Security Topics Update

Post on 04-Jan-2016


Christopher Misra

Mark Poepping

April 2007

Session outline

• Salsa
  • Internet2/EDUCAUSE Security Task Force
  • Current Salsa activities
    • CSI2 working group
    • FWNA working group
    • Salsa-DR
• Other topics
  • DNS/DNSSec
  • REN-ISAC

Salsa

• Salsa is an oversight group consisting of technical representatives from the higher education community who will advise on leading-edge technology issues, provide prioritization, and set directions in the security space.
• Salsa works in collaboration with the EDUCAUSE/Internet2 Security Task Force.

Security Task Force

• Internet2 and EDUCAUSE established the Computer and Network Security Task Force in July 2000. The task force works to improve cybersecurity across the higher education sector and actively promotes effective practices and solutions for the protection of information assets and critical infrastructures.

Security Task Force

• STF Resources
  • http://www.educause.edu/security
• Security Professionals Conference
  • http://www.educause.edu/sec07
  • Held April 10-12 2007
  • May 4-6 2008 in Arlington, VA
• Effective Practices Guide
  • https://wiki.internet2.edu/confluence/display/secguide/


Salsa-CSI2 working group

• Chartered to organize activities and create tools to identify security incidents
  • How they can be better identified
  • How information about the incidents can be shared
  • To improve the overall security of the network and the parties connected to the network
• Focusing on the shifting landscape problem

Salsa-CSI2: RENOIR

• Research and Education Networking Operational Information Repository
• Designed around the concept of a ticket system handling security data
  • from a vast array of sources
• Organizing the data into high-level cases
  • used for reporting on daily operational incidents
• Relies on a trusted third party to facilitate communication

RENOIR Design

• Accept human input and structured data to form tickets
  • using IODEF in an appropriate format
• Allow input from users in a variety of roles
  • Reporting party, affected site, administrators
  • Researchers?

RENOIR Design

• Use widely-accepted, encrypted transport mechanisms
  • In the transport layer
  • Encrypting message content
• Use a registry of contact information
  • Facilitate automated notifications of affected sites
  • REN-ISAC contacts?

RENOIR Design

• Extendable to include new security problems and reported incident types as they occur
  • Accommodate a dynamic threat environment
• Interaction with campus-scoped ticketing
• Incremental development of capabilities
  • Due to system and transaction complexity

RENOIR Reporting Requirements

• Flexibility in reporting/handling
  • We don't want to replace local workflows!
  • Programming API (SOAP)
• Facilitate easy communication and reporting
  • "Ok, but how do we do it well?"

RENOIR Reporting Well

• Reporting detailed information that others can use without asking for more information
• Reporting in a timely manner
  • See above bullet
  • Streamlining the report creation and handling process
• Getting useful data from reports in aggregate
• Responding to reports

RENOIR Status

• Functional code segments have been created by the working group
  • Still early in the development cycle
  • Primarily by Phil Deneault from WPI
• Activities coordinated with REN-ISAC
  • As eventual trusted third party
• Work continues
  • Please let us know if you are interested

Salsa-CSI2: Darknets

• A darknet collector listens to one or more blocks of routed, allocated, but unused IP address space.
• Because the IP space is unused (hence "dark"), there should be very little if any legitimate traffic entering the darknet.
• Team Cymru Darknet Project
  • http://www.cymru.com/Darknet/index.html

Shared Darknet

• Develop a wide-aperture, powerful network security sensor
  • directly serve higher-education and research institutions
  • indirectly serve Internet users at large
• Institutions who run local darknets send their collector data to REN-ISAC
  • Only hits from remote sources

Shared Darknet

• The data is analyzed to identify compromised machines by IP address and destination ports
• The REN-ISAC compiles the darknet data contributions
  • Distributes notifications and reports
• Limited policy overhead
  • Low privacy requirements for this data
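The shared-darknet pipeline described on the previous slides (local collectors forward only hits from remote sources, the central party aggregates them by source and destination port and notifies about sources seen at several darknets) is easy to sketch in code. The following is an added example, not CSI2 or REN-ISAC code: the sensor names, address blocks (RFC 5737 documentation ranges) and flow records are constructed for illustration, and a real collector would export far more fields.

```python
"""Aggregate darknet hits contributed by several institutions.

Added example (not CSI2/REN-ISAC code). Sensor registry and flow records
are constructed; addresses come from the RFC 5737 documentation ranges.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed sensor registry: each institution's dark block and the address
# space it treats as local. Hits from local sources stay on campus.
SENSORS = {
    "sensor-a": {"dark": "198.51.100.0/24", "local": ["198.51.100.0/24"]},
    "sensor-b": {"dark": "203.0.113.0/24", "local": ["203.0.113.0/24"]},
}

# Constructed collector records: (sensor, src_ip, dst_ip, proto, dst_port, unix_time)
SAMPLE_HITS = [
    ("sensor-a", "192.0.2.77", "198.51.100.12", "tcp", 445, 1175000000),
    ("sensor-a", "192.0.2.77", "198.51.100.40", "tcp", 445, 1175000003),
    ("sensor-a", "192.0.2.77", "198.51.100.99", "tcp", 139, 1175000005),
    ("sensor-b", "192.0.2.77", "203.0.113.8", "tcp", 445, 1175000120),   # same source, 2nd darknet
    ("sensor-a", "192.0.2.10", "198.51.100.7", "tcp", 22, 1175000150),
    ("sensor-a", "198.51.100.250", "198.51.100.1", "udp", 53, 1175000200),  # local source: not shared
    ("sensor-b", "203.0.113.200", "203.0.113.9", "tcp", 22, 1175000300),    # local source: not shared
]


def is_remote_hit(sensor, src_ip):
    """True when src_ip lies outside the contributing institution's own space."""
    src = ipaddress.ip_address(src_ip)
    return not any(src in ipaddress.ip_network(p) for p in SENSORS[sensor]["local"])


def shared_hits(records):
    """Keep only what an institution forwards: remote sources hitting its dark block."""
    kept = []
    for sensor, src, dst, proto, port, ts in records:
        dark = ipaddress.ip_network(SENSORS[sensor]["dark"])
        if ipaddress.ip_address(dst) in dark and is_remote_hit(sensor, src):
            kept.append((sensor, src, dst, proto, port, ts))
    return kept


def summarize(records):
    """Per-source view (which darknets saw it, which ports) plus aggregate port statistics."""
    per_src = defaultdict(lambda: {"sensors": set(), "ports": Counter(), "hits": 0,
                                   "first": None, "last": None})
    port_stats = Counter()
    for sensor, src, dst, proto, port, ts in records:
        s = per_src[src]
        s["sensors"].add(sensor)
        s["ports"][(proto, port)] += 1
        s["hits"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        port_stats[(proto, port)] += 1
    return dict(per_src), port_stats


def notification_candidates(per_src, min_sensors=2):
    """Sources observed by at least min_sensors independent darknets, busiest first.

    Seeing the same source at several darknets is the stronger signal a single
    standalone collector cannot produce.
    """
    flagged = [(src, s) for src, s in per_src.items() if len(s["sensors"]) >= min_sensors]
    flagged.sort(key=lambda kv: kv[1]["hits"], reverse=True)
    return [src for src, _ in flagged]


def report(records):
    """Whole pipeline: filter, aggregate, and produce the notification list."""
    shared = shared_hits(records)
    per_src, port_stats = summarize(shared)
    return {
        "shared_records": len(shared),
        "top_ports": port_stats.most_common(3),
        "notify": notification_candidates(per_src),
    }


if __name__ == "__main__":
    print(report(SAMPLE_HITS))
```

Notifications are keyed on the source address only; the destination addresses inside each dark block never leave the contributing institution, which is what keeps the privacy requirements for this data low.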

Shared Darknet

• REN-ISAC project with tools coordination provided by Salsa-CSI2

• Tools development done extensively by David Ripley from Indiana University Advanced Network Management Lab (ANML)

• First participants (beyond IU) submitting data for analysis

Salsa-CSI2 Workshop

• Held in Cambridge, MA, 5-6 March 2007
  • First face-to-face meeting of the working group
  • Made possible by DoJ grant funding CSI2 activities
• Refined use cases for RENOIR
• Built consensus around tangible problems
• Defined a series of outcomes

Salsa-FWNA working group

• Analysis and proposal toward a pilot and eventual implementation to support network access for visiting scholars among federated institutions
• Engaged with the eduroam community
  • Operational server has tested interoperability
  • http://www.eduroam.org/

Salsa-FWNA: Current work

• RADIUS and SAML
  • Integrating Network Authentication and Attribute Exchange
  • Work on a specification that defines a profile that includes messages and flows from both RADIUS [RFC2865] and SAML specifications (both v1.1 and 2.0)
  • Still in draft form
  • Continuing topic of discussion...

Salsa-FWNA: RADIUS and SAML

• In traditional RADIUS usage:
  • The user's Home Site RADIUS server makes the access control decision,
  • and tells the RADIUS server at the Network Provider site whether to grant the user access to its network.
• When the two RADIUS servers are in different organizations:
  • Additional SAML flows allow the RADIUS server at the Network Provider site to obtain trusted information describing the requesting user;
  • it can then make its own access control decision.

Salsa-FWNA: RADIUS and SAML

• The specification is taking advantage of SAML services
  • that are already defined and deployed for exactly this purpose.
• Availability of these SAML attributes provides:
  • the Network Provider RADIUS server with the option of implementing a more flexible access control policy than is possible with standard RADIUS.
• This specification describes a server communicating with SAML entities
  • No web browsers are involved.
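The two slides above contrast the traditional flow, where the Network Provider can only relay the Home Site's Access-Accept or Access-Reject, with the draft profile's flow, where the provider follows an Accept with a SAML attribute query and applies its own policy. The model below is an added example and is not the Salsa-FWNA draft profile or its message formats: the realm, users, eduPerson-style attribute names and the provider's VLAN policy are all constructed, and no wire-level RADIUS or SAML is exchanged.

```python
"""Model of the RADIUS-only flow beside the RADIUS + SAML flow.

Added example, not the Salsa-FWNA draft profile. Realms, users, attribute
names (eduPerson-style) and the provider's policy are constructed.
"""
import hmac

# --- Home Site: a RADIUS server and a SAML attribute authority ---------------
HOME_SITES = {
    "home.example": {
        "users": {"alice": "correct horse", "bob": "battery staple"},
        "attributes": {
            "alice": {"eduPersonAffiliation": ["faculty", "member"]},
            "bob": {"eduPersonAffiliation": ["alum"]},   # still has an account, no longer staff
        },
    }
}


def home_radius_authenticate(realm, user, password):
    """Home Site RADIUS server: the only decision standard RADIUS carries back."""
    site = HOME_SITES.get(realm)
    if site is None or user not in site["users"]:
        return "Access-Reject"
    # constant-time comparison, as a real server would use for secrets
    ok = hmac.compare_digest(site["users"][user].encode(), password.encode())
    return "Access-Accept" if ok else "Access-Reject"


def home_saml_attribute_query(realm, user):
    """Home Site SAML attribute authority answering the provider's attribute query."""
    return dict(HOME_SITES.get(realm, {}).get("attributes", {}).get(user, {}))


# --- Network Provider: routes on the realm part of user@realm ----------------
def split_realm(nai):
    user, _, realm = nai.rpartition("@")
    return user, realm


def provider_standard_radius(nai, password):
    """Traditional usage: relay the Home Site's decision unchanged."""
    user, realm = split_realm(nai)
    return home_radius_authenticate(realm, user, password)


# Local policy the provider could not express with standard RADIUS alone:
# which home affiliations are admitted, and onto which network segment.
PROVIDER_POLICY = {
    "faculty": "vlan-research",
    "staff": "vlan-research",
    "student": "vlan-student",
}


def provider_radius_with_saml(nai, password, policy=PROVIDER_POLICY):
    """Draft-profile style flow: after an Accept, fetch attributes and decide locally.

    Returns (decision, vlan); vlan is None on reject.
    """
    user, realm = split_realm(nai)
    if home_radius_authenticate(realm, user, password) != "Access-Accept":
        return ("Access-Reject", None)        # no attribute query for an unauthenticated user
    attrs = home_saml_attribute_query(realm, user)
    for affiliation in attrs.get("eduPersonAffiliation", []):
        if affiliation in policy:
            return ("Access-Accept", policy[affiliation])
    # Authenticated at home, but no affiliation satisfies this provider's policy.
    return ("Access-Reject", None)


if __name__ == "__main__":
    for nai, pw in [("alice@home.example", "correct horse"), ("bob@home.example", "battery staple")]:
        print(nai, provider_standard_radius(nai, pw), provider_radius_with_saml(nai, pw))
```

The attribute query is only issued after a successful authentication, so the provider never asks a Home Site about users it has not vouched for; in the model, the alumnus is admitted under plain RADIUS but refused once the provider can see his affiliation.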


Salsa-FWNA: Visitor Access

• WLAN technologies are an expected technology for campus visitors
• There are various solutions that campus network administrators use to try to reconcile visitor networks
  • within a policy framework
  • Survey conducted
• See 4:30 Visitor Access session today
  • Phillipe Hanset (UTK) and Mark Linton (PSU)

Salsa-FWNA: Visitor Access

• Working group meeting held this morning reflected a need for consensus across the community
  • We are all facing this problem
  • Many of us have solved this in similar ways
• Do we need a document to help capture these thoughts?
  • And cast the context of visitor access against the visiting scholar problem
  • Guest access complementing federated network access deployments

Disaster Recovery

• Salsa-DR has been formed this spring
  • to explore and document recommended practices for disaster planning and recovery,
  • especially for Higher Ed if and as those needs are distinct from those of other large enterprises,
  • liaising with other groups or organizations as appropriate

Salsa-DR: Charter

• contingency planning;
• developing and testing recovery plans, policies, and procedures;
• warm and hot site strengths, weaknesses, and potential pitfalls;
• contractual and SLA models and guidance;
• reciprocal agreements with other organizations or campuses;
• mass notifications

Salsa-DR

• Already have over 80 people on the discussion list.

• Interested parties can sign up to participate by going to the web site:
  • http://security.internet2.edu/dr/

• We are particularly interested in institutions that would like to collaborate in the investigation and implementation of possible DR solutions.

Salsa-DR: Mailing list

• Working Group Chair
  • Don MacLeod, Cornell University
• To subscribe to the Salsa-DR list, send email to sympa at internet2 dot edu, with the subject line:
  subscribe <list name> FirstName LastName
  • For example: subscribe salsa-dr Jane Doe

EDUCAUSE Business Continuity Management Constituent Group

• Forum for strategic and tactical discussions
  • To maintain or restore business and academic services when some circumstance disrupts normal operations.
• Discussion topics may include:
  • risk and impact assessment
  • prioritization of business processes
  • restoring operations to a "new normal" after an event.
• http://www.educause.edu/groups/bc

Other Topics: What we all think about

• Protecting sensitive data
  • Not just the enterprise data, but the researcher data
• Identity management
  • In higher-ed, there are a lot of business process and policy issues as well as technology
• Malware (viruses, worms, spyware, etc.)
• Distributed denial of service attacks

Other Topics: What we may not all be thinking about

• The strategic importance of DNS
• The value of sector-based security operations and the REN-ISAC
• {Spam, DDoS, etc.} and its impact on the infrastructure
• Evolving firewall management strategies to accommodate advanced applications
  • Firewall discussion Wednesday afternoon
• Federated identity and leveraging it for access control

Evolving Firewall Management

• Wednesday 1:15 session
  • Firewalls: Can't live with or without them
• What are firewalls protecting us against?
  • Are they still effective?
• What firewall architectures are people using these days?
• Firewalls very close to the end host?
  • How does this relate to campus network architectures?

Domain Name System (DNS)

• DNS is the foundational service of the network; no service works without it.
• DNS itself needs better security
  • Vulnerable to several attacks and can be exploited for other attacks
  • Remedial steps (e.g. DNSSec) face critical bootstrap and mass adoption value
• DNS as the basis for many security enhancements
  • Spam control mechanisms will leverage it
  • Federated security services depend on it
  • EDUCAUSE oversees .edu; chance for higher-ed to lead

Homework: DNS

• Make sure the campus DNS operations are adequately supported; check out www.dnsreport.com
• Campus DNS operations should plan to work with applications
  • LDAP/Kerberos RRs
  • SPF/DK/DKIM
• Make sure that you're not part of the problem: filter outgoing spoofed traffic, don't operate open recursive servers, etc.
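One concrete way to verify the "don't operate open recursive servers" item against your own name servers is to send a query for a name you are not authoritative for, with RD set, and look at the RA bit and RCODE in the reply. The following is an added example, not something from the slides or from dnsreport.com: it builds and parses the RFC 1035 header with the standard library only, the three sample replies at the bottom are constructed by hand, and 192.0.2.1 is a documentation address.

```python
"""Check whether a name server recurses for names it is not authoritative for.

Added example (not from the slides). Query/response layout follows RFC 1035;
the sample responses are constructed by hand. Run probe() only against
servers you operate.
"""
import socket
import struct

QUERY_ID = 0x1234  # fixed for the offline samples; use a random ID on the wire


def build_query(name, qtype=1, txid=QUERY_ID):
    """Standard query, one question, RD (recursion desired) set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QTYPE, QCLASS=IN


def parse_header(packet):
    """Header fields a recursion check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ra": bool(flags & 0x0080), "rcode": flags & 0x000F, "answers": an}


def classify(response, expected_id=QUERY_ID):
    """Classify a reply to a query for a name outside the server's own zones."""
    h = parse_header(response)
    if not h["qr"] or h["id"] != expected_id:
        return "invalid"
    if h["rcode"] == 5:                                   # REFUSED: recursion denied to us
        return "refused"
    if h["ra"] and h["rcode"] == 0 and h["answers"] > 0:
        return "open-recursive"                           # it resolved a foreign name for us
    if not h["ra"]:
        return "recursion-unavailable"
    return "other"


def probe(server, name="example.com.", timeout=3.0):
    """Send the query over UDP to one of your own servers and classify the reply."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(512)
    return classify(data)


def _constructed_reply(flags, with_answer):
    """Hand-built response: header + echoed question (+ one A record)."""
    question = build_query("example.com.")[12:]
    answer = b""
    if with_answer:
        # compression pointer to offset 12, type A, class IN, TTL 60, RDLENGTH 4, 192.0.2.1
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1])
    header = struct.pack("!HHHHHH", QUERY_ID, flags, 1, 1 if with_answer else 0, 0, 0)
    return header + question + answer


OPEN_RESOLVER_REPLY = _constructed_reply(0x8180, True)   # QR, RD, RA set; NOERROR; one answer
REFUSED_REPLY = _constructed_reply(0x8105, False)        # QR, RD set; RCODE 5 (REFUSED)
NO_RA_REPLY = _constructed_reply(0x8100, False)          # QR, RD set; RA clear

if __name__ == "__main__":
    for label, reply in [("open", OPEN_RESOLVER_REPLY), ("refused", REFUSED_REPLY), ("no-ra", NO_RA_REPLY)]:
        print(label, classify(reply))
```

Run the probe from an address outside the campus, since a server that correctly limits recursion to its own clients will still answer from inside; "refused" or "recursion-unavailable" from outside is the result you want.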

DNS: More to think about

• Consider DNS monitoring
  • Using query logs to analyze malicious activity
• How much priority is DNS given locally?
  • Recent software, proper, secure configuration, change management
• Name servers aren't just a *tool* for conducting distributed denial of service attacks, they're also a *target* for distributed denial of service attacks
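The "using query logs to analyze malicious activity" point is worth making concrete. The script below is an added example, not from the slides: it parses constructed query-log lines in a simplified BIND-style layout (timestamp, client address and port, name, class, type), then flags clients that resolve names on a constructed watch list and clients that look up an unusually high number of distinct domains within one minute, which is the kind of signal a compromised machine contacting many rendezvous names produces. The registered-domain split on the last two labels is a deliberate simplification; a real deployment would use a public-suffix list and its own thresholds.

```python
"""Flag suspicious resolver clients from DNS query logs.

Added example (not from the slides). Log lines, the watch list and the
dgaNN.example names are constructed; the log layout is a simplified
BIND-style format, not an exact reproduction of any version's output.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>\w+)"
)

WATCH_LIST = {"bad-example.test"}   # constructed; in practice a feed from REN-ISAC or similar


def constructed_log():
    """Constructed sample: one ordinary client and one client with suspicious behaviour."""
    lines = [
        "01-Apr-2007 09:12:01.001 client 10.1.2.3#51234: query: www.example.edu IN A +",
        "01-Apr-2007 09:12:01.050 client 10.1.2.3#51235: query: mail.example.edu IN MX +",
        "01-Apr-2007 09:12:01.900 client 10.1.2.3#51236: query: www.example.edu IN AAAA +",
        "01-Apr-2007 09:12:02.010 client 10.1.9.9#40001: query: update.bad-example.test IN A +",
    ]
    # 24 look-alike names, each under a different constructed domain, within one minute
    for i in range(24):
        lines.append(
            f"01-Apr-2007 09:12:{3 + i // 2:02d}.{(i % 2) * 500:03d} client 10.1.9.9#{41000 + i}: "
            f"query: host{i}.dga{i:02d}.example IN A +"
        )
    lines.append("this line does not match the query format and is skipped")
    return lines


def parse_line(line):
    """Return the fields of one query-log line, or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S.%f")
    return {"ts": ts, "client": m.group("client"),
            "name": m.group("name").rstrip(".").lower(), "qtype": m.group("qtype")}


def registered_domain(name):
    """Last two labels; a simplification that ignores multi-label public suffixes."""
    return ".".join(name.split(".")[-2:])


def analyze(lines, watch_list=WATCH_LIST, max_domains_per_minute=20):
    """Return watch-list hits and high-diversity clients, plus the busiest domains."""
    watch_hits = defaultdict(list)
    domains_per_client_minute = defaultdict(set)
    domain_counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        dom = registered_domain(rec["name"])
        domain_counter[dom] += 1
        if dom in watch_list:
            watch_hits[rec["client"]].append(rec["name"])
        minute = rec["ts"].replace(second=0, microsecond=0)
        domains_per_client_minute[(rec["client"], minute)].add(dom)
    high_diversity = {}
    for (client, minute), doms in domains_per_client_minute.items():
        if len(doms) > max_domains_per_minute:
            high_diversity[client] = max(high_diversity.get(client, 0), len(doms))
    return {"watch_hits": dict(watch_hits), "high_diversity": high_diversity,
            "top_domains": domain_counter.most_common(3)}


if __name__ == "__main__":
    print(analyze(constructed_log()))
```

Both signals are per client, so the output is directly actionable for the campus (which host to look at) without shipping full query contents anywhere; aggregate domain counts are what you would compare across days to spot new patterns.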

DNSsec advisory group

• Goal: Experiment with DNSSEC and gain operational experience, including:
  • Does it solve anything?
• Participants sign at least one of their zones;
• Exchange keys (trust anchors) that will allow them to mutually validate DNS data
• Set up security-aware resolvers
  • Configured with the trust anchors
• Coordination: Internet2, Shinkuro
  • http://www.dnssec-deployment.org/

DNSSec

• DNS Trust anchors for MAGPI
  • https://rosetta.upenn.edu/magpi/dnssec.html
• SecSpider
  • http://secspider.cs.ucla.edu/
• DNSSec Internet2 Pilot
  • http://www.dnssec-deployment.org/internet2/
• Internet2 Security Weir
  • https://spaces.internet2.edu/display/securityweir/DNSSEC

Related Activities: REN-ISAC

• A private trust community for R&E security protection and response
  • http://www.ren-isac.net
• Collect, derive, analyze, and disseminate threat information. Supports member understanding of threats, protection, and mitigation.
• 24x7 Watch Desk (ren-isac@ren-isac.net, +1 317 274 6630)

REN-ISAC

• is an integral part of U.S. higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response;

• is specifically designed to support the unique environment and needs of higher education and research organizations;

• and supports efforts to protect national cyber infrastructure by participating in the formal U.S. ISAC structure.

• Foremost, REN-ISAC is a member-driven trusted community for sharing sensitive information regarding cybersecurity threat, incidents, response, and protection.

REN-ISAC Milestones: Since the Internet2 FMM

• REN-ISAC partnership with Microsoft for SCPe
  • New alliance marks the first time Microsoft has worked with higher education entities within the Security Cooperation Program (SCP), a worldwide program originally formed for government entities. The SCP provides a structured way for Microsoft to share information efficiently, improving responses to computer security incidents and decreasing the risk of system attacks at member organizations.
  • This unique trust relationship with Microsoft will provide an information source from which we can impart important security and product information to our membership, and through which Microsoft will get input from real-life product experiences from typically complex campus technology environments.
  • http://www.ren-isac.net/relationships/microsoft.html

REN-ISAC Milestones: Since the Internet2 FMM

• Formed the Microsoft Analysis Team
  • Serves as the information sharing interface, analysts, and relationship advisors for the REN-ISAC and Microsoft SCPe.
  • Team members are from University of Colorado at Boulder, University of Illinois at Urbana-Champaign, Indiana University, and New York University
• Formed the Executive Advisory Group
  • Initial considerations of the group to be sustainability and membership models. EAG members are from EDUCAUSE, Internet2, Louisiana State University, University of Maryland Baltimore County, University of Montana, Oakland University, and Reed College
• Formed additional information sharing relationships with private mitigation groups

REN-ISAC Milestones: Since the Internet2 FMM

• Held the first annual REN-ISAC Member Meeting
  • held in conjunction with the EDUCAUSE and Internet2 Security Professionals Conference.

Recognition of the following Contributors

• Berkeley (TAG)
• Buffalo (systems)
• Brandeis (systems)
• Colorado (MAT)
• Cornell (TAG)
• IU (host, EAG, TAG, MAT)
• LSU (resources, EAG)
• Oakland (EAG)
• Oregon (TAG)
• MOREnet (TAG, TechBursts)
• NYU (MAT)
• Reed (EAG)
• UMass (TAG)
• UMBC (EAG)
• UMN (TAG)
• UMT (EAG)
• WPI (TAG, systems)

TAG = Technical Advisory Group
EAG = Executive Advisory Group
MAT = Microsoft Analysis Team
Host = host site resources
Resources = dedicated commitment of human resources
Systems = systems, applications, and tools administration

REN-ISAC: Growth of Membership

Compromised System Notifications to .edu

Projects

• Community Plumbing
  • Web-based community-building tools to support member-contributed project development, and member subgroups for specific interest topics
• Malware Analysis Infrastructure for R&E
  • Malware sandbox and repository; working in cooperation and with contributions from CWSandbox. Talks in progress with Norman.
• DNS Infrastructure Monitoring for R&E
  • Using standard queries, probe .edu DNS space for configuration and security issues. Working in cooperation with John Kristoff (Neustar)
• Passive DNS Replication Server
  • R&E-specific view. Working in cooperation with John Kristoff (Neustar)

Projects

• CSI2 Shared Darknet Project
  • Information from dispersed, member-based darknet sensors is combined into a single community resource. Provides notifications of observed scanning sources and reports of aggregate port scanning statistics, with a more complete view of IPv4-based scanning activity than provided by a single, standalone darknet. Working in cooperation with the Internet2 SALSA CSI2 effort.
• CSI2 RENOIR
  • Research and Education Networking Operational Incident Repository provides trust community-based sharing of incident information. Working in cooperation with the Internet2 SALSA CSI2 effort.

REN-ISAC Priorities for the Coming Year

• Not in any particular order
• Membership growth
• Facilitate various forms of member involvement and contribution
• Develop additional and strengthen existing information sharing relationships, including the new REN-ISAC and Microsoft SCPe
• Assessment of current services and member needs
• Executive Advisory guidance to sustainability
• Cybersecurity Registry
• Services for the combined Internet2 and NLR entity (monitoring, sensors, and services; especially with consideration to the commercial transit and peering)
• Tool/service Projects (listed on Projects page)

REN-ISAC services diagram (labels only): Registry Tools; Served Networks; Members; Intel Relationships; Collect, analyze, and disseminate intelligence; 24x7 Watch Desk; Information Sharing; Information Products; Education; Exercises

REN-ISAC – Membership

• Membership is open and free to:
  • institutions of higher education,
  • teaching hospitals,
  • research and education network providers, and
  • government-funded research organizations.
• Membership guidelines are roughly:
  • must be permanent staff,
  • with organization-wide responsibilities for cybersecurity protection and response, and
  • be vouched for by 2 existing members
• http://www.ren-isac.net/membership.html

REN-ISAC – Contacts

http://www.ren-isac.net

24x7 Watch Desk: ren-isac@ren-isac.net, +1 (317) 274-6630

Mark Bruhn, Executive Director, mbruhn@iu.edu
Doug Pearson, Technical Director, dodpears@ren-isac.net
Dave Monnier, Principal Security Engineer, dmonnier@ren-isac.net

REN-ISAC Member Meeting

• CSI2 and REN-ISAC Members met two weeks ago:
  • develop a set of strategies that will facilitate the development of new methodologies and technologies to better anticipate and resolve
  • evaluate current open source security tools and their uses
  • determine whether there is a need to create additional tools that do not currently exist. Includes web application assessment toolkits, event and incident management toolkits,
  • investigate agent-based endpoint security tools.