Cisco CSIRT Mobile Networking and Monitoring for FIRST 2009 Conference
Cisco's Computer Security Incident Response Team (CSIRT) has developed a mobile monitoring and networking solution for providing on-site network and computer security monitoring during conferences and events. The first use of the gear, at FIRST 2007, was showcased in a Cisco-on-Cisco article. The CSIRT team monitors 2-3 events per year with this kit, and usually sends 1-2 people to each event to provide monitoring along with a follow-up report.
Purpose of On-Site Monitoring
- Showcase security event monitoring and technology.
- Provide secure on-site networking for conference attendees.
- Provide on-site computer and network security to prevent disruption and loss of intellectual property.
What Cisco CSIRT Provides
Along with monitoring staff, CSIRT provides a mobile shippable rack containing everything needed to provide a secure wireless network for conference attendees. The rack contains the following:
- Cisco 3750 Series switches to provide access layer switching.
- ASA 5510 with an IPS SSM; this is normally used only where CSIRT provides both monitoring and network connectivity.
- CS-IPS 4260 network intrusion prevention, used to detect network security events.
- CS-MARS 110 security information manager appliance to correlate security events from all devices and provide a single interface to them.
- Ironport S650 Web Security Appliance (WSA) to automatically block malicious web traffic via Cisco's SenderBase.
To provide secure wireless access, Cisco will also provide WPA-secured wireless access via Cisco Aironet 1100 and 1200 series 802.11a/b/g access points. The diagrams below detail the monitoring gear and its functions.
Monitoring Results
CSIRT will document the results of the event monitoring in a report similar to the report for FIRST 2008, which will detail:
- types of traffic seen
- site configuration
- false positives
- security incidents identified
- actions taken
Your Privacy
Your privacy will be protected during Cisco CSIRT security monitoring. Be assured that Cisco CSIRT analyzes only aggregate traffic; traffic will not be attributed to individuals in monitoring nor in reporting. Cisco CSIRT will monitor for disruptive security incidents in order to contain them, but will not analyze the types of traffic used by any individual. Some additional notes:
- Network intrusion prevention devices will analyze all traffic but only record events that match hacking or malware activity.
- The IronPort WSA will transparently proxy all plain-text web traffic for the purpose of blocking malicious software from reaching the FIRST conference network. The WSA will only record events where traffic is blocked; all other traffic will flow without any logging.
- Encrypted traffic (HTTPS, SSH, VPN, etc.) will not be inspected or recorded by the monitoring equipment.
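As an added illustration of the logging rules above (record only alert and block events, report aggregate counts only, attribute nothing to individual hosts), here is a small Python log reducer; it is not Cisco CSIRT code and the log line format, field names, signature ids and names are all constructed assumptions, not real IPS or WSA output.

```python
# Added example (not Cisco CSIRT code): reduce constructed IPS/WSA log
# lines to aggregate counts, keeping only alert/block events and dropping
# every field that could identify a host or user before anything is kept.
import re
from collections import Counter

# Constructed sample lines; the format and values are invented for this example.
SAMPLE_LOG = """\
ips src=10.1.2.3 dst=198.51.100.7 sig=90001 name=HTTP_suspicious_request action=alert
ips src=10.1.2.4 dst=198.51.100.9 sig=90002 name=ICMP_echo action=info
wsa client=10.1.2.5 url=http://example.test/setup.exe verdict=BLOCK category=Malware
wsa client=10.1.2.6 url=http://example.test/index.html verdict=ALLOW category=News
wsa client=10.1.2.3 url=http://example.test/x.js verdict=BLOCK category=Malware
"""

LINE_RE = re.compile(r"(?P<src>ips|wsa)\s+(?P<kv>.*)")
# Fields that attribute traffic to a host or user: never retained.
IDENTIFYING = {"src", "dst", "client", "url"}
# Only these (source, decision) pairs are recorded at all.
RECORDED = {("ips", "alert"), ("wsa", "BLOCK")}

def parse_line(line):
    """Return (source, fields) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    return m.group("src"), fields

def keep_event(source, fields):
    """True only for IPS alerts and WSA blocks, per the stated policy."""
    decision = fields.get("action", fields.get("verdict"))
    return (source, decision) in RECORDED

def aggregate(log_text):
    """Count recorded events by (source, signature or category) only."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        source, fields = parsed
        if not keep_event(source, fields):
            continue
        # Strip identifying fields before the event is counted.
        minimal = {k: v for k, v in fields.items() if k not in IDENTIFYING}
        counts[(source, minimal.get("name") or minimal.get("category"))] += 1
    return counts
```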
Support
You may direct questions about this setup, such as the network, security, or privacy assurances, to the Cisco team by emailing cisco-csirt-first-2009-support@cisco.com.