Presentation is loading. Please wait.

Presentation is loading. Please wait.

Research and Education Networking Information Sharing and Analysis Center REN-ISAC Doug Pearson Director, REN-ISAC

Published bySharon Sanders Modified over 8 years ago

Similar presentations

Presentation on theme: "Research and Education Networking Information Sharing and Analysis Center REN-ISAC Doug Pearson Director, REN-ISAC"— Presentation transcript:

1 Research and Education Networking Information Sharing and Analysis Center REN-ISAC Doug Pearson Director, REN-ISAC dodpears@indiana.edu ren-isac@iu.edu 24x7 Watch Desk: +1-317-278-6630 Copyright Trustees of Indiana University 2003. Permission is granted for this material to be shared for non-commercial educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of Indiana University. To disseminate otherwise or to republish requires written permission from Indiana University (via email to ren-isac@iu.edu)

2 2 Background Supported by Indiana University and through relationship with EDUCAUSE and Internet2, the REN-ISAC: is an integral part of higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response; specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks, and supports efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure.

3 3 Community Served Phase I (current): –Internet2 membership Phase II (soon to be entering): –Internet2 and EDUCAUSE membership Phase III (to come) –Reach out to all of higher education through staged approaches, e.g. state networks, associations of small colleges, etc.

4 4 an integral part of higher education’s strategy… Relationships REN-ISAC has core complimentary relationships with: –EDUCAUSE –Internet2 –EDUCAUSE and Internet2 Security Task Force –IU Global NOC and Abilene network engineering –IU Advanced Network Management Lab –IU Information Technology Security Office –US Department of Homeland Security & US-CERT –IT-ISAC –ISAC Council

5 5 an integral part of higher education’s strategy… Relationships Complimentary organizations and efforts –SALSA –Internet2 / CANARIE / GEANT2

6 6 information collection, analysis, dissemination, … Information is derived from: Network instrumentation Abilene NetFlow data Abilene router ACL counters Arbor PeakFlow analysis of NetFlow data Abilene NOC operational monitoring systems Members – related to incidents on local networks Network engineers – national & int’l R&E backbones Daily Status calls with ISACs, US-CERT & DHS Network security collaborations, e.g. closed lists Vendors

7 7 information collection, analysis, dissemination, … Abilene NetFlow Analysis Through partnership with Internet2 and the IU Abilene NOC, the REN-ISAC has access to Abilene NetFlow data. In conjunction with the IU Advanced Network Management Lab the NetFlow data is analyzed to characterize general network security threat activity, and to identify specific threats. flowtools and custom analysis tools, and Arbor Networks Peakflow

8 8 information collection, analysis, dissemination, … Abilene NetFlow Analysis Custom analysis –Aggregate reports –Detailed reports Data anonymized to /21

9 9 information collection, analysis, dissemination, … Abilene NetFlow Port Reporter

10 10 information collection, analysis, dissemination, … Abilene NetFlow Analysis REN-ISAC & Internet2 NetFlow data policy agreement, highlights: –Publicly reported information is restricted to aggregate views of the network. Information that identifies specific institutions or individuals cannot be reported publicly. –Detailed and sensitive information must be communicated with designated representatives of the affected institutions and refer only to local activity, unless otherwise authorized.

11 11 information collection, analysis, dissemination, … Abilene NetFlow Analysis Developments in process: –Enhanced analysis methods to reduce processing times. –Ad hoc queries. –/32 (per host) reporting on approval of an institution for “owned” data; permissions backed by the REN- ISAC Cyber Security Registry of authorized contacts. –Is it possible to provide served institutions with real- time, segmented views into this information?

12 12 information collection, analysis, dissemination, … Abilene Router ACL Statistics Access Control Lists (ACL) on Abilene router connector interfaces count traffic on specific IP destination ports – those ports known to be threat vectors and common service ports. Current data view is backbone aggregate http://ren-isac.net/monitoring.cgi Soon will deploy views by Abilene router.

13 13

14 14

15 15

16 16 information collection, analysis, dissemination, … Abilene Router ACL Statistics Data views at the per “connector” level on the Abilene routers are possible, but for interfaces that serve single organizations, is that too much public information?

17 17 information collection, analysis, dissemination, … Arbor PeakFlow Analysis on Abilene Processes Abilene NetFlow data Intelligent identification of anomalies Abilene is by nature an anomalous network, e.g. bursts of high bandwidth flows. Need to: –Tune the PeakFlow system to reduce bogies. –Incorporate into standard watch desk procedure. How to effectively share the information gained via Arbor?

18 18

19 19

20 20 early warning, and response … Warning and Response REN-ISAC Watch Desk –24 x 7 –Co-located and staffed with the Abilene NOC –+1 (317) 278-6630 –ren-isac@iu.eduren-isac@iu.edu Public reports to US higher education community regarding analysis of aggregate views. Private reports to specific institutions regarding active threat. Reports contain only “owned” information.

21 21 early warning, and response… Example: Response to Blaster/Nachi Disseminated reports 1 regarding the nature of the worm threats along with successful defense measures. Disseminated reports 1 regarding ongoing aggregate infection rates. Sent reports directly to many institutions regarding their specific infection rates, and counts per subnet (/21). Reports resulted in measurable reductions in infection rates. 1 Reports were sent to EDUCAUSE Security, Internet2 Security Working Group, and Abilene Operators listservs

22 22 Response to Blaster initial warning to community Worm traffic on Abilene is high, peaking at 7% of all packets on the network. Recommendations for network border filtering … Filters should be defined as input and output … … a worm exploit of the Microsoft DCOM RPC vulnerability, W32/Blaster, was unleashed … References …

23 23 Response to Blaster notifications to Top 20 … your network AS was among the top twenty sources of port 135 scans … Worm propagation can be mitigated by … A breakdown of port 135 scans sourced from your AS, to Abilene, is provided …

24 24 Response to Blaster status regarding windowsupdate.com … conferred with lead technical representatives of Microsoft regarding the anticipated, Saturday August 16, DDoS attack against windowsupdate.com, coming from W32/Blaster. Based on current understanding of the worm, Microsoft has a sound and effective approach to mitigate the attack.

25 25 Response to Blaster status reports to community … continuing to perform analysis… Identify top network AS sources of port 135 scans on Abilene… E-mail notifications… … infection attempts on Abilene, while still high, are down by at least half. A graph, produced … Worm propagation can be mitigated by …

26 26 early warning, and response… Response to Blaster and Nachi http://www.ren-isac.net/library.html

27 27 early warning, and response… Example: Port 53 (DNS) Precipitous Rise What is it? 1-1, 1-few, 1-many, many-… DOS? Scanning for vulnerable DNS servers?

28 28 early warning, and response… Example: Port 53 (DNS) Precipitous Rise Analysis and Response: –Verified not associated with standard DNS behavior –From per-router interface statistics determined that source was an international connection to Abilene –Notified OARC (ISC Operations, Analysis, and Research Center) –Determined from flow data that a single foreign source was transiting Abilene to a couple of destinations in another country. –Notified NOC of the national network on source side

29 29 early warning, and response… Communications Challenge Early warning and response to threat requires the communication of timely and sensitive information to designated contacts. The proper contact is one who can act immediately, with knowledge and authority upon conveyed information, and who is cleared to handle potentially sensitive information. Publicly published contact points rarely serve those requirements. Privacy considerations prevent deep and rich contact information from being publicly published.

30 30 REN-ISAC Cyber Security Registry To provide contact information for cyber security matters in US higher education, the REN-ISAC is developing a cyber security registry. The goal is to have deep and rich contact information for US colleges and universities. The primary registrant is the CIO, IT Security Officer, organizational equivalent, or superior. All registrations will be vetted for authenticity. Primary registrant assigns delegates. Delegates can be functional accounts.

31 31 REN-ISAC Cyber Security Registry Aiming for 24 x 7 contact, with deep reach – a decision maker, primary actor, with clearance for sensitive information. Optional permissions for REN-ISAC to send reports regarding threat activity seen sourced from or directed at the institution – reports may identify specific machines. Related Registry information to serve network security management and response: –address blocks –routing registry –network connections (e.g. Abilene, NLR)

32 32 REN-ISAC Cyber Security Registry Registry information will be: –utilized by the REN-ISAC for response, such as response to threat activity identified in Abilene NetFlow, –utilized by the REN-ISAC for early warning, –open to the members of the trusted circle established by the Registry, and –with permission, proxied by the REN-ISAC to outside trusted entities, e.g. ISP’s and law enforcement.

33 33

34 34

35 35

36 36

37 37

38 38

39 39 REN-ISAC Cyber Security Registry Phase two of the Registry development will lead to incorporation into the InCommon structure.

40 40 Summary: REN-ISAC Short-term Needs for Federation Detailed and sensitive information must be communicated with properly designated representatives of institutions. Standing and one-time permissions are required, e.g. observing and reporting to an institution regarding information at /32 within their organization. Provide served institutions real-time access to segmented views of sensitive datasets, e.g. netflow and traffic-on-port data. Share information gained via advanced tools such as the Arbor Peakflow DOS. Providing early warning and response to threat requires the communication of timely and sensitive information to individuals who can act immediately, with knowledge and authority upon conveyed information, and who are cleared for sensitive information. Incorporate of some of these components into the InCommon structure.

Download ppt "Research and Education Networking Information Sharing and Analysis Center REN-ISAC Doug Pearson Director, REN-ISAC"

Similar presentations

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.

Network Monitoring System In CSTNET Long Chun China Science & Technology Network.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Chapter 8: Monitoring the Network Connecting Networks.
REN-ISAC Research and Education Networking Information Sharing and Analysis Center AMSAC Update July 10, 2008 1.

REN-ISAC Research and Education Networking Information Sharing and Analysis Center AMSAC Update July 10,
Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Doug Pearson Director, REN-ISAC

Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Doug Pearson Director, REN-ISAC
Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, 2007. This work is the intellectual property rights of the author.

Lynn Ray ISO Towson University Strategic Planning for IT Security Copyright Lynn Ray, This work is the intellectual property rights of the author.
Addressing spam email and enforcing a Do Not Email Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.

Addressing spam and enforcing a Do Not Registry using a Certified Electronic Mail System Information Technology Advisory Group, Inc.
Abilene Transit Security Policy Joint Techs Summer ’05 Vancouver, BC, CA Steve Cotter Director, Network Services Steve Cotter Director,

Abilene Transit Security Policy Joint Techs Summer ’05 Vancouver, BC, CA Steve Cotter Director, Network Services Steve Cotter Director,
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.

11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
DHS, National Cyber Security Division Overview

DHS, National Cyber Security Division Overview
Copyright Jill M. Forrester 2008. This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial,

Copyright Jill M. Forrester This work is the intellectual property of the author. Permission is granted for this material to be shared for non- commercial,
Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Mark S. Bruhn, Interim Director University Copyright.

Research and Educational Networking Information Analysis and Sharing Center (REN-ISAC) Mark S. Bruhn, Interim Director University Copyright.
Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.

Network Isolation Using Group Policy and IPSec Paula Kiernan Senior Consultant Ward Solutions.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
REN-ISAC Update Doug Pearson, REN-ISAC Technical Director DICE 12 February 2008 Athens, Greece 1.

REN-ISAC Update Doug Pearson, REN-ISAC Technical Director DICE 12 February 2008 Athens, Greece 1.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
1 REN-ISAC Research and Education Networking Information Sharing and Analysis Center Internet2 Member’s Meeting Chicago 5 December 2006.

1 REN-ISAC Research and Education Networking Information Sharing and Analysis Center Internet2 Member’s Meeting Chicago 5 December 2006.
Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.

Distributed Intrusion Detection Systems (dIDS) 2/10 CIS 610.
(Geneva, Switzerland, September 2014)

(Geneva, Switzerland, September 2014)
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
Arbor Multi-Layer Cloud DDoS Protection

Arbor Multi-Layer Cloud DDoS Protection

Similar presentations

Ads by Google