Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Architecture Technology Corporation Odyssey Research Associates DARPA OASIS PI.

Published byDelilah Carpenter Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Architecture Technology Corporation Odyssey Research Associates DARPA OASIS PI."— Presentation transcript:

1 1 Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Architecture Technology Corporation Odyssey Research Associates DARPA OASIS PI Meeting July 24, 2001 Architecture Technology Corporation Specialists in Computer Architecture

2 2 Background - Research Goals n Develop and demonstrate organic survivability techniques for mission-critical GIG applications n Focus on network borne DDoS attacks packet floodingpacket flooding host take- downhost take- down

3 3 Background - RFITS Approach n Attacker needs knowledge of vulnerabilitiesvulnerabilities choke pointschoke points system “posture”system “posture” n Randomized failover makes prediction of system posture difficult buys sufficient time for attack neutralization to be accomplishedbuys sufficient time for attack neutralization to be accomplished

4 4 Status n Completed and delivered RFITS Applications Handbook Compilation of survivability design patternsCompilation of survivability design patterns Primarily targeted towards two kinds of middleware servicesPrimarily targeted towards two kinds of middleware services –Survivable information transport services (SITS) –Survivable server groups (SSG) n Commenced prototype implementation of selected RFITS techniques n This presentation focuses on subset of SITS techniques

5 5 SITS Technique #1 Applicability - Protects many-to-one and one-to-one information flows against DDoS attacks Attacks addressed - spoofed packet floods Assumptions - A priori security association exists between end points - Attack traffic generated by outsiders - Attack traffic generated by outsiders Technique chokes off attack traffic as close as possible to the source

6 6 SITS Technique #1 (Cont’d) - Destination S can only be reached via IP multicast address, say M1 - Using RSVP, router R1 configured to filter out all downstream traffic except multicast packets - Upon detecting a flooding attack, S switches to a new multicast address M2 and securely notifies clients; it also de-registers from M1 - Clients send packets to M2; spoofed traffic goes to M1and is filtered out at R5 and R6

7 7 SITS Technique #2 n Protects many-to-one information flows against attack traffic generated by insider

8 8 SITS Technique #2 n Clients partitioned among multiple multicast channels n Upon detection of a flooding attack, suspect group is re- partitioned among new multicast channels n Enables isolation and choking off of attack traffic close to source

9 9 SITS Technique #3 - Variant of technique #1 - Uses source selective multicast (SSM) to conserve multicast addresses - S selects sources C1 and C2 for its address M1 - Using RSVP, router R1 configured to filter out all downstream traffic except multicast packets from C1 and C2 - Upon detecting a flooding attack, C1 and C2 reconfigured with new source addresses - S associates M1 with new addresses of C1, C2 - Using RSVP, R1 is configured with new filters for C1,C2

10 10 SITS Technique #4 n Variant of technique #3 n Uses unicast destination addresses instead of multicast addresses Can be deployed on today’s Internet; not dependent on widespread deployment of IP multicast Can be deployed on today’s Internet; not dependent on widespread deployment of IP multicast n However, unlike technique #3, filters attack traffic at R1 instead of close to the source at R5 and R6

11 11 VPN Gateway Prototype n Interconnects geographically distributed sub-nets of an enterprise-wide private network using secure, DoS-resistant VPNs n Implementation status Unit testing of VPN gateway software completed; integration testing in progressUnit testing of VPN gateway software completed; integration testing in progress Initial release of prototype to be completed by Sept. 1, 2001Initial release of prototype to be completed by Sept. 1, 2001 Final release scheduled for December 2001Final release scheduled for December 2001

12 12 Planned Prototyping Effort n Initial RFITS Prototyping - Dec. 2001 Standalone demonstration of prototype products implementing RFITS survivability techniquesStandalone demonstration of prototype products implementing RFITS survivability techniques –RFITS VPN Gateway –RFITS VPN Client n Final RFITS Prototyping - Sept. 2002 Enterprise-wide survivable application using integrated set of RFITS techniquesEnterprise-wide survivable application using integrated set of RFITS techniques

Download ppt "1 Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Architecture Technology Corporation Odyssey Research Associates DARPA OASIS PI."

Similar presentations

Internetworking II: MPLS, Security, and Traffic Engineering

Internetworking II: MPLS, Security, and Traffic Engineering
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
DARPA OASIS PI Meeting – Santa Fe – July 24-27, 2001Slide 1 Aegis Research Corporation Not for Public Release Survivability Validation Framework for Intrusion.

DARPA OASIS PI Meeting – Santa Fe – July 24-27, 2001Slide 1 Aegis Research Corporation Not for Public Release Survivability Validation Framework for Intrusion.
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA.

DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA.
© 2007 Cisco Systems, Inc. All rights reserved. Valašské Meziříčí 25.4.2015 1 Connecting to the Network.

© 2007 Cisco Systems, Inc. All rights reserved. Valašské Meziříčí Connecting to the Network.
Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Doug Long Architecture Technology Corporation Odyssey Research Associates DARPA.

Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Doug Long Architecture Technology Corporation Odyssey Research Associates DARPA.
Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Noel Schmidt Architecture Technology Corporation Odyssey Research Associates DARPA.

Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Noel Schmidt Architecture Technology Corporation Odyssey Research Associates DARPA.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Firewall Configuration Strategies

Firewall Configuration Strategies
Principles of Information Security, 2nd Edition1 Firewalls and VPNs.

Principles of Information Security, 2nd Edition1 Firewalls and VPNs.
Randomized Failover Intrusion- Tolerant Systems (RFITS) Ranga Ramanujan, Maher Kaddoura, John Wu, Clint Sanders, Doug Harper, David Baca Architecture Technology.

Randomized Failover Intrusion- Tolerant Systems (RFITS) Ranga Ramanujan, Maher Kaddoura, John Wu, Clint Sanders, Doug Harper, David Baca Architecture Technology.
Firewalls and Intrusion Detection Systems

Firewalls and Intrusion Detection Systems
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.

Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 5 Network Security.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World

Similar presentations

Ads by Google