Cisco CSIRT Mobile Networking and Monitoring for FIRST 2016 Conference
Cisco's Computer Security Incident Response Team (CSIRT) has developed a mobile monitoring and networking solution for providing on-site network and computer security monitoring during conferences and events. The first use of the solution at FIRST 2007 was showcased in a Cisco-on-Cisco article. In 2012, Cisco CSIRT had a deployment at the Cisco House of the London Olympics. The CSIRT team monitors 2-3 events per year with this kit, and usually sends 1-2 people to each event to provide security monitoring and a follow-up report.
Purpose of On-Site Monitoring
- Showcase security event monitoring and technology.
- Provide secure on-site networking for conference attendees.
- Provide on-site computer and network security to prevent disruption and loss of intellectual property.
What Cisco CSIRT Provides
Along with security engineers, CSIRT provides a mobile, shippable rack containing everything needed to host a secure wireless network for conference attendees. The rack contains the following:
- Cisco 3850-X & 3560 series POE+ switches to provide access layer switching
- Cisco Next-Gen Intrusion Prevention System (FirePOWER 7125)
- Cisco CSIRT will also provide secured wireless access with:
  - Cisco 5508 Wireless Controllers
  - Cisco Aironet 3700 Access Points (802.11ac)
- Cisco 5550 series Adaptive Security Appliance (ASA)
- Cisco Virtual Web Security Appliance (WSA) to automatically block malicious web traffic via Cisco's SenderBase.
- Lancope StealthWatch Virtual Edition for collecting and analyzing netflow
- Splunk for parsing and indexing security events and logs
- Cisco UCS C220 running:
  - Virtualized appliances
  - Additional logging and network services
CSIRT will document the results of the event monitoring in a report similar to the report for FIRST 2008, which will detail:
- types of traffic seen
- site configuration
- false positives
- security incidents identified
- actions taken
Your privacy will be protected throughout the duration of Cisco CSIRT's security monitoring effort. Be assured that Cisco CSIRT analyzes only aggregate traffic; traffic will not be attributed to specific individuals in the course of normal monitoring nor in reporting. Cisco CSIRT will monitor for disruptive security incidents in order to contain them. Some additional notes:
- NetFlow collection, DNS logging, and packet capture are performed and used for aggregate statistics and in the event of a security incident.
- Attendee Internet traffic will pass through an inline deployment of Cisco Sourcefire NG-IPS.
- The Cisco WSA will transparently proxy all port 80 (non-SSL) web traffic for the purpose of blocking malicious software from infiltrating the FIRST conference network.
- Encrypted traffic (HTTPS, SSH, VPN, etc.) will not be inspected or recorded by the monitoring equipment.
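To illustrate the aggregate-only analysis described above, here is an added example (not Cisco CSIRT's code) that reduces NetFlow-style records to per-class byte and flow totals, keeping only a count of distinct sources rather than any per-address record. The flow records and the set of ports treated as encrypted are constructed assumptions for the example.

```python
"""Aggregate NetFlow statistics without attributing traffic to individuals.

Added example, not Cisco CSIRT code. Flow records are constructed inline in a
simplified tuple format: (src_ip, dst_ip, proto, dst_port, bytes).
"""
from collections import Counter

# Constructed sample flows (RFC 5737 documentation addresses), not real data.
SAMPLE_FLOWS = [
    ("10.10.1.20", "203.0.113.5", "tcp", 443, 51200),
    ("10.10.1.20", "203.0.113.9", "tcp", 80, 2048),
    ("10.10.1.33", "198.51.100.7", "tcp", 22, 8192),
    ("10.10.1.33", "203.0.113.5", "tcp", 443, 12000),
    ("10.10.1.41", "198.51.100.2", "udp", 53, 310),
    ("10.10.1.41", "198.51.100.10", "udp", 1194, 90000),
]

# Assumed port list for traffic the kit does not inspect: HTTPS, SSH, OpenVPN.
ENCRYPTED_PORTS = {443, 22, 1194}


def classify(proto, port):
    """Bucket a flow by how the monitoring kit treats it."""
    if port in ENCRYPTED_PORTS:
        return "encrypted"            # not inspected or recorded
    if proto == "tcp" and port == 80:
        return "plaintext-web"        # transparently proxied by the WSA
    return "other-plaintext"          # e.g. DNS, visible to NetFlow/IPS


def aggregate(flows):
    """Return per-class byte/flow totals and a distinct-source count.

    Only totals survive the call; no per-address attribution is retained.
    """
    bytes_by_class, flows_by_class, sources = Counter(), Counter(), set()
    for src, _dst, proto, port, nbytes in flows:
        cls = classify(proto, port)
        bytes_by_class[cls] += nbytes
        flows_by_class[cls] += 1
        sources.add(src)              # used only for the count below
    return {
        "bytes": dict(bytes_by_class),
        "flows": dict(flows_by_class),
        "distinct_sources": len(sources),
    }


def encrypted_share(stats):
    """Fraction of observed bytes that the kit could not inspect."""
    total = sum(stats["bytes"].values())
    return stats["bytes"].get("encrypted", 0) / total if total else 0.0


if __name__ == "__main__":
    s = aggregate(SAMPLE_FLOWS)
    print(s, f"encrypted share: {encrypted_share(s):.1%}")
```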
You may direct questions about this setup, such as the network, security, or privacy assurances, to the Cisco team by emailing firstname.lastname@example.org.