Security Topics Update - internet2.edu · •Internet2/EDUCAUSE Security Task Force •Current...

Security Topics Update Christopher Misra Doug Pearson April 2008


Security Topics Update

Christopher Misra
Doug Pearson
April 2008


Session outline

• Salsa
• Internet2/EDUCAUSE Security Task Force
• Current Salsa activities
• Working group updates
  • CSI2, DR, FWNA, DNSsec
• REN-ISAC


Salsa

• Salsa is an oversight group consisting of technical representatives from the higher education community
• who will advise on leading edge technology issues, provide prioritization, and set directions in the security space.
• Salsa works in collaboration with the EDUCAUSE/Internet2 Security Task Force


Security Task Force

• Internet2 and EDUCAUSE established the Computer and Network Security Task Force in July 2000. The task force works to improve information security and privacy across the higher education sector by actively developing and promoting effective practices and solutions for the protection of critical IT assets and infrastructures.


Security Task Force

• STF Resources
  • http://www.educause.edu/security
• Security Professionals Conference
  • http://www.educause.edu/sec08
  • May 4-6 2008 in Arlington, VA
• Security Discussion List
  http://www.educause.edu/SecurityDiscussionGroup/979
• Effective Practices Guide
  https://wiki.internet2.edu/confluence/display/secguide/


REN-ISAC

• A private trust community for R&E security protection and response
  • http://www.ren-isac.net
  • collect, derive, analyze, & disseminate threat information. Supports member understanding of threats, protection, and mitigation.
• 24x7 Watch Desk ([email protected], +1 317 274 6630)
• More on this shortly…


REN-ISAC and other Communities

• REN-ISAC augments existing security efforts on Higher Education
• REN-ISAC list is a place for:
  • Sharing sensitive, operational information
  • Leveraging a trusted community
• EDUCAUSE Discussion Group is a place for:
  • Asking general questions
  • Sharing resources/effective practices & solutions


Security Architecture

• Information Security is composed of:
  • Policies
  • Procedures
  • Technologies/Tools
• But what provides a coherent plan to ensure that we meet our IT security goals?


Security Architecture Drivers

• Security systems are complex
  • The interrelation between components is not obvious
  • The technical details of security systems can obscure perspective with respect to other critical systems
• Tools are not always completely compatible with the desired outcome


Security Architectures

What do we mean by information security architecture?

Architecture: n. Orderly arrangement of parts; structure

“Creating organized structures, using tools, techniques, and procedures, to cohesively mitigate information security risk consistent with policy.”


CAMP: Bridging Security and Identity Management

• Explored issues surrounding the three themes:
  • privacy and compliance
  • threat and risk mitigation
  • Scalability
• Each of which requires a bridge between security and identity management.

http://www.educause.edu/camp081
• February 13–15, 2008
• Tempe Mission Palms, Tempe, Arizona


CAMP: Bridging Security and Identity Management

• Consistent themes which emerged
  • Middleware and Security share common goals if not necessarily a common heritage
  • Federations pose unique strengths and pose particular security challenges
  • Organizational structures impart less influence than shared mission


CAMP: Themes and conclusions

• Security and Middleware staff need to be engaged with IdM design and implementations
  • Working with them now may both prevent bad things and even facilitate good things
  • We are probably trying to solve some of the same problems
• Educating your user community about realigned middleware drivers is in our collective interest
  • Preventing data leakage from poorly managed applications and authorizations


Salsa-CSI2 working group

• Chartered to organize activities/create tools to identify security incidents
  • How they can be better identified
  • How information about the incidents can be shared
  • To improve the overall security of the network and the parties connected to the network.
• Focusing on the shifting landscape problem


Salsa-CSI2: Recent activities

• The Shifting Landscape problem
• APHIDS


Salsa-CSI2: RENOIR

• Research and Education Networking Operational Information Repository
• Design around the concept of ticket system handling security data
  • vast array of sources
• Organizing the data into high-level cases
  • use for reporting on daily operational incidents.
• Rely on a trusted third-party to facilitate communication


Salsa-CSI2: The Shifting Landscape

• The IT security community has seen two major paradigm shifts over several years.
  • IT vendors have finally begun shipping products secure by default.
  • Attackers have become financially motivated and increased their operational sophistication.
• These shifts require a major rethinking of how we manage security in the enterprise.


Salsa-CSI2: The Shifting Landscape

• The threat environment facing higher education remains highly dynamic
• Some tools do not quite have the impact they once did
  • Many warrant less time/money/energy.
• Not a new term but reflects the current state well


Salsa-CSI2: The Shifting Landscape

• The context of the tool is critical to understand its value.
  • E.g. While Nessus as a tool for assessing security posture for network registration has lost a bit of its luster, Nessus as a general vulnerability assessment tool *remains* useful.
• Several presentations at EDUCAUSE regional
  • Half-day seminar coming up at security professionals conference in two weeks


Salsa-CSI2: The Shifting Landscape

• List of the effectively used advanced security tools
• Two cases of tool evaluation
  • When you have a clear technical requirement
    • need to know what best/most widely
    • pointers to a functional tool taxonomy
  • What's the most efficient/effective way to allocate resources for tools?
• Engagements with the STF Effective Practices working group


Salsa-CSI2: APHIDS

• APHIDS is a non-traditional intrusion detection system (IDS).
  • Most IDSes monitor network traffic or activity on an individual host, while APHIDS monitors the results returned by search engines.
• The project's goal is to provide
  • an easy, automated method for security professionals to find problematic content on web sites in their domains.


Salsa-CSI2: APHIDS

• Automated finding of problematic content includes
  • vulnerable web applications
  • evidence of intrusions/exposed sensitive data
• A web searching IDS is important because it is increasingly difficult to stay fully aware of an organization's web presence.
  • New sites, pages, documents may be added on a daily basis without the knowledge or approval
  • Attackers are also increasingly reliant on search engines to identify vulnerable targets and perform reconnaissance.
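
Added example (not APHIDS code and not from the original slides): a sketch of the triage step these two APHIDS slides describe, run over constructed search-engine results for the placeholder domain example.edu. The result record fields, the indicator patterns and the host inventory are all assumptions.

```python
import re
from urllib.parse import urlsplit

# Assumed content indicators for the categories named on the slide.
# These patterns are illustrative and are not APHIDS rules.
INDICATORS = {
    "exposed-directory-listing": re.compile(r"\bindex of /", re.I),
    "ssn-like-number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "injected-spam": re.compile(r"\b(cheap pills|online casino)\b", re.I),
}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def in_domain(host, domain):
    # Exact host or a true subdomain; a lookalike suffix must not match.
    return host == domain or host.endswith("." + domain)

def triage(results, domain, known_hosts):
    """Map each in-domain result URL to the reasons it needs review."""
    findings = {}
    for r in results:
        host = host_of(r["url"])
        if not in_domain(host, domain):
            continue
        reasons = []
        if host not in known_hosts:
            # A site that appeared without the security team's knowledge.
            reasons.append("host-not-in-inventory")
        text = r["title"] + " " + r["snippet"]
        reasons += [name for name, rx in INDICATORS.items() if rx.search(text)]
        if reasons:
            findings[r["url"]] = reasons
    return findings

# Constructed search-engine results (hypothetical record layout).
SAMPLE_RESULTS = [
    {"url": "https://www.example.edu/admissions", "title": "Admissions",
     "snippet": "Apply for fall term."},
    {"url": "http://lab7.example.edu/files/", "title": "Index of /files",
     "snippet": "roster.xls 01-Mar-2008"},
    {"url": "https://www.example.edu/news?id=3", "title": "Campus news",
     "snippet": "Buy cheap pills, online casino bonus"},
    {"url": "https://dept.example.edu/grades.txt", "title": "grades.txt",
     "snippet": "Doe, Jane 000-12-3456 B+"},
    {"url": "http://www.example.edu.lookalike.invalid/", "title": "Index of /",
     "snippet": "mirror"},
]
KNOWN_HOSTS = {"www.example.edu", "dept.example.edu"}

if __name__ == "__main__":
    for url, why in triage(SAMPLE_RESULTS, "example.edu", KNOWN_HOSTS).items():
        print(url, why)
```
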


Salsa-FWNA working group

• Engaged with the eduroam community
  • http://www.eduroam.org/
• Recently less progress, but interest continues
• Evolving engagement with TNC


Salsa-FWNA: Current work

• RADIUS and SAML
  • Integrating Network Authentication and Attribute Exchange
  • Work on a specification that defines a profile that includes messages and flows from both RADIUS [RFC2865] and SAML specifications (both v1.1 and 2.0).
  • Still in draft form
• Engagement with IETF NEA and TNC
  • Continuing topic of discussion...


Salsa-FWNA: RADIUS and SAML

• The specification is taking advantage of SAML services
  • That are already defined and deployed for exactly this purpose.
• Availability of these SAML attributes provides:
  • Network Provider RADIUS server with the option of implementing a more flexible access control policy than possible with standard RADIUS.
• This specification describes a server communicating with SAML entities
  • No web browsers are involved.


Salsa-FWNA: RADIUS and SAML


Salsa-DR

• Disaster Recovery working group formed April 2007
  • to explore and document recommended practices for disaster planning and recovery,
  • especially for Higher Ed if and as those needs are distinct from those of other large enterprises
  • liaising with other groups or organizations as appropriate

http://security.internet2.edu/dr/


Salsa-DR: Charter

• contingency planning;
• developing and testing recovery plans, policies, and procedures;
• warm and hot site strengths, weaknesses, and potential pitfalls;
• contractual and SLA models and guidance
  • See: http://security.internet2.edu/dr/docs/Sample-Interschool-Agreement.pdf
• Mass notifications


Salsa-DR: Mailing list

• Working Group Chair
  • Don MacLeod, Cornell University
• To subscribe to the Salsa-DR list, send email to sympa at internet2 dot edu, with the subject line:
  subscribe <list name> FirstName LastName
• For example:
  • subscribe salsa-dr Jane Doe


Cyberinfrastructure Architectures, Security and Advanced Applications

• When talking with users about cyberinfrastructure and advanced applications, security is a topic which often comes up -- but not for the right reasons. More often than should be the case, some security practices and some security-oriented network architectures hinder rather than help users to do their work. What can be done to avoid this? How can we have both secure cyberinfrastructure and an application-friendly online environment at the same time?


Other Topics: What we all think about

• Protecting sensitive data
  • Not just the enterprise data, but the researcher data
  • Whole disk encryption
  • Tools like CU-Spider and others
• Identity management
  • In higher-ed, there's a lot of business process and policy issues as well as technology
• Malware (viruses, worms, spyware, etc.)
  • Signatures are not sufficient
• Distributed denial of service attacks
  • E.g. CastleCops


Other Topics: What we may not all be thinking about

• The strategic importance of DNS
• The value of sector-based security operations and the REN-ISAC
• {Spam, DDOS, etc} and its impact on the infrastructure
• Evolving firewall management strategies to accommodate advanced applications
• Federated identity and leveraging it for access control
• These haven't changed much since our last meeting


DNS: More to think about

• Consider DNS monitoring
  • Using query logs to analyze malicious activity
• How much priority is DNS given locally
  • Recent software, proper, secure configuration, change management
• Name servers aren't just a *tool* for conducting distributed denial of service attacks, they're also a *target* for distributed denial of service attacks


DNSSec

• DNSSec Internet2 Pilot
  http://www.dnssec-deployment.org/internet2/
• Internet2 DNSSEC pilot (funded by DHS and facilitated by Shinkuro)
• Each campus should evaluate their plans
  • What are you doing? Not doing?
  • Do you care? should you?


What is not in these slides?

• While not comprehensive, these slides represent current thoughts around activities of interest
  • We are more interested in what is NOT here and should be
  • Send a note to Joe St Sauver
    [email protected]
