ITAC Meeting
November 17, 2005, 2:00 pm
Dumke Conference Room, EBC

Agenda:

1. Network Connection Agreement
http://www.it.utah.edu/leadership/policies/NetworkConnection.pdf

The Network Connection Agreement, dated November 2001, shows its age after four years of technology and organizational change. Please take a moment to read this agreement and prepare to discuss the necessary changes. OIT will also begin drafting a Service Level Agreement for its network services.

A circumstance on campus forces the issue of network connections that terminate on campus but come from external service providers. The same issue arises for layer 2 NLR connections that span networks between institutions. Bryan Morris has drafted a proposed addendum for these cases:

IP Network Connections Via External (non-University) Service Providers
University colleges and departments that have data network connections with service providers other than the University network will ensure that such connections are not used as a transit point and do not allow data traffic to flow between services on the University network and the service provider network.

2. Automation of Blackholing malicious hosts

ISO has developed the ability to identify from netflow data, with five-nines (99.999%) accuracy and within 30 minutes, machines that are doing malicious scans of University of Utah address space for specific services. Presently we identify SSH (port 22) and remote desktop (VNC, port 5900) scans, and we have the ability to identify scans for any port. The process for blocking these machines and stopping the attacks is currently manual and cumbersome, and the malicious machines are typically done scanning by the time the block is in place. OIT (ISO and NOC) proposes that we investigate a method to automatically create and insert rules on the firewall to stop these scans as soon as they are identified.
With ITAC's blessing we will start the process, build a test system, and present our findings and proposed architecture at the next ITAC meeting.

3. Using Smartmanager to enforce application of patches

The NOC has deployed a Cisco Smartmanager device to authenticate wired users in student housing, replacing the ANA system, and on several wireless networks on campus. The Smartmanager has built-in functionality to scan machines for potential problems before they are allowed onto the campus network. If problems are identified, the Smartmanager moves the machine to an unrouted network where it can download and apply the proper patches and anti-virus updates before it is allowed onto the routed network. OIT (NOC and ISO) proposes that we configure and test this feature on a test network with a test configuration to gauge its effectiveness. If the feature is effective and has minimal impact on the authentication process for clean users, we request that it be enabled on all address space in student housing and on the wireless networks.

4. Class C at each distribution node for ISO use in "honeynet" style intrusion detection

ISO requests a class C (/24) address range, preferably the lowest numerically available, at each of the distribution nodes. This "unused" address space will be monitored via netflow data for activity directed at it from inside and outside the U network; because no legitimate host has a reason to talk to it, any such traffic indicates either malicious activity or poorly configured machines. We further propose that all VLANs configured on each node have an explicit permit statement in their ACLs or firewall rules allowing all traffic to these unused but monitored networks, so that we can see scanning that is currently hidden by the ACLs (e.g., on the Microsoft ports).

5.
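Agenda items 2 and 4 rest on the same netflow analysis: counting each source's fan-out toward campus address space on a watched port, and flagging any flow aimed at an unused, monitored /24. The Python below is an added example of that logic, not ISO's or the NOC's tooling. The flow records are constructed, and the 20-target threshold, the darknet prefix 155.98.0.0/24, the IOS-style blackhole rule format and the NOC allowlist (the 155.98.253.0/24 range marked NOC in item 5's ACL) are assumptions for illustration.

```python
# Added example: netflow-driven scan detection and darknet monitoring.
# All flow records below are constructed; thresholds, window and prefixes are
# assumptions, not ISO's actual parameters.
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WATCHED_PORTS = {22, 5900}      # SSH and VNC, the services named in agenda item 2
SCAN_THRESHOLD = 20             # distinct campus targets per source in one window (assumed)
WINDOW_S = 30 * 60              # the 30-minute detection window from item 2
CAMPUS = [ip_network(p) for p in
          ("128.110.0.0/16", "155.97.0.0/16", "155.98.0.0/15", "155.100.0.0/15")]
DARKNET = ip_network("155.98.0.0/24")        # assumed unused /24 at one distribution node
ALLOWLIST = [ip_network("155.98.253.0/24")]  # NOC scanners (range marked NOC in the wireless ACL)


def in_any(addr, nets):
    a = ip_address(addr)
    return any(a in n for n in nets)


def detect_scanners(flows):
    """Return {src: (port, targets)} for sources whose distinct-target fan-out on a
    watched port crosses SCAN_THRESHOLD within a sliding WINDOW_S window.
    Each flow is (ts_seconds, src, dst, proto, dst_port, tcp_flags)."""
    recent = defaultdict(deque)   # (src, port) -> deque of (ts, dst), oldest first
    hits = {}
    for ts, src, dst, proto, dport, flags in sorted(flows):
        # Only connection attempts (SYN seen) toward campus space on a watched port.
        if proto != "tcp" or "S" not in flags or dport not in WATCHED_PORTS:
            continue
        if not in_any(dst, CAMPUS) or in_any(src, ALLOWLIST):
            continue
        q = recent[(src, dport)]
        q.append((ts, dst))
        while ts - q[0][0] > WINDOW_S:   # drop entries older than the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= SCAN_THRESHOLD and src not in hits:
            hits[src] = (dport, len(targets))
    return hits


def darknet_hits(flows):
    """Any flow aimed at the unused /24 is a scan or a misconfigured host.
    Returns {(src, 'inside'|'outside'): {(proto, dst_port), ...}}."""
    seen = defaultdict(set)
    for ts, src, dst, proto, dport, flags in flows:
        if ip_address(dst) in DARKNET and not in_any(src, ALLOWLIST):
            origin = "inside" if in_any(src, CAMPUS) else "outside"
            seen[(src, origin)].add((proto, dport))
    return dict(seen)


def blackhole_rules(scanners):
    """Render block rules in IOS extended-ACL syntax (assumed firewall format)."""
    return [f"access-list blackhole deny ip host {src} any" for src in sorted(scanners)]


def sample_flows():
    """Constructed netflow records for the demonstration."""
    flows = []
    # External host sweeping 30 campus addresses on tcp/22, one per second.
    for i in range(1, 31):
        flows.append((1000 + i, "203.0.113.7", f"155.97.10.{i}", "tcp", 22, "S"))
    # Legitimate user reopening an SSH session to one server several times.
    for i in range(5):
        flows.append((2000 + 60 * i, "198.51.100.5", "155.97.10.1", "tcp", 22, "SAPF"))
    # Campus host with a stale NetBIOS name-server address pointing into the darknet.
    for i in range(3):
        flows.append((3000 + i, "155.97.50.9", "155.98.0.5", "udp", 137, ""))
    # NOC scanner exercising the darknet: allowlisted, so ignored by both detectors.
    flows.append((4000, "155.98.253.10", "155.98.0.1", "tcp", 22, "S"))
    return flows


if __name__ == "__main__":
    fl = sample_flows()
    print(blackhole_rules(detect_scanners(fl)))   # one rule for 203.0.113.7
    print(darknet_hits(fl))                       # the inside host hitting udp/137
```

Two caveats belong in any automated version of this. First, netflow records the source address as sent, so an attacker who scans with a forged source can get a legitimate host blackholed; an allowlist of infrastructure addresses and an automatic expiry on every inserted rule limit the damage. Second, the darknet detector deliberately has no threshold, which is what makes the item 4 address space useful: a single packet into it from a campus host is worth a ticket even if it is only a misconfiguration.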
Consistent wireless network ACL configurations

ISO proposes that all publicly available wireless networks on campus have the same ACL/firewall configuration, to prevent malicious traffic, SPAM and unintentional scanning from originating on these networks. The ACLs/firewall rules would be very similar to what is currently in place in campus housing: deny the Microsoft ports (135-139, 445) in and out, and allow port 25 (SMTP) only to on-campus addresses. Rules are evaluated top to bottom and the first match wins, so the order below matters; "wireless_address_range" is a placeholder for the wireless client address space.

access-list wireless_in
! NOC
access-list wireless_in permit icmp 155.98.253.0 0.0.0.255 any
! Openview
access-list wireless_in permit icmp host 155.97.160.133 any
access-list wireless_in permit icmp wireless_address_range any echo-reply
access-list wireless_in permit icmp wireless_address_range any echo
access-list wireless_in permit icmp wireless_address_range 155.97.0.0 0.0.255.255 time-exceeded
access-list wireless_in permit icmp wireless_address_range 155.98.0.0 0.1.255.255 time-exceeded
access-list wireless_in permit icmp wireless_address_range 155.100.0.0 0.1.255.255 time-exceeded
access-list wireless_in deny icmp any any
access-list wireless_in permit tcp wireless_address_range 128.110.0.0 0.0.255.255 eq smtp
access-list wireless_in permit tcp wireless_address_range 155.97.0.0 0.0.255.255 eq smtp
access-list wireless_in permit tcp wireless_address_range 155.98.0.0 0.1.255.255 eq smtp
access-list wireless_in permit tcp wireless_address_range 155.100.0.0 0.1.255.255 eq smtp
access-list wireless_in permit tcp wireless_address_range host 66.18.28.45 eq smtp
access-list wireless_in deny tcp any any eq smtp
access-list wireless_in deny tcp any any range 135 139
access-list wireless_in deny udp any any range 135 netbios-ss
access-list wireless_in deny tcp any any eq 445
access-list wireless_in deny udp any any eq 445
access-list wireless_in deny tcp any any eq 1025
access-list wireless_in deny udp any any eq 1025
access-list wireless_in deny tcp any any range 1433 1434
access-list wireless_in deny udp any any range 1433 1434
access-list wireless_in permit ip wireless_address_range any
access-list wireless_in permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
! DHCP server
access-list wireless_in permit ip 199.104.93.244 0.0.0.1 any
access-list wireless_in deny ip any any log

access-list wireless_out
access-list wireless_out permit icmp any any echo-reply
access-list wireless_out permit icmp any any unreachable
access-list wireless_out permit icmp any any source-quench
access-list wireless_out permit icmp 199.104.93.240 0.0.0.15 any echo
access-list wireless_out permit icmp 155.97.0.0 0.0.255.255 any echo
access-list wireless_out permit icmp 155.98.0.0 0.1.255.255 any echo
access-list wireless_out permit icmp 155.100.0.0 0.1.255.255 any echo
access-list wireless_out permit icmp any any time-exceeded
access-list wireless_out deny icmp any any
access-list wireless_out deny tcp any any range 135 139
access-list wireless_out deny udp any any range 135 netbios-ss
access-list wireless_out deny tcp any any eq 445
access-list wireless_out deny udp any any eq 445
access-list wireless_out permit ip any any
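To see what that rule order actually permits, here is an added Python example (not OIT's tooling) that parses the wireless_in rules exactly as written above and replays a few constructed packets through them with first-match semantics. The wireless client range 192.0.2.0/24 standing in for wireless_address_range, and the packet addresses, are assumptions.

```python
# Added example (not OIT's tooling): first-match simulator for the wireless_in ACL.
from ipaddress import ip_address, ip_network

PORT_NAMES = {"smtp": 25, "bootps": 67, "netbios-ss": 139}
WIRELESS = ip_network("192.0.2.0/24")  # assumed stand-in for wireless_address_range

WIRELESS_IN = """\
access-list wireless_in permit icmp 155.98.253.0 0.0.0.255 any
access-list wireless_in permit icmp host 155.97.160.133 any
access-list wireless_in permit icmp wireless_address_range any echo-reply
access-list wireless_in permit icmp wireless_address_range any echo
access-list wireless_in permit icmp wireless_address_range 155.97.0.0 0.0.255.255 time-exceeded
access-list wireless_in permit icmp wireless_address_range 155.98.0.0 0.1.255.255 time-exceeded
access-list wireless_in permit icmp wireless_address_range 155.100.0.0 0.1.255.255 time-exceeded
access-list wireless_in deny icmp any any
access-list wireless_in permit tcp wireless_address_range 128.110.0.0 0.0.255.255 eq smtp
access-list wireless_in permit tcp wireless_address_range 155.97.0.0 0.0.255.255 eq smtp
access-list wireless_in permit tcp wireless_address_range 155.98.0.0 0.1.255.255 eq smtp
access-list wireless_in permit tcp wireless_address_range 155.100.0.0 0.1.255.255 eq smtp
access-list wireless_in permit tcp wireless_address_range host 66.18.28.45 eq smtp
access-list wireless_in deny tcp any any eq smtp
access-list wireless_in deny tcp any any range 135 139
access-list wireless_in deny udp any any range 135 netbios-ss
access-list wireless_in deny tcp any any eq 445
access-list wireless_in deny udp any any eq 445
access-list wireless_in deny tcp any any eq 1025
access-list wireless_in deny udp any any eq 1025
access-list wireless_in deny tcp any any range 1433 1434
access-list wireless_in deny udp any any range 1433 1434
access-list wireless_in permit ip wireless_address_range any
access-list wireless_in permit udp host 0.0.0.0 host 255.255.255.255 eq bootps
access-list wireless_in permit ip 199.104.93.244 0.0.0.1 any
access-list wireless_in deny ip any any log
"""

def parse_addr(tok, i):
    """Consume one address spec: any | host A | A WILDCARD | the placeholder."""
    t = tok[i]
    if t == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ip_network(tok[i + 1]), i + 2
    if t == "wireless_address_range":
        return WIRELESS, i + 1
    # IOS wildcard bits set to 1 are don't-care, so prefix length = 32 - popcount
    plen = 32 - bin(int(ip_address(tok[i + 1]))).count("1")
    return ip_network(f"{t}/{plen}", strict=False), i + 2

def parse_match(tok, i, proto):
    """Trailing qualifier: port container for tcp/udp, {icmp-type} for icmp, else None."""
    if i >= len(tok):
        return None
    if proto == "icmp":
        return {tok[i]}
    port = lambda p: int(PORT_NAMES.get(p, p))
    if tok[i] == "eq":
        return {port(tok[i + 1])}
    if tok[i] == "range":
        return range(port(tok[i + 1]), port(tok[i + 2]) + 1)
    return None  # e.g. the trailing "log" keyword

def parse_acl(text):
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue  # header, remark and blank lines carry no rule
        action, proto = tok[2], tok[3]
        src, i = parse_addr(tok, 4)
        dst, i = parse_addr(tok, i)
        rules.append((action, proto, src, dst, parse_match(tok, i, proto)))
    return rules

def evaluate(rules, proto, src, dst, port=None, icmp_type=None):
    """First matching rule decides; IOS ends every ACL with an implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for action, rproto, rsrc, rdst, match in rules:
        if rproto not in ("ip", proto) or s not in rsrc or d not in rdst:
            continue
        wanted = icmp_type if rproto == "icmp" else port
        if match is not None and wanted not in match:
            continue
        return action
    return "deny"

def checks():
    rules = parse_acl(WIRELESS_IN)
    w = "192.0.2.10"  # a wireless client (constructed)
    return {
        "smtp_to_campus": evaluate(rules, "tcp", w, "155.97.1.5", port=25),
        "smtp_to_internet": evaluate(rules, "tcp", w, "203.0.113.25", port=25),
        "smb_to_campus": evaluate(rules, "tcp", w, "155.97.1.5", port=445),
        "web_to_internet": evaluate(rules, "tcp", w, "203.0.113.80", port=80),
        "dhcp_discover": evaluate(rules, "udp", "0.0.0.0", "255.255.255.255", port=67),
        "spoofed_source": evaluate(rules, "tcp", "10.9.9.9", "203.0.113.80", port=80),
        "ping_internet": evaluate(rules, "icmp", w, "203.0.113.1", icmp_type="echo"),
        "unreachable_to_campus": evaluate(rules, "icmp", w, "155.97.1.5", icmp_type="unreachable"),
    }
```

The replay makes two properties visible that are easy to miss in the flat list. A packet whose source is outside wireless_address_range (a spoofed or misconfigured client) matches none of the permits and falls through to the final "deny ip any any log", which is the anti-spoofing effect of ending with an explicit deny. And "deny icmp any any" drops every ICMP type a client sends other than echo, echo-reply and time-exceeded toward campus, so a destination-unreachable from a wireless host never leaves the segment; that is the intended policy, but it is worth knowing when debugging path MTU or traceroute complaints.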