Slide 1: Security Topics Update
Christopher Misra, Mark Poepping
April 2007
Slide 2: Session outline
- Salsa
- Internet2/EDUCAUSE Security Task Force
- Current Salsa activities: CSI2 working group, FWNA working group, Salsa-DR
- Other topics: DNS/DNSSec, REN-ISAC
Slide 3: Salsa
Salsa is an oversight group of technical representatives from the higher education community who advise on leading-edge technology issues, provide prioritization, and set directions in the security space. Salsa works in collaboration with the EDUCAUSE/Internet2 Security Task Force.
Slide 4: Security Task Force
Internet2 and EDUCAUSE established the Computer and Network Security Task Force in July 2000. The task force works to improve cybersecurity across the higher education sector and actively promotes effective practices and solutions for the protection of information assets and critical infrastructures.
Slide 5: Security Task Force
- STF resources: http://www.educause.edu/security
- Security Professionals Conference: http://www.educause.edu/sec07
  - Held April 10-12, 2007
  - May 4-6, 2008 in Arlington, VA
- Effective Practices Guide: https://wiki.internet2.edu/confluence/display/secguide/
Slide 6: Salsa-CSI2 working group
- Chartered to organize activities and create tools to identify security incidents:
  - how they can be better identified
  - how information about the incidents can be shared
- Goal: improve the overall security of the network and of the parties connected to it
- Focusing on the shifting landscape problem
Slide 7: Salsa-CSI2: RENOIR
- Research and Education Networking Operational Information Repository
- Designed around the concept of a ticket system handling security data from a vast array of sources
- Organizes the data into high-level cases used for reporting on daily operational incidents
- Relies on a trusted third party to facilitate communication
Slide 8: RENOIR Design
- Accept human input and structured data to form tickets, using IODEF in an appropriate format
- Allow input from users in a variety of roles: reporting party, affected site, administrators
- Researchers?
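The structured input the slide refers to is IODEF XML. The following is an added example, not RENOIR code: it builds a minimal single-incident IODEF document with the standard library and reads back the fields a ticket system would index. Element and attribute names follow the IODEF schema (namespace urn:ietf:params:xml:ns:iodef-1.0); the incident identifiers, addresses and times are constructed sample data, and the "creator" contact role is used here to stand for the reporting party.

```python
"""Build and read a minimal IODEF incident report (added example, not RENOIR code)."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("iodef", IODEF_NS)


def tag(name):
    """Qualify an element name with the IODEF namespace."""
    return "{%s}%s" % (IODEF_NS, name)


def build_report(incident_id, reporter, report_time, description,
                 source_ip, target_ip, target_port):
    """Return IODEF XML (bytes) for one reconnaissance-type incident.

    Roles map to the slide's input sources: the 'creator' Contact is the
    reporting party; the 'target' System is the affected site's host.
    All values passed in are constructed sample data.
    """
    doc = ET.Element(tag("IODEF-Document"), version="1.00")
    inc = ET.SubElement(doc, tag("Incident"), purpose="reporting")
    # IncidentID carries the reporter's name so ids stay unique across sites.
    ET.SubElement(inc, tag("IncidentID"), name=reporter).text = incident_id
    ET.SubElement(inc, tag("ReportTime")).text = report_time
    ET.SubElement(inc, tag("Description")).text = description
    impact = ET.SubElement(ET.SubElement(inc, tag("Assessment")), tag("Impact"))
    impact.set("type", "recon")
    contact = ET.SubElement(inc, tag("Contact"), role="creator", type="organization")
    ET.SubElement(contact, tag("ContactName")).text = reporter
    flow = ET.SubElement(ET.SubElement(inc, tag("EventData")), tag("Flow"))
    src = ET.SubElement(flow, tag("System"), category="source")
    ET.SubElement(ET.SubElement(src, tag("Node")), tag("Address"),
                  category="ipv4-addr").text = source_ip
    dst = ET.SubElement(flow, tag("System"), category="target")
    ET.SubElement(ET.SubElement(dst, tag("Node")), tag("Address"),
                  category="ipv4-addr").text = target_ip
    svc = ET.SubElement(dst, tag("Service"), ip_protocol="6")  # 6 = TCP
    ET.SubElement(svc, tag("Port")).text = str(target_port)
    return ET.tostring(doc, encoding="utf-8")


def parse_report(xml_bytes):
    """Extract the fields a ticket system would index from an IODEF report."""
    root = ET.fromstring(xml_bytes)
    inc = root.find(tag("Incident"))
    systems = {s.get("category"): s for s in inc.iter(tag("System"))}

    def addr(system):
        return system.find("%s/%s" % (tag("Node"), tag("Address"))).text

    port = systems["target"].find("%s/%s" % (tag("Service"), tag("Port")))
    return {
        "incident_id": inc.find(tag("IncidentID")).text,
        "reporter": inc.find(tag("IncidentID")).get("name"),
        "report_time": inc.find(tag("ReportTime")).text,
        "source": addr(systems["source"]),
        "target": addr(systems["target"]),
        "target_port": int(port.text),
    }


if __name__ == "__main__":
    # Constructed sample incident (documentation address ranges).
    xml = build_report("CSI2-0001", "example.edu", "2007-04-23T10:00:00-04:00",
                       "SSH scanning observed from remote host",
                       "192.0.2.10", "203.0.113.5", 22)
    print(xml.decode())
    print(parse_report(xml))
```

Because every field lands in a fixed schema location, a receiving site can route and aggregate reports without asking the reporter for more detail, which is the "reporting well" goal the later slides describe.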
Slide 9: RENOIR Design
- Use widely accepted, encrypted transport mechanisms:
  - in the transport layer
  - encrypting message content
- Use a registry of contact information to facilitate automated notification of affected sites
- REN-ISAC contacts?
Slide 10: RENOIR Design
- Extendable to include new security problems and reported incident types as they occur, to accommodate a dynamic threat environment
- Interaction with campus-scoped ticketing
- Incremental development of capabilities, due to system and transaction complexity
Slide 11: RENOIR Reporting Requirements
- Flexibility in reporting and handling: we don't want to replace local workflows!
- Programming API (SOAP) to facilitate easy communication and reporting
- "OK, but how do we do it well?"
Slide 12: RENOIR: Reporting Well
- Reporting detailed information that others can use without asking for more information
- Reporting in a timely manner (see above bullet)
- Streamlining the report creation and handling process
- Getting useful data from reports in aggregate
- Responding to reports
Slide 13: RENOIR Status
- Functional code segments have been created by the working group, primarily by Phil Deneault (WPI); still early in the development cycle
- Activities coordinated with REN-ISAC as the eventual trusted third party
- Work continues; please let us know if you are interested
Slide 14: Salsa-CSI2: Darknets
- A darknet collector listens to one or more blocks of routed, allocated, but unused IP address space.
- Because the IP space is unused (hence "dark"), there should be very little, if any, legitimate traffic entering the darknet.
- Team Cymru Darknet Project: http://www.cymru.com/Darknet/index.html
Slide 15: Shared Darknet
- Develop a wide-aperture, powerful network security sensor that directly serves higher-education and research institutions and indirectly serves Internet users at large
- Institutions that run local darknets send their collector data to REN-ISAC (only hits from remote sources)
Slide 16: Shared Darknet
- The data is analyzed to identify compromised machines by IP address and destination ports
- REN-ISAC compiles the darknet data contributions and distributes notifications and reports
- Limited policy overhead: low privacy requirements for this data
Slide 17: Shared Darknet
- REN-ISAC project with tools coordination provided by Salsa-CSI2
- Tools development done extensively by David Ripley, Indiana University Advanced Network Management Lab (ANML)
- First participants (beyond IU) are submitting data for analysis
Slide 18: Salsa-CSI2 Workshop
- Held in Cambridge, MA, 5-6 March 2007: first face-to-face meeting of the working group
- Made possible by DoJ grant funding of CSI2 activities
- Refined use cases for RENOIR, built consensus around tangible problems, defined a series of outcomes
Slide 19: Salsa-FWNA working group
- Analysis and proposal toward a pilot and eventual implementation to support network access for visiting scholars among federated institutions
- Engaged with the eduroam community; an operational server has tested interoperability
- http://www.eduroam.org/
Slide 20: Salsa-FWNA: Current work
- RADIUS and SAML: Integrating Network Authentication and Attribute Exchange
- Work on a specification that defines a profile including messages and flows from both RADIUS [RFC2865] and the SAML specifications (both v1.1 and 2.0)
- Still in draft form; a continuing topic of discussion...
Slide 21: Salsa-FWNA: RADIUS and SAML
- In traditional RADIUS usage, the user's home-site RADIUS server makes the access control decision and tells the RADIUS server at the network provider site whether to grant the user access to its network.
- When the two RADIUS servers are in different organizations, additional SAML flows allow the RADIUS server at the network provider site to obtain trusted information describing the requesting user; it can then make its own access control decision.
Slide 22: Salsa-FWNA: RADIUS and SAML
- The specification takes advantage of SAML services that are already defined and deployed for exactly this purpose.
- Availability of these SAML attributes gives the network provider's RADIUS server the option of implementing a more flexible access control policy than is possible with standard RADIUS.
- The specification describes a server communicating with SAML entities; no web browsers are involved.
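To make the difference between the two flows on slides 21 and 22 concrete, here is an added example that models them in a few dozen lines. It is not the Salsa-FWNA specification's code and does not reproduce the draft profile's message formats: plain dicts stand in for RADIUS packets and SAML attribute queries, the home site, users and passwords are constructed, and the attribute name eduPersonAffiliation and the VLAN policy are assumptions. What it shows is the decision point: with standard RADIUS the visited site can only echo the home site's Accept; with the attribute query it applies its own policy.

```python
"""Network-provider access decision with and without SAML attributes (added example)."""
import hmac
from dataclasses import dataclass


@dataclass
class HomeSite:
    """The user's home organization: a RADIUS server plus a SAML attribute authority."""
    realm: str
    users: dict       # username -> password (constructed sample data)
    attributes: dict  # username -> attributes the SAML authority would assert

    def radius_access_request(self, user, password):
        """Traditional flow: the home RADIUS server decides and answers Accept/Reject."""
        stored = self.users.get(user)
        ok = stored is not None and hmac.compare_digest(stored, password)
        return {"code": "Access-Accept" if ok else "Access-Reject"}

    def saml_attribute_query(self, user):
        """Additional flow: attributes describing an already-authenticated user.
        The home site controls what it releases; only released attributes reach
        the visited site."""
        return dict(self.attributes.get(user, {}))


class NetworkProvider:
    """RADIUS server at the visited (network provider) site."""

    def __init__(self, home_sites, policy):
        self.home_sites = {site.realm: site for site in home_sites}
        self.policy = policy

    def access_request(self, identity, password, use_saml):
        user, _, realm = identity.partition("@")
        home = self.home_sites.get(realm)
        if home is None:
            return {"code": "Access-Reject", "reason": "unknown realm"}
        # Step 1 (standard RADIUS): proxy the authentication to the home site.
        reply = home.radius_access_request(user, password)
        if reply["code"] != "Access-Accept":
            return {"code": "Access-Reject", "reason": "home site rejected"}
        if not use_saml:
            # The home site's yes/no is all we know: one-size-fits-all access.
            return {"code": "Access-Accept", "vlan": self.policy["default_vlan"]}
        # Step 2 (SAML): fetch trusted attributes, then apply *local* policy.
        released = home.saml_attribute_query(user)
        affiliations = set(released.get("eduPersonAffiliation", []))
        for affiliation, vlan in self.policy["by_affiliation"]:  # ordered by preference
            if affiliation in affiliations:
                return {"code": "Access-Accept", "vlan": vlan, "affiliation": affiliation}
        return {"code": "Access-Reject", "reason": "no affiliation permitted by local policy"}


# Constructed sample federation: one home site, three users, one visited site.
HOME = HomeSite(
    realm="example.edu",
    users={"alice": "pw-alice", "bob": "pw-bob", "carol": "pw-carol"},
    attributes={
        "alice": {"eduPersonAffiliation": ["faculty", "member"]},
        "bob": {"eduPersonAffiliation": ["student", "member"]},
        "carol": {"eduPersonAffiliation": ["affiliate"]},
    },
)
POLICY = {
    "default_vlan": "vlan-guest",
    "by_affiliation": [("faculty", "vlan-research"), ("student", "vlan-guest")],
}
PROVIDER = NetworkProvider([HOME], POLICY)

if __name__ == "__main__":
    for who, pw in (("alice@example.edu", "pw-alice"), ("carol@example.edu", "pw-carol")):
        print(who, "standard:", PROVIDER.access_request(who, pw, use_saml=False))
        print(who, "with SAML:", PROVIDER.access_request(who, pw, use_saml=True))
```

Note the two outcomes for the affiliate account: accepted under standard RADIUS because the home site vouched for the password, rejected under the SAML flow because the visited site's policy admits only faculty and students. In the real exchange the attribute query is authenticated server-to-server, with no browser in the loop, as slide 22 says.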
Slide 23: Salsa-FWNA: RADIUS and SAML (diagram slide; only the title survived extraction)
Slide 24: Salsa-FWNA: Visitor Access
- WLAN technologies are an expected technology for campus visitors
- There are various solutions that campus network administrators use to try to reconcile visitor networks within a policy framework
- Survey conducted; see the 4:30 Visitor Access session today: Phillipe Hanset (UTK) and Mark Linton (PSU)
Slide 25: Salsa-FWNA: Visitor Access
- The working group meeting held this morning reflected a need for consensus across the community: we are all facing this problem, and many of us have solved it in similar ways
- Do we need a document to help capture these thoughts, and to cast the context of visitor access against the visiting scholar problem?
- Guest access complementing federated network access deployments
Slide 26: Disaster Recovery
Salsa-DR was formed this spring to explore and document recommended practices for disaster planning and recovery, especially for higher ed if and as those needs are distinct from those of other large enterprises, liaising with other groups or organizations as appropriate.
Slide 27: Salsa-DR: Charter
- contingency planning
- developing and testing recovery plans, policies, and procedures
- warm and hot site strengths, weaknesses, and potential pitfalls
- contractual and SLA models and guidance
- reciprocal agreements with other organizations or campuses
- mass notifications
Slide 28: Salsa-DR
- Already have over 80 people on the discussion list
- Interested parties can sign up to participate at the web site: http://security.internet2.edu/dr/
- We are particularly interested in institutions that would like to collaborate in the investigation and implementation of possible DR solutions
Slide 29: Salsa-DR: Mailing list
- Working Group Chair: Don MacLeod, Cornell University
- To subscribe to the Salsa-DR list, send email to sympa at internet2 dot edu with the subject line: subscribe salsa-dr FirstName LastName
- For example: subscribe salsa-dr Jane Doe
Slide 30: EDUCAUSE Business Continuity Management Constituent Group
- Forum for strategic and tactical discussions on maintaining or restoring business and academic services when some circumstance disrupts normal operations
- Discussion topics may include: risk and impact assessment; prioritization of business processes; restoring operations to a "new normal" after an event
- http://www.educause.edu/groups/bc
Slide 31: Other Topics: What we all think about
- Protecting sensitive data: not just the enterprise data, but the researcher data
- Identity management: in higher ed there are a lot of business process and policy issues as well as technology
- Malware (viruses, worms, spyware, etc.)
- Distributed denial of service attacks
Slide 32: Other Topics: What we may not all be thinking about
- The strategic importance of DNS
- The value of sector-based security operations and the REN-ISAC
- {Spam, DDoS, etc.} and its impact on the infrastructure
- Evolving firewall management strategies to accommodate advanced applications (firewall discussion Wednesday afternoon)
- Federated identity and leveraging it for access control
Slide 33: Evolving Firewall Management
Wednesday 1:15 session: Firewalls: Can't live with or without them
- What are firewalls protecting us against? Are they still effective?
- What firewall architectures are people using these days? Firewalls very close to the end host?
- How does this relate to campus network architectures?
Slide 34: Domain Name System (DNS)
- DNS is the foundational service of the network; no service works without it.
- DNS itself needs better security: it is vulnerable to several attacks and can be exploited for other attacks. Remedial steps (e.g. DNSSec) face a critical bootstrap and mass-adoption value problem.
- DNS is the basis for many security enhancements: spam control mechanisms will leverage it, and federated security services depend on it.
- EDUCAUSE oversees .edu: a chance for higher ed to lead
Slide 35: Homework: DNS
- Make sure the campus DNS operations are adequately supported; check out www.dnsreport.com
- Campus DNS operations should plan to work with applications: LDAP/Kerberos RRs, SPF/DK/DKIM
- Make sure that you're not part of the problem: filter outgoing spoofed traffic, don't operate open recursive servers, etc.
Slide 36: DNS: More to think about
- Consider DNS monitoring: using query logs to analyze malicious activity
- How much priority is DNS given locally? Recent software, proper secure configuration, change management
- Name servers aren't just a *tool* for conducting distributed denial of service attacks, they're also a *target* for distributed denial of service attacks
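Two of the homework items from slide 35 (don't run an open recursive server) and the monitoring idea on slide 36 (use query logs to spot malicious activity) can be checked from the same query log. The following is an added example, not from the presentation or any campus tool: it parses log lines constructed to resemble BIND 9 query-log entries (client address#port, query name, class, type, and a "+" flag when recursion was requested), flags recursive queries answered for off-campus clients, matches names against a watchlist, and singles out clients with an unusual spread of lookups. The campus prefix, the watchlist domain and the "more than three distinct names" threshold are assumed values; the regex will need adjusting for other servers' log formats.

```python
"""Check a DNS query log for open recursion and suspicious lookups (added example)."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed to resemble BIND 9 query-log lines; not real traffic.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<client>[0-9A-Fa-f.:]+)#\d+: "
    r"query: (?P<name>\S+) (?P<cls>\S+) (?P<rtype>\S+) (?P<flags>\S+)$"
)

CAMPUS_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]   # assumed campus space
WATCHLIST = {"bot-controller.example.net"}                # constructed bad domain

LOG_LINES = """\
23-Apr-2007 10:15:02.101 client 10.20.30.40#53123: query: www.internet2.edu IN A +
23-Apr-2007 10:15:02.204 client 10.20.30.40#53124: query: www.educause.edu IN A +
23-Apr-2007 10:15:03.010 client 198.51.100.77#1025: query: www.example.com IN A +
23-Apr-2007 10:15:03.500 client 198.51.100.77#1026: query: example.org IN MX +
23-Apr-2007 10:15:04.001 client 10.20.30.41#40001: query: bot-controller.example.net IN A +
23-Apr-2007 10:15:04.002 client 10.20.30.41#40002: query: a1.example.net IN A +
23-Apr-2007 10:15:04.003 client 10.20.30.41#40003: query: a2.example.net IN A +
23-Apr-2007 10:15:04.004 client 10.20.30.41#40004: query: a3.example.net IN A +
23-Apr-2007 10:15:05.000 client 192.0.2.9#5555: query: ns1.campus.example IN A -
""".splitlines()


def parse_line(line):
    """Return the fields of one query-log line, or None if it does not match."""
    match = QUERY_RE.match(line)
    return match.groupdict() if match else None


def on_campus(ip, prefixes=CAMPUS_PREFIXES):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def on_watchlist(name, watchlist=WATCHLIST):
    """True for a watchlisted domain or any name under it."""
    lowered = name.rstrip(".").lower()
    return any(lowered == w or lowered.endswith("." + w) for w in watchlist)


def analyze_query_log(lines, prefixes=CAMPUS_PREFIXES, watchlist=WATCHLIST, max_distinct=3):
    """Summarize a query log into the three findings a DNS operator wants."""
    open_recursion = set()          # off-campus clients that got recursive service
    watchlist_hits = defaultdict(list)
    names_by_client = defaultdict(set)
    counts = Counter()
    for line in lines:
        query = parse_line(line)
        if query is None:
            continue                # unparsable line: skip, never guess
        client = query["client"]
        counts[client] += 1
        names_by_client[client].add(query["name"])
        # A '+' flag means recursion was requested; answering it for a client
        # outside our prefixes is the "open recursive server" the slide warns about.
        # The '-' query from 192.0.2.9 is a normal authoritative lookup.
        if "+" in query["flags"] and not on_campus(client, prefixes):
            open_recursion.add(client)
        if on_watchlist(query["name"], watchlist):
            watchlist_hits[client].append(query["name"])
    busy = {c: len(n) for c, n in names_by_client.items() if len(n) > max_distinct}
    return {
        "open_recursion_clients": open_recursion,
        "watchlist_hits": dict(watchlist_hits),
        "busy_clients": busy,
        "queries_per_client": dict(counts),
    }


if __name__ == "__main__":
    for key, value in analyze_query_log(LOG_LINES).items():
        print(key, value)
```

On real logs the thresholds should be tuned against a baseline of normal campus behaviour, and an open-recursion finding is worth confirming with an external check such as the www.dnsreport.com test the slide mentions.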
Slide 37: DNSsec advisory group
- Goal: experiment with DNSSEC and gain operational experience, including: does it solve anything?
- Participants sign at least one of their zones
- Exchange keys (trust anchors) that allow them to mutually validate DNS data
- Set up security-aware resolvers configured with the trust anchors
- Coordination: Internet2, Shinkuro; http://www.dnssec-deployment.org/
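The pilot's three steps (sign a zone, exchange trust anchors, run a validating resolver configured with them) map onto a handful of BIND 9 named.conf statements. The fragment below is an added example for a hypothetical participant, not configuration from the pilot or from any listed site: the zone names are placeholders, the key string is a placeholder for a partner's KSK obtained out of band, and the campus ACL is assumed.

```conf
// Added example, not pilot configuration. Zone names and key material are
// placeholders; a real trust anchor is the partner's KSK exchanged out of
// band (as the slide describes), never copied from an unvalidated lookup.

acl campus-nets { 10.0.0.0/8; };          // assumed campus address space

options {
    dnssec-enable yes;                    // serve signed data for our own zones
    dnssec-validation yes;                // validate answers against trust anchors below
    allow-recursion { campus-nets; };     // no open recursion (DNS homework slide)
};

// Step 2: trust anchors, one per partner zone we agreed to validate.
// 257 = KSK flag, 3 = protocol, 5 = RSASHA1 (the algorithm common in 2007 pilots).
trusted-keys {
    "partner-a.example." 257 3 5 "BASE64-KSK-PLACEHOLDER-A";
    "partner-b.example." 257 3 5 "BASE64-KSK-PLACEHOLDER-B";
};

// Step 1: our own signed zone. Keys come from dnssec-keygen, the signed file
// from dnssec-signzone; load the .signed output, not the unsigned source.
zone "example.edu" {
    type master;
    file "zones/db.example.edu.signed";
};
```

Two operational points follow from the slide's "does it solve anything?" question: every trust anchor must be rolled by hand when the partner changes its KSK, so key exchange needs a standing channel rather than a one-time swap, and a resolver with a stale anchor will fail validation for that zone rather than fall back to unsigned answers.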
Slide 38: DNSSec
- DNS trust anchors for MAGPI: https://rosetta.upenn.edu/magpi/dnssec.html
- SecSpider: http://secspider.cs.ucla.edu/
- DNSSec Internet2 Pilot: http://www.dnssec-deployment.org/internet2/
- Internet2 Security Weir: https://spaces.internet2.edu/display/securityweir/DNSSEC
Slide 39: Related Activities: REN-ISAC
- A private trust community for R&E security protection and response: http://www.ren-isac.net
- Collect, derive, analyze, and disseminate threat information
- Supports member understanding of threats, protection, and mitigation
- 24x7 Watch Desk (ren-isac@ren-isac.net, +1 317 274 6630)
Slide 40: REN-ISAC
REN-ISAC is an integral part of U.S. higher education's strategy to improve network security through information collection, analysis, dissemination, early warning, and response; is specifically designed to support the unique environment and needs of higher education and research organizations; and supports efforts to protect national cyber infrastructure by participating in the formal U.S. ISAC structure. Foremost, REN-ISAC is a member-driven trusted community for sharing sensitive information regarding cybersecurity threats, incidents, response, and protection.
Slide 41: REN-ISAC Milestones: Since the Internet2 FMM
- REN-ISAC partnership with Microsoft for SCPe
- The new alliance marks the first time Microsoft has worked with higher education entities within the Security Cooperation Program (SCP), a worldwide program originally formed for government entities.
- The SCP provides a structured way for Microsoft to share information efficiently, improving responses to computer security incidents and decreasing the risk of system attacks at member organizations.
- This unique trust relationship with Microsoft will provide an information source from which we can impart important security and product information to our membership, and through which Microsoft will get input from real-life product experiences in typically complex campus technology environments.
- http://www.ren-isac.net/relationships/microsoft.html
Slide 42: REN-ISAC Milestones: Since the Internet2 FMM
- Formed the Microsoft Analysis Team, which serves as the information sharing interface, analysts, and relationship advisors for the REN-ISAC and Microsoft SCPe. Team members are from University of Colorado at Boulder, University of Illinois at Urbana-Champaign, Indiana University, and New York University.
- Formed the Executive Advisory Group; initial considerations of the group are sustainability and membership models. EAG members are from EDUCAUSE, Internet2, Louisiana State University, University of Maryland Baltimore County, University of Montana, Oakland University, and Reed College.
- Formed additional information sharing relationships with private mitigation groups
Slide 43: REN-ISAC Milestones: Since the Internet2 FMM
- Held the first annual REN-ISAC Member Meeting, in conjunction with the EDUCAUSE and Internet2 Security Professionals Conference.
Slide 44: Recognition of the following Contributors
- Berkeley (TAG)
- Buffalo (systems)
- Brandeis (systems)
- Colorado (MAT)
- Cornell (TAG)
- IU (host, EAG, TAG, MAT)
- LSU (resources, EAG)
- Oakland (EAG)
- Oregon (TAG)
- MOREnet (TAG, TechBursts)
- NYU (MAT)
- Reed (EAG)
- UMass (TAG)
- UMBC (EAG)
- UMN (TAG)
- UMT (EAG)
- WPI (TAG, systems)
Legend: TAG = Technical Advisory Group; EAG = Executive Advisory Group; MAT = Microsoft Analysis Team; Host = host site resources; Resources = dedicated commitment of human resource; Systems = systems, applications, and tools administration
Slide 45: REN-ISAC: Growth of Membership (chart slide; only the title survived extraction)
Slide 46: Compromised System Notifications to .edu (chart slide; only the title survived extraction)
Slide 47: Projects
- Community Plumbing: web-based community-building tools to support member-contributed project development, and member subgroups for specific interest topics
- Malware Analysis Infrastructure for R&E: malware sandbox and repository; working in cooperation and with contributions from CWSandbox. Talks in progress with Norman.
- DNS Infrastructure Monitoring for R&E: using standard queries, probe .edu DNS space for configuration and security issues. Working in cooperation with John Kristoff (Neustar).
- Passive DNS Replication Server: R&E-specific view. Working in cooperation with John Kristoff (Neustar).
Slide 48: Projects
- CSI2 Shared Darknet Project: information from dispersed, member-based darknet sensors is combined into a single community resource. Provides notifications of observed scanning sources and reports of aggregate port scanning statistics, with a more complete view of IPv4-based scanning activity than provided by a single, standalone darknet. Working in cooperation with the Internet2 SALSA CSI2 effort.
- CSI2 RENOIR: Research and Education Networking Operational Incident Repository provides trust community-based sharing of incident information. Working in cooperation with the Internet2 SALSA CSI2 effort.
Slide 49: REN-ISAC Priorities for the Coming Year (not in any particular order)
- Membership growth
- Facilitate various forms of member involvement and contribution
- Develop additional, and strengthen existing, information sharing relationships, including the new REN-ISAC and Microsoft SCPe
- Assessment of current services and member needs
- Executive Advisory guidance on sustainability
- Cybersecurity Registry
- Services for the combined Internet2 and NLR entity (monitoring, sensors, and services; especially with consideration to the commercial transit and peering)
- Tool/service projects (listed on the Projects page)
Slide 50: REN-ISAC (diagram slide). Components shown: Registry; Tools; Served Networks; Members; Intel Relationships; Collect, analyze, and disseminate intelligence; 24x7 Watch Desk; Information Sharing; Information Products; Education; Exercises
Slide 51: REN-ISAC: Membership
- Membership is open and free to institutions of higher education, teaching hospitals, research and education network providers, and government-funded research organizations.
- Membership guidelines are roughly: must be permanent staff with organization-wide responsibilities for cybersecurity protection and response, and be vouched for by 2 existing members
- http://www.ren-isac.net/membership.html
Slide 52: REN-ISAC: Contacts
- http://www.ren-isac.net
- 24x7 Watch Desk: ren-isac@ren-isac.net, +1 (317) 274-6630
- Mark Bruhn, Executive Director, mbruhn@iu.edu
- Doug Pearson, Technical Director, dodpears@ren-isac.net
- Dave Monnier, Principal Security Engineer, dmonnier@ren-isac.net
Slide 53: REN-ISAC Member Meeting
CSI2 and REN-ISAC members met two weeks ago to:
- develop a set of strategies that will facilitate the development of new methodologies and technologies to better anticipate and resolve
- evaluate current open source security tools and their uses
- determine whether there is a need to create additional tools that do not currently exist; includes web application assessment toolkits and event and incident management toolkits
- investigate agent-based endpoint security tools