connect • communicate • collaborate
NREN & ISP Security Working Group: 2014 Review
Wayne Routly, DANTE
44th TF-CSIRT Meeting, 19 September 2014, Rome
GÉANT: Who, What, How
• State-of-the-art pan-European network
  – Transit network, operating as an ISP
  – 31 collection devices (Juniper MX)
  – 50 million end users (65 countries)
• Tb/s network
  – 100s of PB of data
  – 15+ million IPs
  – 1000 devices
  – Unusual traffic: R&E flows that can look like DoS (quasi R&E DoS)
• Truly global
  – Interconnects (I2, TEIN, UbuntuNet)
  – 43 NRENs
  – Commercial and commodity traffic
Agenda
• Objectives: background to the working group
• Achievements: today (2014)
  – NSHaRP security toolset upgrade
  – Response to the 2013 audit
• Challenges: tomorrow (GÉANT4)
  – Outcomes from the 2014 audit
  – New systems, new challenges
• Demonstrate leadership
Security Working Group Objectives
• List recommended physical security approaches
• Share knowledge of current threats
• High-level management review
Working Group Members
• Wilfried Wöber
• Serge Droz
• Doug Pearson
• Wayne Routly
• Lionel Ferette
• Dave Monnier
• Jacques Schuurman
• Andrew Cormack
Achievements: Today (2014)
• NSHaRP infrastructure
• Nessus
• Web cameras in PoPs
• Firewall on Demand
• Dedicated security officer
NSHaRP Changes
• Sampling rate 1/100
• NetFlow v5 to v9
• Redundant fan-out servers
• Increased NetFlow demand
• New trouble ticketing system; new anomaly detection tools; new anomaly type palette
Vulnerability Assessment: Finding the Weakest Link
Understanding Your Network: Nessus
• Understand where vulnerabilities lie
• Target key areas: Juniper
• Is the situation improving?
• How many vulnerabilities are there?
• Which systems must we prioritise?
Controlling Your Network: Nessus
• When did we last see this host?
• Has it had a vulnerability scan?
• Which zones are vulnerable?
• External zones must be prioritised
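The questions on these two slides can be answered mechanically from scan exports. The following is an added example, not Nessus output and not a tool of the working group: two constructed scan snippets in the shape of a Nessus CSV export (a subset of its columns), diffed to show whether the situation is improving, counted per zone, and ranked with external zones ahead of internal ones and higher CVSS ahead of lower, with findings under a chosen CVSS floor treated as accepted risk. Nessus does not know network zones or when a host was last seen, so the INVENTORY mapping is an assumption standing in for an asset inventory; all addresses and dates are constructed.

```python
import csv
import io
from collections import Counter
from datetime import date, timedelta
from typing import Dict, List, Tuple

# Two constructed scans in the shape of a Nessus CSV export (subset of its columns).
PREVIOUS_SCAN = """Host,Plugin ID,CVSS,Name
10.0.0.5,12345,9.3,Junos remote code execution
10.0.0.5,22222,5.0,SSH weak MAC algorithms
10.0.1.9,33333,7.5,Outdated web server
10.0.1.9,44444,4.3,TLS 1.0 enabled
"""
CURRENT_SCAN = """Host,Plugin ID,CVSS,Name
10.0.0.5,22222,5.0,SSH weak MAC algorithms
10.0.1.9,33333,7.5,Outdated web server
10.0.1.9,55555,10.0,Default credentials
10.0.2.3,33333,7.5,Outdated web server
"""

# Assumed asset inventory: zone and last-seen / last-scan dates come from
# elsewhere (Nessus exports neither), so this layout is an assumption.
INVENTORY: Dict[str, Dict] = {
    "10.0.0.5": {"zone": "external", "last_seen": date(2014, 9, 18), "last_scan": date(2014, 9, 18)},
    "10.0.1.9": {"zone": "internal", "last_seen": date(2014, 9, 18), "last_scan": date(2014, 9, 18)},
    "10.0.2.3": {"zone": "external", "last_seen": date(2014, 9, 18), "last_scan": date(2014, 9, 18)},
    "10.0.3.1": {"zone": "external", "last_seen": date(2014, 9, 17), "last_scan": date(2014, 6, 1)},
}

Finding = Tuple[str, str, float, str]   # host, plugin id, CVSS base score, plugin name

def parse_findings(text: str) -> List[Finding]:
    return [(r["Host"], r["Plugin ID"], float(r["CVSS"]), r["Name"])
            for r in csv.DictReader(io.StringIO(text))]

def trend(previous: List[Finding], current: List[Finding]) -> Dict[str, int]:
    """Is the situation improving? Diff (host, plugin) pairs between two scans."""
    prev = {(h, p) for h, p, _, _ in previous}
    curr = {(h, p) for h, p, _, _ in current}
    return {"fixed": len(prev - curr), "new": len(curr - prev),
            "persisting": len(prev & curr), "total": len(curr)}

def vulnerable_zones(findings: List[Finding], inventory: Dict) -> Dict[str, int]:
    """Which zones are vulnerable? Number of findings per zone."""
    return dict(Counter(inventory[h]["zone"] for h, _, _, _ in findings))

def prioritise(findings: List[Finding], inventory: Dict, min_cvss: float = 7.0):
    """Which systems first? External zone before internal, then highest CVSS.
    Findings below min_cvss are left out as accepted risk (the 'appetite')."""
    keep = [f for f in findings if f[2] >= min_cvss]
    keep.sort(key=lambda f: (inventory[f[0]]["zone"] != "external", -f[2]))
    return [(h, p, c) for h, p, c, _ in keep]

def unscanned_hosts(inventory: Dict, today: date, max_age=timedelta(days=30)) -> List[str]:
    """When did we last see this host, and has it had a scan? Hosts that were on the
    network within max_age but whose last scan is older than that."""
    return sorted(h for h, a in inventory.items()
                  if today - a["last_seen"] <= max_age and today - a["last_scan"] > max_age)

def report(today: date = date(2014, 9, 19)) -> Dict:
    prev, curr = parse_findings(PREVIOUS_SCAN), parse_findings(CURRENT_SCAN)
    return {"trend": trend(prev, curr),
            "zones": vulnerable_zones(curr, INVENTORY),
            "priority": prioritise(curr, INVENTORY),
            "unscanned": unscanned_hosts(INVENTORY, today)}
```

Note what the ranking does with the sample data: a 7.5 on an external host is placed ahead of a 10.0 on an internal one, which is the "external zones must be prioritised" rule made explicit; the host that was seen two days ago but last scanned in June shows up in the unscanned list even though it has no findings at all, because a host with no recent scan has no findings for a bad reason.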
Web Cameras in PoPs
There are other factors that should be evaluated as well.
Web Cameras in PoPs: Prioritise Locations
Firewall on Demand: Who, What, Why?
[Diagram: FoD sitting between NREN A, NREN B, Level 3, Akamai and a university dorm customer]
Better tools to mitigate transitory attacks and anomalies. "Better" in terms of:
• Granularity: per-flow level (src/dst IP and ports, protocol type, DSCP, TCP flags, ...)
• Action: drop, rate-limit, redirect
• Speed: more responsive (seconds/minutes vs. hours/days)
• Efficiency: closer to the source, multi-domain
• Automation: integration with other systems (NSHaRP)
Firewall on Demand: Intuitive Interface
• Integrated into NSHaRP
• Dynamic auto-creation and expiration
• Federated logon
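The per-flow rule model on the two FoD slides, as an added example in Python; this is not FoD's or NSHaRP's own code. A rule matches on source/destination prefix, ports, protocol, DSCP and TCP flags, carries a drop, rate-limit or redirect action, and expires on its own; a helper turns a constructed NSHaRP-style anomaly into a narrowly scoped, time-limited rule, which is the dynamic auto-creation and expiration the slide refers to. The Flow and Rule field names, the anomaly dictionary layout, the first-match-wins evaluation order and all sample addresses are assumptions. In production FoD hands such rules to the routers as BGP FlowSpec; this example only evaluates them against flow records in memory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

TCP_SYN, TCP_ACK = 0x02, 0x10   # flag bits as carried in a NetFlow record's tcp_flags

@dataclass(frozen=True)
class Flow:
    """One flow record as the collector hands it on (field names are assumed)."""
    src: str
    dst: str
    proto: int              # IANA protocol number: 6 = TCP, 17 = UDP
    sport: int
    dport: int
    dscp: int = 0
    tcp_flags: int = 0

@dataclass(frozen=True)
class Rule:
    """A FoD-style per-flow rule; None in a match field means 'any'."""
    name: str
    action: str                              # "drop" | "rate-limit" | "redirect"
    expires: datetime                        # auto-expiration time
    src: Optional[str] = None                # CIDR prefix
    dst: Optional[str] = None
    proto: Optional[int] = None
    sports: Optional[FrozenSet[int]] = None
    dports: Optional[FrozenSet[int]] = None
    dscp: Optional[int] = None
    tcp_flags: Optional[int] = None          # every bit set here must be set in the flow
    rate_kbps: Optional[int] = None          # rate-limit parameter
    redirect_to: Optional[str] = None        # redirect next-hop, e.g. a scrubbing centre

    def matches(self, f: Flow) -> bool:
        return all([
            self.src is None or ip_address(f.src) in ip_network(self.src),
            self.dst is None or ip_address(f.dst) in ip_network(self.dst),
            self.proto is None or f.proto == self.proto,
            self.sports is None or f.sport in self.sports,
            self.dports is None or f.dport in self.dports,
            self.dscp is None or f.dscp == self.dscp,
            self.tcp_flags is None or (f.tcp_flags & self.tcp_flags) == self.tcp_flags,
        ])

class RuleTable:
    """Ordered rule set: first match wins; expired rules are purged on every lookup."""
    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def expire(self, now: datetime) -> List[str]:
        gone = [r.name for r in self.rules if r.expires <= now]
        self.rules = [r for r in self.rules if r.expires > now]
        return gone

    def decide(self, flow: Flow, now: datetime) -> Tuple[str, Optional[Rule]]:
        self.expire(now)
        for r in self.rules:
            if r.matches(flow):
                return r.action, r
        return "forward", None

def rule_from_anomaly(anomaly: Dict, now: datetime) -> Rule:
    """Dynamic auto-creation: an NSHaRP-style anomaly becomes a narrowly scoped,
    time-limited rule. The anomaly dictionary layout is an assumption."""
    ttl = timedelta(minutes=anomaly.get("ttl_minutes", 30))
    if anomaly["type"] == "udp-amplification":
        # Rate-limit rather than drop: the abused port (e.g. DNS) also carries real replies.
        return Rule(name=f"amp-{anomaly['target']}", action="rate-limit", expires=now + ttl,
                    dst=anomaly["target"] + "/32", proto=17,
                    sports=frozenset({anomaly["sport"]}), rate_kbps=anomaly.get("rate_kbps", 1000))
    raise ValueError(f"no rule template for anomaly type {anomaly['type']!r}")

def demo() -> Dict[str, str]:
    """Constructed flows against two rules; returns the action taken for each."""
    t0 = datetime(2014, 9, 19, 10, 0, tzinfo=timezone.utc)
    table = RuleTable()
    table.rules.append(rule_from_anomaly(
        {"type": "udp-amplification", "target": "198.51.100.7", "sport": 53, "ttl_minutes": 30}, t0))
    # Coarse SYN filter for a dorm /24 under SYN flood, valid for one hour.
    table.rules.append(Rule(name="syn-flood-dorm", action="drop", expires=t0 + timedelta(hours=1),
                            dst="203.0.113.0/24", proto=6, dports=frozenset({80}), tcp_flags=TCP_SYN))
    amp = Flow("192.0.2.10", "198.51.100.7", 17, 53, 4444)                     # DNS reply flood
    syn = Flow("192.0.2.20", "203.0.113.5", 6, 40000, 80, tcp_flags=TCP_SYN)   # attack SYN
    web = Flow("192.0.2.20", "203.0.113.5", 6, 40000, 80, tcp_flags=TCP_ACK)   # established
    later = t0 + timedelta(minutes=31)   # amplification rule has expired, SYN rule has not
    return {
        "amp": table.decide(amp, t0)[0],
        "syn": table.decide(syn, t0)[0],
        "web": table.decide(web, t0)[0],
        "amp_after_expiry": table.decide(amp, later)[0],
        "syn_after_expiry": table.decide(syn, later)[0],
    }
```

Two points the slide's bullets imply but do not spell out: the expiry is enforced on every lookup, so a rule that nobody remembers to remove cannot outlive the incident it was created for, which is what makes automatic creation safe to run unattended; and the TCP flag match is "all of these bits set", so the SYN rule leaves established traffic (ACK only) alone. Dropping every SYN to the dorm /24 still blocks legitimate new connections for that hour, so in practice the rule would be scoped to the attack sources or turned into a rate-limit.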
Security Officer
Challenges: Tomorrow (GEANT4)
• Stress testing: targeted ingress and egress scans
• Security WG report: process and technology findings
• Walled gardens: vulnerable systems management
• NetFlow data anonymisation
• Ownership of virtual machines (life cycle)
Security WG Report: Process & Technology Findings
• Implement IDS
• Verify all certificates in the organisation
• DANTE & TERENA "sanity checks"
• Appetite for the number of vulnerabilities: CVSS score and length of exploitability
Change Your View, Change Your Approach
"We must inspire a commitment to security rather than merely describing it."
– Mich Kabay
Thank you
Any questions…even the funny ones?