CSTNET Security Considerations

Transcription

1 CSTNET Security Considerations Ling Wang Computer Network Information Center Chinese Academy of Sciences

2 Agenda CSTNET topology and applications Current CSTNET Security State The Threaten of security About CSTCERT Our work about Network security Our network security monitor research Future plan

3 Computer Network Information Center, Chinese Academy of Sciences The Computer Network Information Center, Chinese Academy of Sciences (CNIC, CAS) is a subsidiary research institute of the Chinese Academy of Sciences (CAS), engaged mainly in the construction, operation and supporting service of informatization of CAS, R&D of computer network technology, database technology as well as scientific engineering computation.

4 CSTNET Base on the NCFC and the network of CAS Opened the first Internet link of China 1994 One of the top large scale networks in China.cn top domain service Cover more than 20 provinces, 100 institutes, and 1,000,000 end users Large scale upgrade in Efforts on: Upgrading IT Infrastructure Constructing Scientific Research Environment Developing Key IT Technologies Demonstrating Science Applications A better platform to support advanced science applications A good test bed for research on next generation Internet

5 Nodes of CSTNET 2005 YANGBAJING HONG KONG

6 CSTNET Network Architecture

7 Current Status Of CSTNET Connections

8 Valued Asset in CSTNET Network device Science database Web site Information and research result

9 Science Activities in CSTNET

10 Valued Web Site in CSTNET

11 Current CSTNET Security State Security become more and more important Network Under Regular Attack No Large scale worm breakout worm still be a basically harm Security device and train are needed

12 security vulnerabilities Since Jan.1, 2005,Microsoft had announced 52 security bulletins, 27 were Critical US CERT Technical Cyber Security Alert ( TA05 292A Oracle Products Contain Multiple Vulnerabilities TA05 291A Snort Back Orifice Preprocessor Buffer Overflow TA05 229A Apple Mac Products are Affected by Multiple Vulnerabilities TA05 224A VERITAS Backup Exec Uses Hard Coded Authentication Credentials TA05 221A Microsoft Windows and Internet Explorer Vulnerabilities TA05 210A Cisco IOS IPv6 Vulnerability

13 Security Threaten To the bone network: DDOS Large scale Worm breakout Attack to core device To our user: Probe or Scan Worm Root Compromise Trojan Virus Spam Denial of Service

14 Security Threaten to Users Probe or Scan Worm Self Propagate via or network Make PC hang, intermittent, and/orreboot Root Compromise Trojan Hide in your computer, keystrokes logger, password stealer, mass mailing worm, backdoor, joke, Launch attacks such as DOS (denial of service) on other computers hacking Virus infect files, Corrupt files, Delete directories, hard disk Damage motherboard..

15 Security Threaten to Users (2) Spam Adware Usually load with your permission Watch your surfing habit Pop up advertisement when you surf Spyware Tracks your actions and/or your Internet use. Capture what you type on your keyword, including passwords, and send it to the spyware creator Can allow control of PC by remote party. fishing use ʹspoofedʹ e mails and fraudulent websites designed to fool recipients into divulging personal financial data such as credit card details, account usernames, passwords, ATM PIN, etc.

16 Worm in the network SQL Slammer worm, released in January, 2003

17 Worm in the network The Blaster worm hit the Internet on August 11, 2003

18 What Should We do? secure: Internet routers DNS / other critical services Internet infrastructure protect: Ourusers from the Internet The Internet from our users research Network Security research Tools development

19 CSTCERT (China Science and Technology Network Computer Emergency Response Team)

20 What we do with Network security Reactive Services Proactive Services Other work Alerts and Warnings Incident Handling Vulnerability Handling Configuration & Maintance of Security Tools, Application & Infratructures Development of Security Tools Intrusion Detection Security related Information Dissemination security Consulting Education/Training

21 The ways we Detect an Incident Technical: Netflow, syslogs, Application monitoring,... Intrusion Detection Systems Network monitoring CPU Load on Router looking for specific triggers (CPU and input buffer drops) Non Technical User report Information from Device vender Exchange security with other CERT organize Alert from Security Company Security mailing lists

22 Important device syslog monitor

23 Network traffic monitor

24 Applications Monitor

25 HTTP server bandwidth and session number 每日网页浏览 session 数量统计 0 20,000 40,000 60,000 80, , ,000 0:00 0:30 1:00 1:30 2:00 2:30 3:00 3:30 4:00 4:30 5:00 5:30 6:00 6:30 7:00 7:30 8:00 8:30 9:00 9:30 10:00 10:30 11:00 11:30 12:00 12:30 13:00 13:30 14:00 14:30 15:00 15:30 16:00 16:30 17:00 17:30 18:00 18:30 19:00 19:30 20:00 20:30 21:00 21:30 22:00 22:30 23:00 23:30 每日双向网页浏览流量统计 ( 最大 最小 平均 ) 0 100, , , , , , ,000 0:00 0:30 1:00 1:30 2:00 2:30 3:00 3:30 4:00 4:30 5:00 5:30 6:00 6:30 7:00 7:30 8:00 8:30 9:00 9:30 10:00 10:30 11:00 11:30 12:00 12:30 13:00 13:30 14:00 14:30 15:00 15:30 16:00 16:30 17:00 17:30 18:00 18:30 19:00 19:30 20:00 20:30 21:00 21:30 22:00 22:30 23:00 23:30 kbit/s

26 Abnormal signals Port Server Hit_Count 80 HTTP Browsing 985,585, SMTP 16,428, PPLive 15,223, QQ 13,150, ,340, ,191, FTP 6,484, ms-sql-s 6,163, https 4,691, POP3 3,740,741

27 What We Do in an Incident Alarm(customers, other CERTs, ) Block the attack (if possible) Access lists gather evidence routing, syslog, netflow, IDS information Network device and server recover

28 Future plan CSTNET security Policy Software Patch management Bone net IDS/IPS system Network Security Tools development Network Security Event correlation research

29 The end Thank you!