GÉANT: A Defense in Depth Approach
Wayne Routly, Security Manager, DANTE
SURFcert, Utrecht (NL), February 2014
Agenda
  GÉANT Network: technology and forward thinking
  Defence In Depth, Today: A Layered Approach; NSHaRP; Technologies; Security Audits; Changes; NREN & ISP Security Working Group; Demonstrate Leadership
  Challenges, Tomorrow: Raining Cats & DDoS; Snowden Effect
The GÉANT Network
  30 European PoPs
  13,500 km of dark fibre on 18 routes
  50,000 km network infrastructure on 44 routes
  Diversified footprint
  Serves 50 million users, 10,000 institutions, across 43 European countries
  GÉANT is co-funded by Europe's NRENs and the European Commission (EC) under the Seventh Framework Programme (FP7)
  34 Project Partners: DANTE, TERENA, 31 European NRENs and NORDUnet
  158 FTEs annual effort (> 350 individuals) working in GÉANT across Europe
GÉANT: Who, What, How
  State of the Art Pan-European Network / Transit Network / ISP
  30 Physical PoPs
  100 Gb/s
  PB of data shifted
  10 million+ IPs
  100+ Workstations
  Unusual Traffic
  Truly Global Interconnects
  NRENs: 38
  Commercial & Commodity Traffic
A Layered Approach: Overview
  NSHaRP: Security Toolset, Building Future Security
    Netreflex, NfSen, Splunk
  Security Audit: Changes, Procedures & Training for Future Security
    ISO 27001, NAC, Policies, Visibility
  NREN & ISP Security WG: Planning for Future Security
    Future Threats, Hardening Infrastructure
Who, Where, Why and Definitely What
Defence in Depth - A Layered Approach
  Independent layers
  Greater control
  Avoid the eggs-in-one-basket approach: mix of technologies
  1st layer: NSHaRP - Netreflex: Anomaly Detection / Alerting
  2nd layer: NfSen - Alerts / Profiling & Intelligence
  3rd layer: Splunk LM - Logging (Granular Visibility for Alerts)
  4th layer: Network - Segmentation / Authentication
  5th layer: Revision Planning - Policies & Audits
Layer 1 Alerting Controls
NSHaRP
  Mechanism to quickly and effectively inform affected users
  Adds value: serves as an extension to the NRENs' CERTs
  An automated incident notification & handling system
  Extends the NRENs' detection and mitigation capability to the GÉANT borders
  Innovative and unique: caters for different types of requirements
  Supported with GÉANT NOC TTS
NSHaRP - Netreflex
  Netreflex 2.9: BGP, IS-IS & Netflow mashup
  Path through network
  Anomaly detection & alerting
  Diverse palette: ability to create profiles, lots of profiles
  New peerings
  Expandable anomaly type capability: new event types
  Can also be used by the NOC: traffic analysis
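The notification step NSHaRP automates, as an added illustration (not GÉANT/DANTE code): an anomaly seen at the GÉANT border is matched by longest prefix to the NREN whose address space it concerns and turned into a message for that NREN's CERT. The NREN names, contacts, prefixes (RFC 5737 / RFC 3849 documentation ranges) and event field names are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Nren:
    name: str
    cert_contact: str
    prefixes: tuple  # ip_network objects announced to GEANT by this NREN

# Constructed customer table (hypothetical NRENs, documentation prefixes).
NRENS = (
    Nren("NREN-A", "cert@nren-a.example",
         (ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("2001:db8:a::/48"))),
    Nren("NREN-B", "cert@nren-b.example", (ipaddress.ip_network("198.51.100.0/24"),)),
    # NREN-C uses a more specific block inside NREN-B's range; longest match must win.
    Nren("NREN-C", "cert@nren-c.example", (ipaddress.ip_network("198.51.100.128/25"),)),
)

def responsible_nren(ip, nrens=NRENS):
    """Longest-prefix match of an address against the NREN table.

    Returns None for addresses outside the R&E space (e.g. a commodity peer);
    such events stay with the GEANT NOC rather than going to an NREN CERT."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for nren in nrens:
        for net in nren.prefixes:
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = nren, net.prefixlen
    return best

def build_notification(event, nrens=NRENS):
    """Turn a detector event into the notification for the affected NREN's CERT.

    event: dict with 'type', 'victim' (IP), 'rate_bps', 'seen' (ISO timestamp);
    these field names are this example's own convention, not NSHaRP's."""
    nren = responsible_nren(event["victim"], nrens)
    if nren is None:
        return None
    return {
        "to": nren.cert_contact,
        "nren": nren.name,
        "subject": f"[NSHaRP] {event['type']} towards {event['victim']}",
        "body": (f"At {event['seen']} the GEANT border saw {event['type']} of "
                 f"{event['rate_bps'] / 1e6:.0f} Mbit/s towards {event['victim']}."),
    }

# Constructed sample event.
SAMPLE_EVENT = {"type": "UDP flood", "victim": "198.51.100.200",
                "rate_bps": 2.4e9, "seen": "2014-02-10T09:03:00Z"}
```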
Netreflex Anomaly Detection
Netreflex Anomaly Analysis
Layer 2 Investigative Controls
NfSen - Netflow Sensor
  Easily navigate through the netflow data.
  Process the netflow data within the specified time span.
  Set alerts, based on various conditions.
NfSen Graphing
  Netflow graph: flows from multiple routers
  View time slice / window
  Protocol / Packet / Flows
  Analyse flows (incidents)
  Dimensional near zero-day analysis
NfSen Drill Down

AS Number  Subnet            Country  Zone Data Source  Date Registered  Total Bytes  Final AS
5607       151.224.0.0/13    GB       ripencc           2012-08-09       42319700000  BSKYB-BROADBAND-AS
30633      162.210.192.0/21  US       arin              2013-04-26       38765500000  LEASEWEB-US
36040      64.15.113.0/24    US       arin              2006-05-23       36200000000  YOUTUBE
15169      173.194.112.0/24  US       arin              2009-08-17       34067500000  GOOGLE
6830       176.61.64.0/18    IE       ripencc           2011-06-07       28319100000  LGI-UPC Liberty Global Operations
4134       113.105.160.0/20  CN       apnic             2008-11-03       21413100000  CHINANET-BACKBONE
5089       217.137.0.0/16    GB       ripencc           2001-01-30       20848300000  NTL Virgin Media Limited
NfSen Alerting
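The three NfSen steps above (select a time span, drill down to the heaviest sources, alert on a condition) as an added example that is not NfSen's own code: netflow-style records are aggregated per source AS and prefix inside a window, ranked by total bytes like the drill-down table, and tested against an average-rate threshold. The flow records, AS numbers (private range) and threshold are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (start time, src AS, src prefix, protocol, bytes).
FLOWS = [
    (datetime(2014, 2, 10, 9, 0, 10), 64500, "203.0.113.0/24", "udp", 1_500_000_000),
    (datetime(2014, 2, 10, 9, 1, 30), 64500, "203.0.113.0/24", "udp", 1_500_000_000),
    (datetime(2014, 2, 10, 9, 3, 45), 64500, "203.0.113.0/24", "udp", 1_500_000_000),
    (datetime(2014, 2, 10, 9, 2, 0),  64501, "198.51.100.0/24", "tcp", 900_000_000),
    (datetime(2014, 2, 10, 9, 4, 0),  64501, "198.51.100.0/24", "tcp", 600_000_000),
    (datetime(2014, 2, 10, 9, 1, 0),  64502, "192.0.2.0/24", "tcp", 200_000_000),
    (datetime(2014, 2, 10, 9, 7, 0),  64502, "192.0.2.0/24", "tcp", 9_000_000_000),  # outside the window
]

def aggregate(flows, start, end):
    """Total bytes per (src AS, src prefix) for flows starting in [start, end)."""
    totals = defaultdict(int)
    for ts, asn, prefix, _proto, nbytes in flows:
        if start <= ts < end:
            totals[(asn, prefix)] += nbytes
    return dict(totals)

def top_n(totals, n=3):
    """Drill-down view: heaviest sources first, like the Total Bytes ranking on the slide."""
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]

def rate_mbps(nbytes, window):
    return nbytes * 8 / window.total_seconds() / 1e6

def alert(totals, window, threshold_mbps):
    """Alert condition: any source whose average rate over the window exceeds the threshold.
    Other conditions (per-protocol share, flow or packet counts) plug in the same way."""
    return [(key, rate_mbps(b, window)) for key, b in totals.items()
            if rate_mbps(b, window) > threshold_mbps]

WINDOW = timedelta(minutes=5)
START = datetime(2014, 2, 10, 9, 0, 0)
TOTALS = aggregate(FLOWS, START, START + WINDOW)
```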
Layer 3 Analytical Controls
Splunk Log Level Analytics
  Provide visibility of low-noise events: non-Netflow trends
  Consolidate logging: across departments, across roles
  Reporting aspects: big picture, today vs. yesterday
Splunk Detailed Alerts
Layer 4 Physical Controls
Network Layer Protections
  IP Network Segmentation: zones (IPv4 & IPv6)
  Standardised firewall filters: rapid deployment, security baseline from Day 1
  GÉANT Access Control: RADIUS-based authentication
  Restrict protocols (management): port 443, port 22, port 139
  Penetration testing (DANTE): confirm best practice
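A "Day 1 baseline" check for the standardised management filters, added here as an example and not DANTE's filter tooling: the management ports the slide names (22, 443, 139) may only be accepted from the management zones, and each address family's filter must end in an explicit deny. The zones, the rule tuple format and the sample filters are constructed assumptions.

```python
import ipaddress

# Management protocols named on the slide; assumed here to be the set that must be
# reachable only from the management zones.
MGMT_PORTS = {22, 443, 139}

# Constructed management zones (hypothetical, documentation prefixes), one per address family.
MGMT_ZONES = [ipaddress.ip_network("192.0.2.0/26"), ipaddress.ip_network("2001:db8:ffff::/48")]

def in_mgmt_zone(net, zones):
    # Version check first: subnet_of() raises on mixed IPv4/IPv6 operands.
    return any(net.version == z.version and net.subnet_of(z) for z in zones)

def check_filter(rules, mgmt_zones=MGMT_ZONES):
    """Check one address family's filter against the baseline.

    rules: ordered list of (action, source prefix, destination port or None for any port).
    Returns a list of violations; an empty list means the filter meets the baseline."""
    violations = []
    for i, (action, src, port) in enumerate(rules):
        if action != "accept":
            continue
        net = ipaddress.ip_network(src)
        reaches_mgmt = port is None or port in MGMT_PORTS   # 'any port' includes management ports
        if reaches_mgmt and not in_mgmt_zone(net, mgmt_zones):
            violations.append(f"rule {i}: accepts port {'any' if port is None else port} "
                              f"from {src}, which is outside the management zones")
    if not rules or rules[-1][0] != "deny" or rules[-1][1] not in ("0.0.0.0/0", "::/0"):
        violations.append("filter does not end with an explicit deny-all")
    return violations

# Constructed filters: a candidate that misses the baseline and its corrected form.
IPV4_CANDIDATE = [("accept", "192.0.2.0/26", 22), ("accept", "0.0.0.0/0", 443),
                  ("accept", "198.51.100.0/24", None), ("deny", "0.0.0.0/0", None)]
IPV4_BASELINE = [("accept", "192.0.2.0/26", 22), ("accept", "192.0.2.0/26", 443),
                 ("deny", "0.0.0.0/0", None)]
IPV6_CANDIDATE = [("accept", "2001:db8:ffff::/48", 22)]   # no terminal deny
```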
Layer 5 Soft Controls
Those Two Magic Words
  Trust Me
  Let's Talk
  I'm Pregnant
  Greek Default
  Been Hacked
  SECURITY AUDIT
Security Audits
Security Audits - Resolved Issues
  Logical changes:
    Audit physical security measures of Cambridge locations
    Critical systems are targeted by penetration tests
    All programmers attended Secure Code Training
    Implemented Technical Training Programme for NOC
  Technical changes:
    Email signatures used for all correspondence
NREN & ISP Security Working Group
  EC Review Recommendation 32 - Requirements:
    A high-level management review of the security measures in place
    Share knowledge of current threats experienced in large networks
    List the recommended physical security approaches for listed threats
    Define areas of co-operation for research and incident mitigation activities
Working Group Members - NREN & ISP Security Working Group
  Commercial ISP Security Specialists
  EU Security Agency
  Sister R&E Networks
  GÉANT Operator
  GÉANT NRENs
Security WG Report - Process & Technology Findings
  Policy:
    Develop a Service Approach
    Policy for BYOD
  Threat and Risk Assessment:
    Perform stress tests on security systems
    Perform annual security exercises
  Technology Solutions:
    One-Time Password solution for critical systems
Security WG Report - People & Physical Security Findings
  Organisation:
    Review staffing levels
    Implement Privacy Officer role
  Identity Management:
    Digitally sign PDFs produced for dissemination
  Physical Security of Operational Facilities:
    Place web cameras in GÉANT racks (PoPs)
CHALLENGES - IMPLICATIONS FOR TOMORROW
  Logical changes:
    Align controls with ISO 27001
    Train the Trainer course
    Mobile encryption
    Full disk encryption
  Technical changes:
    Investigate and implement NAC (WG)
    Investigate controls and restrictions based on location
CHALLENGES - WHO IS THE REAL THREAT?
  Cartoon: "How the NSA could start slowly making it up to us" (http://thedoghousediaries.com)
    "I wish I would've known about this meeting. Now I don't have time to pick up any lunch and I'm starving."
    "Excuse me sir. Here is your favourite sandwich and a side of potato salad, just like you like it."
CHALLENGES - TOMORROW'S THREATS
  Nation State - Snowden Effect:
    Controlling access to the infrastructure
    Monitoring (links / webcams)
    Procedures
    Access to information: encryption, rights management
  Cloud Security Requirements*:
    Access control?
    Encryption as a standard
    Privacy (legal obligations)*
    Risk-based approach*
In Conclusion
  GÉANT: what it is
  Why Defence in Depth? A Layered Approach:
    Layer 1: NSHaRP & Netreflex
    Layer 2: NfSen
    Layer 3: Splunk
    Layer 4: Network Layer Protections
    Layer 5: Policies & Guides
Questions & Answers
Thank you!
Connect - Communicate - Collaborate
www.geant.net
www.twitter.com/geantnews
www.facebook.com/geantnetwork
www.youtube.com/geanttv