To secure the network at Argonne National Laboratory, Scott Pinkerton, network services manager for the lab, uses a mix of NetFlow traffic analysis and customized device scripting to tie together different Cisco-based security products, such as firewalls, VPN gear and intrusion detection/prevention system (IDS/IPS) hardware.
"We're data mining NetFlow very aggressively for what we think are zero-day attack traffic patterns," Pinkerton says, who manages a network of 2,600 users, about half of which are scientists at the lab's DuPage County, Ill. facility, operated by the University of Chicago.
NetFlow is a Cisco technology for storing traffic flow histories on routers and switches. Pulling NetFlow data and analyzing the flows with tools from Cisco and third party vendors can reveal network trends such as bandwidth utilization, protocol usage and end-user traffic patterns.
The network staff at Argonne pulls NetFlow data from all of its edge and core switches and routers every 60 seconds. Data pulled from the devices is centralized on a single server then and analyzed for unusual, or outright illegal, behavior.
"We can see how often machines on our network talk to other machines outside the network," and vie versa, Pinkerton says. For instance, he says, "desktops are not normally sending e-mails to 1,000 different IP addresses across the Internet."
When strange traffic behavior is detected in the NetFlow data, firewalls are reconfigured to limit or block such traffic. Pinkerton says firewall configurations are re-read, or tweaked, every hour to keep the perimeter devices up to date on the latest activity going on inside and outside the network.
Argonne National Labs does is not an island; it peers with over a dozen other Department of Energy national laboratories, such as Lawrence Livermore in Berkeley, Calif., Sandia in New Mexico and the Stanford Particle Accelerator. With many of these labs interconnected with university networks, security is a larger issue for the entire group.
Pinkerton is looking to take security best practices from his lab and come up with "what I would call this a federated model of cyber security." This would involve a standards-based way where a the DOE national laboratories would share a list of IP addresses that have "behaved badly." Pinkerton and other laboratories are considering using an XML-based standard messaging scheme for delving and sharing this data among the labs. Since Cisco IDS gear understands XML messaging, this larger sharing of security data could be used to automate network gear across all DOE labs.
"You can't block an IP address for life," Pinkerton says. "It just doesn’t work like that, but it seems worthy to ask what we can do with knowledge of recidivism. What can we do with apriori knowledge of someone being hostile at one laboratory, which would allow everyone to be more sensitive and to react faster if that user become hostile to another network."
Having this shared knowledge of what certain machines or users did I the past could help shape security policies.
"The decision on how long to block a user could be based on this corporate memory," Pinkerton says. "If you've harassed me ten time this month, it's likely I'll block that user for a longer period of time, than if it was a first offense."