Computer Incident Response Team as Integral Part of Campus Security

Jan Soukal, Pavel Čeleda, Jan Vykopal (Masaryk University Brno)

The purpose of this presentation is to provide an insight into the operation of a Computer Incident Response Team (CSIRT) that implements and manages ICT security on campuses. The long road from the very beginning to an advanced, operational CSIRT is illustrated by the 5-year evolution of CSIRT-MU, a team accredited by Trusted Introducer and responsible for a large campus network in the Czech Republic. The presentation covers lessons learned, best practices that have been adopted (or abandoned), real-life experience and recommendations relevant to everyone who is considering establishing their own CSIRT.

From traditional to alternative approach to storage and analysis of flow data

Martin Žádník (Brno University of Technology)

Flow data storage and analysis greatly contribute to network administration and security. Data are usually stored either in binary files or in relational databases, and the subsequent analysis operates over the stored chunks of data. This traditional store-and-analyze approach poses certain limits. We present our toolset, based on alternative approaches, to address these limits. The toolset consists of a flow collector, IPFIXcol, which stores received flows in a column-oriented, bitmap-indexed database (FastBit), and a modular analysis framework, Nemea, which enables stream-wise data analysis. The presentation also provides performance results as well as the experience we gained during deployment in a large NREN network. Finally, we discuss next-generation flow data analysis in view of the Big Data concept.

Extended netflow processing with LibNf

Tomáš Podermanski (Brno University of Technology)

The presentation discusses a Perl API for processing the NetFlow data stored by the nfdump collector. Practical use cases of the library are presented together with a speed evaluation and a comparison with other available tools.

Monitoring of Application protocols in 40/100Gb Networks

Viktor Puš (CESNET)

We propose a new concept of 100 Gb/s hardware acceleration for flexible flow-based application level monitoring which we call Software Defined Monitoring. The concept relies on smart monitoring tasks implemented in the software in conjunction with a configurable hardware accelerator. The hardware accelerator is an application-specific processor tailored to stateful flow processing. The monitoring tasks reside in the software and can easily control the level of detail retained by the hardware for each flow. This way the measurement of bulk/uninteresting traffic is offloaded to the hardware while the advanced monitoring over the interesting traffic is performed in the software. The proposed concept allows one to create flexible monitoring systems capable of deep packet inspection at high throughput. Our pilot implementation in FPGA is able to perform a 100 Gb/s flow traffic measurement augmented by a selected application-level protocol parsing.

Measuring Quality and Penetration of IPv6 Services

Matej Gregr (Brno University of Technology)

The aim of this talk is to present our methodology for measuring the penetration and quality of IPv6 adoption among web, mail and DNS service providers. A comparison with similar projects will be presented as well.

Harvesting Logs and Events Using MetaCentrum Virtualization Services

Radoslav Bodó, Daniel Kouřil, Jiří Sitera, Miloš Mulač, Pavel Vondruška (University of West Bohemia)

The talk describes the design and implementation of MetaCentrum's (the Czech NGI's) new security infrastructure service. To implement its everyday procedures, a demand emerged for a central and flexible tool to gather and analyze system logs from hundreds of nodes spread across multiple institutions in the Czech Republic. The selected solution is built on top of existing tools to gather, transfer, store and analyze logs, but we have identified several areas that the current tools do not properly cover. The new service is able to work not only in an automated mode (predefined patterns and alarms) but also in a generic mode: it allows operators or security officers to perform interactive queries and harvest the logs according to their actual needs. The whole storage, indexing and querying infrastructure is operated on top of the MetaCentrum virtualization service. The resources are not dedicated but are allocated on demand from the NGI resource pool.

NIX.CZ platform and SECURE VLAN

Ondřej Filip (CZ.NIC)

The Czech Internet community experienced a series of attacks on its significant information resources in 2013. These attacks were carried through the infrastructure of the Neutral Internet Exchange in the Czech Republic, NIX.CZ. The community (at the NIX.CZ platform) immediately decided to prepare a set of both technical and organizational measures to help and support NIX.CZ members and customers in case of massive infrastructure-based attacks. The talk will give an overview of this process and of the tools that are being prepared.

Customized anomaly detection and analysis tools as a service

Tomáš Košňar (CESNET)

Complex monitoring tools are the key elements that allow us to react fast and effectively, and they help us keep the infrastructure under control even under the pressure of massive network attacks. The talk will give a brief overview of the methods and tools, based on both the large-scale network infrastructure and systematic IP flow-based measurements, that are used in the CESNET Large Infrastructure (the NREN in the Czech Republic) and are available to the user community. With respect to the user community, we are moving to a user-driven and service-based strategy for deploying specific anomaly detection (in cooperation with local administrators), which focuses on the local network and service architecture, administration priorities and local policies.

FPGA accelerated application monitoring in 40 and 100G networks

Petr Kaštovský (INVEA)

The motivation for monitoring network traffic at the application level will be presented to describe the current security challenges in today's computer networks. The capacity, complexity and flexibility of applications and services delivered over networks represent a problem that will be addressed in the second part of the presentation. The key concept is a novel monitoring approach based on FPGA technology, with a focus on deployment in 40G and 100G high-speed backbone networks.

Network traffic monitoring & security – from academic project to commercial product

Petr Špringl (INVEA)

The presentation briefly introduces the way from an academic project focused on hardware acceleration (included in the GEANT2 project) to a successful commercial product used for network traffic monitoring and security in many organizations worldwide.

Large scale passive monitoring at 10Gbps on commodity hardware

Arne Oslebo (UNINETT)

UNINETT has for many years operated a large-scale passive and active monitoring infrastructure. The first generation of probes used specialized hardware for capturing traffic, and most of them operated at 1Gbps. We are now almost finished upgrading the probes so that they can all handle 10Gbps traffic using only commodity hardware. The probes are used for IPFIX monitoring, including DPI for application categorization. To be able to scale this to 10Gbps and a large number of probes, we had to do a thorough evaluation of different open source tools as well as develop some software ourselves. In this presentation we want to give an overview of our solution, show some performance numbers and share the lessons learned in getting it operational.

pncweblib: A library for rapid development of web interfaces for use with the perfSONAR NC framework

Arne Oslebo (UNINETT)

perfSONAR NC is an implementation of the perfSONAR framework. In perfSONAR, historic data is stored in measurement archives. The main advantage of perfSONAR NC compared to regular perfSONAR is that it defines a common data model that is used by all the different types of measurement archives. This makes it possible to create generic tools for querying and retrieving data. pncweblib is a JavaScript library that makes it easy to implement user interfaces for data available through the perfSONAR NC framework. In this presentation we will give an overview of pncweblib and how developers can use it to create relatively advanced interfaces with very little code. We will also give a live demonstration of several web interfaces based on pncweblib that are in production.

Monitoring IPv4 address utilization/depletion in UNINETT

Morten Brekkevold (UNINETT)

At UNINETT, we have been monitoring the rate of campus IPv6 deployment in our research network, using data from our customers’ NAV installations, for several years already. On the other hand, IPv4 addresses are becoming a scarce resource, and we have a limited supply for our customers.

This talk will show how NAV (Network Administration Visualized) provides subnet allocation and utilization information on each campus, and how we have created a NAV API to enable us to collect this information and correlate it with our central registry of IP address delegations. It will also show how the presentation portal we have built helps us gain insight into whether our address delegations are being properly utilized or squandered.

Wifi service in university campuses, performance status and statistics

Koji Okamura (Kyushu University)

Kyushu University, Japan, has 20,000 students and 10,000 faculty and official staff on 5 main campuses, and provides a very fast and stable campus network infrastructure and Wifi service across all campuses through more than 1,000 Wifi access points. We have a Single Sign-On system: every member of Kyushu University can access the campus network, and guests can use the Internet service via Wifi by means of 802.1X and the Wifi APs' dynamic VLAN feature.

802.1X authentication is handled by the RADIUS server, and all authentication data has been recorded since 2007, when the service started. The log data for 2012 is about 30GB and for 2013 about 35GB as text. In my presentation, I will introduce this campus-wide wifi service system and show various analyses of the RADIUS data.
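The kind of analysis a campus security team typically runs over 802.1X RADIUS authentication logs, as an added example that is not part of the talk or of Kyushu University's system: the sample lines are constructed and only loosely modelled on the "Auth:" entries of a FreeRADIUS radius.log (user names, AP names and MAC addresses are invented), and the thresholds for the failed-login burst check are assumptions. The example parses the lines, counts successful logins per user and failures per access point, lists how many distinct client MACs each user appeared from, and flags accounts with a burst of failed logins inside a short window, which is a common indicator of credential guessing against a campus Wifi.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log, loosely modelled on FreeRADIUS "Auth:" lines. Not real data.
SAMPLE_LOG = """\
Mon Mar  3 08:01:12 2014 : Auth: Login OK: [alice] (from client ap-lib-01 port 0 cli 00-11-22-33-44-55)
Mon Mar  3 08:01:40 2014 : Auth: Login incorrect: [bob] (from client ap-lib-01 port 0 cli 66-77-88-99-aa-bb)
Mon Mar  3 08:01:41 2014 : Auth: Login incorrect: [bob] (from client ap-lib-01 port 0 cli 66-77-88-99-aa-bb)
Mon Mar  3 08:01:43 2014 : Auth: Login incorrect: [bob] (from client ap-lib-01 port 0 cli 66-77-88-99-aa-bb)
Mon Mar  3 08:01:45 2014 : Auth: Login incorrect: [bob] (from client ap-lib-01 port 0 cli 66-77-88-99-aa-bb)
Mon Mar  3 08:01:47 2014 : Auth: Login incorrect: [bob] (from client ap-lib-01 port 0 cli 66-77-88-99-aa-bb)
Mon Mar  3 08:05:00 2014 : Auth: Login OK: [carol] (from client ap-eng-07 port 0 cli cc-dd-ee-ff-00-11)
Mon Mar  3 09:30:00 2014 : Auth: Login OK: [alice] (from client ap-eng-07 port 0 cli 22-33-44-55-66-77)
Mon Mar  3 10:00:00 2014 : Auth: Login incorrect: [dave] (from client ap-dorm-02 port 0 cli 88-99-aa-bb-cc-dd)
"""

# One regular expression for the assumed line layout: timestamp, result, user, AP name, client MAC.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) : Auth: "
    r"Login (?P<result>OK|incorrect): \[(?P<user>[^\]]+)\] "
    r"\(from client (?P<client>\S+) port \d+ cli (?P<mac>[0-9a-fA-F-]+)"
)


def parse_auth_log(text):
    """Turn raw log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        # strptime treats the single space in the format as "one or more", so "Mar  3" parses.
        e["ts"] = datetime.strptime(e["ts"], "%a %b %d %H:%M:%S %Y")
        e["mac"] = e["mac"].lower()
        events.append(e)
    return events


def summarize(events):
    """Per-user success counts, per-AP failure counts and the set of MACs seen per user."""
    ok_per_user = Counter()
    fail_per_client = Counter()
    macs_per_user = defaultdict(set)
    for e in events:
        if e["result"] == "OK":
            ok_per_user[e["user"]] += 1
            macs_per_user[e["user"]].add(e["mac"])
        else:
            fail_per_client[e["client"]] += 1
    return {
        "ok_per_user": ok_per_user,
        "fail_per_client": fail_per_client,
        "macs_per_user": dict(macs_per_user),
    }


def failed_login_bursts(events, threshold=5, window_seconds=60):
    """Return (user, count) for users with >= threshold failed logins inside any sliding window.

    threshold and window_seconds are assumed values; tune them to the campus population.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "incorrect":
            failures[e["user"]].append(e["ts"])
    bursts = []
    for user, times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            # Slide the window start forward until it fits inside window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts.append((user, best))
    return sorted(bursts)


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG)
    summary = summarize(evs)
    print("logins per user:", dict(summary["ok_per_user"]))
    print("failures per AP:", dict(summary["fail_per_client"]))
    print("failed-login bursts:", failed_login_bursts(evs))
```

The per-user MAC set is the piece worth keeping an eye on at campus scale: a single account succeeding from many different client MACs within a short period is a better signal for a shared or leaked credential than raw login counts, and it falls out of the same pass over the data.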

The perfSONAR Project at 10 Years: Status and Trajectory

Jason Zurawski (ESnet)

The perfSONAR project was formed to solve the vexing problem of coordinating end-to-end network measurements across different domains. Now 10 years into this effort, there are thousands of deployed instances in nearly 250 domains around the world, and references to the technology in countless funding announcements and scientific writings. This presentation will review the current state of perfSONAR, highlight real-world use cases, and outline future directions.

Configurable device discovery based on SNMP

Slavko Gajin (University of Belgrade)

A device database is the core element of any network monitoring and management tool. Automatic discovery of network devices using SNMP is a widely accepted technique that saves initial setup time and increases data accuracy and consistency. However, most tools, whether free or commercial, populate the database with a predefined set of device attributes, such as device name, interface name, description, IP address, MAC address, etc. Only vendor-specific commercial software is able to collect other details based on vendor-specific SNMP OIDs, such as hardware modules, cards, CPU, memory, sensors and so on.

The presentation will demonstrate a novel approach to network device discovery, which allows users to configure their own device model (by device and sub-device types and their attributes) and the rules used to automatically discover devices and populate the inventory database. The advantage of this approach will be demonstrated through several use case scenarios and through integration with other network monitoring modules: MIB browser, Syslog and NetFlow analyzer.
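To make the idea of a user-configurable device model concrete, here is an added example that is not the presented tool and not code from the University of Belgrade project. The device model is a plain data structure: base attributes mapped to MIB-II OIDs, type rules matched against the sysObjectID prefix, and per-type sub-device tables (interfaces from ifTable, hardware modules from the ENTITY-MIB entPhysicalTable) whose columns the user can extend. The SNMP agent is simulated by an in-memory dict of OID to value, standing in for GET/GETNEXT over the network; its sysDescr, sysName, interface and module values are constructed, the sysObjectID under the Cisco enterprise arc is a placeholder rather than a real product ID, and the enterprise-prefix rule is an assumption used only to show how a rule selects a type.

```python
from collections import defaultdict

SYS_OBJECT_ID = "1.3.6.1.2.1.1.2.0"

# Constructed in-memory "agent": OID -> value. Stands in for real SNMP GET/GETNEXT.
# sysObjectID value is a placeholder under the Cisco enterprise arc, not a real product ID.
FAKE_AGENT = {
    "1.3.6.1.2.1.1.1.0": "constructed switch sysDescr",        # sysDescr
    SYS_OBJECT_ID: "1.3.6.1.4.1.9.1.99999",                    # sysObjectID (placeholder)
    "1.3.6.1.2.1.1.5.0": "sw-core-01",                         # sysName
    "1.3.6.1.2.1.2.2.1.2.1": "GigabitEthernet0/1",             # ifDescr.1
    "1.3.6.1.2.1.2.2.1.2.2": "GigabitEthernet0/2",             # ifDescr.2
    "1.3.6.1.2.1.2.2.1.6.1": "00:11:22:33:44:01",              # ifPhysAddress.1
    "1.3.6.1.2.1.2.2.1.6.2": "00:11:22:33:44:02",              # ifPhysAddress.2
    "1.3.6.1.2.1.2.2.1.8.1": 1,                                # ifOperStatus.1 (up)
    "1.3.6.1.2.1.2.2.1.8.2": 2,                                # ifOperStatus.2 (down)
    "1.3.6.1.2.1.47.1.1.1.1.2.1": "chassis (constructed)",     # entPhysicalDescr.1
    "1.3.6.1.2.1.47.1.1.1.1.2.2": "power supply (constructed)",# entPhysicalDescr.2
}

# Sub-device tables any device type may use; the user can add columns (e.g. ifSpeed ".5").
INTERFACE_TABLE = {"table": "1.3.6.1.2.1.2.2.1",
                   "columns": {"name": "2", "mac": "6", "oper_status": "8"}}
MODULE_TABLE = {"table": "1.3.6.1.2.1.47.1.1.1.1",
                "columns": {"description": "2"}}

# User-configurable device model: base attributes, type rules (first match wins), sub-devices.
DEVICE_MODEL = {
    "base_attributes": {"name": "1.3.6.1.2.1.1.5.0", "description": "1.3.6.1.2.1.1.1.0"},
    "type_rules": [
        # Assumed rule: anything under the Cisco enterprise arc is modelled as a switch
        # with both interface and hardware-module sub-devices.
        {"prefix": "1.3.6.1.4.1.9.", "type": "switch",
         "sub_devices": {"interface": INTERFACE_TABLE, "module": MODULE_TABLE}},
        # Fallback: an empty prefix matches every sysObjectID.
        {"prefix": "", "type": "generic",
         "sub_devices": {"interface": INTERFACE_TABLE}},
    ],
}


def snmp_get(agent, oid):
    """Simulated SNMP GET."""
    return agent.get(oid)


def snmp_walk(agent, column_oid):
    """Simulated SNMP walk of one table column: yields (row_index, value) in OID order."""
    prefix = column_oid + "."
    rows = [(oid[len(prefix):], value) for oid, value in agent.items() if oid.startswith(prefix)]
    # Sort numerically on the row index so multi-component indexes order correctly.
    rows.sort(key=lambda r: tuple(int(p) for p in r[0].split(".")))
    return rows


def discover(agent, model):
    """Apply the configurable model to one agent and return an inventory record."""
    inventory = {attr: snmp_get(agent, oid) for attr, oid in model["base_attributes"].items()}
    sys_object_id = snmp_get(agent, SYS_OBJECT_ID) or ""
    rule = next(r for r in model["type_rules"] if sys_object_id.startswith(r["prefix"]))
    inventory["type"] = rule["type"]
    inventory["sub_devices"] = {}
    for kind, spec in rule["sub_devices"].items():
        rows = defaultdict(dict)
        for attr, column in spec["columns"].items():
            for index, value in snmp_walk(agent, f"{spec['table']}.{column}"):
                rows[index][attr] = value
        inventory["sub_devices"][kind] = dict(rows)
    return inventory


if __name__ == "__main__":
    import json
    print(json.dumps(discover(FAKE_AGENT, DEVICE_MODEL), indent=2))
```

Replacing `snmp_get` and `snmp_walk` with a real SNMP client (with SNMPv3 authentication and privacy rather than community strings, since the inventory doubles as a map of the network) is the only change needed to run the same model against live equipment; the model itself stays data, which is what lets operators extend it without touching code.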

Teaming network operation complexity with change detection, inventory and automated deployment

Jean Benoit (University of Strasbourg)

Network administrators often have to cope with consistency and stability problems when operating a campus-wide network. A structured approach is required to organize the smooth running and maximal availability of network infrastructures. Implementing three specific practices in a combined way brings a decisive quality improvement to the network. Change monitoring increases visibility for network administrators, allows them to understand the origin of network malfunctions, and lets them notice any unplanned configuration change. A minimalist approach to referential data store management provides essential building blocks, on top of which a large range of monitoring and task-automation applications can be built. Finally, being able to deploy network components on bare-bones equipment in a reproducible and automated way makes testing easier and increases the confidence administrators have in their network infrastructure.

New Approach to Recognition of VoIP Attacks from Honeypots

Miroslav Vozňák, Jakub Šafařík (CESNET)

The paper deals with a proposed algorithm used as a classifier of attacks in a distributed monitoring network of independent honeypot probes. Information about attacks on these honeypots is collected on a centralized server and then classified by a multilayer perceptron neural network. The article describes the inner structure of the neural network used and also gives information about its implementation. The learning set for this neural network is based on real attack data collected from the Dionaea honeypot.

Log Analysis using Open Source Scalable Systems

Gurvinder Singh (UNINETT)

At UNINETT we have log data coming from different sources, such as SIP communications, DNS records, Feide (single sign-on) and mail servers. Until recently, analyzing the data from these different sources was really hard and not scalable. Therefore we started to look into current open source software for analyzing logs. We required a system that can scale horizontally to terabytes of logs, and we found logstash, elasticsearch and kibana to be a viable solution. The results look promising and we are now putting the system into production. This talk will cover the log system architecture and its various components, and include a short demo of some concrete use cases for log analysis.


Jochen Schoenfelder (DFN-CERT)

In response to the high impact of, and attention to, DDoS attacks, an open source detection and analysis tool has been in constant development at DFN over the last few years. In contrast to other existing tools, NeMo-DDoS has been developed with the special needs of a large NREN in mind. Key features are: automatic network modeling, semi-automatic configuration, maintaining the data privacy of users, using limited measurement and sampled NetFlow data as well as SNMP data as input, automatic alerting in attack cases, low maintenance under normal conditions, and extensive analysis tools in the case of an attack. The presentation provides a short overview of the software base. If there is interest, more in-depth details and demonstrations may be shown.
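Several of the abstracts above (the Nemea stream-wise analysis, the CESNET flow-based anomaly detection service and NeMo-DDoS) share one core mechanism: folding sampled NetFlow records into per-destination counters per time bin and alerting when a destination's rate and source spread cross a threshold. The example below shows that mechanism in a few dozen lines; it is added here and is not code from any of the presented tools. The flow records, the 1-in-100 sampling rate, the bin size and the alert thresholds are all constructed or assumed. It also shows the privacy point NeMo-DDoS mentions: the alert reports attacking sources only as /24 prefixes, so an operator sees where a flood came from without the tool retaining per-host identities.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

SAMPLING_RATE = 100  # assumed: exporter does 1-in-100 packet sampling


@dataclass
class Flow:
    """One exported flow record (sampled counts, as the exporter would send them)."""
    ts: int       # flow start, seconds (constructed epoch-like values)
    src: str
    dst: str
    proto: int    # 6 = TCP, 17 = UDP
    dport: int
    packets: int  # sampled packet count as exported
    bytes: int


def build_sample_flows():
    """Constructed flow set: 30 s of normal HTTPS traffic, then a 10 s UDP flood to one host."""
    flows = []
    for i in range(6):
        flows.append(Flow(1000 + i * 5, f"10.1.{i}.{i + 1}", "192.0.2.10", 6, 443, 20, 30000))
    for i in range(50):
        flows.append(Flow(1030 + (i % 10), f"198.51.100.{i + 1}", "192.0.2.20", 17, 53, 40, 4000))
    return flows


def aggregate_by_bin(flows, bin_seconds=10, sampling_rate=SAMPLING_RATE):
    """Stream-wise aggregation: each flow updates one (bin, dst) counter and is then dropped.

    Counts are scaled by the sampling rate to estimate the real packet and byte volume.
    """
    bins = defaultdict(lambda: {"packets": 0, "bytes": 0, "sources": set()})
    for f in flows:
        key = (f.ts // bin_seconds * bin_seconds, f.dst)
        agg = bins[key]
        agg["packets"] += f.packets * sampling_rate
        agg["bytes"] += f.bytes * sampling_rate
        agg["sources"].add(f.src)
    return bins


def anonymize_sources(sources):
    """Report sources as /24 prefixes only, keeping per-host identities out of the alert."""
    return sorted({str(ipaddress.ip_network(f"{s}/24", strict=False)) for s in sources})


def detect(bins, bin_seconds=10, pps_threshold=10000, min_sources=20):
    """Alert when a destination sees both a high packet rate and many distinct sources.

    Thresholds are assumed values; a production tool derives them per network model.
    """
    alerts = []
    for (start, dst), agg in sorted(bins.items()):
        pps = agg["packets"] / bin_seconds
        if pps >= pps_threshold and len(agg["sources"]) >= min_sources:
            alerts.append({
                "bin_start": start,
                "dst": dst,
                "pps": pps,
                "mbps": agg["bytes"] * 8 / bin_seconds / 1e6,
                "sources": len(agg["sources"]),
                "source_prefixes": anonymize_sources(agg["sources"]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(aggregate_by_bin(build_sample_flows())):
        print(alert)
```

Requiring both conditions (rate and source spread) is what keeps a single busy backup transfer from paging anyone, while a flood from many sources toward one host in a 10-second bin still fires; the same two counters per destination are all the state the detector keeps between bins, which is what makes the stream-wise approach cheap at NREN scale.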

Last change: 23.4.2014