JANET and its Computer Emergency Response Team CERT

Description:

The SUSEC Meeting, 19-20th October 2004 The JNT Association, 2004 ... 1700 weekends excluding UK bank holidays, Xmas day, boxing day and Easter Sunday. ... – PowerPoint PPT presentation


1
JANET and its Computer Emergency Response Team
(CERT)
  • Andy Bone
  • Hd of JANET-CERT
  • a.bone_at_ukerna.ac.uk

2
Agenda
  • JANET Overview.
  • JANET-CERT.
  • What it is
  • What it does
  • What it's going to do (Hopefully)

3
What is JANET
  • The Joint Academic NETwork (JANET) is the
    academic and scientific research network operated
    and developed by UKERNA under a Service Level
    Agreement from the Joint Information Systems
    Committee (JISC) of the UK Higher and Further
    Education Funding Councils.
  • JANET is connected to the equivalent academic
    networks in other countries and to many
    commercial networks in the UK and abroad forming
    part of the global internet and is now one of the
    largest private networks in Europe.
  • The JANET Connection Policy defines which
    organisations are eligible to connect to the
    network and the JANET Acceptable Use Policy
    defines its use.

4
Who are UKERNA?
  • UKERNA are a non-profit organisation which manage
    the operation and development of the JANET
    network under a Service Level Agreement (SLA)
    from the Joint Information Systems Committee
    (JISC) of the UK Higher and Further Education
    Funding Councils.
  • UKERNA also administers .ac.uk and .gov.uk domain
    names and provides security services through
    JANET-CERT.
  • www.ukerna.ac.uk

5
SuperJANET4 Topology
  • Core Points of Presence (CPOP) locations

[Figure: SuperJANET4 topology map; legend: backbone links, regional network access links]
6
What is JANET?
  • 19 regional networks.
  • 10 Gb core across UK.
  • > 20 Gb external connectivity.
  • 1,000 sites.
  • Potentially 12m users, rising
    to 20m over the next 3 years

7
Backbone
At the end of 2002, the backbone was successfully
upgraded from 2.5Gb to 10Gb.
8
JANET External Links
  • Access to the London Internet Exchange (LINX):
    LINX, Gigabit Ethernet. General access to other
    commercial ISPs.
  • Access to CERNET: CERNET, 2MB, China. General access.
  • Access to European networks: GÉANT, 2.5Gbit/s.
    General access to European academic
    networks and other European-based backbone
    networks.
  • Access to the U.S.A: Access to the USA and the
    rest of the internet is currently changing but is
    currently at 2.5Gbit/s.

9
Regional Networks
10
Regional Networks
  • Contractual arrangements updated
  • simplified funding regime
  • include funding for ancillary services and
  • include ability to change for SuperJANET5.
  • Regional network development forum established.
  • Funding provided to improve reliability due to
    connection technology.

11
Regional Networks
  • Current challenges
  • increasing reliability to sites and
  • preparing regional networks for SuperJANET5.
  • Longer term challenges
  • longer-term sustainability of funding and
  • predictability of funding timing and amount.
  • being considered as part of SuperJANET5.

12
Site and Bandwidth Growth
13
Growth History
14
JANET Usage
[Chart: JANET usage, TBytes by month; annotation: Summer breaks]
15
Operational Services
  • Computer Emergency Response Team.
  • Videoconferencing Service.
  • Video Technology Advisory Service.
  • Usenet News (feeds and readers).
  • Training.
  • Fault reporting and management.
  • Network Monitoring (stan, netsight)
  • Mailer Shield

16
JANET-CERT: JANET's Security Team
17
What is a CSIRT
CERT/CC defines a CSIRT as:
An Organisation or team that provides services
and support for preventing and responding to
computer security incidents to a defined
constituency
18
Reasons for having a CSIRT
  • Best practice
  • In education, government and business
  • At national, network and organisation level
  • Effective response to growing threat to networks
  • Essential support for growing reliance on
    networks
  • JANET Security Policy requirement
  • sites need to have an accessible central
    contact
  • assist in the investigation of a breach of
    security.

19
What can a CSIRT give
  • Reactive
  • A more focused response
  • More rapid and standard response
  • Dedicated trained staff
  • A more coordinated response inside the security
    community
  • Proactive
  • A valued service to the business process
  • Provision of Vulnerability checks and development
    of security policies
  • Can input into product lifecycles and company
    network operations

20
History of JANET-CERT
  • Once UKERNA had formed at the beginning of
    1994 it was recognised that there was a
    requirement for a computer security team to
    handle the growing number of incidents and
    computer based incursions. These were being
    initiated both internally and externally and had
    the potential to be very embarrassing for the
    higher education authorities. Not only from a
    data protection point of view, but many of its
    students were using the network for, let's say,
    dubious practices.
  • It was therefore decided that a team
    initially of 3 should be created and it started
    business towards the end of 1994 making it one of
    the oldest CERTs in the UK and Europe.

21
Our Mission Statement
  • The mission of JANET-CERT is to

Ensure the present and future security of JANET
and its customers
  • Lead on JANET security
  • Coordinate responses
  • Develop security resources
  • Maintain leading-edge skills.

22
The Constituency
  • The JANET-CERT Constituency consists of all
    the members of the JANET Community and by
    contract to HEANet (Ireland). We also have an MOU
    with the National Health Service (NHSNet)
    signed last week for closer cooperation and the
    use of our services on related computer security
    issues. Potentially over 6 million users.
  • All new sites of the community are required
    to sign an AUP and Security Policy as part of
    their connection procedures. This gives the CERT
    team their power base which can include blocking
    service or proceedings leading to expulsion in
    extreme cases.

23
JANET-CERT
  • CSIRT for the JANET network
  • To protect the network
  • And help customer organisations
  • Advertised security contact for .ac.uk
  • Works with nominated site security contacts
  • Services set by JISC Service Level Agreement
  • Incident response, information, awareness, liaison

24
JANET-CERT
  • Service Level Agreement through the JISC
  • Response
  • Receive and co-ordinate incident reports until
    completion.
  • Offer advice to our constituents on corrective
    actions.
  • Liaison with both internal/external
    sites/agencies including other CERTS and law
    enforcement to resolve differences.
  • Protect the network
  • Authorised to disconnect or block sites or
    equipment that pose a threat

25
The Incident Handling Process
1. Initial Analysis and data collection
2. Obtain Contact Information and notify others
3. Perform Technical Analysis
4. Coordinate Information and response
[Diagram labels: EMail, Telephone, IDS or Local system, Other Services, Other, Triage, Incident Report]
26
Types of Incidents reported by JANET customers
  • Probe or Scan
  • Root Compromise
  • Denial of Service
  • Trojan
  • Virus
  • Spam
  • Abuse/AUP
  • Liaison with law enforcement
  • Web Defacement
  • Warez (pirated software, music or video)
  • With JANET sites as both the target and the
    source!

27
Incident Response
  • Receive incident reports from sites and Internet
  • E-mail 8am-6pm; phone to midnight and weekends
  • Some automated detection of network problems
  • Hope to increase this in future
  • Advise JANET sites on resolving problems
  • Contact external sites (or CSIRTs) to complain
  • Track every incident until closed

28
JANET-CERT
  • Information
  • We provide two mailing lists providing
    information (CERT Contacts)
  • UK-Security-Announce (Read only external to CERT)
  • CERT advisories of new threats/solutions or
    announcements
  • UK-Security (CERT Contacts and related
    recommended constituents)
  • Security related discussion and the information
    provided above.
  • Technical, policy and minor legal Support.
  • Web site http://www.ja.net/CERT/
  • Papers, reports, articles, guides and notes.
  • In paper and digital form at http://www.ukerna.ac.uk

29
JANET-CERT
  • Awareness
  • Training courses
  • Conferences and Workshops
  • Presentations
  • Liaison
  • Other CERTS (UK-CERT, TF-CSIRT and FIRST)
  • Law enforcement and the security services.
  • External network operators and ISPs
  • Anyone else that asks to share mutual
    information.

30
Current JANET-CERT Resources
  • Staffing
  • Currently 8 personnel
  • Manned
  • From 0800-1800 Mon-Fri
  • On call 1800-2359 weeknights and 0900-1700
    weekends excluding UK bank holidays, Xmas Day,
    Boxing Day and Easter Sunday.
  • Communications
  • Email: cert_at_cert.ja.net
  • Telephone: 44 (0)1235 822340
  • Fax: 44 (0)1235 822398

31
Recent Projects
  • The new network has been in production since the
    8th Nov 03.
  • BCP will be located at Leeds; testing almost
    complete.
  • RTIR has been in production since 01 Dec 2003,
    some internal tweaks have been carried out. A new
    working group through TF-CSIRT is looking at the
    specification for Version 2.
    http://www.bestpractical.com/pub/rt/release/rtir.tg
  • IPHS is now in place.
  • Netflow, under SJ4 and SJ5, looking at different
    solutions.
  • Website Update.
  • Policy and Procedure Review.
  • eCSIRT.NET https://www.ecsirt.net/

32
New CERT Structure and Services
  • JISC Buy in (Security within JANET).
  • Security policy framework
  • Best practice guides.
  • JANET Security Policy and AUP review.
  • Proposed New Services
  • Abuse and Triage.
  • Investigations and Forensics.
  • Security Health Check and consultation.
  • Team Structure.

33
Proposed Structure
[Organisation chart: Hd of JANET-CERT; Sec Health Chk Team leader; Investigations team Leader; Abuse Team Leader; team sizes shown: Approx 4/5 personnel, Approx 4 personnel, Approx 3 personnel]
34
Services Time Line 2004
  • JANET Security Enhancement Project agreed by JCN.
  • JISC agreement to ERT Expansion proposal.
  • End of November
  • Complete and submit to the UKERNA executive and
    JISC the implementation plan for the new
    services.
  • Complete all CERT ongoing projects.
  • December.
  • JISC Agreement to implementation plan.
  • Begin recruitment of service team leaders.
  • Initiate new service outlines.

35
Proposed JANET-CERT Resources
  • Staffing: 13 personnel
  • Manned: From 0800-1800 Mon-Fri (although team
    oriented)
  • On call: 1800-0800 weeknights and 0001-2359
    weekends, giving 24/7 coverage.
  • Communications: Possibly abuse_at_ja.net
  • Email: cert_at_cert.ja.net
  • Telephone: 44 (0)1235 822340
  • Fax: 44 (0)1235 822398

36
Food for Thought
  • What is the greatest threat to computer security
    today?
  • malicious hackers, cyber criminals and
    terrorists.
  • under-informed or badly trained administrators.
  • lazy users.
  • stingy and ill-informed senior managers.
  • Vendors' or technologists' bad practice.

37
Questions