TRANSCRIPT
Carlos Fuentes Bermejo <[email protected]>
GRID Security Incident Handling
3rd TERENA NREN-Grids Workshop, Paris, 27-28th April 2006
Paris, 3rd TERENA NREN-Grids WorkShop/27-28th April 2006 2/16
Index
Incident Handling
How we do with GRID incidents
Future
Incident Handling - Services
Provide technical support
• Through coordination with other CSIRTs
• Forensic analysis
• Information to detect, prevent, and recover from vulnerabilities and attacks
Security audit
Security tools
Documentation
Provide a center for incident handling support to system and network administrators and system users in our community.
Coordinate with other internal/external CSIRTs to analyze the underlying source of the incidents.
GOAL --> Ensure the security of the network infrastructure
Incident Handling at IRIS-CERT
Incident Life Cycle
Incident Handling at IRIS-CERT (2)
Using RTIR (Request Tracker for Incident Response)
Own whois database
• Each IP belongs to an institution with a verified contact point
• Fine-grained mapping mechanisms
Complaints come into RTIR
• By mail/fax/telephone from other CSIRTs/external individuals
• By our IDS sensors
Look through our network flows to verify the complaint, if possible
Redirect the complaint to the customer
• Mainly IT staff
• Work with them to fix the problem
• Get feedback, if possible
Incident Handling at IRIS-CERT (3)
Incident Handling at IRIS-CERT (4)
Incident Handling at IRIS-CERT (5)
Grid Incident Handling - 1st Approach
Incidents are GRID neutral
GRID doesn't need a special treatment for IH
• IRIS-CERT will follow/use the same procedure for IH
IRIS-CERT won't care about GRID infrastructure
• An IP belongs to an institution
• Each part of the GRID is under a regular institution
• Complaints are sent to IT centers and they are redirected.
Problems:
• Slow answer to the problem
• Most IT groups treat GRID machines as normal
• Bad feelings between IT staff and GRID people
Grid Incident Handling - 2nd Approach
IH workflow is still the same
• Including little exceptions
A new game zone
• Institution changes its meaning
• A GRID is a super-institution running over several institutions
• New kind of security problems
Major coordination
• A compromised machine affects more users & institutions
Grid Incident Handling - 2nd Approach
GRID Institution
• Security point of contact
• Define the infrastructure
GRID Incident MUST require
• A shorter response time from GRID's CERT
• A deeper analysis of the compromise
• A deeper follow up
• An answer
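The routing rule on this slide, together with the whois mapping on the "Incident Handling at IRIS-CERT (2)" slide, can be made concrete in code: an IP always maps to a regular institution (1st approach), and a host enrolled in a grid additionally belongs to a super-institution with its own security point of contact and a shorter response target (2nd approach). The following Python is an added example written for this page, not code from IRIS-CERT, RTIR or the slides; the netblocks, contact addresses, grid membership and response targets are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    """A verified security point of contact and its response target."""
    org: str
    email: str
    max_response_hours: int


class ContactDB:
    """Whois-style lookup: institution netblocks plus a grid overlay.

    blocks: institution netblocks; the most specific prefix wins (the
            fine-grained mapping the slides mention).
    grids:  grid name -> (grid security contact, enrolled hosts/netblocks).
            A grid is a super-institution spanning several institutions.
    """

    def __init__(self, blocks, grids):
        self.blocks = {ipaddress.ip_network(n): c for n, c in blocks.items()}
        self.grids = {
            name: (contact, [ipaddress.ip_network(n) for n in nets])
            for name, (contact, nets) in grids.items()
        }

    def institution(self, ip):
        """Longest-prefix match of ip against institution netblocks."""
        addr = ipaddress.ip_address(ip)
        best_net, best_contact = None, None
        for net, contact in self.blocks.items():
            if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
                best_net, best_contact = net, contact
        return best_contact

    def grids_for(self, ip):
        """Every grid that has this host enrolled (a host may be in several)."""
        addr = ipaddress.ip_address(ip)
        return [
            (name, contact)
            for name, (contact, nets) in self.grids.items()
            if any(addr in net for net in nets)
        ]


def route_complaint(db, ip):
    """Decide who receives a complaint about ip and how fast they must answer.

    Returns None when the address is outside the constituency (nothing to
    redirect). Otherwise the regular institution is always notified; if the
    host is enrolled in a grid, the grid's security contact is added and the
    tightest response target among all parties applies, because a compromised
    grid node affects users and institutions beyond the one owning the IP.
    """
    inst = db.institution(ip)
    if inst is None:
        return None
    grids = db.grids_for(ip)
    notify = [inst] + [contact for _, contact in grids]
    return {
        "grid_incident": bool(grids),
        "grids": [name for name, _ in grids],
        "notify": [c.email for c in notify],
        "deadline_hours": min(c.max_response_hours for c in notify),
    }


# Constructed sample constituency: TEST-NET addresses and invented contacts.
UNIV_A = Contact("Univ-A", "[email protected]", 48)
UNIV_A_PHYSICS = Contact("Univ-A Physics dept", "[email protected]", 24)
UNIV_B = Contact("Univ-B", "[email protected]", 48)
GRID_X = Contact("Grid-X security contact", "[email protected]", 8)

DB = ContactDB(
    blocks={
        "192.0.2.0/24": UNIV_A,
        "192.0.2.128/25": UNIV_A_PHYSICS,  # finer mapping inside Univ-A
        "198.51.100.0/24": UNIV_B,
    },
    grids={
        # grid nodes live inside two different institutions
        "grid-x": (GRID_X, ["192.0.2.200/32", "198.51.100.20/32"]),
    },
)

if __name__ == "__main__":
    for ip in ("192.0.2.200", "192.0.2.10", "203.0.113.5"):
        print(ip, route_complaint(DB, ip))
```

The point of the overlay is that the IT centre of the owning institution still receives the complaint (so nothing is lost versus the 1st approach), while the grid's own security contact is reached directly instead of via redirection, and the 8-hour target of the grid contact overrides the 48-hour institutional one.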
Future
Closer relation between NREN CERTs and the GRID community
• IRIS-GRID
• EGEE II
Two fields
• Policies
Proposal at e-IRG (e-Infrastructure Reflection Group) about IH coordination
• Technological
Future (2)
Two fields
• Policies
• Technological
Information retrieval (Whois, …)
Specific vulnerabilities
Interchange format (IODEF?, …)
Mutual trust (PKIs, AAIs, …)
Handling tool harmonization (RTIR, …)
RTIR Working Group
Running under TERENA's task force TF-CSIRT
The aim of this working group
• Extend the current application
New functionalities
• Make it more adaptable for general use of new, as well as established, CSIRTs
Members of the project:
• ACOnet-CERT
• CERT Polska
• CERT.PT
• GovCERT.NL
• IRIS-CERT
• JANET-CERT
• LITNET-CERT
• SUNET-CERT
• SWITCH-CERT
RTIR Working Group (2)
Project Status
• Duration is about a year and a half
• Cost is $95.350
• Contract signed between TERENA and Bestpractical on 6th September
• Started on 6th October
• First milestone is almost over, under testing period
New functionalities
• RT Interaction/Integration
• Multiple Constituency
• Full GPG integration
• New reporting tool
• RTFM (RT FAQ Manager) integration
• Cleaning and Incident Aging tool
• Documentation
Considering functionalities
• IODEF integration
Questions?