2004 Olympics IT Team Readies Active Defense

The backbone network for the Athens Summer Games is three times the size of the 2002 Winter Olympics network. With some 900 Windows 2000 and Unix servers and 2,500 network devices, this supersized IP backbone is a big target for break-in attempts and could be prone to extraneous alarms triggered by any suspicious activity. To help manage the load, the IT team purchased Computer Associates' eTrust Security Command Center, which automates the alarm-gathering process (see "The Hard Sell,"). ETrust collects security and system data from different tools in real time, then filters, aggregates and correlates the alarms. Philipps estimates that about 200,000 alarms will sound during the Games.

"We needed more intelligence in the way we process the logs we receive," says Yan Noblot, information security manager for the Summer Olympics network. "With the larger amount of information security, we would have been overloaded."

Closing Down the Attack

As in Games past, the Olympic IT security team has minimized the risk of attack by keeping the 155-Mbps Sonet SDH and gigabit backbone closed to outside traffic. Internet traffic can't enter the backbone, and even Internet e-mail is off-limits. Network users go through a stringent accreditation process akin to obtaining a visa, and they can only send e-mail over the Internet using a separate, one-way connection. "We have several layers of firewalls, and we have an IDS [intrusion-detection system], so people on the Internet can't get in," Noblot says. "We've reduced our exposure as much as possible."

The network is split into seven virtual LANs, each of which contains its own security policies and systems. If one VLAN is attacked, the team can isolate it and protect the rest of the network. The security team also took the painstaking extra step of removing extraneous hardware from the more than 10,000 workstations at the Games before they were installed. "If we had a workstation that didn't need a CD-ROM drive or a USB, we removed it," Noblot says.Major media organizations covering the Athens Games, such as broadcaster NBC, are bringing their own LANs and Internet access. The Olympic backbone supports key IOC applications, such as games management, venue results, information diffusion and media.

Know Thy Enemy

Firewall scans and denial-of-service attacks were the big security threats at the 2002 Winter Games. This year, the security team expects attackers to try to exploit operating system vulnerabilities, such as using RPCs (remote procedure calls) in Windows.

Although Noblot can't divulge details, he says he and his team have spent the past few months patching or modifying Windows 2000 operating system settings in preparation for RPC attacks, and hardening them at the highest level of security. And during the Games, the IRT will use an automated vulnerability-management tool, Computer Associates' eTrust eVM, to constantly assess any weaknesses and remedy them, Noblot says.

Meanwhile, the eTrust Security Command Center tool, dubbed Security Information Manager, or SIM, by the Olympic team, will use the "normal" network behavior rules set by Noblot and his team to filter out false alarms, trace potential intruders' IP addresses and aggregate duplicate alarms.The Command Center tool's correlation feature is especially powerful. "We write rules that help the system assign priorities," Noblot says. "If the tool sees someone logging on a few minutes after they logged off and from 50 kilometers away, then we have [suspicious activity]."

But the tool doesn't automatically respond to the alarms. That's up to the IRT--and that's just the way Noblot likes it. "The [television] graphics during the Games are the information that comes from us in real time," he says. "You don't want the IDS to tell the firewall to shut down that link, because it could shut down the [television] feed. The SIM tool is here to report clear, relevant and significant information to us, and it still has to go through real people."

The Olympic team has been testing the entire network infrastructure since last August and undertook several technical rehearsals during which an Atos shadow team launched a variety of surprise "attacks." The tests gave the IRT a chance to practice its security response, as well as to tweak the SIM rules as needed. Unlike the tools used during the Salt Lake City Games, the new tool knows when activity is coming from an administration location, so it doesn't sound a false alarm. And it quickly gives the team specific information on a real alarm.

Even with the extreme security the Olympic IT team has put in place for the network, there's still no way to keep the backbone totally clean. "We're not fooling ourselves that something couldn't happen," Noblot says. "We've got to monitor everything and be ready. I hope my shift at the Games is the most boring time of my day."

Avoiding Past MistakesEven with the sensitive physical security and cybersecurity concerns surrounding the 2004 Summer Olympics in Athens, the Atos Origin IT organization still had to convince the Athens Olympic Organizing Committee that investing in an automated network alarm tool was worthwhile.

The IT team's main argument was a retrospective on the barrage of alarms that nearly overwhelmed the 2002 Salt Lake City Winter Games security team. Claude Philipps, chief technology integrator for the Summer Olympics, and his team used the Salt Lake City Games experience as a case study to explain why automation is so important to the much larger Summer Games in Athens.

"We had to build a business case and then get financial approval from the Olympic Committee," says Philipps.

Philipps and his team did get funding for the tool, though he would not disclose how much money was spent. "Given the strong willingness of the Athens committee to improve security for their Games as much as possible, once the budget was found, getting the committee's approval was pretty smooth," Philipps says.

The IT team then went through the required, formal RFP process and settled on Computer Associates' eTrust Security Command Center, which collects security and system data from different tools in real time, then filters, aggregates and correlates them. "Before, we were doing a lot of filtering and aggregation. But correlation is something very new," says Yan Noblot, the Summer Games' information security manager.It's all about prioritizing. "If we catch someone trying to unsuccessfully access the system, we can look at the IP address," Noblot says. "If it's from the Information Technology Center, it's a systems administrator there. If it's from somewhere else, then it's suspicious," he says.

Yan Noblot: information security manager, Atos Origin, 2004 Summer Olympic Games

Yan Noblot, 28, is responsible for securing the 2004 Athens Summer Olympic Games network and bringing the same security technologies and practices to the upcoming 2006 Winter Olympic Games in Torino, Italy. Among his tasks was to configure the security monitoring tool that filters, aggregates and correlates network alarms. Noblot has been with Atos and the Olympics project for five years and in IT for seven. He holds an engineering degree from cole Nationale Supérieure des Télécommunications de Paris and is working on his Executive MBA through Erasmus University Rotterdam in the Netherlands.

Why false alarms are inevitable: To get all of the critical alarms, we need to be able to accept some false positives as well.

Infamous false positive: During the tuning of the tool, we were receiving alarms when Hewlett-Packard OpenView was pinging the network to monitor the availability of the servers. This, of course, is a false positive, since HP OpenView is responsible for monitoring the availability of our infrastructure.Olympian pressure: Every SIM [security information manager] rule must be written correctly the first time in the real-time environment of the Games. It has to work perfectly the first time--we're not allowed to have failures.

Olympic event Noblot won't miss: Judo. I practiced judo for 14 years.

Is there an IT life after the Olympics? Yes--as long as it's challenging.

For fun: Going to the movies, traveling with my wife.

Wheels: Citroen C3--very practical for parallel parking in the Athens streets.0