The traffic cop: Stopping bugs in transit


Like most colleges, Dartmouth had a big problem: an ever-changing student population connecting to the network using a variety of devices, many infected with malware.

The compromised systems slowed down the network for other users and tried to attack critical subnets, recalls Jason Jeffords, director of security services at the Ivy League college in Hanover, NH.

With a large network that has up to 20,000 active IP addresses at a time, including laptops, routers, and switches, tracking down the infected machines was a laborious, manual process.

Engineers studied network traffic patterns, using tools such as protocol analyzers to detect anomalous behavior, and blocked compromised hosts.

"The whole process could take hours, days, or weeks depending on the severity of the attack," Jeffords says.

It became obvious that Dartmouth needed something to streamline and automate the process to stop attacks. Jeffords and his team decided to try StealthWatch from Lancope. The appliance-based system monitors network behavior, detects anomalies and blocks or isolates threats.

"It's worked out remarkably well for us," says Jeffords. "It has helped to stop the attacks that were causing network service disruptions."

When StealthWatch first arrived, Jeffords spent some time tuning the box to recognize legitimate traffic at the college. The system came without blocking enabled, which is useful because automatic blocking is problematic, he notes: "You don't want to go around blocking things willy-nilly, because you don't know if there's a problem."

Tuning StealthWatch was a simple process, says Jeffords. "You train the box to recognize hosts, such as a mail server. You train it so it can recognize the traffic pattern from that mail server as legitimate mail traffic."

Anything that falls outside of normal patterns, such as a host suddenly sending more traffic than normal, indicates there could be a problem. The system can be set to block the attack or issue an alarm.

"You can set up certain subnets or hosts so they never get blocked," explains Jeffords. "In that situation, I will get alarms for them, whereas if other subnets, such as a residential hall, are propagating a worm, that gets blocked immediately."
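The tuning and response policy described above (train a per-host baseline, treat traffic well outside it as an anomaly, and then either alarm or block depending on whether the host sits in an exempt subnet) can be sketched in a few lines. The following Python is an added illustration, not Lancope or StealthWatch code; the hosts, subnets and byte counts are constructed samples, and the mean-plus-k-sigma threshold is one reasonable choice of "falls outside of normal patterns", not the product's actual algorithm.

```python
"""Baseline-driven traffic triage with never-block exemptions.

Added illustration (not StealthWatch's code): each host gets a learned
baseline of bytes sent per interval; a reading far above that baseline is
an anomaly, and the response depends on whether the host is in a subnet
that is configured to alarm only, never to block.
"""
import ipaddress
from statistics import mean, pstdev

# Constructed sample baselines: bytes sent per 5-minute interval, one list per host.
BASELINES = {
    "10.1.0.5": [900, 1000, 1100, 950, 1050],   # hypothetical mail server
    "10.50.3.17": [20, 30, 25, 35, 40],         # hypothetical residence-hall laptop
}

# Hypothetical server subnet: anomalies here raise an alarm but are never blocked.
NEVER_BLOCK = [ipaddress.ip_network("10.1.0.0/24")]


def threshold_for(samples, k=3.0, min_sigma_ratio=0.10):
    """Upper bound of 'normal' for a host: mean + k * sigma.

    sigma is floored at a fraction of the mean so that a host whose training
    samples barely vary does not end up with an unrealistically tight limit.
    """
    mu = mean(samples)
    sigma = max(pstdev(samples), min_sigma_ratio * mu)
    return mu + k * sigma


def triage(host, observed, baselines=BASELINES, never_block=NEVER_BLOCK):
    """Return (verdict, threshold); verdict is 'normal', 'alarm' or 'block'.

    A host with no baseline is alarmed rather than blocked: with nothing to
    compare against, an operator should look before anything is cut off.
    """
    samples = baselines.get(host)
    if samples is None:
        return "alarm", None
    limit = threshold_for(samples)
    if observed <= limit:
        return "normal", limit
    addr = ipaddress.ip_address(host)
    if any(addr in net for net in never_block):
        return "alarm", limit      # exempt subnet: notify, do not block
    return "block", limit          # everywhere else: block immediately


if __name__ == "__main__":
    # Constructed observations for a single interval.
    for host, observed in [("10.1.0.5", 1250), ("10.1.0.5", 8000),
                           ("10.50.3.17", 45), ("10.50.3.17", 600),
                           ("10.50.9.2", 700)]:
        verdict, limit = triage(host, observed)
        print(f"{host:12} sent {observed:>5} bytes -> {verdict:6} (limit {limit})")
```

The mail server's unusually high reading produces an alarm only, because its subnet is on the never-block list, while the same kind of spike from the residence-hall host is blocked; a host with no baseline is alarmed so that a person decides, which matches the point that automatic blocking should not be enabled until the baselines are trustworthy.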

StealthWatch is also catching something that Jeffords says plagues a lot of colleges – distributed denial-of-service attacks. Recently, two Linux servers were hit, launching DoS attacks and swamping the network with traffic.

"The good news is that when those things happen, the system is tuned in a way so the duration lasts only a minute and a half, as opposed to having to manually figure out why the internet is slow, which could take hours," he remarks.

StealthWatch also lets Dartmouth do some forensics when a host is compromised by recording session information. If engineers believe a system has been compromised on a certain date, they can go back and look and see what was happening on that machine that day.

When StealthWatch does detect a compromised system and blocks it, the machine is typically brought to one of Dartmouth's helpdesks or consultants, who fix it and install tools to remove viruses, spyware and adware, explains Jeffords. They also install Sygate Secure Enterprise, which enforces security policies and is centrally managed.

Lancope's technology is part of the overall security architecture at Dartmouth, including intrusion prevention from Tipping Point (recently bought by 3Com), Cisco PIX firewalls, Juniper Networks firewalls, and firewall rules on its Aruba wireless switches and host-based firewalls.

Jeffords, who does technical work such as network engineering in addition to security, says the college plans to set up a security office for all security implementations and architecture. At the moment, Dartmouth takes a decentralized approach to infosec. This means a member of each technical team also wears a security hat.

The college also plans to continue its tradition of staying on the leading edge of networking, says Jeffords. As well as high-end, multi-gigabit Cisco switches and routers, the college has a large-scale wireless network, and voice over IP, both wired and wireless.

It is replacing its wireless infrastructure with tri-mode wireless points in every building on campus. With multiple SSIDs, users will connect to the wireless network at different security levels, which will dictate their level of service and privileges.

Dartmouth's user community includes employees, students, visiting professors and conference attendees, all using a range of systems from Linux and Macintosh to versions of Windows as old as 3.1.

"Colleges are a unique environment. You really do have to listen to a diverse user community," concludes Jeffords.
