
Managing Network Threat Information

Giri Raichur, Network Services Team; Jim Clifford, TL, Network Services Team. Current implementation, future directions and opportunities for inter-laboratory collaboration.


Presentation Transcript


  1. Managing Network Threat Information Giri Raichur, Network Services Team; Jim Clifford, TL, Network Services Team. Current implementation, future directions and opportunities for inter-laboratory collaboration.

  2. Managing Network Threat Information • Network threats: viruses, phishing attacks, malware, etc. • Availability of alert information • Incorporating information into network control points

  3. How CSIRT manages threat information • Uses a MySQL database with a web front end. • Host IP addresses and domain names of attack sites are propagated to DNS servers, firewalls and proxies and blocked within minutes. • The central repository and automatic updates allow CSIRT staff to manage blocking information without relying on system and network administration experts. • Web requests to blocked sites are redirected to an informative web page. • The database helps support staff troubleshoot connectivity problems.

  4. Sources of threat information • US-CERT, DOE-CIRC • Local intelligence • http://malwaredomains.com • http://isc.sans.org • http://shadowserver.org/wiki • http://blog.trendmicro.com • http://www.dynamoo.com/blog • http://www.f-secure.com • http://www.threatexpert.com • http://safeweb.norton.com

  5. Current Implementation

  6. Black Hole Interface • Uses a Python API written to be shared by several different blocking mechanisms. • The API tracks the change history. • Reads of the rule list and its history can be done without the API. • Blocks automatically expire.

  7. DNS BlackHole Interface

  8. Firewall Interface
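The following is an added example, not LANL's code, that models what slides 3 and 6 through 8 describe: one authoritative block list with a change history and automatic expiry, plus two renderers that turn the same list into a BIND "blackhole" configuration (each blocked domain becomes a locally authoritative zone served from one shared zone file whose records point at a sinkhole host that serves the informative page) and into iptables rules. SQLite stands in for the MySQL database, the chain name, zone-file path, default TTL and column layout are assumptions, and the validation in normalize() is the check a practitioner would add so a typo in the web front end cannot become a malformed DNS or iptables rule.

```python
import ipaddress
import sqlite3
import time
from datetime import datetime, timezone

# Assumed schema (not LANL's): the block table is the single source of truth,
# the history table is what slide 6 calls the change history.
SCHEMA = """
CREATE TABLE IF NOT EXISTS blocks (
    kind       TEXT NOT NULL CHECK (kind IN ('ip', 'domain')),
    value      TEXT NOT NULL,
    source     TEXT NOT NULL,      -- e.g. 'US-CERT', 'local intelligence'
    expires_at REAL NOT NULL,      -- UNIX epoch; blocks expire automatically
    active     INTEGER NOT NULL DEFAULT 1,
    PRIMARY KEY (kind, value)
);
CREATE TABLE IF NOT EXISTS history (
    ts TEXT NOT NULL, actor TEXT NOT NULL, action TEXT NOT NULL,
    kind TEXT NOT NULL, value TEXT NOT NULL
);
"""


def normalize(kind, value):
    """Validate and canonicalize input before it reaches any control point."""
    if kind == "ip":
        return str(ipaddress.ip_address(value.strip()))  # ValueError on junk
    if kind == "domain":
        v = value.strip().lower().rstrip(".")
        # Characters that would break a named.conf stanza are rejected outright.
        if not v or v.startswith(".") or any(c in v for c in ' \t;{}"\n'):
            raise ValueError(f"bad domain: {value!r}")
        return v
    raise ValueError(f"unknown kind {kind!r}")


class BlackHole:
    """Shared API used by every blocking mechanism (DNS, firewall, proxy)."""

    def __init__(self, path=":memory:", clock=time.time):
        self.db = sqlite3.connect(path)
        self.db.executescript(SCHEMA)
        self.clock = clock  # injectable so expiry can be tested deterministically

    def _log(self, actor, action, kind, value):
        ts = datetime.fromtimestamp(self.clock(), timezone.utc).isoformat()
        self.db.execute("INSERT INTO history VALUES (?,?,?,?,?)",
                        (ts, actor, action, kind, value))

    def add(self, kind, value, source, actor, ttl_hours=72):
        value = normalize(kind, value)
        expires = self.clock() + ttl_hours * 3600
        self.db.execute("INSERT OR REPLACE INTO blocks VALUES (?,?,?,?,1)",
                        (kind, value, source, expires))
        self._log(actor, "add", kind, value)
        self.db.commit()

    def remove(self, kind, value, actor):
        value = normalize(kind, value)
        cur = self.db.execute("UPDATE blocks SET active=0 WHERE kind=? AND value=? AND active=1",
                              (kind, value))
        if cur.rowcount:
            self._log(actor, "remove", kind, value)
        self.db.commit()
        return cur.rowcount

    def expire(self):
        """Retire blocks past their TTL; returns how many were retired."""
        rows = self.db.execute("SELECT kind, value FROM blocks WHERE active=1 AND expires_at<=?",
                               (self.clock(),)).fetchall()
        for kind, value in rows:
            self.db.execute("UPDATE blocks SET active=0 WHERE kind=? AND value=?", (kind, value))
            self._log("system", "expire", kind, value)
        self.db.commit()
        return len(rows)

    def active(self, kind):
        self.expire()
        return [r[0] for r in self.db.execute(
            "SELECT value FROM blocks WHERE active=1 AND kind=? ORDER BY value", (kind,))]

    def history(self):
        # Plain SQL: help desks can read this without going through the API.
        return self.db.execute("SELECT ts, actor, action, kind, value FROM history ORDER BY rowid").fetchall()


# Control-point renderers. Each reads the same authoritative list, so adding a
# new control point means adding one more function like these.

def render_named_conf(bh, zone_file="/etc/bind/blackhole.zone"):
    """BIND stanzas: each blocked domain is served locally from one shared zone
    file whose '@' and '*' A records point at the sinkhole web server."""
    return "".join(f'zone "{d}" {{ type master; file "{zone_file}"; }};\n'
                   for d in bh.active("domain"))


def render_iptables(bh, chain="CSIRT_BLOCK"):
    """Rebuild a dedicated chain so a reload never leaves stale rules behind."""
    lines = [f"iptables -N {chain} 2>/dev/null; iptables -F {chain}"]
    lines += [f"iptables -A {chain} -d {ip} -j DROP" for ip in bh.active("ip")]
    return "\n".join(lines) + "\n"
```

The constructed usage: `bh.add("domain", "malware.example", "malwaredomains.com", "analyst1", ttl_hours=24)` followed by `render_named_conf(bh)` yields the named.conf stanza for that domain, and once the clock passes the TTL, `bh.expire()` retires the block and records an `expire` entry in the history alongside the analyst's `add`. The renderers call `active()`, which runs `expire()` first, so a control point can never pull a block that has already lapsed.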

  9. Advantages of using LANL’s approach • The authoritative data resides in one central database • The access control lists are pushed/pulled into various control points • Access information is “standardized” • Easy-to-use user interface • Authorized users can add/delete without knowing the formats for specific applications like DNS and iptables • Changes are near real time • New control points can be added easily to use existing access information • Access information is available to help desks and other support staff • Access information can be audited and tested

  10. Future direction • Federated access policies using the TNC (Trusted Network Connect) IF-MAP (Interface for Metadata Access Points) protocol

  11. What is IF-MAP? • IF-MAP describes a database that contains metadata about systems and users currently connected to a network. • Uses a publish/subscribe model, where all the network and security applications can participate in updating and querying the IF-MAP server • XML-based protocol that uses the SOAP (Simple Object Access Protocol) specification as defined by the W3C • Published in May 2008 by the Trusted Computing Group • Freely available for anyone to implement • Growing base of vendor and product support • Aggregates real-time information from various sources. Uses both standard data types and vendor-specific extensions

  12. IF-MAP Makes it Easy for Devices and Systems to Share Data
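To make the publish/subscribe model of slides 10 through 12 concrete, here is an added, in-memory model of the IF-MAP semantics (identifiers, links between them, metadata attached by publishers, and subscribers that poll for changes). It is an illustration written for this page, not a conformant implementation of the TCG wire protocol: the real exchange is SOAP/XML over HTTPS, and the identifier names, metadata fields and the "feed" identifier used to federate a block list across clients are assumptions.

```python
from collections import defaultdict


class MapServer:
    """Toy MAP server: a metadata graph plus subscriptions, no SOAP, no auth."""

    def __init__(self):
        self.metadata = defaultdict(list)  # identifier -> [(publisher, meta)]
        self.links = defaultdict(set)      # identifier -> linked identifiers
        self.subs = {}                     # (client, name) -> (start, depth)
        self.pending = defaultdict(list)   # client -> results awaiting poll()

    def publish(self, publisher, identifier, meta, link_to=None):
        """Attach metadata to an identifier, optionally linking it to another."""
        self.metadata[identifier].append((publisher, meta))
        if link_to is not None:
            self.links[identifier].add(link_to)
            self.links[link_to].add(identifier)
        self._notify(identifier)

    def delete(self, publisher, identifier, meta_type):
        """Remove a publisher's metadata of one type; links stay in place."""
        kept = [(p, m) for p, m in self.metadata[identifier]
                if not (p == publisher and m["type"] == meta_type)]
        if len(kept) != len(self.metadata[identifier]):
            self.metadata[identifier] = kept
            self._notify(identifier)

    def search(self, start, max_depth=1):
        """Breadth-first walk from `start`, returning {identifier: [meta, ...]}."""
        result, seen, frontier, depth = {}, {start}, [start], 0
        while frontier and depth <= max_depth:
            nxt = []
            for ident in frontier:
                result[ident] = [m for _, m in self.metadata[ident]]
                for n in self.links[ident]:
                    if n not in seen:
                        seen.add(n)
                        nxt.append(n)
            frontier, depth = nxt, depth + 1
        return result

    def subscribe(self, client, name, start, max_depth=1):
        """Register a standing search; the first result is queued immediately."""
        self.subs[(client, name)] = (start, max_depth)
        self.pending[client].append((name, self.search(start, max_depth)))

    def poll(self, client):
        """Hand back queued results, as a client would on a long-lived poll."""
        out, self.pending[client] = self.pending[client], []
        return out

    def _notify(self, changed):
        # Re-run each subscription; clients whose result set contains the
        # changed identifier get a fresh result queued for their next poll.
        for (client, name), (start, depth) in self.subs.items():
            res = self.search(start, depth)
            if changed in res:
                self.pending[client].append((name, res))


def to_blocklist(result):
    """What a firewall or DNS client does with a poll result: keep the
    ip-address identifiers that still carry 'event' metadata (assumed type)."""
    return sorted(value for (kind, value), metas in result.items()
                  if kind == "ip-address" and any(m["type"] == "event" for m in metas))
```

In the constructed scenario a CSIRT console publishes an "event" on an ip-address identifier and links it to a feed identifier; a firewall client that subscribed to that feed at depth 1 receives the new address on its next poll, and receives another update when the event is deleted, so the same published fact can drive every subscribed control point, at one site or several, without each maintaining its own copy of the list.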

  13. Further discussions • Fast response to immediate threats is not unique to LANL • What do other sites do? • How can we minimize redundant access lists based on inter-site intelligence instead of each site maintaining that list? • How can we share data that is useful and timely? • Any interest in a collaborative effort?
