Newsbits
 
A3 Printing Support Available

The Fast Printing Service has been well received since its launch on 31 January 2007 (please see "Guideline for Fast Network Printing Service" for details). In view of the need for A3 black and white and A3 colour printouts, we are glad to announce that the Fast Printing Service also supports them with immediate effect. Users may simply set the document size to A3 for A3 printouts, and to simplify the calculation, we will maintain both A4 and A3 printing at the same rates for the moment. The charging rates for the Fast Printing Service may be adjusted in future reviews to reflect the updated operation costs if necessary.

Relocation of Express Printing Service and Fast Printing Service

In order to improve the working environment at the CSC Student Terminal Area, the Express Printing Service located along the main corridor of the CSC has been moved to the new Printing and Plotting Room situated between Teaching Studios B and D, while the Fast Printing Service has been relocated to the area outside Teaching Studio G.

Illegal Storing or Sharing Activities of Copyrighted Materials – Your Personal Liability

The entire CityU community is reminded of the University's commitment to the protection of intellectual property and copyrighted material. When it comes to illegal storing or sharing of digital materials, whether music, video, text or pictures, the University imposes its own penalties (disciplinary action, loss of network connectivity) on anyone who is found to be using CityU facilities or the campus network for such purposes.

Moreover, organisations hired by copyright owners are aggressively searching for copyright violators on the Internet and will take independent legal action against such violators. Peer-to-peer file sharing activity using the campus network is easily subject to their scrutiny as long as they remain one of the participants. Many past legal actions by these organisations have resulted in the successful imposition of substantial monetary penalties on the violators.

Please be aware that the target of these actions is not only the individuals engaged in the violations but also the University, if it has not shown diligence in curbing violations carried out on its computers or network. As an Internet service provider, the University has no choice but to cooperate fully and without delay with any law enforcement agency requesting the names of individuals who use its computers to share copyrighted materials illegally.

As such, users who use their accounts on the University facilities for such activity inevitably expose both themselves and potentially the University to legal action. Therefore, to protect yourself and the University, make sure you will not engage in illegal storing or sharing of copyrighted materials.

Please Tell Us If You No Longer Need a Booked CSC Teaching Studio

The teaching studios in the Computing Services Centre (CSC) have always been in great demand. To make better use of University resources, and for the benefit of those staff and students who may still be waiting for these rooms, please cancel your booking as soon as you know that you no longer need the booked CSC teaching studio, either through the CSC Teaching Studio Booking System or through our staff at the Service Counter in the CSC Terminal Areas, at least one day in advance. If you have any enquiries, please contact the CSC Service Counter.

 
Got any questions, comments or suggestions? Contact the editors at ccnetcom@cityu.edu.hk
 
Issue 50 - December 2006
New IPS to Boost Security, Reliability and Performance of the Campus Network
By Alex Lam

Virus, worm and Trojan are no longer technical jargon. They are so common and their impact so severe that they have appeared many times in newspaper and media headlines, for example on CNN at http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html.

Although anti-virus vendors are trying their best to stop these attacks, new types of virus and worm are discovered every day. New techniques must be employed to supplement our existing methods of detecting and stopping these attacks.

In order to protect against massive and evolving network virus/worm attacks, the Computing Services Centre (CSC) has recently deployed a network-based Intrusion Protection System (NIPS). In this article, we discuss the features of the new IPS. For background information on IPS and security appliance deployment on our campus, please read the articles in Network Computing, Issue 41 (September 2004) and Issue 47 (March 2006).

Features of the new IPS

In the following sections, we will look at how our new IPS can provide unique countermeasures to stop the propagation of viruses and worms:

  a. Intelligent Port Scanning detection

  b. Behavior-based Denial of Service (DoS) protection (Zero Day Attack Protection)

  c. Multiple Segments Support - Virtual IPS

  d. Brute Force Protection for Central Servers and Application Servers

  e. Programmable API for Dynamic Policy management


a. Intelligent Port Scanning detection

CityU has a large and contiguous IP address pool (more than 60,000 IP addresses).  From the hacker's point of view, it is a good place to search for vulnerable hosts by performing massive port scan activities.

Although our existing IPS already provides port scanning detection and blocking, further analysis shows that we still observe the following types of port scanning activity:

  • Horizontal Port Scanning

    • Scanning the same port across a whole subnet range

  • Slow and Very Slow Port Scanning

    • Scanning only a few hosts (5 to 10 hosts) every 5 minutes, all day long

    • A complete Class B network can be scanned within 2 weeks

Our IPS's Solution to Port Scanning

Our IPS can protect CityU from the above attacks by providing advanced and finely tunable port scanning detection and blocking functions:

  • Vertical Port Scanning (scanning multiple ports on a single host)

  • Horizontal Port Scanning (scanning a single port on each host in the whole subnet)

  • ICMP (ping) scanning

  • Very slow scan

  • Scanning from many source ports

  • Scanning of multiple destination IPs and ports

The most impressive feature is the "Very Slow Scan" detection, which

  • Detects and blocks slow port scanning activities that only scan 10 hosts every 5 minutes

  • Extends the blocking period based on the number of attacks seen from the same source

With the new IPS deployed, both the "Very fast scan" and "Very slow scan" activities are detected and blocked effectively.  This further tightens the security level of our Internet gateway.  The diagram below shows details of a port scanning attack and how it can be blocked by the IPS.

Step 1. Hacker performs port scanning to find targets with vulnerabilities.

Step 2. Hacker injects a virus or trojan into the vulnerable targets found.

Step 3. The infected machines further SCAN and INFECT vulnerable hosts within the INTERNAL network.

Step 4. The hacker issues commands to the hosts with the virus/trojan installed to perform further attacks, e.g. sending SPAM MAIL or launching DDOS attacks.

IPS Protection: Our IPS stops the port scanning activities at the first step, and thus prevents further infection/attack.
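The detection logic sketched in this section, written out as an added Python example; it is not the IPS vendor's code. It keeps, per source address, the distinct destination hosts and ports seen in a short window and in a long window, flags horizontal, vertical and slow scans, and doubles the block period on every repeat offence from the same source. The window lengths, thresholds, block schedule and the scanner addresses are assumptions chosen for the demonstration; they are deliberately set so that a scanner touching 10 new hosts every 5 minutes stays below the fast threshold yet is caught by the slow window.

```python
from collections import defaultdict, deque


class ScanDetector:
    """Tracks connection attempts per source and blocks scanners.

    Thresholds below are assumptions for the demo, not the real IPS settings.
    """

    def __init__(self, fast_window=60, fast_threshold=20,
                 slow_window=3600, slow_threshold=50, base_block=600):
        self.fast_window = fast_window        # seconds: horizontal/vertical scan window
        self.fast_threshold = fast_threshold  # distinct hosts (or ports) inside it
        self.slow_window = slow_window        # seconds of history kept for slow scans
        self.slow_threshold = slow_threshold  # distinct hosts inside the slow window
        self.base_block = base_block          # first block duration in seconds
        self.events = defaultdict(deque)      # src -> deque of (ts, dst, dport)
        self.offences = defaultdict(int)      # src -> how many times already blocked
        self.block_until = {}                 # src -> timestamp the block expires
        self.dropped = defaultdict(int)       # src -> packets dropped while blocked

    def is_blocked(self, src, ts):
        return self.block_until.get(src, 0) > ts

    def _block(self, src, ts):
        # The block period doubles with every further offence from the same source.
        duration = self.base_block * (2 ** self.offences[src])
        self.offences[src] += 1
        self.block_until[src] = ts + duration
        self.events[src].clear()
        return duration

    def observe(self, ts, src, dst, dport):
        """Feed one connection attempt; return (verdict, block_seconds) or None."""
        if self.is_blocked(src, ts):
            self.dropped[src] += 1
            return None
        q = self.events[src]
        q.append((ts, dst, dport))
        while q and q[0][0] < ts - self.slow_window:
            q.popleft()                        # forget history older than the slow window
        hosts_per_port = defaultdict(set)
        ports_per_host = defaultdict(set)
        for t, d, p in q:
            if t >= ts - self.fast_window:
                hosts_per_port[p].add(d)
                ports_per_host[d].add(p)
        if any(len(h) >= self.fast_threshold for h in hosts_per_port.values()):
            return ("horizontal_scan", self._block(src, ts))   # one port, many hosts
        if any(len(p) >= self.fast_threshold for p in ports_per_host.values()):
            return ("vertical_scan", self._block(src, ts))     # one host, many ports
        if len({d for _, d, _ in q}) >= self.slow_threshold:
            return ("slow_scan", self._block(src, ts))         # few hosts per burst, all day
        return None


def simulate_slow_scan(bursts=12, hosts_per_burst=10, interval=300):
    """Constructed scanner 203.0.113.7 probing TCP 445 on 10 new hosts every 5 minutes."""
    det = ScanDetector()
    verdicts, host = [], 0
    for b in range(bursts):
        for i in range(hosts_per_burst):
            host += 1
            ts = b * interval + i
            v = det.observe(ts, "203.0.113.7", f"10.0.{host // 256}.{host % 256}", 445)
            if v:
                verdicts.append((ts, v))
    return verdicts


def simulate_fast_scan(hosts=25):
    """Constructed scanner probing TCP 22 on 25 hosts within 25 seconds."""
    det = ScanDetector()
    verdict = None
    for i in range(hosts):
        v = det.observe(i, "198.51.100.9", f"10.1.0.{i + 1}", 22)
        verdict = verdict or v
    return verdict, det.dropped["198.51.100.9"]


if __name__ == "__main__":
    print(simulate_slow_scan())
    print(simulate_fast_scan())
```

In the slow-scan run the first block lasts 600 seconds and the second, once the scanner resumes, 1200 seconds. The slow counter here only counts distinct destinations, so a busy legitimate host such as a proxy could approach the threshold; a real deployment would whitelist such sources or also weigh the share of unanswered connection attempts.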


b. Behavior-based DoS and Zero Day Attack Protection

Most IPSes provide a signature-based attack detection mechanism. Under this approach, an attack is detected by comparing the virus/worm characteristics (file or binary footprints) with the IPS signature database. To improve accuracy, other factors such as the network ports, traffic direction and protocol handshaking information are combined before concluding that a network attack is taking place.

However, as many new variants of viruses/worms and new vulnerabilities emerge every day, signature-based detection can no longer discover new attacks during the first day of their outbreak (Zero Day).

Our IPS's Solution to Zero Day DoS Attack Protection

Our IPS provides Zero Day DoS Attack Protection through a self-learning adaptive system. For simplicity, the system can be described as three self-learning and adaptive components:

  1. Detection Module

  2. Attack Footprints Lookup Module

  3. Blocking Module


The block diagram below shows the components of the Behavior DoS protection system.



i. Detection Module

The Detection Module discovers attacks by analyzing every individual packet in real time and comparing the real-time traffic parameters with their baselined values. The traffic parameters include

  • Rate-based behavior parameters such as packet rate, traffic volume, traffic sessions, etc.

  • Rate-invariant behavior parameters, such as input/output session ratio and TCP flag distribution

Rate-invariant parameters are used to reduce false positives when there is a sharp change in the traffic parameters. For example, during the course registration period, the following will be observed:

  • Sharp increase in Web traffic volume (http – TCP port 80)

  • Ratio of SYN to SYN-ACK remains nearly constant (it is normal Web traffic)

As the ratio of SYN to SYN-ACK remains the same for the Web traffic, the sharp increase in traffic volume will NOT be classified as an attack.
Conversely, during a SYN flooding attack on port 80, the ratio of SYN to SYN-ACK will be much higher than for normal Web traffic. The detection engine will then report an attack.
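An added Python illustration of the rate-based versus rate-invariant distinction just described; it is not the IPS vendor's algorithm. A baseline is learned from constructed windows of normal Web traffic, and each new window is classified by comparing its packet rate (rate-based) with the baseline and its SYN to SYN-ACK ratio (rate-invariant) with the baseline. The packet mix, the 10-second window and the anomaly factors are assumptions chosen for the demonstration.

```python
WINDOW_SECONDS = 10   # assumed measurement window


def make_window(connections, flood_syns=0):
    """Constructed traffic for one window: `connections` complete TCP port-80
    handshakes (SYN, SYN-ACK, ACK, two data packets) plus `flood_syns` bare
    SYNs that are never answered, as a SYN flood would produce."""
    packets = []
    for _ in range(connections):
        packets += [{"dport": 80, "flags": f} for f in ("S", "SA", "A", "PA", "PA")]
    packets += [{"dport": 80, "flags": "S"} for _ in range(flood_syns)]
    return packets


def parameters(packets):
    """Rate-based and rate-invariant parameters of one window."""
    syn = sum(p["flags"] == "S" for p in packets)
    synack = sum(p["flags"] == "SA" for p in packets)
    return {
        "pps": len(packets) / WINDOW_SECONDS,                    # rate-based
        "syn_ratio": syn / synack if synack else float("inf"),   # rate-invariant
    }


def learn_baseline(windows):
    """Average the parameters of known-normal windows (the learning phase)."""
    params = [parameters(w) for w in windows]
    return {k: sum(p[k] for p in params) / len(params) for k in params[0]}


def classify(baseline, packets, volume_factor=3.0, ratio_factor=2.0):
    """A volume surge alone is not an attack; a distorted SYN/SYN-ACK ratio is."""
    cur = parameters(packets)
    if cur["syn_ratio"] > ratio_factor * baseline["syn_ratio"]:
        return "syn_flood"            # handshakes are not completing: report attack
    if cur["pps"] > volume_factor * baseline["pps"]:
        return "volume_surge_benign"  # e.g. course registration: ratio unchanged
    return "normal"


if __name__ == "__main__":
    base = learn_baseline([make_window(100), make_window(120), make_window(80)])
    print(base)
    print(classify(base, make_window(1000)))               # ten times the volume, same ratio
    print(classify(base, make_window(100, flood_syns=5000)))  # SYNs without SYN-ACKs
```

Because the ratio test is checked first, a low-rate SYN flood that never trips the volume threshold is still reported, which is the point of a rate-invariant parameter.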

ii. Attack Footprints Lookup Module

The "attack footprints lookup" module then tries to find the pattern/characteristics of the attack traffic. This is achieved by analyzing about 17 parameters that can be found in every packet, including the packet checksum, packet size, TTL, ports, sequence numbers, etc. Based on these parameters, the "attack footprints lookup" module creates a highly accurate, real-time signature of this specific attack.

iii. Blocking Module

The blocking module makes use of the footprint found by the above module to block the DoS attack. Being a self-learning adaptive protection system, this module collects the result of the blocking and feeds it back to the "footprint lookup" module. This process fine-tunes the effectiveness of the attack blocking until an optimized footprint is found or the attack stops. The fine-tuning process handles the following conditions:

  • Positive Result Found
    If the attack traffic is reduced after applying the new footprint, the blocking module continues to use it. In addition, it tries to find a more specific footprint by adding more footprint characteristics; this makes the footprint more specific and reduces false positives.

  • Negative Result Found
    If the newly applied footprint cannot reduce the attack traffic, the module looks for other footprints.

  • Attack Stop
    If the attack stops, the IPS stops applying the footprint immediately.


The main advantage of behavioral DoS attack protection is the ability to detect statistical traffic anomalies and automatically create an accurate attack footprint from the traffic analysis. Together with the adaptive feedback mechanism that fine-tunes the footprint, this ensures DoS protection with very few false positives.
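The footprint lookup of section ii and the feedback loop of section iii, reduced to a runnable Python sketch. This is an added example and not the vendor's implementation: it searches a subset of the per-packet parameters the text names (TTL, size, ports, TCP flags; checksums and sequence numbers are left out), scores each value by how common it is in the anomalous window and how rare it is in the learned baseline, keeps a candidate only when blocking it brings the traffic rate back near the baseline (positive result), discards it otherwise (negative result), and applies no footprint at all once the window is back at the baseline rate (attack stop). The deterministic packet generators, the window length and the tolerance factor are constructed assumptions.

```python
FIELDS = ("ttl", "size", "src_port", "dport", "flags")
WINDOW_SECONDS = 10   # assumed measurement window


def legit_packets(n):
    """Constructed normal Web traffic, generated deterministically so the run is
    reproducible: a rotating mix of SYN / ACK / data packets with varied TTLs."""
    out = []
    for i in range(n):
        flags = ("S", "A", "PA")[i % 3]
        out.append({"ttl": (52, 57, 64, 110, 118)[i % 5],
                    "size": {"S": 60, "A": 40, "PA": 1460}[flags],
                    "src_port": 1024 + (i * 37) % 60000, "dport": 80, "flags": flags})
    return out


def attack_packets(n):
    """Constructed SYN flood: fixed TTL and size, bare SYNs, rotating source ports."""
    return [{"ttl": 64, "size": 40, "src_port": 20000 + (i * 13) % 40000,
             "dport": 80, "flags": "S"} for i in range(n)]


def matches(pkt, footprint):
    return all(pkt[f] == v for f, v in footprint.items())


def pps(packets):
    return len(packets) / WINDOW_SECONDS


def false_positive_rate(footprint, baseline):
    """Share of known-good (baseline) packets the footprint would also block."""
    return sum(matches(p, footprint) for p in baseline) / len(baseline)


def common_values(window, min_share=0.1):
    """(field, value) pairs present in at least `min_share` of the window's packets;
    values that vary per packet (here the source ports) are pruned this way."""
    counts = {}
    for p in window:
        for f in FIELDS:
            counts[(f, p[f])] = counts.get((f, p[f]), 0) + 1
    return [k for k, c in counts.items() if c >= min_share * len(window)]


def attack_reduced(footprint, window, target_pps, tolerance=1.5):
    """Positive result: the traffic left after blocking is back near the baseline rate."""
    remaining = [p for p in window if not matches(p, footprint)]
    return pps(remaining) <= tolerance * target_pps


def refine_footprint(window, baseline, target_pps):
    """Greedy feedback loop: add one characteristic at a time while blocking keeps
    working and the false-positive rate against the baseline keeps falling."""
    footprint = {}
    while True:
        best, best_fp = None, false_positive_rate(footprint, baseline)
        for field, value in common_values(window):
            if field in footprint:
                continue
            trial = dict(footprint, **{field: value})
            if not attack_reduced(trial, window, target_pps):
                continue                      # negative result: discard this candidate
            fp = false_positive_rate(trial, baseline)
            if fp < best_fp:
                best, best_fp = trial, fp     # more specific and fewer false positives
        if best is None:
            return footprint                  # optimized footprint found
        footprint = best


def blocking_decision(window, baseline, target_pps, tolerance=1.5):
    """Attack stop: once the window is back at the baseline rate, apply no footprint."""
    if pps(window) <= tolerance * target_pps:
        return {}
    return refine_footprint(window, baseline, target_pps)


if __name__ == "__main__":
    base = legit_packets(100)
    mixed = legit_packets(100) + attack_packets(600)
    fp = blocking_decision(mixed, base, pps(base))
    print(fp, false_positive_rate(fp, base))
```

On the constructed traffic the search first picks the TTL (it alone cuts the baseline hit rate to 20%), then the SYN flag, then the 40-byte size, ending with a three-field footprint that blocks every flood packet and none of the baseline packets. The real module works on about 17 parameters and on live feedback rather than a labelled baseline capture, but the keep, discard and stop decisions follow the same three conditions.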

c. Multiple Segments IPS – Virtual IPS

Our IPS is a high port density device. It has a total of 20 gigabit ports and allows 9 independent network segments to be connected to it. Our IPS acts as multiple virtual IPSes that protect multiple LAN segments concurrently. The following figure shows the possible deployment of the IPS.


The advantages of the multi-segment IPS are as follows:

  • Low cost: no need to buy multiple IPSes for different segments

  • Centralized administration of policy

  • Maximized internal network protection
    An attack can be stopped at the segment protected by the IPS, which blocks the spread of a virus more quickly

d. Brute Force Protection for Central Servers and Application Servers

One of the main objectives of our IPS is to protect CityU's central servers and applications. The following IPS features provide that protection:

  • Server resources protection
    The following IPS modules protect server resources:

    • SYN packet protection module

    • Connection Limit module

    • Bandwidth Management module

  • Application protection
    The following types of attack are blocked by the IPS using signature-based protection:

    • Brute Force Password Guess

    • Buffer Overflow

    • SQL Injection

    • Cross-site scripting

e. Programmable API for Dynamic Policy management

One of the advantages of our IPS is its support for a programmable API that allows users to update the IPS policy dynamically. For example, if the mail server detects that some hosts are sending spam mail to the Internet, the administrator can make use of the programmable API to update the IPS policy automatically and block the Internet access of those hosts. Without such integration, it may take much longer to block the attack.
This greatly improves the interoperability and response time between different security systems. In addition, it integrates all the security devices into a single autonomous system.
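The mail-server-to-IPS integration described above, as an added Python example that is not the CSC's own code. The page does not document the IPS's programmable API, so `IpsPolicy` is a hypothetical stand-in that records time-limited block rules; the mail log format, the internal domain, the spam threshold and the block lifetime are likewise constructed assumptions. The reaction logic itself, counting outbound messages per internal host and pushing a block for any host over the threshold, is what an administrator would wire to the real API.

```python
import re
from collections import Counter

# Constructed outbound mail log format (not a real MTA's format):
#   <timestamp> mail: from=<internal host IP> to=<recipient> status=<sent|bounced>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) mail: from=(?P<src>\d+\.\d+\.\d+\.\d+) to=(?P<rcpt>\S+) status=(?P<status>\w+)$"
)


def constructed_log():
    """Sample log: one host spraying 60 external messages, one normal host, one
    host mailing only internal addresses, and one line that does not parse."""
    lines = []
    lines += [f"2006-12-01T09:00:{i % 60:02d} mail: from=10.1.2.3 to=user{i}@example.net status=sent"
              for i in range(60)]
    lines += [f"2006-12-01T09:05:{i:02d} mail: from=10.1.2.4 to=friend{i}@example.org status=sent"
              for i in range(5)]
    lines += [f"2006-12-01T09:06:{i % 60:02d} mail: from=10.1.2.5 to=staff{i}@cityu.edu.hk status=sent"
              for i in range(80)]
    lines.append("garbage line that does not parse")
    return "\n".join(lines)


def count_outbound(log_text, internal_domain="cityu.edu.hk"):
    """Messages per source host that leave for the Internet (internal mail ignored)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue                              # tolerate lines that do not parse
        domain = m["rcpt"].rsplit("@", 1)[-1].lower()
        if domain == internal_domain:
            continue
        counts[m["src"]] += 1
    return counts


class IpsPolicy:
    """Hypothetical stand-in for the IPS's programmable policy API.

    The real API is not described on this page; this class only records
    timed block rules so the reaction logic can be exercised offline."""

    def __init__(self):
        self.rules = {}

    def block_host(self, host, ttl_seconds, reason, now):
        # A time-limited rule: the block lapses on its own unless renewed.
        self.rules[host] = {"expires": now + ttl_seconds, "reason": reason}

    def is_blocked(self, host, now):
        rule = self.rules.get(host)
        return rule is not None and rule["expires"] > now


def react_to_spam(log_text, policy, now, threshold=50, ttl_seconds=3600):
    """Push a time-limited block to the IPS for every host over the spam threshold."""
    blocked = []
    for host, n in count_outbound(log_text).items():
        if n >= threshold:
            policy.block_host(host, ttl_seconds, f"{n} outbound messages", now)
            blocked.append(host)
    return sorted(blocked)


if __name__ == "__main__":
    policy = IpsPolicy()
    print(react_to_spam(constructed_log(), policy, now=0))
    print(policy.rules)
```

Giving every automatically pushed rule an expiry is the safeguard that makes this kind of closed loop acceptable: a false positive from the mail side then costs an hour of connectivity rather than an indefinite block that nobody remembers to lift.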

Conclusion

Nowadays, tremendous numbers of software vulnerabilities are found every day. In addition, the techniques used by viruses/worms are evolving quickly, so we must make use of the latest techniques to stop these attacks. The advanced features of our new IPS discussed above further tighten the security level at our Internet gateway. Besides, the vendor is working closely with us to incorporate new features into our IPS. This makes the CSC capable of responding quickly and directly to stop new attacks and provide maximum security protection for CityU.

Also in this issue...
Future Enhancements to the CityU's Email Infrastructure
Planned Network upgrade
Preparation for Microsoft Internet Explorer 7
Improving Desktop Security with McAfee Anti-Spyware
Desktop and Notebook Purchase Guidelines
Power Interruption in Data Center



 

Copyright © Computing Services Centre, City University of Hong Kong. Last modified on Tuesday, 17-Jun-08 12:18:26.