TransPAC2 Security and the Research and Education Networking Information Sharing and Analysis Center REN-ISAC John Hicks TransPAC2/Indiana University [email protected] http://www.transpac2.net http://www.ren-isac.net/ Copyright Trustees of Indiana University 2003.
Download
Report
Transcript TransPAC2 Security and the Research and Education Networking Information Sharing and Analysis Center REN-ISAC John Hicks TransPAC2/Indiana University [email protected] http://www.transpac2.net http://www.ren-isac.net/ Copyright Trustees of Indiana University 2003.
TransPAC2 Security
and the
Research and Education Networking
Information Sharing and Analysis Center
REN-ISAC
John Hicks
TransPAC2/Indiana University
[email protected]
http://www.transpac2.net
http://www.ren-isac.net/
Copyright Trustees of Indiana University 2003. Permission is granted for this material to be shared for non-commercial educational
purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by
permission of Indiana University. To disseminate otherwise or to republish requires written permission from Indiana University (via
email to [email protected])
TransPAC2 - REN-ISAC
The relationship between TransPAC2 and the REN-ISAC is one
of mutual support.
Supported by Indiana University and through relationship with
EDUCAUSE and Internet2, the REN-ISAC:
• is an integral part of the U.S. higher education strategy to
improve network security through information collection,
analysis, dissemination, early warning, and response;
specifically designed to support the unique environment
and needs of organizations connected to served higher
education and research networks, and
• supports efforts to protect the U.S. national cyber
infrastructure by participating in the formal U.S. ISAC
structure.
2
Complementary Relationships
• REN-ISAC has core complimentary relationships with:
– EDUCAUSE
– Internet2
– EDUCAUSE and Internet2 Security Task Force
– IU Global NOC and Abilene network engineering
– IU Advanced Network Management Lab
– IU Information Technology Security Office
– US Department of Homeland Security & US-CERT
– IT-ISAC
– ISAC Council
– SALSA
3
Complementary Relationships
• US Department of Homeland Security - Information Analysis and
Infrastructure Protection Directorate has the objective so
implement the national strategy and to promote public/private
partnerships for information sharing and analysis – ISACs.
• ISACs are encouraged in each critical sector of national security
and the economy, e.g. IT, water, agriculture, energy,
transportation, finance, etc.
• ISAC Council is a body of the private sector ISACs that promotes
cooperation, sharing, and relation to DHS.
• National Cyber Security Partnership is a public-private
collaboration focused on strategies and actions to assist the DHS
National Cyber Security Division in implementation of the
President’s National Strategy to Secure Cyberspace.
4
Information Resources
• Network instrumentation
•
•
•
•
Router NetFlow data
Router ACL counters
Darknet
Global NOC operational monitoring systems
• Daily cybersecurity status calls with ISACs and US-CERT
• Vetted/closed network security collaborations
• Backbone and member security and network engineers
• Vendors, e.g. monthly ISAC calls with vendors
• Security mailing lists, e.g. EDUCAUSE, etc.
• Members – related to incidents on local networks
5
NetFlow Analysis
• Through partnership with TransPAC2, Internet2, and the IU
Abilene NOC, the REN-ISAC has access to Abilene and
TransPAC2 NetFlow data.
• In conjunction with the IU Advanced Network Management
Lab the NetFlow data is analyzed to characterize general
network security threat activity, and to identify specific
threats.
6
Abilene NetFlow Policy
• REN-ISAC & Internet2 NetFlow data policy agreement,
highlights:
– Data is anonymized to /21. Under perceived threat and
at the request of involved institutions the REN-ISAC can
selectively turn off anonymization.
– Publicly reported information is restricted to aggregate
views of the network. Information that identifies specific
institutions or individuals cannot be reported publicly.
– Detailed and sensitive information must be
communicated with designated representatives of the
affected institutions and refer only to local activity,
unless otherwise authorized.
– TransPAC2 has adopted the Abilene NetFlow Policy.
7
NetFlow Analysis
• Custom analysis
– Aggregate reports
– Detailed reports
• Data anonymized to /21
8
NetFlow Analysis – Traffic Grapher
IU ANML developed tool. Graph netflow by source and
destination IP port numbers, IP addresses and networks (in
CIDR format), and AS numbers. ICMP, TCP or UDP.
Optimized performance.
9
Traffic on Common and Threat Vector Ports
• Utilize Traffic Grapher to provide public views of Abilene
traffic on common application and threat vector ports.
• http://ren-isac.net/monitoring.cgi
• Also utilize ACL counters in routers to collect and publish
similar views.
10
11
Warning and Response
• REN-ISAC Watch Desk
– 24 x 7
– Co-located and staffed with the Global Research NOC
– +1 (317) 278-6630
– [email protected]
• Public reports to the U.S. higher education community regarding
analysis at aggregate views.
• Private reports to institutions regarding active threat involving
their institution.
• Daily Reports
– REN-ISAC Weather Report
– Darknet Report
• Alerts
• Public views from monitoring systems
12
Weather Report
• Daily Weather Report distributed via email to closed/vetted
communities, including:
– REN-ISAC members
– Inter-ISAC + DHS cybersecurity community
• Contains aggregate observations of threat traffic based on:
– Abilene netflow
– REN-ISAC darknet
13
Daily REN-ISAC Weather Report
• Critical notes
• News watch
• Netflow analysis
• Darknet Monitor - Top Ports
• Notes
• Reference
14
Daily REN-ISAC Darknet Reports
• Individual report per institution
• List Darknet source by IP
• List of watched networks
• Time Stamped Detail Files
15
Alerts
• Alerts are sent as required, distributed to:
– REN-ISAC members
• and, as appropriate to:
– Inter-ISAC + DHS cybersecurity community
– UNISOG
– EDUCAUSE security mailing list
– NSP-SEC
16
Communications Challenge
• Early warning and response to threat requires the
communication of timely and sensitive information to
designated contacts. The proper contact is one who can act
immediately, with knowledge and authority upon conveyed
information, and who is cleared to handle potentially
sensitive information.
• Publicly published contact points rarely serve those
requirements. Privacy considerations prevent deep and rich
contact information from being publicly published.
17
REN-ISAC Cyber Security Registry
• To provide contact information for cyber security matters in
US higher education, the REN-ISAC is developing a cyber
security registry. The goal is to have deep and rich contact
information for all US colleges and universities.
• The primary registrant is the CIO, IT Security Officer,
organizational equivalent, or superior.
• All registrations will be vetted for authenticity.
• Primary registrant assigns delegates. Delegates can be
functional accounts.
• Currency of the information will be aggressively maintained.
18
Summary of Activities
• Within US higher education, provide warning and response to
cyber threat and vulnerabilities; improve awareness, information
sharing, and communications.
• Support efforts to protect the national cyber infrastructure by
participating in the formal U.S. ISAC structure.
• Receive, analyze, and disseminate network security operational,
threat, warning, and attack information.
• REN-ISAC Cyber Security Registry
• Operational 24 x 7 watch desk
• Daily information sharing with ISACs, US-CERT, and others
• Cultivate relationships and outreach to complimentary
organizations and efforts
19
Opportunities for Collaboration with APAN?
• Tools
– Netflow tools
– Darknet information analysis tools
• Information sharing
– Such as daily reports and darknet information
• Common published views of activtity
– Such as port traffic
• Other?
John Hicks ([email protected])
20
Links
•
TransPAC2
– http://www.transpac2.org
•
REN-ISAC
– http://www.ren-isac.net
•
Internet2
– http://www.internet2.edu
•
EDUCAUSE
– http://www.educause.edu
•
EDUCAUSE and Internet2 Security Task Force
– http://www.educause.edu/security/
•
Indiana University Global NOC
– http://globalnoc.iu.edu
•
IU Internet2 Abilene network engineering
– http://globalnoc.iu.edu
•
SALSA:
– http://www.internet2.edu/security
21
Links
•
IAIP Daily Open Source Report
– http://www.nipc.gov/dailyreports/dailyindex.htm
•
IU Advanced Network Management Lab
– http://www.anml.iu.edu/
•
IU Information Technology Security Office
– http://www.itso.iu.edu/
•
IT-ISAC
– https://www.it-isac.org/
•
US-CERT
– www.us-cert.gov/
•
Flow Tools
– http://www.splintered.net/sw/flow-tools/
22