Intrusion prevention system protects Duke's network
April 6, 2009
A newly installed intrusion prevention system (IPS) monitors traffic on Duke’s network to more quickly and efficiently identify potential threats such as exploits, worms and viruses.
The Tipping Point system, installed by the IT Security Office and OIT’s networking group, monitors patterns and signatures of packets in traffic to and from the Internet and on Duke’s network. Unlike Duke’s earlier intrusion detection system, Tipping Point allows Duke not only to identify bad traffic but also to block it.
“With the IDS, we were reactive; now we can be proactive,” explained Mike Cullen, OIT senior network engineer.
Duke’s network sees about 4,000 to 20,000 attacks per hour. An IPS monitors network activity and takes action against suspicious traffic. The IT Security Office has set up more than 1,700 filters and quarantines any IP address that attempts more than 500 SSH logins per hour. In the first two months, the system quarantined about 1,000 IP addresses, with only one known false positive. Those quarantined are denied access to all Duke sites and redirected to a URL with information on how valid traffic can regain access.
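The quarantine rule above (more than 500 SSH logins per hour from one address) is a simple rate threshold. The following is an added example written for this article, not code from Duke OIT or from the Tipping Point product: it counts OpenSSH authentication log lines per source address per hour, flags addresses over the threshold, and skips an allowlist of known busy internal hosts, which is one way an operator keeps false positives like the one mentioned above to a minimum. The log lines, addresses, the `THRESHOLD` default and the `ALLOWLIST` entry are all constructed for the example.

```python
"""Rate-based SSH login-attempt detection (added example, not Duke's or
Tipping Point's code). Parses OpenSSH sshd auth lines, counts attempts per
(hour, source address), and reports addresses exceeding a per-hour threshold.
Sample log lines, addresses, THRESHOLD and ALLOWLIST are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime

THRESHOLD = 500            # attempts per hour per source address (figure from the article)
ALLOWLIST = {"10.0.0.5"}   # assumed: an internal host that legitimately logs in very often

# Matches OpenSSH auth messages such as
# "Jan 12 03:14:07 host sshd[1234]: Failed password for invalid user bob from 203.0.113.7 port 5000 ssh2"
SSH_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?\S+ from (?P<ip>[\d.]+)"
)


def parse_line(line, year=2009):
    """Return (hour_bucket, ip) for an sshd login attempt line, or None otherwise."""
    m = SSH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
    return ts.replace(minute=0, second=0), m["ip"]


def count_attempts(lines, year=2009):
    """Count login attempts (failed or accepted) per (hour, ip) bucket."""
    counts = Counter()
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            counts[parsed] += 1
    return counts


def find_offenders(lines, threshold=THRESHOLD, allowlist=ALLOWLIST, year=2009):
    """Return {ip: peak attempts in a single hour} for non-allowlisted addresses over threshold."""
    peak = defaultdict(int)
    for (_hour, ip), n in count_attempts(lines, year).items():
        peak[ip] = max(peak[ip], n)
    return {ip: n for ip, n in peak.items() if n > threshold and ip not in allowlist}


def make_sample_log():
    """Constructed sample: one brute-forcer, one noisy allowlisted host, one ordinary user."""
    lines = []
    for i in range(600):   # 203.0.113.7: 600 failures within hour 03 -> over threshold
        lines.append(f"Jan 12 03:{i // 60:02d}:{i % 60:02d} bastion sshd[{1000 + i}]: "
                     f"Failed password for invalid user admin from 203.0.113.7 port {40000 + i} ssh2")
    for i in range(520):   # 10.0.0.5: over threshold, but allowlisted
        lines.append(f"Jan 12 03:{i // 60:02d}:{i % 60:02d} bastion sshd[{5000 + i}]: "
                     f"Accepted publickey for deploy from 10.0.0.5 port {50000 + i} ssh2")
    for i in range(300):   # 198.51.100.9: 300 per hour over two hours -> under threshold each hour
        for hour in ("04", "05"):
            lines.append(f"Jan 12 {hour}:{i // 60:02d}:{i % 60:02d} bastion sshd[{7000 + i}]: "
                         f"Failed password for alice from 198.51.100.9 port {60000 + i} ssh2")
    # A non-login sshd line that the parser must ignore
    lines.append("Jan 12 03:00:00 bastion sshd[9]: Connection closed by 192.0.2.1 port 1 [preauth]")
    return lines


if __name__ == "__main__":
    for ip, n in sorted(find_offenders(make_sample_log()).items()):
        print(f"quarantine {ip}: {n} SSH attempts in one hour")
```

Counting both failed and accepted logins matches the article's wording ("attempts more than 500 SSH logins"); an operator who wants to flag only brute-force failures can test `m["result"]` in `parse_line`. The allowlist is what keeps a legitimately busy host such as a deployment server from being quarantined.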
Because the system stops all invalid traffic, the IT Security Office also uses it to identify troubled devices on Duke's network.
“I use it as a way to identify infected users – a window into bad traffic, to alert a user or system admin of a misconfigured or compromised machine,” said Artem Kasantsev, senior security analyst in the IT Security Office.
Tipping Point is especially valuable for large enterprises with relatively small IT security departments because it can identify and block security risks even before a vendor patch is developed or installed. This better protects the network and allows the IT department to schedule critical patches to key services during off-peak times, meaning fewer service interruptions.
“It’s like a virtual patch for your system,” said Howie Howerton, mid-Atlantic security engineer for Tipping Point. “It protects your most valuable assets from attack before they’re patched, providing a compromise between security and service delivery.”
The system also allows fine-tuned settings that can provide customized profiles and detailed reports for schools, departments and IT staff.
As IT Security staff adjust the IPS settings and bring new functionality online, some false positives are inevitable. If you notice a machine being blocked from the network or have questions or concerns, call the OIT Service Desk (684-2200).
“Our goal is to make this transition as transparent and seamless as possible,” Kasantsev said.