Joshua Beeman University Information Security Officer October 17, 2011

Transcription

1 Joshua Beeman University Information Security Officer October 17,

2 June, NPTF Security Presentation on FY 12 InfoSec goals: Two Factor Authentication Levels of Assurance Shibboleth InCommon Network Intrusion Detection Systems 2

3 June, NPTF IDS plan described in June was: Recommended a Border IDS solution and develop the associated project plan Representatives from ISC N&T and Information Security evaluate possible border/core IDS vendor solutions and associated network enhancements or modifications Recommend specific border/core product in written report that includes plan for implementation (including funding requirements). 3

4 Review of IDS Benefits A network intrusion detection system is a critical part of the risk assessment and incident response process. An IDS would enable passive monitoring of campus traffic for the purpose of identifying, reporting and alerting on network based attacks and/or policy violations (i.e., bad traffic) Depending on the implementation, monitoring would include the ability to observe attacks originating from within the organization, as well as from the outside. Would result in better visibility and metrics on quantity of attacks, number of compromised systems, and types of attacks. 4

5 IDS Benefits (continued) Ability to better leverage threat data from trusted sources and peers in support of automated alerting Better reporting should reduce compromises (which should reduce risk and cost) The critical nature of this project and significance for minimizing risk has prompted preliminary review of vendors and services. 5

6 IDS Strategy Strategy is being informed by: Peer review and discussion Product Research (including Gartner) Vendor presentations Product evaluation and testing 6

7 Peer Benchmarking Organization Columbia Dartmouth Yale Brown Using an IDS? Y Y Y Y (local only) If yes, what product and how is it deployed? (at the edge, at the core, selectively on specific subnets or networks, etc) The PAIRS system was developed at Columbia University. It is an anomalybased intrusion detection system. PAIRS operates by processing all NETFLOW data generated at the borders of the University network. This data represents all traffic going into or leaving the University. Tipping Point (signature-based IPS) & Stealth Watch (anomaly IPS), as well as Snort for custom signatures. Snort IDS used for monitoring traffic at the perimeter of campus network. Stealth Watch (Anomaly IPS) used "throughout the network" (presumably this means on local network segments) Currently "targeted" use only: Snort IDS in front of critical assets and subnets. Expanding its use. Are you using any other network based security tools that you feel like mentioning (filtering, firewall, IPS, etc.)? * GULP - GULP was also developed at Columbia University. Used to process all authenticated log information. It correlates with DHCP to tie authenticated logins to campus systmes to an individual computer system. * Blocking netbios, 1443, 1444 * Port anostic bandwidth limits * Noted firewalls are in use, but details not provided Investigating next-generation firewalls (NGFW): They are in the process of installing a Palo Alto layer 7 firewall that also has some IPS capability. "We recently did an eval of a number of products as our Tipping Point and Stealthwatch devices were up for renewal this year. We ended up keeping them both and purchasing the Palo Alto in addition." * Router filters (light filtering) on Yale's Internet routers * internal (data center, departmental) network firewalls, * WebSense web proxy server for "secure" managed workstations. * Blocking netbios and cisco ports * Recently redesigned network using Virtual Routing and Forwarding (VRF), a method of network segregation, and built several security zones. * Investigating Palo Alto (NGFW) * Noted firewalls are in use, but details not provided * Router Access Control Lists at the perimeter. * Juniper Netscreen firewalls at the core. * RSA envision for log collection and analysis. Tippingpoint IPS is sitting in "front" of Snort. "Tried using Tippingpoint IPS as an IDS, and quickly discovered that would not work." Princeton Y McAfee Intrushield (IPS) Snort at the perimeter Duke Y Snort in-between VRF's Harvard Y No details provided No details provided MIT Y No details provided * Currently evaluating firewall solutions Cornell Y No details provided No details provided Virginia Tech Penn Y Snort IDS at border (Previously had ISS Preventia, but dissatisfied). Y (local only Some schools and centers deploying locally. Using Argus as one of the data aggregation tools. Also have access to NetFlow. Purchasing FireEye ("malware protection" system) to install at the border in monitor mode. Currently evaluating StoneSoft for additional border protectio, again in monitor-only mode. Developing segregated network for devices hosting sensitive data (e.g., PII) * Arbor used for capturing campus NetFlow data. * Juniper firewalls individually deployed and managed at the local (building and subnet) level, not at core. 7

8 Product Review Arbor an in-place network monitoring tool that could be expanded to include more IDS like features. SourceFire a commercial solution based on the popular open-source Snort tool. TippingPoint an Intrusion Prevention System (IPS) capable of running in monitor mode 8

9 Arbor PeakFlow SP with TMS (Threat Management System) detects and mitigates threats leveraging our existing Peakflow collectors. Peakflow X is a distributed controller-collector system. It has deep packet inspection and built-in network behavioral analysis for real-time threat identification. 9

10 Arbor Comments/Details: Emphasis placed on preserving availability (e.g., monitoring and prevention of ddos attacks) Tools and data for networking operations as much as information security ISC has prior experience with tool and vendor Some limitations exist in console API being investigated 10

11 SourceFire The Sourcefire 3D System is based on the opensource Snort intrusion detection engine, but is provided as a commercially supported solution. It includes the ability to manage and correlate data from multiple sensors in a single location. 11

12 SourceFire Comments/Details: Powerful signature scripting capabilities in use by many peers, allowing for custom signatures and leveraging peer tools and feeds. The Snort engine is an industry leader for IDS. Central management console, extensibility, additional processing and correlation features, all highly desirable. 12

13 TippingPoint TippingPoint s solutions are designed to provide inline, signature-based, protection from network-based attacks. However, they can be run in monitor-only mode. As more features are added they may be evolving into UTM solutions. Now an HP company. 13

14 TippingPoint Comments/Details: Going with an IPS solution could provide us a leg up if we wanted to implement automated prevention down the road. TippingPoint is an industry leader in this space. Evidence (from the vendor and a peer) seems to indicate that this solution is best deployed in line, increasing complexity and posing risks to network availability. It is not yet clear what impact purchase by HP will have on product. 14

15 Architecture Border versus Core: 4 x 10 Gig at border providing visibility into traffic coming in and out of Penn 10 x 10 Gig (and possibly 100 Gig) at core providing visibility into traffic within Penn 15

16 Looking Ahead Other items on the roadmap: Central logging service Evaluation of Next Generation Firewall (NGFW) and/or UTM solutions. Security Information and Event Management (SIEM) and event correlation Tools and strategies for IPv6 related malware and attacks. 16

17 Final Meeting November 7 (Rate setting) We are doing the complete lines of business analysis to determine what Central Infrastructure Bundle cost would be for baseline and known growth services (NGP, Internet, etc.) FY 12 request was for $5,205,607 from the schools and centers Other monies are received by our full rate customers (ResNet, GreekNet, UPHS, Wistar, etc.) 17

18 November 7 (Rate setting) Determine new initiatives for FY 13 and associated costs Full campus wireless Will seek central funding and not additional Central Service Fee monies, since issue appears to be in public areas-inside and out and administrative and shared buildings Funding model impact-decision delayed until FY 14 Likely 100% headcount model option 18

19 November 7 (Rate setting) Determine new initiatives for FY 13 and associated costs Enhancements to Guest Wireless Network IDS Shibboleth integration work 19