Development of services for analysis and prevention of incidents in RENAM network

Alexandr Golubev ([email protected]), Alexei Altuhov ([email protected])

RENAM Association

Warsaw workshop, September 28, 2007

Warsaw Conference and training, September 25-29, 2007.



2

Secure and reliable network operation

Raising the level of security of RENAM network operation and of the protection of system and user information:

Implementation of security technologies

Organizational measures

3

CERT common services

The essential function required to call yourself a CSIRT

May consist of any or all of:

• Incident prevention

• Incident detection

• Incident analysis

» Forensic evidence collection

» Tracing or tracking

• Incident post-processing

4

CERT Web Site

5

Components of CERT-MD

CERT Server

Monitoring System

CERT Statistics

Ticketing System

Users FAQ

6

Ticketing system

We have installed and configured RT – Request Tracker

7

Ticketing system problems

The mail dispatcher is not configured properly

Incidents are currently entered manually by CERT officers

The design and usability are poor
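As an added example (not part of the original slides and not CERT-MD's actual configuration), this is the standard way to feed incoming incident mail into RT so that tickets are created automatically instead of being entered by hand: mail aliases that pipe each message to rt-mailgate, which submits it to RT's mail gateway over HTTP. The alias names, the queue name `incidents`, the install path /opt/rt3 and the URL http://rt.example.com/ are placeholders for this example.

```conf
# /etc/aliases on the mail host (sendmail/Postfix).
# Placeholder values: queue "incidents", RT installed under /opt/rt3,
# RT web interface at http://rt.example.com/ (none of these are CERT-MD's real values).
#
# Mail to incidents@... becomes a new ticket (or correspondence on an existing
# ticket when the subject carries the [rt.example.com #NNN] tag).
incidents:         "|/opt/rt3/bin/rt-mailgate --queue incidents --action correspond --url http://rt.example.com/"
# Mail to incidents-comment@... is attached as an internal comment, not sent to the requestor.
incidents-comment: "|/opt/rt3/bin/rt-mailgate --queue incidents --action comment --url http://rt.example.com/"
```

Run `newaliases` after editing the file. Two checks a practitioner would want: the URL must be reachable from the mail host (rt-mailgate posts the message to RT over HTTP, so a wrong or unreachable `--url` is the usual reason mail silently fails to become tickets), and the mail-gateway URL accepts submissions without RT authentication, so access to it should be restricted in the web server to the mail host.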

8

Monitoring

Various systems based on the ICMP and SNMP protocols are used for network monitoring.

Many existing systems can help monitor the network. Our CERT uses the following two:

• Nagios

• NetIIS

9

Nagios

The main problem is organizing the dynamic collection of the IP addresses in the RENAM network, i.e. keeping the list of hosts that Nagios monitors up to date.
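One way to collect the monitored addresses dynamically, added here as an example (this is not RENAM's or CERT-MD's code): take the host list from the RENAM DNS zone (for instance the output of a zone transfer) and generate the Nagios host definitions from it, instead of maintaining hosts.cfg by hand. The zone dump below is constructed with RFC 5737 documentation addresses, and the allowed network 192.0.2.0/24 is an assumption standing in for RENAM's real address space.

```python
"""Render Nagios host definitions from a DNS zone dump.

Added example, not RENAM's or CERT-MD's code. Assumes the host list comes
from a zone transfer of the RENAM zone (e.g. `dig AXFR renam.md @ns`).
The zone lines and the allowed network below are constructed sample data.
"""
import ipaddress
import re

# Constructed sample: what a zone transfer prints, one resource record per line.
ZONE_DUMP = """\
renam.md.              3600 IN SOA  ns.renam.md. hostmaster.renam.md. 1 7200 3600 1209600 3600
cert.renam.md.         3600 IN A    192.0.2.10
www.renam.md.          3600 IN A    192.0.2.20
mail.renam.md.         3600 IN A    192.0.2.30
cert.renam.md.         3600 IN A    192.0.2.10
old.renam.md.          3600 IN A    999.1.1.1
ext.renam.md.          3600 IN A    198.51.100.5
ftp.renam.md.          3600 IN CNAME www.renam.md.
"""

# Only A records are of interest: "<name>. <ttl> IN A <ipv4>".
A_RECORD = re.compile(r"^(\S+)\.\s+\d+\s+IN\s+A\s+(\S+)$")


def collect_hosts(zone_text, allowed_nets=("192.0.2.0/24",)):
    """Return a sorted list of (host_name, address) pairs from the A records.

    Only addresses inside `allowed_nets` are kept, so a stray, stale or
    spoofed record cannot make Nagios probe hosts outside the network.
    Malformed addresses are skipped and duplicate records are collapsed.
    """
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hosts = {}
    for line in zone_text.splitlines():
        m = A_RECORD.match(line.strip())
        if not m:
            continue
        name, addr = m.groups()
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # not a valid address; leave it out rather than break the config
        if not any(ip in net for net in nets):
            continue  # outside the network we are responsible for
        hosts[name] = str(ip)
    return sorted(hosts.items())


def render_nagios_hosts(hosts, template="generic-host"):
    """Render one `define host` object per (name, address) pair."""
    blocks = []
    for name, addr in hosts:
        blocks.append(
            "define host {\n"
            f"    use        {template}\n"
            f"    host_name  {name}\n"
            f"    alias      {name}\n"
            f"    address    {addr}\n"
            "}\n"
        )
    return "".join(blocks)


def build_config(zone_text, allowed_nets=("192.0.2.0/24",)):
    """Zone dump in, Nagios host configuration text out."""
    return render_nagios_hosts(collect_hosts(zone_text, allowed_nets))


if __name__ == "__main__":
    # Write the result to a file included from nagios.cfg and reload Nagios.
    print(build_config(ZONE_DUMP))
```

The generated file is included from nagios.cfg with a `cfg_file=` line and Nagios is reloaded after each regeneration; running the script from cron (or whenever the zone serial changes) turns the static host list into a dynamic one. Filtering against the allowed networks matters more than it looks: anyone who can insert a record into the zone would otherwise be able to point the CERT's monitoring at arbitrary hosts.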

10

NetIIS

Because NetIIS requires considerable resources (more than 2 GB of RAM and a CPU faster than 2 GHz), we in Moldova are not able to install it on our CERT server

NetIIS is not as popular as Nagios, so there is much less documentation for it

11

Statistics

• General statistics available to every user

• Statistics of incidents per month, grouped by type

• Statistics of incidents resolved (handled) by each CERT officer, for analyzing the work of every CERT officer

A separate SOAP service should also provide the daily and monthly statistics for publication on other sites and in the press
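The three statistics above differ in who may see them: the per-month, per-type counts and the daily summary are public, while the per-officer figures are for administrators. The following added example (not CERT-MD's code) computes all three from a constructed export of incident records; it assumes each record carries the date opened, the date resolved (or none), an incident type and the handling officer, which is what a ticketing system like RT can export.

```python
"""Incident statistics for the public and administrator statistics pages.

Added example, not CERT-MD's code. The incident records below are
constructed; in practice they would be exported from the ticketing system.
"""
from collections import Counter, defaultdict
from datetime import date

# Constructed sample export (id, type, opened, resolved, handling officer).
INCIDENTS = [
    {"id": 1, "type": "scan", "opened": date(2007, 8, 3), "resolved": date(2007, 8, 4), "officer": "golubev"},
    {"id": 2, "type": "spam", "opened": date(2007, 8, 10), "resolved": date(2007, 8, 10), "officer": "altuhov"},
    {"id": 3, "type": "malware", "opened": date(2007, 8, 21), "resolved": None, "officer": "golubev"},
    {"id": 4, "type": "scan", "opened": date(2007, 9, 2), "resolved": date(2007, 9, 5), "officer": "altuhov"},
    {"id": 5, "type": "scan", "opened": date(2007, 9, 14), "resolved": date(2007, 9, 14), "officer": "golubev"},
    {"id": 6, "type": "spam", "opened": date(2007, 9, 20), "resolved": None, "officer": None},
]


def monthly_by_type(incidents):
    """Public statistic: {'YYYY-MM': {type: count}}, by the month the incident was opened."""
    out = defaultdict(Counter)
    for inc in incidents:
        out[inc["opened"].strftime("%Y-%m")][inc["type"]] += 1
    return {month: dict(counts) for month, counts in sorted(out.items())}


def resolved_by_officer(incidents):
    """Administrator statistic: per officer, how many tickets were resolved,
    how many are still open, and the average handling time in days.

    Unassigned tickets (officer is None) are not attributed to anyone.
    """
    work = defaultdict(lambda: {"resolved": 0, "open": 0, "total_days": 0})
    for inc in incidents:
        officer = inc["officer"]
        if officer is None:
            continue
        w = work[officer]
        if inc["resolved"] is None:
            w["open"] += 1
        else:
            w["resolved"] += 1
            w["total_days"] += (inc["resolved"] - inc["opened"]).days
    result = {}
    for officer, w in sorted(work.items()):
        avg = w["total_days"] / w["resolved"] if w["resolved"] else 0.0
        result[officer] = {"resolved": w["resolved"], "open": w["open"], "avg_days": avg}
    return result


def daily_summary(incidents, day_iso):
    """Feed for the external (e.g. SOAP) service: counts for one day (ISO date string).

    Deliberately carries no officer names and no ticket details, since this
    view is published outside the CERT.
    """
    day = date.fromisoformat(day_iso)
    opened = sum(1 for inc in incidents if inc["opened"] == day)
    resolved = sum(1 for inc in incidents if inc["resolved"] == day)
    return {"date": day_iso, "opened": opened, "resolved": resolved}


if __name__ == "__main__":
    print(monthly_by_type(INCIDENTS))
    print(resolved_by_officer(INCIDENTS))
    print(daily_summary(INCIDENTS, "2007-09-14"))
```

Keeping the public and administrator views as separate functions, rather than filtering one full result on the web page, is what makes it easy to guarantee that the externally published feed never contains officer workload or per-ticket data.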

12

Statistics

13

RENAM Administrator services

• Forum

• Ticketing System

• Editing FAQ

• Incident form

• Full statistics

14

User Services

• FAQ

• Forum

• Links

• Contacts

• Statistics

• Simple Incident form

15

Collecting incidents

• Monitoring of the network and recording of suspicious segments or actions in it.

• A user reports an incident in his part of the network himself; after the report has been processed by a CERT officer it is considered an incident.

• Information about an incident can be received from another CERT, because CERT systems and teams must exchange information about incidents.

16

How to inform us about an incident?

A user or administrator can submit an incident by:

• Submitting the incident on the MD-CERT web site: http://cert.renam.md, http://cert.acad.md or http://www.cert.md;

• Sending the report by fax or phone;

• Sending the report by email;

• Sending information about the incident by other means.

17

Contact Us page

18

MD-CERT Forum

19

Communication with other CERT

RENAM users and administrators have the highest priority in the analysis and resolution of incidents, but all Internet users from Moldova and from other countries can use the CERT services of the RENAM Association to resolve incidents in their network segments.

MD-CERT is open for communication and cooperation with other CERT teams from Moldova and other countries.

20

Conclusions and problems

The CERT in Moldova collects incidents, but there are no real incidents

The organizational measures for developing the CERT in Moldova are too weak

There is no backup system at MD-CERT at this time

21

What does MD-CERT need?

More practical training; for example, it would be very useful to have training on advanced RT and RTIR configuration and on connecting one of the monitoring systems to RT

More software: monitoring systems, ticketing systems, etc.

Some instructions/documentation for incident resolution