On Fri, 21 Feb 2003, Martin Hannigan wrote:
But what would you do with the information?
Let the noc know what's up so they can be more vigilant based on the threat level.
I'm not trying to be sarcastic, because lots of people have been going through these same conversations. "Threat level" is different from an attack. Isn't your NOC normally vigilant? If the DHS lowered the threat level to "Green" would you stop monitoring your network just because the government says there is no more threat? Do you have more or fewer people on duty in your NOC as the government threat level goes up or down watching the big TV screens?
Perhaps even use different sets of ACL's on the edge, etc. It could also be used to explain an unexpected surge in traffic, calls, or other things. Ever look at some traffic stats and see a major surge and want to make sure you understand why?
Again wouldn't you also do all of these things "normally?" If an ACL is a good idea at "Orange" wouldn't you protect your network with those ACL's when the level is "Yellow." Or would you remove those ACL's when the threat level is reduced. How would you explain to your management when you are hacked at level "Yellow" you had better ACL's, but you only used the good ACL's at level "Orange."
I'd take it serious and consider NBC as well as "cyberAttacks".
Secretary Ridge has said to keep the plastic sheets and duct tape in storage. Don't start sealing your house (or NOC) yet. The FEMA/Red Cross preparedness recommendations are a good idea regardless of the alert level.
Okay, I'll bite... --- Sean Donelan <sean@donelan.com> wrote:
On Fri, 21 Feb 2003, Martin Hannigan wrote:
Isn't your NOC normally vigilant?
Of course.
Perhaps even use different sets of ACL's on the edge, etc. It could also be used to explain an unexpected surge in traffic, calls, or other things. Ever look at some traffic stats and see a major surge and want to make sure you understand why?
Again wouldn't you also do all of these things "normally?" If an ACL is a good idea at "Orange" wouldn't you protect your network with those ACL's when the level is "Yellow." Or would you remove those ACL's when the threat level is reduced. How would you explain to your management when you are hacked at level "Yellow" you had better ACL's, but you only used the good ACL's at level "Orange."
Well, an example could be "if threat level is yellow, permit traffic from $foreign_country_x, but if it goes to orange, deny all from $foreign_country_x, or perhaps log all from there." I know that there are certain ISPs which deny all mail traffic from certain ASes, because of the volume of Spam. The same principle could be at work here: if (threat_level++) then deny(unknown_from_Source[nasty]) else permit. -David Barak fully RFC 1925 compliant
David, what does "from" mean in your "rules"?
With .cc at the end? But there are very many places with addresses in TLDs and ccTLDs other than the geographical location.
Passing through an AS known to be in a given location?
Peter
Peter, I didn't say that I did that, only that I know that there are networks which deny all mail traffic from certain ASes and/or TLDs on a fairly regular basis. Personally I don't have a problem with .cc. I would say that for a US operator to respond to a threat by enabling additional, temporary logging/monitoring of specific ports would not be unreasonable. Denying all traffic is a bit harsh, especially from a paying customer, but I could understand watching them really closely. Public peers, on the other hand, might get a different sort of treatment entirely... The only reason this makes any sense at all is that most networks are basically OK most of the time, so the rest of your network can probably spare a little bit of attention for a short period of time. If it were forever, then that solution wouldn't work. -David Barak fully RFC 1925 compliant --- Peter Salus <peter@matrix.net> wrote:
David, what does "from" mean in your "rules"?
with .cc at the end? But there are very many places with addresses in TLDs and ccTLDs other than the geographical location.
passing through an AS known to be in a given location?
Peter
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of David Barak
Well, an example could be "if threat level is yellow, permit traffic from $foreign_country_x, but if it goes to orange, deny all from $foreign_country_x, or perhaps log all from there."
Um, you're not really serious, are you? Are you worried about some cell being activated by sending a packet through your servers? I can't think of one useful purpose to do something like that. Jeff
On Fri, Feb 21, 2003 at 12:21:04PM -0500, Sean Donelan wrote:
On Fri, 21 Feb 2003, Martin Hannigan wrote:
But what would you do with the information?
Let the noc know what's up so they can be more vigilant based on the threat level.
I'm not trying to be sarcastic, because lots of people have been going through these same conversations.
Not a problem.
"Threat level" is different from an attack.
Pearl Harbor.
Isn't your NOC normally vigilant? If the DHS lowered the threat level to "Green" would you stop monitoring your network just because the government says there is no more threat? Do you have more or fewer people on duty in your NOC as the government threat level goes up or down watching the big TV screens?
The NOC is always vigilant. Based on different threat levels I think it's prudent and realistic to examine different staffing strategies, different views of alarms and data, potentially different reactions, engaging LEA's on issues you may not normally engage on, etc. Example: DHS sets RED level. Reaction: Move some third level engineers into the SOC. Audit the DR plan if it's not on schedule to be audited. Audit the backup plans if not on schedule to be audited. Light the medium warm NOC to HOT NOC level.
Perhaps even use different sets of ACL's on the edge, etc. It could also be used to explain an unexpected surge in traffic, calls, or other things. Ever look at some traffic stats and see a major surge and want to make sure you understand why?
Again wouldn't you also do all of these things "normally?" If an ACL is a good idea at "Orange" wouldn't you protect your network with those ACL's when the level is "Yellow." Or would you remove those ACL's when the threat level is reduced. How would you explain to your management when you are hacked at level "Yellow" you had better ACL's, but you only used the good ACL's at level "Orange."
I'd like to have a more standard application to risk analysis. As you know, security policy is always reviewed and risk analysis applied to determine how and what you are going to protect. Or not protect. I think these risk analyses are now affected by these "new" threats, or in a lot of cases, threats that no one really paid much attention to before.
I'd take it serious and consider NBC as well as "cyberAttacks".
Secretary Ridge has said to keep the plastic sheets and duct tape in storage. Don't start sealing your house (or NOC) yet. The FEMA/Red Cross preparedness recommendations are a good idea regardless of the alert level.
Secretary Ridge hasn't really established a credibility level. Not yet anyways. I respect what they are doing and understand they need time, but we all have businesses to run. If he says "Buy plastic and duct tape" I take that as he knows something we don't and it's reasonable to evaluate and re-apply the risk analysis. I have my duct tape and plastic, but haven't applied it to the windows.
conf t router> warning you cannot configure a router with this one....
Martin Hannigan wrote:
I have my duct tape and plastic, but haven't applied it to the windows.
I hear it is more effective, if you wrap the plastic around your head, and seal it with the duck tape.... Never had a -single- complaint, from users of this methodology..... as long as they don't cheat. :P Nothing gets through ... (of course, including air..) But this -=is=- a time of WAR, we MUST be willing to make sacrifices.... :* FACT: Did you know that Government studies show 100% of terrorists, participating in fatal terrorist attacks, were shown to have been breathing -=air=-, right prior to the accident. That's right, AIR! =-All=- of them do it. Well, We've got them NOW! :\ "There are liars, damned liars, and statisticians." :O :* ;) .Richard. ======================================================================= Famous President Bush words: Bush 1: "Read my lips, -NO- ... -NEW- ... -TAXES-!" Bush 2: "There can -ONLY- ... -BE- ... -=ONE=- ... -POSSIBLE- ... -OUTCOME-!" Next time, cough up money for the -real- acting class guys, the "William Shatner" class is too cheap, and everyone graduates sounding alike. * shrug * ;)
On Fri, 21 Feb 2003 14:41:05 EST, Martin Hannigan said:
Example: DHS sets RED level. Reaction: Move some third level engineers into the SOC. Audit the DR plan if it's not on schedule to be audited. Audit the backup plans if not on schedule to be audited. Light the medium warm NOC to HOT NOC level.
Do you buy fire extinguishers when there's no fire, or do you do it when the smoke alarm is already going off? Or is this the converse, where a leaky roof doesn't get fixed because you can't work on it on rainy days, and on sunny days it doesn't leak? If your DR/backup plan isn't already squared away, RED is a *very* bad time to be screwing with it. Anybody who's read this list for a while has seen enough examples of "attempt to fix broken network only makes it worse". If you audit your backup plan, and discover you're low on tapes to send off-site, what are the chances that we'll still be at RED when the tapes actually arrive from the vendor? -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
On Fri, Feb 21, 2003 at 03:32:12PM -0500, Valdis.Kletnieks@vt.edu wrote:
On Fri, 21 Feb 2003 14:41:05 EST, Martin Hannigan said:
Example: DHS sets RED level. Reaction: Move some third level engineers into the SOC. Audit the DR plan if it's not on schedule to be audited. Audit the backup plans if not on schedule to be audited. Light the medium warm NOC to HOT NOC level.
Do you buy fire extinguishers when there's no fire, or do you do it when the smoke alarm is already going off? Or is this the converse, where a leaky roof doesn't get fixed because you can't work on it on rainy days, and on sunny days it doesn't leak?
DR is a continuous loop. It's not the kind of thing you develop and then toss on a shelf. Right now is always a good time to audit your DR planning, or your disaster prevention planning. [ SNIP ]
If you audit your backup plan, and discover you're low on tapes to send off-site, what are the chances that we'll still be at RED when the tapes actually arrive from the vendor?
If I didn't audit the backup plan, I wouldn't discover I was low on tapes. The state of the alert is irrelevant when related to the DR plan. It's the event itself. I believe there is no bad time to conduct a drill or audit a DR plan. In fact, confusing or non-standard conditions would be optimal for such a test or audit. -M
I'm certain the government folks working to protect us 24x7 are doing everything they can, but the fact of the matter is the public alert systems in the US suck. Some just suck less. http://www.nj.com/news/gloucester/index.ssf?/base/news-0/104590500555170.xml "Butts said he often finds out about things like the change in the national threat level on CNN hours before the Communications Center receives a teletype about it." Butts is the Gloucester County Emergency Response Coordinator including the county 9-1-1 communications center. ISPs and other communication providers should be prepared to share information directly and quickly with each other. If you wait to hear from government officials to decide what sanitized information to share, it will be hours later. If ever.
ISPs and other communication providers should be prepared to share information directly and quickly with each other. If you wait to hear from government officials to decide what sanitized information to share, it will be hours later. If ever.
If anybody is interested here, I did put together a small group to experiment with a simple system to exchange and distribute PGP signed messages quickly. The basic 'working' of the system is contained within a yet-to-be-written Perl script that will poll a couple of 'master' servers for updated messages, validate the signatures and post the messages to a particular URL. Any server pulling these messages can become a master for other servers, which makes this kind of a 'P2P network' among web servers. Gateways to usenet/email/pagers/instant messengers would be possible. New PGP keys would be distributed as signed control messages within the system. Each PGP key has a certain number of 'points' assigned, and a message becomes 'valid' as soon as it has enough signatures to make it past a threshold. Anyway. Depending on how the water in my basement develops, I may actually get a first alpha of this out later this weekend. (if not next weekend). At that point, some testers / coders would be welcome to work on things like gateways and such. The overall goal: Make this system fast enough to reach 'everyone' within an hour. Of course, the system will not work once the internet is down, but its P2P-like structure should provide for some anti-DDOS robustness. -- -------------------------------------------------------------------- jullrich@euclidian.com Collaborative Intrusion Detection join http://www.dshield.org
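The "points per key, valid once past a threshold" rule in the message above, worked through as an added example; this is not code from the thread or from the DShield project. It uses Ed25519 from Go's standard library as a stand-in for PGP signatures, and the signer ids, point values, threshold and alert text are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// TrustedKey is one entry of the alert system's key registry: the public
// key and the number of trust points its signature contributes.
type TrustedKey struct {
	Pub    ed25519.PublicKey
	Points int
}

// Registry maps a signer id to its trusted key. In the real system new
// keys would arrive as signed control messages; here they are added locally.
type Registry map[string]TrustedKey

// Alert is a message as a relay would pull it from a master server: the
// body plus detached signatures keyed by signer id. Keying by id means a
// single key can never be counted twice on the same alert.
type Alert struct {
	Body       []byte
	Signatures map[string][]byte
}

// Score sums the trust points of the signatures that verify against the
// registered public key for their signer id. Signatures from unknown ids,
// and signatures that do not verify over this body, contribute nothing.
func Score(reg Registry, a Alert) int {
	total := 0
	for id, sig := range a.Signatures {
		k, ok := reg[id]
		if !ok {
			continue // unknown signer: no points
		}
		if ed25519.Verify(k.Pub, a.Body, sig) {
			total += k.Points
		}
	}
	return total
}

// Valid reports whether the alert has enough points to be relayed and posted.
func Valid(reg Registry, a Alert, threshold int) bool {
	return Score(reg, a) >= threshold
}

// Sign attaches a signature over the alert body under the given signer id.
func Sign(a *Alert, id string, priv ed25519.PrivateKey) {
	if a.Signatures == nil {
		a.Signatures = make(map[string][]byte)
	}
	a.Signatures[id] = ed25519.Sign(priv, a.Body)
}

// NewSigner generates a fresh key pair, registers the public half with the
// given points, and returns the private half to the caller (constructed
// keys for the demonstration; hypothetical helper, not part of the system).
func NewSigner(reg Registry, id string, points int) ed25519.PrivateKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg[id] = TrustedKey{Pub: pub, Points: points}
	return priv
}

func main() {
	reg := Registry{}
	privA := NewSigner(reg, "noc-a", 3) // constructed: a 3-point key
	privB := NewSigner(reg, "noc-b", 2) // constructed: a 2-point key
	const threshold = 4

	alert := Alert{Body: []byte("constructed alert: enable extra edge logging")}
	Sign(&alert, "noc-a", privA)
	fmt.Println("one signer:", Score(reg, alert), Valid(reg, alert, threshold))
	Sign(&alert, "noc-b", privB)
	fmt.Println("two signers:", Score(reg, alert), Valid(reg, alert, threshold))

	// A relay that changes the body cannot inherit the original signers' points.
	tampered := Alert{Body: []byte("constructed alert: disable edge logging"), Signatures: alert.Signatures}
	fmt.Println("tampered body:", Score(reg, tampered), Valid(reg, tampered, threshold))
}
```

Because the signature is bound to the body, a message that is altered in transit drops back to zero points, and because the registry decides which ids carry points, a signature from a key the system has not accepted through a control message adds nothing even if it verifies.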
----- Original Message ----- From: "Sean Donelan" <sean@donelan.com> To: <nanog@merit.edu> Sent: Saturday, February 22, 2003 1:47 PM Subject: Re: Homeland Security Alert System
I'm certain the government folks working to protect us 24x7 are doing everything they can, but the fact of the matter is the public alert systems in the US suck. Some just suck less.
http://www.nj.com/news/gloucester/index.ssf?/base/news-0/104590500555170.xml
"Butts said he often finds out about things like the change in the national threat level on CNN hours before the Communications Center receives a teletype about it."
Butts is the Gloucester County Emergency Response Coordinator including the county 9-1-1 communications center.
ISPs and other communication providers should be prepared to share information directly and quickly with each other. If you wait to hear from government officials to decide what sanitized information to share, it will be hours later. If ever.
Yesterday I was asked to install a DISH Network system for the Transportation Security Administration so their folks at the Airport can get "the news".<s> --Michael
participants (9)
- David Barak
- Jeffrey Meltzer
- Johannes Ullrich
- Martin Hannigan
- Michael Painter
- Peter Salus
- Richard Irving
- Sean Donelan
- Valdis.Kletnieks@vt.edu