Title: UC Davis Vulnerability Scanning and Remediation
UC Davis Vulnerability Scanning and Remediation
- 2005 Larry Sautter Award
- UC Davis, Information and Education Technology
UC Davis Vulnerability Scanning and Remediation
- Project description and background
- Project Objectives
- Protecting the campus network
- Scalable technology
- Education
- Questions
Project Description
- A proactive approach to reducing threats to computing resources and enhancing the protection of university electronic information.
Project Objectives
- Protect the integrity of the campus computing environment
- Provide a cost-effective solution for vulnerability scanning and remediation
- Develop a scalable system
- Educate campus computer users, support staff and system administrators
Timeline
- September 2003
  - Temporary scanning system deployed to detect RPC vulnerabilities
- October 2003
  - Reduction in vulnerable and/or infected systems on the campus network from more than 700 to fewer than 40 in four weeks
- May 2004
  - Planning for a permanent vulnerability scanning system was initiated
- September 2004
  - Computer Vulnerability Scanning Policy adopted by campus
  - Rebuilding/redeployment of the campus vulnerability scanning system components
  - Threat analysis subscription begins
  - Database upgrades made
- January 2005
  - Honeypot integrated into permanent scanning system
- June 2005
  - Intrusion detection system (IDS) integrated into vulnerability scanning system
- July 2005
  - Campus vulnerability scanning system is in full production mode
Computer Vulnerability Scanning Policy
- All computers, servers, and other electronic devices connected to the campus network shall be kept free of critical security vulnerabilities.
- Individuals whose computers present critical security vulnerabilities must correct those vulnerabilities in a timely manner before connecting to the campus network.
- Computers found to contain critical security vulnerabilities that threaten the integrity or performance of the campus network will be denied access to campus computing resources, and may be disconnected from the campus network to prevent further dissemination of infectious or malicious network activity.
Protecting the Campus Network
Vulnerability Assessment Mechanisms
- Nessus (scanlite Perl module) is used to scan campus systems daily for 1-3 vulnerabilities
- Nessus is used to identify compromised systems during web-based authentication
- LaBrea (honeypot) is used to identify malicious network traffic on an unannounced network segment
- Bro (IDS) identifies malicious network traffic. Bro can use the Snort rule set.
Vulnerability Assessment Database
- IP Address
- Date
- Type (honeypot, scan, IDS)
- MAC address
- Username
Input Sources
- VLAN assignments (What IPs shall we scan?)
- VLAN technical contact (Who do we contact if there is a problem?)
- ARP table records (What MAC address is associated with a particular IP?)
- MAC address ownership (Who registered a particular MAC address?)
- Web authentication (What IP is attempting to authenticate to a UCD web site?)
- Threat selection (What threats represent the highest risk to campus?)
- Web/Daily Scan Capability (What Nessus security plug-ins are available?)
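The two slides above describe a correlation problem: a detection arrives as (IP address, date, type), and the database must turn it into a MAC address, a registered owner and a VLAN contact before anyone can be notified. The following is an added example, not code from the presentation or from the campus system, showing that join with constructed sample data; it picks the ARP record most recently observed at or before the detection time, because a DHCP address can belong to a different machine a day later.

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample data standing in for the input sources on the slide.
VLAN_CONTACTS = {"10.1.1.0/24": "vlan-contact@example.edu"}  # VLAN -> technical contact
ARP_RECORDS = [  # (observed, ip, mac); the same IP changes hands between records
    ("2005-06-01 08:00", "10.1.1.25", "00:11:22:33:44:55"),
    ("2005-06-02 09:00", "10.1.1.25", "66:77:88:99:aa:bb"),
]
MAC_OWNERS = {"00:11:22:33:44:55": "jdoe", "66:77:88:99:aa:bb": "asmith"}
DETECTIONS = [  # (date, ip, type) as stored in the assessment database
    ("2005-06-01 12:00", "10.1.1.25", "scan"),
    ("2005-06-03 02:30", "10.1.1.25", "honeypot"),
    ("2005-06-03 03:00", "10.1.9.9", "ids"),  # no ARP record, no VLAN assignment
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def mac_for(ip, when):
    """Return the MAC from the latest ARP observation of ip at or before `when`."""
    seen = [(parse(t), mac) for t, rec_ip, mac in ARP_RECORDS
            if rec_ip == ip and parse(t) <= when]
    return max(seen)[1] if seen else None


def vlan_contact(ip):
    """Return the technical contact for the VLAN containing ip, or None."""
    addr = ip_address(ip)
    for net, contact in VLAN_CONTACTS.items():
        if addr in ip_network(net):
            return contact
    return None


def attribute(detection):
    """Build the database row (IP, date, type, MAC, username) plus the VLAN contact."""
    date, ip, kind = detection
    mac = mac_for(ip, parse(date))
    return {"ip": ip, "date": date, "type": kind, "mac": mac,
            "username": MAC_OWNERS.get(mac), "vlan_contact": vlan_contact(ip)}


def attribute_all(detections=DETECTIONS):
    return [attribute(d) for d in detections]
```

A row whose MAC or owner stays None is exactly the case the VLAN technical contact exists for, and the third constructed detection shows a detection the database cannot route at all.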
Scalable Technology
Production System Components

Component                     Hardware                                                  Operating System  Application
Web Authentication Scanner    Sun V210 (2)                                              Solaris           Nessus/Scan Lite
Daily Network Scanner         Sun V210 (2)                                              Solaris           Nessus/Scan Lite
Intrusion Detection Sensor    Dell 2650 (2)                                             Linux             Bro
Network Honeypot              Dell 1750 (1)                                             Linux             LaBrea
Database                      Dell 2650 (1) and Dell PowerVault 220 (2) with 2TB storage  Linux             MySQL
Web Server                    Sun V210 (1)                                              Solaris           Apache
Test Server                   Dell 1750 (1)                                             Linux             VMware
Educating the Campus Community
Faculty, Staff and Students
- Formal discussions with senior campus administrators and advisory groups
- Email alerts/announcements
- Print and Web publications
- Posters and Flyers
- Self-initiated scans
- Scan results pages
http://selfscan.ucdavis.edu
Technical Staff
- Formal discussions
- Computer Network Security Report (secalert.ucdavis.edu)
- Email notifications
- Top Ten graphs
http://secalert.ucdavis.edu
http://secalert.ucdavis.edu/ids
Lessons Learned and Next Steps
- Nessus limitations
- Reliance on campus unit system administrators
- Enhance integration with Remedy trouble-ticketing system
- Product integration via database is not readily available
Questions
Contact Information
- Robert Ono, raono_at_ucdavis.edu