12   CESNET CSIRT

The increasing number of users with access to the Internet brings along an increase in security incidents, be they caused by neglect or ignorance or committed deliberately. At the same time, requirements on network and service security keep growing along with the development of the Internet, communication applications and the variety of data being transferred. Therefore, it is necessary to continuously address the issues of IT security, respond to security incidents and try to prevent them. In the connected organisations, this is the task of the IT security teams. In the CESNET association, the CESNET-CERTS security team has been operating since 2004.

12.1   Activities of the CESNET-CERTS team

The CESNET-CERTS team was established by the end of 2003 and has been officially operating since January 2004 under the name CSIRT (Computer Security Incident Response Team), when it was also formally incorporated into the TF-CSIRT activity of TERENA. The aim of TF-CSIRT is to create a European network of national and institutional security teams closely cooperating in the field of prevention and response to security incidents. The emphasis is on personal contacts with other teams' members and sharing of information.

In 2004, the CESNET-CERTS team included three CESNET staff members whose previous work was closely related to security. The key activities of the team are as follows:

CESNET-CERTS strives to apply gained knowledge for the benefit of the entire CESNET2 network and ultimately to establish an effective framework for responding to security issues in the CESNET2 network.

After two years of existence, the capacities of the CESNET-CERTS team no longer suffice to cover all the activities. Receiving and processing reports on security incidents and alerts takes up most of their time, although this, in most cases, does not require any specific knowledge besides common sense and awareness of basic Internet principles (IP addresses, domains).

In 2005, the CESNET-CERTS team, being the primary recipient of security-related reports for the entire CESNET2 network (AS 2852), received about 800 reports that had to be forwarded to downstream administrators together with a request to respond.

One may ask why these incidents are not reported directly to the local administrators. There is no easy answer to this question. In part it is due to the historical development of the Internet - many incident reporting systems are not properly maintained and do not reflect in a timely way contact information changes in the databases of the address and domain registrars. It is quite common that these systems contain obsolete contact information for assigned IP scopes for many years. And it is also done on purpose - incident reports are sent to the key contact for security incidents in the corresponding autonomous system. For the CESNET2 network, the contact address is abuse@cesnet.cz, which is administered and dealt with by the CESNET-CERTS team.

In order to maintain the quality of our work and have capacity for further development, we decided to expand the CESNET-CERTS team by incorporating the employees of the CESNET Monitoring Centre (CMC). This centre performs 24/7 monitoring of the CESNET2 network and coordinates the response to any network and service failures. Our plan is to involve CMC in receiving incident reports, doing the basic analysis and processing them accordingly.

To that end, we have been looking into the options offered by ticketing systems. These are used for receiving the incident reports, processing them and keeping track of the procedures and steps taken. While informal email communication seemed acceptable for the original CESNET-CERTS team consisting of three closely cooperating specialists, a larger team certainly requires a more dependable system that is also easy to use. Last but not least, it is crucial that all actions and communications be authenticated and authorised.

In 2005, we tested about ten ticketing systems and did not identify any clear favourite. Those with the most attractive functions lacked support for S/MIME and PGP, which are indispensable for protecting identity and content integrity. We considered deploying a webmail interface or adding the necessary functions to the Thunderbird mail client. Finally, we decided to use the OTRS (Open Ticket Report System). Its development has been gaining momentum and S/MIME and PGP support was implemented in it recently. Currently, we run the OTRS system in test mode and plan to use it together with the CMC. The transfer of the responsibility for receiving and handling incident reports to the CMC staff has another advantage: the downstream administrators will be notified earlier, as the CMC operates night and day.

12.1.1   Development of the security strategy for the CESNET2 network

In the first half of 2005, we gained experience in solving security incidents that helped to improve our work and define fundamental rules and procedures. This later served as a basis for the internal policy of the CESNET-CERTS team. In addition, we learnt a lot during the workshop that we organised for network and IT administrators of the CESNET2 network and professionals dealing with network and service security. The Network Security workshop took place on 14 November 2005 in the Conference Centre in Prague-Dejvice. Altogether, more than 40 representatives of institutions connected to the CESNET2 network participated in this event.

The structure and content of the lectures were chosen so as to give the participants a basic overview of the issues related to network and service security, show ways of preventing security incidents and promote the creation of security teams in our customer institutions. The agenda also included the lecture "Legal aspects connected with network security and security of network services". This was motivated by our previous experience with site administrators, which indicated serious knowledge gaps and misconceptions related to the legal aspects of network security.

Further, we also drafted documents defining the security policy of the CESNET2 network. As it is an academic network, we decided to involve the member organisations in creating the policies and implementing them in practice. In the last quarter of 2005, we formed a panel composed of selected CESNET professionals that will represent their home institutions and comment on the proposed policies and other plans in the area of security incident handling. Security policies should be implemented during the year 2006.

12.1.2   IDS and Audit System

In 2005, we continued the development of programs that analyse data from the LaBrea server related to the CESNET local networks in Dejvice. The LaBrea server records and prevents attacks into the unallocated address space. Records about the attacks are processed twice a day (workdays only). Afterwards, the system sends notifications to the administrators of the CESNET2 sites from which the attacks came. The usefulness of this service can be demonstrated on the decreasing number of attacks: whereas during the last 5 months of 2004 we registered attacks from 590 stations, it was only 202 stations during the first 5 months of 2005 and 204 stations during the last 6.5 months (1 June - 13 December 2005) - all this despite the increasing number of security incidents in the global Internet and also the fact that the frequency of automated notifications has been doubled since the end of October. We will continue to develop and expand the system for automated detection of unauthorised network activities in 2006.
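An added illustration (not CESNET's own code) of the processing step described above: parsing LaBrea-style records, keeping only the first contact from each source host, and grouping the distinct attacking stations by the site prefix they came from so that one notification per site administrator can be prepared. The log line format, the site table, the contact addresses and the sample records are constructed assumptions, not data from the page.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed LaBrea-style text log line (constructed format, not taken from the page):
#   <epoch> Initial Connect - tarpitting: <src_ip> <src_port> -> <dst_ip> <dst_port>
LINE_RE = re.compile(r"^(?P<ts>\d+) (?P<event>Initial Connect|Additional Activity)[^:]*: "
                     r"(?P<src>[\d.]+) \d+ -> (?P<dst>[\d.]+) (?P<dport>\d+)$")

# Hypothetical site table (constructed): prefix -> site administrator contact.
SITES = {ipaddress.ip_network("198.51.100.0/24"): "admin@site-a.example",
         ipaddress.ip_network("203.0.113.0/25"): "admin@site-b.example"}

# Constructed sample records; 192.0.2.200 belongs to no registered site.
SAMPLE_LOG = """\
1117000000 Initial Connect - tarpitting: 198.51.100.7 4023 -> 192.0.2.10 445
1117000005 Additional Activity: 198.51.100.7 4023 -> 192.0.2.10 445
1117000060 Initial Connect - tarpitting: 198.51.100.9 1031 -> 192.0.2.77 135
1117000120 Initial Connect - tarpitting: 203.0.113.40 2280 -> 192.0.2.5 445
1117000180 Initial Connect - tarpitting: 192.0.2.200 5000 -> 192.0.2.9 80
garbage line that must be skipped
"""

def parse_records(text):
    """Yield (ts, src, dst, dport) for Initial Connect lines; follow-up activity of an
    already tarpitted host and unparseable lines are ignored."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("event") == "Initial Connect":
            yield int(m["ts"]), m["src"], m["dst"], int(m["dport"])

def site_for(ip):
    """Return the contact whose prefix contains ip, or None for an unregistered address."""
    addr = ipaddress.ip_address(ip)
    return next((c for net, c in SITES.items() if addr in net), None)

def build_notifications(text):
    """Group distinct attacking stations per site contact; hosts outside every known
    prefix are returned separately so they are not silently dropped."""
    per_site = defaultdict(dict)       # contact -> {src: [(ts, dst, dport), ...]}
    unassigned = set()
    for ts, src, dst, dport in parse_records(text):
        contact = site_for(src)
        if contact is None:
            unassigned.add(src)
        else:
            per_site[contact].setdefault(src, []).append((ts, dst, dport))
    return dict(per_site), unassigned

def distinct_stations(text):
    """Number of distinct attacking stations, the figure the report tracks per period."""
    return len({src for _, src, _, _ in parse_records(text)})
```

Hosts that fall outside every registered prefix are the ones that need manual handling, so the function hands them back rather than discarding them.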

We also focused on the development of a system for the security audit of CESNET equipment and on the secured mail interface to the NESSUS server. We started trial operation of the secured mail interface for the CESNET network in Dejvice. This mail interface enables any user to easily detect potential security problems without having to install any clients or even the NESSUS server. Through the interface, users can ask for the audit of their workstation and thus test its security. Advanced users may continue to use the graphical or command line client on any of their computers. We expect the system will develop further to reflect users' needs and include the gained experience.
