
NSHaRP: Network Security Handling and Response Process

Wayne Routly, DANTE

TF-CSIRT Technical Seminar Malahide.ie, 03 June 2011

Contents

• GEANT : Who What How
• GEANT : Security
• Protecting GEANT Users
• A Security Conundrum
• Overflowing with Requirements
• Early Work….Lots of It
• A Process is Born
• A Solution
• A Look Under the Hood
• So What Are the Options
• To Profile or Not to Profile
• The Process in Action
• Where Are We Now?
• Conclusion

‘GEANT : Who What How’

• State of the Art Pan-European Network
• …..Transit Network….ISP
• 18 Physical PoPs
• 40 GB links -> 100GB
• TB of Data shifted
• 10 million+ IPs
• >100 Workstations
• Unusual Traffic
• Truly Global Interconnects
• NRENs
• European Network

‘Protecting GEANT Users’

• In an age of ever faster networks, greater connectivity, networks and users are under even greater risk of attack.
• Network Based Attacks
  • Paypal, VISA
  • Amazon
  • Wikileaks
  • Political
• Maintain service levels by proactively monitoring and mitigating against potential attacks?

‘A Security Conundrum’

How do we notify potential victims / sources & assist in solving those incidents for dozens of situations?

[Chart: Number of Events Detected - 12 mnts; y-axis: # of events, 0 to 3500]

How do we double the number of tickets we can handle without doubling the manpower? Automate it?

[Chart: Attacks where NREN DST - April 2011; y-axis 0 to 300]

‘Overflowing with Requirements’

Dozens of ways to report events…..

How do we notify potential victims & assist in solving those incidents for dozens of situations?

• I only want to see events that have a HIGH severity rating
• I want Information gathering events to be sent to the CERT & my manager
• I want Denial of Service events sent to the CERT and Network Scan events sent to the Security Officer
• I want evidence of attack to be included for all events
• I only want to be notified of a maximum of 30 events per week
• I want to see all events originating from my network
• I want to see events targeting my network and coming from my network
• I can only handle 5 incidents per day
• I only want to be notified of DoS events
• I want to know what incidents are attacks on my network
• I need my notifications to be digitally signed
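The requirements above amount to a per-NREN notification profile. As an added example (not DANTE's or NSHaRP's code; the Profile schema, its field names, the recipient labels and the sample addresses are all assumptions), this Python filter applies such a profile to a batch of detected events: severity threshold, per-anomaly-type routing, source/destination scope, a weekly cap and the evidence flag.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SEVERITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
# A detected anomaly: timestamp, type ("DoS", "NetworkScan", ...), severity, endpoints, evidence
Event = namedtuple("Event", "ts kind severity src dst evidence", defaults=[""])

@dataclass
class Profile:                                   # one NREN's notification preferences (assumed schema)
    prefixes: list                               # networks the NREN is responsible for
    min_severity: str = "LOW"
    kinds: set = None                            # None = every anomaly type
    scope: set = field(default_factory=lambda: {"src", "dst"})  # notify when NREN is src/dst
    routing: dict = field(default_factory=dict)  # anomaly type -> recipients
    default_to: tuple = ("cert",)
    max_per_week: int = None                     # None = unlimited
    include_evidence: bool = False

def _owned(addr, prefixes):
    return any(ip_address(addr) in ip_network(p) for p in prefixes)

def notifications(profile, events):
    sent, window = [], []                        # window: send times within the last 7 days
    for ev in sorted(events, key=lambda e: e.ts):
        roles = {r for r in ("src", "dst") if _owned(getattr(ev, r), profile.prefixes)}
        if not roles & profile.scope:            # NREN not involved in the requested direction
            continue
        if SEVERITY[ev.severity] < SEVERITY[profile.min_severity]:
            continue
        if profile.kinds is not None and ev.kind not in profile.kinds:
            continue
        window = [t for t in window if ev.ts - t < timedelta(days=7)]
        if profile.max_per_week is not None and len(window) >= profile.max_per_week:
            continue                             # weekly cap reached: not sent to this NREN
        window.append(ev.ts)
        to = tuple(profile.routing.get(ev.kind, profile.default_to))
        sent.append((ev, to, ev.evidence if profile.include_evidence else ""))
    return sent

# Constructed sample data (RFC 5737 documentation addresses, not real GEANT traffic)
T0 = datetime(2011, 6, 1)
EVENTS = [
    Event(T0, "DoS", "HIGH", "198.51.100.7", "192.0.2.10", "flow sample"),
    Event(T0 + timedelta(hours=1), "NetworkScan", "LOW", "192.0.2.20", "203.0.113.5"),
    Event(T0 + timedelta(hours=2), "InfoGathering", "MEDIUM", "203.0.113.9", "192.0.2.30"),
    Event(T0 + timedelta(days=1), "DoS", "HIGH", "203.0.113.8", "192.0.2.11"),
]
NREN_A = Profile(["192.0.2.0/24"], min_severity="MEDIUM", max_per_week=2,
                 routing={"DoS": ("cert", "noc")}, include_evidence=True)
NREN_B = Profile(["203.0.113.0/24"], kinds={"DoS"}, scope={"src"})
```

With these profiles NREN A receives the first DoS (with evidence, routed to CERT and NOC) and the InfoGathering event, then hits its weekly cap; NREN B, which only wants DoS events it originates, receives just the last one.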

‘Early work….lots of it’

Presentations @ TF-CSIRT / TNC / APM
• Quantitative Cross Comparative Analysis of Tools for Anomaly Detection
• Anomaly Tool Implementation in GÉANT
• Anomaly Detection in Backbone Networks: Building a Security Service Upon an Innovative Tool
• GEANT Access Port Manager (APM) Meetings
• A dozen internal presentations ;-)

Papers – Computers & Security / IEEE
• Operational Experiences with Anomaly Detection in Backbone Networks

Poster/Demo - SIGCOMM
• Towards Automatic Root-Cause Analysis of Network Anomalies using Frequent Itemset Mining

‘A Process is Born’

DANTE is rolling out NSHaRP
• Complete security solution
• Provides mechanism to quickly and effectively inform affected users
• Adds Value - Serves as an extension to NRENs CERT
• An Automated Incident Notification & Handling System
• Extends NRENs detection and mitigation capability to GEANT borders
• Innovative and Unique - Caters for different types of requirements
• Supported with GEANT NOC TTS

‘A Look Under The Hood’

Netreflex 2.5
• BGP, IS-IS & Netflow Mashup
• Anomaly Detection & Alerting
• Ability to create profiles…..lots of profiles
• Expandable Anomaly Type capability
• Can also be used by the NOC?

Service Desk Express
• Automated GEANT NOC Ticket Creation
• 2nd – 3rd Line Support
• Automated Ticket Closure
• Modular & Extendable

……about those profiles….

‘To Profile or Not to Profile’

‘User Warning’

POWERPOINT ANIMATION

VIEWER DISCRETION IS ADVISED

‘The Process….In Action’

[Diagram: NREN A, NREN B and Domain A connected through GÉANT, each with its own profile (Profile for NREN A, Profile for NREN B, Profile for Domain A); usage of GÉANT resources to protect end users]

‘Where Are We Now…’

• Development Process Completed
• Testing in progress
• Training

Next Steps
• Pilot – 2 months (Invitation)
• Production August 2011
• IP Peering
• Reporting

Future enhancements
• Adding external sources?
• Correlate multiple events
• Expanding incident palette
• Evolution of threats

Conclusions

• Big….Really Big Network
• Protect Users - Wikileaks
• How to cater for user requirements? Can this be automated?
• I want it my way, oh, and that way as well
• NSHaRP – Network Security Handling & Response Process
• Pieces that make it all work: Netreflex & SDE TTS
• Profiles, Profiles and even more Profiles
• Pilot July, Production August
• Future Work: New Anomalies

Thank You

Wayne Routly [email protected]
Juan Quintanilla [email protected]
