Campus Network Management

How much control do you have over your network?

Academic networks bring with them a unique set of challenges. Network management and control solutions aimed at mainstream commercial networks are often unsuitable for deployment in academic environments.

What's needed is a set of solutions tailor made for this sector. This is where Netservers and FireRack come in. Our FireRack network management appliance has been deployed at 12 colleges in Cambridge University, to address the following issues:

  • Detect the use of unauthorised applications on College networks (e.g. peer-to-peer file sharing)
  • Rate limit or block traffic going to and from peer-to-peer applications
  • Identify users consuming excessive amounts of Internet bandwidth
  • Rate limit bandwidth to users exceeding specified quotas
  • Segment the College network, while still permitting controlled flow of legacy protocols (e.g. IPX, AppleTalk)
  • Simplify student computer registration and management
  • Enforce computer registration policies by blocking Internet access for unregistered machines
  • Permanently log detailed traffic flow data (i.e. protocol, source and destination IP addresses and ports)
  • Provide a web-based user interface to interrogate the log data
  • ... and much more

Problems and Solutions


Problem: Bandwidth Wastage

With the increasing popularity of the Internet, and in particular of peer-to-peer file sharing applications, bandwidth usage is climbing sharply. Added to this is an increasing trend of virus and worm infection, which also drives up bandwidth consumption.

Much of this unwanted traffic can still be identified by port number and dropped at the router, but increasingly this is not the case. Kazaa, for instance, can use any port number, including port 80, and can pass through ordinary HTTP proxy servers.

Solution: Identify and eliminate unwanted traffic

FireRack performs Dynamic Traffic Classification by watching for giveaway signatures in the data stream. Kazaa, eDonkey and similar applications are identified by data stream analysis regardless of the port they use. FireRack can then drop this traffic or throttle it to acceptable levels.

For traffic that is readily classified by port number or protocol, the administrator can classify and group traffic using simple address/port/protocol rules.
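The two-stage approach described above, static address/port/protocol rules plus payload-signature analysis that catches a P2P client hiding on port 80, as an added illustration. This is not FireRack code; the college addressing, the signature patterns (eDonkey's 0xE3 protocol byte, Kazaa's X-Kazaa-* HTTP headers) and the sample flows are all assumed or constructed here.

```python
"""Two-stage traffic classifier: static rules first, then payload signatures.
Added illustration; not FireRack code. Networks, signatures and flows are assumed."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Flow:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes   # first bytes of the client -> server stream


COLLEGE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed college addressing

# Stage 1: (class, proto, destination network or None, destination port)
STATIC_RULES = [
    ("smtp", "tcp", None, 25),
    ("dns", "udp", None, 53),
    ("ssh", "tcp", None, 22),
    ("college-web", "tcp", COLLEGE_NET, 80),
]

HTTP_REQUEST = re.compile(rb"^(get|post|head) [^\r\n]* http/1\.[01]\r\n")
P2P_CLASSES = {"kazaa", "edonkey"}


def payload_class(payload: bytes):
    """Stage 2: classify by what the stream carries, ignoring the port.
    Illustrative patterns: eDonkey frames start with protocol byte 0xE3,
    Kazaa/FastTrack HTTP transfers carry X-Kazaa-* headers."""
    head = payload[:512].lower()
    if head.startswith(b"\xe3"):
        return "edonkey"
    if HTTP_REQUEST.match(head):
        if b"x-kazaa-" in head or b"user-agent: kazaaclient" in head:
            return "kazaa"
        return "http"
    return None


def classify(flow: Flow) -> str:
    sig = payload_class(flow.payload)
    if sig in P2P_CLASSES:      # payload evidence wins: Kazaa on port 80 is still Kazaa
        return sig
    for name, proto, net, port in STATIC_RULES:
        if flow.proto == proto and flow.dport == port and (
                net is None or ipaddress.ip_address(flow.dst) in net):
            return name
    return sig or "other"


# Per-class action; anything not listed is allowed at normal rate.
POLICY = {"kazaa": "throttle", "edonkey": "drop"}


def action_for(flow: Flow):
    cls = classify(flow)
    return cls, POLICY.get(cls, "allow")


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("tcp", "10.1.2.3", 40001, "203.0.113.10", 80,
         b"GET /.hash=0a1b/song.mp3 HTTP/1.1\r\nHost: 203.0.113.10\r\n"
         b"X-Kazaa-Username: bob\r\n\r\n"),                 # Kazaa hiding on port 80
    Flow("tcp", "10.1.2.3", 40002, "10.0.0.5", 80,
         b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),  # ordinary college web
    Flow("tcp", "10.1.2.4", 40003, "198.51.100.7", 4662,
         b"\xe3\x10\x00\x00\x00\x01"),                      # eDonkey hello
    Flow("tcp", "10.1.2.4", 40004, "198.51.100.8", 25, b"EHLO mail\r\n"),
    Flow("tcp", "10.1.2.5", 40005, "203.0.113.20", 6346,
         b"GNUTELLA CONNECT/0.6\r\n"),                     # no signature: falls to "other"
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f.src, "->", f.dst, f.dport, action_for(f))
```

Two points a practitioner should keep in mind: signature matching only works on cleartext, so a client that encrypts or obfuscates its stream (the last Gnutella flow above already falls through to "other") needs behavioural detection instead, and "throttle" here is just a label; the actual rate limiting is a separate queueing stage that this classifier feeds.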

Solution: Enforced per-user bandwidth quotas

Once FireRack has been deployed, the college can allocate per-user bandwidth quotas to its students. This can only be done once the student and their machine have been registered in the system (see Automated Host Registration below).

Problem: Worm and Virus Infestation

Any student or staff machine is a potential source of viruses and worms. No matter how well you defend your network perimeter, you cannot prevent an infected machine being carried in from outside and plugged directly into your local area network.

In an otherwise sheltered environment there may be many susceptible machines, which will then rapidly fall prey to the worm. These worms usually start by attacking the Local Area Network (LAN) and quickly move on to systematically or randomly scanning for vulnerable hosts on the Internet.

Solution: Worm detection and containment

Worms are detected by FireRack's built-in Intrusion Detection System (IDS), which identifies infected machines both through port scan detection and through data stream analysis. Worm-infected hosts can then be automatically quarantined until they have been cleaned up.

Unlike firewall/IDS solutions from other vendors, FireRack is not limited to containing worm-infected hosts at the network perimeter. Its IDS can detect worms as they scan the Local Area Network. Then, through a combination of firewalling, bridging and switch management, FireRack can dynamically disconnect an infected machine from the LAN and place it in quarantine, isolating it from the other machines on the LAN.
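The port-scan side of the detection just described, as an added example rather than FireRack's own IDS: a host that opens connections to many distinct destinations on one port inside a short window is quarantined, and the reason records whether the sweep hit the LAN or the Internet. The LAN prefix, the window and threshold, and the flow records are all assumed or constructed.

```python
"""Port-scan based worm detection with automatic quarantine.
Added illustration, not FireRack's IDS; network, thresholds and records are assumed."""
import ipaddress
from collections import defaultdict, deque

LAN = ipaddress.ip_network("10.1.0.0/16")   # assumed college LAN
WINDOW = 60.0    # seconds of history kept per (source, destination port)
THRESHOLD = 20   # distinct destinations on one port within WINDOW


class ScanDetector:
    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.recent = defaultdict(deque)   # (src, dport) -> deque of (ts, dst)
        self.quarantined = {}              # src -> human-readable reason

    def observe(self, ts, src, dst, dport):
        """Feed one new outbound connection attempt; returns the action taken."""
        if src in self.quarantined:
            return "blocked"               # stays cut off until an admin clears it
        q = self.recent[(src, dport)]
        q.append((ts, dst))
        while q and ts - q[0][0] > self.window:   # expire entries outside the window
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= self.threshold:
            scope = "LAN" if all(ipaddress.ip_address(d) in LAN for d in targets) else "Internet"
            self.quarantined[src] = (f"{len(targets)} hosts on port {dport} "
                                     f"within {self.window:.0f}s ({scope} sweep)")
            return "quarantine"
        return "allow"


def constructed_flows():
    """Constructed records (timestamp, src, dst, dport); not real logs."""
    flows = [(100.0 + i, "10.1.2.3", f"203.0.113.{i}", 80) for i in range(5)]   # browsing
    # 10.1.2.9 sweeps the LAN on 445 (SMB): 40 neighbours in 20 seconds
    flows += [(200.0 + i * 0.5, "10.1.2.9", f"10.1.3.{i + 1}", 445) for i in range(40)]
    # 10.1.2.7 reaches 8 Internet hosts on 445 spread over an hour: stays below threshold
    flows += [(300.0 + i * 600, "10.1.2.7", f"198.51.100.{i}", 445) for i in range(8)]
    return flows


def run(flows):
    """Replay records in time order; returns (quarantined hosts, count of each action)."""
    det = ScanDetector()
    actions = defaultdict(int)
    for rec in sorted(flows):
        actions[det.observe(*rec)] += 1
    return det.quarantined, dict(actions)


if __name__ == "__main__":
    print(run(constructed_flows()))
```

In the replay the sweeping host is quarantined on its twentieth distinct target and its remaining twenty attempts are blocked, while the slow, low-volume host never trips the threshold. A production IDS would also weight failed connections (a worm mostly hits hosts that do not answer) and would implement "quarantine" as a VLAN move or switch-port shutdown rather than a dictionary entry.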

Problem: Unauthorised Network Use

Many colleges now permit students to connect their own computers to the college network. Usually the student is assigned a fixed IP address, which they must configure on their computer.

All too often, however, computers are configured with the wrong IP address. Sometimes this is accidental, sometimes not. Some students may even attempt to connect a computer without having been assigned an IP address at all; in this case they might help themselves to someone else's.

Solution: Automated Host Registration (and enforcement)

When an unknown host is connected to the network, the FireRack firewall assigns it an IP address by DHCP. This IP address does not give the user access to the Internet, or other protected college resources. When the user tries to go to a web site, they are automatically sent to a "Host Registration" web page.

Once the student and their machine have been authenticated, registered and authorised, the DHCP server issues the student with a new IP address which is valid for accessing the Internet and other controlled resources.

If a student assigns another user's IP address to their machine, FireRack detects this and blocks the machine in question. It can optionally send an alert to the network administrators.
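The whole registration and enforcement sequence above, as an added example that is not FireRack code: an unknown MAC gets a registration-only DHCP address and is redirected to the registration page whatever it asked for; after authentication it is issued a production address; and a host seen (via ARP) using an address issued to someone else, or never issued at all, is blocked and an alert raised. The two address pools, the portal URL and the user table are assumptions.

```python
"""Host registration with enforcement of address ownership.
Added illustration, not FireRack code; pools, portal URL and users are assumed."""
import hashlib
import hmac
import ipaddress

REG_POOL = ipaddress.ip_network("10.250.0.0/24")   # assumed: registration-only addresses
PROD_POOL = ipaddress.ip_network("10.1.0.0/16")    # assumed: addresses allowed to the Internet
PORTAL = "https://register.college.example/"       # assumed portal URL

# Constructed stand-in for the college's user directory: username -> sha256(password).
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def authenticate(user, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(USERS.get(user, ""), digest)


def in_registration_pool(ip):
    return ipaddress.ip_address(ip) in REG_POOL


class Registrar:
    def __init__(self):
        self.registered = {}   # mac -> (user, production ip)
        self.leases = {}       # mac -> ip currently leased
        self.blocked = {}      # mac -> reason
        self.alerts = []
        self._reg_hosts = REG_POOL.hosts()
        self._prod_hosts = PROD_POOL.hosts()

    def dhcp_request(self, mac):
        """Unknown MACs get a registration address; registered MACs get their production address."""
        ip = self.registered[mac][1] if mac in self.registered else str(next(self._reg_hosts))
        self.leases[mac] = ip
        return ip

    def http_request(self, mac, url):
        """Captive portal: registration-pool clients are redirected whatever URL they asked for."""
        ip = self.leases.get(mac)
        if ip is None or in_registration_pool(ip):
            return f"302 {PORTAL}?next={url}"
        return "pass"

    def register(self, mac, user, password):
        """Authenticate the student and bind their MAC to a newly issued production address."""
        if not authenticate(user, password):
            return None
        ip = str(next(self._prod_hosts))
        self.registered[mac] = (user, ip)
        return ip

    def arp_seen(self, mac, ip):
        """Enforcement: a production address may only be used by the MAC it was issued to."""
        owner = next((m for m, (_, reg_ip) in self.registered.items() if reg_ip == ip), None)
        if owner is not None and owner != mac:
            self.blocked[mac] = f"claimed {ip}, issued to {owner}"
            self.alerts.append(f"ALERT {mac} using {ip} registered to {self.registered[owner][0]}")
            return "block"
        if owner is None and ipaddress.ip_address(ip) in PROD_POOL:
            self.blocked[mac] = f"self-assigned unissued address {ip}"   # wrong IP, accidental or not
            return "block"
        return "ok"

    def may_reach_internet(self, mac):
        ip = self.leases.get(mac)
        return mac not in self.blocked and ip is not None and ipaddress.ip_address(ip) in PROD_POOL
```

Note what the enforcement relies on: registration is keyed on the MAC address, which a determined user can change, so the ARP check that catches a second MAC claiming an issued address (and a never-issued address inside the production range) is the part that actually stops address theft rather than just inconveniencing it.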