100 likes | 286 Vues
IRT Co-ordination in Europe. Brian Gilmore The University of Edinburgh. Co-ordination History. Growing number of IRT teams in Europe Doubts over CERT-CC continuing activities outside of the USA.
E N D
IRT Co-ordination in Europe Brian Gilmore The University of Edinburgh
Co-ordination History • Growing number of IRT teams in Europe • Doubts over CERT-CC continuing activities outside of the USA. • A strong need seen for an organisation in Europe to co-ordinate and handle multi-country incidents • TERENA put out a tender and: • May 1997 - Start of EuroCERT Service, provided by DANTE and UKERNA • 1998 - Service provided by UKERNA alone • Sep 1999 - Service was closed.
Lessons Learnt • The Service was seen as valuable • But, the cost of handling incidents was too high. • A team of 5 is needed as a minimum to retain a reasonable response • IRTs would prefer to invest in themselves • BUT, other co-ordination activities are seen as worthwhile.
Follow-on to the Service • IRT Community was keen to keep the bits that worked! • So, TERENA hosted a meeting of the interested parties to work though the original Task Force report to establish which tasks should be kept and which could be dropped • The result was the following list:
IRT Co-ordination • Trusted Introducer Proposal • Classification of Security Related Incidents • Regular European Meetings & Workshops • Web Information on Existing IRTs • Help for New (or to-be-formed) IRTs • Security Entry in the RIPE database • Clearing House for Tools • Survey of Legal Requirements
Trusted Introducer • As the number of IRTs grow it becomes increasingly difficult to maintain the ‘Web of Trust’ • IfTeam A trusts Team B, and Team C trusts Team B. Then can Team C trust Team B ? • A process is needed whereby a documented set of procedures can be used to introduce a new team • An existing team can then decide its attitude after inspecting this process • A Trusted Introducer is needed to do this
Trusted Introducer - 2 • TERENA put out a call to get the process described and documented. • Don Stikvoort and Klaus-Peter Kossakowski (M&I/Stelvio) won the bid and produced a very detailed document describing how a new team could be taken through a process, described as levels 0, 1 and finally 2, to validate a team • The IRT community accepted the process description and TERENA then put out a call to establish the Introducer • M&I/Stelvio (Don) have successfully bid • Negotiations are in process
Costs of the Service • The validation of a team at Level 1 involves a cost. • Level 2 teams need an on-going re-validation to ensure that information remains correct • So, the service needs to be funded. It has been decided: • Charge a fee of 450 Euros to validate a team • Charge an annual fee of 600 Euros for each team at L2 • TERENA will propose to old EuroCERT partners that remaining funds be used to bootstrap the process • Needs to be reviewed after 1 year
Incident Classification • IRTs would like to be able to exchange statistics • For trend analysis and comparison functions • Significant difficulties as there is no ‘common language’ • For example, what is ‘an’ incident - Some teams count as one incident what others would describe as multiple incidents • Sub-group established (with a charter) to progress this and test out the solutions
TERENA’s Role • Assist in the co-ordination activities • TERENA has already hosted 3 meetings • Put out a call for tender for the Trusted Introducer • Negotiating final agreement with M&I/Stelvio • Next Steps: • Formed a TF-CSIRT for IRT Co-ordination • Chaired by Gorazd Bozic of ARNES • Agreed list of deliverables & milestones • Formed a sub-group to drive the Incident Classification