Discovery Coordinator Services in the Security Service Desk (9 Sep 1998)

Arrow color indicates a specific subset of the Security Service Desk Common Backplane API, i.e. the DC Backplane API implemented by the Backplane Services.

[Diagram: the Security Service Desk and its Common Backplane. Managed objects: Devices, Users, Certificates, Security Policies, Authorizations. SSD services: Discovery Coordinator, Authorization Manager, Network Manager, Display Manager, Policy Manager, Authentication Manager, Certification Manager, Boundary Manager, Policy Projector, Response Recommendation Engine, Log Query, Object Mgmt DB. Discovery Coordinator components: Intrusion Correlation Engine, Response Selector, Incident Recovery Engine, Incident Investigation Engine, Vulnerability Assessor, Decision Engine, CIDF/IDIP Engine Message Layer. Transport: Sockets, VPN, Communication (e.g. Network Layer); GIDOs or VPN-encrypted GIDOs are exchanged between components.]
Discovery Coordinator / Security Service Desk Functions

Policy Projector. The purpose of the policy projector is to receive qualitative policy from the SSD Policy Server, transform it into qualitative policy, taking into account the mission and each assigned operation with their associated information assets, and produce a reviewable, editable quantitative policy. The quantitative policy is then projected (distributed) to intrusion detection response components including the following:
· Intrusion Correlator(s)
· Response Recommendation Engine(s)
· Response Selector
· Intrusion Detector(s)
· Intrusion Responder(s)

Intrusion Correlator. The purpose of the intrusion correlator is to receive descriptions of "out of the ordinary" network events from distributed intrusion detectors and produce summaries of (potential) attacks. Two types of correlators are identified: "statistical" and "signature". Statistical correlators measure network activity to establish a baseline of "normal" activity as a function of time and activity type. Signature correlators identify potential intrusions based on a signature that may include dynamic measures and known packet contents.

Response Recommendation Engines. The purpose of the Response Recommendation Engine is to receive statements of intrusions and, based on the current network topology and type of intrusion, produce possible valid responses.
Discovery Coordinator / Security Service Desk Functions (cont.)

Response Selector. The response selection engine receives inputs from all Suggestion Engines within the scope of the Discovery Coordinator. The response recommendation engine applies a weight to each input and, using the current network topology and current response policy, selects the response that minimizes impact on the missions and supported operations. The response selector is also aware of the status of the Discovery Coordinator. If the Response Selector detects that the Discovery Coordinator operation has been compromised in any way, as indicated by DC_Not OK, then... If the Response Selector detects that the Security Service Desk operation has been compromised in any way, as indicated by SSD_Not OK, then, if the Backup_SSD has been defined, the Response Selector establishes itself with the Backup_SSD and messages from the former primary SSD are ignored.

Log Query. The Log Query provides the capability to request a search of the Discovery Coordinator Log based on event types and/or time periods. It also provides the capability to request that periodic reports, as a function of event type, be sent to a system asset.

Backplane Server. The backplane server provides common services required by Discovery Coordinator applications, including:
(i) Process registration
(ii) Host registration
(iii) Command Routing
(iv) Health Monitoring
(v) Response Formatting
(vi) Logging
(vii) Event Triggering
(viii) Time Triggering
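A constructed model of the Response Selector behaviour described above (added example, not code from the original presentation or the DC project): policy weights per Response Recommendation Engine, a policy-permitted response set, selection by lowest weighted mission impact, and the SSD_Not OK failover to Backup_SSD after which the former primary's messages are ignored. The engine names, the per-response averaging and the 0..1 impact scale are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed model of the slide's Response Selector: weight each Response
# Recommendation Engine's input per the current response policy, keep only
# policy-permitted responses, pick the lowest weighted mission impact, and on
# SSD_Not OK fail over to Backup_SSD, ignoring the former primary afterwards.
# The per-response averaging and the 0..1 impact scale are assumptions.

@dataclass(frozen=True)
class Recommendation:
    engine: str            # Response Recommendation Engine that produced it
    response: str          # proposed response, e.g. "isolate_host"
    mission_impact: float  # engine's estimated cost to missions, 0 (none) .. 1 (severe)

@dataclass
class ResponseSelector:
    engine_weights: Dict[str, float]   # trust weight per engine (from response policy)
    allowed_responses: FrozenSet[str]  # responses the current policy permits
    primary_ssd: str
    backup_ssd: Optional[str] = None
    active_ssd: str = field(init=False)
    ignored_ssds: Set[str] = field(default_factory=set)  # senders whose messages are dropped

    def __post_init__(self) -> None:
        self.active_ssd = self.primary_ssd

    def select_response(self, recs: List[Recommendation]) -> Optional[Tuple[str, float]]:
        # Collect weighted impacts per response; several engines may propose the same one.
        scores: Dict[str, List[float]] = {}
        for r in recs:
            w = self.engine_weights.get(r.engine, 0.0)
            if r.response not in self.allowed_responses or w <= 0.0:
                continue  # forbidden by policy, or engine not trusted by policy
            scores.setdefault(r.response, []).append(w * r.mission_impact)
        if not scores:
            return None  # nothing valid to select; caller escalates to the operator
        avg = {resp: sum(v) / len(v) for resp, v in scores.items()}
        best = min(avg, key=lambda resp: (avg[resp], resp))  # ties broken by name
        return best, avg[best]

    def on_status(self, sender: str, status: str) -> str:
        # Health message from an SSD; returns the SSD now considered active.
        if sender in self.ignored_ssds:
            return self.active_ssd  # former primary: ignored after failover
        if status == "SSD_Not OK" and sender == self.active_ssd and self.backup_ssd:
            self.ignored_ssds.add(self.active_ssd)
            self.active_ssd = self.backup_ssd
        return self.active_ssd
```

Without a defined Backup_SSD the selector stays with the primary, matching the slide's condition that failover happens only "if the Backup_SSD has been defined".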
Discovery Coordinator Functions: Context and Top Level Flow

[Figure: top-level flow of the Discovery Coordinator. Processing stages: Correlate Intrusions ("GrIDS" **) producing an Attack Summary; Produce Response Recommendations ("Cost Model") producing Valid, Reasonable Responses; Response Selector ("Decision Engine") producing a Recommended Intrusion Response, passed to the Policy Manager for Response Authorization. Inputs: Intrusion Descriptions (as GIDOs) from the Intrusion Detection & Response Components via the DC API; Local Domain Topology from the Network Manager (NwM API). Outputs: Intrusion Responses (as GIDOs) to the Intrusion Detection & Response Components via the DC API; Intrusion Detection Situation Display, Intrusion Response Situation Display and Query Responses to the Situation Awareness Component. Policy path: Policy Projector and Policy Extractor produce Editable IDR Policy, Coordination & Numerical Weighting Parms, and Refined Numerical Weighting and Response Policy; the Security Administrator makes Adjustments through the Object Base GUI (ODB API); IDR Coord. Parameters are passed as GIDOs. Numbered flows: (1) Heartbeat with InfoCon State and Slide Bar; (2), (3), (4), (5), (6) Downloaded Intrusion Detection and Response Policy Commands; (7) Event Trigger Requests; (8) Report_Requests; (9) Examine Log Cmds. Backplane Server Service Layer: (i) Process registration, (ii) Host registration, (iii) Command Routing, (iv) Health Monitor, (v) Response Formatter, (vi) Logger, (vii) Event Trigger, (viii) Time Trigger; Log Query. A runtime OR gate joins the authorization inputs.]
Discovery Coordinator Architecture

[Figure: layered architecture of the Discovery Coordinator. Application Layer: Intrusion Correlator(s), DC Policy Projector, Response Recommendation Engine(s), Response Selector, Log Query. Service Layer: DC Backplane Server providing (i) Process registration, (ii) Host registration, (iii) Command Routing, (iv) Health Monitor, (v) Response Formatter, (vi) Logger, (vii) Event Trigger, (viii) Time Trigger; interfaces DC API, Nw Mgr API, ODB API; SSD-supplied assurance protocols. Message Layer*: CIDF/IDIP Engine providing (i) Reliable Transport, (ii) Cryptographic authentication of nodes, (iii) Privacy (Encryption). Transport: Sockets; Communication (e.g. Network Layer) with/without VPN. ** = indicates pluggable components such as GrIDS, Emerald, ...]

*Note: For the other SSD modules to communicate with DC modules (of the SSD), this architecture requires that (1) the SSD use the DC Backplane services and (2) the SSD use either the CIDF/IDIP Engine or another mutually agreeable Message Layer which provides (i) Reliable Transport, (ii) Cryptographic authentication of nodes, and (iii) Privacy (Encryption).