GÉANT: A Defense in Depth Approach

Transcription:

GÉANT: A Defense in Depth Approach. Wayne Routly, Security Manager, DANTE. SURFcert, Utrecht.nl, February 2014

Agenda: GEANT Network; Technology and forward thinking; Defence In Depth: Today; A Layered Approach; NSHaRP; Technologies; Security Audits; Changes; NREN & ISP Security Working Group; Demonstrate Leadership; Challenges: Tomorrow; Raining Cats & DDoS; Snowden Effect

The GÉANT Network: 30 European PoPs; 13,500 km of dark fibre on 18 routes; 50,000 km network infrastructure on 44 routes; Diversified footprint; Serves 50 million users, 10,000 institutions; Across 43 European countries. GÉANT is co-funded by Europe's NRENs and the European Commission (EC) under the Seventh Framework Programme (FP7). 34 Project Partners: DANTE, TERENA, 31 European NRENs and NORDUnet. 158 FTEs annual effort (> 350 individuals) working in GÉANT across Europe.

GÉANT: Who, What, How. State of the Art Pan-European Network; Transit Network; ISP; 30 Physical PoPs; 100Gb/s; PB of Data shifted; 10 Million+ IPs; 100+ Workstations; Unusual Traffic; Truly Global Interconnects; NRENs - 38; Commercial & Commodity Traffic

A Layered Approach Overview NSHaRP Security Toolset Building Future Security Netreflex Security Audit Changes Procedures & Training for Future Security NfSen Splunk ISO27001 NAC Policies Visibility NREN & ISP Security WG Planning for Future Security Future Threats Hardening Infrastructure

Who, Where, Why and Definitely What

Defence in Depth - A Layered Approach: Independent Layers; Greater Control; Avoid Eggs in Basket Approach - Mix of Technologies; 1st Layer NSHaRP - Netreflex: Anomaly Detection / Alerting; 2nd Layer NfSen - Alerts / Profiling & Intelligence; 3rd Layer Splunk LM - Logging (Granular Visibility for Alerts); 4th Layer Network - Segmentation / Authentication; 5th Layer Revision Planning - Policies & Audits

Layer 1 Alerting Controls

NSHaRP: Mechanism to Quickly and Effectively inform affected users; Adds Value - Serves as an extension to NRENs' CERT; An Automated Incident Notification & Handling System; Extends NRENs' detection and mitigation capability to GEANT borders; Innovative and Unique - Caters for different types of requirements; Supported with GEANT NOC TTS

NSHaRP - Netreflex: Netreflex 2.9; BGP, IS-IS & Netflow Mashup; Path Through Network; Anomaly Detection & Alerting; Diverse Palette; Ability to create profiles... lots of profiles; New Peerings; Expandable Anomaly Type capability; New Event Types; Can also be used by the NOC; Traffic Analysis

Netreflex Anomaly Detection

Netreflex Anomaly Analysis

Layer 2 Investigative Controls

NfSen - Netflow Sensor: Easily navigate through the netflow data. Process the netflow data within the specified time span. Set alerts, based on various conditions.

NfSen Graphing Netflow: Graph Flows from Multiple Routers; View Time Slice / Window; Protocol / Packet / Flows; Analyse Flows (Incidents); Dimensional; Near Zero Day Analysis

NfSen Drill Down

| AS Number | Subnet | Country Zone | Data Source | Date Registered | Total Bytes | Final AS |
| --- | --- | --- | --- | --- | --- | --- |
| 5607 | 151.224.0.0/13 | GB | ripencc | 2012-08-09 | 42319700000 | BSKYB-BROADBAND-AS |
| 30633 | 162.210.192.0/21 | US | arin | 2013-04-26 | 38765500000 | LEASEWEB-US |
| 36040 | 64.15.113.0/24 | US | arin | 2006-05-23 | 36200000000 | YOUTUBE |
| 15169 | 173.194.112.0/24 | US | arin | 2009-08-17 | 34067500000 | GOOGLE |
| 6830 | 176.61.64.0/18 | IE | ripencc | 2011-06-07 | 28319100000 | LGI-UPC Liberty Global Operations |
| 4134 | 113.105.160.0/20 | CN | apnic | 2008-11-03 | 21413100000 | CHINANET-BACKBONE |
| 5089 | 217.137.0.0/16 | GB | ripencc | 2001-01-30 | 20848300000 | NTL Virgin Media Limited |

NfSen Alerting

Layer 3 Analytical Controls

Splunk Log Level Analytics: Provide Visibility of Low Noise Events; Non Netflow Trends; Consolidate Logging; Across Departments; Across Roles; Reporting Aspects; Big Picture; Today vs. Yesterday

Splunk Detailed Alerts

Layer 4 Physical Controls

Network Layer Protections: IP Network Segmentation; Zones (IPv4 & IPv6); PENETRATION TESTING; Standardised Firewall Filters; Rapid Deployment; Security Baseline Day 1; GEANT Access Control; Radius-Based Authentication; Restrict Protocols (Management); PORT 443, PORT 22, PORT 139; Penetration Testing; DANTE Confirm Best Practice

Layer 5 Soft Controls

Those Two Magic Words: Trust Me; Let's Talk; I'm Pregnant; Greek Default; Been Hacked; SECURITY AUDIT

Security Audits

Security Audits - Resolved Issues. Logical changes: Audit physical security measures of Cambridge locations; Critical systems are targeted by penetration tests; All programmers attended Secure Code Training; Implemented Technical Training Programme for NOC. Technical Changes: Email signatures used for all correspondence

NREN & ISP Security Working Group. EC Review Recommendation 32. Requirements: A high-level management review of the security measures in place; Share knowledge of current threats experienced in large networks; List the recommended physical security approaches for listed threats; Define areas of co-operation for research and incident mitigation activities

Working Group Members, NREN & ISP Security Working Group: Commercial ISP Security Specialists; EU Security Agency; Sister R&E Networks; GÉANT Operator; GÉANT NRENs

Security WG Report - Process & Technology Findings. Policy: Develop a Service Approach; Policy for BYOD; Threat and Risk Assessment; Perform Stress Test on Security Systems; Perform Annual Security Exercises. Technology Solutions: One-Time Password Solution for Critical Systems

Security WG Report - People & Physical Security Findings. Organisation: Review Staffing Levels; Implement Privacy Officer Role; Identify Management; Digitally Sign PDFs Produced for Dissemination. Physical Security of Operational Facilities: Place Web Cameras in GÉANT Racks (PoPs)

CHALLENGES: IMPLICATIONS FOR TOMORROW. Logical changes: Align controls with ISO 27001; Train the Trainer Course; Mobile encryption; Full disk encryption. Technical changes: Investigate and implement NAC (WG); Investigate controls and restrictions based on location

CHALLENGES: WHO IS THE REAL THREAT? "I wish I would've known about this meeting. Now, I don't have time to pick up any lunch and I'm starving." How the NSA could start slowly making it up to us: "Excuse me sir. Here is your favourite sandwich and a side of potato salad just like you like it." http://thedoghousediaries.com

CHALLENGES: TOMORROW'S THREATS. Nation State; Snowden Effect; Controlling access to the infrastructure; Monitoring (Links / Webcams); Procedures; Access to information; Encryption, rights management; Cloud Security Requirements*; Access control?; Encryption as a standard; Privacy (legal obligations)*; Risk-based approach*

In Conclusion. GÉANT: What is; Why Defence in Depth?; A Layered Approach; Layer 1: NSHaRP & Netreflex; Layer 2: NfSen; Layer 3: Splunk; Layer 4: Network Layer Protections; Layer 5: Policies & Guides

Questions & Answers

Thank you! Connect Communicate Collaborate www.geant.net www.twitter.com/geantnews www.facebook.com/geantnetwork www.youtube.com/geanttv