Minutes Salsa-CSI2 Conference Call
March 15, 2007
*Attending*
Chris Misra, U. Mass (Chair)
Doug Pearson, Indiana/REN-ISAC
Phil Denault, WPI
Kevin Amorin, Harvard
Brian Smith-Sweeney, NYU
Joe St. Sauver, Oregon/Internet2
Steve Olshansky, Internet2
Lisa Haanpaa, Internet2
Dean Woodbeck, Internet2 (scribe)
**Action Items**
[AI] {Doug and Brian} and possibly David Ripley will discuss proposed participation guidelines for the shared darknet.
[AI] {Dean} and {SteveO} will prepare a draft report from the Cambridge Face2Face and distribute a draft to the list for review by March 23.
[AI] {Phil} has a number of action items in the RENOIR section.
[AI] {Joe} is compiling information about available open source tools in this area and will email to the CSI2 list.
*Carryover Action Items*
[AI] {Chris} Add WCLSCAN (a Japanese network monitoring project) to agenda.
[AI] {Doug} Organize a call to have a discussion with those who want to actively participate in getting data from their institution to the shared darknet.
[AI] {Chris and Doug} Connect with NoX GigaPOP folks for Arbor information.
[AI] {Chris} Create project plan on using UMass for first data source for shared darknet.
[AI] {TBD} Normalizing data and noise reduction -- put together suggestions of what makes sense to be done at the end-user site and what makes sense to do centrally (to list and to wiki).
**Shared Darknet**
Doug discussed policy issues concerning sharing the data collected from the shared darknet contributors. For example, will there be different access for different groups of people? REN-ISAC core personnel will have access to do notification and trend analysis. Some sites will be helping with software development for the trend analysis. Some researchers may be interested in using the data. All of these examples may require different levels of access.
While different levels of access may be necessary, some feel it runs counter to the concept of a trust community. An option would be to have the source data available to all REN-ISAC members. Another issue is whether to allow those providing the data to control the level of access. In addition, some institutions will sanitize the data before it reaches the shared darknet.
[AI] {Doug and Brian} and possibly David Ripley will discuss proposed participation guidelines for the shared darknet.
**REN-ISAC meeting**
CSI2 has a dinner scheduled Wednesday, April 11, at the security professionals meeting. If funding allows, the TAG will also be invited.
**Cambridge Meeting Follow-up**
[AI] {Dean} and {SteveO} will prepare a draft report from the Cambridge Face2Face and distribute a draft to the list for review by March 23.
**RENOIR**
Phil provided a list of adjustments for RENOIR, based on the Cambridge working group meeting:
Create diagram for proposed encryption mechanisms
- all keys server side
- all but private key server side
Consider whether encrypted tickets could be set to open or restricted, provided no one had added additional information. Phil believes not, but wants to think about this.
Consider whether access control or encryption could be done within a ticket for specific
user-defined fields. This is exceedingly complicated, but not impossible. The recommendation is to not pursue this for now, but include it for possible future consideration.
There was a request to implement only portions of the IODEF model. Phil will go through the fields and post his recommendation to the CSI2 email list.
The consensus it to have a web client that connects to a SOAP engine.
Data deletion methodologies – consider purging data with limited usefulness, such as lists of IP addresses scanning a campus. Phil will add this to the data deletion methodologies on the wiki.
There were questions at the face2face as to how RENOIR would be used in specific cases, including:
- Institutions participating in a botnet
- X11 compromise
- Reporting (SMTP, Eddy, RSS, etc) Use Cases to non-members
- Lack of reporting just listening
- Data/webapp breach
Phil has created a project management repository for development tools at csi2.wpi.edu. He will email the user ID and password to the list.
**Open Source Security Tools**
[AI] {Joe} is compiling information in this are and will email to the CSI2 list. Both Kevin Amorin and Brian Smith-Sweeny have volunteered time to help in this area.
**REN-ISAC Meeting**
The REN-ISAC member meeting on April 12 is full, with 70 people registered. There will be a wait-list created of about 10 names. Brian and, perhaps, David will do a presentation on the shared darknet.
**Next call** is scheduled for March 29, 2007.