Networks ∙ Services ∙ People www.geant.org

GÉANT - Implementing Security at Terabit Speed
Security in Europe’s Research and Education Network

Fotis Gagadis, Security Officer
Wayne Routly, Head of Information & Infrastructure Security
WISE Workshop, Barcelona.ES, 20 October 2015
The New Security Reality

Diverse Environment:
• Multiple Pressure Points
• Understand where to focus
• What the NRENs actually need

Not Just Another Tool:
• Must deliver value to NRENs
• Must enhance capabilities, not workload
• Automate, threshold, trigger

No Crystal Ball is Ever Clear:
• Planning for an uncertain future
• Scalable; solve achievable problems
Security of the Network
TRUST In The Integrity of the Network

• Dedicated Security Officer
• Policy Creation & Enforcement (Acceptable Use, Patch Management)
• Yearly Peer Security Audit (Community Involvement)
• Measurable Security for Physical Infrastructure
• Risk Assess Co-Locations
• Web Cameras
• Access Control & Network Segmentation
• Triggers & Alerts
Risk & Vulnerability Assessment
TRUST In The Integrity of the Network’s Systems

• Asset Discovery
• Vulnerability Detection
• Configuration Auditing
• Risk Assessment and Suggested Fixes

…more in-depth view of vulnerabilities and any other kind of misconfiguration … at-risk GÉANT infrastructure
A Modular Approach Towards Security

• Security Services - Create an encompassing security solution - NSHaRP
• Risk Posture - Monitor to ensure management controls are in place
• Anomaly Detection – Scalable mechanisms to report on Denial of Service trends
• Firewall on Demand – Technologies to grow with and defend the network
NSHaRP – Security Service For Users
A GÉANT Solution

• Complete Security Solution
• Provides a mechanism to quickly and effectively inform parties
• Adds Value - Serves as an extension to NRENs’ CERTs
• An Automated Incident Notification & Handling System
• Extends NRENs’ detection and mitigation capability to GÉANT borders
• Innovative and Unique - Caters for different types of requirements
Effective Risk Management: The GÉANT Approach

• Understand the nature of the risks the organisation faces
• Become aware of the extent of risks
• Recognize our ability to control and reduce risk
• Report the risk status at any point in time
• Have in place risk event "early warning" factors and upward reporting thresholds
Example Risk Register
Proactive Risk Management: Vulnerability & Patch Management Control

Weekly Scans
• Backbone + Corporate
• Sent to Teams Directly
• Is it Improving?
• Drill-Down Capabilities

Proactive Approach
• Respond to New Threats
• Create Triggers, Thresholds
• Clearly Define & Identify Risk Areas
• Risk Register Approach
Proactive Risk Management: Host Identification

What is on the Network?
• Weekly Scan of Backbone
• Does it belong to a Defined Zone?
• Have I seen it before?
• Differential Scans

Goes to the core of controlling your network
• Ensures New Devices are Identified
• Ensures Devices are owned!
• Central to effective Risk Management
Proactive Risk Management: Access Management

What accounts are active?
• Control over script overload
• Misconfiguration?
• Notify someone – Reduce Noise

Who are the real bad IPs?
• See the forest for the trees….
• Look for Trends
• Blacklist correlated & confirmed bad actors.
Proactive Risk Management: Remote Management

What accounts are active?
• Control over script overload
• Misconfiguration?
• Notify someone – Reduce Noise

GeoIP
• Why is the NOC engineer in China?
• ….especially since he called me from the office
Multi-Faceted DDoS Detection System
Alerting to Events
Structured Alerting Mechanism
Require Clear & Rapid Notification

<ID>: num;<Category>: ANOMALY;<Type>: Behavior anomaly;<Perspective>: NREN;<Severity>: Critical;<Time>: 2015-05-13 09:55:00;<Protocol>: ;<Source IP>: x.y.z.t;<Target IPs>: a.b.c.d;<Ports involved>: ;<Flows sample>:
Source IP;Source port;Destination IP;Destination port;Protocol;Timestamp;Duration;Transferred;Packets;Flags;Source AS;Destination AS
x.y.z.t;42096;a.b.c.d;24384;TCP;2015-05-13 10:54:31.770;3.43900012969971;208000;4000;.A....;786;2108

Dear NREN,

We have detected a CAT. event affecting your network. All the information pertaining to it can be found below:
=============
#Start Time: 2015-05-14 01:56:04 UTC
#Protocol: UDP
#Source IP: x.y.z.t
#Target IPs: a.b.c.d
#Ports: 60312
#Evidence:
Source IP;Source port;Destination IP;Destination port;Protocol;Timestamp;Duration;Transferred;Packets;Flags;Source AS;Destination AS
x.y.z.t;a.b.c.d;60312;UDP;2015-05-14 02:56:04.566;0;84500;500;......;36351;766
=============
If you wish to reply to this email please leave the subject unaltered so the ticket can be updated accordingly. If no response is received, this ticket will be automatically closed after 5 working days.

Regards,
GEANT
[email protected] (PGP Key ID: 99833085 / Fingerprint: 3CBF F211 8305 635D 5839 BB27 BA6B F34A 9983 3085)
Phone no.: +44 (0)1223 866 140

One event per mail for the most critical events.
Daily report for the less critical and/or “noisy” ones:
- Text or HTML that can be parsed by the NREN
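The slide says the alert format is meant to be parsed by the NREN. The following is an added example, not code from the talk or from GÉANT's tooling: a Python parser for the record shown above. It assumes a newline separates the flow-sample header from its rows and that the Flags column follows the nfdump-style UAPRSF order; a row whose column count does not match the header (the e-mail's evidence row lacks its source port) is rejected rather than guessed at, and the hypothetical flowspec_match() shows which RFC 5575 components an automated Firewall on Demand rule would carry for a validated flow.

```python
import re

# Constructed from the alert record on the slide. A newline separates the
# flow-sample header from its rows (the slide text runs them together).
SAMPLE_ALERT = (
    "<ID>: num;<Category>: ANOMALY;<Type>: Behavior anomaly;<Perspective>: NREN;"
    "<Severity>: Critical;<Time>: 2015-05-13 09:55:00;<Protocol>: ;<Source IP>: x.y.z.t;"
    "<Target IPs>: a.b.c.d;<Ports involved>: ;<Flows sample>:\n"
    "Source IP;Source port;Destination IP;Destination port;Protocol;Timestamp;"
    "Duration;Transferred;Packets;Flags;Source AS;Destination AS\n"
    "x.y.z.t;42096;a.b.c.d;24384;TCP;2015-05-13 10:54:31.770;3.43900012969971;"
    "208000;4000;.A....;786;2108\n"
    # Evidence row from the e-mail example: its source-port column is missing.
    "x.y.z.t;a.b.c.d;60312;UDP;2015-05-14 02:56:04.566;0;84500;500;......;36351;766\n"
)

FIELD_RE = re.compile(r"<([^>]+)>:\s*([^;]*);?")
FLAG_ORDER = "UAPRSF"  # assumed nfdump-style order: URG ACK PSH RST SYN FIN

def parse_alert(text):
    """Split an alert into (header fields, valid flow rows, rejected raw rows)."""
    head, _, flows = text.partition("<Flows sample>:")
    fields = {k: v.strip() for k, v in FIELD_RE.findall(head)}
    lines = [ln for ln in flows.splitlines() if ln.strip()]
    columns = lines[0].split(";")
    good, bad = [], []
    for raw in lines[1:]:
        parts = raw.split(";")
        if len(parts) != len(columns):  # column count mismatch: reject, never guess
            bad.append(raw)
            continue
        row = dict(zip(columns, parts))
        row["Transferred"], row["Packets"] = int(row["Transferred"]), int(row["Packets"])
        row["Duration"] = float(row["Duration"])
        good.append(row)
    return fields, good, bad

def tcp_flags(flags):
    """Decode a '.A....' style flag string into the set of flags that are set."""
    return {name for name, ch in zip(FLAG_ORDER, flags) if ch != "."}

def avg_packet_bytes(row):
    return row["Transferred"] / row["Packets"] if row["Packets"] else 0.0

def flowspec_match(row):
    """Hypothetical: RFC 5575 match components for this flow. The 'discard' action is
    illustrative only; the operator chooses drop, rate-limit or redirect."""
    return {"destination-prefix": row["Destination IP"] + "/32",
            "source-prefix": row["Source IP"] + "/32",
            "ip-protocol": row["Protocol"].lower(),
            "destination-port": int(row["Destination port"]),
            "action": "discard"}
```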
What actions can NRENs request

• Filter / Block: You can request the Security Team to Filter / Block traffic from and/or to a specific IP and/or prefix. Specific port ranges can be included in this block. The OC Security Team will apply this block for a period of time, after which you will be given the option to remove the block or have it kept in place.
• Monitor: You can request the OC Security Team to monitor this incident for a specific period of time. After the time has elapsed and you request the ticket to be closed, the Security team will inform you of all incidents linked to the original ticket, if any have been alerted.
• Investigate: You can request the OC Security Team to provide additional information about the incident. For example, you may require additional flow records for a larger time window.
• Nothing: Ticket closes automatically after 5 working days
Firewall on Demand - Next Generation Firewall Filtering
Designed and Developed by GRnet

BGP Flowspec, defined in RFC 5575: Layer 4 (TCP and UDP) firewall filters distributed in BGP on both an intra-domain and inter-domain basis

• Benefits
  • Gives users flexibility; Alternative Use Cases?
  • AAI
    • NREN Credentials to log in and stop attacks
    • Limit Accidental & Damaging blocks
• “Better” in terms of
  • Granularity: Per-flow level (Source/Dest IP/Ports, TCP flag)
  • Action: Drop, rate-limit, redirect
  • Speed: More responsive
  • Efficiency: Closer to the source, Multi Domain
  • Automation: Integration with other systems (NSHaRP)
Firewall on Demand
Interface
Conclusions
Delivering a Comprehensive & Future-Driven Security Eco-System benefiting the GÉANT Community

1. Take a holistic approach towards defending your network
  • Understand the risks the organisation faces
  • Collate, correlate, and automate your capabilities
2. Make changes that have significant impacts
  • Use tools that radically improve your capabilities
  • Use tools that provide flexibility
Thank you
Questions