Martí Griera (Marti.Griera@uab.es) Ángel Jarabo (Angel.Jarabo@cc.uab.es) Maribel Jiménez (Maribel.Jimenez@uab.es) Juan Antonio Martínez (Juanan.Martinez@uab.es)

Network Department - Servei d’Informàtica Universitat Autònoma de Barcelona. Barcelona-Spain

Abstract

Security is an everyday problem for network administrators. Much work has been done in the recent years concerning high-level security. In this paper we describe the work carried out in our campus network in order to provide security at lower levels. We will show that this level of security is, at least, so important as security at higher levels. The main tool used will be the well-known SNMP protocol. Some other aspects as the integration of management protocols with user databases (mainly LDAP) will be explained.

Contents

Description of the problem
Objectives
Whole network ‘anti-sniffing’ securization
Solution for teaching classrooms
Solution for the libraries free-access points
State of implementation
Requirements for the implementation of such a system
Concluding remarks
References

Description of the problem

The University can be considered a heterogeneous environment with different users and different requirements. This paper shows in detail the issues we have considered in order to implement a global security policy for our campus network. We explain the actions we have taken in order to avoid security holes in the various environments the university has.

These actions are not restricted to a campus environment. Any network with management facilities in its devices is suitable for our design. Our main goal is to develop a vendor-independent solution which can even work in a environment where devices from many vendors coexist. This solution must take maximum profit of the standard SNMP management protocol. In our opinion, powerful features of this protocol are not widely used today, although their use would increase greatly security in today's networks.

To begin with, we explain the work carried out concerning physical security and the access policy to the network resources. We will discuss the policies we implement on the basis of the functional differences on the points where the network is present. We will introduce the concept of ‘authorized points’. For this kind of points we will try to develop a technique to avoid the inherent insecure nature of the Ethernet topologies. In such networks, one machine in a segment can easily see traffic not addressed to it (‘sniffing attacks’). We will implement a solution that is almost ‘port bridging’ without its hardware requirements.

Then we will introduce another type of points. Computers are everyday more important in teaching and educational purposes. Some teachers have their own laptop computer, with an ethernet adapter. This laptop is used to teach classes. These network points at the classrooms are potential security holes. The idea implemented and explained in this paper is an ‘on-demand restricted activation’ based on the integration of authorized identification (LDAP) and network management (SNMP). Only authorized users with authorized machines will be able to use that point.

In addition to teaching, the University means also studying. So we have developed a system for our students to connect their laptops to our network access points in the libraries. Here again, security is a must, but can not restrict the need for the service.

To sum up we will show the exact definition and results of these policies and the technical requirements to implement them.
 

Objectives

This project began with the following objectives:

• Eliminate the security hole of the Ethernet Networks. Our idea was to achieve a solution as near as possible to a ‘bridging per port’ in a hub based network. Each machine would only be able to see the traffic for it.
• Allow the teachers to make use of the laptops computers in the teaching classrooms without a security problem (selective authentication).
• Offer the students the possibility to connect their laptops in our university libraries.
• Evaluate the cost of the implementation of the above policies. This cost should be as low as possible.

Whole network ‘anti-sniffing’ securization

Our first objective was to avoid the sniffing of the Ethernet shared networks. In fact this problem had been greatly reduced with the switching structure of our campus network and the separation of the critic areas with routing (more exactly our computer classrooms for students). Anyway, we looked for a more ambitious solution, that were independent of the network physical topology.

Our approach is to take advantage of the SNMP network management protocol. Our campus hubs have management capabilities and they have the possibility to secure their ports. With these security capacity we can achieve that only those packets directed to the machine connected to a port are delivered to this port. Technically it’s a masking solution, that makes the packets not addressed to the receiver on a port uninteligible to it.

This policy can be thought as quite simple, but it is really powerful. To begin with, after being implemented no hubs will work on the network without the knowledge of the network managers. A user will not be able to install more than one physical (MAC) address on a secured closet, as the hub will only allow the operation of one of them. So, we achieve a perfect control of our network infrastructure, avoiding the uncontrolled growth of the network.

We can go even further. We can –if it’s necessary- associate a unique port-MAC address relation. This means that a machine can only work where it is supposed to. Furthermore, the system interacts with the network database (obtained also with SNMP) not allowing unauthorized machines to work. For example, we don’t allow a network node to connect if its Ethernet address won’t be able to find an IP address from our dhcp servers.

The operation of the system described above is fully automatic. A set of scripts defines the policies we are to follow. The system generates a conceptual view of the network, on which it operates. So, we have not only a security tool but also a real viewer of the network status.

Solution for teaching classrooms

When we look for a teaching classroom solution, the following points should be considered:

• The person that connects the PC (normally laptops) should be an authorized person.
• The system should manage the activation-deactivation of the network points.

The interface was basically a CGI in which we asked for the MAC address to be authorized, the wiring-closet to use and the time interval (typically a lesson). We generate a log with the people using each point at each time. A graphic view of the system described above would be that in figure 1.

The achieved solution is essentialy correct in terms of security: the user is asked for authentication, we keep a log file with the accesses to the system and the machine can get access to the network perfectly. There is no problem for the authorization of multiple systems in a single point, because up to 36 points can be authorized in our hubs ( this is valid for most network vendors). The basic problem was the timing policy and the need for the users to get authorized every time they wanted to use the system.
 
 
 

Figure 1: First approach for the teaching classrooms solution

In order to avoid the inconveniences while keeping the functionalities, our next approach was to use a trap-policy. We activated the trap functionalities in our SNMP hubs. Whenever a machine tries to connect to one of these points the hub generates a trap. In this trap, the MAC address of the connecting machine is present. A script runs in the background in a trap manager station. When a trap arrives to the trap manager station, it tests whether the MAC address is authorized or not. If it is, immediate authomatic access is allowed. The first authorization of the MAC address must be done as outlined in figure 1. Once done, this MAC gets into the 'MAC authorized' database. We reduce to one the number of accesses to the LDAP directory. Additional requests are managed directly by the trap manager.

Figure 2 shows the global view of the system. For simplicity, the first access to the LDAP directory is not included. This first access works as explained in figure 1.

Fig.2 Final implementation for the teaching classrooms security system solution

Before offering this system, we wondered whether it would mean a high load on the network. A traffic analysis showed that there was no great impact on traffic because of this use of traps.

Solution for the libraries free-access points

Once we have studied the former problem, it can be seen that such a solution would be optimal for the libraries. No additional PC is required for control, but a new problem arises. We have not a LDAP database for our students. We have evaluated using the intelligent identification cards our students have, but that would imply an important development cost.

Because of this, our idea has been to include this functionality as a part of the services offered to the student regarding access to the university network. The implementation consists on a model based on the previous solution but changing the LDAP authentication for a RADIUS one. Thus, we could use the same database for authenticating users that we have for remote access to our facilities.

There is still one problem left. In the analysis of the teaching classrooms, teachers’ laptops were used. That means that they have a static IP address assigned. This is not possible in this case, because a static IP-Ethernet binding would mean the risk of running out of IP addresses.

The solution has been the definition of a pool of IP address that will be used for the access from these points. This pool will be a DHCP pool, where only authorized Ethernet address will obtain IP addresses. This feature is available in most implementations of the DHCP servers. When the user of the service (typically pupils) asks for it for the first time, he should give the MAC address he is to use for his connection to the network. Moreover, this approach gives us additional security control, because we know that an IP address of this pool is connected to a network free access point, making it easily locatable.

State of implementation

Up to now, we have described the ideas of our low-level security project. We have also implemented them. More exactly:

• We have utilities to manage the ports, anti-sniffing secure them, discover the network topology and selectively activate network points based on authentication. All these utilities work on a UNIX environment. Portability to other platforms should be easyly done due to its modular design.
• The anti-sniffing securization has been applied to the whole network. More precisely, 97% of it (that means almost 4000 points)has been secured. The remaining 3% of the network are ports belonging to hubs which have no management capabilities or which are conflictive for any reasons. In the first case, our policy of network updates considers the upgrade to hubs with SNMP management. In the second, we have discovered that some hubs not belonging to the network infrastructure were being used. These hubs have been forbidden, because they suppose not only potential security holes but also a problem when analyzing network problems or evaluating traffic needs.
• We have databases with the points for teaching operations.
• We have documented and defined the service for network access in the teaching classrooms.
• We have logging of all accesses to the system.

• We have detected illegal hardware, not belonging to the university, connected to the campus network. These points have been revoked and converted to legal points.
• It is impossible with the new system to read non-encrypted passwords that travel through the network. This is for us a very important achievement.
• Full integration of the network security policies with the network management. The graphic Web-based environment allows our users to have a clear view of the network with the traffic levels in each segment.

 

In our opinion, the system described is not only powerful in terms of security, but also of low-constraints. The basic requirements are:

• SNMP management in the hubs.
• Fully SNMP ready monitoring machine. In our implementation it’s a UNIX machine with freeware SNMP queryingutilities. It needs not to be dedicated only to this purpose.
• A database management system. It does not need to be complex. In the first stages of development of our project, we had simple text tables.
• A Web server with LDAP integration.

 

To sum up we can state that the system described gives two important functionalities concerning security. First of all, it makes sniffing impossible. Second, selective activation of network ports is fully operational.

The implantation of the system adds new services to the network. This is a significant point regarding security, because normally, adding security means reducing functionalities. This project is a breakpoint in the classic relation more security-less access capacity.

The system explodes the capacities of the network. Many of us have today powerful networks with extreme powerful management capacities. Nevertheless, not everyone makes use of powerful tools such as SNMP utilities. It must be remarked that the extra functionalities have been added without a complex model and without the additional overhead of other models. The cost is also kept small. 

As a final remark, our mechanisms can integrate perfectly with other higher-level security applications. In fact, they complement themselves perfectly and a good security policy must consider both. We don’t think of reducing classic mechanisms, but instead we try to add new security functions to the network where the classic approach fails.

References

[1]: D.J.Hughes,Wu Z.D. , Minerva- An Event Based Model for Extensible Network Management. Proceedings INET 93
[2]: Michael L.Kornegay. Toward Useful ans Standarized SNMP Management Applications. The Simple Times.
[3]: David T.Perkins. Understanding SNMP MIBs.
[4]: Carlos Picoto,Pedro Veiga. Management of a WWW Server using SNMP. Proceedings JENC6
[5]: J.Case,M.Fedor,M.Schoffstall,J.Davin. RFC 1157: A Simple Network Management Protocol (SNMP)
[6] : P. Roca. Control de acceso a las aulas informatizadas de la UAB. RedIRIS network magazine nº 41-42.
[7]: Marshall T.Rose. Management Information Base for Network Management of TCP/IP-based Internets:MIB-II. RFC 1213
[8]: W.Stallings. SNMP,SNMPv2 and CMIP: The Practical Guide to Network Management Standards.
[9]: M.Wahl,T.Howes,S.Kille. RFC 2251: Lightwight Directory Access Protocol (version 3).