The Internet Early Warning System (SAT INET) has been developed and implemented by the Information Security Incident Response Team of the National Cryptologic Centre (CCN-CERT) to detect, in real time, threats and incidents in the traffic flowing between the internal network of the participating Body and the Internet. Its mission is to detect attack and threat patterns by analyzing traffic and traffic flows. Under no circumstances does the system analyze traffic content that is not relevant to detecting a given threat.
In order to implement the system, an individual probe needs to be installed in the public network of the Body. This probe collects any relevant security information and, after a first filtering stage, sends the security events to the central system, where they are correlated with the other elements and domains (bodies). The participating Body then receives the corresponding warnings and alerts about the detected incidents.
The probe is a high-performance dedicated server that includes a number of open source and commercial detection and monitoring tools (NIDS, arpwatch, ntop, etc.) and has two different network interfaces:
- Analysis interface: it receives traffic of any nature to be analyzed. This interface does not modify traffic. It only reads the traffic needed to operate and does not inspect sensitive data (payload).
- Management interface: it connects securely over the Internet to the central monitoring/correlation system, using either the Body's own infrastructure or an independent connection.
Fig. Internet Early Warning System Architecture
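The probe pipeline described above (passive metadata collection on the analysis interface, a first local filter, then events handed to central correlation) can be sketched in code. This is an added illustration, not SAT INET's own software: the packet sample, the "many-ports" heuristic and the event fields are constructed assumptions chosen only to show that the probe keeps flow metadata while the payload is discarded.

```python
from collections import defaultdict

# Constructed sample of what the analysis interface would see:
# (src, dst, proto, dport, payload). The payload field stands in for packet
# content that the probe must never retain.
SAMPLE_PACKETS = [
    ("10.0.0.9", "198.51.100.4", "tcp", 443, b"\x16\x03\x01\x00\xa5"),
    ("10.0.0.9", "198.51.100.4", "tcp", 443, b"\x16\x03\x03\x00\x40"),
] + [("10.0.0.5", "203.0.113.7", "tcp", p, b"") for p in (21, 22, 23, 25, 80, 443)]


def build_flows(packets):
    """Aggregate packets into flow counters keyed by (src, dst, proto, dport).

    Only the packet count and the payload *length* are stored; the payload
    bytes themselves are dropped on the spot, mirroring the no-payload rule.
    """
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for src, dst, proto, dport, payload in packets:
        rec = flows[(src, dst, proto, dport)]
        rec["packets"] += 1
        rec["bytes"] += len(payload)  # size survives, content does not
    return dict(flows)


def first_filter(flows, min_distinct_ports=5):
    """Hypothetical local pre-filter run on the probe before anything is sent.

    Keeps only (src, dst) pairs where one source touched many distinct
    destination ports on one host; everything else stays on the probe.
    """
    ports_by_pair = defaultdict(set)
    for src, dst, _proto, dport in flows:
        ports_by_pair[(src, dst)].add(dport)
    return {pair: sorted(ports) for pair, ports in ports_by_pair.items()
            if len(ports) >= min_distinct_ports}


def make_events(body_id, suspicious):
    """Build the events shipped over the management interface for central correlation."""
    return [{"body": body_id, "src": src, "dst": dst,
             "distinct_ports": len(ports), "pattern": "many-ports"}
            for (src, dst), ports in sorted(suspicious.items())]


def run_probe(body_id, packets):
    """Full probe pass: collect -> filter -> events (payload never leaves build_flows)."""
    return make_events(body_id, first_filter(build_flows(packets)))


if __name__ == "__main__":
    for event in run_probe("BODY-01", SAMPLE_PACKETS):
        print(event)
```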