CERT-KREONET and S&T-SEC Activities
2006. 01. 14
Ki-Sung Yu
Supercomputing Center, KISTI
Freedom and Security in Computer Networks
Contents
Ⅰ. Introduction of KREONET
Ⅱ. Security Activities on KREONET
Ⅲ. CERT-KREONET
Ⅳ. S&T-SEC Activities
Ⅴ. Conclusion

Ⅰ. Introduction of KREONET
KREONET Overview
• Korea's national science & research network
  – Funded by MOST since 1988
• 20Gbps backbone, 1-10Gbps access networks
• 200 connected organizations / 100,000 users
• GLORIAD for international connections
  – Two 10Gs: KR to US (Transpacific), KR to CN (HK)
• KREONet2
  – Hybrid optical and packet switching facility
  – Dark-fiber (SuperSIReN) and SONET/SDH ring
  – Native IPv4, IPv6 and lightpath provisioning
    • Routed path and lightpath over a single link
• Mbone
• IPv6 Gigabit Network
KREONET Backbone
(figure: backbone map with nodes Seoul, Suwon, Incheon, Cheonan, Daejeon, Ochang, Jeonju, Kwangju, Changwon, Busan, Pohang and Daegu; link capacities of 20G, 10G and 5G; exchange points KIX/NCA 2G, BIX/NCA 1G, DIX/DACOM 1G, 6NGIX/NCA 1G and KTIX/KT 1G; SuperSIReN as the advanced R&D network; external connections to KOREN, an enterprise network, USA/Dacom, GLORIAD (USA, China), Japan (APAN-JP) and Europe (TEIN), with 155M and 2G links among them)
Hybrid Backbone Networks
(figure: two maps of the same nodes (Seoul, Incheon, Suwon, Cheonan, Daejeon, Ochang, Jeonju, Kwangju, Changwon, Busan, Pohang, Daegu, Jeju); left, the packet switched networks, backbone 10→40Gbps and regional links 5→10Gbps; right, the optical circuit switched networks, 10→20Gbps with WDM 120G; SuperSIReN appears in both)
SuperSIReN
• The first stage of SuperSIReN: 2002-2004, 7 members, 10Gbps regional testbed
(figure: testbed map; legend: 1~10 Gbps link (wired), 54Mbps link (wireless), ~1.5 Gbps link (FSO); most member links are 10Gbps, some 1 Gbps, plus 54Mbps wireless links and ~1.2-1.5 Gbps free-space optical links)
KGN: 30 members (1G~10G)
(figure: map of KGN member regions: Media Lab, Chungnam, Seoul, Gyunggi (Suwon, Incheon), Daejeon, Jeonbuk, Gwangju, Changwon, Pohang, Daegu, Busan)
KREONET 6GN
(figure: Daejeon core and Seoul core built on Cisco ONS15454, ONS15600, GSR12406 and OSR 7609 equipment, 20G between the cores; 10G, 5G and 1G links to KISTI, Daegu, Gwangju, CNU (1G) and KMA (1G); international connections to China/CSTNET and to US, Canada via StarLight, PacWave, CA*net4, etc.)
GLORIAD Participation
• GLORIAD (GLObal RIng Network for Advanced Applications Development)
  – "Global Ring" topology for advanced science applications
    • Started as the Little GLORIAD, funded by US, Russia, China
  – 4th core member participation in Sept. 2004
    • The Korean government (MOST) decided to fund joining the GLORIAD consortium.
    • GLORIAD/IRNC was finally awarded by NSF, Jan. 2005.
  – Essential to support advanced application development
    • HEP, astronomy, atmospheric sciences, optical network research, network security research, etc.
• The Larger GLORIAD: 10Gbps Networking
  (Canada)-US-(Netherlands)-Russia-China-Korea
GLORIAD-KR 10G Networks
(figure: ring map with KISTI, Korea (Daejeon); 10G (KR-US) to Seattle, US; 10G (KR-HK) to Hong Kong; CNIC/CSTNET, China (Beijing); Russia (Novosibirsk, Moscow); Amsterdam/EU; CANARIE, Canada (Calgary, Toronto); Chicago; NYC)
(figure: KR link detail: KREONET and the KRLight GOLE in Korea, OC192 circuits, 2*10GE to HKLight in Hong Kong, CN, and OC192 to the GLIF node (CANARIE, PW) at PacificWave, Seattle, US, with KR/CANARIE nodes (L1, L2) and 10GE onward to StarLight)
Ⅱ. Security Activities on KREONET
Security Activities on KREONET
(figure: CERT-KREONET at the centre, with links to KrCERT and S&T-SEC, international ISPs and other CERTs)
Components:
• Incident Response System (IRS)
• Virtual Network (HoneyNet)
• Inform/Report (e-mail)
• Access Control (ACL)
Activities:
• Promotion of friendly relations with KrCERT and S&T-SEC: sharing incident information, cooperation with other organizations
• Monitoring, detection, supporting; gathering info.; informing members of the incident
• Detect & inform & consult; distribute a guideline for securing a system
• Exchange of vulnerability info. and virus info.
Security Activities into three levels
(figure: KREONET full mesh measurement among Seoul, Suwon, Cheonan, Jeonju, Pohang and Busan; CERT-KREONET classifies its activities into a Green Zone, a Yellow Zone and a Red Zone)
Activities in each level
• Green Zone (Member Network): cooperate with each manager; inform & alert the incident
• Yellow Zone (Access Network): analyze traffic; gather event data & classify pattern
• Red Zone (Backbone Network): detect an anomaly on the backbone; apply an ACL policy
→ Secure & reliable network: "Clean-KREONET"
Ⅲ. CERT-KREONET
Overview of CERT-KREONET
Mission
§ Early detection of incidents at member institutes on KREONET
§ Prevention of damage through rapid response
§ Assurance of a cooperative incident response system
§ Countermeasures against hacking
Organization (24 x 365 Response System)
§ Incident Response System: detect attempted intrusions and analyze & report the incident
§ Virtual Network: HoneyNet
§ Access Control List: apply an access policy using an access control list
§ Inform & Report: use e-mail or telephone
The process that detects & deals with the incident
(figure: KREONET routers at Seoul, Daejeon, Incheon, Cheonan, Kwangju, Daegu, Changwon and Busan export NetFlow to the IRS)
1. Export a NetFlow
   IRS: collect NetFlow, analyze the data, find a victim
2. Notify the result to the member using e-mail or telephone
   Find a victim, trace the attacker, take action
3. Collect statistics: KREONET members, other ISPs, CERT-KR
   Record the incident, take the statistics, make a document
Honey Net
Virtual network for monitoring & analyzing cyber attacks
(figure: traffic is fed through a router and a switch into Unix, Windows and Linux hosts; flow and traffic data are stored in a DB and examined through an interface: Analyze an Event)
Network Access Control
Network security on an IX which is connected to other ISPs
(figure: at the exchange point, packets entering KREONET are duplicated to an Intrusion Detection Module that matches them against a Pattern DB; when an anomaly is detected, a filtering rule is added to the black list/ACL (security policy) of the Anomaly Traffic Filter Module, which then drops anomalous packets while normal packets pass; an anomalous packet which enters initially is dropped after the policy is applied)
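As an added example (not code from the presentation or from CERT-KREONET/KISTI), the two stages described on the IRS process slide and on this slide, in Python: NetFlow-style records are analyzed to find a scanning source and the member hosts it touched (find a victim, trace the attacker), the finding becomes a black-list entry, and a filter module shows that the attacker's packets which enter initially pass while the same traffic is dropped once the policy is applied. The flow records, IP addresses, thresholds, ACL number 199 and the notification wording are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record as a router might export it (fields simplified)."""
    src: str
    dst: str
    dport: int
    packets: int


@dataclass
class Incident:
    kind: str        # only "scan" (one source, many destinations) is detected here
    attacker: str    # traced source address
    victims: list    # member hosts that were contacted
    dport: int


# Constructed sample export (not real KREONET data): 203.0.113.7 probes port 22
# on eight member hosts with one packet each; ordinary web/mail flows are mixed in.
SAMPLE_FLOWS = [Flow("203.0.113.7", f"10.10.{i}.5", 22, 1) for i in range(1, 9)] + [
    Flow("10.10.1.20", "10.10.2.80", 80, 40),
    Flow("10.10.3.9", "10.10.4.25", 25, 12),
    Flow("10.10.1.20", "10.10.4.25", 25, 8),
]


def find_scans(flows, min_targets=5, max_packets=3):
    """IRS analysis (step 1): a source touching many distinct destinations on one
    port with tiny flows is flagged; the destinations are the victims to notify."""
    targets = defaultdict(set)
    for f in flows:
        if f.packets <= max_packets:
            targets[(f.src, f.dport)].add(f.dst)
    return [Incident("scan", src, sorted(dsts), dport)
            for (src, dport), dsts in targets.items() if len(dsts) >= min_targets]


def notification(incident):
    """Step 2: text passed to the member's manager by e-mail or telephone (wording assumed)."""
    return (f"{incident.kind} from {incident.attacker} on port {incident.dport}: "
            f"{len(incident.victims)} hosts contacted, e.g. {incident.victims[0]}")


def acl_rule(incident):
    """Turn a finding into a filtering rule: the black-list key plus, for readability,
    a Cisco-IOS-style extended ACL line (illustrative, not a KREONET configuration)."""
    return incident.attacker, f"access-list 199 deny ip host {incident.attacker} any"


class AnomalyTrafficFilter:
    """The filter module at the exchange point: packets are checked against the
    black list, so nothing is dropped until a policy has actually been applied."""

    def __init__(self):
        self.blacklist = set()
        self.dropped = 0
        self.passed = 0

    def apply_policy(self, incident):
        src, _line = acl_rule(incident)
        self.blacklist.add(src)

    def process(self, src):
        if src in self.blacklist:
            self.dropped += 1
            return "drop"
        self.passed += 1
        return "pass"


def run_pipeline(flows):
    """Replay the export twice: first while nothing is known (all packets enter),
    then after the IRS analysis has fed a rule to the filter module. Returns the
    verdicts of both passes, the incidents and the statistics kept in step 3."""
    filt = AnomalyTrafficFilter()
    before = [filt.process(f.src) for f in flows]      # anomaly packets enter initially
    incidents = find_scans(flows)                       # analyze the collected NetFlow
    for inc in incidents:
        filt.apply_policy(inc)                          # add the filtering rule
    after = [filt.process(f.src) for f in flows]       # same traffic after applying policy
    stats = {"incidents": len(incidents),
             "victims": sum(len(i.victims) for i in incidents),
             "dropped": filt.dropped, "passed": filt.passed}
    return before, after, incidents, stats
```

Calling run_pipeline(SAMPLE_FLOWS) shows all eleven flows passing on the first replay, one scan incident with eight victims, and the eight attacker packets dropped on the second replay while the three normal flows still pass. The thresholds (five distinct targets, at most three packets per flow) are arbitrary and would be tuned against a production export, and a real ACL change would go through the router configuration rather than a string.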
Ⅳ. S&T-SEC Activities
Overview of S&T-SEC
§ S&T-SEC was officially opened in March, last year
Mission
§ Early detection of incidents at research institutes in the science & technology field
§ Prevention of damage through rapid response
§ Assurance of a cooperative incident response system
§ Countermeasures against hacking, especially in science & technology fields
Background of establishing S&T-SEC
§ Increasing threats: there were many worm-viruses or backdoors
§ Leakage of important information: there were some accidents which drained important information
§ Attacks by international hacking groups: there were some recorded attacks by international hacking groups
§ Rising necessity of establishing the organization: a national center is needed for securing national information
TMS
Mails
IDS/Firewall
End-Users
Vendors
Monitoring
ISP
Vuln.
AbnormalTraffic
Int’ l
Trends
Incide
nt Re
ports
MOSTMOSTMOSTMaill
WEB
SMS
SecureMessenger
FAX
TRS
Partners &Hot-lined Org.
Partners &Partners &HotHot--lined Org.lined Org.
• ISP/IDC• Research Institutes• National Center• Vendors• The Government
• ISP/IDC• Research Institutes• National Center• Vendors• The Government
InstitutesInstitutesInstitutes
End UsersEnd UsersEnd Users
AnnouncementAnnouncementAnnouncementDetectionDetectionDetection AnalysisAnalysisAnalysis
S&TS&T--SEC Operation ArchitectureSEC Operation Architecture
KrCERT
AnalysisDiscuss
WarningNotification
ConsultingRecovering
S&T-SECS&TS&T--SECSEC
Gathering Detection
How to collect data (1)
(figure: sensors 1-3 deployed at members 1-3 on KREONET report to the TMS server)
• Sensors gather the pattern of anomaly traffic
• TMS server: rule definition, report management, event analysis, packet analysis
• Inform the result of analyzing the anomaly traffic
How to collect data (2)
(figure: member site with servers (Web, DNS, Mail) and PCs on one side, S&T-SEC on the other)
• Server side: system security, patch management, vulnerability management
• Log collector (daemon): gathers the traffic info., log info. and system info. (CPU utilization, memory utilization)
• Sent to S&T-SEC: traffic info., system log, system info.
• Sensor update module: sensor S/W update
• PC security: PC security S/W (PC firewall, vaccine); vulnerability info. (OS, application, backdoor, etc.)
Cooperation with other org.Cooperation with other org.
S&T-SEC
* Consult & servethe guideline
* Analyze & Supporta trial of intrusion
•Establish cooperation channel
Member
v Research institutesfunded by MOST
v CISCOv Microsoftv SUN
v Ahn labv HAUR)v McAfee
Vulnerability Info. Virus Info.•KrCERT- Korea Internet Security Center
•NCSC- National Cyber Security Center
Cooperation org.
•Sharing a domestic & internationalsecurity information
•Support the informationof system vulnerability info.
•Support virus info.
• Intrusion detection system
•Technical support
•collect the anomaly data
•Serve the alarm information
•Serve the detected info. & guideline
Consultation for securing
•The person in charge•The representative of org.
•Consultation with representative
27
Security center activitiesSecurity center activities
Status ManagementConnectivity, Line-up
Load managementCPU, Memory
Traffic ManagementUtilization, in/out amount
Data AnalysisFlow, Session
Incident statisticsystem
Mail filteringAnti-virus, spam
Expected Results
Secure and reliable R&D Network: 24hrs network monitoring, continual (24×365) response system
Quantitative Objective
§ Abnormality detection within 20 min. with cross-border information sharing
§ Emergency notification within 10 min. by hot-line and others
Qualitative Objective
§ Improvement of judgment accuracy and rapidity based on monitoring results of anomaly indications
§ Accurate estimation of damage statistics
Ⅴ. Conclusion
Conclusion
• What is KREONET?
  – Korea's national science & research network
  – 20Gbps backbone, 1~10Gbps access networks
  – 4th core member participation in the GLORIAD project
• CERT-KREONET
  – Incident Response System
  – Access Control List
  – HoneyNet
  – Activity of securing mail
• S&T-SEC Activities
  – S&T-SEC was officially opened in March, last year
  – Because of the rising necessity of establishing the organization