Policy for the IDS Sensor Network

This policy was adopted by the new, volunteer-driven eCSIRT.net project and is based on the formal document "WP4 Clearinghouse Policy - Release 1.1".

Introduction

One of the goals of the eCSIRT.net project is still to raise awareness and understanding of the work of CSIRTs, both among the general public and among CSIRTs themselves. Statistical and quantitative results are therefore made available to the public in a generalized and sanitized form that does not compromise the participating volunteers. These statistics provide valuable information about the attacks and anomalies detected by the participating volunteers and can be used to gauge the general hazard level for internet-connected systems.

The exchange of data needs to meet the requirements of the participating volunteers concerning the privacy and confidentiality of the exchanged data.

Purpose of this Document

This policy defines the binding framework for the exchange and publishing of statistical and quantitative results, founded on the eCSIRT.net Code of Conduct. It establishes rules for providing and accessing the collected data and the statistics, and defines the procedures necessary for publishing sanitized statistical and quantitative results to the public.

Document Structure

The basic requirements and technical means to participate in the eCSIRT.net IDS Sensor Network are presented in the next chapter.

Chapter 3 describes the level of detail of the collected data and the procedures of collection and publishing the data.

 

Basic Requirements

Because of the sensitivity of the exchanged data some general requirements were defined for the eCSIRT.net IDS Sensor Network. These are mostly concerned with the protection of integrity, authenticity and confidentiality.

Participation

Participation in the eCSIRT.net IDS Sensor Network is restricted to volunteers that either were:

or are either:

All participants must sign the eCSIRT.net Code of Conduct. The public statistical and quantitative results are accessible to everyone; participants submitting data additionally get access to the internal statistical, qualitative and quantitative results. The raw submitted data is not made available.

Required contact information

For participation in the eCSIRT.net IDS Sensor Network, detailed information about an applicant is required. The correctness of the most important contact information is ensured either by the TI accreditation framework, by the FIRST accreditation framework or by the eCSIRT.net project itself. Since the eCSIRT.net IDS Sensor Network has additional requirements that are not necessarily met by any of these accreditation frameworks, each participant will be asked to provide an extended set of contact information. All information needed for the eCSIRT.net IDS Sensor Network is listed in appendix A. Each participant must, in its own interest, ensure the correctness of its contact information, as otherwise the successful submission of statistical data and access to the processed results cannot be guaranteed.

Communication and Communication Security

To generate the proposed types of statistics the collection of data from each participant is necessary. The collection and processing of the data will be carried out on the eCSIRT.net server so the data has to be transferred using internet based communication.

The accuracy of the transferred information is crucial for the statistics so confidentiality, integrity and authenticity must be guaranteed using cryptographic techniques.

The eCSIRT.net sensors deployed by the volunteers are configured to automatically report events of interest to a central data collector using established formats and protocols. This transfer is authenticated with public key cryptography, based on a key pair assigned to each sensor at roll-out.

Each participant must support cryptographic techniques based on the SSL/TLS standards. Appendix B.1 gives a detailed description of the cryptographic techniques used, including the use of certificates.

Management of Cryptographic Keys and Access Tokens

The management of certificates as well as of other access tokens such as PINs and/or passwords is handled by the eCSIRT.net project management. Each participant must ensure the correctness of its public keys / certificates and assist in the key management efforts, including key certification based on direct communication with the eCSIRT.net project team. If no current public keys / certificates are available, successful participation cannot be guaranteed. The public keys and certificates used by the eCSIRT.net project team are listed in appendix B.4.

 

Information Exchange

This chapter specifies the necessary data to be exchanged and the technical mechanisms to achieve this.

Information

Probes and attacks are recorded and evaluated automatically by IDS sensors deployed in the networks of the participants. These sensors are usually placed on systems that serve no other operational purpose, using IP addresses that are not used for any production service either. No legitimate traffic has a reason to reach these addresses, so any network traffic directed at them can, with a high degree of certainty, be treated as a probe or attempted attack. The usual exceptions a sensor operator should keep in mind are backscatter from attacks elsewhere that spoof the sensor's address, and traffic caused by misconfiguration of other hosts; both arrive as unsolicited packets without being attacks on the sensor itself.

Information about attacks is provided in the IDMEF format (Intrusion Detection Message Exchange Format, RFC 4765), which carries the source and destination IP addresses, the port numbers and the contents of the corresponding network packets.
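As an added illustration, not code from the eCSIRT.net project, the following Python shows what this exchange amounts to on both sides: a sensor rendering an IDMEF alert with exactly the fields named above, and the collector parsing it and deriving the generalized, sanitized view that this policy allows to leave the collector. The sensor id, the addresses (RFC 5737 documentation ranges), the payload bytes and the HMAC key are all constructed for the example; the keyed pseudonymization of the target address and the per-port aggregation are one reasonable way to meet the sanitization requirement, not the project's documented procedure.

```python
import base64
import hashlib
import hmac
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter
from xml.sax.saxutils import escape

# XML namespace of the Intrusion Detection Message Exchange Format (RFC 4765).
NS = {"idmef": "http://iana.org/idmef"}


# --- Sensor side: render one IDMEF <Alert> with the fields the policy names ---
def idmef_alert(msgid, sensor, src, sport, dst, dport, proto, label, payload=b""):
    def node(ip):
        return ('<idmef:Node><idmef:Address category="ipv4-addr">'
                f'<idmef:address>{ip}</idmef:address></idmef:Address></idmef:Node>')

    def service(port):
        return (f'<idmef:Service><idmef:port>{port}</idmef:port>'
                f'<idmef:protocol>{proto}</idmef:protocol></idmef:Service>')

    extra = ""
    if payload:  # packet contents travel as a base64 "byte-string" in AdditionalData
        b64 = base64.b64encode(payload).decode()
        extra = ('<idmef:AdditionalData type="byte-string" meaning="payload">'
                 f'<idmef:byte-string>{b64}</idmef:byte-string></idmef:AdditionalData>')
    return (f'<idmef:Alert messageid="{msgid}">'
            f'<idmef:Analyzer analyzerid="{escape(sensor, {chr(34): "&quot;"})}"/>'
            '<idmef:CreateTime>2006-02-27T10:00:00Z</idmef:CreateTime>'
            f'<idmef:Source>{node(src)}{service(sport)}</idmef:Source>'
            f'<idmef:Target>{node(dst)}{service(dport)}</idmef:Target>'
            f'<idmef:Classification text="{escape(label, {chr(34): "&quot;"})}"/>'
            f'{extra}</idmef:Alert>')


# Constructed sample message: RFC 5737 documentation addresses, a made-up sensor
# id and a synthetic SMB-like payload. None of this is real traffic.
SAMPLE_IDMEF = (
    '<idmef:IDMEF-Message xmlns:idmef="http://iana.org/idmef" version="1.0">'
    + idmef_alert(1, "sensor-example-01", "192.0.2.10", 51234, "198.51.100.5", 445,
                  "tcp", "SMB probe", b"\x00\x00\x00\x8c\xffSMBr")
    + idmef_alert(2, "sensor-example-01", "203.0.113.7", 40001, "198.51.100.5", 445,
                  "tcp", "SMB probe", b"\x00\x00\x00\x8c\xffSMBr")
    + idmef_alert(3, "sensor-example-01", "192.0.2.10", 40002, "198.51.100.5", 22,
                  "tcp", "SSH probe")
    + '</idmef:IDMEF-Message>'
)


# --- Collector side: parse, sanitize, aggregate ---
def parse_idmef(xml_text):
    """Return one dict per <Alert> carrying the fields exchanged under this policy."""
    # ElementTree (expat) does not fetch external entities, but it is still open to
    # entity-expansion DoS; a collector fed by many sensors should use defusedxml.
    root = ET.fromstring(xml_text)
    alerts = []
    for alert in root.findall("idmef:Alert", NS):
        def text(path):
            el = alert.find(path, NS)
            return el.text.strip() if el is not None and el.text else None

        b64 = text("idmef:AdditionalData[@type='byte-string']/idmef:byte-string")
        alerts.append({
            "id": alert.get("messageid"),
            "sensor": alert.find("idmef:Analyzer", NS).get("analyzerid"),
            "src_ip": text("idmef:Source/idmef:Node/idmef:Address/idmef:address"),
            "src_port": int(text("idmef:Source/idmef:Service/idmef:port")),
            "dst_ip": text("idmef:Target/idmef:Node/idmef:Address/idmef:address"),
            "dst_port": int(text("idmef:Target/idmef:Service/idmef:port")),
            "proto": text("idmef:Target/idmef:Service/idmef:protocol"),
            "class": alert.find("idmef:Classification", NS).get("text"),
            "payload": base64.b64decode(b64) if b64 else b"",
        })
    return alerts


def sanitize(alert, key):
    """Record that may leave the collector: the target address (it identifies the
    volunteer's sensor) becomes a keyed pseudonym that stays stable across reports,
    and the raw packet contents are reduced to their length."""
    victim = ipaddress.ip_address(alert["dst_ip"])
    pseudonym = hmac.new(key, victim.packed, hashlib.sha256).hexdigest()[:12]
    public = {k: v for k, v in alert.items() if k not in ("sensor", "dst_ip", "payload")}
    public["target"] = pseudonym
    public["payload_len"] = len(alert["payload"])
    return public


def summarize(alerts):
    """Hits per (protocol, target port): the aggregate the public statistics report."""
    return Counter((a["proto"], a["dst_port"]) for a in alerts)


if __name__ == "__main__":
    parsed = parse_idmef(SAMPLE_IDMEF)
    for record in parsed:
        print(sanitize(record, b"collector-secret-key"))  # key is an example value
    print(summarize(parsed).most_common())
```

The attacker-side address is what the statistics are about and is kept; the target address, which identifies the volunteer's sensor, is what must not be recoverable from the published results, and the HMAC key stays on the collector so the pseudonyms cannot be reversed or recomputed by readers.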

Verification

Given the sensitivity of the collected data and the implications for the reputation of the participants and of the eCSIRT.net project, the data has to be collected over authenticated and encrypted channels to prevent abuse of the system. The submission of data and the access to any internal results are restricted to participants.

Privacy and Disclosure

The exchange of data needs to meet the requirements of the participants concerning the privacy and confidentiality of the exchanged data. This means that the volunteer has to consider all legal or organizational issues raised by submitting data to the eCSIRT.net Data Collector before doing so. If data is in fact sent to the Collector, it is therefore assumed that this data is transmitted legally and without carrying any liability other than the conditions defined in this policy.

For the automatically collected data for the eCSIRT.net Sensor Network different methods of data collection can be used to increase the amount and/or usefulness of the data available.

The level of detail a volunteer is willing to submit (e.g. Argus flow data with full IP header information, or only the events a network IDS such as Prelude has flagged as malicious) is entirely the volunteer's own decision.

Additional agreements for the submission of additional data are not the subject of this policy. If a volunteer agrees to send more data to the eCSIRT.net Data Collector, it also agrees that all participating volunteers get access to this data without further differentiation or filtering.

Further disclosure of the data collected requires explicit permission from the submitting participant(s).

 

Appendix A - Contact Information

For participation in the eCSIRT.net IDS Sensor Network, the provision of detailed information about a participant is required. A participant without TI accreditation has to submit at least the mandatory information set of the TI accreditation framework to the eCSIRT.net project team.

The submission of and access to the statistical data is managed using X.509-certificates and SSL/TLS-encrypted and authenticated connections. The management of X.509-certificates (e.g. distribution of certificates, accepting of revocation requests) will be based on the data already collected in the TI or FIRST accreditation framework. Therefore, the following information is needed for taking part in the statistics:

This information must be sent to the eCSIRT.net project team in a secure manner. In each case the responsible person receives as an answer a signed and encrypted e-mail with the following information:

 

Appendix B - Communication Security

B.1 - Security Techniques

In order to guarantee confidentiality, integrity and authenticity of Internet based communication the support of e-mail security services is absolutely necessary. In practical operation the use of the following security services is mandatory:

The management and transport of cryptographic material (e.g. distribution of keys, submission of revocation requests) for the eCSIRT.net IDS Sensor Network is based on e-mail using OpenPGP and S/MIME standards. These two standards have gained broad acceptance and should cover the needs of each participant.

The submission of the statistical data and the access to the generated statistics are secured using SSL/TLS encryption and authentication. The submission of data from the IDS sensors is secured with a client certificate for each sensor; the required keys are generated by the eCSIRT.net project team and distributed to the participant. Access to the collected data and the non-public statistics is restricted to the participants and is authenticated with a client certificate, which is likewise generated by the eCSIRT.net project team.

B.2 - Cryptographic keys and their certification

OpenPGP / GnuPG

For PGP, eCSIRT.net will accept every key which has been signed by TI or FIRST. The keys from a participant, who neither has the TI accredited status nor the FIRST Full Member confirmed status nor the FIRST Liaison confirmed status, will be signed by one or more of the eCSIRT.net project team members. The following conditions apply:

In the case of a team, it is recommended that the signing of individual team member's keys should be done by the team representative in order to establish a link of trust.

If no key is available that satisfies the boundary conditions, a new key must be produced [1]. After key generation, make a printout on paper of your key's data (the usual: user ID, key ID, key type, key size, creation and expiry dates and the fingerprint in hexadecimal format) and take it with you to a meeting with eCSIRT.net staff. Please make sure that the public key is accessible via a PGP keyserver, or take along a copy on a mobile data medium (USB sticks are fine).

For personal identification a valid national passport or EU ID card is needed. While the printouts (with the key data) are signed in the presence of eCSIRT.net staff, the passport or ID card is checked. This is how a personal key, a team key or both are authenticated.

After this the key(s) and the printout(s) will be checked. If everything is in order, the printout(s) will be signed by hand by eCSIRT.net staff. As soon as possible the keys will be signed, then updated on a PGP keyserver and on the eCSIRT.net restricted website.

For encryption, only algorithms with a minimum key length of 128 bits may be used (3DES, IDEA, AES). Note that 3DES offers only about 112 bits of effective security and has since been deprecated by NIST, so in practice AES is the choice that satisfies this requirement today.

X.509

For S/MIME and SSL/TLS secure communication the eCSIRT.net CA issues X.509 client certificates to the partners. Each participant receives an X.509 certificate (participant certificate) for access to the private parts of the eCSIRT.net website (including the forms for submission of data, the collected data and the generated non-public statistics). The certificate and the private key are generated by the eCSIRT.net CA and sent to the participant with OpenPGP encryption and signature. The participant has to import the certificate and private key into the browser. Key lengths, algorithms and validity periods of the certificates are chosen according to actual needs. Revocation of a certificate requires the participant to send a PGP-signed message to the project management. Because the CA generates the private key, the project team has necessarily held a copy of it; participants should therefore treat this key as one shared with the project and not reuse it for any other purpose.

B.3 - Management and distribution of cryptographic material

The application for participation in the eCSIRT.net IDS Sensor Network can be carried out by e-mail. The information mentioned in appendix A must be transmitted to the project management. The access information is sent out in the same way.

Because the application for participation and the accessed information are confidential, the use of the eCSIRT.net IDS Sensor Network is possible only after the certification of the communication keys has taken place.

If the application for an access token is not made by the representative of the team, the representative has to inform the eCSIRT.net project management beforehand. Should it be necessary to provide access information for other services, the application for and delivery of the necessary information follow the same method. Additional requests, such as revocation of certificates, require a validly signed message from the responsible person to the project management.

The key material for the IDS sensors is provided on a preconfigured medium that enables the distributed software to transmit data in an authenticated and encrypted way. Distribution of this medium requires authentication with the corresponding participant certificate. Revocation of a sensor certificate likewise requires a validly signed message from the responsible person to the project management; a new medium is then created and distributed.

B.4 - Public keys and certificates used by the eCSIRT.net project team

OpenPGP / GnuPG

X.509 Certification Authority

The certification authorities used for our services are signed by our ROOT certificate:

Fingerprint information for the SSL server certificate is listed here for convenience, not as a security measure. Make sure to properly authenticate the SSL server certificate according to your own security requirements!

[1] Please take all the usual precautions when doing so (e.g. create the key offline, choose a secure passphrase, store the key in a safe place, preferably not online, and make sure you have a backup of the keyrings).

   

Appendix C - Revision History

 

Last changed: February 27, 2006 / TD
Copyright © 2002-2006 by PRESECURE Consulting GmbH, Germany
This page is digitally signed with PGP.