Security Topics Update - PowerPoint PPT Presentation

1
Security Topics Update
  • Christopher Misra
  • Mark Poepping
  • April 2007

2
Session outline
  • Salsa
  • Internet2/EDUCAUSE Security Task Force
  • Current Salsa activities
  • CSI2 working group
  • FWNA working group
  • Salsa-DR
  • Other topics
  • DNS/DNSSec
  • REN-ISAC

3
Salsa
  • Salsa is an oversight group consisting of
    technical representatives from the higher
    education community
  • who will advise on leading edge technology
    issues, provide prioritization, and set
    directions in the security space.
  • Salsa works in collaboration with the
    EDUCAUSE/Internet2 Security Task Force

4
Security Task Force
  • Internet2 and EDUCAUSE established the Computer
    and Network Security Task Force in July 2000. The
    task force works to improve cybersecurity across
    the higher education sector and actively promotes
    effective practices and solutions for the
    protection of information assets and critical
    infrastructures.

5
Security Task Force
  • STF Resources
  • http://www.educause.edu/security
  • Security Professionals Conference
  • http://www.educause.edu/sec07
  • Held April 10-12 2007
  • May 4-6 2008 in Arlington, VA
  • Effective Practices Guide
  • https://wiki.internet2.edu/confluence/display/secguide/

6
Salsa-CSI2 working group
  • Chartered to organize activities/create tools to
    identify security incidents
  • How they can be better identified
  • How information about the incidents can be shared
  • To improve the overall security of the network
    and the parties connected to the network.
  • Focusing on the shifting landscape problem

7
Salsa-CSI2 RENOIR
  • Research and Education Networking Operational
    Information Repository
  • Designed around the concept of a ticket system
    handling security data
  • vast array of sources
  • Organizing the data into high-level cases
  • use for reporting on daily operational incidents.
  • Rely on a trusted third-party to facilitate
    communication

8
RENOIR Design
  • Accept human input and structured data to form
    tickets
  • using IODEF in an appropriate format.
  • Allow input from users from a variety of roles
  • Reporting party, affected site, administrators
  • Researchers?

9
RENOIR Design
  • Use widely accepted, encrypted transport
    mechanisms
  • In the transport layer
  • Encrypting message content.
  • Use a registry of contact information
  • Facilitate automated notifications of affected
    sites
  • REN-ISAC contacts?

10
RENOIR Design
  • Extendable to include new security problems and
    reported incident types as they occur.
  • Accommodate dynamic threat environment
  • Interaction with campus-scoped ticketing
  • Incremental development of capabilities
  • Due to system and transaction complexity

11
RENOIR Reporting Requirements
  • Flexibility in reporting/handling
  • We don't want to replace local workflows!
  • Programming API (SOAP)
  • Facilitate easy communication and reporting
  • Ok, but how do we do it well?

12
RENOIR Reporting Well
  • Reporting detailed information that others can
    use without asking for more information
  • Reporting in a timely manner
  • See above bullet
  • Streamlining report creation and handling process
  • Getting useful data from reports in aggregate
  • Responding to reports

13
RENOIR Status
  • Functional code segments have been created by the
    working group
  • Still early in development cycle
  • Primarily by Phil Deneault from WPI
  • Activities coordinated with REN-ISAC
  • As eventual trusted third-party
  • Work continues
  • Please let us know if you are interested

14
Salsa-CSI2 Darknets
  • A darknet collector listens to one or more blocks
    of routed, allocated, but unused IP address
    space.
  • Because the IP space is unused (hence "dark")
    there should be very little if any legitimate
    traffic entering the darknet
  • Team Cymru Darknet Project
  • http://www.cymru.com/Darknet/index.html

15
Shared Darknet
  • Develop a wide-aperture, powerful network
    security sensor
  • directly serve higher-education and research
    institutions
  • indirectly serve Internet users at large.
  • Institutions who run local darknets send their
    collector data to REN-ISAC
  • Only hits from remote sources

16
Shared Darknet
  • The data is analyzed to identify compromised
    machines by IP address, destination ports
  • The REN-ISAC compiles the darknet data
    contributions
  • Distributes notifications and reports.
  • Limited policy overhead
  • Low privacy requirements for this data
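The analysis step sketched in the slides above (keep only hits from remote sources, compile contributions per source address and destination port, notify on likely compromised machines), as an added example that is not part of the original presentation or of the REN-ISAC tooling; site names, address space and hit records are constructed.

```python
"""Added example, not part of the original slides: a minimal shared-darknet
aggregator in the spirit of the Salsa-CSI2 / REN-ISAC project. Sites, address
space and hit records below are all constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Hit:
    site: str   # contributing institution (constructed name)
    src: str    # source address of the packet that entered the darknet
    dport: int  # destination port it probed

# Constructed: each contributor's own address space. Hits from inside it are
# local noise and are dropped ("only hits from remote sources" are shared).
SITE_PREFIXES = {
    "site-a": [ipaddress.ip_network("198.51.100.0/24")],
    "site-b": [ipaddress.ip_network("203.0.113.0/24")],
}

def is_remote(hit):
    addr = ipaddress.ip_address(hit.src)
    return not any(addr in net for net in SITE_PREFIXES.get(hit.site, []))

def aggregate(hits, min_sites=2, min_ports=3):
    """Compile all contributions per source address and flag a source when it
    is seen by several sites (wide scanning) or probes several ports; either
    pattern marks a likely compromised or scanning host."""
    per_src = defaultdict(lambda: {"sites": set(), "ports": set(), "hits": 0})
    for h in filter(is_remote, hits):
        rec = per_src[h.src]
        rec["sites"].add(h.site)
        rec["ports"].add(h.dport)
        rec["hits"] += 1
    for rec in per_src.values():
        rec["flag"] = len(rec["sites"]) >= min_sites or len(rec["ports"]) >= min_ports
    return dict(per_src)

def notifications(hits):
    """One line per flagged source: the notification the community would send
    to the network that owns the source address."""
    return sorted(f"{src}: seen at {len(r['sites'])} site(s), "
                  f"{len(r['ports'])} port(s), {r['hits']} hit(s)"
                  for src, r in aggregate(hits).items() if r["flag"])

# Constructed sample feed from two contributing darknets.
SAMPLE_HITS = [
    Hit("site-a", "192.0.2.10", 445), Hit("site-a", "192.0.2.10", 139),
    Hit("site-b", "192.0.2.10", 445),    # same source seen at a second site
    Hit("site-a", "192.0.2.77", 22), Hit("site-a", "192.0.2.77", 23),
    Hit("site-a", "192.0.2.77", 3389),   # three ports probed from one source
    Hit("site-b", "203.0.113.5", 1434),  # inside site-b's own space: dropped
    Hit("site-a", "192.0.2.200", 80),    # a single hit is not reported
]

if __name__ == "__main__":
    print("\n".join(notifications(SAMPLE_HITS)))
```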

17
Shared Darknet
  • REN-ISAC project with tools coordination provided
    by Salsa-CSI2
  • Tools development done extensively by David
    Ripley from Indiana University Advanced Network
    Management Lab (ANML)
  • First participants (beyond IU) submitting data
    for analysis

18
Salsa-CSI2 Workshop
  • Held in Cambridge, MA 5-6 March 2007
  • First face to face meeting of working group
  • Made possible by DoJ grant funding CSI2
    activities.
  • Refined use cases for RENOIR
  • Built consensus around tangible problems
  • Defined a series of outcomes

19
Salsa-FWNA working group
  • Analysis and proposal toward a pilot and eventual
    implementation to support network access to
    visiting scholars among federated institutions
  • Engaged with the eduroam community
  • Operational server has tested interoperability
  • http://www.eduroam.org/

20
Salsa-FWNA Current work
  • RADIUS and SAML
  • Integrating Network Authentication and Attribute
    Exchange
  • Work on a specification that defines a profile
    that includes messages and flows from both RADIUS
    RFC2865 and SAML specifications (both v1.1 and
    2.0).
  • Still in draft form
  • Continuing topic of discussion...

21
Salsa-FWNA RADIUS and SAML
  • In traditional Radius usage
  • User's Home Site Radius server makes the access
    control decision,
  • tells the Radius server at the Network Provider
    site whether to grant the user access to its
    network.
  • When the two Radius servers are in different
    organizations
  • Additional SAML flows allow the Radius server at
    the Network Provider site to obtain trusted
    information describing the requesting user
  • Can then make its own access control decision.

22
Salsa-FWNA RADIUS and SAML
  • The specification is taking advantage of SAML
    services
  • That are already defined and deployed for exactly
    this purpose.
  • Availability of these SAML attributes provides
  • Network Provider RADIUS server with the option of
    implementing a more flexible access control
    policy than possible with standard RADIUS.
  • This specification describes a server
    communicating with SAML entities
  • No web browsers are involved.

23
Salsa-FWNA RADIUS and SAML
24
Salsa-FWNA Visitor Access
  • WLAN is an expected technology for campus
    visitors
  • There are various solutions that campus network
    administrators use to try to reconcile visitor
    networks
  • Within a policy framework
  • Survey conducted
  • See the 4:30 Visitor Access session today
  • Phillipe Hanset (UTK) and Mark Linton (PSU)

25
Salsa-FWNA Visitor Access
  • Working group meeting held this morning reflected
    a need for consensus across the community
  • We are all facing this problem
  • Many of us have solved this in similar ways
  • Do we need a document to help capture these
    thoughts?
  • And cast the context of visitor access against
    the visiting scholar problem
  • Guest access complementing federated network
    access deployments

26
Disaster Recovery
  • Salsa-DR has been formed this spring
  • to explore and document recommended practices for
    disaster planning and recovery,
  • especially for Higher Ed if and as those needs
    are distinct from those of other large
    enterprises
  • liaising with other groups or organizations as
    appropriate

27
Salsa-DR Charter
  • contingency planning
  • developing and testing recovery plans, policies,
    and procedures
  • warm and hot site strengths, weaknesses, and
    potential pitfalls
  • contractual and SLA models and guidance
  • reciprocal agreements with other organizations or
    campuses
  • Mass notifications

28
Salsa-DR
  • Already have over 80 people on the discussion
    list.
  • Interested parties can sign up to participate by
    going to the web site
  • http://security.internet2.edu/dr/
  • We are particularly interested in institutions
    that would like to collaborate in the
    investigation and implementation of possible DR
    solutions.

29
Salsa-DR Mailing list
  • Working Group Chair
  • Don MacLeod, Cornell University
  • To subscribe to the Salsa-DR list, send email to
    sympa at internet2 dot edu, with the subject
    line
  • subscribe <list name> FirstName LastName
  • For example
  • subscribe salsa-dr Jane Doe

30
EDUCAUSE Business Continuity Management
Constituent Group
  • Forum for strategic and tactical discussions
  • To maintain or restore business and academic
    services when some circumstance disrupts normal
    operations.
  • Discussion topics may include
  • risk and impact assessment
  • prioritization of business processes
  • restoring operations to a "new normal" after an
    event.
  • http://www.educause.edu/groups/bc

31
Other Topics: What we all think about
  • Protecting sensitive data
  • Not just the enterprise data, but the researcher
    data
  • Identity management
  • In higher-ed, there are a lot of business process
    and policy issues as well as technology
  • Malware (viruses, worms, spyware, etc.)
  • Distributed denial of service attacks

32
Other Topics: What we may not all be thinking
about
  • The strategic importance of DNS
  • The value of sector-based security operations and
    the REN-ISAC
  • Spam, DDoS, etc. and their impact on the
    infrastructure
  • Evolving firewall management strategies to
    accommodate advanced applications
  • Firewall discussion Wednesday afternoon
  • Federated identity and leveraging it for access
    control

33
Evolving Firewalls Management
  • Wednesday 1:15 session
  • Firewalls: Can't live with or without them
  • What are firewalls protecting us against?
  • Are they still effective?
  • What firewall architectures are people using
    these days?
  • Firewalls very close to the end host?
  • How does this relate to campus network
    architectures?

34
Domain Name System (DNS)
  • DNS is the foundational service of the network:
    no service works without it.
  • DNS itself needs better security
  • Vulnerable to several attacks and can be
    exploited for other attacks
  • Remedial steps (e.g. DNSSec) face a critical
    bootstrap problem, since their value depends on
    mass adoption
  • DNS as the basis for many security enhancements
  • Spam control mechanisms will leverage it
  • Federated security services depend on it
  • EDUCAUSE oversees .edu: a chance for higher-ed to
    lead

35
Homework: DNS
  • Make sure the campus DNS operations are
    adequately supported; check out www.dnsreport.com
  • Campus DNS operations should plan to work with
    applications
  • LDAP/Kerberos RRs
  • SPF/DK/DKIM
  • Make sure that you're not part of the problem:
    filter outgoing spoofed traffic, don't operate
    open recursive servers, etc.

36
DNS: More to think about
  • Consider DNS monitoring
  • Using query logs to analyze malicious activity
  • How much priority is DNS given locally
  • Recent software, proper, secure configuration,
    change management
  • Name servers aren't just a tool for conducting
    distributed denial of service attacks, they're
    also a target for distributed denial of service
    attacks
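The homework and monitoring items above (don't operate an open recursive server; use query logs to spot malicious activity; expect name servers to be DDoS targets), as an added example that is not from the slides: a query-log check in Python that assumes BIND 9's classic "client IP#port: query: NAME CLASS TYPE FLAGS" log line format, with constructed campus prefixes, watchlist and log lines.

```python
"""Added example, not part of the original slides: checks a BIND-style query
log for an open recursive server and for query patterns that point at
malicious activity. The log format assumed is BIND 9's classic
"client IP#port: query: NAME CLASS TYPE FLAGS"; all data is constructed."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed campus address space: recursion should be served only to these.
CAMPUS = [ipaddress.ip_network("198.51.100.0/24"),
          ipaddress.ip_network("2001:db8::/32")]
# Constructed watchlist of names that campus hosts should never resolve.
WATCHLIST = {"bad-example.invalid", "c2.example.net"}
QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN (\S+) (\S+)")

def parse(line):
    """Return (client, qname, qtype, recursion_desired) or None for non-query lines."""
    m = QUERY_RE.search(line)
    if not m:
        return None
    client, qname, qtype, flags = m.groups()
    return client, qname.rstrip(".").lower(), qtype, flags.startswith("+")

def on_campus(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CAMPUS)

def analyze(lines, flood_threshold=100):
    """Three findings: off-campus clients that asked us to recurse (we are an
    open recursor), campus clients that looked up a watchlisted name, and
    clients whose query volume exceeds flood_threshold (abuse or DDoS)."""
    open_recursion, watch_hits, per_client = set(), defaultdict(set), Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        client, qname, _qtype, rd = rec
        per_client[client] += 1
        if rd and not on_campus(client):
            open_recursion.add(client)
        if qname in WATCHLIST and on_campus(client):
            watch_hits[client].add(qname)
    floods = {c: n for c, n in per_client.items() if n > flood_threshold}
    return {"open_recursion": open_recursion,
            "watchlist_hits": dict(watch_hits), "floods": floods}

# Constructed sample log: a campus host resolving a watchlisted name, an
# off-campus client using us as a recursor, and a flood from one source.
SAMPLE_LOG = [
    "client 198.51.100.23#51000: query: www.example.edu IN A + (198.51.100.53)",
    "client 198.51.100.23#51001: query: c2.example.net IN A + (198.51.100.53)",
    "client 192.0.2.9#40000: query: example.org IN MX + (198.51.100.53)",
    "client 192.0.2.9#40001: query: example.edu IN A - (198.51.100.53)",
] + [f"client 203.0.113.7#{50000 + i}: query: example.com IN ANY + (198.51.100.53)"
     for i in range(120)]

if __name__ == "__main__":
    for kind, found in analyze(SAMPLE_LOG).items():
        print(kind, found)
```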

37
DNSsec advisory group
  • Goal: Experiment with DNSSEC and gain
    operational experience, including:
  • Does it solve anything?
  • Participants sign at least one of their zones
  • Exchange keys (trust anchors) that will allow
    them to mutually validate DNS data
  • Setup security-aware resolvers
  • Configured with the trust anchors
  • Coordination: Internet2, Shinkuro
  • http://www.dnssec-deployment.org/

38
DNSSec
  • DNS Trust anchors for MAGPI
  • https://rosetta.upenn.edu/magpi/dnssec.html
  • SecSpider
  • http://secspider.cs.ucla.edu/
  • DNSSec Internet2 Pilot
  • http://www.dnssec-deployment.org/internet2/
  • Internet2 Security Weir
  • https://spaces.internet2.edu/display/securityweir/DNSSEC

39
Related Activities REN-ISAC
  • A private trust community for R&E security
    protection and response
  • http://www.ren-isac.net
  • collect, derive, analyze, disseminate threat
    information. Supports member understanding of
    threats, protection, and mitigation.
  • 24x7 Watch Desk (ren-isac@ren-isac.net, 1 317
    274 6630)

40
REN-ISAC
  • is an integral part of U.S. higher education's
    strategy to improve network security through
    information collection, analysis, dissemination,
    early warning, and response
  • is specifically designed to support the unique
    environment and needs of higher education and
    research organizations
  • and supports efforts to protect national cyber
    infrastructure by participating in the formal
    U.S. ISAC structure.
  • Foremost, REN-ISAC is a member-driven trusted
    community for sharing sensitive information
    regarding cybersecurity threats, incidents,
    response, and protection.

41
REN-ISAC Milestones Since the Internet2 FMM
  • REN-ISAC partnership with Microsoft for SCPe
  • New alliance marks the first time Microsoft has
    worked with higher education entities within the
    Security Cooperation Program (SCP), a worldwide
    program originally formed for government
    entities. The SCP provides a structured way for
    Microsoft to share information efficiently,
    improving responses to computer security
    incidents and decreasing the risk of system
    attacks at member organizations.
  • This unique trust relationship with Microsoft
    will provide an information source from which we
    can impart important security and product
    information to our membership, and through which
    Microsoft will get input from real-life product
    experiences from typically complex campus
    technology environments.
  • http://www.ren-isac.net/relationships/microsoft.html

42
REN-ISAC Milestones Since the Internet2 FMM
  • Formed the Microsoft Analysis Team
  • Serves as the information sharing interface,
    analysts, and relationship advisors for the
    REN-ISAC and Microsoft SCPe.
  • Team members are from University of Colorado at
    Boulder, University of Illinois at
    Urbana-Champaign, Indiana University, and New York
    University
  • Formed the Executive Advisory Group
  • Initial considerations of the group to be
    sustainability and membership models. EAG members
    are from EDUCAUSE, Internet2, Louisiana State
    University, University of Maryland Baltimore
    County, University of Montana, Oakland
    University, and Reed College
  • Formed additional information sharing
    relationships with private mitigation groups

43
REN-ISAC Milestones Since the Internet2 FMM
  • Held the first annual REN-ISAC Member Meeting
  • held in conjunction with the EDUCAUSE and
    Internet2 Security Professionals Conference.

44
Recognition of the following Contributors
  • Berkeley (TAG)
  • Buffalo (systems)
  • Brandeis (systems)
  • Colorado (MAT)
  • Cornell (TAG)
  • IU (host, EAG, TAG, MAT)
  • LSU (resources, EAG)
  • Oakland (EAG)
  • Oregon (TAG)
  • MOREnet (TAG, TechBursts)
  • NYU (MAT)
  • Reed (EAG)
  • UMass (TAG)
  • UMBC (EAG)
  • UMN (TAG)
  • UMT (EAG)
  • WPI (TAG, systems)

  • TAG: Technical Advisory Group
  • EAG: Executive Advisory Group
  • MAT: Microsoft Analysis Team
  • Host: host site resources
  • Resources: dedicated commitment of human resource
  • Systems: systems, applications, and tools administration
45
REN-ISAC Growth of Membership
46
Compromised System Notifications to .edu
47
Projects
  • Community Plumbing
  • Web-based community-building tools to support
    member-contributed project development, and
    member subgroups for specific interest topics
  • Malware Analysis Infrastructure for R&E
  • Malware sandbox and repository working in
    cooperation and with contributions from
    CWSandbox. Talks in progress with Norman.
  • DNS Infrastructure Monitoring for R&E
  • Using standard queries, probe .edu DNS space for
    configuration and security issues. Working in
    cooperation with John Kristoff (Neustar)
  • Passive DNS Replication Server
  • R&E-specific view. Working in cooperation with
    John Kristoff (Neustar)

48
Projects
  • CSI2 Shared Darknet Project
  • Information from dispersed, member-based darknet
    sensors is combined to a single community
    resource. Provides notifications of observed
    scanning sources, reports of aggregate port
    scanning statistics, with a more complete view of
    IPv4-based scanning activity than provided by a
    single, standalone darknet. Working in
    cooperation with the Internet2 SALSA CSI2 effort.
  • CSI2 RENOIR
  • Research and Education Networking Operational
    Incident Repository provides trust
    community-based sharing of incident information.
    Working in cooperation with the Internet2 SALSA
    CSI2 effort.

49
REN-ISAC Priorities for the Coming Year
  • Not in any particular order
  • Membership growth
  • Facilitate various forms of member involvement
    and contribution
  • Develop additional and strengthen existing
    information sharing relationships, including the
    new REN-ISAC and Microsoft SCPe
  • Assessment of current services and member needs
  • Executive Advisory guidance to sustainability
  • Cybersecurity Registry
  • Services for the combined Internet2 and NLR
    entity (monitoring, sensors, and services
    especially with consideration to the commercial
    transit and peering)
  • Tool/service Projects (listed on Projects page)

50
Information Sharing
  • 24x7 Watch Desk
  • Members
  • Information Products
  • Collect, analyze, and disseminate intelligence
  • Served Networks
  • Education
  • Intel Relationships
  • Exercises
51
REN-ISAC Membership
  • Membership is open and free to
  • institutions of higher education,
  • teaching hospitals,
  • research and education network providers, and
  • government-funded research organizations.
  • Membership guidelines are roughly
  • must be permanent staff,
  • with organization-wide responsibilities for
    cybersecurity protection and response, and
  • be vouched-for by 2 existing members
  • http://www.ren-isac.net/membership.html

52
REN-ISAC Contacts
  • http://www.ren-isac.net
  • 24x7 Watch Desk
  • ren-isac@ren-isac.net
  • 1(317)274-6630
  • Mark Bruhn, Executive Director,
  • mbruhn@iu.edu
  • Doug Pearson, Technical Director
  • dodpears@ren-isac.net
  • Dave Monnier, Principal Security Engineer
  • dmonnier@ren-isac.net

53
REN-ISAC Member Meeting
  • CSI2 and REN-ISAC Members met two weeks ago
  • develop a set of strategies that will facilitate
    the development of new methodologies and
    technologies to better anticipate and resolve
  • evaluate current open source security tools and
    their uses
  • determine whether there is a need to create
    additional tools that do not currently exist.
    Includes web application assessment toolkits,
    event and incident management toolkits,
  • Investigate agent-based endpoint security tools.
