Warsaw conference and training, September 25-29, 2007.
Development of services for analysis and prevention of incidents in RENAM network
Alexandr Golubev ([email protected]) , Alexei Altuhov ([email protected])
RENAM Association
Warsaw workshop, September 28, 2007
Secure and reliable network operation
Raising the level of security of RENAM network operation and of the protection of systems and users' information, by means of:
Security technology implementation
Organizational measures
CERT common services
The essential function a team must provide in order to call itself a CSIRT; it may consist of any or all of:
• Incident prevention
• Incident detection
• Incident analysis
» Forensic evidence collection
» Tracing or tracking
• Incident post-processing
Ticketing system: problems
The mail dispatcher is not configured properly
Incidents are currently entered manually by CERT officers
The design and usability are poor
Monitoring
Network monitoring uses various systems based on the ICMP and SNMP protocols.
Many existing systems can help monitor a network. Our CERT uses the following two:
• Nagios
• NetIIS
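As an added example (not part of the original slides and not RENAM's configuration), here is a minimal ICMP check in Python written to the Nagios plugin conventions: it parses the summary printed by Linux iputils `ping`, applies check_ping-style round-trip-time and packet-loss thresholds, reports the state through the exit code (0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN) and appends performance data after `|`. The thresholds, the default host and the three sample `ping` outputs are constructed for illustration.

```python
"""check_icmp_py: a Nagios-style ICMP check (added example, not RENAM's code).

Nagios reads only the plugin's exit code and its first output line; the part
after '|' is performance data. Thresholds follow check_ping: a pair of
(round-trip ms, packet-loss %) for WARNING and another for CRITICAL.
The host and thresholds below are assumptions for illustration.
"""
import re
import subprocess
import sys

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3
STATE_NAMES = {OK: "OK", WARNING: "WARNING", CRITICAL: "CRITICAL", UNKNOWN: "UNKNOWN"}

# Summary lines printed by iputils ping; '+N errors' appears when ICMP errors came back.
LOSS_RE = re.compile(
    r"(\d+) packets transmitted, (\d+) received,(?: \+\d+ errors,)? ([\d.]+)% packet loss")
RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")

# Constructed sample outputs (not captured from RENAM hosts), used for testing.
SAMPLE_OK = (
    "PING 192.0.2.10 (192.0.2.10) 56(84) bytes of data.\n"
    "64 bytes from 192.0.2.10: icmp_seq=1 ttl=63 time=0.412 ms\n"
    "\n--- 192.0.2.10 ping statistics ---\n"
    "5 packets transmitted, 5 received, 0% packet loss, time 4005ms\n"
    "rtt min/avg/max/mdev = 0.380/0.412/0.455/0.027 ms\n"
)
SAMPLE_LOSSY = (
    "--- 192.0.2.11 ping statistics ---\n"
    "5 packets transmitted, 3 received, 40% packet loss, time 4010ms\n"
    "rtt min/avg/max/mdev = 120.101/130.442/141.003/8.600 ms\n"
)
SAMPLE_DOWN = (
    "--- 192.0.2.12 ping statistics ---\n"
    "5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 4099ms\n"
)


def parse_ping(output):
    """Return (average rtt in ms or None, packet loss in percent) from ping's summary."""
    loss = LOSS_RE.search(output)
    if not loss:
        raise ValueError("no packet-loss summary in ping output")
    rtt = RTT_RE.search(output)           # absent when every packet was lost
    avg_rtt = float(rtt.group(2)) if rtt else None
    return avg_rtt, float(loss.group(3))


def evaluate(avg_rtt, loss_pct, warn=(100.0, 20.0), crit=(500.0, 60.0)):
    """Map rtt/loss to a Nagios state and build the output line with perfdata."""
    if avg_rtt is None or loss_pct >= 100.0:
        state = CRITICAL
    elif avg_rtt >= crit[0] or loss_pct >= crit[1]:
        state = CRITICAL
    elif avg_rtt >= warn[0] or loss_pct >= warn[1]:
        state = WARNING
    else:
        state = OK
    rta_text = "%.3f ms" % avg_rtt if avg_rtt is not None else "n/a"
    rta_perf = "%.3f" % avg_rtt if avg_rtt is not None else "U"   # 'U' = undefined value
    message = "PING %s - Packet loss = %d%%, RTA = %s|rta=%sms;%s;%s;0 pl=%d%%;%d;%d;0" % (
        STATE_NAMES[state], loss_pct, rta_text,
        rta_perf, warn[0], crit[0], loss_pct, warn[1], crit[1])
    return state, message


def check_host(host, count=5, deadline=10):
    """Run ping (iputils flags) and return (state, message); UNKNOWN on plugin errors."""
    try:
        proc = subprocess.run(["ping", "-c", str(count), "-w", str(deadline), host],
                              capture_output=True, text=True)
        return evaluate(*parse_ping(proc.stdout))
    except (OSError, ValueError) as exc:
        return UNKNOWN, "PING UNKNOWN - %s" % exc


if __name__ == "__main__":
    state, message = check_host(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print(message)
    sys.exit(state)
```

The UNKNOWN branch matters: an uncaught Python exception exits with status 1, which Nagios would display as WARNING, so plugin failures would be indistinguishable from real degradation of the monitored host.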
NetIIS
Because NetIIS needs substantial resources (more than 2 GB of RAM and a CPU faster than 2 GHz), we in Moldova are not able to install it on our CERT server.
NetIIS is not as popular as Nagios, so there is much less documentation for it.
Statistics
• General statistics available to every user
• Statistics of incidents per month, grouped by type
• Statistics of incidents resolved (handled) by each CERT officer, for analysing each officer's work
A further SOAP service must provide daily and monthly statistics for publication on other sites and in the press.
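The three statistics listed above are aggregations over the ticket records. The following Python is an added example, not the RENAM system's code: the record layout (id, type, opened, resolved, officer) and the sample incidents are constructed, and the dictionaries the functions return are what a publishing service (SOAP or otherwise) would serialise.

```python
"""Incident statistics for a CERT ticket database (added example, not RENAM's code).

Record layout is an assumption; timestamps are 'YYYY-MM-DDTHH:MM', and
resolved=None marks a ticket that is still open.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample data, not real MD-CERT incidents.
INCIDENTS = [
    {"id": 1, "type": "scan",    "opened": "2007-08-03T09:15", "resolved": "2007-08-03T11:15", "officer": "officer_a"},
    {"id": 2, "type": "spam",    "opened": "2007-08-10T14:00", "resolved": "2007-08-11T14:00", "officer": "officer_b"},
    {"id": 3, "type": "scan",    "opened": "2007-08-21T08:00", "resolved": "2007-08-21T12:00", "officer": "officer_a"},
    {"id": 4, "type": "malware", "opened": "2007-09-02T10:30", "resolved": "2007-09-05T10:30", "officer": "officer_b"},
    {"id": 5, "type": "spam",    "opened": "2007-09-05T16:45", "resolved": None,               "officer": "officer_b"},
    {"id": 6, "type": "scan",    "opened": "2007-09-05T17:00", "resolved": "2007-09-06T17:00", "officer": "officer_a"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M")


def by_month_and_type(incidents):
    """Incidents per month grouped by type: {'YYYY-MM': {type: count}}."""
    table = defaultdict(lambda: defaultdict(int))
    for inc in incidents:
        table[inc["opened"][:7]][inc["type"]] += 1
    return {month: dict(types) for month, types in sorted(table.items())}


def per_officer(incidents):
    """Per officer: tickets resolved and median hours from opening to resolution.

    Open tickets are excluded. A median rather than a mean keeps a single
    long-running case from dominating an officer's figure.
    """
    hours = defaultdict(list)
    for inc in incidents:
        if inc["resolved"]:
            elapsed = _ts(inc["resolved"]) - _ts(inc["opened"])
            hours[inc["officer"]].append(elapsed.total_seconds() / 3600)
    return {officer: {"handled": len(h), "median_hours": round(median(h), 1)}
            for officer, h in sorted(hours.items())}


def daily_summary(incidents, day):
    """Totals for one day ('YYYY-MM-DD'), the only thing a public feed should carry.

    No ticket ids, hosts or reporter identities leave the system this way.
    """
    opened = sum(1 for inc in incidents if inc["opened"][:10] == day)
    resolved = sum(1 for inc in incidents
                   if inc["resolved"] and inc["resolved"][:10] == day)
    return {"date": day, "opened": opened, "resolved": resolved}


if __name__ == "__main__":
    for month, types in by_month_and_type(INCIDENTS).items():
        print(month, types)
    print(per_officer(INCIDENTS))
    print(daily_summary(INCIDENTS, "2007-09-05"))
```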
RENAM Administrator services
• Forum
• Ticketing System
• Editing FAQ
• Incident form
• Full statistics
Collecting incidents
• Monitoring of the network and recording of suspicious segments or activity in it.
• A user reports an incident in their own part of the network; once the report has been processed by a CERT officer it is treated as an incident.
• Information about an incident is received from another CERT's system, since CERT systems and teams must exchange information about incidents.
How to inform us about an incident?
A user or administrator can submit an incident by:
• Submitting the incident on the MD-CERT web site: http://cert.renam.md; http://cert.acad.md; http://www.cert.md;
• Sending the query by fax or phone;
• Sending the query by email;
• Sending the information about the incident by other means.
Communication with other CERTs
RENAM users and administrators have the highest priority in resolving and analysing incidents. But all Internet users from Moldova and from other countries can use the CERT services of the RENAM Association for resolving incidents in their network segments.
MD-CERT is open for communication and cooperation with other CERT teams from Moldova and other countries.
Conclusions and problems
The CERT in Moldova collects incidents, but so far there are no real incidents
The organizational measures for developing the CERT in Moldova are too weak
There is no backup system at MD-CERT at this time
What does MD-CERT need?
More practical training; for example, it would be great to have training on advanced RT and RTIR configuration and on connecting one of the monitoring systems to RT
More software: monitoring systems, ticketing systems, etc.
Instructions/documentation for incident resolution
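The wish to connect a monitoring system to RT and the ticketing problems noted earlier (a mail dispatcher that does not feed the queue, incidents entered by hand) point at the same integration. The script below is an added example, not MD-CERT's code: run as a Nagios notification command, it opens a ticket through RT's REST 1.0 interface. The RT URL, queue name and user account, and the assumption that Nagios exports its macros as NAGIOS_* environment variables (enable_environment_macros=1), are all assumptions, and the sample notification is constructed.

```python
"""notify-rt: open an RT ticket from a Nagios notification (added example, not MD-CERT's code).

Assumptions (not from the original): RT 3.x with the REST 1.0 interface at
RT_URL, a queue named RT_QUEUE, a dedicated RT account for Nagios whose
password arrives in the environment, and Nagios running with
enable_environment_macros=1 so its macros are available as NAGIOS_* variables.
"""
import os
import re
import sys
import urllib.parse
import urllib.request

RT_URL = "https://rt.example.org/rt"          # assumption
RT_QUEUE = "Incidents"                          # assumption
RT_USER = os.environ.get("RT_USER", "nagios")   # assumption
RT_PASS = os.environ.get("RT_PASS", "")         # never hard-code the real secret

# Nagios macros this script reads, as NAGIOS_<name> environment variables.
MACRO_NAMES = ("NOTIFICATIONTYPE", "HOSTNAME", "HOSTADDRESS", "SERVICEDESC",
               "SERVICESTATE", "SERVICEOUTPUT", "LONGDATETIME")

# Constructed sample notification, not a real RENAM alert.
SAMPLE_MACROS = {
    "NOTIFICATIONTYPE": "PROBLEM", "HOSTNAME": "web1", "HOSTADDRESS": "192.0.2.20",
    "SERVICEDESC": "HTTP", "SERVICESTATE": "CRITICAL",
    "SERVICEOUTPUT": "HTTP CRITICAL - Unable to open TCP socket",
    "LONGDATETIME": "Fri Sep 28 10:15:00 EEST 2007",
}

TICKET_RE = re.compile(r"^# Ticket (\d+) created", re.MULTILINE)


def should_open(macros):
    """Create a ticket only for PROBLEM notifications of a non-OK state."""
    return (macros.get("NOTIFICATIONTYPE") == "PROBLEM"
            and macros.get("SERVICESTATE") in ("WARNING", "CRITICAL", "UNKNOWN"))


def rt_content(macros):
    """Serialise a new ticket in RT REST 1.0 'Key: value' form.

    Every value is flattened to a single line first: in this format an
    unindented line starts a new field, so a newline inside a check's
    output could otherwise inject fields such as Queue or Owner.
    Continuation lines of the Text field are indented with one space.
    """
    m = {k: " ".join(str(v).splitlines()) for k, v in macros.items()}
    subject = "[nagios] %s/%s %s" % (m["HOSTNAME"], m["SERVICEDESC"], m["SERVICESTATE"])
    body = [
        "Nagios reports %s on %s (%s)" % (m["SERVICESTATE"], m["HOSTNAME"], m["HOSTADDRESS"]),
        "Service: %s" % m["SERVICEDESC"],
        "Output: %s" % m["SERVICEOUTPUT"],
        "Time: %s" % m["LONGDATETIME"],
    ]
    return "\n".join([
        "id: ticket/new",
        "Queue: " + RT_QUEUE,
        "Subject: " + subject,
        "Text: " + "\n ".join(body),
    ]) + "\n"


def parse_response(body):
    """Return the new ticket id from RT's reply, or None on any error.

    A successful reply looks like 'RT/3.8.8 200 Ok', a blank line, then
    '# Ticket 1234 created.'; an error keeps the status line but no id.
    """
    status = body.split("\n", 1)[0]
    if not status.startswith("RT/") or " 200 " not in status:
        return None
    match = TICKET_RE.search(body)
    return int(match.group(1)) if match else None


def create_ticket(content):
    """POST the ticket to RT and return its id (network call)."""
    form = urllib.parse.urlencode(
        {"user": RT_USER, "pass": RT_PASS, "content": content}).encode()
    with urllib.request.urlopen(RT_URL + "/REST/1.0/ticket/new", form, timeout=15) as resp:
        return parse_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    macros = {name: os.environ.get("NAGIOS_" + name, "") for name in MACRO_NAMES}
    if not should_open(macros):
        sys.exit(0)
    ticket = create_ticket(rt_content(macros))
    print("opened RT ticket %s" % ticket if ticket else "RT did not create a ticket")
    sys.exit(0 if ticket else 1)
```

Only PROBLEM notifications create tickets; RECOVERY notifications and acknowledgements are ignored. Because Nagios repeats a PROBLEM notification every notification_interval, set that interval to 0 for the RT contact (or correlate on the `[nagios] host/service` subject in RT) or each repeat becomes a fresh ticket.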