Security Services @SURFnet: Towards a coherent portfolio Walter van Dijk TF-MSP - 27 November 2014


  • Slide 1
  • Security Services @SURFnet: Towards a coherent portfolio Walter van Dijk TF-MSP - 27 November 2014
  • Slide 2
  • Our playing field
    - HE&R institutions are more and more connected. ICT facilitates this and plays an instrumental role.
    - The ICT infrastructure becomes ever more critical for both education and research.
    - This connectedness and indispensability increase the impact of security incidents.
    - Attacks get more complex, and so do the associated security measures: should we expect institutions to have all the required knowledge and manpower available in-house?
    - Hence: how can institutions offer an open and safe campus environment?
  • Slide 3
  • Security Privacy & Trust: role of SURFnet
  • Slide 4
  • Existing security services (1)
    - SURFcert
      - Operational security for the SURFnet constituency
      - 24x7 service in close cooperation with local security teams
      - Members from connected institutions and SURFnet
      - Oldest emergency response team in the Netherlands
    - SCIRT
      - Community of practice for incident response teams
      - Share operational experience within a trusted community
      - Discussions on security issues
      - Facilitated by SURFnet
  • Slide 5
  • Existing security services (2)
    - Cybersave Yourself
      - Awareness campaign around security issues
      - Joint programme with connected institutions
    - SURFibo
      - Community of practice for information security
      - Collaboration on policy in the fields of security and privacy
    - SURFaudit
      - Compliance with information security (ISO 27001)
      - Standards framework and software tooling
      - Self-auditing, peer auditing and 3rd-party auditing
  • Slide 6
  • New since 2014: Security, Privacy & Trust
    - Further development of existing security services and scouting of new services
    - Applied research in the field of Security, Privacy and Trust
    - Enlarge visibility of services, sharing of best practices and knowledge dissemination
  • Slide 7
  • Service development
    - SURFnet currently explores different options for new services:
    - Security Diagnosis toolset
      - Vulnerability scanning (Outpost24 has been contracted)
      - Penetration testing (first experience gathered with tooling)
    - Protection-as-a-Service
      - Facilitate institutions to set filters in the SURFnet network as a protection against DDoS attacks
    - Firewall-as-a-Service
  • Slide 8
  • Security Diagnosis toolset
    - Starting point: lots of tools (vulnerability scanning, penetration testing etc.) are available on the market. How can an NREN add value to all that?
    - Differentiating factor: working closely with the community
    - Support the selection process of institutes by:
      - Creating checklists for tools
      - SCIRT certified: recommended products per type
      - Products should be easy to acquire via SURFmarket
    - Facilitate sharing of information:
      - Reporting templates: SURFaudit, external auditors etc.
      - Common vulnerabilities including solutions for HE&R systems
      - Develop workflows for scans/pentests
    - Currently considering a specialised penetration testing team for:
      - Deep testing of ICT systems on campus
      - Tests on cloud services contracted by customers
  • Slide 9
  • Protection-as-a-Service
    - Why?
      - The number and intensity of denial-of-service attacks in general (and in our constituency) grow significantly
      - 2014: heaviest denial-of-service attack ever noticed (400 Gbit/s)
    - Goal: control the vulnerability of our constituency
    - What?
      - Exploration of protection-as-a-service
      - Investigate denial-of-service detection with academia (applied research)
      - Close collaboration with THTC/National Police
  • Slide 10
  • Current solution: Incident Response as a Service
    - SURFcert: helping hand in the line of fire
  • Slide 11
  • DDoS: two types
    - Flooding of an application or a server (or firewall!)
      - E.g. TCP SYN flood
      - Typically: lots of requests
    - Flooding of the connection (or firewall!): reflection/amplification attacks
      - DNS, SNMP, NTP amplification (UDP)
      - Typically: lots of volume
  • Slide 12
  • Finding the best place to mitigate
    - Firewall (institutions)
      - Not always the right solution
      - Not a remedy for flooded connections
      - Can help in case of SYN flooding and attacks on applications and servers (rate limiting)
    - Upstream (us)
      - Standard security measures on the customer connection
      - The washing-machine for first aid
      - Filters (rate limiters) on the core routers
      - Protection-as-a-Service
      - Firewall-as-a-Service
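The distinction on slides 11 and 12 (request floods vs volume floods, and which of the two mitigation points fits each) can be made mechanically from flow records. The following added example is not part of the deck or of any SURFnet tooling: it aggregates a window of constructed flow records per destination, derives packet rate, bit rate, average packet size, the share of SYN-only TCP packets and the share of UDP bytes arriving from amplification source ports, and maps each destination to a DDoS type and the slide-12 mitigation point. The thresholds (`min_pps`, `min_mbps`, the 0.5 ratios, the packet-size bounds) are illustrative assumptions, not values from the deck.

```python
"""Classify a window of flow records into the two DDoS types of slide 11 and map
each to the mitigation point of slide 12.  Added example: thresholds are
illustrative assumptions and the flow records are constructed, not real traffic."""
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of services commonly abused for reflection/amplification (slide 11).
AMPLIFICATION_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}
WINDOW_SECONDS = 10   # constructed: all sample flows fall in one 10 s window


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str           # "TCP" or "UDP"
    src_port: int
    dst_port: int
    packets: int
    octets: int
    tcp_flags: str = ""  # "S" = SYN only, "SA" = SYN and ACK seen, etc.


def sample_flows():
    """Constructed flow records (not real traffic) for one window."""
    flows = []
    # 200 SYN-only flows of one tiny packet each: a TCP SYN flood on a web server
    flows += [Flow(f"198.51.100.{i}", "203.0.113.10", "TCP", 40000 + i, 80, 1, 60, "S")
              for i in range(1, 201)]
    # five NTP reflectors sending large UDP packets: amplification on a campus link
    flows += [Flow(f"192.0.2.{i}", "203.0.113.20", "UDP", 123, 33000 + i, 2000, 2_000_000)
              for i in range(1, 6)]
    # one ordinary HTTPS session
    flows.append(Flow("192.0.2.200", "203.0.113.30", "TCP", 51000, 443, 120, 150_000, "SA"))
    return flows


def summarise(flows, window_seconds=WINDOW_SECONDS):
    """Aggregate flows per destination IP into the features the classifier uses."""
    agg = defaultdict(lambda: {"packets": 0, "octets": 0, "syn_only": 0,
                               "amp_octets": 0, "sources": set()})
    for f in flows:
        a = agg[f.dst_ip]
        a["packets"] += f.packets
        a["octets"] += f.octets
        a["sources"].add(f.src_ip)
        if f.proto == "TCP" and f.tcp_flags == "S":
            a["syn_only"] += f.packets
        if f.proto == "UDP" and f.src_port in AMPLIFICATION_PORTS:
            a["amp_octets"] += f.octets
    return {
        dst: {
            "pps": a["packets"] / window_seconds,
            "mbps": a["octets"] * 8 / window_seconds / 1e6,
            "avg_pkt": a["octets"] / a["packets"],
            "syn_ratio": a["syn_only"] / a["packets"],
            "amp_ratio": a["amp_octets"] / a["octets"],
            "sources": len(a["sources"]),
        }
        for dst, a in agg.items()
    }


def classify(flows, window_seconds=WINDOW_SECONDS, min_pps=10, min_mbps=1):
    """Return {dst_ip: (ddos_type, mitigation_point)} following slides 11 and 12."""
    result = {}
    for dst, s in summarise(flows, window_seconds).items():
        # Volume flood: big UDP packets from reflector ports saturate the link, so
        # the institution's firewall cannot help; filter upstream on the core.
        if s["amp_ratio"] > 0.5 and s["avg_pkt"] > 500 and s["mbps"] >= min_mbps:
            result[dst] = ("amplification",
                           "upstream: rate limiter on core routers / Protection-as-a-Service")
        # Request flood: many tiny SYN-only packets; SYN rate limiting on the
        # institution's firewall is an option as long as the link is not saturated.
        elif s["syn_ratio"] > 0.5 and s["avg_pkt"] < 100 and s["pps"] >= min_pps:
            result[dst] = ("syn_flood",
                           "institution firewall (SYN rate limiting); upstream if the link saturates")
        else:
            result[dst] = ("normal", "none")
    return result


if __name__ == "__main__":
    for dst, (kind, where) in classify(sample_flows()).items():
        print(f"{dst:<14} {kind:<14} -> {where}")
```

In production the same features would come from NetFlow/IPFIX exports on the core routers; the point of the split is that the amplification case is identified from bytes and packet size (a connection problem, slide 12's "not a remedy for flooded connections"), while the SYN flood is identified from packet counts and flag patterns (a server problem a firewall can rate-limit).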
  • Slide 13
  • Security on customer connection (diagram: customer network <-> SURFnet)
    - Security base
      - Input packet filter
      - BGP prefix filter
      - Output policer (contracted bandwidth)
    - Incident ACL (inbound/outbound) on request
  • Slide 14
  • Sidestep: it's not always technology
    - The (D)DoS source is often an internal factor (a person)
    - Match timestamps of attacks with exam schedules
    - Collaborate with the education people
    - Report findings to the police
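The "match timestamps of attacks with exam schedules" step is an interval-overlap check. The following added example (not part of the deck or of SURFcert's tooling) parses constructed alarm lines of the form `<start> <end> <target> <peak Gbit/s>`, compares each attack window against a constructed exam timetable with a configurable slack (an attack that starts a few minutes before an exam is the interesting case), and reports the share of attacks that coincide with an exam. The line format, the 15-minute slack and all timestamps are assumptions.

```python
"""Correlate DDoS alarm timestamps with an exam schedule (slide 14).  Added
example; the alarm lines, the line format and the timetable are constructed."""
from datetime import datetime, timedelta

# Constructed alarm lines: "<ISO start> <ISO end> <target IP> <peak Gbit/s>"
ATTACK_LOG = """\
2014-10-27T08:55:00 2014-10-27T09:40:00 203.0.113.10 12.5
2014-10-29T13:58:00 2014-10-29T14:20:00 203.0.113.10 9.0
2014-11-02T03:10:00 2014-11-02T03:25:00 203.0.113.40 2.1
2014-11-05T09:02:00 2014-11-05T10:15:00 203.0.113.10 15.0
"""

# Constructed exam timetable of the institution behind 203.0.113.10.
EXAM_SCHEDULE = [
    ("Calculus I", "2014-10-27T09:00:00", "2014-10-27T11:00:00"),
    ("Statistics", "2014-10-29T14:00:00", "2014-10-29T16:00:00"),
    ("Databases",  "2014-11-05T09:00:00", "2014-11-05T11:00:00"),
]


def parse_attacks(text):
    """Turn alarm lines into dicts with datetime start/end, target and peak rate."""
    attacks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, target, gbps = line.split()
        attacks.append({"start": datetime.fromisoformat(start),
                        "end": datetime.fromisoformat(end),
                        "target": target, "gbps": float(gbps)})
    return attacks


def overlaps(a_start, a_end, b_start, b_end, slack=timedelta(minutes=15)):
    """True when interval A touches interval B widened by `slack` on both sides."""
    return a_start <= b_end + slack and a_end >= b_start - slack


def correlate(attacks, schedule, slack=timedelta(minutes=15)):
    """Return [(attack, [matching exam names])] and the fraction of attacks
    that coincide with at least one exam."""
    exams = [(name, datetime.fromisoformat(s), datetime.fromisoformat(e))
             for name, s, e in schedule]
    matches = []
    for atk in attacks:
        hits = [name for name, s, e in exams
                if overlaps(atk["start"], atk["end"], s, e, slack)]
        matches.append((atk, hits))
    coincident = sum(1 for _, hits in matches if hits)
    ratio = coincident / len(attacks) if attacks else 0.0
    return matches, ratio


def report(text=ATTACK_LOG, schedule=EXAM_SCHEDULE):
    """Human-readable table of attacks and the exams they coincide with."""
    matches, ratio = correlate(parse_attacks(text), schedule)
    lines = []
    for atk, hits in matches:
        lines.append(f"{atk['start']:%Y-%m-%d %H:%M} {atk['target']:<14} "
                     f"{atk['gbps']:>5} Gbit/s  {', '.join(hits) if hits else '-'}")
    lines.append(f"{ratio:.0%} of attacks coincide with an exam (+/- 15 min)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

A high coincidence ratio for one target is not proof, but it is exactly the kind of finding the slide suggests taking to the education staff and, where warranted, to the police; the same code can be fed timetables from several faculties to see which one the pattern follows.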
  • Slide 15
  • SURFnet washing-machine (diagram: SURFnet AS1103 with connected institutes, research networks & Internet, SURFcert)
  • Slide 16
  • SURFnet washing-machine: Denial-of-Service (diagram)
  • Slide 17
  • SURFnet washing-machine: Detection (diagram; alarm reaches SURFcert by telephone or e-mail)
  • Slide 18
  • SURFnet washing-machine: Activate wash program (diagram)
  • Slide 19
  • SURFnet washing-machine: DDoS in the washing-machine (diagram)
  • Slide 20
  • Pre-wash & main wash
  • Slide 21
  • Currently considering: Protection-as-a-Service
    - Idea: develop a service to serve institutions in a less ad-hoc way
    - Self-service interface for DIY network configurations
    - Currently testing GRNET's Firewall on Demand
    - No replacement of the corporate firewall
  • Slide 22
  • Protection-as-a-Service versus Firewall-as-a-Service
    - Protection-as-a-Service: a service which offers network protection based on rule-based filters, rate limiting, and IP address range, protocol and port blocking. Protection filters are set on the SURFnet core side and are typically used to prevent saturated links to the customer (i.e. DDoS protection). Does not replace the firewall of institutions but offers additional protection.
    - FaaS: centralised offering of a fully intelligent, deep packet inspection, intrusion detection and prevention service, which is state/session based and application aware. Could replace a firewall, which is typically on the institutional side of the network.
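What slide 22 calls Protection-as-a-Service is a stateless filter stage in front of the customer link, combining slide 13's security base (input packet filter, output policer on the contracted bandwidth, incident ACL on request) with rule-based blocking and rate limiting. The following added example is not SURFnet code and not GRNET's Firewall on Demand: it models that stage as an ordered list of match rules (source prefix, protocol, ports; first match wins) whose action is either `drop` or `limit` through a token bucket, followed by a token-bucket policer standing in for the contracted-bandwidth output policer. Packets, prefixes, rates and burst sizes are constructed; timestamps are integer milliseconds so the bucket arithmetic is exact.

```python
"""Stateless core-side protection filter (slides 13 and 22): prefix/protocol/port
blocking, per-rule rate limiting and a policer on the contracted bandwidth.
Added example; rules, packets, bandwidths and burst sizes are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str        # "TCP", "UDP", "ICMP"
    src_port: int
    dst_port: int
    size: int         # bytes
    t_ms: int         # arrival time in whole milliseconds


class TokenBucket:
    """Policer/limiter: `rate_bps` bits per second with a burst of `burst_bits`."""

    def __init__(self, rate_bps, burst_bits):
        self.rate_bps, self.burst, self.tokens, self.last_ms = rate_bps, burst_bits, burst_bits, None

    def allow(self, bits, now_ms):
        if self.last_ms is None:
            self.last_ms = now_ms
        # integer refill keeps the arithmetic exact for the demo
        self.tokens = min(self.burst, self.tokens + (now_ms - self.last_ms) * self.rate_bps // 1000)
        self.last_ms = now_ms
        if bits <= self.tokens:
            self.tokens -= bits
            return True
        return False


@dataclass
class Rule:
    """One stateless match; any None field is a wildcard."""
    action: str                                   # "drop" or "limit"
    src_net: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    limiter: Optional[TokenBucket] = None         # required for action == "limit"

    def matches(self, p):
        if self.src_net is not None and ipaddress.ip_address(p.src) not in self.src_net:
            return False
        return all(want is None or want == have for want, have in
                   ((self.proto, p.proto), (self.src_port, p.src_port), (self.dst_port, p.dst_port)))


class CoreFilter:
    """Rules first (first match wins), then the contracted-bandwidth policer."""

    def __init__(self, rules, contracted_bps, burst_bits):
        self.rules = rules
        self.policer = TokenBucket(contracted_bps, burst_bits)
        self.counters = {"forwarded": 0, "dropped_rule": 0, "dropped_limit": 0, "dropped_policer": 0}

    def process(self, packets):
        for p in packets:
            bits, verdict = p.size * 8, "forwarded"
            for r in self.rules:
                if r.matches(p):
                    if r.action == "drop":
                        verdict = "dropped_rule"
                    elif not r.limiter.allow(bits, p.t_ms):
                        verdict = "dropped_limit"
                    break
            if verdict == "forwarded" and not self.policer.allow(bits, p.t_ms):
                verdict = "dropped_policer"
            self.counters[verdict] += 1
        return dict(self.counters)


def build_filter():
    """Constructed rule set: one incident ACL prefix block, one NTP-reflection limiter."""
    rules = [
        Rule("drop", src_net=ipaddress.ip_network("198.51.100.0/24")),
        Rule("limit", proto="UDP", src_port=123, limiter=TokenBucket(1_000_000, 16_000)),
    ]
    return CoreFilter(rules, contracted_bps=100_000_000, burst_bits=200_000)


def sample_packets():
    """Constructed traffic mix, sorted by arrival time."""
    pkts = [Packet(f"192.0.2.{i % 5 + 1}", "203.0.113.20", "UDP", 123, 40000 + i, 1000, i)
            for i in range(50)]                                              # NTP reflections, 1/ms
    pkts += [Packet(f"198.51.100.{i + 1}", "203.0.113.10", "TCP", 50000, 22, 100, 50 + i)
             for i in range(10)]                                             # blocked prefix
    pkts += [Packet("192.0.2.100", "203.0.113.10", "TCP", 51000, 443, 1500, 100 + i)
             for i in range(10)]                                             # legitimate HTTPS
    pkts += [Packet(f"198.18.{i % 250}.{i % 200 + 1}", "203.0.113.10", "UDP", 30000 + i, 80,
                    1500, 200 + i // 20) for i in range(200)]                # 240 Mbit/s UDP flood
    return pkts


def run_demo():
    return build_filter().process(sample_packets())


if __name__ == "__main__":
    print(run_demo())
```

Two properties of the slide's definition show up in the counters: the limiter and the policer protect the link by shedding volume without any per-session state, and the policer drops flood packets indiscriminately once the contracted rate is exceeded, which is why the deck stresses that this stage complements rather than replaces the stateful, application-aware firewall on the institution's side.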
  • Slide 23
  • Main questions
    - Where do we as NRENs see the most potential for collaboration?
    - Are NRENs looking at application-based firewalling (e.g. Cloudflare, Fortinet etc.) and would demand bundling be useful?
    - Should we collaborate by means of organising joint (TRANSITS) trainings on vulnerability testing, pentesting etc.?
    - Is cooperation on service development sufficiently facilitated by GN3+/GN4 or do we need more?