12 CESNET CSIRT
12.1 Introduction
The aim of the CESNET CSIRT project is to achieve a better internal organisation of CESNET2 network security and of the services provided, as well as improved handling of security incidents, whether reported to the administrators of the affected networks/hosts or discovered by the detection systems running here. Another objective is to continue the co-operation with existing international projects in the field of network and service security, such as TERENA, UKERNA and FIRST.
12.2 Project solution
In 2004, we focused in particular on finding a sensible and feasible programme: identifying the most important shortcomings in security incident handling in the CESNET2 network and the communication deficiencies between the administrators of the individual participating institutions connected to the CESNET2 network, and defining the most suitable plan for the upcoming period.
During the year, the activities of the first official CSIRT (Computer Security Incident Response Team) of the CESNET association proved to be the most important ones. By the end of 2003, the cornerstones of the security team had been laid down. The team was officially accredited by the TERENA Trusted Introducer project at the beginning of 2004 and the CESNET-CERTS team was added to the list of known security teams (http://www.ti.terena.nl/teams/teams-c.html). The contact e-mail address of the team is certs@cesnet.cz; the fingerprint of the CESNET-CERTS team PGP key is:
341D 3EB0 0160 941F 6A06 4401 F9BF C741 9CAA 8579
At present, the CESNET-CERTS team consists of three members, but it should expand in the future. Until this happens, the three existing members of the team guarantee its operation five days a week. Should the team be required to work 24 hours a day in the future, its capacity would need significant reinforcement.
While establishing the CESNET-CERTS team, the following steps were taken:
- Re-organising the roles of the contact e-mail addresses of the form abuse@ (as used in the registrars' databases and in the international RIPE database) and certs@.
- Allocation of the tasks to individual members of the CESNET-CERTS team.
- Definition of the team programme and policy, for example substitution of members and reaction strategies for reported incidents.
The following areas and activities were dealt with by the CESNET-CERTS team during the year:
- Searching for and testing an appropriate system for the reception, effective administration and archiving of reported incidents. As the CESNET-CERTS team has only three members at present and should expand in the near future, we are considering launching a support system for the reception and effective administration of reported incidents. Given the number and nature of the cases handled, a support system able, for example, to clearly distinguish incidents according to their stage of processing would be very helpful. This year, we tested several candidate systems: RTIR, Bugzilla and Mantis. So far, the Mantis system seems to be the most suitable for our purposes.
- Contact information for institutions connected to the CESNET2 network. At present, it is difficult to find the right contact person once a security incident involving some IP address (belonging to our autonomous system AS2852) is reported, as no reliable database of contact information exists. At first, we considered using the existing RIPE database for this purpose and adding more data to it; then we considered creating our own contact database using the existing LDAP structure. Having mapped the solutions and activities undertaken in this respect in previous years and their results, we rejected both options as unsuitable and keep them only as back-up options. (The first difficulties arose when trying to obtain the primary data and to ensure its maintenance, updating and accountability.) We decided instead to adopt a set of security policy documents that should induce the participating institutions to establish (not necessarily formal) teams similar to the CESNET-CERTS team. Our aim is to create a hierarchical structure of security teams and to enable these teams to get to know each other and to ask one another for help when looking for a solution.
- In 2004, the development of two other systems was included in the project. These two had been separate projects in the past: the IDS (Intrusion Detection System) and the Auditing System. The IDS has been fully automated, and the suggestions of individual administrators have been incorporated (administrators have different views on when, in what form and how often they should receive reports from the IDS). The system was set up so that these individual requirements could be met flexibly. As regards the Auditing System, local administrators of the CESNET association defined the requirements for its functionality, and the relevant changes should be implemented during 2005.
We have linked up with some other European projects dealing with computer network security, in particular with the TRANSITS project operated by the TERENA and UKERNA associations. We took part in organising the successful 5th TRANSITS Workshop, which was held in Prague-Pruhonice from November 10 to 12, 2004. Several employees of the CESNET Association took part in this workshop. It is an intensive three-day workshop held twice a year whose aim is to introduce security issues to new and potential members of security teams.
12.3 Plans for 2005
Building on what we did in 2004, we would like to define rules for communication among the institutions connected to the CESNET2 network when dealing with security incidents. We plan to provide these institutions with guidelines, information, rules and incentives for establishing security teams. We would also like to focus on improving the awareness and knowledge of employees, in particular those of the CESNET Monitoring Centre, and on the development of further support tools for detecting and preventing potential security risks (the Intrusion Detection System and the Auditing System). Furthermore, we would like to develop and expand the activities of the CESNET-CERTS team and deepen co-operation with international projects.