Security Topics Update
Christopher Misra, Doug Pearson
April 2008
Session outline
• Salsa
• Internet2/EDUCAUSE Security Task Force
• Current Salsa activities
• Working group updates
  • CSI2, DR, FWNA, DNSsec
• REN-ISAC
Salsa
• Salsa is an oversight group consisting of technical representatives from the higher education community
• who will advise on leading edge technology issues, provide prioritization, and set directions in the security space.
• Salsa works in collaboration with the EDUCAUSE/Internet2 Security Task Force
Security Task Force
• Internet2 and EDUCAUSE established the Computer and Network Security Task Force in July 2000. The task force works to improve information security and privacy across the higher education sector by actively developing and promoting effective practices and solutions for the protection of critical IT assets and infrastructures.
Security Task Force
• STF Resources
  • http://www.educause.edu/security
• Security Professionals Conference
  • http://www.educause.edu/sec08
  • May 4-6 2008 in Arlington, VA
• Security Discussion List
  http://www.educause.edu/SecurityDiscussionGroup/979
• Effective Practices Guide
  https://wiki.internet2.edu/confluence/display/secguide/
REN-ISAC
• A private trust community for R&E security protection and response
• http://www.ren-isac.net
• collect, derive, analyze, & disseminate threat information. Supports member understanding of threats, protection, and mitigation.
• 24x7 Watch Desk ([email protected], +1 317 274 6630)
• More on this shortly…
REN-ISAC and other Communities
• REN-ISAC augments existing security efforts in Higher Education
• REN-ISAC list is a place for:
  • Sharing sensitive, operational information
  • Leveraging a trusted community
• EDUCAUSE Discussion Group is a place for:
  • Asking general questions
  • Sharing resources/effective practices & solutions
Security Architecture
• Information Security is composed of:
  • Policies
  • Procedures
  • Technologies/Tools
• But what provides a coherent plan to ensure that we meet our IT security goals?
Security Architecture Drivers
• Security systems are complex
• The interrelation between components is not obvious
• The technical details of security systems can obscure perspective with respect to other critical systems
• Tools are not always completely compatible with the desired outcome
Security Architectures
What do we mean by information security architecture?
Architecture: n. Orderly arrangement of parts; structure
“Creating organized structures, using tools, techniques, and procedures, to cohesively mitigate information security risk consistent with policy.”
CAMP: Bridging Security and Identity Management
• Explored issues surrounding the three themes:
  • privacy and compliance
  • threat and risk mitigation
  • Scalability
• Each of which requires a bridge between security and identity management.
http://www.educause.edu/camp081
• February 13–15, 2008
• Tempe Mission Palms, Tempe, Arizona
CAMP: Bridging Security and Identity Management
• Consistent themes which emerged
  • Middleware and Security share common goals if not necessarily a common heritage
  • Federation poses unique strengths and particular security challenges
  • Organizational structures impart less influence than shared mission
CAMP: Themes and conclusions
• Security and Middleware staff need to be engaged with IdM design and implementations
  • Working with them now may both prevent bad things and even facilitate good things
  • We are probably trying to solve some of the same problems
• Educating your user community about realigned middleware drivers is in our collective interest
  • Preventing data leakage from poorly managed applications and authorizations
Salsa-CSI2 working group
• Chartered to organize activities/create tools to identify security incidents
  • How they can be better identified
  • How information about the incidents can be shared
  • To improve the overall security of the network and the parties connected to the network.
• Focusing on the shifting landscape problem
Salsa-CSI2: Recent activities
• The Shifting Landscape problem
• APHIDS
Salsa-CSI2: RENOIR
• Research and Education Networking Operational Information Repository
• Design around the concept of ticket system handling security data
  • vast array of sources
• Organizing the data into high-level cases
  • use for reporting on daily operational incidents.
• Rely on a trusted third-party to facilitate communication
Salsa-CSI2: The Shifting Landscape
• The IT security community has seen two major paradigm shifts over several years.
  • IT vendors have finally begun shipping products secure by default.
  • Attackers have become financially motivated and increased their operational sophistication.
• These shifts require a major rethinking of how we manage security in the enterprise.
Salsa-CSI2: The Shifting Landscape
• The threat environment facing higher education remains highly dynamic
• Some tools do not quite have the impact they once did
  • Many warrant less time/money/energy.
• Not a new term but reflects the current state well
Salsa-CSI2: The Shifting Landscape
• The context of the tool is critical to understand its value.
  • E.g. While Nessus as a tool for assessing security posture for network registration has lost a bit of its luster, Nessus as a general vulnerability assessment tool *remains* useful.
• Several presentations at EDUCAUSE regional
  • Half-day seminar coming up at security professionals conference in two weeks
Salsa-CSI2: The Shifting Landscape
• List of the effectively used advanced security tools
• Two cases of tool evaluation
  • When you have a clear technical requirement
    • need to know what best/most widely
    • pointers to a functional tool taxonomy
  • What's the most efficient/effective way to allocate resources for tools?
• Engagements with the STF Effective Practices working group
Salsa-CSI2: APHIDS
• APHIDS is a non-traditional intrusion detection system (IDS).
  • Most IDSes monitor network traffic or activity on an individual host, while APHIDS monitors the results returned by search engines.
• The project's goal is to provide
  • an easy, automated method for security professionals to find problematic content on web sites in their domains.
Salsa-CSI2: APHIDS
• Automated finding of problematic content includes
  • vulnerable web applications
  • evidence of intrusions/exposed sensitive data
• A web searching IDS is important because it is increasingly difficult to stay fully aware of an organization's web presence.
  • New sites, pages, documents may be added on a daily basis without the knowledge or approval
  • Attackers are also increasingly reliant on search engines to identify vulnerable targets and perform reconnaissance.
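As an added illustration of the search-result monitoring idea on the two APHIDS slides (this is not APHIDS code and is not from the original slides), the sketch below triages search-engine results for a campus's own domains. The domain `example.edu`, the result format, the signature set and the sample results are all assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Assumed scope and signatures, for illustration only (not APHIDS's rule set).
MONITORED_DOMAINS = ("example.edu",)
SIGNATURES = {
    "directory-listing": re.compile(r"\bindex of /", re.I),
    "sql-error-leak": re.compile(r"you have an error in your sql syntax", re.I),
    "possible-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Constructed search-engine results (url, title, snippet); not real data.
SAMPLE_RESULTS = [
    {"url": "https://www.example.edu/~lab/backup/",
     "title": "Index of /~lab/backup",
     "snippet": "Parent Directory  roster.xls  01-Mar-2008"},
    {"url": "http://apps.example.edu/forum/view.php?id=7",
     "title": "Forum",
     "snippet": "You have an error in your SQL syntax; check the manual"},
    {"url": "https://www.example.edu/old/grades.txt",
     "title": "grades.txt", "snippet": "Doe, Jane 123-45-6789 B+"},
    {"url": "https://dept.example.edu/news",
     "title": "Department news", "snippet": "Seminar schedule for spring"},
    # Look-alike host: contains the domain string but is not under it.
    {"url": "https://example.edu.mirror.test/", "title": "Index of /", "snippet": ""},
]

def in_scope(url, domains=MONITORED_DOMAINS):
    """True only if the URL's host is a monitored domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def triage(results):
    """Return [(url, [labels])] for in-scope results that match a signature."""
    findings = []
    for r in results:
        if not in_scope(r["url"]):
            continue  # someone else's site: nothing for this campus to fix
        text = f'{r["title"]}\n{r["snippet"]}'
        labels = sorted(n for n, rx in SIGNATURES.items() if rx.search(text))
        if labels:
            findings.append((r["url"], labels))
    return findings

if __name__ == "__main__":
    for url, labels in triage(SAMPLE_RESULTS):
        print(f"{', '.join(labels):18} {url}")
```

The scope check compares the parsed hostname rather than searching the URL string, so a look-alike host that merely contains the campus domain is not reported as the campus's own content.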
Salsa-FWNA working group
• Engaged with the eduroam community
  • http://www.eduroam.org/
• Recently less progress, but interest continues
• Evolving engagement with TNC
Salsa-FWNA: Current work
• RADIUS and SAML
  • Integrating Network Authentication and Attribute Exchange
  • Work on a specification that defines a profile that includes messages and flows from both RADIUS [RFC2865] and SAML specifications (both v1.1 and 2.0).
  • Still in draft form
• Engagement with IETF NEA and TNC
  • Continuing topic of discussion...
Salsa-FWNA: RADIUS and SAML
• The specification is taking advantage of SAML services
  • That are already defined and deployed for exactly this purpose.
• Availability of these SAML attributes provides:
  • Network Provider RADIUS server with the option of implementing a more flexible access control policy than possible with standard RADIUS.
• This specification describes a server communicating with SAML entities
  • No web browsers are involved.
Salsa-FWNA: RADIUS and SAML
Salsa-DR
• Disaster Recovery working group formed April 2007
  • to explore and document recommended practices for disaster planning and recovery,
  • especially for Higher Ed if and as those needs are distinct from those of other large enterprises
  • liaising with other groups or organizations as appropriate
http://security.internet2.edu/dr/
Salsa-DR: Charter
• contingency planning;
• developing and testing recovery plans, policies, and procedures;
• warm and hot site strengths, weaknesses, and potential pitfalls;
• contractual and SLA models and guidance
  • See: http://security.internet2.edu/dr/docs/Sample-Interschool-Agreement.pdf
• Mass notifications
Salsa-DR: Mailing list
• Working Group Chair
  • Don MacLeod, Cornell University
• To subscribe to the Salsa-DR list, send email to sympa at internet2 dot edu, with the subject line:
  subscribe <list name> FirstName LastName
• For example:
  • subscribe salsa-dr Jane Doe
Cyberinfrastructure Architectures, Security and Advanced Applications
• When talking with users about cyberinfrastructure and advanced applications, security is a topic which often comes up -- but not for the right reasons. More often than should be the case, some security practices and some security-oriented network architectures hinder rather than help users to do their work. What can be done to avoid this? How can we have both secure cyberinfrastructure and an application-friendly online environment at the same time?
Other Topics: What we all think about
• Protecting sensitive data
  • Not just the enterprise data, but the researcher data
  • Whole disk encryption
  • Tools like CU-Spider and others
• Identity management
  • In higher-ed, there's a lot of business process and policy issues as well as technology
• Malware (viruses, worms, spyware, etc.)
  • Signatures are not sufficient
• Distributed denial of service attacks
  • E.g. CastleCops
Other Topics: What we may not all be thinking about
• The strategic importance of DNS
• The value of sector-based security operations and the REN-ISAC
• {Spam, DDOS, etc} and its impact on the infrastructure
• Evolving firewall management strategies to accommodate advanced applications
• Federated identity and leveraging it for access control
• These haven't changed much since our last meeting
DNS: More to think about
• Consider DNS monitoring
  • Using query logs to analyze malicious activity
• How much priority is DNS given locally
  • Recent software, proper, secure configuration, change management
• Name servers aren't just a *tool* for conducting distributed denial of service attacks, they're also a *target* for distributed denial of service attacks
DNSSec
• DNSSec Internet2 Pilot
  http://www.dnssec-deployment.org/internet2/
• Internet2 DNSSEC pilot (funded by DHS and facilitated by Shinkuro)
• Each campus should evaluate their plans
  • What are you doing? Not doing?
  • Do you care? should you?
What is not in these slides?
• While not comprehensive, these slides represent current thoughts around activities of interest
  • We are more interested in what is NOT here and should be
  • Send a note to Joe St Sauver