SubCERTs
The JANET Approach
Abstract
Garaidh Cochrane
Senior CERT Member
JANET-CERT
JANET, the Education and Research network in the United Kingdom, has a user base of approximately 16,000,000 people spread over 2,000 primary connected sites, incorporating all universities, colleges, research institutions and many UK government departments. In addition, all the schools in Scotland are on JANET and all the schools in England and Wales will be on JANET by the end of 2004. This has resulted in more than 20,000 organisations being directly or indirectly connected to the JANET backbone, a number far too great for a single CERT to deal with. For this reason JANET-CERT restricts itself to security for the JANET backbone and to incident co-ordination and advice for the customer organisations, and relies on subordinate CERT teams (SubCERTs) and incident response facilities to be its on-site hands, eyes and ears.
Many JANET sites have long-established CERT teams. University teams such as Oxford University's Ox-CERT, Cambridge University's CAM-CERT and Edinburgh University's IRT have been around almost as long as JANET-CERT itself. These teams have full-time security staff and a large amount of expertise and experience, with Ox-CERT, for example, holding the chair of FIRST in 2003. Other customer organisations have no dedicated security staff, nor even skilled technical staff. For those sites that do not have a full-time CSIRT, a virtual CERT or an individual who fulfils that role on demand is normal, but where the customer site does not have the relevant technical skills there are other support structures in place. Within JANET, Regional Support Centres (RSCs) can provide the necessary technical expertise to deal with an incident, providing a virtual CERT capability to customer organisations that may have no technical staff. Furthermore, because of the way JANET is organised, the links between the backbone and the organisations' networks are run by Regional Networking Organisations (RNOs), which can also provide security incident response capabilities through their security contacts.
All JANET-connected organisations have a contractual responsibility to assist JANET-CERT in investigations into security incidents, and for this reason must have some incident response capability. This is mandated in the JANET Security Policy, and customers must provide a nominated contact person before they are allowed a connection. The contractual obligations on the RNOs and RSCs to provide assistance also allow for a broad incident response capability, in which the most appropriate person for the task should be available to JANET-CERT in its incident response co-ordination function.
In order to maintain and improve the CSIRT capabilities on JANET, JANET-CERT actively supports and encourages the formation of CERT teams at customer sites, both through discussion with management and through training. This has led to a proliferation of SubCERTs on JANET, enhancing both the security incident investigation capability and the network monitoring capability. With the SubCERT model JANET-CERT can manage a potentially large number of security incidents daily, while devolving the resolution of incidents to capable customer CERTs. The skill base of the SubCERTs also allows for a distributed monitoring environment, in which SubCERTs can feed directly into JANET-CERT's probe alerting system, again off-loading tasks from the main network response team.