Ki-Sung Yu. Supercomputing Center, KISTI. Introduction of KREONET. Security Activities on KREONET CERT-KREONET. S&T-SEC Activities

Transcription

1 Freedom and Security in Computer s Contents CERT- and S&T- SEC Activities Ki-Sung Yu Supercomputing Center, KISTI Introduction of Security Activities on CERT- 1 2 Overview Korea s national science & research network Funded by MOST since Gbps backbone, 1- access networks 200 connected organizations/ 100,000 users GLORIAD for international connections Two s : KR to US (Transpacific), KR to CN (HK) KREONet2 Hybrid optical and packet switching facility Dark-fiber () and SONET/SDH ring Native IPv4, IPv6 and lightpath provisioning Routed path and lightpath over a single link Mbone IPv6 Gigabit KIX/NCA BIX/NCA DIX/DACOM KTIX/KT 6NGIX/NCA Enterprise Backbone Advanced R&D 20G KOREN USA / Dacom GLORIAD (USA, China) 155M Japan (APAN-JP) Europe (TIEN) 3 4 Hybrid Backbone s Packet Switched s 10 20Gbps Optical Circuit Switched s WDM 120G The first Stage of : , 7 members, regional testbed 1~10 Gbps link(wire) Link (wired) bps 54Mbps Link link(wireless) bps 54Mbps(wireless) ~1.5 Gbps link(fso) Link 10 40Gbps 5 10 Gbps bps (?? ) 54Mbps(wireless) ~1.5 ~1.2 Gbps (FSO) Jeju Jeju 5 6

2 KGN : 30 members (~) 6GN KMA Gyunggi (, ) Chungnam CNU GSR12406 Core OSR 7609 OSR 7609 Cisco 20G GSR12406 China/ CSTNET Gwangju Jeonbuk Gwangju ONS15600 Core KISTI US, Canada/ StarLight, PacWave, CA*net4, Etc. Media Lab 7 8 GLORIAD Participation GLORIAD (GLObal RIng for Advanced Applications Development) Global Ring topology for advanced science applications Started as the Little GLORIAD, funded by US, Russia, China 4 th core member participation on Sept Korean government(most) decided to fund for joining to GLORIAD consortium.. GLORIAD/IRNC was finally awarded by NSF, Jan Essential to support advanced application developments HEP, Astronomy, Atmospheric sciences, Optical network researches, security researches, etc. The Larger GLORIAD : ing (Canada)-US- (Netherlands)-Russia-China-Korea 9 GLORIAD-KR s 10 GLORIAD-KR s US Amsterdam Moscow Hong Kong, CN Russia (Novosibirsk) China (Beijing) (KR-US) KISTI, Korea () (KR-HK) Korea CNIC, China Hong Kong HKLight CSTNET Korea GOLE (KRLight ) 2*E Seattle, US CANARIE, Canada Calgary Toronto NYC Seattle EU Chicago KR/ CANARIE nodes (L1, L2) E StarLight PacificWave GLIF node (CANARIE, PW) Introduction of Security Activities on CERT

3 Security Activities on Security Activities into three levels Promotion of friendly relations - KrCERT, S&T-SEC - Green Sharing a incident information Cooperation with other organization Yellow CERT- Monitoring Detection CERT- Gathering info. Vulnerability info. Red Zpne Full Mesh Measurement Supporting Incident Response System * IRS * Virtual * HoneyNet * Virus info. Access Control * ACL * Inform/Report * E -mail * International ISP Other CERTs Detect & inform & consult Distribute a guide line for securing a system Inform the incident Activities in each level Cooperate with each manager Inform & alert the incident Introduction of Red Access Analyze traffic Gather event data & classify pattern Security Activities on Yellow Green Backbone Detect a anomaly on backbone Apply an ACL policy Secure & Reliable network -? Clean-? CERT- S&T-SEC Activities Overview of CERT- Mission Early Detection of Incidents of member institutes on Prevention of damages through the rapid response Assurance of Cooperative Incidents Response System Countermeasure against Hacking Organization (24 x 365Response System) Incident Response System Detect a trial of intrusion and analyze & report the inciden t Virtual HoneyNet - Access Control List Apply a access policy using access control list Inform & Report use an e- mail or telephone The process that detects & deal with the incident Router 1. Export a Netflow IRS IRS Collect a NetFlow Analyze a data Find a victim 3. Collect statistics 2. Notify the result To member Using or telephone Statistics Recode incident Take the statistics Make a document Notify Find a victim Trace attacker Take action Other ISP CERT-KR 17 18

4 Honey Net Virtual network for monitoring & analyzing the cyber attack Access Control Security on IX which is connected other ISP Input the traffic Flow Router DB Switch Interface Unix Wondpws Linu x Analyze an Event Black List ACL Exchange Point which enters initially after applying policy Security Policy Packet duplicate Drop Anomaly Filter Module Intrusion Detection Module Detect Add filtering rule Detect a anomaly Pattern DB Introduction of Security Activities on CERT- S&T-SEC Activities Mission Overview of S&T-SECSEC Early Detection of Incidents of research institutes in science & technology field Prevention of damages through the rapid response Assurance of Cooperative Incidents Response System Countermeasure against Hacking, especially in Science & Technology fields Background of establishing a S&T-SECSEC Increase the threat There were many worm- virus or backdoor Outbreak the important information There were some accident which drained the important information Attacked by international hacking group There were some record which attacked by international hacki ng group Rise a necessary of establishing the organization needs the national center for securing a national information S&T-SEC was officially opened in March, last year S&T-SEC SEC Operation Architecture How to collect a data (1) Detection Analysis Announcement Event Analysis Packet Analysis Report Management Rule definition ISP TMS IDS/Firewall Mails Vendors Monitoring End-Users Abnormal Vuln. Int l Trends Incident Reports MOST MOST S&T-SEC SEC Analysis Discuss Gathering Warning KrCERT Detection Notification Consulting Recovering Maill FAX SMS WEB Secure Messenger TRS Partners & Hot-lined Org. ISP/IDC Research Institutes National Center Vendors The Government Institutes End Users Sensor 1 1 Inform the result of analyzing anomaly traffic TMS server Gathering the pattern of anomaly traffic using sensor Sensor 3 Sensor

5 How to collect a data (2) Cooperation with other org. S&T SEC System security Patch Management Vulnerability Management Gather the traffic info. Log collector (Daemon) info. System log System info. Log Info. System info. - CPU Utilization - Memory Utilization Server Web DNS Mail Sensor S/W update Sensor update Module Vulnerability info. - OS - Application - Backdoor, etc PC Security PC PC Security S/W (PC firewall, vaccine) PC Security Software Research institutes funded by MOST Intrusion detection system Technical support Support the information of system vulnerability info. Vulnerability Info. CISCO Microsoft SUN collect the anomaly data Virus Info. Ahn lab HAUR) McAfee Serve the alarm information Serve the detected info. & guideline * Consult & serve the guideline S&T-SEC * Analyze & Support a trial of intrusion Support virus info. Establish cooperation channel Sharing a domestic & international security information Cooperation org. KrCERT - Korea Internet Security Center NCSC - National Cyber Security Center Consultation for securing The person in charge The representative of org. Consultation with representative Security center activities Expected Results Status Management Connectivity, Line-up Load management CPU, Memory Incident statistic system Secure and reliable R&D 24hrs Monitoring Continual(24 365) Response System Quantitative Objective Qualitative Objective Abnormality Detection within 20 min. with cross -border information sharing Emergency Notification within 10 min. by Hot-line and Others Improvement of judgment accuracy and rapidity based on monitoring results of anomaly indication Accurate estimation of damage statistics Data Analysis Flow, Session Mail filtering Anti-virus, spam Management Utilization, in/out amount Introduction of Security Activities on CERT- Conclusion What is? Korea s national science & research network 20Gbps backbone, 1~ access networks 4th core member participation on GLORIAD project CERT- Incident Response System Access Control List HoneyNet Activity of securing a mail S&T-SEC Activities S&T-SEC was officially opened in March, last year Because of rising a necessary of establishing the organization 29 30