GÉANT: A Defense in Depth Approach

Transcription

1 GÉANT: A Defense in Depth Approach Wayne Routly Security Manager DANTE SURFcert Utrecht.nl Febuary 2014

2 Agenda GEANT Network Technology and forward thinking Defence In Depth: Today A Layered Approach NSHaRP Technologies Security Audits Changes NREN & ISP Security Working Group Demonstrate Leadership Challenges: Tomorrow Raining Cats & DDoS Snowden Effect

3 The GÉANT Network 30 European PoPs 13,500 km of dark fibre on 18 routes 50,000 km network infrastructure on 44 routes Diversified footprint Serves 50 million users 10,000 institutions Across 43 European countries GÉANT is co-funded by Europe s NRENs and the European Commission (EC) under the Seventh Framework Programme (FP7) 34 Project Partners: DANTE, TERENA, 31 European NRENs and NORDUnet 158 FTEs annual effort (> 350 individuals) working in GÉANT across Europe Objectives Achievements Challenges Conclusions GN3 Overall Q&A

4 GÉANT : Who What How State of the Art Pan-European Network..Transit Network.ISP 30 Physical Pops 100Gb/s PB of Data shifted 10 Million+ IPs 100+ Workstations Unusual Traffic Truly Global Interconnects NRENs - 38 Commercial & Commodity Traffic 4 #

5 A Layered Approach Overview NSHaRP Security Toolset Building Future Security Netreflex Security Audit Changes Procedures & Training for Future Security NfSen Splunk ISO27001 NAC Policies Visibility NREN & ISP Security WG Planning for Future Security Future Threats Hardening Infrastructure

6 Who, Where, Why and Definitely What

7 Defence in Depth - A Layered Approach Independent Layers Greater Control Avoid Eggs in Basket Approach - Mix of Technologies 1 st layer NSHaRP - Netreflex: Anomaly Detection / Alerting 2 nd Layer NfSen - Alerts / Profiling & Intelligence 3 rd layer Splunk LM - Logging (Granular Visibility for Alerts) 4 th Layer Network - Segmentation / Authentication 5 th Layer Revision Planning - Policies & Audits

8 Layer 1 Alerting Controls

9 NSHaRP Mechanism to Quickly and Effectively inform affected users Adds Value - Serves as an extension to NRENs CERT An Automated Incident Notification & Handling System Extends NRENs detection and mitigation capability to GEANT borders Innovative and Unique - Caters for different types of requirements Supported with GEANT NOC TTS

10 NSHaRP - Netreflex Netreflex 2.9 BGP, IS-IS & Netflow Mashup Path Through Network Anomaly Detection & Alerting Diverse Pallet Ability to create profiles..lots of profiles New Peering's Expandable Anomaly Type capability New Event Types Can also be used by the NOC Traffic Analysis

11 Netreflex Anomaly Detection

12 Netreflex Anomaly Analysis

13 Layer 2 Investigative Controls

14 NfSen Netflow Sensor Easily navigate through the netflow data. Process the netflow data within the specified time span. Set alerts, based on various conditions.

15 NfSen Graphing Netflow Graph Flows from Multiple Routers View Time Slice / Window Protocol / Packet / Flows Analyse Flows (Incidents) Dimensional Near Zero Day Analysis

16 NfSen Drill Down AS Number Subnet Country Zone Data Source Date Registered Total Bytes Final AS /13 GB ripencc BROADBAND-AS /21 US arin LEASEWEB-US /24 US arin YOUTUBE /24 US arin GOOGLE /18 IE ripencc /20 CN apnic /16 GB ripencc BSKYB- LGI-UPC Liberty Global Operations CHINANET- BACKBONE NTL Virgin Media Limited #

17 NfSen Alerting

18 Layer 3 Analytical Controls

19 Splunk Log Level Analytics Provide Visibility of Low Noise Events Non Netflow Trends Consolidate Logging Across Departments Across Roles Reporting Aspects Big Picture Today vs. Yesterday

20 Splunk Detailed Alerts #

21 Layer 4 Physical Controls

22 Network Layer Protections IP Network Segmentation Zones (IPv4 & IPv6) PENETRATION TESTING Standardised Firewall Filters Rapid Deployment Security Baseline Day 1 GEANT Access Control Radius-Based Authentication Restrict Protocols (Management) PORT 443 PORT 22 PORT 139 Penetration Testing DANTE Confirm Best Practice

23 Layer 5 Soft Controls

24 Those Two Magic Words Trust Me Lets Talk I'm Pregnant Greek Default Been Hacked SECURITY AUDIT 24

25

26 Security Audits #

27 Security Audits Resolved Issues Logical changes: Audit physical security measures of Cambridge locations Critical systems are targeted by penetration tests All programmers attended Secure Code Training Implemented Technical Training Programme for NOC Technical Changes: signatures used for all correspondence #

28 NREN & ISP Security Working Group EC Review Recommendation 32 Requirements: A high-level management review of the security measures in place Share knowledge of current threats experienced in large networks List the recommended physical security approaches for listed threats Define areas of co-operation for research and incident mitigation activities

29 Working Group Members NREN & ISP Security Working Group Commercial ISP Security Specialists EU Security Agency Sister R&E Networks GÉANT Operator GÉANT NRENs #

30 Security WG Report Process & Technology Findings Policy Develop a Service Approach Policy for BYOD Threat and Risk Assessment Perform Stress Test on Security Systems Perform Annual Security Exercises Technology Solutions One-Time Password Solution for Critical Systems #

31 Security WG Report People & Physical Security Findings Organisation Review Staffing Levels Implement Privacy Officer Role Identify Management Digitally Sign PDFs Produced for Dissemination Physical Security of Operational Facilities Place Web Cameras in GÉANT Racks (PoPs) #

32 CHALLENGES IMPLICATIONS FOR TOMORROW Logical changes Align controls with ISO Train the Trainer Course Mobile encryption Full disk encryption Technical changes Investigate and implement NAC (WG) Investigate controls and restrictions based on location #

33 CHALLENGES WHO IS THE REAL THREAT? I wish I would ve known about this meeting. Now, I don t have time to pick up any lunch and I m starving. How the NSA could start slowly making it up to us Excuse me sir. Here is your favourite sandwich and a side of potato salad just like you like it. #

34 CHALLENGES TOMORROW S THREATS Nation State Snowden Effect Controlling access to the infrastructure Monitoring (Links / Webcams) Procedures Access to information Encryption, rights management Cloud Security Requirements* Access control? Encryption as a standard Privacy (legal obligations)* Risk-based approach* #

35 In Conclusion GÉANT : What is Why Defence in Depth? A Layered Approach Layer 1 NSHaRP & Netreflex Layer 2 NfSen Layer 3 Splunk Layer 4 Network Layer Protections Layer 5 Policies & Guides

36 Questions & Answers

37 Thank you! Connect Communicate Collaborate