Security Towards a coherent portfolio Walter van Dijk TF-MSP - 27 November 2014.

Our playing field
- HE&R institutions are more and more connected; ICT facilitates this and plays an instrumental role
- The ICT infrastructure becomes ever more critical for both education and research
- This connectedness and 'indispensability' increases the impact of security incidents
- Attacks get more complex, and so do the associated security measures: should we expect institutions to have all the required knowledge and manpower available in-house? Hence: how can institutions offer an open and safe campus environment?

Security Privacy & Trust: role of SURFnet

Existing security services (1)
- SURFcert
  - Operational security for the SURFnet constituency; 24x7 service in close cooperation with local security teams
  - Members from connected institutions and SURFnet
  - Oldest emergency response team in the Netherlands
- SCIRT
  - Community of practice of incident response teams
  - Share operational experience within a trusted community
  - Discussions on security issues
  - Facilitated by SURFnet

Existing security services (2)
- Cybersave Yourself
  - Awareness campaign around security issues
  - Joint programme with connected institutions
- SURFibo
  - Community of practice for information security
  - Collaboration on policy in the fields of security and privacy
- SURFaudit
  - Compliance with information security (ISO 27001)
  - Standards framework and software tooling
  - Self-auditing, peer-auditing and 3rd-party auditing

New since 2014: Security, Privacy & Trust
- Further development of existing security services and scouting of new services
- Applied research in the field of Security, Privacy and Trust
- Enlarge the visibility of services, sharing of best practices and knowledge dissemination

Service development
SURFnet currently explores different options for new services:
- Security Diagnosis toolset:
  - Vulnerability scanning (Outpost24 has been contracted)
  - Penetration testing (first experience gathered with tooling)
- Protection-as-a-Service: facilitate institutions to set filters in the SURFnet network as protection against DDoS attacks
- Firewall-as-a-Service

Security Diagnosis toolset
Starting point: lots of tools (vulnerability scanning, penetration testing etc.) are available on the market. How can an NREN add value to all that?
Differentiating factor: working closely with the community
- Support the selection process of institutes by:
  - Creating checklists for tools
  - SCIRT certified: recommended products per type
  - Products should be easy to acquire via SURFmarket
- Facilitate sharing of information:
  - Reporting templates: SURFaudit, external auditors etc.
  - Common vulnerabilities, including solutions, for HE&R systems
  - Develop workflows for scans/pentests
Currently considering:
- Specialised penetration testing team for:
  - Deep testing of ICT systems on campus
  - Tests on cloud services contracted by customers

Protection-as-a-Service
Why?
- Number and intensity of denial-of-service attacks in general (and in our constituency) grows significantly
- 2014: 'heaviest' denial-of-service attack ever noticed (400 Gbit/s)
Goal:
- Control the vulnerability of our constituency
What?
- Exploration of "protection-as-a-service"
- Investigate denial-of-service detection with academia ('applied research')
- Close collaboration with THTC/National Police

Current solution: Incident Response as a Service
SURFcert: helping hand 'in the line of fire'

DDoS: two types
- 'Flooding' of an application or a server (or firewall!)
  - E.g. TCP SYN flood
  - Typically: lots of requests
- 'Flooding' of the connection (or firewall!)
  - Reflection/amplification attacks
  - DNS, SNMP, NTP amplification (UDP)
  - Typically: lots of volume

Finding the best place to mitigate
- Firewall (institutions)
  - Not always the right solution
  - Not a remedy for flooded connections
  - Can help in case of SYN flooding and attacks on applications and servers (rate limiting)
- Upstream (us)
  - Standard security measures on the customer connection
  - The "washing-machine" for first aid
  - Filters (rate limiters) on the core routers
  - Protection-as-a-Service
  - Firewall-as-a-Service
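The two DDoS types from the previous slide and the mitigation split on this one, as an added example that is not part of the presentation: a small classifier over constructed flow records that flags a SYN flood (which the institution's firewall or server can rate-limit) and a volumetric UDP amplification attack (which only an upstream filter can absorb). The thresholds, the 60-second window and the sample flows are assumptions, not SURFnet values.

```python
from collections import defaultdict
from dataclasses import dataclass

# UDP source ports of the reflection/amplification services named on the slide
AMPLIFICATION_SRC_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}

@dataclass
class Flow:
    """One exported flow record (constructed; not real SURFnet data)."""
    proto: str       # "tcp" or "udp"
    src_port: int
    dst_ip: str
    packets: int
    octets: int
    tcp_flags: str   # "S" = SYN only; "" for UDP

def classify(flows, window_s=60, syn_pps_limit=10_000, amp_bps_limit=1_000_000_000):
    """Map each attacked destination to (attack type, where to mitigate).

    Assumed thresholds: syn_pps_limit is the SYN rate at which a server or
    firewall should start rate limiting; amp_bps_limit is the volume at which
    the customer link itself is at risk and only an upstream filter helps.
    """
    syn_pkts = defaultdict(int)
    amp_octets = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.tcp_flags == "S":
            syn_pkts[f.dst_ip] += f.packets
        elif f.proto == "udp" and f.src_port in AMPLIFICATION_SRC_PORTS:
            amp_octets[f.dst_ip] += f.octets
    verdict = {}
    for ip in set(syn_pkts) | set(amp_octets):
        if amp_octets[ip] * 8 / window_s > amp_bps_limit:      # lots of volume
            verdict[ip] = ("volumetric amplification", "upstream: core-router rate limiter / washing-machine")
        elif syn_pkts[ip] / window_s > syn_pps_limit:          # lots of requests
            verdict[ip] = ("syn flood", "institution: firewall/server SYN rate limiting")
    return verdict

CONSTRUCTED_FLOWS = [                       # one 60 s export window
    Flow("tcp", 44321, "192.0.2.10", 300_000, 18_000_000, "S"),   # 15 000 SYN/s in total
    Flow("tcp", 51002, "192.0.2.10", 300_000, 18_000_000, "S"),
    Flow("tcp", 38877, "192.0.2.10", 300_000, 18_000_000, "S"),
    Flow("udp", 123, "192.0.2.20", 12_000_000, 5_760_000_000, ""),  # ~1.5 Gbit/s NTP replies
    Flow("udp", 123, "192.0.2.20", 12_000_000, 5_760_000_000, ""),
    Flow("tcp", 40000, "192.0.2.30", 120, 7_200, "S"),             # normal traffic
    Flow("udp", 53, "192.0.2.30", 400, 80_000, ""),
]

if __name__ == "__main__":
    for ip, (kind, where) in sorted(classify(CONSTRUCTED_FLOWS).items()):
        print(f"{ip}: {kind} -> mitigate at {where}")
```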

Security on customer connection (diagram: customer network, SURFnet)
Security base on the customer connection:
- Input packet filter
- BGP prefix filter
- Output policer (contracted bandwidth)
- Incident ACL (inbound/outbound) on request
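The four controls listed on this slide, as an added example that is not SURFnet's configuration or code: a Python model of one customer port with an anti-spoofing input filter, a BGP prefix filter, a token-bucket output policer at the contracted bandwidth and an on-request incident ACL. The prefixes, bandwidth and ACL entries are constructed values.

```python
import ipaddress

class CustomerConnection:
    """Model of the 'security base' on one customer port (added example;
    prefix, bandwidth and ACL values are constructed, not SURFnet's)."""

    def __init__(self, customer_prefixes, contracted_bps):
        self.prefixes = [ipaddress.ip_network(p) for p in customer_prefixes]
        self.contracted_bps = contracted_bps
        self.bucket_bits = contracted_bps      # token bucket holding 1 s of burst
        self.incident_acl = set()              # (direction, proto, dst_port) denies

    def input_packet_filter(self, src_ip):
        """Anti-spoofing on traffic arriving from the customer: the source
        address must belong to one of the customer's registered prefixes."""
        addr = ipaddress.ip_address(src_ip)
        return any(addr in p for p in self.prefixes)

    def bgp_prefix_filter(self, announced):
        """Accept a BGP announcement only if a registered prefix covers it,
        so the customer cannot (accidentally) announce someone else's space."""
        net = ipaddress.ip_network(announced)
        return any(net.version == p.version and net.subnet_of(p) for p in self.prefixes)

    def output_policer(self, packet_bits, seconds_since_last):
        """Token bucket at the contracted bandwidth towards the customer:
        excess traffic is dropped on the SURFnet side, not on the customer link."""
        refill = self.contracted_bps * seconds_since_last
        self.bucket_bits = min(self.contracted_bps, self.bucket_bits + refill)
        if packet_bits > self.bucket_bits:
            return False                       # out of contract: drop
        self.bucket_bits -= packet_bits
        return True

    def add_incident_acl(self, direction, proto, dst_port):
        """Temporary deny entry installed on request during an incident."""
        self.incident_acl.add((direction, proto, dst_port))

    def incident_acl_permits(self, direction, proto, dst_port):
        return (direction, proto, dst_port) not in self.incident_acl

if __name__ == "__main__":
    conn = CustomerConnection(["192.0.2.0/24"], contracted_bps=1_000_000_000)
    print(conn.input_packet_filter("198.51.100.9"))          # spoofed source: False
    conn.add_incident_acl("inbound", "udp", 123)             # block NTP replies on request
    print(conn.incident_acl_permits("inbound", "udp", 123))  # False
```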

Sidestep: 'it's not always technology'
- The (D)DoS 'source' is often an internal factor (a person)
- Match timestamps of attacks with exam schedules
- Collaborate with the education people
- Report findings to the police

SURFnet washing-machine (diagram: SURFnet AS1103 with connected institutes, research networks & Internet, and SURFcert)

SURFnet washing-machine – Denial-of-Service (same diagram)

SURFnet washing-machine – Detection (same diagram; telephone alarm to SURFcert)

SURFnet washing-machine – Activate washprogram (same diagram)

SURFnet washing-machine – DDoS in the washing-machine (same diagram)

Pre-wash & main wash

Currently considering: Protection-as-a-Service
- Idea: develop a service to serve institutions in a less ad-hoc way
- Self-service interface for DIY network configurations
- Currently testing GRnet's "Firewall on demand"
- No replacement of the corporate firewall

Protection-as-a-Service versus Firewall-as-a-Service
Protection-as-a-Service: a service which offers network protection based on rule-based filters, rate limiting, and blocking of IP address ranges, protocols and ports. Protection filters are set on the SURFnet core side and are typically used to prevent saturated links to the customer (i.e. DDoS protection). It does not replace the institution's firewall but offers additional protection.
FaaS: a centralised offering of a fully intelligent, deep-packet-inspection, intrusion detection and prevention service, which is state/session based and application aware. Could replace a firewall, which is typically on the institutional side of the network.

Main questions
- Where do we as NRENs see the most potential for collaboration?
- Are NRENs looking at 'application-based firewalling' (e.g. Cloudflare, Fortinet etc.) and would 'demand bundling' be useful?
- Should we collaborate by organizing joint (TRANSITS) trainings on vulnerability testing, pentesting etc.?
- Is cooperation on service development sufficiently facilitated by GN3+/GN4, or do we need more?