Program CNMS2016

Invitation talks in the sessions of CNMS2016


8.45 – 9.00 Registration
9.00 – 9.20 Opening  Jari Miettinen – FUNET –  GN4-1 NA3T2 task leader


Chair: Jiří Navrátil – CESNET


9.20 – 9.40 A.Oslebo The challenges of deploying and operating a large scale distributed IDS in an academic network


9.40 – 10.00 A. Kropáčová Collecting and processing of data from security tools in CESNET


10.00 – 10.20 V.Bartoš Reputation Shield


10.20 – 10.40 Cafe break
10.40 – 11.00 L.Mwansa Monitoring security incidents versus Privacy Rights (remotely via VC)


11.00 – 11.20 M.Kukoleča Securing Linux servers


11.20 – 11.40 K.Okamura Cybersecurity Training with Cyber Range


11.40 – 12.00 V. Bidikov Integration of custom built services (firewall, monitoring, software deployment) in the FCSE network
12.00 – 13.00 Lunch
13.00 – 13.20 J.Benoit Forensics Analysis and incident handling


13.20 – 13.40 A. Kane Case study: Network Behavior Analysis as a Service at GÉANT – project NSHaR


13.40 – 14.00 M. Eremija Monitoring of RADIUS infrastructure


14.00 – 14.20 A. Oslebo Low cost WiFi monitoring probes


14.20 – 14.40 Cafe break
14.40 – 15.00 M.Grégr Basic L2, L3 Security at the Campus Network


15.00 – 15.20 T. Podermanski Tutorial to Build Own Application for Processing nfdump Data


15.20 – 15.40 P. Kislinger Building Open High-Speed Aggregation Router


15.40 – 16.00 V. Puš Monitoring at 100 Gbps, outlooks for 400 Gbps


19.00 – 21.00 Working Dinner (raut style in open air)


Methods and Concepts

“The challenges of deploying and operating a large scale distributed IDS in an academic network“

Arne Oslebo (Uninnet)

UNINETT has for many years operated a large scale passive monitoring infrastructure. 30 probes monitor the main access links into most Universities and Colleges in Norway. A new pilot service on some of these probes based on the Suricata network intrusion detection systém and the service will soon be put into full production. In this presentation we will give an overview of the technical solutions behind the new service.

“Collecting and processing of data from security tools in CESNET“

Andrea Kropáčová (CESNET)

CESNET does a lot to secure its e-infrastructure, especially in area of network monitoring and detecting security events and anomalies. This presentation will show how it is possible to efficiently work with a large amount of information generated from many security tools. We introduce systems Warden and Mentat, systems for the efficient collection, processing and sharing information on detected security incidents in the CESNET2 network.

“Reputation Shield”

Václav Bartoš (CESNET)

Network operators often operate various monitoring tools which are able to detect diverse security incidents. Project Reputation Shield aims at gathering reports from large amount of such detectors deployed in different networks.

“Securing Linux servers”

Miloš Kukoleča (AMRES)
Linux is popular choice for an operating system in a server environment. The granularity and flexibility of settings, high performance, reliability and security are some of its comparative advantages over other operating systems. The vast majority of services that academic institutions provide to their users are hosted on servers running the Linux operating system. Due to infrastructure limitations, one sever often hosts several services, which adds to the challenge of protecting the Linux server. System administrators are expected to protect the server from potentially malicious activities that could jeopardise or compromise the provision of services. However, the protection of a Linux server is not a one-time effort, but a lasting process that continues as long as the server is in use.

“Cybersecuriy Training with Cyber Range”

Koji Okamura (Kyushu University)
Kyushu university will start the class using Cyber Range from the autumn 2016. The system has developed in Sypris Solutions in USA. In this talk, the system and training using Cyber Range are introduced.

“Monitoring security incidents versus Privacy Rights”

Laban Mwansa Jorge Carrillo, Cape Peninsula University of Technology

Network monitoring of security events and incidents is essential in or order to maintain network security. Intrusion detection is the process of monitoring the events occurring in a computer system or network and analysing them for signs of possible incidents, which are violations or imminent threats of violation of computer security policies, acceptable use policies, or standard security practices.

In this presentation we will discuss the challenges faced by many organizations to mitigate when monitoring security incidents crosses individual or users privacy rights as in most countries the right to privacy is constitutionally guaranteed as a human right.


Tools, applications and experiences

“Building Open High-Speed Aggregation Router”

Pavel Kislinger, CVIS – BUT Brno

The aggregation router is one of the essential component of the network. It provides connection between Internet network and campus network and typically also provides additional services like firewall, network address translation of traffic engineering. In the presentation the approach to build 10Gb/s or 40Gb/s router on the commodity hardware and opensource software.

“Tutorial to Build Own Application for Processing nfdump Data” 

Tomas Podermanski, BUT Brno

The presentation describes and shows step by step how to build own application for processing nfdump netflow data using library. During the presentation the simple DDoS detector will be coded and tested on the real network traffic.

“Monitoring of RADIUS infrastructure”

Marko Eremija, AMRES

The solution presented has been developed within the eduroam service of the Academic Network of Republic of Serbia (AMRES). The eduroam authentication infrastructure requires a suitable monitoring system, which enables testing the functionalities of all the RADIUS servers this service comprises. The monitoring system has been designed to provide a sufficiently detailed insight into the state of the RADIUS infrastructure, while not infringing upon user privacy as required under the eduroam policy. The monitoring of the infrastructure of the RADIUS-based server on the AMRES network is conducted to check the availability of RADIUS servers through the network, as well as to establish whether the RADIUS servers are processing client authentication requests in the appropriate manner.

“Integration of custom built services (firewall, monitoring, software deployment) in the FCSE network”
Vladislav Bidikov, St.Cyril and Methodius University Skopje

In this presentation, we will show how we have integrated several of our services (firewall, monitoring of students computers, students workstation deployment) into a single system.
The practical example will show some of the implementation challenges as well as some of the problems with regular usage of the services from faculty staff.
Some of these experiences will present how services need to change and adapt in order to better suite the end users.
Traffic Analysis, Reporting of Anomalies or Incidents

 “Forensics Analysis and incident handling”

Jean BENOIT, Strasburg University & Aleš PADRTA, CESNET

The presentation is focused on forensic analysis utilisation in the incident response procedure. The basic principles and practical issues will be discussed. The provided information is based on daily practice at CERT OSIRIS from Strasbourg University and CESNET forensic laboratory (FLAB) as a part of CESNET-CERTS. More details will be available in a Campus Best Practice document.

“Case study: Network Behavior Analysys as a Service at GÉANT – project NSHaRP”

Artur Kane, Flowmon evangelist

Attacks lead over academic organizations with an aim to cut the off the internet, infiltrate into protected systems or malware earning money for their creators – these are the current cyber threats. Many of these malicious activities can be detected and responded to on a level of ISP/Carrier who has the necessary knowledge to protect their customers centrally. Network Behavior Analysis as a service for European NREN’s ran by GÉANT as a part of project NSHaRP is a service, based on technologies of Flowmon Networks, which automatically reports to GÉANT’s customers on organizations that spread malware, attacks or SPAM.

“Basic L2, L3 Security at the Campus Network”

Matěj Grégr, FIT BUT Brno

Talk describes the basic security concepts and techniques that should never be avoided when the campus network security is implemented.


Monitoring on new generation of networks

“Monitoring at 100 Gbps, outlooks for 400 Gbps”

Viktor Puš, CESNET

The presentation will outline technical challenges of network security monitoring in the world of 100 Gbps Ethernet. New challenges associated to the upcoming 400 Gbps Ethernet standard will be presented as well, with some suggested approaches.

“Low cost WiFi monitoring probes”

Arne Oslebo, Uninnet

WiFi is now the most common method for end users to connect to the Internet. UNINETT has experimented with cheap probes based on Raspberry Pi that costs around 80 EUR. The probes can monitor many different metrics for easy detection and troubleshooting of different wireless problems. In this presentation we will give a description of the hardware and the software that runs on the probes. We will show some measurements results and discuss future work.

Tools for Security Analysis of Traffic on L7 – Practical course


The workshop will be divided into three parts – hands-on tutorial and practical exercise.

The course takes place at the CTU in Prague, Faculty of Architecture, 3. floor, Room: T9:350

Detailed information about practical course

9:00 – 11:30 Introductory lessons and hands-on tutorial on flow-based detection of current threats
11:30 – 12:30 Lunch
12:30 – 14:45 Practical analysis of real traffic traces to find DDoS and other attacks
14:45 – 15:00 Break
15:00 – 16:20 Creating your own flow data analyzer

Introductory lessons and hands-on tutorial on flow-based detection of current threats

The morning session will present theoretical background of network traffic monitoring and introduce tools for both classic as well as L7-extedned flow data analysis. The session will be held as a hands-on tutorial. Attendees will be guided through all phases of network monitoring – export, storage and processing of flow data, with focus on processing aimed at detection of various kinds of security incidents, such as (D)DOS attacks, port scanning, or attacks on VOIP infrastructure. Main tools used include open-source collector IPFIXcol, accompanied tool for processing stored flow data fbitdump, and a framework for stream-wise flow data analysis NEMEA. Attendees will learn to install, configure and use all these tools.


Practical analysis of real traffic traces to find DDoS and other attacks

In the afternoon session, attendees will use the skills from the morning session in more practical way. The session will be focused on data analysis using two different ways – manual ex-post analysis of stored flow data using fbitdump and configuration of automatic online analysis using the NEMEA system. The tasks will include detection and analysis of a DDoS attack, finding hosts communicating with a botnet C&C server, detect dictionary attacks on SSH, etc. There will also be some tasks related to analysis of L7 data, e.g. detection of SQL injection attempts or DNS tunneling.


Creating your own flow data analyzer

The last session will teach attendees how to extend the NEMEA system with new analysis modules, e.g. to detect a new threat. Using the NEMEA framework with prepared source code templates in C and Python, it is fast and easy to create a new module and to insert it into the running system. This session is recommended for attendees with at least basic programming skills.

Last change: 4.5.2016