technology unobtrusive to normal user, but activated when abuses are detected in-house software development required to address specific KotNet needs (login, bandwidth control, auto-anti-virus, ...) change is the norm continuously changing student populations new applications arriving at an ever-increasing rate network management in a student campus network is a continuous quest for the optimal Jekyll-Hyde balance 20