Notes
Coordinating Committee for Intercontinental Research Networking (CCIRN)
Security Working Group

December 12, 1996
Fairmont Hotel - San Jose, CA

I. PARTICIPANTS:

Steven Bakker, DANTE-UK, steven@dante.org.uk
Vincent Berkhart, DANTE-UK, vincent@dante.net
Kilnam Chon, KAIST-Korea, chon@cosmos.kaist.ac.kr
John Dyer, Terena-EC, dyer@terena.nl
Uwe Ellermann, DFN-CERT-Germany, ellermann@cert.dfn.de
Mark Graff, Sun Microsystems, graff@eng.sun.com
Peter Jurg, SURFnet-CERT-NL, jurg@surfnet.nl
Peter Kirstein, Univ. College London-UK, kirstein@cs.ucl.ac.uk
Thomas Lenggenhager, Switch-Switzerland, lenggenhager@switch.ch
John Martin, Terena-EC, martin@terena.nl
Tracie Monk, DynCorp/FNC-US, tmonk@snap.org
Sandy Sparks, CIAC/FedCIRC-W, ssparks@llnl.gov
Walter Wiebe, Federal Networking Council-US, wwiebe@nsf.gov

II. RECOMMENDATION

CCIRN Chairs recommend that all CCIRN R&E networks explore membership in FIRST. For details about this organization, see http://www.first.org.

III. ACTION ITEMS

A representative from FIRST will be invited to participate in the CCIRN meeting in Kuala Lumpur, Malaysia on June 28th. (Kilnam Chon)

Tracie Monk will distribute NIST’s draft standards for PKI to the CCIRN mailer.

Chon will follow up with Mark Graff on issues relating to Asian R&E networks submitting applications for FIRST membership. Chon will also serve as the POC and coordinate with CCIRN R&E networks from developing countries in Latin America and Africa.

Peter Kirstein will take the lead in coordinating with CAIRN and FNC/CIS members concerning adding secure multicast (SMIME) to their efforts.

A new mail list for the CCIRN Security Working Group will be set up. (Tracie Monk)

IV. DISCUSSIONS

a. FIRST

Mark Graff and Sandy Sparks provided an overview of the FIRST organization and its relevance for R&E networks. The Forum of Incident Response and Security Teams (FIRST) is an international consortium of computer incident response and security teams who work together to handle computer security incidents and to promote preventive activities. Its mission is to: provide members with technical information, tools, methods, assistance, and guidance; coordinate proactive liaison activities and analytical support; encourage the development of quality products and services; and improve national and international information security for government, private industry, academia and the individual.

FIRST was started in 1989 by CERT, CIAC and NASIRC (U.S. Federal agencies) in response to the Morris Worm and similar Internet security threats. Today there are upwards of 48 teams in two dozen countries, including two for-profit incident response teams. FIRST has also incorporated this year as a non-profit institution. Requirements for membership include:

Activities that FIRST does NOT do include:

The key challenges it is facing today include:

FIRST’s 9th Computer Security Incident Handling Workshop will be held in Bristol, England, 22-26 June 1997. CCIRN members are invited to participate in this meeting. The group also discussed the possibility of having a FIRST representative present at the CCIRN meeting in Kuala Lumpur, June 28, 1996. Chon agreed to follow up with several Asian networks about their inquiries concerning FIRST (Chon will work directly with Mark Graff on these items).

b. EUROPE

Thomas Lenggenhager provided an overview of Terena’s Internet security efforts. Terena produced a task force paper on incident response requirements for Europe in August 1996. The technical advisory team put forth a proposal for continent-wide coordination of the CERTs based on this paper. Thomas provided details on the proposed SIRCE (Security Incident Response Coordination for Europe); also see the Terena web site at http://www.terena.nl.

Shortly following this CCIRN meeting, the establishment of SIRCE was announced by Terena. The following text describes SIRCE – it is an elaboration on the details provided at the CCIRN meeting.

        DANTE/UKERNA PARTNERSHIP TO SET UP SIRCE SERVICE

        The TERENA Executive Committee has announced its intention 
        to award the set-up of a pilot European Security Incident 
        Response Coordination Service to a partnership consisting of 
        DANTE and UKERNA.  UKERNA is the UK organization responsible 
        for the operation and development of JANET and SuperJANET.

        The establishment of a European Security Incident Response
        Coordination Service was discussed and requested by the 
        European IRTs (Incident Response Teams) to solve a number of 
        coordination problems.  These include dependence of European 
        IRTs on the US funded CERT/CC, as well as those arising from 
        cultural, legal and language differences, and different time 
        zones.

        In consultation with its CERT Task Force, the TERENA Executive
        Committee set up a Technical Advisory Group (TAG) to advise 
        TERENA on a suitable organization to lead a two and a half year 
        pilot service.  At the beginning of October 1996, TERENA issued 
        a call for proposals to a limited number of organizations for 
        the operation of the SIRCE (Security Incident Response Coordination 
        for Europe) pilot.

        DANTE and UKERNA decided to respond to the call by establishing 
        a partnership which brings together the complementary skills of 
        the two organizations. UKERNA has the technical expertise of the 
        well-established JANET-CERT, while DANTE has the commercial and
        administrative experience in the management of coordinated pan-
        European services.

        The pilot service is planned to be launched in the first quarter 
        of 1997. DANTE and UKERNA, in consultation with TERENA, will 
        immediately start preparing the service implementation, one 
        element of which is the drafting of a detailed service 
        specification.  As required in the specification of the TERENA 
        CERT Task Force the service will develop gradually. In the 
        initial phase a coordination function will be offered, which 
        includes organization of meetings, help for the establishment 
        of new IRTs, and the provision of information services. In the 
        second phase of the pilot incident coordination will be included, 
        and SIRCE will be involved in the process of responding to 
        individual incidents. After the pilot phase it is intended that 
        an operational service will provide full incident coordination, 
        24 hours/7 days a week.

The pilot referred to above would be a 2-1/2 year project starting at the beginning of the year. After the start-up period, Terena envisions a fully integrated incident response capability available to European networks. Each R&E network in Europe is required to provide some funding for SIRCE. The key areas include getting the information service up and running and providing incident response coordination.

Other efforts discussed included the European Commission’s ICETELL project which seeks to develop a public key infrastructure for Europe (see http://www.terena.nl) and the need for integrating security hooks into new software / hardware (particularly web browsers and servers).

c. United States

Sandy Sparks provided an overview of the new Federal Computer Incident Response Capability (FedCIRC) as a model for consideration by other countries. The FedCIRC is a new initiative undertaken by the U.S. National Institute of Standards and Technology (NIST), the Department of Energy's Computer Incident Advisory Capability (CIAC), and the Carnegie Mellon Software Engineering Institute's CERT/CC. These computer security organizations have banded together to offer the Federal civilian community assistance and guidance in handling computer security related incidents. The FedCIRC has received funding for 18 months through the National Performance Review Innovative Pilot Fund award of $3 million. At the end of this period, FedCIRC anticipates funding provided through participating federal agencies. Details on the FedCIRC are available at http://ciac.llnl.gov/fedcirc/.

Walter Wiebe provided an overview of the Federal Networking Council (FNC) Collaborations in Internet Security (CIS) project. Eight federal agencies are participating in the effort, including: DARPA, DoD, DOE, NASA, NIH, NIST, NSF, and NSA. This phase of the CIS is from October 1, 1996 through September 30, 1997. The effort emphasizes testing and deployment of emerging COTS technologies. Participation from academia and industry is being encouraged.

Project goals include:

Key CIS testbeds are described below. Additional information on the CIS effort and specific initiatives can be found at http://www.fnc.gov/cis_page.html.

Kerberos Testbed - The Department of Energy (DOE) has the lead in exploring the Kerberos v. 5.0 technology. Areas that are being addressed in this effort include: inter-realm authentication; scalability; and interoperability across different platforms as well as different applications.

Advanced Authentication - The Army Research Laboratory (ARL) has the lead on this testbed, including exploration of one time passwords and their incorporation into single sign-on systems. Other methods of biometric authentication may also be considered. The one time passwords can be software based, e.g., s/key, or based on hardware token generators, e.g., SecurID and Fortezza. The single sign-on focus will be to incorporate one time password schemes with Kerberos.

Secure Web - ARL also has the lead in exploring a variety of schemes available for securing web transactions, for authenticating the client and server, ensuring the integrity of the information, and the privacy of the user.

Privacy - This testbed is intended to be used for federal agencies to gain valuable experience in the use, management, and maintenance of a system of private keys and certificates for authentication and privacy. It will result in the development of a consistent, coherent strategy for protecting data and managing and maintaining public keys and certificates for privacy and authentication across multiple agencies. It will also clarify government requirements for interoperability of public keys and certificates among different systems and vendors. The National Aeronautics and Space Administration (NASA) has the lead on this testbed.

Fortezza - The National Security Agency (NSA) is supporting CIS participants who are evaluating Multilevel Information Systems Security Initiative (MISSI) products. The applicability of MISSI technology when used with other Internet security technologies, e.g., digital signatures, cryptographic application program interfaces (API), and public key infrastructure (PKI), is also being evaluated.

Digital Signatures - Through this testbed, NASA is assisting agencies to gain valuable experience in the use, management, and maintenance of a system of public certificates for authentication, privacy, and security.

Secure Messaging - NASA also has the lead in a testbed designed to help agencies gain experience in the use, management, and maintenance of a secure messaging system based on the use of public keys and digital signatures.

PKI - The NIST-led PKI effort is seeking to provide federal users with the means to interact securely with non-federal entities throughout the globe.

National Voluntary Labs - NIST is also extending their NV Lab efforts through the CIS and will seek to develop a mechanism to test, accredit, and rank security measures against various standards.

Participants discussed the importance of secure multicast and SMIME, and the possibility of exploring alternatives under the CIS and/or CAIRN efforts (see http://www.isi.edu/CAIRN). Peter Kirstein agreed to follow up with Tice DeYoung (NASA) or Phil Dykstra (ARL) about the CIS effort and with Hilarie Orman (DARPA) about testing secure multicast technologies under the CAIRN project.

Last updated on 23 January 1997