GEANT - Fotis Gagadis


GÉANT - Implementing Security at Terabit Speed
Security in Europe’s Research and Education Network
Fotis Gagadis
Security Officer
Wayne Routly
Head of Information & Infrastructure Security
WISE Workshop, Barcelona.ES
20 October 2015
Networks ∙ Services ∙ People
www.geant.org
The New Security Reality
Diverse Environment:
• Multiple Pressure Points
• Understand where to focus
• What the NRENS actually needs
Not Just Another Tool:
• Must deliver value to NRENs
• Must enhance capabilities and not workload
• Automate, threshold, trigger
No Crystal Ball is Ever Clear:
• Planning for an uncertain future
• Scalable, solve achievable problems
TRUST In The Integrity of the Network
Security of the Network
• Dedicated Security Officer
• Policy Creation & Enforcement (Acceptable Use, Patch Management)
• Yearly Peer Security Audit (Community Involvement)
• Measurable Security for Physical Infrastructure
• Risk Assess Co-Locations
• Web Cameras
• Access Control & Network Segmentation
• Triggers & Alerts
TRUST In The Integrity of the Networks Systems
Risk & Vulnerability Assessment
• Asset Discovery
• Vulnerability Detection
• Configuration Auditing
• Risk Assessment and Suggested Fixes
…more in-depth view of vulnerabilities and any other kind of misconfiguration … at risk GÉANT infrastructure
A Modular Approach Towards Security
Security Services - Create encompassing security solution - NSHaRP
Risk Posture - Monitor to ensure management controls are in place
Anomaly Detection - Scalable mechanisms to report on Denial of Service trends
Firewall on Demand - Technologies to grow with and defend the network
NSHaRP – Security Service For Users
A GÉANT Solution
• Complete Security Solution
• Provides mechanism to quickly and effectively inform parties
• Adds Value - Serves as an extension to NRENs' CERTs
• An Automated Incident Notification & Handling System
• Extends NRENs' detection and mitigation capability to GÉANT borders
• Innovative and Unique - Caters for different types of requirements
Effective Risk Management
The GÉANT Approach
• Understand the nature of the risks the organisation faces
• Become aware of the extent of risks
• Recognize our ability to control and reduce risk
• Report the risk status at any point in time
• Have in place risk event "early warning" factors and upward reporting thresholds
Example Risk Register
Proactive Risk Management
Vulnerability & Patch Management Control
Weekly Scans
Proactive Approach
• Backbone + Corporate
• Respond to New Threats
• Sent to Teams Directly
• Create Triggers, Thresholds
• Is it Improving?
• Clearly Define & Identify Risk Areas
• Drill-Down Capabilities
• Risk Register Approach
Proactive Risk Management
Host Identification
What is on the Network?
• Weekly Scan of Backbone
• Does it belong to a Defined Zone?
• Have I seen it before?
Goes to the core of controlling your network
• Ensures New Devices are Identified
• Ensures Devices are owned!
• Central to effective Risk Management
• Differential Scans
Proactive Risk Management
Access Management
What accounts are active?
Who are the real bad IPs?
• Control over script overload
• See the forest for the trees….
• Misconfiguration?
• Look for Trends
• Notify someone – Reduce Noise
• Blacklist correlated & confirmed bad actors.
Proactive Risk Management
Remote Management
What accounts are active?
• Control over script overload
• Misconfiguration?
• Notify someone – Reduce Noise
GeoIP
• Why is the NOC engineer in China?
• …especially since he called me from the office
Multi-Faceted DDoS Detection System
Alerting to Events
Structured Alerting Mechanism
Require Clear & Rapid Notification
One event per mail for the most critical events
Daily report for the less critical and/or “noisy” ones:
- Text or HTML that can be parsed by the NREN
<ID>: num;
<Category>: ANOMALY;
<Type>: Behavior anomaly;
<Perspective>: NREN;
<Severity>: Critical;
<Time>: 2015-05-13 09:55:00;
<Protocol>: ;
<Source IP>: x.y.z.t;
<Target IPs>: a.b.c.d;
<Ports involved>: ;
<Flows sample>:
Source IP;Source port;Destination IP;Destination port;Protocol;Timestamp;Duration;Transferred;Packets;Flags;Source AS;Destination AS
x.y.z.t;42096;a.b.c.d;24384;TCP;2015-05-13 10:54:31.770;3.43900012969971;208000;4000;.A....;786;2108
Dear NREN,
We have detected a CAT. event affecting your network. All the information pertaining to it can be found below:
=============
#Start Time: 2015-05-14 01:56:04 UTC
#Protocol: UDP
#Source IP: x.y.z.t
#Target IPs: a.b.c.d
#Ports: 60312
#Evidence:
Source IP;Source port;Destination IP;Destination port;Protocol;Timestamp;Duration;Transferred;Packets;Flags;Source AS;Destination AS
x.y.z.t;a.b.c.d;60312;UDP;2015-05-14 02:56:04.566;0;84500;500;......;36351;766
=============
If you wish to reply to this email please leave the subject unaltered so the ticket can be updated accordingly.
If no response is received, this ticket will be automatically closed after 5 working days.
Regards,
GEANT CERT
[email protected] (PGP Key ID: 99833085 / Fingerprint: 3CBF F211 8305 635D 5839 BB27 BA6B F34A 9983 3085)
Phone no.: +44 (0)1223 866 140
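Added example (not GÉANT's or NSHaRP's code) of how an NREN could parse the two notification layouts shown above, the "<Key>: value;" report lines and the "#Key: value" e-mail lines with their semicolon-separated flow sample, into records. The sample text is constructed from the slide's placeholder addresses, and a flow row whose field count does not match the header, like the one in the e-mail example, is reported rather than guessed at.

```python
import re

# Constructed sample: the per-event layout shown on the slide, plus the flow row
# from the e-mail example, which has one field fewer than the header.
ALERT = """\
<ID>: 1234;
<Category>: ANOMALY;
<Type>: Behavior anomaly;
<Severity>: Critical;
<Time>: 2015-05-13 09:55:00;
<Protocol>: ;
<Source IP>: x.y.z.t;
<Target IPs>: a.b.c.d;
<Ports involved>: ;
<Flows sample>:
Source IP;Source port;Destination IP;Destination port;Protocol;Timestamp;Duration;Transferred;Packets;Flags;Source AS;Destination AS
x.y.z.t;42096;a.b.c.d;24384;TCP;2015-05-13 10:54:31.770;3.43900012969971;208000;4000;.A....;786;2108
x.y.z.t;a.b.c.d;60312;UDP;2015-05-14 02:56:04.566;0;84500;500;......;36351;766
"""
# Accepts "<Key>: value;" (daily report) and "#Key: value" (e-mail) header lines.
FIELD_RE = re.compile(r"^(?:<(?P<k1>[^>]+)>|#(?P<k2>[^:]+)):\s*(?P<val>.*?);?\s*$")
FLOW_KEYS = {"Flows sample", "Evidence"}   # the semicolon CSV header follows this key

def parse_alert(text):
    """Return (fields, flows, rejected): alert fields (empty value -> None), flow
    rows keyed by the CSV header, and rows whose field count differs from it."""
    fields, flows, rejected = {}, [], []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    rows = iter(lines)
    for line in rows:
        m = FIELD_RE.match(line)
        if m and (m.group("k1") or m.group("k2")) in FLOW_KEYS:
            break
        if m:
            fields[m.group("k1") or m.group("k2")] = m.group("val") or None
    header = next(rows, "").split(";")
    for row in rows:
        if ";" not in row:            # "=====" or closing text after the evidence
            break
        parts = row.split(";")
        if len(parts) != len(header):
            rejected.append(row)      # never infer which field is missing
            continue
        flow = dict(zip(header, parts))  # assumes the slide's header columns
        flow["Transferred"], flow["Packets"] = int(flow["Transferred"]), int(flow["Packets"])
        # average packet size separates small-packet floods from bulk transfers
        flow["bytes_per_packet"] = flow["Transferred"] / flow["Packets"] if flow["Packets"] else None
        flows.append(flow)
    return fields, flows, rejected
```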
What actions can NRENs request
• Filter / Block
• You can request the Security Team to Filter / Block traffic from and/or to a specific IP and/or prefix. Specific port ranges can be included in this block. The OC Security Team will apply this block for a period of time, after which you will be given the option to remove the block or have it kept in place.
• Monitor
• You can request the OC Security Team to monitor this incident for a specific period of time. After the time has elapsed and you request the ticket to be closed, the Security team will inform you of all incidents linked to the original ticket, if any have been alerted.
• Investigate
• You can request the OC Security Team to provide additional information about the incident. For example, you may require additional flow records for a larger time window.
• Nothing
• Ticket closes automatically after 5 working days
Firewall on Demand - Next Generation Firewall Filtering
Designed and Developed by GRNET
BGP Flowspec defined in RFC 5575
Layer 4 (TCP and UDP) firewall filters distributed in BGP on both an intra-domain and inter-domain basis
• Benefits
• Gives users flexibility; Alternative Use Cases?
• AAI
• NREN Credentials to login and stop attacks
• Limit Accidental & Damaging blocks
• “Better” in terms of
• Granularity: Per-flow level (Source/Dest IP/Ports, TCP flag)
• Action: Drop, rate-limit, redirect
• Speed: More responsive
• Efficiency: Closer to the source, Multi Domain
• Automation: Integration with other systems (NSHaRP)
Firewall on Demand
Interface
Conclusions
Delivering a Comprehensive & Future-Driven Security Eco-System benefiting the GÉANT Community
1. Take a holistic approach towards defending your network
• Understand the risks the organisation faces
• Collate, correlate, and automate your capabilities
2. Make changes that have significant impacts
• Use tools that radically improve your capabilities
• Use tools that provide flexibility
Thank you
Questions
[email protected]
[email protected]