SlideShare una empresa de Scribd logo

TransPAC2 - Security (v8)

International Networking at Indiana University
International Networking at Indiana University
1 de 3
Version 7.0 3/13/2011 TransPAC2 Security Services Work Plan 2007-2009 Prepared by John Hicks Problem Statement Security is a critical element of any high-performance network deployed today. Appropriate levels of insuring the security and integrity of the network infrastructure and protecting connected cyberinfrastructures against threats that transit the network are required. Introduction TransPAC2 will provide high-performance advanced network interconnections between the US and Asian research and education networks at speeds up to 10Gbps. Initially the TransPAC2 connection will be a tradition IP-based service. Future network enhancements could include circuit based lambda technologies. In addition to providing transpacific networking infrastructure for scientific and research collaborations, TransPAC2 will support large ancillary populations such as students in university residence halls and K-12 sites. While providing high-performance resources for R&E experiments, these connections also have the potential to provide a high-performance access threat to US and global infrastructure. Given the high-speed nature of R&E networks, and their common provision of 100 and 1000 Mbps connections to the desktop, the R&E end-user community is a prime target for network intrusions designed to gather “zombie” machines to participate in high-volume Distributed Denial of Service (DDoS) attacks, steal identities, etc. Network security threats do not have national boundaries, and data shows that a substantial amount of active threats directed at U.S. cyberinfrastructure is sourced overseas. Compounding that problem is the absence of effective international coordination and enforcement mechanisms The two security areas addressed throughout this project are protecting the network infrastructure itself and analyzing the data that transits our network. Protecting the network infrastructure is accomplished by packet filters applied to the control plane of the TransPAC2 router, keeping up to date on the vulnerabilities that effect network components, and monitoring device event logs. The TransPAC2 router is managed through the (Global Research) GRNOC and has a similar software security policy as the Internet2 network routers. The TransPAC2 PCs are protected and monitored with Bro IDS and remotely with the Internet Security Systems product Internet scanner. These systems provide security audits and port scanning of TransPAC2 network devices. In order to examine transit TransPAC2 traffic, NetFlow, SNMP, and BGP data are sent to the Research and Education Networking - Information Sharing and Analysis Center (REN-ISAC) for detailed analysis. Hosted by Indiana University and with the support and cooperation of Internet2 and EDUCAUSE, the REN-ISAC1 is an integral part of higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response. REN-ISAC services and products are specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks, and support efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure. The REN-ISAC collects information through: network instrumentation such as NetFlow and router port traffic statistics, a REN-ISAC operated darknet that monitors for sources of worm and other threat scanning, the Global Research Network Operation Center (GRNOC) operational monitoring systems, daily cybersecurity status calls with other ISACs and US-CERT, vetted/closed security collaborations, network engineers, vendors, security mailing lists, and members. Analysis of information from these flows yields information that is provided to the REN- 1 http://www.transpac2.net http://www.ren-isac.net/
Version 7.0 3/13/2011 ISAC member community through daily “weather reports”, alerts, and private reports to individual institutions regarding threats observed sourced from their domain. In addition the REN-ISAC responds to requests for assistance by institutions for aid in tracking and identifying specific threat activity. The REN-ISAC operates a 24x7 Watch Desk, collocated with the Global NOC. Current status TransPAC2 security has evolved into an operational mode. Daily reports from the REN- ISAC and the Peakflow SP provide sufficient information to address network anomalies. The following items describe actions taken to ensure the security of the network infrastructure itself. • The TransPAC2 router is protected against intrusions by packet filters applied to the control plane. • The operating systems of all network components are up to date. • Know vulnerabilities are fixed where appropriate. • Using the RANCID system, the Global NOC monitors the TransPAC2 router’s event logs. The RANCID system automatically emails appropriate engineers. See the following for more details: http://www.shrubbery.net/rancid/ • The TransPAC2 network components are fully incorporated into the Global Research NOC (GRNOC) monitoring infrastructure. • The Bro IDS and Internet scanner (ISS) provide security auditing and port scanning of TransPAC2 network devices. The following items describe activities related to the analysis of data that transits the TransPAC2 network. • REN-ISAC provides a daily view of national cybersecurity threats and potential dangers. Analysis of data from the TransPAC2 router is aggregated with other REN data to provide this view. • The Transpac2 router is fully incorporated into the Arbor Networks Peakflow SP product (http://www.arbornetworks.com/) used by the REN-ISAC. The SP system collects, analyzes, and manages Netflow, SNMP, and BGP data to provide a comprehensive view into traffic traversing the Transpac2 network. o TransPAC2 is using the security and reporting capabilities of the Arbor Peakflow SP System to publish (private) security analysis through a SOAP (Simple Object Application Protocol) interface. The Peakflow SP system has a rich set of statistics and security analysis capability that provides detailed analysis of TransPAC2 security events. The SP system implementation is made possible through the REN-ISAC also supported by Indiana University. As of September 1st, these updates are in place. o Web portals provide a restricted (passwd protected) view into TransPAC2 activity to TransPAC2 peers. o email and web notification are provided to the GRNOC and others concerning network anomalies (i.e. DDOS, worm/virus profiling, and other network events). TransPAC2 continues to disseminate security related information through APAN and other conferences in the Asian Pacific region.
Version 7.0 3/13/2011 20075-20086 Work Plan The following list represents ongoing operational issues. The list will be augmented as procedures and techniques change. • Packet filters applied to the router control plane are updated when appropriate. • TransPAC2 network component operating systems are constantly upgraded to fix bugs and combat known vulnerabilities. • Firewall filter graphing will be used in association with SNMP counters to monitor traffic levels for various protocols and ports. See the following link for an example of this implementation: http://vixen.grnoc.iu.edu/jfirewall-viz/. • TransPAC2 engineers will continue to work with the REN-ISAC to develop custom data mining portals and reports for anomalous events and trend analysis. TransPAC2 will continue to disseminate information and participate in security related events in the US and Asian Pacific region. 20086-20097 Work Plan As networks evolve to higher speeds and greater complexity, security becomes more challenging. TransPAC2 engineers will collaborate with security groups in the US and Asian Pacific region to keep abreast of new technologies and new cyber threats

Recomendados

TransPAC2 Workplan - Measurement (v9)
TransPAC2 Workplan - Measurement (v9)TransPAC2 Workplan - Measurement (v9)
TransPAC2 Workplan - Measurement (v9)International Networking at Indiana University
 
TransPAC3/ACE Measurement & PerfSONAR Update
TransPAC3/ACE Measurement & PerfSONAR UpdateTransPAC3/ACE Measurement & PerfSONAR Update
TransPAC3/ACE Measurement & PerfSONAR UpdateInternational Networking at Indiana University
 
International R/E Routing (v1.0)
International R/E Routing (v1.0)International R/E Routing (v1.0)
International R/E Routing (v1.0)International Networking at Indiana University
 
ACE 2010 NSF Annual Report
ACE 2010 NSF Annual ReportACE 2010 NSF Annual Report
ACE 2010 NSF Annual ReportInternational Networking at Indiana University
 
APAN31 - ACE & TransPAC3 (update)
APAN31 - ACE & TransPAC3 (update)APAN31 - ACE & TransPAC3 (update)
APAN31 - ACE & TransPAC3 (update)International Networking at Indiana University
 
TransPAC2 Workplan - Engineering (v7.5)
TransPAC2 Workplan - Engineering (v7.5)TransPAC2 Workplan - Engineering (v7.5)
TransPAC2 Workplan - Engineering (v7.5)International Networking at Indiana University
 
A brief history of streaming video in the Internet
A brief history of streaming video in the InternetA brief history of streaming video in the Internet
A brief history of streaming video in the InternetStenio Fernandes
 
CARLETON_SrSysEng08.11.2015
CARLETON_SrSysEng08.11.2015CARLETON_SrSysEng08.11.2015
CARLETON_SrSysEng08.11.2015Rich Carleton
 

Recomendados

TransPAC2 Workplan - Measurement (v9)
TransPAC2 Workplan - Measurement (v9)TransPAC2 Workplan - Measurement (v9)
TransPAC2 Workplan - Measurement (v9)International Networking at Indiana University
 
TransPAC3/ACE Measurement & PerfSONAR Update
TransPAC3/ACE Measurement & PerfSONAR UpdateTransPAC3/ACE Measurement & PerfSONAR Update
TransPAC3/ACE Measurement & PerfSONAR UpdateInternational Networking at Indiana University
 
International R/E Routing (v1.0)
International R/E Routing (v1.0)International R/E Routing (v1.0)
International R/E Routing (v1.0)International Networking at Indiana University
 
ACE 2010 NSF Annual Report
ACE 2010 NSF Annual ReportACE 2010 NSF Annual Report
ACE 2010 NSF Annual ReportInternational Networking at Indiana University
 
APAN31 - ACE & TransPAC3 (update)
APAN31 - ACE & TransPAC3 (update)APAN31 - ACE & TransPAC3 (update)
APAN31 - ACE & TransPAC3 (update)International Networking at Indiana University
 
TransPAC2 Workplan - Engineering (v7.5)
TransPAC2 Workplan - Engineering (v7.5)TransPAC2 Workplan - Engineering (v7.5)
TransPAC2 Workplan - Engineering (v7.5)International Networking at Indiana University
 
A brief history of streaming video in the Internet
A brief history of streaming video in the InternetA brief history of streaming video in the Internet
A brief history of streaming video in the InternetStenio Fernandes
 
CARLETON_SrSysEng08.11.2015
CARLETON_SrSysEng08.11.2015CARLETON_SrSysEng08.11.2015
CARLETON_SrSysEng08.11.2015Rich Carleton
 
Lambda data grid: communications architecture in support of grid computing
Lambda data grid: communications architecture in support of grid computingLambda data grid: communications architecture in support of grid computing
Lambda data grid: communications architecture in support of grid computingTal Lavian Ph.D.
 
Next generation tech trend for global critical communication standard
Next generation tech trend for global critical communication standardNext generation tech trend for global critical communication standard
Next generation tech trend for global critical communication standardYi-Hsueh Tsai
 
Datacom module 2: Data Communication Architecture, Protocols, and Standards
Datacom module 2: Data Communication Architecture, Protocols, and StandardsDatacom module 2: Data Communication Architecture, Protocols, and Standards
Datacom module 2: Data Communication Architecture, Protocols, and StandardsJeffrey Des Binwag
 
Best strategy to control data on internet-of-robotic-things in heterogeneous ...
Best strategy to control data on internet-of-robotic-things in heterogeneous ...Best strategy to control data on internet-of-robotic-things in heterogeneous ...
Best strategy to control data on internet-of-robotic-things in heterogeneous ...IJECEIAES
 
2009 HEP Science Network Requirements Workshop Final Report
2009 HEP Science Network Requirements Workshop Final Report2009 HEP Science Network Requirements Workshop Final Report
2009 HEP Science Network Requirements Workshop Final Reportbutest
 
Georgia tech 2010
Georgia tech 2010Georgia tech 2010
Georgia tech 2010oeslle
 
[.ppt]
[.ppt][.ppt]
[.ppt]Videoguy
 
The Exascale Computing Project and the future of HPC
The Exascale Computing Project and the future of HPCThe Exascale Computing Project and the future of HPC
The Exascale Computing Project and the future of HPCinside-BigData.com
 
LTE Release 13 and SMARTER – Road Towards 5G
LTE Release 13 and SMARTER – Road Towards 5GLTE Release 13 and SMARTER – Road Towards 5G
LTE Release 13 and SMARTER – Road Towards 5GYi-Hsueh Tsai
 
PACE-IT: The OSI Networking Reference Model
PACE-IT: The OSI Networking Reference ModelPACE-IT: The OSI Networking Reference Model
PACE-IT: The OSI Networking Reference ModelPace IT at Edmonds Community College
 
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCS1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCYi-Hsueh Tsai
 
Curriculum Vitae
Curriculum VitaeCurriculum Vitae
Curriculum Vitaebutest
 
Curtis Resume
Curtis ResumeCurtis Resume
Curtis ResumeCurtis Royster
 
Building a Regional 100G Collaboration Infrastructure
Building a Regional 100G Collaboration InfrastructureBuilding a Regional 100G Collaboration Infrastructure
Building a Regional 100G Collaboration InfrastructureLarry Smarr
 
An extensible, programmable, commercial-grade platform for internet service a...
An extensible, programmable, commercial-grade platform for internet service a...An extensible, programmable, commercial-grade platform for internet service a...
An extensible, programmable, commercial-grade platform for internet service a...Tal Lavian Ph.D.
 
Experimental analysis of channel interference in ad hoc network
Experimental analysis of channel interference in ad hoc networkExperimental analysis of channel interference in ad hoc network
Experimental analysis of channel interference in ad hoc networkijcsa
 
Datacom module 1: Introduction to Data Communications
Datacom module 1: Introduction to Data CommunicationsDatacom module 1: Introduction to Data Communications
Datacom module 1: Introduction to Data CommunicationsJeffrey Des Binwag
 
Datacom module 3: Data Communications Circuits, Arrangements, and Networks
Datacom module 3: Data Communications Circuits, Arrangements, and NetworksDatacom module 3: Data Communications Circuits, Arrangements, and Networks
Datacom module 3: Data Communications Circuits, Arrangements, and NetworksJeffrey Des Binwag
 
Comparison of DOD and OSI Model in the Internet Communication
Comparison of DOD and OSI Model in the Internet CommunicationComparison of DOD and OSI Model in the Internet Communication
Comparison of DOD and OSI Model in the Internet Communicationijtsrd
 
Cloud Camp Milan 2K9 Telecom Italia: Where P2P?
Cloud Camp Milan 2K9 Telecom Italia: Where P2P?Cloud Camp Milan 2K9 Telecom Italia: Where P2P?
Cloud Camp Milan 2K9 Telecom Italia: Where P2P?Gabriele Bozzi
 
ANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARK
ANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARKANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARK
ANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARKIJNSA Journal
 
An Analysis on Software Defined Wireless Network using Stride Model
An Analysis on Software Defined Wireless Network using Stride ModelAn Analysis on Software Defined Wireless Network using Stride Model
An Analysis on Software Defined Wireless Network using Stride ModelIRJET Journal
 

Más contenido relacionado

La actualidad más candente

Lambda data grid: communications architecture in support of grid computing
Lambda data grid: communications architecture in support of grid computingLambda data grid: communications architecture in support of grid computing
Lambda data grid: communications architecture in support of grid computingTal Lavian Ph.D.
 
Next generation tech trend for global critical communication standard
Next generation tech trend for global critical communication standardNext generation tech trend for global critical communication standard
Next generation tech trend for global critical communication standardYi-Hsueh Tsai
 
Datacom module 2: Data Communication Architecture, Protocols, and Standards
Datacom module 2: Data Communication Architecture, Protocols, and StandardsDatacom module 2: Data Communication Architecture, Protocols, and Standards
Datacom module 2: Data Communication Architecture, Protocols, and StandardsJeffrey Des Binwag
 
Best strategy to control data on internet-of-robotic-things in heterogeneous ...
Best strategy to control data on internet-of-robotic-things in heterogeneous ...Best strategy to control data on internet-of-robotic-things in heterogeneous ...
Best strategy to control data on internet-of-robotic-things in heterogeneous ...IJECEIAES
 
2009 HEP Science Network Requirements Workshop Final Report
2009 HEP Science Network Requirements Workshop Final Report2009 HEP Science Network Requirements Workshop Final Report
2009 HEP Science Network Requirements Workshop Final Reportbutest
 
Georgia tech 2010
Georgia tech 2010Georgia tech 2010
Georgia tech 2010oeslle
 
The Exascale Computing Project and the future of HPC
The Exascale Computing Project and the future of HPCThe Exascale Computing Project and the future of HPC
The Exascale Computing Project and the future of HPCinside-BigData.com
 
LTE Release 13 and SMARTER – Road Towards 5G
LTE Release 13 and SMARTER – Road Towards 5GLTE Release 13 and SMARTER – Road Towards 5G
LTE Release 13 and SMARTER – Road Towards 5GYi-Hsueh Tsai
 
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCS1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCYi-Hsueh Tsai
 
Curriculum Vitae
Curriculum VitaeCurriculum Vitae
Curriculum Vitaebutest
 
Building a Regional 100G Collaboration Infrastructure
Building a Regional 100G Collaboration InfrastructureBuilding a Regional 100G Collaboration Infrastructure
Building a Regional 100G Collaboration InfrastructureLarry Smarr
 
An extensible, programmable, commercial-grade platform for internet service a...
An extensible, programmable, commercial-grade platform for internet service a...An extensible, programmable, commercial-grade platform for internet service a...
An extensible, programmable, commercial-grade platform for internet service a...Tal Lavian Ph.D.
 
Experimental analysis of channel interference in ad hoc network
Experimental analysis of channel interference in ad hoc networkExperimental analysis of channel interference in ad hoc network
Experimental analysis of channel interference in ad hoc networkijcsa
 
Datacom module 1: Introduction to Data Communications
Datacom module 1: Introduction to Data CommunicationsDatacom module 1: Introduction to Data Communications
Datacom module 1: Introduction to Data CommunicationsJeffrey Des Binwag
 
Datacom module 3: Data Communications Circuits, Arrangements, and Networks
Datacom module 3: Data Communications Circuits, Arrangements, and NetworksDatacom module 3: Data Communications Circuits, Arrangements, and Networks
Datacom module 3: Data Communications Circuits, Arrangements, and NetworksJeffrey Des Binwag
 
Comparison of DOD and OSI Model in the Internet Communication
Comparison of DOD and OSI Model in the Internet CommunicationComparison of DOD and OSI Model in the Internet Communication
Comparison of DOD and OSI Model in the Internet Communicationijtsrd
 
Cloud Camp Milan 2K9 Telecom Italia: Where P2P?
Cloud Camp Milan 2K9 Telecom Italia: Where P2P?Cloud Camp Milan 2K9 Telecom Italia: Where P2P?
Cloud Camp Milan 2K9 Telecom Italia: Where P2P?Gabriele Bozzi
 

La actualidad más candente (20)

Lambda data grid: communications architecture in support of grid computing
Lambda data grid: communications architecture in support of grid computingLambda data grid: communications architecture in support of grid computing
Lambda data grid: communications architecture in support of grid computing
 
Next generation tech trend for global critical communication standard
Next generation tech trend for global critical communication standardNext generation tech trend for global critical communication standard
Next generation tech trend for global critical communication standard
 
Datacom module 2: Data Communication Architecture, Protocols, and Standards
Datacom module 2: Data Communication Architecture, Protocols, and StandardsDatacom module 2: Data Communication Architecture, Protocols, and Standards
Datacom module 2: Data Communication Architecture, Protocols, and Standards
 
Best strategy to control data on internet-of-robotic-things in heterogeneous ...
Best strategy to control data on internet-of-robotic-things in heterogeneous ...Best strategy to control data on internet-of-robotic-things in heterogeneous ...
Best strategy to control data on internet-of-robotic-things in heterogeneous ...
 
2009 HEP Science Network Requirements Workshop Final Report
2009 HEP Science Network Requirements Workshop Final Report2009 HEP Science Network Requirements Workshop Final Report
2009 HEP Science Network Requirements Workshop Final Report
 
Georgia tech 2010
Georgia tech 2010Georgia tech 2010
Georgia tech 2010
 
[.ppt]
[.ppt][.ppt]
[.ppt]
 
The Exascale Computing Project and the future of HPC
The Exascale Computing Project and the future of HPCThe Exascale Computing Project and the future of HPC
The Exascale Computing Project and the future of HPC
 
LTE Release 13 and SMARTER – Road Towards 5G
LTE Release 13 and SMARTER – Road Towards 5GLTE Release 13 and SMARTER – Road Towards 5G
LTE Release 13 and SMARTER – Road Towards 5G
 
PACE-IT: The OSI Networking Reference Model
PACE-IT: The OSI Networking Reference ModelPACE-IT: The OSI Networking Reference Model
PACE-IT: The OSI Networking Reference Model
 
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCS1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
 
Curriculum Vitae
Curriculum VitaeCurriculum Vitae
Curriculum Vitae
 
Curtis Resume
Curtis ResumeCurtis Resume
Curtis Resume
 
Building a Regional 100G Collaboration Infrastructure
Building a Regional 100G Collaboration InfrastructureBuilding a Regional 100G Collaboration Infrastructure
Building a Regional 100G Collaboration Infrastructure
 
An extensible, programmable, commercial-grade platform for internet service a...
An extensible, programmable, commercial-grade platform for internet service a...An extensible, programmable, commercial-grade platform for internet service a...
An extensible, programmable, commercial-grade platform for internet service a...
 
Experimental analysis of channel interference in ad hoc network
Experimental analysis of channel interference in ad hoc networkExperimental analysis of channel interference in ad hoc network
Experimental analysis of channel interference in ad hoc network
 
Datacom module 1: Introduction to Data Communications
Datacom module 1: Introduction to Data CommunicationsDatacom module 1: Introduction to Data Communications
Datacom module 1: Introduction to Data Communications
 
Datacom module 3: Data Communications Circuits, Arrangements, and Networks
Datacom module 3: Data Communications Circuits, Arrangements, and NetworksDatacom module 3: Data Communications Circuits, Arrangements, and Networks
Datacom module 3: Data Communications Circuits, Arrangements, and Networks
 
Comparison of DOD and OSI Model in the Internet Communication
Comparison of DOD and OSI Model in the Internet CommunicationComparison of DOD and OSI Model in the Internet Communication
Comparison of DOD and OSI Model in the Internet Communication
 
Cloud Camp Milan 2K9 Telecom Italia: Where P2P?
Cloud Camp Milan 2K9 Telecom Italia: Where P2P?Cloud Camp Milan 2K9 Telecom Italia: Where P2P?
Cloud Camp Milan 2K9 Telecom Italia: Where P2P?
 

Similar a TransPAC2 - Security (v8)

ANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARK
ANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARKANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARK
ANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARKIJNSA Journal
 
An Analysis on Software Defined Wireless Network using Stride Model
An Analysis on Software Defined Wireless Network using Stride ModelAn Analysis on Software Defined Wireless Network using Stride Model
An Analysis on Software Defined Wireless Network using Stride ModelIRJET Journal
 
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...IJCNCJournal
 
Passive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessPassive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessDavid Sweigert
 
Performance Analysis of Wireless Trusted Software Defined Networks
Performance Analysis of Wireless Trusted Software Defined NetworksPerformance Analysis of Wireless Trusted Software Defined Networks
Performance Analysis of Wireless Trusted Software Defined NetworksIRJET Journal
 
Network Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISPNetwork Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISPCSCJournals
 
Enhancing Data Transmission and Protection in Wireless Sensor Node- A Review
Enhancing Data Transmission and Protection in Wireless Sensor Node- A ReviewEnhancing Data Transmission and Protection in Wireless Sensor Node- A Review
Enhancing Data Transmission and Protection in Wireless Sensor Node- A ReviewIRJET Journal
 
Collecting and analyzing network-based evidence
Collecting and analyzing network-based evidenceCollecting and analyzing network-based evidence
Collecting and analyzing network-based evidenceCSITiaesprime
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureFiras Alsayied
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laShainaBoling829
 
IRJET- SDN Simulation in Mininet to Provide Security Via Firewall
IRJET- SDN Simulation in Mininet to Provide Security Via FirewallIRJET- SDN Simulation in Mininet to Provide Security Via Firewall
IRJET- SDN Simulation in Mininet to Provide Security Via FirewallIRJET Journal
 
ADVANCED MULTIMEDIA PLATFORM BASED ON BIG DATA AND ARTIFICIAL INTELLIGENCE IM...
ADVANCED MULTIMEDIA PLATFORM BASED ON BIG DATA AND ARTIFICIAL INTELLIGENCE IM...ADVANCED MULTIMEDIA PLATFORM BASED ON BIG DATA AND ARTIFICIAL INTELLIGENCE IM...
ADVANCED MULTIMEDIA PLATFORM BASED ON BIG DATA AND ARTIFICIAL INTELLIGENCE IM...IJNSA Journal
 
ICCIT_NSU_Comparative Security Analysis of Software Defined Wireless Networki...
ICCIT_NSU_Comparative Security Analysis of Software Defined Wireless Networki...ICCIT_NSU_Comparative Security Analysis of Software Defined Wireless Networki...
ICCIT_NSU_Comparative Security Analysis of Software Defined Wireless Networki...Asma Swapna
 
J_McConnell_LabReconnaissance
J_McConnell_LabReconnaissanceJ_McConnell_LabReconnaissance
J_McConnell_LabReconnaissanceJuanita McConnell
 
IRJET - Digital Forensics Analysis for Network Related Data
IRJET - Digital Forensics Analysis for Network Related DataIRJET - Digital Forensics Analysis for Network Related Data
IRJET - Digital Forensics Analysis for Network Related DataIRJET Journal
 
Sdn pres v2-Software-defined networks
Sdn pres v2-Software-defined networksSdn pres v2-Software-defined networks
Sdn pres v2-Software-defined networksahmad abdelhafeez
 
Study of campus network security
Study of campus network securityStudy of campus network security
Study of campus network securityTrishla Thakur
 
10 Criteria for Evaluating NPB, Security Architect Edition
10 Criteria for Evaluating NPB, Security Architect Edition10 Criteria for Evaluating NPB, Security Architect Edition
10 Criteria for Evaluating NPB, Security Architect EditionVSS Monitoring
 

Similar a TransPAC2 - Security (v8) (20)

ANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARK
ANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARKANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARK
ANALYZING NETWORK PERFORMANCE PARAMETERS USING WIRESHARK
 
An Analysis on Software Defined Wireless Network using Stride Model
An Analysis on Software Defined Wireless Network using Stride ModelAn Analysis on Software Defined Wireless Network using Stride Model
An Analysis on Software Defined Wireless Network using Stride Model
 
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
DEPLOYMENT OF INTRUSION PREVENTION SYSTEM ON MULTI-CORE PROCESSOR BASED SECUR...
 
Passive monitoring to build Situational Awareness
Passive monitoring to build Situational AwarenessPassive monitoring to build Situational Awareness
Passive monitoring to build Situational Awareness
 
Performance Analysis of Wireless Trusted Software Defined Networks
Performance Analysis of Wireless Trusted Software Defined NetworksPerformance Analysis of Wireless Trusted Software Defined Networks
Performance Analysis of Wireless Trusted Software Defined Networks
 
Ii2514901494
Ii2514901494Ii2514901494
Ii2514901494
 
Network Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISPNetwork Security: Experiment of Network Health Analysis At An ISP
Network Security: Experiment of Network Health Analysis At An ISP
 
Enhancing Data Transmission and Protection in Wireless Sensor Node- A Review
Enhancing Data Transmission and Protection in Wireless Sensor Node- A ReviewEnhancing Data Transmission and Protection in Wireless Sensor Node- A Review
Enhancing Data Transmission and Protection in Wireless Sensor Node- A Review
 
Collecting and analyzing network-based evidence
Collecting and analyzing network-based evidenceCollecting and analyzing network-based evidence
Collecting and analyzing network-based evidence
 
Security of software defined networks: evolution and challenges
Security of software defined networks: evolution and challengesSecurity of software defined networks: evolution and challenges
Security of software defined networks: evolution and challenges
 
Investigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a SecureInvestigation, Design and Implementation of a Secure
Investigation, Design and Implementation of a Secure
 
For your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and laFor your final step, you will synthesize the previous steps and la
For your final step, you will synthesize the previous steps and la
 
IRJET- SDN Simulation in Mininet to Provide Security Via Firewall
IRJET- SDN Simulation in Mininet to Provide Security Via FirewallIRJET- SDN Simulation in Mininet to Provide Security Via Firewall
IRJET- SDN Simulation in Mininet to Provide Security Via Firewall
 
ADVANCED MULTIMEDIA PLATFORM BASED ON BIG DATA AND ARTIFICIAL INTELLIGENCE IM...
ADVANCED MULTIMEDIA PLATFORM BASED ON BIG DATA AND ARTIFICIAL INTELLIGENCE IM...ADVANCED MULTIMEDIA PLATFORM BASED ON BIG DATA AND ARTIFICIAL INTELLIGENCE IM...
ADVANCED MULTIMEDIA PLATFORM BASED ON BIG DATA AND ARTIFICIAL INTELLIGENCE IM...
 
ICCIT_NSU_Comparative Security Analysis of Software Defined Wireless Networki...
ICCIT_NSU_Comparative Security Analysis of Software Defined Wireless Networki...ICCIT_NSU_Comparative Security Analysis of Software Defined Wireless Networki...
ICCIT_NSU_Comparative Security Analysis of Software Defined Wireless Networki...
 
J_McConnell_LabReconnaissance
J_McConnell_LabReconnaissanceJ_McConnell_LabReconnaissance
J_McConnell_LabReconnaissance
 
IRJET - Digital Forensics Analysis for Network Related Data
IRJET - Digital Forensics Analysis for Network Related DataIRJET - Digital Forensics Analysis for Network Related Data
IRJET - Digital Forensics Analysis for Network Related Data
 
Sdn pres v2-Software-defined networks
Sdn pres v2-Software-defined networksSdn pres v2-Software-defined networks
Sdn pres v2-Software-defined networks
 
Study of campus network security
Study of campus network securityStudy of campus network security
Study of campus network security
 
10 Criteria for Evaluating NPB, Security Architect Edition
10 Criteria for Evaluating NPB, Security Architect Edition10 Criteria for Evaluating NPB, Security Architect Edition
10 Criteria for Evaluating NPB, Security Architect Edition
 

Más de International Networking at Indiana University

Más de International Networking at Indiana University (18)

ACE: Opportunities For African Connectivity To The USA
ACE: Opportunities For African Connectivity To The USAACE: Opportunities For African Connectivity To The USA
ACE: Opportunities For African Connectivity To The USA
 
IN@IU - Who We Are & Where We're At
IN@IU - Who We Are & Where We're AtIN@IU - Who We Are & Where We're At
IN@IU - Who We Are & Where We're At
 
Pakistan Network Connectivity via ACE-TP3
Pakistan Network Connectivity via ACE-TP3Pakistan Network Connectivity via ACE-TP3
Pakistan Network Connectivity via ACE-TP3
 
TransPAC3 2010 NSF Annual Report
TransPAC3 2010 NSF Annual ReportTransPAC3 2010 NSF Annual Report
TransPAC3 2010 NSF Annual Report
 
ACE 2011 NSF Annual Report
ACE 2011 NSF Annual ReportACE 2011 NSF Annual Report
ACE 2011 NSF Annual Report
 
ACE and TransPAC3 - Cooperative Partnerships to facilitate Global R/E Collabo...
ACE and TransPAC3 - Cooperative Partnerships to facilitate Global R/E Collabo...ACE and TransPAC3 - Cooperative Partnerships to facilitate Global R/E Collabo...
ACE and TransPAC3 - Cooperative Partnerships to facilitate Global R/E Collabo...
 
Catalysing inter-regional network-enabled collaboration through workshopping ...
Catalysing inter-regional network-enabled collaboration through workshopping ...Catalysing inter-regional network-enabled collaboration through workshopping ...
Catalysing inter-regional network-enabled collaboration through workshopping ...
 
Ace+tp3 smm sa sig
Ace+tp3 smm sa sigAce+tp3 smm sa sig
Ace+tp3 smm sa sig
 
TransPAC2 Workplan - IRNC Final Review
TransPAC2 Workplan - IRNC Final ReviewTransPAC2 Workplan - IRNC Final Review
TransPAC2 Workplan - IRNC Final Review
 
Us india workshop workshop program v 7.1
Us india workshop workshop program v 7.1Us india workshop workshop program v 7.1
Us india workshop workshop program v 7.1
 
US-India Workshop Report
US-India Workshop ReportUS-India Workshop Report
US-India Workshop Report
 
Tein3 safs talk
Tein3 safs talkTein3 safs talk
Tein3 safs talk
 
Research and Education Connectivity to Pakistan
Research and Education Connectivity to PakistanResearch and Education Connectivity to Pakistan
Research and Education Connectivity to Pakistan
 
Dedicated R&E Network Connects Pakistan And The US
Dedicated R&E Network Connects Pakistan And The USDedicated R&E Network Connects Pakistan And The US
Dedicated R&E Network Connects Pakistan And The US
 
International Networking @ Indiana University
International Networking @ Indiana UniversityInternational Networking @ Indiana University
International Networking @ Indiana University
 
Jet - ACE & TransPAC3
Jet - ACE & TransPAC3Jet - ACE & TransPAC3
Jet - ACE & TransPAC3
 
BP Talk - IN@IU
BP Talk - IN@IUBP Talk - IN@IU
BP Talk - IN@IU
 
GLIF Geneva - ACE & TransPAC3
GLIF Geneva - ACE & TransPAC3GLIF Geneva - ACE & TransPAC3
GLIF Geneva - ACE & TransPAC3
 

TransPAC2 - Security (v8)

  • 1. Version 7.0 3/13/2011 TransPAC2 Security Services Work Plan 2007-2009 Prepared by John Hicks Problem Statement Security is a critical element of any high-performance network deployed today. Appropriate levels of insuring the security and integrity of the network infrastructure and protecting connected cyberinfrastructures against threats that transit the network are required. Introduction TransPAC2 will provide high-performance advanced network interconnections between the US and Asian research and education networks at speeds up to 10Gbps. Initially the TransPAC2 connection will be a tradition IP-based service. Future network enhancements could include circuit based lambda technologies. In addition to providing transpacific networking infrastructure for scientific and research collaborations, TransPAC2 will support large ancillary populations such as students in university residence halls and K-12 sites. While providing high-performance resources for R&E experiments, these connections also have the potential to provide a high-performance access threat to US and global infrastructure. Given the high-speed nature of R&E networks, and their common provision of 100 and 1000 Mbps connections to the desktop, the R&E end-user community is a prime target for network intrusions designed to gather “zombie” machines to participate in high-volume Distributed Denial of Service (DDoS) attacks, steal identities, etc. Network security threats do not have national boundaries, and data shows that a substantial amount of active threats directed at U.S. cyberinfrastructure is sourced overseas. Compounding that problem is the absence of effective international coordination and enforcement mechanisms The two security areas addressed throughout this project are protecting the network infrastructure itself and analyzing the data that transits our network. Protecting the network infrastructure is accomplished by packet filters applied to the control plane of the TransPAC2 router, keeping up to date on the vulnerabilities that effect network components, and monitoring device event logs. The TransPAC2 router is managed through the (Global Research) GRNOC and has a similar software security policy as the Internet2 network routers. The TransPAC2 PCs are protected and monitored with Bro IDS and remotely with the Internet Security Systems product Internet scanner. These systems provide security audits and port scanning of TransPAC2 network devices. In order to examine transit TransPAC2 traffic, NetFlow, SNMP, and BGP data are sent to the Research and Education Networking - Information Sharing and Analysis Center (REN-ISAC) for detailed analysis. Hosted by Indiana University and with the support and cooperation of Internet2 and EDUCAUSE, the REN-ISAC1 is an integral part of higher education’s strategy to improve network security through information collection, analysis, dissemination, early warning, and response. REN-ISAC services and products are specifically designed to support the unique environment and needs of organizations connected to served higher education and research networks, and support efforts to protect the national cyber infrastructure by participating in the formal U.S. ISAC structure. The REN-ISAC collects information through: network instrumentation such as NetFlow and router port traffic statistics, a REN-ISAC operated darknet that monitors for sources of worm and other threat scanning, the Global Research Network Operation Center (GRNOC) operational monitoring systems, daily cybersecurity status calls with other ISACs and US-CERT, vetted/closed security collaborations, network engineers, vendors, security mailing lists, and members. Analysis of information from these flows yields information that is provided to the REN- 1 http://www.transpac2.net http://www.ren-isac.net/
  • 2. Version 7.0 3/13/2011 ISAC member community through daily “weather reports”, alerts, and private reports to individual institutions regarding threats observed sourced from their domain. In addition the REN-ISAC responds to requests for assistance by institutions for aid in tracking and identifying specific threat activity. The REN-ISAC operates a 24x7 Watch Desk, collocated with the Global NOC. Current status TransPAC2 security has evolved into an operational mode. Daily reports from the REN- ISAC and the Peakflow SP provide sufficient information to address network anomalies. The following items describe actions taken to ensure the security of the network infrastructure itself. • The TransPAC2 router is protected against intrusions by packet filters applied to the control plane. • The operating systems of all network components are up to date. • Know vulnerabilities are fixed where appropriate. • Using the RANCID system, the Global NOC monitors the TransPAC2 router’s event logs. The RANCID system automatically emails appropriate engineers. See the following for more details: http://www.shrubbery.net/rancid/ • The TransPAC2 network components are fully incorporated into the Global Research NOC (GRNOC) monitoring infrastructure. • The Bro IDS and Internet scanner (ISS) provide security auditing and port scanning of TransPAC2 network devices. The following items describe activities related to the analysis of data that transits the TransPAC2 network. • REN-ISAC provides a daily view of national cybersecurity threats and potential dangers. Analysis of data from the TransPAC2 router is aggregated with other REN data to provide this view. • The Transpac2 router is fully incorporated into the Arbor Networks Peakflow SP product (http://www.arbornetworks.com/) used by the REN-ISAC. The SP system collects, analyzes, and manages Netflow, SNMP, and BGP data to provide a comprehensive view into traffic traversing the Transpac2 network. o TransPAC2 is using the security and reporting capabilities of the Arbor Peakflow SP System to publish (private) security analysis through a SOAP (Simple Object Application Protocol) interface. The Peakflow SP system has a rich set of statistics and security analysis capability that provides detailed analysis of TransPAC2 security events. The SP system implementation is made possible through the REN-ISAC also supported by Indiana University. As of September 1st, these updates are in place. o Web portals provide a restricted (passwd protected) view into TransPAC2 activity to TransPAC2 peers. o email and web notification are provided to the GRNOC and others concerning network anomalies (i.e. DDOS, worm/virus profiling, and other network events). TransPAC2 continues to disseminate security related information through APAN and other conferences in the Asian Pacific region.
  • 3. Version 7.0 3/13/2011 20075-20086 Work Plan The following list represents ongoing operational issues. The list will be augmented as procedures and techniques change. • Packet filters applied to the router control plane are updated when appropriate. • TransPAC2 network component operating systems are constantly upgraded to fix bugs and combat known vulnerabilities. • Firewall filter graphing will be used in association with SNMP counters to monitor traffic levels for various protocols and ports. See the following link for an example of this implementation: http://vixen.grnoc.iu.edu/jfirewall-viz/. • TransPAC2 engineers will continue to work with the REN-ISAC to develop custom data mining portals and reports for anomalous events and trend analysis. TransPAC2 will continue to disseminate information and participate in security related events in the US and Asian Pacific region. 20086-20097 Work Plan As networks evolve to higher speeds and greater complexity, security becomes more challenging. TransPAC2 engineers will collaborate with security groups in the US and Asian Pacific region to keep abreast of new technologies and new cyber threats