Page 1: The Role of Security in NRENs

Christoph Graf, SWITCH <[email protected]>

2005 © SWITCH

Page 2: The Origins: Insider and Outsider

[Diagram: online vs. offline; “good” user, “bad” user, “wannabees”; the Internet]

Page 3: Les amis de mes amis… (the friends of my friends…) (1)

[Diagram: online vs. offline; “good” user, “bad” user, “wannabees”]

Page 4: JEKAMI (Jeder kann mitmachen = everybody can participate)

[Diagram: “good” user, “bad” user]

Page 5: Walls and Fortresses

[Diagram: Organisation A, Organisation B, Organisation C, each behind a guardian/firewall; “good” user, “bad” user]

Page 6: Les amis de mes amis… (the friends of my friends…) (2)

[Diagram: Organisation A, Organisation B, Organisation C, each behind a guardian/firewall; “good” user, “bad” user]

Page 7: Mobility and Roaming

Welcome to The Present Times!

[Diagram: Organisation A, Organisation B, Organisation C, each behind a guardian/firewall; “good” user, “bad” user]

Page 8: Agenda

In 80 seconds through the ages of the INTERNET

The NREN environment

The security landscape

The security activities in GÉANT

The “netflow divide”

A sample portfolio of NREN security activities

Outlook/Trends

Page 9: The NREN Environment

NRENs (National Research and Education Networks)

– Come in many flavours

– I’m wearing my NREN (SWITCH) hat... It might show

Characterising NRENs...

– Designing, implementing and running services

... which are not (yet) commercially available

... including network services and security services (CSIRT)

– High level of technical expertise

– Well networked with the academic world (their customers)

– Not doing research, but collaborating with research and learning from it

– Well networked among each other (TERENA, DANTE, GÉANTx)

– Open to collaboration and information sharing, if perceived beneficial

Page 10: Security Landscape

[Diagram: the security landscape as seen from SWITCH-CERT. Labels recoverable from the slide:]

– Campus security teams: site security teams, admins, end users

– CSIRTs: NREN/ISP/Gov CERTs, vendor CERTs, swirt.ch (Swiss ISPs)

– Focused groups: undisclosed groups, industry representation

– GÉANT Security; TF-CSIRT (TERENA); TI (TERENA); FIRST

– Relationship axis: personal/informal/concrete/direct at one end, role-based/formal/abstract/indirect at the other

– Kinds of relationship: customer relationship; incident co-ordination; networking, projects, knowledge; lobbying, BCP, trust enabling, knowledge

Page 11: Security Activities in GÉANT2

WI1: Securing GN2 network elements and services

– Policy work

WI2: Building of security services

– Building the “toolset”, which makes life easier for CSIRTs

WI3: Infrastructure for co-ordinated security incident handling

– Set-up of an information exchange infrastructure between CSIRTs

– Reliable, secure and efficient for operational work on a daily basis

WI4: Relationship with TF-CSIRT

– TF-CSIRT is THE European CSIRT networking platform

– Member subsets form project groups and gather around TF-CSIRT meetings

– The GÉANT security activities do likewise (membership is a subset)

WI5: Establishment of an advisory panel

– Commenting on the work, observing the trends, giving recommendations

Page 12: Some observations

Most teams are operationally oriented

– Clear idea of existing problems and know what they want: the “toolset”

– Operationally relevant results count more than “pure” research results

The “toolset” is heavily linked to NREN networks

– Anomaly detection, network forensics and other network-related tasks are where teams feel they need support

The “netflow divide”

– The toolset requires network data (currently: netflow)

– Not all teams get access to netflow data

Page 13: Overcoming the “netflow divide”

Message to outsiders: try to get on board!

It’s a synergy opportunity of hosting a security team and operating a network within the same NREN!

The “toolset” helps to extract highly relevant data from the network

– Hacked customer systems, anomalies, (unnoticed) attacks

– ... Often before creating operational problems

Security teams become more proactive

– “the toolset” provides stuff to share

– It fosters trust within your constituency

In short: It adds value to NRENs, their customers and the rest of the world
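The slides describe the “toolset” only by what it yields from netflow data: hacked customer systems, anomalies, attacks nobody noticed yet. As an added example, not SWITCH’s or GÉANT2’s own code, the Python below shows the kind of flow-level checks such a toolset runs. It parses a constructed, nfdump-style CSV export (a simplification, not the NetFlow v5 binary format) and flags two bot indicators per customer host: fan-out scanning (many one-packet probes to distinct external hosts on one port) and beaconing (repeated small flows to one external host:port spread over a long window). The second check is deliberately based on the time span rather than a fixed period, so an intermittently connected host, like the oscilloscope bot on page 19, is still caught. The 10.20.0.0/16 customer prefix, all thresholds, addresses and the record layout are assumptions made for the example.

```python
"""Added example, not SWITCH's or GEANT2's toolset: two flow-level checks of
the kind an NREN CSIRT runs over netflow exports.
Record layout (constructed, nfdump-like CSV, not NetFlow v5 binary):
    start,src,sport,dst,dport,proto,packets,bytes
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Assumed customer address space (constructed for this example).
INTERNAL = ipaddress.ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Flow:
    start: datetime
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int
    bytes: int


def parse_flows(text):
    """Parse CSV flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, sport, dst, dport, proto, pk, by = (f.strip() for f in line.split(","))
        flows.append(Flow(datetime.fromisoformat(ts), src, int(sport), dst,
                          int(dport), proto, int(pk), int(by)))
    return flows


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def find_scanners(flows, min_targets=20, max_packets=3):
    """Fan-out check: an internal host touching >= min_targets distinct external
    hosts on one port with flows of <= max_packets packets (SYN-only probes)
    is scanning, typically a worm or bot trying to spread."""
    targets = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.packets <= max_packets:
            targets[(f.src, f.dport)].add(f.dst)
    hits = {}  # src -> (dport, distinct targets) for the worst port per host
    for (src, dport), dsts in targets.items():
        if len(dsts) >= min_targets and len(dsts) > hits.get(src, (0, 0))[1]:
            hits[src] = (dport, len(dsts))
    return hits


def find_beacons(flows, min_flows=6, min_span=timedelta(hours=3), max_bytes=2000):
    """Beacon check: >= min_flows small flows from one internal host to one
    external host:port whose first and last flow are >= min_span apart.
    Testing the span instead of a fixed interval still catches a host that is
    only online part of the day (the page 19 oscilloscope)."""
    series = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst) and f.bytes <= max_bytes:
            series[(f.src, f.dst, f.dport)].append(f.start)
    hits = {}  # src -> (dst, dport, flow count)
    for (src, dst, dport), times in series.items():
        times.sort()
        if len(times) >= min_flows and times[-1] - times[0] >= min_span:
            hits[src] = (dst, dport, len(times))
    return hits


def report(text):
    """Run both checks over a flow export and return the flagged hosts."""
    flows = parse_flows(text)
    return {"scanners": find_scanners(flows), "beacons": find_beacons(flows)}


def constructed_sample():
    """Constructed export: one ordinary web client, one host probing TCP/445
    on 25 external addresses, one host online only some hours beaconing to an
    IRC port (6667). All addresses are documentation/private ranges."""
    base = datetime(2005, 6, 1, 8, 0)
    lines = ["# start,src,sport,dst,dport,proto,packets,bytes"]
    for i in range(3):  # web browsing: few flows, many packets each
        lines.append(f"{(base + timedelta(minutes=i)).isoformat()},"
                     f"10.20.1.1,{40000 + i},192.0.2.10,80,tcp,120,98000")
    for i in range(25):  # scanner: 1-packet probes, 25 targets in one minute
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()},"
                     f"10.20.5.7,{33000 + i},203.0.113.{i + 1},445,tcp,1,48")
    for h in (0, 1, 2, 9, 10, 11, 20, 22):  # bot: gaps while the host is off
        lines.append(f"{(base + timedelta(hours=h)).isoformat()},"
                     f"10.20.9.42,1045,198.51.100.23,6667,tcp,4,312")
    return "\n".join(lines)


SAMPLE = constructed_sample()

if __name__ == "__main__":
    for kind, hosts in report(SAMPLE).items():
        for host, detail in hosts.items():
            print(f"{kind}: {host} {detail}")
```

Run against the constructed export, the scanner check reports only 10.20.5.7 (25 targets on port 445) and the beacon check only 10.20.9.42 (8 flows to 198.51.100.23:6667 over 22 hours); the web client trips neither. In practice the thresholds are the tuning knobs: the scan threshold decides how much of a customer’s legitimate fan-out (mail relays, monitoring hosts) gets whitelisted, and the beacon span decides how long an intermittently connected machine must be observed before a warning goes out.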

Page 14: Business Unit Security @SWITCH

• CSIRT

– Proactive CSIRT tasks (information services, community building)

– Reactive CSIRT tasks (security helpdesk, incident handling and co-ordination)

• Critical Information Infrastructure Protection (CIIP)

– Threat/risk analysis

– Crisis management support

• Security Services

– Anomaly detection, malware signature sensing

– Internet threat related consulting

• Laboratory

– Malware analysis lab

– Network sensor development

– Security research collaboration

[Organisation chart, labels partly in German: Security business unit with CSIRT (incident handling), Security Services (consulting), Laboratory (lab) and CIIP; internal services (Interne DL): HW/OS, consulting, e-mail]

Page 15: Trends to Consider in Future Phases

CIIP (Critical Information Infrastructure Protection)

– The criticality of the “network” is increasing

– New expectations, potentially new service needs (7x24)

Law enforcement, legal issues

– Laws increasingly enforced in the “virtual” world

– New regulatory requirements looming? Mandating the “toolset”???

– Education needs, new vocabulary, new service needs

Convergence voice/data/gadgets

– Old and new threats hitting an unaware community (DoS, SPIT = spam over Internet telephony)

– Protecting new services: education, new tools

“Grid Impact”

– Lightpath/BoD (bandwidth on demand): NREN/GN2 overlay networks without “toolset” protection

– High-risk parallel world, with high-bandwidth interconnects on the IP layer

Page 16: Security Activities of GÉANT2: Outlook

Still driven by operational needs of GÉANT partner security teams

– ... the needs of network-minded GÉANT partner security teams

Not focused on “pure” research

– we are too eager for operationally relevant results

– but nevertheless moving in uncharted territory

Pushing to reach full GÉANT-coverage for some issues (BCP)

– Hosting of a security team

– Equipped with a minimum set of capabilities

– Embedded in a co-ordination infrastructure

– Following agreed operational standards

Focused on the description of work

– Other interesting things popping up? TF-CSIRT takes care of that

Page 17: Mobility and Roaming

The Present Times, Part two

[Diagram: Organisation A, Organisation B, Organisation C, each behind a guardian/firewall; “good” user, “bad” user]

Page 18: Guess, What’s This?

Page 19: It’s a Bot!

“(...) not only is it an oscilloscope, but in the background it also runs Windows 2000 (without updates of course and naturally with bots as extra add-ins!). No updates, no antivirus, no firewall.

“It was difficult to find because it wasn't always on the net and even when we blocked the port, the user therefore didn't really notice. On top of that we were not looking for an oscilloscope!”

SWITCH-CERT customer feedback, after receiving our bot warning
