Page 1: GÉANT - Implementing Security at Terabit Speed
Security in Europe’s Research and Education Network

Networks ∙ Services ∙ People  www.geant.org

WISE Workshop, Barcelona.ES, 20 October 2015

Fotis Gagadis, Security Officer
Wayne Routly, Head of Information & Infrastructure Security

Page 2: The New Security Reality

Diverse Environment:
• Multiple Pressure Points
• Understand where to focus
• What the NRENs actually need

Not Just Another Tool:
• Must deliver value to NRENs
• Must enhance capabilities and not workload
• Automate, threshold, trigger

No Crystal Ball is Ever Clear:
• Planning for an uncertain future
• Scalable, solve achievable problems


Page 4: TRUST In The Integrity of the Network: Security of the Network

• Dedicated Security Officer
• Policy Creation & Enforcement (Acceptable Use, Patch Management)
• Yearly Peer Security Audit (Community Involvement)
• Measurable Security for Physical Infrastructure
• Risk Assess Co-Locations
• Web Cameras
• Access Control & Network Segmentation
• Triggers & Alerts

Page 5: TRUST In The Integrity of the Networks Systems: Risk & Vulnerability Assessment

• Asset Discovery
• Vulnerability Detection
• Configuration Auditing
• Risk Assessment and Suggested Fixes

…more in-depth view of vulnerabilities and any other kind of misconfiguration … at risk GÉANT infrastructure

Page 6: A Modular Approach Towards Security

• Security Services - Create encompassing security solution - NSHaRP
• Risk Posture - Monitor to ensure management controls are in place
• Anomaly Detection – Scalable mechanisms to report on Denial of Service trends
• Firewall on Demand – Technologies to grow with and defend the network

Page 7: NSHaRP – Security Service For Users: A GÉANT Solution

• Complete Security Solution
• Provides a mechanism to quickly and effectively inform parties
• Adds Value - Serves as an extension to the NRENs’ CERTs
• An Automated Incident Notification & Handling System
• Extends the NRENs’ detection and mitigation capability to GÉANT borders
• Innovative and Unique - Caters for different types of requirements

Page 8: Effective Risk Management: The GÉANT Approach

• Understand the nature of the risks the organisation faces
• Become aware of the extent of risks
• Recognize our ability to control and reduce risk
• Report the risk status at any point in time
• Have in place risk event "early warning" factors and upward reporting thresholds

Page 9: Example Risk Register

Page 10: Proactive Risk Management: Vulnerability & Patch Management Control

Weekly Scans
• Backbone + Corporate
• Sent to Teams Directly
• Is it Improving?
• Drill-Down Capabilities

Proactive Approach
• Respond to New Threats
• Create Triggers, Thresholds
• Clearly Define & Identify Risk Areas
• Risk Register Approach

Page 11: Proactive Risk Management: Host Identification

What is on the Network?
• Weekly Scan of Backbone
• Does it belong to a Defined Zone?
• Have I seen it before?
• Differential Scans

Goes to the core of controlling your network
• Ensures New Devices are Identified
• Ensures Devices are owned!
• Central to effective Risk Management
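The differential scan the slide describes, as an added example (not GÉANT's tooling): two weekly scan results are compared against the set of hosts ever seen and against defined zones, so that a host is classed as new, returned, gone, and owned or unowned. All prefixes, addresses and team names are constructed for illustration.

```python
import ipaddress

# Constructed inventory for illustration: defined zones (prefix -> owning team),
# last week's and this week's backbone scan results, and every host ever seen.
ZONES = {
    "192.0.2.0/26": "backbone-noc",
    "198.51.100.0/24": "corporate-it",
}
LAST_WEEK = {"192.0.2.10", "192.0.2.11", "198.51.100.5", "198.51.100.6"}
THIS_WEEK = {"192.0.2.10", "192.0.2.11", "192.0.2.40", "198.51.100.5", "203.0.113.9"}
EVER_SEEN = LAST_WEEK | {"192.0.2.40"}   # 192.0.2.40 was seen in an earlier week


def zone_of(ip):
    """Does the host belong to a defined zone? Return the owning team or None."""
    addr = ipaddress.ip_address(ip)
    for prefix, owner in ZONES.items():
        if addr in ipaddress.ip_network(prefix):
            return owner
    return None


def differential_scan(previous, current, ever_seen):
    """Compare two weekly scans and answer: new? seen before? gone? owned?"""
    by_ip = ipaddress.ip_address
    report = {"new": [], "returned": [], "unowned": [],
              "gone": sorted(previous - current, key=by_ip)}
    for ip in sorted(current - previous, key=by_ip):
        owner = zone_of(ip)
        # A host absent last week but present in the history is "returned", not "new"
        bucket = "returned" if ip in ever_seen else "new"
        report[bucket].append((ip, owner))
        if owner is None:
            # Not in any defined zone: nobody owns it, so it goes to the risk register
            report["unowned"].append(ip)
    return report


if __name__ == "__main__":
    for kind, hosts in differential_scan(LAST_WEEK, THIS_WEEK, EVER_SEEN).items():
        print(f"{kind:9s} {hosts}")
```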

Page 12: Proactive Risk Management: Access Management

What accounts are active?
• Control over script overload
• Misconfiguration?
• Notify someone – Reduce Noise

Who are the real bad IPs?
• See the forest for the trees…
• Look for Trends
• Blacklist correlated & confirmed bad actors.

Page 13: Proactive Risk Management: Remote Management

What accounts are active?
• Control over script overload
• Misconfiguration?
• Notify someone – Reduce Noise

GeoIP
• Why is the NOC engineer in China?
• …especially since he called me from the office
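The access-management and remote-management checks from the two slides above, as an added example (not GÉANT's code): sshd-style lines from several routers are correlated so that an IP failing across many hosts is reported as a trend, an IP that fails and then authenticates is treated as a misconfigured script to notify rather than block, and successful logins from an unexpected country are flagged. The log lines, the GeoIP table and the expected-country set are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sshd-style log lines from three routers (not real GÉANT data).
LOG = """\
May 13 09:55:01 rtr-lon sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5000 ssh2
May 13 09:55:02 rtr-lon sshd[102]: Failed password for invalid user test from 203.0.113.7 port 5001 ssh2
May 13 10:01:05 rtr-ams sshd[201]: Failed password for root from 203.0.113.7 port 5002 ssh2
May 13 10:02:00 rtr-ams sshd[202]: Failed password for root from 203.0.113.7 port 5003 ssh2
May 13 10:10:00 rtr-fra sshd[301]: Failed password for invalid user oracle from 203.0.113.7 port 5004 ssh2
May 13 10:11:00 rtr-fra sshd[302]: Failed password for backup from 198.51.100.20 port 6000 ssh2
May 13 10:11:30 rtr-fra sshd[303]: Accepted publickey for backup from 198.51.100.20 port 6001 ssh2
May 13 10:20:00 rtr-lon sshd[103]: Accepted password for noc-ops from 192.0.2.50 port 7000 ssh2
May 13 10:25:00 rtr-ams sshd[203]: Accepted password for noc-ops from 203.0.113.99 port 7001 ssh2
"""
# Constructed GeoIP table standing in for a real lookup, and the countries the
# operations staff are expected to log in from (both are assumptions).
GEOIP = {"203.0.113.7": "CN", "203.0.113.99": "CN", "198.51.100.20": "GB", "192.0.2.50": "GB"}
EXPECTED_COUNTRIES = {"GB", "NL"}

LINE_RE = re.compile(r"^\S+ +\d+ \S+ (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) "
                     r"\S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")


def parse_log(text):
    """Turn each matching line into a dict of host, result, user and source ip."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def correlated_bad_actors(events, min_hosts=2, min_failures=3):
    """See the forest for the trees: an IP failing across several hosts is a trend."""
    fails = defaultdict(lambda: {"hosts": set(), "count": 0})
    for e in events:
        if e["result"] == "Failed":
            fails[e["ip"]]["hosts"].add(e["host"])
            fails[e["ip"]]["count"] += 1
    return sorted(ip for ip, f in fails.items()
                  if len(f["hosts"]) >= min_hosts and f["count"] >= min_failures)


def noisy_scripts(events):
    """Failures from an IP that then authenticates fine: a misconfiguration to notify about."""
    failed = {(e["ip"], e["user"]) for e in events if e["result"] == "Failed"}
    ok = {(e["ip"], e["user"]) for e in events if e["result"] == "Accepted"}
    return sorted(failed & ok)


def geoip_anomalies(events):
    """Successful logins from outside the expected countries (the 'NOC engineer in China' case)."""
    return [(e["user"], e["host"], e["ip"], GEOIP.get(e["ip"], "??")) for e in events
            if e["result"] == "Accepted" and GEOIP.get(e["ip"]) not in EXPECTED_COUNTRIES]
```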

Page 14: Multi-Faceted DDoS Detection System: Alerting to Events

Page 15: Structured Alerting Mechanism: Require Clear & Rapid Notification

<ID>: num;
<Category>: ANOMALY;
<Type>: Behavior anomaly;
<Perspective>: NREN;
<Severity>: Critical;
<Time>: 2015-05-13 09:55:00;
<Protocol>: ;
<Source IP>: x.y.z.t;
<Target IPs>: a.b.c.d;
<Ports involved>: ;
<Flows sample>:
Source IP;Source port;Destination IP;Destination port;Protocol;Timestamp;Duration;Transferred;Packets;Flags;Source AS;Destination AS
x.y.z.t;42096;a.b.c.d;24384;TCP;2015-05-13 10:54:31.770;3.43900012969971;208000;4000;.A....;786;2108

Dear NREN,

We have detected a CAT. event affecting your network. All the information pertaining to it can be found below:

=============
#Start Time: 2015-05-14 01:56:04 UTC
#Protocol: UDP
#Source IP: x.y.z.t
#Target IPs: a.b.c.d
#Ports: 60312
#Evidence:
Source IP;Source port;Destination IP;Destination port;Protocol;Timestamp;Duration;Transferred;Packets;Flags;Source AS;Destination AS
x.y.z.t;a.b.c.d;60312;UDP;2015-05-14 02:56:04.566;0;84500;500;......;36351;766
=============

If you wish to reply to this email please leave the subject unaltered so the ticket can be updated accordingly. If no response is received, this ticket will be automatically closed after 5 working days.

Regards,
GEANT [email protected] (PGP Key ID: 99833085 / Fingerprint: 3CBF F211 8305 635D 5839 BB27 BA6B F34A 9983 3085)
Phone no.: +44 (0)1223 866 140

One event per mail for the most critical events; daily report for the less critical and/or “noisy” ones:
- Text or HTML that can be parsed by the NREN
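A parser for the structured alert record shown above, as an added example (not NSHaRP's own code) of the NREN-side parsing the slide calls for. It splits the `<Key>: value;` header from the `;`-separated flow sample, types the numeric columns, rejects a flow row whose field count does not match the header (as in the e-mail sample, which carries one field fewer), and decides between one mail per event and the daily digest. The sample alert reuses the slide's own placeholder values; the set of severities sent immediately is an assumption, since the slide does not list it.

```python
import csv
import io
import re

# The alert layout shown on the slide, with the slide's own placeholder values
# (x.y.z.t, a.b.c.d, "num"); constructed here as one string, with a newline
# separating the flow-sample header from its data row.
SAMPLE_ALERT = (
    "<ID>: num;<Category>: ANOMALY;<Type>: Behavior anomaly;<Perspective>: NREN;"
    "<Severity>: Critical;<Time>: 2015-05-13 09:55:00;<Protocol>: ;"
    "<Source IP>: x.y.z.t;<Target IPs>: a.b.c.d;<Ports involved>: ;<Flows sample>:\n"
    "Source IP;Source port;Destination IP;Destination port;Protocol;Timestamp;"
    "Duration;Transferred;Packets;Flags;Source AS;Destination AS\n"
    "x.y.z.t;42096;a.b.c.d;24384;TCP;2015-05-13 10:54:31.770;3.43900012969971;"
    "208000;4000;.A....;786;2108\n"
)

FIELD_RE = re.compile(r"<([^>]+)>:\s*([^;\n]*)")   # values must not contain ';'
INT_COLUMNS = {"Source port", "Destination port", "Transferred", "Packets",
               "Source AS", "Destination AS"}
# Assumption: which severities warrant one mail per event (the slide does not list them)
IMMEDIATE_SEVERITIES = {"Critical"}


def parse_alert(text):
    """Split an alert into its <Key>: value; header and typed flow-sample rows."""
    head, sep, flows = text.partition("<Flows sample>:")
    if not sep:
        raise ValueError("alert has no <Flows sample> section")
    fields = {key: value.strip() for key, value in FIELD_RE.findall(head)}
    rows = []
    for row in csv.DictReader(io.StringIO(flows.strip()), delimiter=";"):
        # DictReader parks surplus fields under key None and fills missing ones with None
        if None in row or None in row.values():
            raise ValueError("flow row does not match the sample header")
        for col in INT_COLUMNS:
            row[col] = int(row[col])
        row["Duration"] = float(row["Duration"])
        rows.append(row)
    return {"fields": fields, "flows": rows}


def delivery(alert):
    """One mail per event for the most critical ones, a daily digest for the rest."""
    return "immediate" if alert["fields"]["Severity"] in IMMEDIATE_SEVERITIES else "daily-digest"


def flow_rate(flow):
    """Packets per second of a sampled flow; 0 if the duration is zero."""
    return flow["Packets"] / flow["Duration"] if flow["Duration"] else 0.0
```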

Page 16: What actions can NRENs request

• Filter / Block: You can request the Security Team to Filter / Block traffic from and/or to a specific IP and/or prefix. Specific port ranges can be included in this block. The OC Security Team will apply this block for a period of time after which you will be given the option to remove the block or have it kept in place.
• Monitor: You can request the OC Security Team to monitor this incident for a specific period of time. After the time has elapsed and you request the ticket to be closed, the Security team will inform you of all incidents linked to the original ticket if any have been alerted.
• Investigate: You can request the OC Security Team to provide additional information about the incident. For example, you may require additional flow records for a larger time window.
• Nothing: Ticket closes automatically after 5 working days

Page 17: Firewall on Demand - Next Generation Firewall Filtering (Designed and Developed by GRnet)

BGP Flowspec, defined in RFC 5575: Layer 4 (TCP and UDP) firewall filters distributed in BGP on both an intra-domain and inter-domain basis

• Benefits
  • Gives users flexibility; Alternative Use Cases?
  • AAI
    • NREN Credentials to log in and stop attacks
    • Limit Accidental & Damaging blocks
• “Better” in terms of
  • Granularity: Per-flow level (Source/Dest IP/Ports, TCP flag)
  • Action: Drop, rate-limit, redirect
  • Speed: More responsive
  • Efficiency: Closer to the source, Multi Domain
  • Automation: Integration with other systems (NSHaRP)
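What a per-flow Flowspec filter looks like on the wire, as an added example (not Firewall on Demand's own code): the NLRI and traffic-rate action are encoded per RFC 5575, so that "drop UDP/53 towards one host" becomes the bytes a BGP speaker announces. Only `== value` numeric matches are implemented, and components are emitted in ascending type order as the RFC requires; the destination address and AS number used are documentation values.

```python
import ipaddress
import struct

# Operator-byte "len" field from RFC 5575 section 4: 00=1, 01=2, 10=4, 11=8 octets
LEN_BITS = {1: 0, 2: 1, 4: 2, 8: 3}


def numeric_eq(value):
    """Single (operator, value) pair meaning '== value', flagged end-of-list (e bit)."""
    size = 1 if value < 0x100 else 2 if value < 0x10000 else 4
    op = 0x80 | (LEN_BITS[size] << 4) | 0x01      # e=1, a=0, len, lt=0, gt=0, eq=1
    return bytes([op]) + value.to_bytes(size, "big")


def prefix_component(ctype, cidr):
    """Type 1 (destination) or 2 (source) prefix: type, length in bits, minimal octets."""
    net = ipaddress.ip_network(cidr)
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:(net.prefixlen + 7) // 8]


def flowspec_nlri(dst=None, src=None, proto=None, dport=None, sport=None):
    """Flowspec NLRI: 1-byte length (<240) or 2-byte 0xFnnn length, then the components."""
    body = b""
    if dst:
        body += prefix_component(1, dst)
    if src:
        body += prefix_component(2, src)
    if proto is not None:
        body += bytes([3]) + numeric_eq(proto)
    if dport is not None:
        body += bytes([5]) + numeric_eq(dport)
    if sport is not None:
        body += bytes([6]) + numeric_eq(sport)
    length = bytes([len(body)]) if len(body) < 240 else struct.pack(">H", 0xF000 | len(body))
    return length + body


def traffic_rate_community(asn, rate_bytes_per_sec):
    """Extended community 0x8006: 2-octet AS, 4-octet IEEE float rate; 0 means discard."""
    return struct.pack(">BBHf", 0x80, 0x06, asn, float(rate_bytes_per_sec))


if __name__ == "__main__":
    # Discard all UDP/53 traffic towards 192.0.2.1 (documentation address, AS 64496)
    print(flowspec_nlri(dst="192.0.2.1/32", proto=17, dport=53).hex())
    print(traffic_rate_community(64496, 0).hex())
```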

Page 18: Firewall on Demand: Interface

Page 19: Conclusions: Delivering a Comprehensive & Future-Driven Security Eco-System benefiting the GÉANT Community

1. Take a holistic approach towards defending your network
   • Understand the risks the organisation faces
   • Collate, correlate, and automate your capabilities

2. Make changes that have significant impacts
   • Use tools that radically improve your capabilities
   • Use tools that provide flexibility

Page 20: Thank you – Questions

[email protected]
[email protected]