Network Privacy Statement and Conference Monitoring

Cisco CSIRT Mobile Networking and Monitoring for FIRST 2013 Conference

Cisco's Computer Security Incident Response Team (CSIRT) has developed a mobile monitoring and networking solution for providing on-site network and computer security monitoring during conferences and events. The first use of the solution at FIRST 2007 was showcased in a Cisco-on-Cisco article. In 2012, Cisco CSIRT had a deployment at the Cisco House of the London Olympics. The CSIRT team monitors 2-3 events per year with this kit, and usually sends 1-2 people to each event to provide security monitoring and a follow-up report.

Purpose of On-Site Monitoring

  • Showcase security event monitoring and technology.
  • Provide secure on-site networking for conference attendees.
  • Provide on-site computer and network security to prevent disruption and loss of intellectual property.

What Cisco CSIRT Provides

Along with security engineers, CSIRT provides a mobile, shippable rack containing everything needed to host a secure wireless network for conference attendees. The rack contains the following:

  • Cisco 3750X & 3560 series POE+ switches to provide access layer switching
  • Cisco will also provide secured wireless access with:
    • Cisco Virtual Wireless Controllers
    • Cisco Aironet 1252/1262 Access Points (802.11a/b/g/n)
    • Cisco Mobility Services Engine Virtual Appliance
    • Cisco Prime Infrastructure
    • Cisco Identity Services Engine
  • Cisco 5550 series Adaptive Security Appliance (ASA)
  • Cisco IPS 4255 Sensor used to detect network security events
  • Cisco Virtual Web Security Appliance (WSA) to automatically block malicious web traffic via Cisco's SenderBase
  • Lancope StealthWatch Virtual Edition for collecting and analyzing NetFlow
  • FireEye Web Malware Protection System for advanced malware prevention
  • Splunk for parsing and indexing security events and logs
  • Cisco UCS C220 running:
    • Virtualized appliances
    • Splunk
    • Additional logging and network services


Monitoring Results

CSIRT will document the results of the event monitoring in a report similar to the report for FIRST 2008, which will detail:

  • types of traffic seen
  • site configuration
  • false positives
  • security incidents identified
  • actions taken

Your Privacy

Your privacy will be protected throughout the duration of Cisco CSIRT's security monitoring effort. Be assured that Cisco CSIRT analyzes only aggregate traffic; traffic will not be attributed to specific individuals in the course of normal monitoring nor in reporting. Cisco CSIRT will monitor for disruptive security incidents in order to contain them. Some additional notes:

  • 802.1x is deployed with generic user names. Cisco CSIRT does not have a mapping of generic user to attendee.
  • NetFlow collection, DNS logging, and packet capture are performed and used for aggregate statistics and in the event of a security incident.
  • The IronPort WSA will transparently proxy all plain-text, port 80 (i.e. non-SSL) web traffic for the purpose of blocking malicious software from infiltrating the FIRST conference network.
  • Encrypted traffic (HTTPS, SSH, VPN, etc.) will not be inspected or recorded by the monitoring equipment.

Support

You may direct questions about this setup, such as the network, security, or privacy assurances, to the Cisco team by emailing first-2013-bangkok@cisco.com.