en:about_project

Differences


en:about_project [28.11.2014 14:15]
trestikv@cesnet.cz created
en:about_project [28.11.2014 15:07]
trestikv@cesnet.cz [The Project]
Line 3:
 //Warden, a system for sharing information about detected security incidents, was conceived upon the needs of two accredited CSIRT teams within the CESNET2 network – the [[http://csirt.cesnet.cz/|CESNET-CERTS]] team (security team for the CESNET2 network) and the [[http://www.muni.cz/csirt|CSIRT-MU]] team (security team for the network of Masaryk University in Brno). The CESNET-CERTS team was looking for further sources of information about security incidents relating to the CESNET2 network, while the CSIRT-MU team had information about such incidents from detection tools run in the MU network but had no use for data not related to the MU network.//
  
-||<​tablestyle="​tablewidth:​100%;​ width:​100%"​ style="​background-color:​ #FFFFFF; text-align: center"> ​{{attachment:​cesnet-certs-logo.png|CESNET-CERTS|width=125}} |||| {{attachment:​csirt-mu-logo.png|CSIRT-MU|width=125}} ||+{{ :en:​cesnet-certs-logo.png?​nolink&​125 ​|CESNET-CERTS}}
  
 +{{ :​en:​csirt-mu-logo.png?​nolink&​125 |CSIRT-MU}}
 +
 +
 +\\
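Review bot: the two empty `+` lines followed by the `\\` forced line break after the second logo push the next paragraph down twice, since the blank line already separates the images from the text that follows; consider dropping the `\\` and keeping a single blank line. Replacing the MoinMoin-style `||<tablestyle=...> {{attachment:...|width=125}} ||` table with the two `{{ :en:...-logo.png?nolink&125 |...}}` media entries is the right move for this wiki, as `?nolink&125` gives the same 125 px width without wrapping each logo in a link.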
 This is where the idea to create a simple system operating on the “send data” and “receive data” principle was conceived. Many CERT/CSIRT teams dedicate their efforts to developing and operating useful tools and systems for monitoring network traffic and services and detecting traffic anomalies – based on netflow, IDS, honeypots, log analysis, etc. The CSIRT team uses the output of these detection systems for its own purposes and for the sake of the network it supervises. The data could be useful to other teams operating in different networks. However, the data is not accessible and the teams do not make it available, as no simple mechanism for its efficient and secure sharing is at hand. Thus, the teams face an unpleasant dilemma – whether to provide the data to the administrators (security/CSIRT teams) of the networks concerned, whether to “dispose” of it, or whether to send it to large collection points such as Shadowserver, Mynetwatchman, Team Cymru, etc. The former approach – to provide it to the administrators of the networks concerned – is laborious and may generate more work than the team is able to perform. The latter approach – to dispose of the data – is an inefficient waste of useful data. The alternative approach – a collection point – is a provisional solution with many negative implications. The teams should carefully consider what data can be stored in such points, as there is no guarantee as to how the data will be treated. Moreover, needless delay and sometimes even distortion may occur.
  
Last modified:: 28.11.2014 15:07