Security Topics Update
Christopher Misra, Mark Poepping
April 2007

Session outline
• Salsa
• Internet2/EDUCAUSE Security Task Force
• Current Salsa activities
  • CSI2 working group
  • FWNA working group
  • Salsa-DR
• Other topics
  • DNS/DNSSec
  • REN-ISAC

Salsa
• Salsa is an oversight group consisting of technical representatives from the higher education community
  • who will advise on leading edge technology issues, provide prioritization, and set directions in the security space.
• Salsa works in collaboration with the EDUCAUSE/Internet2 Security Task Force

Security Task Force
• Internet2 and EDUCAUSE established the Computer and Network Security Task Force in July 2000. The task force works to improve cybersecurity across the higher education sector and actively promotes effective practices and solutions for the protection of information assets and critical infrastructures.

Security Task Force
• STF Resources
  • http://www.educause.edu/security
• Security Professionals Conference
  • http://www.educause.edu/sec07
  • Held April 10-12 2007
  • May 4-6 2008 in Arlington, VA
• Effective Practices Guide
  • https://wiki.internet2.edu/confluence/display/secguide/

Salsa-CSI2 working group
• Chartered to organize activities/create tools to identify security incidents
  • How they can be better identified
  • How information about the incidents can be shared
  • To improve the overall security of the network and the parties connected to the network.
• Focusing on the shifting landscape problem

Salsa-CSI2: RENOIR
• Research and Education Networking Operational Information Repository
• Design around the concept of ticket system handling security data
  • vast array of sources
• Organizing the data into high-level cases
  • use for reporting on daily operational incidents.
• Rely on a trusted third-party to facilitate communication

RENOIR Design
• Accept human input and structured data to form tickets
  • using IODEF in an appropriate format.
• Allow input from users from a variety of roles
  • Reporting party, affected site, administrators
  • Researchers?

RENOIR Design
• Use widely-accepted, encrypted transport mechanisms
  • In the transport layer
  • Encrypting message content.
• Use a registry of contact information
  • Facilitate automated notifications of affected sites
  • REN-ISAC contacts?

RENOIR Design
• Extendable to include new security problems and reported incident types as they occur.
  • Accommodate dynamic threat environment
• Interaction with campus-scoped ticketing
• Incremental development of capabilities
  • Due to system and transaction complexity

RENOIR Reporting Requirements
• Flexibility in reporting/handling
  • We don't want to replace local workflows!
• Programming API (SOAP)
  • Facilitate easy communication and reporting
• "Ok, but how do we do it well?"

RENOIR Reporting Well
• Reporting detailed information that others can use without asking for more information
• Reporting in a timely manner
  • See above bullet
• Streamlining report creation and handling process
• Getting useful data from reports in aggregate
• Responding to reports

RENOIR Status
• Functional code segments have been created by the working group
  • Still early in development cycle
  • Primarily by Phil Deneault from WPI
• Activities coordinated with REN-ISAC
  • As eventual trusted third-party
• Work continues
  • Please let us know if you are interested

Salsa-CSI2: Darknets
• A darknet collector listens to one or more blocks of routed, allocated, but unused IP address space.
• Because the IP space is unused (hence "dark") there should be very little if any legitimate traffic entering the darknet
• Team Cymru Darknet Project
  • http://www.cymru.com/Darknet/index.html

Shared Darknet
• Develop a wide-aperture, powerful network security sensor
  • directly serve higher-education and research institutions
  • indirectly serve Internet users at large.
• Institutions who run local darknets send their collector data to REN-ISAC
  • Only hits from remote sources

Shared Darknet
• The data is analyzed to identify compromised machines by IP address, destination ports
• The REN-ISAC compiles the darknet data contributions
  • Distributes notifications and reports.
• Limited policy overhead
  • Low privacy requirements for this data

Shared Darknet
• REN-ISAC project with tools coordination provided by Salsa-CSI2
• Tools development done extensively by David Ripley from Indiana University Advanced Network Management Lab (ANML)
• First participants (beyond IU) submitting data for analysis

Salsa-CSI2 Workshop
• Held in Cambridge, MA 5-6 March 2007
  • First face to face meeting of working group
  • Made possible by DoJ grant funding CSI2 activities.
• Refined use cases for RENOIR
• Built consensus around tangible problems
• Defined a series of outcomes

Salsa-FWNA working group
• Analysis and proposal toward a pilot and eventual implementation to support network access to visiting scholars among federated institutions
• Engaged with the eduroam community
  • Operational server has tested interoperability
  • http://www.eduroam.org/

Salsa-FWNA: Current work
• RADIUS and SAML
  • Integrating Network Authentication and Attribute Exchange
  • Work on a specification that defines a profile that includes messages and flows from both RADIUS [RFC2865] and SAML specifications (both v1.1 and 2.0).
  • Still in draft form
  • Continuing topic of discussion...

Salsa-FWNA: RADIUS and SAML
• In traditional RADIUS usage:
  • The user's Home Site RADIUS server makes the access control decision,
  • and tells the RADIUS server at the Network Provider site whether to grant the user access to its network.
• When the two RADIUS servers are in different organizations
  • Additional SAML flows allow the RADIUS server at the Network Provider site to obtain trusted information describing the requesting user;
  • It can then make its own access control decision.
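The Shared Darknet slides above describe contributors forwarding only remote-source hits and REN-ISAC aggregating them by source address and destination port. The following is an added illustration of both steps, not code from the Salsa-CSI2 or REN-ISAC tools; the darknet prefix, local address space, flow records and the scanner threshold are all constructed.

```python
# Added example (not code from the Salsa-CSI2 / REN-ISAC darknet project):
# what a local darknet contributor does before sending hits upstream, and what
# the aggregation side does with them. All prefixes and flows are constructed.
import ipaddress
from collections import defaultdict

# Hypothetical: a routed, allocated but unused /24 watched by the collector,
# and the institution's own live address space (RFC 5737 documentation ranges).
DARKNET = ipaddress.ip_network("203.0.113.0/24")
LOCAL_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed flow records seen by the collector: (src_ip, dst_ip, dst_port, proto)
SAMPLE_FLOWS = [
    ("192.0.2.10", "203.0.113.5", 445, "tcp"),
    ("192.0.2.10", "203.0.113.77", 445, "tcp"),
    ("192.0.2.10", "203.0.113.200", 445, "tcp"),
    ("192.0.2.44", "203.0.113.9", 1433, "tcp"),
    ("198.51.100.7", "203.0.113.3", 22, "tcp"),   # local source: handled on campus, not shared
    ("192.0.2.44", "198.51.100.80", 80, "tcp"),   # traffic to a live host: not a darknet hit
]

def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)

def darknet_hits(flows):
    """Flows that land in the dark prefix from remote sources. Nothing legitimate
    should arrive there, so every one is a lead. Local sources are dropped because
    the shared darknet only receives hits from remote sources."""
    return [f for f in flows
            if ipaddress.ip_address(f[1]) in DARKNET and not is_local(f[0])]

def summarize_sources(hits):
    """Per source address: distinct dark addresses touched and the ports probed."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set()})
    for src, dst, port, _proto in hits:
        per_src[src]["targets"].add(dst)
        per_src[src]["ports"].add(port)
    return {src: {"targets": len(v["targets"]), "ports": sorted(v["ports"])}
            for src, v in per_src.items()}

def port_statistics(hits):
    """Aggregate port-scanning statistics across all contributed hits."""
    counts = defaultdict(int)
    for _src, _dst, port, _proto in hits:
        counts[port] += 1
    return dict(counts)

def suspected_scanners(summary, min_targets=3):
    """A source reaching several unused addresses is most likely scanning;
    min_targets is a constructed threshold, not a project setting."""
    return sorted(src for src, v in summary.items() if v["targets"] >= min_targets)
```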
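The RADIUS-only and RADIUS-plus-SAML decision models in the Salsa-FWNA slide above, simulated in one process as an added example (this is not code from the draft specification). Realms, users, the "affiliation" attribute and the provider policy are constructed, and user@realm routing is assumed to follow eduroam-style RADIUS proxying.

```python
# Added example, not code from the Salsa-FWNA draft: the two access-control
# models the slides describe, simulated in one process. Realms, users, the
# "affiliation" attribute and the provider policy are constructed; user@realm
# routing mirrors eduroam-style RADIUS proxying.

class HomeRadius:
    """Home-site RADIUS server that also acts as a SAML attribute authority."""
    def __init__(self, realm, users, attrs, trusted_peers):
        self.realm, self.users, self.attrs = realm, users, attrs
        self.trusted_peers = set(trusted_peers)

    def access_request(self, user, password):
        # Traditional RADIUS: the home site decides and tells the network
        # provider only Access-Accept or Access-Reject.
        return "Access-Accept" if self.users.get(user) == password else "Access-Reject"

    def attribute_query(self, user, requester):
        # Additional SAML flow, server to server (no browser involved): the
        # user is described only to a federation peer the home site trusts.
        if requester not in self.trusted_peers:
            return None
        return dict(self.attrs.get(user, {}))

class ProviderRadius:
    """RADIUS server at the network provider (visited) site."""
    def __init__(self, name, federation, policy=None):
        # federation: realm -> HomeRadius. policy: attrs -> bool, or None to
        # accept the home site's verdict as-is (standard RADIUS behaviour).
        self.name, self.federation, self.policy = name, federation, policy

    def handle(self, identity, password):
        user, _, realm = identity.rpartition("@")
        home = self.federation.get(realm)
        if home is None:
            return "Access-Reject", "unknown realm"
        if home.access_request(user, password) != "Access-Accept":
            return "Access-Reject", "rejected by home site"
        if self.policy is None:
            return "Access-Accept", "home site decision"
        attrs = home.attribute_query(user, self.name)
        if attrs is None:  # home site will not describe the user to this provider
            return "Access-Reject", "no attribute exchange with home site"
        return ("Access-Accept" if self.policy(attrs) else "Access-Reject"), "local policy"

# Constructed federation: one home site, three network-provider configurations.
HOME = HomeRadius("home.example.edu", users={"alice": "pw-alice", "bob": "pw-bob"},
                  attrs={"alice": {"affiliation": "faculty"}, "bob": {"affiliation": "student"}},
                  trusted_peers=["visited.example.edu"])
FEDERATION = {"home.example.edu": HOME}
PLAIN_NP = ProviderRadius("visited.example.edu", FEDERATION)           # trusts home verdict
POLICY_NP = ProviderRadius("visited.example.edu", FEDERATION,          # own policy from attrs
                           policy=lambda a: a.get("affiliation") in {"faculty", "staff"})
UNTRUSTED_NP = ProviderRadius("other.example.edu", FEDERATION, policy=lambda a: True)
```

With only RADIUS, the provider can accept bob; with the SAML attributes it can apply a stricter local policy, and a provider the home site does not trust gets no attributes at all.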
Salsa-FWNA: RADIUS and SAML
• The specification is taking advantage of SAML services
  • That are already defined and deployed for exactly this purpose.
• Availability of these SAML attributes provides:
  • Network Provider RADIUS server with the option of implementing a more flexible access control policy than possible with standard RADIUS.
• This specification describes a server communicating with SAML entities
  • No web browsers are involved.

Salsa-FWNA: RADIUS and SAML
[slide body not recovered in the extracted text]

Salsa-FWNA: Visitor Access
• WLAN technologies are an expected technology for campus visitors
• There are various solutions that campus network administrators use to try to reconcile visitor networks
  • Within a policy framework
• Survey conducted
  • See 4:30 Visitor Access session today
  • Philippe Hanset (UTK) and Mark Linton (PSU)

Salsa-FWNA: Visitor Access
• Working group meeting held this morning reflected a need for consensus across the community
  • We are all facing this problem
  • Many of us have solved this in similar ways
• Do we need a document to help capture these thoughts?
  • And cast the context of visitor access against the visiting scholar problem
  • Guest access complementing federated network access deployments

Disaster Recovery
• Salsa-DR has been formed this spring
  • to explore and document recommended practices for disaster planning and recovery,
  • especially for Higher Ed if and as those needs are distinct from those of other large enterprises
  • liaising with other groups or organizations as appropriate

Salsa-DR: Charter
• contingency planning;
• developing and testing recovery plans, policies, and procedures;
• warm and hot site strengths, weaknesses, and potential pitfalls;
• contractual and SLA models and guidance;
• reciprocal agreements with other organizations or campuses;
• mass notifications

Salsa-DR
• Already have over 80 people on the discussion list.
• Interested parties can sign up to participate by going to the web site:
  • http://security.internet2.edu/dr/
• We are particularly interested in institutions that would like to collaborate in the investigation and implementation of possible DR solutions.

Salsa-DR: Mailing list
• Working Group Chair
  • Don MacLeod, Cornell University
• To subscribe to the Salsa-DR list, send email to sympa at internet2 dot edu, with the subject line: subscribe <list name> FirstName LastName
  • For example: subscribe salsa-dr Jane Doe

EDUCAUSE Business Continuity Management Constituent Group
• Forum for strategic and tactical discussions
  • To maintain or restore business and academic services when some circumstance disrupts normal operations.
• Discussion topics may include:
  • risk and impact assessment
  • prioritization of business processes
  • restoring operations to a "new normal" after an event.
• http://www.educause.edu/groups/bc

Other Topics: What we all think about
• Protecting sensitive data
  • Not just the enterprise data, but the researcher data
• Identity management
  • In higher-ed, there's a lot of business process and policy issues as well as technology
• Malware (viruses, worms, spyware, etc.)
• Distributed denial of service attacks

Other Topics: What we may not all be thinking about
• The strategic importance of DNS
• The value of sector-based security operations and the REN-ISAC
• {Spam, DDOS, etc} and its impact on the infrastructure
• Evolving firewall management strategies to accommodate advanced applications
  • Firewall discussion Wednesday afternoon
• Federated identity and leveraging it for access control

Evolving Firewall Management
• Wednesday 1:15 session
• Firewalls: Can't live with or without them
• What are firewalls protecting us against?
• Are they still effective?
• What firewall architectures are people using these days?
  • Firewalls very close to the end host?
  • How does this relate to campus network architectures?
Domain Name System (DNS)
• DNS is the foundational service of the network; no service works without it.
• DNS itself needs better security
  • Vulnerable to several attacks and can be exploited for other attacks
  • Remedial steps (e.g. DNSSec) face critical bootstrap and mass-adoption (value) problems
• DNS as the basis for many security enhancements
  • Spam control mechanisms will leverage it
  • Federated security services depend on it
• EDUCAUSE oversees .edu; chance for higher-ed to lead

Homework: DNS
• Make sure the campus DNS operations are adequately supported; check out www.dnsreport.com
• Campus DNS operations should plan to work with applications
  • LDAP/Kerberos RRs
  • SPF/DK/DKIM
• Make sure that you're not part of the problem: filter outgoing spoofed traffic, don't operate open recursive servers, etc.

DNS: More to think about
• Consider DNS monitoring
  • Using query logs to analyze malicious activity
• How much priority is DNS given locally
  • Recent software, proper, secure configuration, change management
• Name servers aren't just a *tool* for conducting distributed denial of service attacks, they're also a *target* for distributed denial of service attacks

DNSsec advisory group
• Goal: Experiment with DNSSEC and gain operational experience, including
  • Does it solve anything?
• Participants sign at least one of their zones;
• Exchange keys (trust anchors) that will allow them to mutually validate DNS data
• Set up security-aware resolvers
  • Configured with the trust anchors
• Coordination: Internet2, Shinkuro
  • http://www.dnssec-deployment.org/

DNSSec
• DNS Trust anchors for MAGPI
  • https://rosetta.upenn.edu/magpi/dnssec.html
• SecSpider
  • http://secspider.cs.ucla.edu/
• DNSSec Internet2 Pilot
  • http://www.dnssec-deployment.org/internet2/
• Internet2 Security Weir
  • https://spaces.internet2.edu/display/securityweir/DNSSEC

Related Activities: REN-ISAC
• A private trust community for R&E security protection and response
  • http://www.ren-isac.net
• Collect, derive, analyze, and disseminate threat information. Supports member understanding of threats, protection, and mitigation.
• 24x7 Watch Desk (ren-isac@ren-isac.net, +1 317 274 6630)

REN-ISAC
• is an integral part of U.S. higher education's strategy to improve network security through information collection, analysis, dissemination, early warning, and response;
• is specifically designed to support the unique environment and needs of higher education and research organizations;
• and supports efforts to protect national cyber infrastructure by participating in the formal U.S. ISAC structure.
• Foremost, REN-ISAC is a member-driven trusted community for sharing sensitive information regarding cybersecurity threats, incidents, response, and protection.

REN-ISAC Milestones: Since the Internet2 FMM
• REN-ISAC partnership with Microsoft for SCPe
  • New alliance marks the first time Microsoft has worked with higher education entities within the Security Cooperation Program (SCP), a worldwide program originally formed for government entities. The SCP provides a structured way for Microsoft to share information efficiently, improving responses to computer security incidents and decreasing the risk of system attacks at member organizations.
  • This unique trust relationship with Microsoft will provide an information source from which we can impart important security and product information to our membership, and through which Microsoft will get input from real-life product experiences from typically complex campus technology environments.
  • http://www.ren-isac.net/relationships/microsoft.html

REN-ISAC Milestones: Since the Internet2 FMM
• Formed the Microsoft Analysis Team
  • Serves as the information sharing interface, analysts, and relationship advisors for the REN-ISAC and Microsoft SCPe.
  • Team members are from the University of Colorado at Boulder, University of Illinois at Urbana-Champaign, Indiana University, and New York University
• Formed the Executive Advisory Group
  • Initial considerations of the group to be sustainability and membership models. EAG members are from EDUCAUSE, Internet2, Louisiana State University, University of Maryland Baltimore County, University of Montana, Oakland University, and Reed College
• Formed additional information sharing relationships with private mitigation groups

REN-ISAC Milestones: Since the Internet2 FMM
• Held the first annual REN-ISAC Member Meeting
  • held in conjunction with the EDUCAUSE and Internet2 Security Professionals Conference.
Recognition of the following Contributors
• Berkeley (TAG)
• Buffalo (systems)
• Brandeis (systems)
• Colorado (MAT)
• Cornell (TAG)
• IU (host, EAG, TAG, MAT)
• LSU (resources, EAG)
• Oakland (EAG)
• Oregon (TAG)
• MOREnet (TAG, TechBursts)
• NYU (MAT)
• Reed (EAG)
• UMass (TAG)
• UMBC (EAG)
• UMN (TAG)
• UMT (EAG)
• WPI (TAG, systems)
TAG = Technical Advisory Group
EAG = Executive Advisory Group
MAT = Microsoft Analysis Team
Host = host site resources
Resources = dedicated commitment of human resource
Systems = systems, applications, and tools administration

REN-ISAC: Growth of Membership / Compromised System Notifications to .edu
[Charts, monthly from January through the following March: Botnet Command and Control Hosts (scale 0 to 100), Infected Hosts (scale 0 to 15000), Unique Institutions (scale 0 to 1000); plotted values are not recoverable from the extracted text.]

Projects
• Community Plumbing
  • Web-based community-building tools to support member-contributed project development, and member subgroups for specific interest topics
• Malware Analysis Infrastructure for R&E
  • Malware sandbox and repository; working in cooperation and with contributions from CWSandbox. Talks in progress with Norman.
• DNS Infrastructure Monitoring for R&E
  • Using standard queries, probe .edu DNS space for configuration and security issues. Working in cooperation with John Kristoff (Neustar)
• Passive DNS Replication Server
  • R&E-specific view. Working in cooperation with John Kristoff (Neustar)

Projects
• CSI2 Shared Darknet Project
  • Information from dispersed, member-based darknet sensors is combined into a single community resource. Provides notifications of observed scanning sources and reports of aggregate port scanning statistics, with a more complete view of IPv4-based scanning activity than provided by a single, standalone darknet. Working in cooperation with the Internet2 SALSA CSI2 effort.
• CSI2 RENOIR
  • Research and Education Networking Operational Incident Repository provides trust community-based sharing of incident information. Working in cooperation with the Internet2 SALSA CSI2 effort.

REN-ISAC Priorities for the Coming Year
• Not in any particular order
• Membership growth
  • Facilitate various forms of member involvement and contribution
• Develop additional and strengthen existing information sharing relationships, including the new REN-ISAC and Microsoft SCPe
• Assessment of current services and member needs
• Executive Advisory guidance to sustainability
• Cybersecurity Registry
• Services for the combined Internet2 and NLR entity (monitoring, sensors, and services; especially with consideration to the commercial transit and peering)
• Tool/service Projects (listed on Projects page)

[Diagram of REN-ISAC services: 24x7 Watch Desk; Information Sharing (collect, analyze, and disseminate intelligence); Information Products; Members; Served Networks; Intel Relationships; Registry; Tools; Education; Exercises]

REN-ISAC – Membership
• Membership is open and free to:
  • institutions of higher education,
  • teaching hospitals,
  • research and education network providers, and
  • government-funded research organizations.
• Membership guidelines are roughly:
  • must be permanent staff,
  • with organization-wide responsibilities for cybersecurity protection and response, and
  • be vouched-for by 2 existing members
• http://www.ren-isac.net/membership.html

REN-ISAC – Contacts
• http://www.ren-isac.net
• 24x7 Watch Desk: ren-isac@ren-isac.net, +1 (317) 274-6630
• Mark Bruhn, Executive Director, mbruhn@iu.edu
• Doug Pearson, Technical Director, dodpears@ren-isac.net
• Dave Monnier, Principal Security Engineer, dmonnier@ren-isac.net

REN-ISAC Member Meeting
• CSI2 and REN-ISAC Members met two weeks ago:
  • develop a set of strategies that will facilitate the development of new methodologies and technologies to better anticipate and resolve
  • evaluate current open source security tools and their uses
  • determine whether there is a need to create additional tools that do not currently exist. Includes web application assessment toolkits, event and incident management toolkits,
  • Investigate agent-based endpoint security tools.