Research and Education Networking Information Sharing and Analysis Center REN-ISAC Doug Pearson Director, REN-ISAC

Slides:



Advertisements
Similar presentations
Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
Advertisements

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
REN-ISAC Research and Education Networking Information Sharing and Analysis Center AMSAC Update July 10,
Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Doug Pearson Director, REN-ISAC
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Abilene Transit Security Policy Joint Techs Summer ’05 Vancouver, BC, CA Steve Cotter Director, Network Services Steve Cotter Director,
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
DHS, National Cyber Security Division Overview
Copyright Jill M. Forrester This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial,
Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Mark S. Bruhn, Interim Director University Copyright.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
REN-ISAC Update Doug Pearson, REN-ISAC Technical Director DICE 12 February 2008 Athens, Greece 1.
Firewalls and Intrusion Detection Systems
1 REN-ISAC Research and Education Networking Information Sharing and Analysis Center Internet2 Member’s Meeting Chicago 5 December 2006.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
(Geneva, Switzerland, September 2014)
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Arbor Multi-Layer Cloud DDoS Protection
REN-ISAC Research and Education Networking Information Sharing and Analysis Center.
INDIANAUNIVERSITYINDIANAUNIVERSITY Automated Network Isolation at Indiana University David A. Greenberg Information Technology Security and Policy Office.
Security Issues on Campus: Government Initiatives Rodney J. Petersen University of Maryland Educause/Internet2 Security Task Force Copyright Rodney J.
Game-based Analysis of Denial-of- Service Prevention Protocols Ajay Mahimkar Class Project: CS 395T.
Information Security Governance in Higher Education Policy2004 The EDUCAUSE Policy Conference Gordon Wishon EDUCAUSE/Internet 2 Security Task Force This.
Understanding Active Directory
EDUCAUSE April 25, 2006Enforcing Compliance with Security Policies … Enforcing Compliance of Campus Security Policies Through a Secure Identity Management.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.
Norman SecureSurf Protect your users when surfing the Internet.
FIREWALL Mạng máy tính nâng cao-V1.
Security Professionals Conference May REN-ISAC Goal The goal of the REN-ISAC is to aid and promote cyber security protection and response within.
TUTORIAL # 2 INFORMATION SECURITY 493. LAB # 4 (ROUTING TABLE & FIREWALLS) Routing tables is an electronic table (file) or database type object It is.
BITS Proprietary and Confidential © BITS Security and Technology Risks: Risk Mitigation Activities of US Financial Institutions John Carlson Senior.
Office of Information Technology Balancing Technology and Privacy – the Directory Conundrum January 2007 Copyright Barbara Hope and Lori Kasamatsu 2007.
TCOM 515 Lecture 6.
Rhode Island Network for Educational Technology, Inc Update Sharon Hussey Executive Director Copyright Sharon L. Hussey, This work is the intellectual.
Security: New Trends, New Issues Internet2 Fall Member Meeting 2004 Doug Pearson Indiana University Research and Education Networking ISAC
INDIANAUNIVERSITYINDIANAUNIVERSITY TransPAC2 Security John Hicks TransPAC2 Indiana University 22nd APAN Conference – Singapore 20-July-2006.
Alberto Rivai Teknologi pemantauan jaringan internet untuk pendeteksian dini terhadap ancaman dan gangguan Alberto Rivai
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
Information Sharing Challenges, Trends and Opportunities
© Copyright 2007 Arbinet-thexchange, Inc. All Rights Reserved. VoIP Peering Pilot Using the Internet2 Backbone.
Shared Darknet Project Internet2 Spring 2006 Member Meeting Doug Pearson Technical Director, REN-ISAC.
Salsa Bits: A few things that the analysts aren't talking about... December 2006.
Connect. Communicate. Collaborate Experiences with tools for network anomaly detection in the GÉANT2 core Maurizio Molina, DANTE COST TMA tech. Seminar.
1 Information Sharing Environment (ISE) Privacy Guidelines Jane Horvath Chief Privacy and Civil Liberties Officer.
Network and Perimeter Security Paula Kiernan Senior Consultant Ward Solutions.
INDIANAUNIVERSITYINDIANAUNIVERSITY 23rd APAN Meeting Manila, Philippines January REN-ISAC and Peakflow SP John Hicks Indiana University TransPAC2.
Research and Education Networking Information Sharing and Analysis Center REN-ISAC John Hicks TransPAC2/Indiana University
© 2006 Cisco Systems, Inc. All rights reserved. Cisco IOS Threat Defense Features.
EDUCAUSE LIVE EDUCAUSE/Internet2 Computer and Network Security Task Force Update Jack Suess January 21, 2004.
© 2006 Property of Lancope. Proprietary and Confidential. Lancope and Emory University: Illuminating (and Securing) the Network Andy Wilson Senior Systems.
NSF Cybersecuity Summit May REN-ISAC Goal The goal of the REN-ISAC is to aid and promote cyber security protection and response within the higher.
Research and Education Networking Information Sharing and Analysis Center REN-ISAC Doug Pearson Director, REN-ISAC Copyright.
Security Management Process 1. six-stage security operations model 2 In large networks, the potential for attacks exists at multiple points. It is suggested.
Information Security 493. Lab # 4 (Routing table & firewalls) Routing tables is an electronic table (file) or database type object that is stored in a.
1 Effective Incident Response Presented by Greg Hedrick, Manager of Security Services Copyright Purdue University This work is the intellectual property.
IT Security Challenges In Higher Education Steve Schuster Cornell University Copyright Steve Schuster This work is the intellectual property of.
1 REN-ISAC Update Research and Education Networking Information Sharing and Analysis Center Joint Techs Madison WI July 2006.
What’s Happening at Internet2 Renee Woodten Frost Associate Director Middleware and Security 8 March 2005.
Internet2 Abilene & REN-ISAC Arbor Networks Peakflow SP Identification and Response to DoS Joint Techs Winter 2006 Albuquerque Doug Pearson.
Quickly Establishing A Workable IT Security Program EDUCAUSE Mid-Atlantic Regional Conference January 10-12, 2006 Copyright Robert E. Neale This.
Spring 2004 Internet2 Member Meeting NLR Service Center Update Dave Jent Indiana University.
NMI-EDIT and Rice University Federated Identity Management: Managing Access to Resources in Texas Barry Ribbeck Director System Architecture and Infrastructure.
REN-ISAC Research and Education Networking Information Sharing and Analysis Center Doug Pearson REN-ISAC Director Internet2 Security WG BoF October 14,
Juniper Networks Mobile Security Solution Nosipho Masilela COSC 356.
Educause/Internet 2 Computer and Network Security Task Force
Firewalls.
Chapter 8: Monitoring the Network
Corporate Forum Presented by
Presentation transcript:

Research and Education Networking Information Sharing and Analysis Center REN-ISAC Doug Pearson Director, REN-ISAC 24x7 Watch Desk: Copyright Trustees of Indiana University Permission is granted for this material to be shared for non-commercial educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Indiana University. To disseminate otherwise or to republish requires written permission from Indiana University (via to

2 Background Supported by Indiana University and through relationship with EDUCAUSE and Internet2, the REN-ISAC: is an integral part of higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response; specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks, and supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.

3 Community Served Phase I (current): –Internet2 membership Phase II (soon to be entering): –Internet2 and EDUCAUSE membership Phase III (to come) –Reach out to all of higher education through staged approaches, e.g. state networks, associations of small colleges, etc.

4 an integral part of higher education’s strategy… Relationships REN-ISAC has core complimentary relationships with: –EDUCAUSE –Internet2 –EDUCAUSE and Internet2 Security Task Force –IU Global NOC and Abilene network engineering –IU Advanced Network Management Lab –IU Information Technology Security Office –US Department of Homeland Security & US-CERT –IT-ISAC –ISAC Council

5 an integral part of higher education’s strategy… Relationships Complimentary organizations and efforts –SALSA –Internet2 / CANARIE / GEANT2

6 information collection, analysis, dissemination, … Information is derived from: Network instrumentation Abilene NetFlow data Abilene router ACL counters Arbor PeakFlow analysis of NetFlow data Abilene NOC operational monitoring systems Members – related to incidents on local networks Network engineers – national & int’l R&E backbones Daily Status calls with ISACs, US-CERT & DHS Network security collaborations, e.g. closed lists Vendors

7 information collection, analysis, dissemination, … Abilene NetFlow Analysis Through partnership with Internet2 and the IU Abilene NOC, the REN-ISAC has access to Abilene NetFlow data. In conjunction with the IU Advanced Network Management Lab the NetFlow data is analyzed to characterize general network security threat activity, and to identify specific threats. flowtools and custom analysis tools, and Arbor Networks Peakflow

8 information collection, analysis, dissemination, … Abilene NetFlow Analysis Custom analysis –Aggregate reports –Detailed reports Data anonymized to /21

9 information collection, analysis, dissemination, … Abilene NetFlow Port Reporter

10 information collection, analysis, dissemination, … Abilene NetFlow Analysis REN-ISAC & Internet2 NetFlow data policy agreement, highlights: –Publicly reported information is restricted to aggregate views of the network. Information that identifies specific institutions or individuals cannot be reported publicly. –Detailed and sensitive information must be communicated with designated representatives of the affected institutions and refer only to local activity, unless otherwise authorized.

11 information collection, analysis, dissemination, … Abilene NetFlow Analysis Developments in process: –Enhanced analysis methods to reduce processing times. –Ad hoc queries. –/32 (per host) reporting on approval of an institution for “owned” data; permissions backed by the REN- ISAC Cyber Security Registry of authorized contacts. –Is it possible to provide served institutions with real- time, segmented views into this information?

12 information collection, analysis, dissemination, … Abilene Router ACL Statistics Access Control Lists (ACL) on Abilene router connector interfaces count traffic on specific IP destination ports – those ports known to be threat vectors and common service ports. Current data view is backbone aggregate Soon will deploy views by Abilene router.

13

14

15

16 information collection, analysis, dissemination, … Abilene Router ACL Statistics Data views at the per “connector” level on the Abilene routers are possible, but for interfaces that serve single organizations, is that too much public information?

17 information collection, analysis, dissemination, … Arbor PeakFlow Analysis on Abilene Processes Abilene NetFlow data Intelligent identification of anomalies Abilene is by nature an anomalous network, e.g. bursts of high bandwidth flows. Need to: –Tune the PeakFlow system to reduce bogies. –Incorporate into standard watch desk procedure. How to effectively share the information gained via Arbor?

18

19

20 early warning, and response … Warning and Response REN-ISAC Watch Desk –24 x 7 –Co-located and staffed with the Abilene NOC –+1 (317) Public reports to US higher education community regarding analysis of aggregate views. Private reports to specific institutions regarding active threat. Reports contain only “owned” information.

21 early warning, and response… Example: Response to Blaster/Nachi Disseminated reports 1 regarding the nature of the worm threats along with successful defense measures. Disseminated reports 1 regarding ongoing aggregate infection rates. Sent reports directly to many institutions regarding their specific infection rates, and counts per subnet (/21). Reports resulted in measurable reductions in infection rates. 1 Reports were sent to EDUCAUSE Security, Internet2 Security Working Group, and Abilene Operators listservs

22 Response to Blaster initial warning to community Worm traffic on Abilene is high, peaking at 7% of all packets on the network. Recommendations for network border filtering … Filters should be defined as input and output … … a worm exploit of the Microsoft DCOM RPC vulnerability, W32/Blaster, was unleashed … References …

23 Response to Blaster notifications to Top 20 … your network AS was among the top twenty sources of port 135 scans … Worm propagation can be mitigated by … A breakdown of port 135 scans sourced from your AS, to Abilene, is provided …

24 Response to Blaster status regarding windowsupdate.com … conferred with lead technical representatives of Microsoft regarding the anticipated, Saturday August 16, DDoS attack against windowsupdate.com, coming from W32/Blaster. Based on current understanding of the worm, Microsoft has a sound and effective approach to mitigate the attack.

25 Response to Blaster status reports to community … continuing to perform analysis… Identify top network AS sources of port 135 scans on Abilene… notifications… … infection attempts on Abilene, while still high, are down by at least half. A graph, produced … Worm propagation can be mitigated by …

26 early warning, and response… Response to Blaster and Nachi

27 early warning, and response… Example: Port 53 (DNS) Precipitous Rise What is it? 1-1, 1-few, 1-many, many-… DOS? Scanning for vulnerable DNS servers?

28 early warning, and response… Example: Port 53 (DNS) Precipitous Rise Analysis and Response: –Verified not associated with standard DNS behavior –From per-router interface statistics determined that source was an international connection to Abilene –Notified OARC (ISC Operations, Analysis, and Research Center) –Determined from flow data that a single foreign source was transiting Abilene to a couple of destinations in another country. –Notified NOC of the national network on source side

29 early warning, and response… Communications Challenge Early warning and response to threat requires the communication of timely and sensitive information to designated contacts. The proper contact is one who can act immediately, with knowledge and authority upon conveyed information, and who is cleared to handle potentially sensitive information. Publicly published contact points rarely serve those requirements. Privacy considerations prevent deep and rich contact information from being publicly published.

30 REN-ISAC Cyber Security Registry To provide contact information for cyber security matters in US higher education, the REN-ISAC is developing a cyber security registry. The goal is to have deep and rich contact information for US colleges and universities. The primary registrant is the CIO, IT Security Officer, organizational equivalent, or superior. All registrations will be vetted for authenticity. Primary registrant assigns delegates. Delegates can be functional accounts.

31 REN-ISAC Cyber Security Registry Aiming for 24 x 7 contact, with deep reach – a decision maker, primary actor, with clearance for sensitive information. Optional permissions for REN-ISAC to send reports regarding threat activity seen sourced from or directed at the institution – reports may identify specific machines. Related Registry information to serve network security management and response: –address blocks –routing registry –network connections (e.g. Abilene, NLR)

32 REN-ISAC Cyber Security Registry Registry information will be: –utilized by the REN-ISAC for response, such as response to threat activity identified in Abilene NetFlow, –utilized by the REN-ISAC for early warning, –open to the members of the trusted circle established by the Registry, and –with permission, proxied by the REN-ISAC to outside trusted entities, e.g. ISP’s and law enforcement.

33

34

35

36

37

38

39 REN-ISAC Cyber Security Registry Phase two of the Registry development will lead to incorporation into the InCommon structure.

40 Summary: REN-ISAC Short-term Needs for Federation Detailed and sensitive information must be communicated with properly designated representatives of institutions. Standing and one-time permissions are required, e.g. observing and reporting to an institution regarding information at /32 within their organization. Provide served institutions real-time access to segmented views of sensitive datasets, e.g. netflow and traffic-on-port data. Share information gained via advanced tools such as the Arbor Peakflow DOS. Providing early warning and response to threat requires the communication of timely and sensitive information to individuals who can act immediately, with knowledge and authority upon conveyed information, and who are cleared for sensitive information. Incorporate of some of these components into the InCommon structure.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.