1. Securing the Hastily Formed Network
Cisco Tactical Operations
www.cisco.com/go/tacops
@CiscoTACOPS
April 2015
Infosec for Disaster Relief and Emergency Response
3. Introductions
Cisco Public. © 2013-2014 Cisco and/or its affiliates. All rights reserved.
4. Emergency Response – Cisco TACOPS
Dedicated crisis response team that establishes emergency networks after a disaster
TacOps personnel skills include:
• Technical Expertise
• Planning, Logistics and Operations
• Trained First Responders (Fire, EMS)
• Military Service
5. Cisco Tactical Operations: Emergency Responses
• 2005 – Hurricane Katrina (LA)
• 2007 – Harris Fire (San Diego, CA) *
• 2008 – Evans Road Fire (NC) *
• 2008 – Cedar Rapids Floods (IA) *
• 2008 – Hurricane Gustav (LA) *
• 2008 – Hurricane Ike (TX) *
• 2009 – Morgan Hill Fiber Cut (CA) *
• 2010 – Earthquake (Haiti)
• 2010 – Plane Crash (Palo Alto, CA) *
• 2010 – Four Mile Canyon Fire (CO)
• 2010 – Operation Verdict (Oakland, CA) *
• 2010 – Earthquake (Christchurch, NZ)
• 2010 – Gas Pipeline Explosion (San Bruno, CA) *
• 2011 – Flooding (Queensland, AU)
• 2011 – Tornados (Raleigh, NC) *
• 2011 – Tornados (AL) *
• 2011 – Tornado (Joplin, MO)
• 2011 – Tornado (Goderich, Ontario)
• 2011 – Flooding (Brazil)
• 2011 – Earthquake and Tsunami (Japan)
• 2012 – Dadaab Refugee Camp (Kenya)
• 2012 – Waldo Canyon Fire (CO) *
• 2012 – Hurricane Sandy (NY / NJ) *
• 2013 – Boston Marathon Explosion (MA)
• 2013 – Fertilizer Plant Explosion (West, TX) *
• 2013 – Tornado (Moore, OK) *
• 2013 – St. Mary’s College Fire (Leyland, UK)
• 2013 – Navy Yard Shooting (Washington, DC)
• 2013 – Typhoon Haiyan / Yolanda (Philippines)
• 2014 – Carlton Complex Fire (WA) *
• 2014 – King Fire (CA)
• 2014 – Ebola virus crisis (West Africa)
• 2015 – Cyclone Pam (Vanuatu)
* = NERV / ECU Deployed
6. The Hastily Formed Network
7. All Crisis Responders Share the Same Problem
How to deliver the right information in the right format to the right person at the right time on the right device?
• Public Safety
• Defense
• National, State & Local Government
• Healthcare
• Critical Infrastructure
• Transportation
• NGOs/VOADs/International Orgs
8. The Need for Technology in Disaster is Increasing
• Radio, phone -> Radio + Integrated Data
• Single device -> Any Device (BYOD)
• Voice only -> Voice, Video, Data
• Closed teams -> Open collaboration
• Command centric -> In the field, social media, everyone
• Fixed locations -> Deployable anywhere
Goal: Mission workflow and productivity benefits to save lives and speed recovery.
9. Typical ICT Challenges In Disaster
• Information and Computing Technologies (ICT) are needed but overwhelmed…
– Lack of power
– Degraded telephony infrastructure
– Degraded Push-to-Talk Radio, Lack of interoperability
– Oversubscribed services
– Limited Internet access
– Few IT resources
– Lack of trained staff
– Lack of Information security & management
10. Solution: Hastily Formed Networks (HFN)
• “Instant Emergency Networks”
• HFNs are portable, IP-based networks that are deployed in emergencies when normal communications have been disabled or destroyed.
• Enable on-scene and remote responders to share situational awareness, coordinate operations, establish command and control.
• Communicate within the affected area as well as to the outside world.
11. HFNs: What They Are
• Portable: mobile, rolling kit, easily moved with few personnel
• Rapidly deployable: pre-configured, set up with minimal training
• Interim: typically decommissioned once pre-event communications are restored.
• Based on: WiFi/VSAT/WiMAX/etc.
12. HFN Examples
13. HFN Example: 2010 Haiti Quake
[Diagram: NPS HFN Team Haiti Network. Labels: USNS COMFORT, Airport, VSAT/BGAN Satellite, WiMAX Point-to-Point, WiFi Mesh, WiFi Access Point]
14. Cisco NERV Architecture
[Diagram labels: DMVPN/FW Router 3925; Core Router 3945; Wireless Controller; IPICS (HF, UHF, VHF); IP Phone 7970/9971; Video Conferencing (C40); Wireless Mesh APs 1550; Inside Wireless AP 3600; Wireless IP Phone; Video Surveillance Cameras; Internet; Cisco San Jose, CA; Raleigh, NC; Ku-band VSAT; Satellite Modem; Access Switch; Ironport WSA]
15. HFN Example: 2014-2015 Ebola Crisis
• Deploying cloud-managed security at the satellite hub in Europe created effective security without having local infosec in remote areas!
• Hundreds of unmanaged, poorly patched hosts, risks mitigated (BYODD)
[Diagram labels: 20x Remote locations… (Sierra Leone, Liberia; ETUs, clinics, etc); Primary; Secondary; Meraki MX80; Internet; Upstream HSRP; Juniper FW]
16. Infosec and HFNs
17. Security: What are We Really Trying to Do?
• Protect the mission
• Keep bad things out.
• Keep critical services running
• Know what’s happening on the network and devices
• Balance security and access
• Get it right every time.
[Diagram labels: Inside, Outside]
18. Myth Busting: Information Security in a Disaster
Assumption: “In a crisis network, I need to get deployed quickly. I don’t have time or the resources to secure the network!”
Reality: All HFN networks should be pre-planned – plan and build your security into your infrastructure!
19. HFNs Use the Same Basic Infosec Assumptions
• Least-privilege access: Users, devices, systems are given minimal access given the crisis environment (advanced AAA solutions, etc. may not be available!)
• Threats may come from anywhere in the network.
• Simplicity: Once initially configured, the security architecture should establish itself without requiring any additional work from personnel who already have too much to do.
• Defense-in-Depth: No single security feature or technology can mitigate the range of possible threats.
• On-scene staff may have little/no security background.
• Acceptable Use Policies, Incident Response may be undefined.
20. Managing Infosec In Emergencies
• Hastily formed networks (HFN) often overlook security – no such thing as a CSO in a disaster.
• A huge risk for first responders.
• TACOPS capabilities have integrated security at multiple levels to protect supported orgs: firewall, VPN, IDS/IPS, etc.
• Important to have buy-in from COML/agency support!
21. HFN Security Starts With the Physical
• You’re going into a disaster zone!
• “Force Protection”
• Physical security of equipment
• Logistics
• Intelligence
• Health and Safety
22. Layer 7 Inspection / Deep Packet Inspection For Granular Control
• Ironport or Meraki for Layer 7 inspection, blacklisting/whitelisting, QoS, bandwidth management
• Enhances BYODD security, preserves satellite bandwidth.
• “Enable Facebook (because social media is important in a disaster!) but not P2P.”
• Throttle software updates!
23. DoS is the Primary Security Concern with Satellite
• Satellite is often the only way to get broadband data in a disaster.
• The “thin sippy straw” – bandwidth from 128 kbps – 5 Mbps (typical Ku VSAT system)
• Protect your satellite bandwidth at all costs!
Malicious traffic
• Botnets, Zombies, proxies, DDoS flooding traffic.
Inappropriate use …?
• YouTube
• BitTorrent / P2P
• Adult content
24. Example: NetHope Ebola Response Network
25. A Real World Security Incident…
• Once upon a time… the NERV had a flat, open network.
• Evans Road Fire in North Carolina.
• Firefighter’s laptop came onto the NERV pre-infected – DDoS zombie w/spoofed SRC IP.
• Created DoS condition on the satellite uplink.
26. …Had Us Reevaluate Access.
• Designed for differentiated access in an easy-to-deploy fashion.
• “Untrusted” VLANs: open WiFi, certain networks such as those external to the NERV or kits (patch panel) – access to the Internet only.
• “Trusted” VLANs have open access to servers, vehicle-based resources, etc. Requires you to have physical access to vehicle/kit
[Photo caption: Optical & Copper patch panel allow only limited access]
28. Our HFN Firewall Strategy – One Policy, Everywhere
• Each “unit” is responsible for its own firewall
• Each policy is the same
• Inbound IOS firewall, BOGON filters
• Egress Internet-only from “untrusted” networks
• Egress “sanity checking” filters for spoofed outbound traffic
• Layer 7 inspection + Layer 3
[Diagram labels: Internet; ASA Firewall; ASA Firewall; Field Units; San Jose, CA; Raleigh, NC]
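Added example (not part of the Cisco deck, and not Cisco configuration): a Python model of the one-policy firewall rules listed on this slide, replayed over constructed packets that include a spoofed-source flood like the Evans Road Fire incident. The VLAN subnets, the shortened bogon list and the function names are assumptions made for illustration.

```python
import ipaddress as ip

# Assumed addressing for one field unit (constructed, not taken from the slides).
TRUSTED = [ip.ip_network("10.20.10.0/24")]    # wired ports inside the vehicle/kit
UNTRUSTED = [ip.ip_network("10.20.99.0/24")]  # open WiFi, external patch panel
# Short illustrative bogon list; a deployed filter needs the full, current list.
BOGONS = [ip.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/3")]

def _in(addr, nets):
    return any(addr in net for net in nets)

def decide(direction, src, dst):
    """Return (action, reason) for one packet at the unit's uplink firewall.
    "out" = unit LAN toward the uplink, "in" = Internet-facing side inbound."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    if direction == "in":
        if _in(s, BOGONS):
            return "drop", "bogon source on inbound"
        return "inspect", "pass to stateful/Layer 7 inspection"
    # Egress sanity check: the source must be an address this unit hands out.
    if not _in(s, TRUSTED + UNTRUSTED):
        return "drop", "spoofed source on egress"
    # Untrusted VLANs are Internet-only: no private or reserved destinations.
    if _in(s, UNTRUSTED) and _in(d, BOGONS):
        return "drop", "untrusted VLAN to non-Internet destination"
    return "permit", "policy allows"

# Constructed sample traffic: (direction, source, destination).
SAMPLE = [
    ("out", "10.20.99.41", "203.0.113.7"),    # guest laptop to the Internet
    ("out", "198.51.100.23", "203.0.113.7"),  # flood with a forged source
    ("out", "10.20.99.41", "10.20.10.5"),     # guest reaching for a kit server
    ("out", "10.20.10.8", "10.30.10.5"),      # trusted host to another site
    ("in", "192.168.1.9", "203.0.113.50"),    # bogon source from outside
    ("in", "203.0.113.7", "203.0.113.50"),    # ordinary inbound traffic
]

def replay(packets):
    return [decide(*p)[0] for p in packets]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(pkt, "->", decide(*pkt))
```

Because the forged-source flood is dropped at the unit's own egress, it never reaches the satellite uplink, which is the resource the deck says to protect first.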
29. Carlton Complex Fire, WA 2014
• FEMA: “This was the first documented cyberattack against a first responder attack surface”
• Real-time reporting enables real-time response
• Supported 673 devices on a mesh network supporting fire operations.
30. Wrapping up…
31. Security and HFNs Aren’t Mutually Exclusive
• You will be (or already have been!) attacked. (Not a surprise to security people, but it is to responders.)
• We’ve not yet seen targeted attacks, but they are certainly possible (see Missouri State Hwy Patrol Command truck incident, Ferguson MO, 2014, Syrian Electronic Army etc.)
• Infosec in disaster relief and humanitarian operations is underappreciated.
• If you use data, you must consider security. Best practice recommendations submitted to FEMA and United Nations
• Who establishes infosec policies, investigates incidents, etc?
• What about mutual aid scenarios where you have multiple agencies sharing the same network?
• It can be done.
• This is a responder safety issue.
• Failing to secure HFNs leaves already vulnerable people exposed.
32. Connect With Us!
• On Cisco.com – www.cisco.com/go/tacops
• Cisco CSR Reporting: csr.cisco.com -> “Critical human needs”
• Facebook: facebook.com/cisco.tacops
• Slideshare: slideshare.net/CiscoTACOPS
• Twitter: @CiscoTACOPS