NSHaRP

Network Security Handling and Response Process allows customised security notifications

NSHaRP provides a mechanism to quickly and effectively inform affected users by allowing CERTs to tailor how and for what they want their notifications to be triggered. The system adds value to the community as it serves as an extension to the NRENs CERTs if they do not have either the human resources or the technical resources to monitor for security incidents.

NSHaRP allows for the extension of the NRENs' detection and mitigation capability to GÉANT borders, therefore enabling the attack to be prevented from transiting GÉANT. This is highly innovative and unique in that it caters for different requirements from each NREN, putting customisation of their alerts in their hands.

What is NSHaRP?
NSHaRP is at its core a security notification system. It is also a ticketing system that is backed up by the GÉANT NOC (Network Operations Centre), therefore it is a notification system that will create a trouble ticket for your incident, but will also provide support in dealing with your security incidents. This could range from further investigations to mitigation.

Why is it so important?
In an age of ever increasing capacities on backbone networks, it is becoming imperative to ensure that these networks are not used for malicious activities. These large networks are the common point for many Research and Education Networks. GÉANT in its role as the pan-European network provides not only connectivity between NRENs but also beyond Europe to sister networks such as Internet2 in the US, CLARA in Latin America & TEIN in Asia-Pacific.

It is therefore extremely important that security information affecting these networks can be exchanged efficiently and quickly. GÉANT is in the process of deploying NSHaRP - a complete alerting, notification and resolution system. NSHaRP leverages the power of Netreflex that uses netflow from the GÉANT network to detect and report on incidents. This has been coupled with a largely automated ticketing component enabling a large number of incident tickets to be dealt with without engineer intervention.

Incident information is sourced from multiple partners, internal systems, CERT partners & external project security sources. All information is stored in a structured format enabling aggregation and fusion of multiple incidents for single bad actors.

The Security Team in DANCERT also has additional sources of information relating to malware such as spam, bots and worms that it is able to collate with Netreflex incident data to highlight hosts that are involved in multiple malicious events.

Closing the security loop
Using an automated system enables larger volumes of incidents to be processed and investigated. As a trouble ticketing system is used in notifications, it provides the ability to track the lifecycle on incidents from notification through to closure thereby completing the process and ensuring that there is a handoff from those that notify of incidents to the appropriate parties who will deal with the affected systems.