Campus networks have a large number of users and many access ports, which makes it easy for mining Trojans to hide in them and attack them; many universities have suffered from this. At the same time, the Cyberspace Administration of China and other departments jointly issued the "Notice on the Rectification of Virtual Currency 'Mining'" in September, tightening the supervision of virtual currency "mining" activities. Drawing on its insight into university campus network scenarios, Ruijie offers a "network + security" solution for keeping the campus from becoming a "mine" and protecting the security of the campus network.

What is a mining Trojan, and what harm does it do to a campus?

Obtaining virtual currency through large amounts of computation is called "mining", and a mining program implanted on a victim's computer without the victim's knowledge is called a mining Trojan. Mining Trojans heavily consume host computing resources and interfere with normal business operations. They also consume a great deal of electricity, which runs counter to the current energy strategy and carbon neutrality strategy. Some universities have even had their enrollment websites compromised by mining Trojans, seriously disrupting normal work. Many universities have been criticized for inadequate supervision of campus mining.

In fact, when mining Trojans first emerged, many universities began exploring prevention measures, but they still ran into difficulties:

First, the firewalls already in place are ineffective. On the one hand, the performance of some firewalls drops significantly once the antivirus function is enabled, so they cannot meet the protection requirements. On the other hand, the protection methods of some firewalls are incomplete, so the university still crosses the regulator's "high-voltage line" and is named in a notification.

Second, tracing alarms by IP is difficult.
Campus networks are mostly DHCP environments, and current firewalls mostly raise alarms by IP, which requires the operations and maintenance staff to query multiple logs to trace the source. A college has a large number of students and often only a few operations and maintenance staff, so they inevitably cannot keep up with processing a large volume of alarms in real time.

Third, the lateral spread of the virus cannot be suppressed. Preventing and controlling mining Trojans is similar to controlling an epidemic: in addition to keeping out external sources of infection, internal transmission must be cut off promptly to minimize the harm. Intercepting at the egress alone cannot fully control the virus.

So how can colleges and universities comprehensively investigate and rectify virtual currency "mining" activities and create a safe and orderly campus network environment? Ruijie provides its own solution based on the characteristics of higher-education scenarios: tapping the security capabilities of the network equipment and linking it with the security equipment, so that the mining problem is solved at the level of the overall architecture.

[Figure: Overall architecture of the university Trojan protection solution]

An overview of the Trojan protection solution for colleges and universities

1. No worries about notifications, no need to step on the "high-voltage line"

[Figure: Ruijie anti-mining Trojan solution]

Ruijie firewalls are deployed at the egress, and flow probes are attached to the core switches. Linked with the Tencent Cloud security platform, flow detection technology accurately identifies mining Trojans. A mining Trojan typically first resolves mining-related DNS domain names and then logs in to and interacts with the mining pool at the IP address returned by DNS. The traditional approach detects the domain name first and then blocks the subsequent IP communication.
Although this also blocks mining, it is easily identified and reported by the regulator's monitoring system, because the DNS resolution is allowed to complete.

[Figure: Threat intelligence and Tencent Cloud security linkage]

2. Accurately locate student IDs and free up operations and maintenance staff

After intercepting the DNS lookups of mining Trojans, the hosts involved must be dealt with, and anyone who is notified must provide a complete chain of evidence. Ruijie links the firewall with situational awareness (BDS) and identity authentication (SAM): the student/teacher account, IP and time information held in SAM is matched in BDS against the alarm, IP and time information from security devices such as firewalls, so that a complete trace including student ID, time and the specific alarm is easily obtained.

[Figure: BDS links with SAM for real-name account positioning]

3. Block lateral spread and curb internal transmission

In handling mining Trojans, prevention and notifications are only one aspect; the key is to form an effective governance system. Most solutions in the industry currently deploy security equipment at the network boundary, which cannot prevent the virus from spreading internally. Some mining Trojans also have worm characteristics: they can penetrate the intranet and seriously threaten the security of servers. Ruijie situational awareness is linked with the switches: by collecting sFlow samples from the switches, it can identify and block east-west mining traffic across the whole school. Once the situational awareness platform identifies an infected host, it also sends a policy to the switch to take the infected host offline at its port, blocking the mining Trojan's lateral replication inside the network and making mining control more thorough.
[Figure: BDS sends policies to switches to prevent lateral spread]

Ruijie has long been deeply involved in the education industry and has a deep understanding of campus network applications and regulatory scenarios. For the anti-mining scenarios of colleges and universities, starting from the overall architecture of the campus network, we fully exploit the security capabilities of the existing network equipment and, through three means, egress blocking, real-name tracing and internal blocking, quickly discover and block mining viruses, accurately locate them and prevent their spread, safeguarding a clear and safe campus network environment.
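The DNS-stage interception described in section 1 (deciding on the lookup itself, before any resolution leaves the campus) can be illustrated with an added example. This is not Ruijie's code or the Tencent Cloud platform's logic; the blocklist domains, the log-line format and the log lines are constructed placeholders.

```python
"""Added example (not Ruijie code): DNS-stage interception of mining-pool lookups.

The blocklist domains and the query-log lines are constructed placeholders.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed placeholder blocklist of mining-pool domains (hypothetical names).
MINING_POOL_DOMAINS = {
    "pool.example-miner.test",
    "stratum.example-pool.test",
}


def normalize_name(qname: str) -> str:
    """Lower-case and strip the trailing dot so 'POOL.Example.test.' still matches."""
    return qname.strip().rstrip(".").lower()


def is_blocked(qname: str, blocklist: set[str] = MINING_POOL_DOMAINS) -> bool:
    """True if qname equals, or is a subdomain of, a blocklisted domain.

    Walks from the full name up through its parents (a.b.c -> b.c -> c), so a
    regional pool front-end under a listed domain is caught without listing it,
    while a look-alike such as notpool.example-miner.test is not.
    """
    labels = normalize_name(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


@dataclass(frozen=True)
class Decision:
    client_ip: str
    qname: str
    action: str  # "sinkhole" (answer locally, never forward) or "allow"


# Constructed log shape: "<timestamp> <client ip> <query name> <query type>"
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def filter_queries(lines, blocklist=MINING_POOL_DOMAINS) -> list[Decision]:
    """Decide every query before it is forwarded; malformed lines are skipped."""
    decisions = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        action = "sinkhole" if is_blocked(m["qname"], blocklist) else "allow"
        decisions.append(Decision(m["client"], normalize_name(m["qname"]), action))
    return decisions


def sinkholed_clients(lines, blocklist=MINING_POOL_DOMAINS) -> dict[str, list[str]]:
    """Map each client IP to the blocked names it asked for (input for tracing)."""
    hits: dict[str, list[str]] = {}
    for d in filter_queries(lines, blocklist):
        if d.action == "sinkhole":
            hits.setdefault(d.client_ip, []).append(d.qname)
    return hits


# Constructed sample query log.
SAMPLE_LOG = [
    "2021-11-03T10:15:02 10.20.30.41 us-east.POOL.example-miner.test. A",
    "2021-11-03T10:15:05 10.20.30.41 www.example.edu A",
    "2021-11-03T10:16:10 10.20.31.7 stratum.example-pool.test A",
    "2021-11-03T10:16:11 10.20.31.7 notpool.example-miner.test AAAA",
    "this line is not a query record",
]

if __name__ == "__main__":
    for client, names in sinkholed_clients(SAMPLE_LOG).items():
        print(client, names)
```

Because the decision is taken on the query name, a sinkholed lookup never produces an outbound resolution that an external monitor could observe, which is the difference the article draws between blocking at the DNS stage and blocking the later IP connection.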
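The account-to-alarm matching in section 2 (SAM's account/IP/time joined with the firewall's alarm/IP/time) is shown below as an added example, not Ruijie's BDS implementation. The session and alarm records are constructed, and the 30-second skew tolerance is an assumption; the point it adds is how a DHCP address reused by two people in one day is attributed correctly, and how an alarm that no session covers is left unresolved rather than pinned on the wrong person.

```python
"""Added example (not Ruijie code): attributing firewall alarms to accounts by
joining them with authentication sessions on (IP, time). All records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Session:
    account: str                 # student/teacher ID from the authentication system
    ip: str
    login: datetime
    logout: Optional[datetime]   # None = still online


@dataclass(frozen=True)
class Alarm:
    time: datetime
    ip: str
    rule: str


@dataclass(frozen=True)
class Trace:
    alarm: Alarm
    account: Optional[str]       # None when no session covers the alarm
    session_login: Optional[datetime]


def session_covers(s: Session, t: datetime, slack: timedelta) -> bool:
    """A session covers time t if login - slack <= t <= logout + slack.
    The slack (assumed) tolerates clock skew between firewall and auth server."""
    if t < s.login - slack:
        return False
    return s.logout is None or t <= s.logout + slack


def attribute(alarms, sessions, slack=timedelta(seconds=30)) -> list[Trace]:
    by_ip: dict[str, list[Session]] = {}
    for s in sessions:
        by_ip.setdefault(s.ip, []).append(s)
    traces = []
    for a in alarms:
        candidates = [s for s in by_ip.get(a.ip, []) if session_covers(s, a.time, slack)]
        if not candidates:
            traces.append(Trace(a, None, None))          # no evidence chain: do not guess
            continue
        # With DHCP the same IP is handed out again; the latest login covering
        # the alarm is the one that actually held the address at that moment.
        best = max(candidates, key=lambda s: s.login)
        traces.append(Trace(a, best.account, best.login))
    return traces


def evidence_chain(trace: Trace) -> str:
    """One-line record with the three elements a notification needs: who, when, what."""
    who = trace.account or "UNRESOLVED"
    return f"{who} | {trace.alarm.ip} | {trace.alarm.time.isoformat()} | {trace.alarm.rule}"


# Constructed data: one address used by two students on the same day.
SAMPLE_SESSIONS = [
    Session("2019001234", "10.20.30.41", datetime(2021, 11, 3, 8, 0), datetime(2021, 11, 3, 9, 30)),
    Session("2020005678", "10.20.30.41", datetime(2021, 11, 3, 9, 45), None),
    Session("2020009999", "10.20.31.7", datetime(2021, 11, 3, 7, 30), datetime(2021, 11, 3, 12, 0)),
]
SAMPLE_ALARMS = [
    Alarm(datetime(2021, 11, 3, 9, 0), "10.20.30.41", "mining-pool DNS"),   # first student
    Alarm(datetime(2021, 11, 3, 10, 10), "10.20.30.41", "mining-pool DNS"), # second student
    Alarm(datetime(2021, 11, 3, 9, 40), "10.20.30.41", "mining-pool DNS"),  # gap between leases
    Alarm(datetime(2021, 11, 3, 9, 5), "10.20.33.9", "mining-pool DNS"),    # never authenticated
]

if __name__ == "__main__":
    for t in attribute(SAMPLE_ALARMS, SAMPLE_SESSIONS):
        print(evidence_chain(t))
```

The unresolved cases are worth keeping visible: an alarm from an address with no authenticated session points at an unmanaged device or a logging gap, and either is something the operations staff need to know about before anyone is notified.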
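Section 3 describes identifying infected hosts from sFlow samples and taking them offline at the access port. The following added example sketches that pipeline; it is not Ruijie's situational-awareness code and does not emit any vendor's switch commands. The campus address range, the pool endpoint indicator, the scan threshold, the flow samples and the host-to-port table are all constructed assumptions.

```python
"""Added example (not Ruijie code): flagging infected hosts from sFlow-style
samples and producing a port-quarantine action for the access switch.
Samples, indicators, thresholds and the port table are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CAMPUS = ip_network("10.20.0.0/16")          # assumed campus address range
POOL_ENDPOINTS = {("203.0.113.10", 3333)}    # constructed (dst IP, port) indicator
SCAN_THRESHOLD = 8   # distinct internal targets on one port within the sample window


@dataclass(frozen=True)
class Sample:
    src: str
    dst: str
    dport: int
    octets: int


def is_internal(ip: str) -> bool:
    return ip_address(ip) in CAMPUS


def classify(samples) -> dict[str, set[str]]:
    """Return {internal host: {reasons}} for hosts that look infected.

    Two signals from the article: north-south traffic to a known pool endpoint,
    and east-west fan-out (one host touching many peers on one port), which is
    the worm-like lateral behaviour the boundary firewall cannot see.
    """
    findings: dict[str, set[str]] = defaultdict(set)
    fanout: dict[tuple[str, int], set[str]] = defaultdict(set)
    for s in samples:
        if not is_internal(s.src):
            continue
        if (s.dst, s.dport) in POOL_ENDPOINTS:
            findings[s.src].add("pool-traffic")
        if is_internal(s.dst) and s.dst != s.src:
            fanout[(s.src, s.dport)].add(s.dst)
    for (src, dport), targets in fanout.items():
        if len(targets) >= SCAN_THRESHOLD:
            findings[src].add(f"lateral-scan:{dport}")
    return dict(findings)


# Constructed host -> (switch, port) mapping, as an ARP/NAC table would supply.
PORT_TABLE = {
    "10.20.30.41": ("access-sw-07", "GigabitEthernet0/12"),
    "10.20.31.7": ("access-sw-12", "GigabitEthernet0/3"),
}


def quarantine_actions(findings, port_table) -> list[dict]:
    """Turn findings into the policy the platform would push to the switch."""
    actions = []
    for host, reasons in sorted(findings.items()):
        switch, port = port_table.get(host, ("unknown", "unknown"))
        actions.append({"host": host, "switch": switch, "port": port,
                        "action": "shutdown", "reasons": sorted(reasons)})
    return actions


def build_samples() -> list[Sample]:
    """Constructed sample window: one miner, one scanner, one ordinary host."""
    samples = [Sample("10.20.30.41", "203.0.113.10", 3333, 1200)] * 3
    samples += [Sample("10.20.31.7", f"10.20.31.{i}", 445, 80) for i in range(10, 20)]
    samples += [Sample("10.20.32.5", "10.20.1.1", 443, 5000),
                Sample("10.20.32.5", "10.20.1.2", 445, 300)]
    return samples


if __name__ == "__main__":
    for action in quarantine_actions(classify(build_samples()), PORT_TABLE):
        print(action)
```

Sampling rate matters here: sFlow sees only a fraction of packets, so the fan-out threshold should be set against the sampled count rather than the true connection count, and a host that appears under "unknown" in the port table is a gap in the address-to-port inventory that the quarantine step cannot close on its own.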