Network Security – It Takes a Village
May 14th, 2008 by Louis DiMeglio
Something that should not be a surprise – it turns out that securing the world’s largest temporary network takes a variety of vendors working together.
For three days, InteropNet is one of the largest hacking targets on the planet. Attacks and threats come from both inside and outside the network. While the external attacks are certainly more malicious in intent, most of the internal ones ended up being due to misconfiguration or just plain misunderstanding.
Let’s play a game. It’s called Malicious or Not.
- Video streaming devices flooded the network with millions of multicast packets per second. EM7 noticed a big bump in latency on that network segment at the same time that the Enterasys Dragon IDS caught the flood of packets. Both tools could tell the origin of the packets and traced them back to misconfigured video multicast devices. In this case: Not Malicious, but the segment was still degraded until the problem was fixed.
- One vendor at the show purposely scanned all other devices on the show network to model them in their product demos. They didn’t ask anyone’s permission (or at least they didn’t ask ours). They purposely tried multiple SNMP community strings against each device to see if any would work. Malicious or Not? I’ll let you guys take this one. Personally I don’t think they meant it to be malicious, but as a monitoring tool in this space, they should have known that all that scanning would actually degrade the network and other vendors’ device performance. I wonder if this is the vendor that was telling people that it does this at every show, and this is the first time it’s been caught.
Connect the Vendors
Enterasys took care of external attacks by identifying them and asking Qwest to block them. But it’s with the internal “devices behaving badly”, that the real fun began. It took a combination of vendors to identify, confirm and track down the offenders on the network.
First, Enterasys Dragon IDS alerted on suspicious behaviors. Dragon identified the IP, MAC address or switch port that was having the issue; that information was then cross-checked against the vendor registry in EM7 to track the offender down to a booth, a room or a wireless access point in the facility. Splunk was also used to look at logs and verify the source of the bad behavior.
For tracking down wireless misbehavior, Aruba Networks had a cool tool that took the info from Dragon and EM7 and used it to literally triangulate the location (down to a laptop).
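The two "devices behaving badly" cases above and the IDS-to-registry cross-check they required can be expressed as a small correlator. The following is an added example, not code from InteropNet, Enterasys, EM7 or Aruba: the flow records, the registry entries, the thresholds and the record format are all constructed for illustration.

```python
"""Correlate bad-behavior detections with a NOC vendor registry.

Added example. The registry, the flow records and both thresholds are
constructed assumptions, not data or formats from the original post.
"""
import ipaddress
from collections import defaultdict

# Constructed registry: MAC address -> where that drop lives on the show floor.
REGISTRY = {
    "00:11:22:33:44:55": {"vendor": "VideoCo", "booth": "1412",
                          "switch": "sw-hall-c-07", "port": "Gi1/0/12"},
    "00:aa:bb:cc:dd:ee": {"vendor": "MonitorCo", "booth": "2207",
                          "switch": "sw-hall-d-02", "port": "Gi1/0/3"},
    "00:de:ad:be:ef:01": {"vendor": "HonestCo", "booth": "0910",
                          "switch": "sw-hall-b-11", "port": "Gi1/0/40"},
}

# Constructed one-second flow summaries:
# (src_ip, src_mac, dst_ip, proto, info, packets)
# `info` carries the SNMP community string for SNMP requests, otherwise "".
EVENTS = [
    ("10.0.12.5", "00:11:22:33:44:55", "239.1.1.7", "udp", "", 2_400_000),
    ("10.0.12.5", "00:11:22:33:44:55", "239.1.1.8", "udp", "", 1_900_000),
    ("10.0.22.9", "00:aa:bb:cc:dd:ee", "10.0.9.10", "snmp", "public", 3),
    ("10.0.22.9", "00:aa:bb:cc:dd:ee", "10.0.9.10", "snmp", "private", 3),
    ("10.0.22.9", "00:aa:bb:cc:dd:ee", "10.0.9.11", "snmp", "cisco", 3),
    ("10.0.22.9", "00:aa:bb:cc:dd:ee", "10.0.9.11", "snmp", "monitor", 3),
    # A legitimate poller uses one agreed community string, repeatedly.
    ("10.0.9.2", "00:de:ad:be:ef:01", "10.0.9.10", "snmp", "public", 40),
    # A normal multicast viewer sends a trickle of join/keepalive traffic.
    ("10.0.9.2", "00:de:ad:be:ef:01", "239.1.1.7", "udp", "", 500),
]

MCAST_PPS_THRESHOLD = 100_000    # assumed: above this, a source is "flooding"
SNMP_COMMUNITY_THRESHOLD = 3     # assumed: more distinct strings than this is guessing


def detect_multicast_floods(events, threshold=MCAST_PPS_THRESHOLD):
    """Sum packets per source toward multicast destinations (224.0.0.0/4)."""
    pps = defaultdict(int)
    for src_ip, mac, dst_ip, _proto, _info, packets in events:
        if ipaddress.ip_address(dst_ip).is_multicast:
            pps[(src_ip, mac)] += packets
    return {k: v for k, v in pps.items() if v > threshold}


def detect_snmp_guessing(events, threshold=SNMP_COMMUNITY_THRESHOLD):
    """Count distinct SNMP community strings tried by each source."""
    tried = defaultdict(set)
    for src_ip, mac, _dst_ip, proto, community, _packets in events:
        if proto == "snmp":
            tried[(src_ip, mac)].add(community)
    return {k: sorted(v) for k, v in tried.items() if len(v) > threshold}


def locate(mac, registry=REGISTRY):
    """Cross-check a MAC against the registry; None means a manual hunt."""
    return registry.get(mac.lower())


def findings(events, registry=REGISTRY):
    """Combine both detectors and attach the registry location to each hit."""
    out = []
    for (ip, mac), pps in detect_multicast_floods(events).items():
        out.append({"type": "multicast_flood", "ip": ip, "mac": mac,
                    "pps": pps, "where": locate(mac, registry)})
    for (ip, mac), communities in detect_snmp_guessing(events).items():
        out.append({"type": "snmp_community_guessing", "ip": ip, "mac": mac,
                    "communities": communities, "where": locate(mac, registry)})
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        where = f["where"] or {"vendor": "unknown", "booth": "?", "switch": "?", "port": "?"}
        print(f"{f['type']}: {f['ip']} ({f['mac']}) -> booth {where['booth']} "
              f"{where['vendor']} on {where['switch']} {where['port']}")
```

The flood rule keys on the multicast destination range rather than on any one source, so a misconfigured encoder and a deliberate flood both surface the same way; the SNMP rule keys on the number of distinct community strings, which is what separates a poller that knows its one agreed string from a scanner that is guessing. A MAC missing from the registry yields `None`, which is the case where the wireless triangulation described next earns its keep.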
Before the show started, we played wireless security hide and seek – testing our security process by sending people out with laptops and finding them, gps-style, whether they were walking around or hiding under a desk.
Overall, I think the real-life multi-vendor network security solutions I’ve described here are great examples of why interoperability is so important and why InteropNet was such a great experience.
3 Comments
1. Michael Wilde | May 14th, 2008 at 10:11 am
Nice post Louis. In New York or next year, it might actually be kind of cool, instead of just having the “NOC Tour”, but to do one of the following:
1. Do a video documentary on how InteropNet is setup
2. Hold a class for the attendees on “Challenges with Interoperability” and have a panel of NOC sponsors.
There’s a lot the attendees could learn at the show–about how the show works.
-michael
2. Futher Comments About Int… | May 16th, 2008 at 10:19 am
[...] Recently Alan wrote an interesting post about the lack of “interoperability” at Interop, but we saw just the opposite. [...]
3. Interop Las Vegas 2008 - … | June 11th, 2008 at 8:49 pm
[...] a complicated network in two weeks, but then to keep it up and running 100% of the time in the wild west environment that is Interop, is really [...]