Network IDS/IPS
===============
Bro
Snort
Tipping Point ~1.2gbps (UW)

Flow based tools
================
Netflow
Argus
Sampling issues with flow analysis.
Lots of custom flow analysis tools
Flow data handling tools (data management): nfdump/nfsen
inMon / RNA (host network profiling)

Host Based Systems
==================
Tripwire
Osiris
Centralized log servers
Configuration checkers
tcpwrappers
Eddie - host data correlation
Prelude - log correlation
Checking of permissions on files
BlackIce
syslog monitoring

Others
======
Border Firewalls
ACLs
Self scan portal (UW)
Wireless monitoring
Darknet information sharing

Scanning
========
Nessus
nmap
Advise weaknesses (no big brother)

Incident Response
=================
Cross-agency boundary IR.
Tabletop exercises between different sites
Teragrid contact information for IR
Profiling of users.
Ignoring scans in general
Templates for IR
Levels of trust for different sites.
"Safe" responses to incidents. (Automated incident response)
Who do you contact? Just the user, or the admins at the remote site?
No centralized reporting or correlation within NSF. Probably would work on VO's, e.g. the Teragrid effort.
Sites tend to work within the various organizations and communities that the site knows.
Ticketing systems (e.g. RT)
Secure Jabber server
Twiki
Freeform vs security incident ticketing format
During a major incident, e.g. Abilene, who else should they contact?
Range of sites, from dedicated sites to project oriented sites, e.g. universities, labs.
Centralized vs. non-centralized. Site, VO, project.
Formalized procedures for IR (about 1/2 of the group)
Documentation and preservation of data for evidence collection
Can't do evidence collection on every incident. Varies by incident.
Consider checksumming (e.g. MD5) the data collected.
Lots of resources available for data collecting and forensics
Sites not necessarily held to the same "chain of custody" standards as LE
Consider site evidence issues. Requirements sites are under.
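The notes above recommend checksumming collected evidence so that its integrity can be demonstrated later. The following is an added example, not part of the workshop notes: it builds a manifest (path, size, MD5 as the notes mention, plus SHA-256) over a directory of collected files, records who collected them and when, and re-verifies the directory against that manifest. The evidence files, the case id, the collector name and the directory layout are all constructed for the demo.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path

HASH_ALGOS = ("md5", "sha256")  # MD5 as in the notes; SHA-256 added as the stronger digest


def hash_file(path, algos=HASH_ALGOS):
    """Stream the file once and return {algo: hexdigest} for every algorithm."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def build_manifest(evidence_dir, collector, case_id):
    """Record every file under evidence_dir with size and digests, plus collection metadata."""
    evidence_dir = Path(evidence_dir)
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        entries.append({
            "path": path.relative_to(evidence_dir).as_posix(),
            "size": path.stat().st_size,
            "hashes": hash_file(path),
        })
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return a list of (path, problem) pairs; an empty list means the evidence is intact."""
    evidence_dir = Path(evidence_dir)
    problems = []
    for entry in manifest["files"]:
        path = evidence_dir / entry["path"]
        if not path.is_file():
            problems.append((entry["path"], "missing"))
        elif hash_file(path) != entry["hashes"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Constructed evidence set: manifest, clean verification, then detection of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "evidence"
        (root / "logs").mkdir(parents=True)
        # constructed sample content, not real logs
        (root / "logs" / "auth.log").write_text(
            "Jan  5 03:12:44 node10 sshd[2211]: Accepted publickey for alice from 192.0.2.10\n")
        (root / "snort.alert").write_text("[**] [1:1000001:1] LOCAL SSH scan [**]\n")

        manifest = build_manifest(root, collector="analyst (constructed)", case_id="CASE-0000")
        clean = verify_manifest(root, manifest)

        # Simulate a post-collection modification of one file.
        with open(root / "logs" / "auth.log", "a") as f:
            f.write("tampered\n")
        tampered = verify_manifest(root, manifest)
        return clean, tampered, manifest


if __name__ == "__main__":
    clean, tampered, manifest = demo()
    print(json.dumps(manifest, indent=2))
    print("before tampering:", clean)
    print("after tampering: ", tampered)
```

The manifest should be written outside the evidence tree (or to write-once media) and its own digest noted in the incident ticket; a manifest stored inside the tree it describes can be altered together with the files.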
Research Problems Suggestions
=============================
Distributed IDS across Teragrid - 30/40G backbones
Correlation of multiple sensors
Virtual IDS for overlay networks - handling VO's
Prevention of source spoofing
Accountability
IPv6 and NIDS
Naming and context of naming, assurance and scoping of names
Maintain anonymity
Enforcing consistent state in connections - different window sizes, etc.
Resiliency and reliability. How a system fails.
High speed IDS.
Placement of IDS and security in depth.

IDS privacy and legal issues
============================
Collecting of data susceptible to Freedom of Information Act
HIPAA related data issues
Subpoena bait
DMCA
Log keeping. How long does a site keep logs?
Data handling within projects. What data is within projects, and what requirements do they fall under?

Issues
======
Dealing with IPv6
Missing IDS traffic
Correlating IDS with host related data
Network flow and IDS correlation.
Correlating information from remote sites.
Attackers encrypting traffic
What's appropriate for smaller labs. Don't control remote hosts.
How to provide a more secure service for collaboration.
How to provide access for guests.
Enabling users to protect themselves.
Reactive vs proactive
International issues with IR (blackholes/language barriers)
Establishing cross site trust relationships
Are IDS's worth it? Performance issues. Failure mode.
Worthwhile for NSF to require membership of security related IR reporting groups?
Requirement for security related component for NSF grants?
Ensuring infrastructure configurations - Rancid
Two factor authentication
Jump off server for accessing a site
Third party monitoring organizations
Outsourcing monitoring capabilities

Key Points
==========
IDS is one tool in a bag of tools
No one size fits all. All sites are different: different priorities, different mix of tools
Flow tools are useful as a complement to IDS
Syslog is useful as a HID, especially when correlated with IDS
Data correlation is proving to be a valuable tool.
  - Sites just starting to look into data correlation.
Still a lot of open research topics.
Know thy network is still valid.
Know the requirements the site is under.
Know researchers and resources.
Have an Incident Response plan and procedure.
Sites have developed out of band communications and found them useful, e.g. encrypted email, Jabber servers, etc.

Links
=====

Darknet/Internet Motion Sensor webpages
========================================
http://www.cymmu.com/Darknet/index.html
http://ims.eecs.umich.edu

(FIRST) Forum for Incident Response and Security Teams
==============================================
http://www.first.org

NSP-SEC Email List
==================
http://puck.nether.net/mailman/listinfo/nsp-security

SGUIL
=====
http://sguil.sourceforge.net/

Security Conferences
====================
www.educase.edu/security
Defcon
SANS
Joint-Techs
USENIX

Priorities
==========
IPS
IDS/flows/syslog/host based
IDS/vulnerability/syslog/host based
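Both the Issues list ("Network flow and IDS correlation", "Correlating IDS with host related data") and the Key Points ("Syslog is useful as a HID, especially when correlated with IDS") point at the same practice: join an IDS alert with the flow records and the host syslog events around it. The following is an added example, not code from the workshop or from any of the tools named on this page. It parses constructed Snort-style fast alerts, constructed nfdump-style flow CSV and constructed syslog lines (RFC 5737 addresses, local-range rule SIDs, a fixed year because neither syslog nor fast alerts carry one), then, for each alert, counts the matching flows and bytes within a time window and checks the destination host's syslog for events involving the alert's source. The IP-to-hostname table is also an assumption made up for the demo.

```python
import csv
import io
import re
from datetime import datetime, timedelta

YEAR = 2004  # constructed: neither syslog nor Snort fast-alert lines carry a year

# Constructed sample inputs (RFC 5737 addresses, SIDs in the local 1000000+ range).
IDS_ALERTS = """\
01/05-03:12:40.120000  [**] [1:1000001:1] LOCAL SSH scan [**] [Priority: 2] {TCP} 198.51.100.7:51022 -> 192.0.2.10:22
01/05-03:12:45.300000  [**] [1:1000002:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 198.51.100.7:51023 -> 192.0.2.10:22
01/05-03:20:01.000000  [**] [1:1000003:1] LOCAL web server response anomaly [**] [Priority: 1] {TCP} 192.0.2.55:80 -> 203.0.113.9:44012
"""

# nfdump-style CSV export: start, end, proto, src, sport, dst, dport, packets, bytes
FLOWS_CSV = """\
ts,te,pr,sa,sp,da,dp,ipkt,ibyt
2004-01-05 03:12:39,2004-01-05 03:12:46,TCP,198.51.100.7,51022,192.0.2.10,22,40,3200
2004-01-05 03:12:44,2004-01-05 03:12:47,TCP,198.51.100.7,51023,192.0.2.10,22,38,3050
2004-01-05 03:12:49,2004-01-05 03:13:30,TCP,198.51.100.7,51030,192.0.2.10,22,410,61200
2004-01-05 03:19:58,2004-01-05 03:20:03,TCP,203.0.113.9,44012,192.0.2.55,80,12,1400
2004-01-05 03:40:00,2004-01-05 03:40:05,TCP,198.51.100.7,52000,192.0.2.10,22,5,300
"""

SYSLOG = """\
Jan  5 03:12:44 node10 sshd[2211]: Failed password for invalid user oracle from 198.51.100.7 port 51022 ssh2
Jan  5 03:12:45 node10 sshd[2214]: Failed password for root from 198.51.100.7 port 51023 ssh2
Jan  5 03:12:48 node10 CRON[2216]: (root) CMD (run-parts /etc/cron.hourly)
Jan  5 03:12:50 node10 sshd[2219]: Accepted password for root from 198.51.100.7 port 51030 ssh2
"""

HOSTS = {"192.0.2.10": "node10", "192.0.2.55": "www1"}  # constructed IP -> syslog hostname map

ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]\s+(.*?)\s+\[\*\*\]"
    r".*?\{(\w+)\}\s+([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)$")
SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d+)\s+(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+?)(?:\[\d+\])?:\s+(.*)$")
FROM_RE = re.compile(r"\bfrom\s+([\d.]+)\b")


def parse_alerts(text):
    """Snort fast-format alert lines -> dicts with a datetime and the 5-tuple."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip anything that is not a fast-format alert line
        mon, day, hms, sid, msg, proto, src, sport, dst, dport = m.groups()
        ts = datetime.strptime(f"{YEAR}-{mon}-{day} {hms}", "%Y-%m-%d %H:%M:%S")
        out.append({"ts": ts, "sid": sid, "msg": msg, "proto": proto,
                    "src": src, "sport": int(sport), "dst": dst, "dport": int(dport)})
    return out


def parse_flows(text):
    """nfdump-style CSV -> dicts with start/end datetimes, endpoints and byte count."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append({"ts": datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S"),
                    "te": datetime.strptime(row["te"], "%Y-%m-%d %H:%M:%S"),
                    "sa": row["sa"], "da": row["da"], "bytes": int(row["ibyt"])})
    return out


def parse_syslog(text):
    """BSD syslog lines -> dicts; 'peer' is the IP after 'from', if the message has one."""
    out = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hms, host, prog, msg = m.groups()
        ts = datetime.strptime(f"{YEAR} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
        ip = FROM_RE.search(msg)
        out.append({"ts": ts, "host": host, "prog": prog, "msg": msg,
                    "peer": ip.group(1) if ip else None})
    return out


def correlate(alerts_text, flows_text, syslog_text, window_s=30):
    """For each alert: flows between the same two hosts overlapping +/- window, and
    syslog events on the destination host in that window that name the alert source."""
    alerts, flows, events = parse_alerts(alerts_text), parse_flows(flows_text), parse_syslog(syslog_text)
    w = timedelta(seconds=window_s)
    results = []
    for a in alerts:
        lo, hi = a["ts"] - w, a["ts"] + w
        pair = {a["src"], a["dst"]}  # direction-agnostic: flows may be exported either way
        matched = [f for f in flows if {f["sa"], f["da"]} == pair and f["ts"] <= hi and f["te"] >= lo]
        host = HOSTS.get(a["dst"])
        host_events = [e for e in events
                       if e["host"] == host and lo <= e["ts"] <= hi and e["peer"] == a["src"]]
        results.append({
            "sid": a["sid"], "msg": a["msg"], "src": a["src"], "dst": a["dst"],
            "flows": len(matched), "bytes": sum(f["bytes"] for f in matched),
            "host_events": len(host_events),
            # a successful login from the alert source right after the alert is what makes
            # this worth escalating rather than ignoring as "just a scan"
            "accepted_login": any("Accepted" in e["msg"] for e in host_events),
        })
    return results


if __name__ == "__main__":
    for r in correlate(IDS_ALERTS, FLOWS_CSV, SYSLOG):
        flag = "ESCALATE" if r["accepted_login"] else "triage"
        print(f'{flag:9} {r["msg"]}: {r["flows"]} flows / {r["bytes"]} bytes, {r["host_events"]} host events')
```

The window and the host map are the two site-specific knobs: clock skew between the sensor, the flow collector and the hosts sets the minimum usable window, and the host map is whatever the site's inventory or DNS provides. The same join is what lets a site "ignore scans in general" while still catching the scan that was followed by a successful login.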