The Role of Security in NRENs
Christoph Graf
SWITCH
<[email protected]>
2005 © SWITCH
The Origins: Insider and Outsider
(Slide diagram, labels: Online / Offline, Internet, “bad” user, “good” user, “wannabees”.)
The Friends of My Friends… (1) (“Les amis de mes amis…”)
(Slide diagram, labels: Online / Offline, “bad” user, “good” user, “wannabees”.)
JEKAMI (Jeder kann mitmachen = everybody can participate)
(Slide diagram, labels: “bad” user, “good” user.)
Walls and Fortresses
(Slide diagram, labels: Organisation A, Organisation B, Organisation C, Guardian/firewall, “bad” user, “good” user.)
The Friends of My Friends… (2) (“Les amis de mes amis…”)
(Slide diagram, labels: Organisation A, Organisation B, Organisation C, Guardian/firewall, “bad” user, “good” user.)
Mobility and Roaming: Welcome to The Present Times!
(Slide diagram, labels: Organisation A, Organisation B, Organisation C, Guardian/firewall, “bad” user, “good” user.)
Agenda
In 80 seconds through the ages of the INTERNET
The NREN environment
The security landscape
The security activities in GÉANT
The “netflow divide”
A sample portfolio of NREN security activities
Outlook/Trends
The NREN Environment
NRENs (National Research and Education Networks)
– Come in many flavours
– I’m wearing my NREN (SWITCH) hat... It might show
Characterising NRENs...
– Designing, implementing and running services
... which are not (yet) commercially available
... including network services and security services (CSIRT)
– High level of technical expertise
– Well networked with the academic world (their customers)
– Not doing research, but collaborating with research and learning from it
– Well networked among each other (TERENA, DANTE, GÉANTx)
– Open to collaboration and information sharing, if perceived beneficial
Security Landscape
(Slide diagram: the security landscape as tiers, from role-based, formal, abstract and indirect relationships at the top to personal, informal, concrete and direct relationships at the bottom.)
– Lobbying, BCP, trust enabling, knowledge: industry representation, focused groups, FIRST, TF-CSIRT (TERENA)
– Networking, projects, knowledge: GÉANT Security, undisclosed groups, TI (TERENA), swirt.ch (Swiss ISPs)
– Incident co-ordination: CSIRTs (SWITCH-CERT, NREN/ISP/Gov CERTs, vendor CERTs)
– Campus security teams: site security teams
– Customer relationship: admins, end users
Security Activities in GÉANT2
WI1: Securing GN2 network elements and services
– Policy work
WI2: Building of security services
– Building the “toolset”, which makes life easier for CSIRTs
WI3: Infrastructure for co-ordinated security incident handling
– Set-up of an information exchange infrastructure between CSIRTs
– Reliable, secure and efficient for operational work on daily basis
WI4: Relationship with TF-CSIRT
– TF-CSIRT is THE European CSIRT networking platform
– Member subsets form project groups and gather around TF-CSIRT meetings
– The GÉANT security activities do it alike (membership is a subset)
WI5: Establishment of an advisory panel
– Commenting on the work, observing the trends, giving recommendations
Some observations
Most teams are operationally oriented
– Clear idea of existing problems and know what they want: the “toolset”
– Operationally relevant results count more than “pure” research results
The “toolset” is heavily linked to NREN networks
– Anomaly detection, network forensics and other network-related tasks are where teams feel they need support
The “netflow divide”
– The toolset requires network data (currently: netflow)
– Not all teams get access to netflow data
Overcoming the “netflow divide”
Message to outsiders: try to get on board!
Hosting a security team and operating a network within the same NREN is a synergy opportunity!
The “toolset” helps to extract highly relevant data from the network
– Hacked customer systems, anomalies, (unnoticed) attacks
– ... often before they create operational problems
Security teams become more proactive
– The “toolset” provides material to share
– It fosters trust within your constituency
In short: it adds value to NRENs, their customers and the rest of the world
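As an added example (not code from the presentation or from SWITCH), a minimal version of the kind of NetFlow triage the “toolset” is meant to do: read an nfdump-style CSV export, keep only flows sourced inside the NREN's constituency, and flag two patterns that point at hacked customer systems, namely sustained traffic to bot command-and-control ports and one host fanning out to many external hosts on a single port. The flow records, the constituency prefix, the C&C port list and the thresholds are all constructed assumptions chosen for illustration.

```python
"""Toy NetFlow triage, in the spirit of the CSIRT "toolset" discussed above.

Added example, not code from the presentation or from SWITCH. The flow
records, the constituency prefix, the C&C port list and the thresholds are
all constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple

# Assumption: the NREN's customer address space (a documentation prefix here).
CONSTITUENCY = ip_network("192.0.2.0/24")
# Assumption: destination ports treated as bot command-and-control indicators
# (IRC, the usual C&C channel of 2005-era bots).
CNC_PORTS = {6667, 6668, 6669}
# Assumption: how many distinct external hosts on one port count as a scan.
SCAN_FANOUT = 20


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    nbytes: int


# Constructed sample export (nfdump-style CSV): src,dst,proto,sport,dport,packets,bytes
SAMPLE_EXPORT = (
    "192.0.2.10,198.51.100.5,6,50001,80,12,9800\n"      # ordinary web browsing
    "192.0.2.10,198.51.100.6,6,50002,443,20,15000\n"
    "192.0.2.77,203.0.113.9,6,1045,6667,340,21000\n"    # bot talking to IRC C&C
    "192.0.2.77,203.0.113.9,6,1046,6667,12,800\n"
    + "".join(                                           # one host sweeping 445/tcp
        f"192.0.2.99,198.51.100.{i},6,{40000 + i},445,1,48\n" for i in range(1, 31)
    )
    + "198.51.100.200,192.0.2.10,6,4444,22,3,200\n"      # inbound, source is not ours
)


def parse_flows(text: str) -> List[Flow]:
    """Parse the CSV export into Flow records, skipping blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, proto, sport, dport, packets, nbytes = line.split(",")
        flows.append(Flow(src, dst, int(proto), int(sport), int(dport),
                          int(packets), int(nbytes)))
    return flows


def triage(flows: List[Flow]) -> Dict[str, dict]:
    """Flag constituency hosts that talk to C&C ports or fan out like a scanner.

    Only flows whose source lies inside CONSTITUENCY are considered: the
    security team warns its own customers, it does not police the Internet.
    """
    cnc_bytes: Dict[str, int] = defaultdict(int)
    fanout: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    for f in flows:
        if ip_address(f.src) not in CONSTITUENCY:
            continue
        if f.proto == 6 and f.dport in CNC_PORTS:
            cnc_bytes[f.src] += f.nbytes
        if ip_address(f.dst) not in CONSTITUENCY:
            fanout[(f.src, f.dport)].add(f.dst)
    scans = {key: len(dsts) for key, dsts in fanout.items() if len(dsts) >= SCAN_FANOUT}
    return {"cnc": dict(cnc_bytes), "scans": scans}


def bot_warnings(result: Dict[str, dict]) -> List[str]:
    """Render findings as the one-line warnings a CSIRT would send a site team."""
    lines = []
    for host, nbytes in sorted(result["cnc"].items()):
        lines.append(f"{host}: {nbytes} bytes to IRC C&C ports, probable bot, check the host")
    for (host, port), count in sorted(result["scans"].items()):
        lines.append(f"{host}: contacted {count} external hosts on port {port}, scanning")
    return lines


if __name__ == "__main__":
    for warning in bot_warnings(triage(parse_flows(SAMPLE_EXPORT))):
        print(warning)
```

On the sample data the bot at 192.0.2.77 and the 445/tcp sweep from 192.0.2.99 are reported, while the web browsing host and the inbound flow from outside the constituency stay silent. A real deployment would replace the CSV literal with an nfdump export, size the thresholds to the link, and keep port-based C&C indicators as one signal among several, since bots were already moving off plain IRC in 2005; the point of the example is that sampled flow data alone, without packet capture, is enough to find the hacked host before it causes an operational problem.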
Business Unit Security @SWITCH
(Organisation chart: Security, comprising Incident Handling (CSIRT), Consulting (CIIP), Laboratory and Security Services; internal services: HW/OS, consulting, e-mail.)
• CSIRT
– Proactive CSIRT tasks (information services, community
building)
– Reactive CSIRT tasks (security helpdesk, incident handling and
co-ordination)
• Critical Information Infrastructure Protection (CIIP)
– Threat/risk analysis
– Crisis management support
• Security Services
– Anomaly detection, malware signature sensing
– Internet threat related consulting
• Laboratory
– Malware analysis lab
– Network sensor development
– Security research collaboration
Trends to Consider in Future Phases
CIIP (Critical Information Infrastructure Protection)
– The criticality of the “network” is increasing
– New expectations, potentially new service needs (7x24)
Law enforcement, legal issues
– Laws increasingly enforced in the “virtual” world
– New regulatory requirements looming? Mandating the “toolset”???
– Education needs, new vocabulary, new service needs
Convergence voice/data/gadgets
– Old and new threats hitting an unaware community (DoS, SPIT: spam over Internet telephony)
– Protecting new services: education, new tools
“Grid Impact”
– Lightpath/BoD: NREN/GN2 overlay networks without “toolset” protection
– High-risk parallel world, with high-bandwidth interconnects on IP layer
Security Activities of GÉANT2: Outlook
Still driven by operational needs of GÉANT partner security teams
– ... the needs of network-minded GÉANT partner security teams
Not focused on “pure” research
– we are too eager for operationally relevant results
– but nevertheless moving in uncharted territory
Pushing to reach full GÉANT coverage for some issues (BCP)
– Hosting of a security team
– Equipped with a minimum set of capabilities
– Embedded in a co-ordination infrastructure
– Following agreed operational standards
Focused on the description of work
– Other interesting things popping up? TF-CSIRT takes care of that
Mobility and Roaming: The Present Times, Part Two
(Slide diagram, labels: Organisation A, Organisation B, Organisation C, Guardian/firewall, “bad” user, “good” user.)
Guess, What’s This?
It’s a Bot!
“(...) not only is it an oscilloscope, but in the background it also runs Windows 2000 (without updates of course and naturally with bots as extra add-ins!). No updates, no anti-virus, no firewall.
“It was difficult to find because it wasn't always on the net and even when we blocked the port, the user therefore didn't really notice. On top of that we were not looking for an oscilloscope!”
SWITCH-CERT customer feedback, after receiving our bot warning