Transcript 20070424-security-misra-poepping

Security Topics Update
Christopher Misra
Mark Poepping
April 2007
Session outline
• Salsa
• Internet2/EDUCAUSE Security Task Force
• Current Salsa activities
• CSI2 working group
• FWNA working group
• Salsa-DR
• Other topics
• DNS/DNSSec
• REN-ISAC
Salsa
• Salsa is an oversight group consisting of
technical representatives from the higher
education community
• who will advise on leading edge technology
issues, provide prioritization, and set
directions in the security space.
• Salsa works in collaboration with the
EDUCAUSE/Internet2 Security Task
Force
Security Task Force
• Internet2 and EDUCAUSE established the
Computer and Network Security Task Force
in July 2000. The task force works to improve
cybersecurity across the higher education
sector and actively promotes effective
practices and solutions for the protection of
information assets and critical infrastructures.
Security Task Force
• STF Resources
• http://www.educause.edu/security
• Security Professionals Conference
• http://www.educause.edu/sec07
• Held April 10-12 2007
• May 4-6 2008 in Arlington, VA
• Effective Practices Guide
https://wiki.internet2.edu/confluence/display/secguide/
Salsa-CSI2 working group
• Chartered to organize activities/create
tools to identify security incidents
• How they can be better identified
• How information about the incidents can be
shared
• To improve the overall security of the
network and the parties connected to the
network.
• Focusing on the shifting landscape problem
Salsa-CSI2: RENOIR
• Research and Education Networking Operational
Information Repository
• Design around the concept of ticket system handling
security data
• vast array of sources
• Organizing the data into high-level cases
• use for reporting on daily operational incidents.
• Rely on a trusted third-party to facilitate
communication
RENOIR Design
• Accept human input and structured data
to form tickets
• using IODEF in an appropriate format.
• Allow input from users from a variety of
roles
• Reporting party, affected site,
administrators
• Researchers?
RENOIR Design
• Use widely-accepted, encrypted
transport mechanisms
• In the transport layer
• Encrypting message content.
• Use a registry of contact information
• Facilitate automated notifications of
affected sites
• REN-ISAC contacts?
RENOIR Design
• Extendable to include new security
problems and reported incident types as
they occur.
• Accommodate dynamic threat environment
• Interaction with campus-scoped
ticketing
• Incremental development of capabilities
• Due to system and transaction complexity
RENOIR
Reporting Requirements
• Flexibility in reporting/handling
• We don’t want to replace local workflows!
• Programming API (SOAP)
• Facilitate easy communication and
reporting
• “Ok, but how do we do it well?”
RENOIR
Reporting Well
• Reporting detailed information that others can use
without asking for more information
• Reporting in a timely manner
• See above bullet
• Streamlining report creation and handling process
• Getting useful data from reports in aggregate
• Responding to reports
RENOIR Status
• Functional code segments have been
created by the working group
• Still early in development cycle
• Primarily by Phil Deneault from WPI
• Activities coordinated with REN-ISAC
• As eventual trusted third-party
• Work continues
• Please let us know if you are interested
Salsa-CSI2: Darknets
• A darknet collector listens to one or more blocks of
routed, allocated, but unused IP address space.
• Because the IP space is unused (hence "dark") there
should be very little if any legitimate traffic entering the
darknet
• Team Cymru Darknet Project
• http://www.cymru.com/Darknet/index.html
Shared Darknet
• Develop a wide-aperture, powerful
network security sensor
• directly serve higher-education and
research institutions
• indirectly serve Internet users at large.
• Institutions who run local darknets send
their collector data to REN-ISAC
• Only hits from remote sources
Shared Darknet
• The data is analyzed to identify
compromised machines by IP address,
destination ports
• The REN-ISAC compiles the darknet
data contributions
• Distributes notifications and reports.
• Limited policy overhead
• Low privacy requirements for this data
Shared Darknet
• REN-ISAC project with tools
coordination provided by Salsa-CSI2
• Tools development done extensively by
David Ripley from Indiana University
Advanced Network Management Lab
(ANML)
• First participants (beyond IU) submitting
data for analysis
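As an added illustration of the Shared Darknet analysis described above (example code, not the CSI2/REN-ISAC tooling and not from the presenters): it takes constructed collector records for a dark range, drops hits whose source lies inside the institution's own address space so that only remote sources are reported, summarizes each remote source by the dark addresses and ports it touched, and produces the aggregate per-port counts. The local prefix, the dark range and the collector line format are assumptions.

```python
import ipaddress
from collections import Counter
# Constructed sample (not real data): the campus routes 198.51.100.0/24 and points the
# collector at the unused 198.51.100.128/25. Assumed line format: "<epoch> <src> <dst> <proto> <dport>".
LOCAL_SPACE = [ipaddress.ip_network("198.51.100.0/24")]
DARKNET = [ipaddress.ip_network("198.51.100.128/25")]
SAMPLE_HITS = """\
1177400000 203.0.113.7 198.51.100.130 tcp 445
1177400001 203.0.113.7 198.51.100.131 tcp 445
1177400002 203.0.113.7 198.51.100.132 tcp 445
1177400003 203.0.113.7 198.51.100.133 tcp 139
1177400004 198.51.100.20 198.51.100.200 udp 137
1177400005 192.0.2.55 198.51.100.140 tcp 22
1177400007 192.0.2.55 198.51.100.141 tcp 22
1177400009 203.0.113.7 198.51.100.134 tcp 445
"""

def parse_hits(text):
    """Collector lines -> (ts, src, dst, proto, port) tuples."""
    rows = [line.split() for line in text.splitlines()]
    return [(int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), proto, int(port))
            for ts, src, dst, proto, port in rows]

def remote_hits(hits, local_space=LOCAL_SPACE, darknet=DARKNET):
    """Keep packets that landed in the dark range and did not originate on campus:
    contributors send REN-ISAC hits from remote sources only."""
    return [h for h in hits
            if any(h[2] in n for n in darknet) and not any(h[1] in n for n in local_space)]

def summarize_sources(hits):
    """Per remote source: distinct dark targets, proto/ports probed, hit count, time span."""
    out = {}
    for ts, src, dst, proto, port in hits:
        s = out.setdefault(str(src), {"targets": set(), "ports": set(), "hits": 0,
                                      "first": ts, "last": ts})
        s["targets"].add(str(dst))
        s["ports"].add(f"{proto}/{port}")
        s["hits"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    return out

def port_statistics(hits):
    """Aggregate hits per proto/port: the community-wide port scanning statistics."""
    return dict(Counter(f"{proto}/{port}" for _, _, _, proto, port in hits))

def notifications(summary, min_targets=2):
    """One line per source that probed at least min_targets dark addresses; a single
    stray packet is background noise, not a compromised-host report."""
    return [f"{src}: {s['hits']} hits on {len(s['targets'])} dark addresses, "
            f"{' '.join(sorted(s['ports']))}, {s['first']}-{s['last']}"
            for src, s in sorted(summary.items(), key=lambda kv: -kv[1]["hits"])
            if len(s["targets"]) >= min_targets]

if __name__ == "__main__":
    rh = remote_hits(parse_hits(SAMPLE_HITS))
    print("\n".join(notifications(summarize_sources(rh))), port_statistics(rh))
```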
Salsa-CSI2 Workshop
• Held in Cambridge, MA 5-6 March 2007
• First face to face meeting of working
group
• Made possible by DoJ grant funding CSI2
activities.
• Refined use cases for RENOIR
• Built consensus around tangible problems
• Defined a series of outcomes
Salsa-FWNA working group
• Analysis and proposal toward a pilot
and eventual implementation to support
network access to visiting scholars
among federated institutions
• Engaged with the eduroam community
• Operational server has tested
interoperability
• http://www.eduroam.org/
Salsa-FWNA: Current work
• RADIUS and SAML
• Integrating Network Authentication and Attribute
Exchange
• Work on a specification that defines a profile that
includes messages and flows from both RADIUS
[RFC2865] and SAML specifications (both v1.1
and 2.0).
• Still in draft form
• Continuing topic of discussion...
Salsa-FWNA: RADIUS and SAML
• In traditional RADIUS usage:
• User's Home Site RADIUS server makes the
access control decision,
• tells the RADIUS server at the Network Provider
site whether to grant the user access to its
network.
• When the two RADIUS servers are in different
organizations
• Additional SAML flows allow the RADIUS server at
the Network Provider site to obtain trusted
information describing the requesting user;
• It can then make its own access control decision.
Salsa-FWNA: RADIUS and SAML
• The specification is taking advantage of
SAML services
• That are already defined and deployed for exactly
this purpose.
• Availability of these SAML attributes provides:
• Network Provider RADIUS server with the option
of implementing a more flexible access control
policy than possible with standard RADIUS.
• This specification describes a server
communicating with SAML entities
• No web browsers are involved.
Salsa-FWNA: Visitor Access
• WLAN technologies are an expected
technology for campus visitors
• There are various solutions that campus
network administrators use to try to reconcile
visitor networks
• Within a policy framework
• Survey conducted
• See 4:30 Visitor Access session today
• Philippe Hanset (UTK) and Mark Linton (PSU)
Salsa-FWNA: Visitor Access
• Working group meeting held this morning
reflected a need for consensus across the
community
• We are all facing this problem
• Many of us have solved this in similar ways
• Do we need a document to help capture
these thoughts?
• And cast the context of visitor access against the
visiting scholar problem
• Guest access complementing federated network
access deployments
Disaster Recovery
• Salsa-DR has been formed this spring
• to explore and document recommended
practices for disaster planning and
recovery,
• especially for Higher Ed if and as those
needs are distinct from those of other large
enterprises
• liaising with other groups or organizations
as appropriate
Salsa-DR: Charter
• contingency planning;
• developing and testing recovery plans, policies,
and procedures;
• warm and hot site strengths, weaknesses,
and potential pitfalls;
• contractual and SLA models and guidance
• reciprocal agreements with other organizations or
campuses;
• Mass notifications
Salsa-DR
• Already have over 80 people on the
discussion list.
• Interested parties can sign up to participate
by going to the web site:
• http://security.internet2.edu/dr/
• We are particularly interested in institutions
that would like to collaborate in the
investigation and implementation of possible
DR solutions.
Salsa-DR: Mailing list
• Working Group Chair
• Don MacLeod, Cornell University
• To subscribe to the Salsa-DR list, send email
to sympa at internet2 dot edu, with the
subject line:
subscribe <list name> FirstName LastName
• For example:
• subscribe salsa-dr Jane Doe
EDUCAUSE Business Continuity
Management Constituent Group
• Forum for strategic and tactical discussions
• To maintain or restore business and academic
services when some circumstance disrupts normal
operations.
• Discussion topics may include:
• risk and impact assessment
• prioritization of business processes
• restoring operations to a "new normal" after an
event.
http://www.educause.edu/groups/bc
Other Topics: What we all think about
• Protecting sensitive data
• Not just the enterprise data, but the researcher data
• Identity management
• In higher-ed, there's a lot of business process and policy
issues as well as technology
• Malware (viruses, worms, spyware, etc.)
• Distributed denial of service attacks
Other Topics: What we may not all be
thinking about
• The strategic importance of DNS
• The value of sector-based security operations and the
REN-ISAC
• {Spam, DDoS, etc.} and their impact on the
infrastructure
• Evolving firewall management strategies to
accommodate advanced applications
• Firewall discussion Wednesday afternoon
• Federated identity and leveraging it for access control
Evolving Firewall Management
• Wednesday 1:15 session
• Firewalls: Can't live with or without them
• What are firewalls protecting us against?
• Are they still effective?
• What firewall architectures are people using
these days?
• Firewalls very close to the end host?
• How does this relate to campus network
architectures?
Domain Name System (DNS)
• DNS is the foundational service of the network; no
service works without it.
• DNS itself needs better security
• Vulnerable to several attacks and can be exploited
for other attacks
• Remedial steps (e.g. DNSSec) face a critical
bootstrap problem: their value depends on mass adoption
• DNS as the basis for many security enhancements
• Spam control mechanisms will leverage it
• Federated security services depend on it
• EDUCAUSE oversees .edu; chance for higher-ed
to lead
Homework: DNS
• Make sure the campus DNS operations are
adequately supported; check out
www.dnsreport.com
• Campus DNS operations should plan to work
with applications
• LDAP/Kerberos RRs
• SPF/DK/DKIM
• Make sure that you’re not part of the problem
– filter outgoing spoofed traffic, don't operate
open recursive servers, etc...
DNS: More to think about
• Consider DNS monitoring
• Using query logs to analyze malicious activity
• How much priority is DNS given locally
• Recent software, proper, secure configuration, change
management
• Name servers aren't just a *tool* for conducting
distributed denial of service attacks, they're also a
*target* for distributed denial of service attacks
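An added example for the DNS monitoring point above (not from the presentation): it parses constructed BIND-style query log lines and derives three defender-side views: recursion-desired queries arriving from off campus (evidence to check against the "don't operate open recursive servers" homework), clients whose query volume stands out (the name server as a denial of service target), and the number of distinct names each client resolves. The campus prefix, the log format and the sample lines are assumptions.

```python
import re
import ipaddress
from collections import Counter
# Assumed BIND-style querylog line (constructed sample, not a real campus log):
# "<date> <time> client <ip>#<port>: query: <name> <class> <type> <+|->"
# where '+' means the client set the recursion-desired bit and '-' means it did not.
CAMPUS = [ipaddress.ip_network("198.51.100.0/24")]
SAMPLE_LOG = """\
24-Apr-2007 10:00:01.001 client 198.51.100.15#3456: query: www.internet2.edu IN A +
24-Apr-2007 10:00:01.120 client 198.51.100.15#3457: query: www.educause.edu IN A +
24-Apr-2007 10:00:02.330 client 203.0.113.9#2001: query: mail.example.net IN MX +
24-Apr-2007 10:00:02.335 client 203.0.113.9#2002: query: mail.example.net IN MX +
24-Apr-2007 10:00:02.340 client 203.0.113.9#2003: query: mail.example.net IN MX +
24-Apr-2007 10:00:03.000 client 192.0.2.77#40000: query: ns.example.edu IN A -
24-Apr-2007 10:00:04.500 client 198.51.100.40#1025: query: a.example.org IN A +
24-Apr-2007 10:00:04.510 client 198.51.100.40#1026: query: b.example.org IN A +
24-Apr-2007 10:00:04.520 client 198.51.100.40#1027: query: c.example.org IN A +
24-Apr-2007 10:00:04.530 client 198.51.100.40#1028: query: d.example.org IN A +
"""
LINE = re.compile(r"^(\S+ \S+) client (\S+)#\d+: query: (\S+) (\S+) (\S+) ([+-])")

def parse_querylog(text):
    """One dict per well-formed line; unparseable lines are skipped, not fatal."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts, client, name, qclass, qtype, rd = m.groups()
            out.append({"ts": ts, "client": ipaddress.ip_address(client), "name": name.lower(),
                        "qclass": qclass, "qtype": qtype, "rd": rd == "+"})
    return out

def off_campus_recursive(records, campus=CAMPUS):
    """Recursion-desired queries from outside campus. The query log shows what arrived, not
    what was answered, so confirm against the server's allow-recursion configuration."""
    return Counter(str(r["client"]) for r in records
                   if r["rd"] and not any(r["client"] in n for n in campus))

def top_talkers(records, threshold):
    """Clients at or above threshold queries in the sampled window: a flood against
    the name server, or a host taking part in one, shows up here first."""
    counts = Counter(str(r["client"]) for r in records)
    return {c: n for c, n in counts.items() if n >= threshold}

def name_spread(records):
    """Distinct names per client; a desktop resolves a handful, malware looking for its
    command-and-control hosts resolves many."""
    names = {}
    for r in records:
        names.setdefault(str(r["client"]), set()).add(r["name"])
    return {c: len(s) for c, s in names.items()}

if __name__ == "__main__":
    recs = parse_querylog(SAMPLE_LOG)
    print(off_campus_recursive(recs), top_talkers(recs, 3), name_spread(recs))
```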
DNSsec advisory group
• Goal: Experiment with DNSSEC and gain
operational experience including
• Does it solve anything?
• Participants sign at least one of their zones;
• Exchange keys (trust anchors) that will allow
them to mutually validate DNS data
• Setup security-aware resolvers
• Configured with the trust anchors
• Coordination - Internet2, Shinkuro
• http://www.dnssec-deployment.org/
DNSSec
• DNS Trust anchors for MAGPI
• https://rosetta.upenn.edu/magpi/dnssec.html
• SecSpider
• http://secspider.cs.ucla.edu/
• DNSSec Internet2 Pilot
• http://www.dnssec-deployment.org/internet2/
• Internet2 Security Weir
https://spaces.internet2.edu/display/securityweir/DNSSEC
Related Activities: REN-ISAC
• A private trust community for R&E
security protection and response
• http://www.ren-isac.net
• collect, derive, analyze, & disseminate
threat information. Supports member
understanding of threats, protection, and
mitigation.
• 24x7 Watch Desk ([email protected],
+1 317 274 6630)
REN-ISAC
• is an integral part of U.S. higher education’s strategy to
improve network security through information collection,
analysis, dissemination, early warning, and response;
• is specifically designed to support the unique
environment and needs of higher education and
research organizations;
• and, supports efforts to protect national cyber
infrastructure by participating in the formal U.S. ISAC
structure.
• Foremost, REN-ISAC is a member-driven trusted
community for sharing sensitive information regarding
cybersecurity threats, incidents, response, and protection.
REN-ISAC Milestones:
Since the Internet2 FMM
• REN-ISAC partnership with Microsoft for SCPe
• New alliance marks the first time Microsoft has worked with
higher education entities within the Security Cooperation
Program (SCP), a worldwide program originally formed for
government entities. The SCP provides a structured way for
Microsoft to share information efficiently, improving responses to
computer security incidents and decreasing the risk of system
attacks at member organizations.
• This unique trust relationship with Microsoft will provide an
information source from which we can impart important security
and product information to our membership, and through which
Microsoft will get input from real-life product experiences from
typically complex campus technology environments.
• http://www.ren-isac.net/relationships/microsoft.html
REN-ISAC Milestones:
Since the Internet2 FMM
• Formed the Microsoft Analysis Team
• Serves as the information sharing interface, analysts, and
relationship advisors for the REN-ISAC and Microsoft SCPe.
• Team members are from the University of Colorado at Boulder,
University of Illinois at Urbana-Champaign, Indiana University,
and New York University
• Formed the Executive Advisory Group
• Initial considerations of the group are sustainability and
membership models. EAG members are from EDUCAUSE,
Internet2, Louisiana State University, University of Maryland
Baltimore County, University of Montana, Oakland University,
and Reed College
• Formed additional information sharing relationships with
private mitigation groups
REN-ISAC Milestones:
Since the Internet2 FMM
• Held the first annual REN-ISAC Member Meeting
• held in conjunction with the EDUCAUSE and Internet2 Security
Professionals Conference.
Recognition of the following Contributors
• Berkeley (TAG)
• Buffalo (systems)
• Brandeis (systems)
• Colorado (MAT)
• Cornell (TAG)
• IU (host, EAG, TAG, MAT)
• LSU (resources, EAG)
• Oakland (EAG)
• Oregon (TAG)
• MOREnet (TAG, TechBursts)
• NYU (MAT)
• Reed (EAG)
• UMass (TAG)
• UMBC (EAG)
• UMN (TAG)
• UMT (EAG)
• WPI (TAG, systems)
TAG = Technical Advisory Group
EAG = Executive Advisory Group
MAT = Microsoft Analysis Team
Host = host site resources
Resources = dedicated commitment of human resource
Systems = systems, applications, and tools administration
REN-ISAC: Growth of Membership
Compromised System Notifications to .edu
[Charts, monthly from January through December and January through March of the following year]
• Botnet Command and Control Hosts (axis 0 to 100)
• Infected Hosts (axis 0 to 15000)
• Unique Institutions (axis 0 to 1000)
Projects
• Community Plumbing
• Web-based community-building tools to support member-contributed
project development, and member subgroups for specific interest topics
• Malware Analysis Infrastructure for R&E
• Malware sandbox and repository; working in cooperation and
with contributions from CWSandbox. Talks in progress with
Norman.
• DNS Infrastructure Monitoring for R&E
• Using standard queries, probe .edu DNS space for configuration
and security issues. Working in cooperation with John Kristoff
(Neustar)
• Passive DNS Replication Server
• R&E-specific view. Working in cooperation with John Kristoff
(Neustar)
Projects
• CSI2 Shared Darknet Project
• Information from dispersed, member-based darknet sensors is
combined to a single community resource. Provides notifications
of observed scanning sources, reports of aggregate port
scanning statistics, with a more complete view of IPv4-based
scanning activity than provided by a single, standalone darknet.
Working in cooperation with the Internet2 SALSA CSI2 effort.
• CSI2 RENOIR
• Research and Education Networking Operational Incident
Repository provides trust community-based sharing of incident
information. Working in cooperation with the Internet2 SALSA
CSI2 effort.
REN-ISAC
Priorities for the Coming Year
• Not in any particular order
• Membership growth
• Facilitate various forms of member involvement and contribution
• Develop additional and strengthen existing information sharing
relationships, including the new REN-ISAC and Microsoft SCPe
• Assessment of current services and member needs
• Executive Advisory guidance to sustainability
• Cybersecurity Registry
• Services for the combined Internet2 and NLR entity (monitoring,
sensors, and services; especially with consideration to the
commercial transit and peering)
• Tool/service Projects (listed on Projects page)
[Diagram: REN-ISAC service model]
• 24x7 Watch Desk
• Information Sharing: collect, analyze, and disseminate intelligence
• Information Products
• Members Served
• Networks
• Intel Relationships
• Registry
• Tools
• Education
• Exercises
REN-ISAC – Membership
• Membership is open and free to:
• institutions of higher education,
• teaching hospitals,
• research and education network providers, and
• government-funded research organizations.
• Membership guidelines are roughly:
• must be permanent staff,
• with organization-wide responsibilities for cybersecurity
protection and response, and
• be vouched-for by 2 existing members
• http://www.ren-isac.net/membership.html
REN-ISAC – Contacts
http://www.ren-isac.net
24x7 Watch Desk:
[email protected]
+1(317)274-6630
Mark Bruhn, Executive Director,
[email protected]
Doug Pearson, Technical Director
[email protected]
Dave Monnier, Principal Security Engineer
[email protected]
REN-ISAC Member Meeting
• CSI2 and REN-ISAC Members met two
weeks ago:
• develop a set of strategies that will facilitate the
development of new methodologies and
technologies to better anticipate and resolve
• evaluate current open source security tools and
their uses
• determine whether there is a need to create
additional tools that do not currently exist. Includes
web application assessment toolkits, event and
incident management toolkits,
• Investigate agent-based endpoint security tools.