Presentation is loading. Please wait.

Presentation is loading. Please wait.

Design Deployment and Use of the DETER Testbed Terry Benzel, Robert Braden, Dongho Kim, Clifford Informatino Sciences Institute 2008. 10. 22.

Published byHarold Hutchinson Modified over 9 years ago

Similar presentations

Presentation on theme: "Design Deployment and Use of the DETER Testbed Terry Benzel, Robert Braden, Dongho Kim, Clifford Informatino Sciences Institute 2008. 10. 22."— Presentation transcript:

1 Design Deployment and Use of the DETER Testbed Terry Benzel, Robert Braden, Dongho Kim, Clifford Neuman @USC Informatino Sciences Institute 2008. 10. 22 Presented by Jaeryong Hwang Presentation at he DETER Community Workshop on Cyber Security Experimentation and Test, August 2007

2 What is the DETER? ... to provide the scientific knowledge required to enable the development of solutions to cyber security problems of international importance  Through the creation of an experimental infrastructure network -- networks, tools, methodologies, and supporting processes – to support experimentation on research and advanced development of security technologies. 2

3 Outline  DETER Testbed Goals  DETER Architecture  Experiments  Conclusion 3

4 DETER Testbed Goals  Facilitate scientific experimentation  Establish baseline for validation of new approaches  To protect the public internet from the side effects of security experiments Saturated Links Broken routing Exfiltration of malicious code  Provide access for wide community of users 4

5 The DETER Testbed Provides  Fidelity: Realism of environment Number and kinds of nodes, services  Repeatability: Controlled experiments Can be rerun, varying only desired characteristics. Unlike the real internet  Programmability: Ability to modify algorithms To test new things.  Scalability: Ability to add more nodes Multiple clusters Virtualizations  Isolation and containment Protects experiment and protects others 5

6 DETER Architecture  Emulation cluster based upon University of Utah’s Emulab Basically homogeneous In some cases we have integrated experimenter specific nodes. Controlled hardware heterogeneity Specialized Devices including Routers, ID systems, etc.  Implements network services – DNS, BGP  Provides containment, security, & usability 6

7  Cluster of N nearly identical experimental nodes, interconnected dynamically into arbitrary topologies using VLAN switches 7

8 8

9 Interconnecting Clusters  Two clusters: USC -ISI, UCB  One control site (ISI) One user entry point, accounts, control  Connection CENIC: CalREN-HPR(California Research and Education Network)  VLAN switches interconnected using proprietary layer 2 tunnels Form one pool of nodes to be allocated User can control whether span multiple clusters The tunnels may be encrypted using IPSec 9

10 10

11 Handling Scary Code  Objective: Variable-safety testbed Adaptable to threat level of experiment Supports shared, remote experimenter access for low- threat code; varying degrees of isolation Research question: can we design DETER to safely handle the entire range of threats, or will really scary stuff have to run in some other isolated containment facility? 11

12 Security is Critical  Security must be balanced with needs of researchers Defenses employed by the test-bed must balance the requirements of containment, isolation, and confidentiality, with the need for remote management of experiments  Possible consequences of breach are considered Experiments are categorized according to the consequences of loss of containment, and procedures applied according to that categorization 12

13 Achieving Security  Operational Procedures for proposing and reviewing experiments. Guidelines for categorizing safety of experiments. External Red-Teaming Procedures used by investigators  Technical Firewall, routing, intrusion detection and network isolation techniques Data protection, system protection, and state destruction techniques 13

14 Experiment Safety Panel  Experiment description provided by investigator: Identify containment, isolation, confidentiality, and other security considerations  Panel assesses proposed category: Determines safety category, level of isolation required Assesses if isolation can be maintained Imposes technical measures to assure isolation requirements are met 14

15 Experiments: Worms  Modeling the scanning characteristics of several worms  Some common techniques Use of virtualization extends size of modeled  parts of internet. Worms are emulated instead of using live malicious code  Live Malicious code One experiment collected real worm traces on the testbed for use in other experiments. 15

16 Experiments: DDoS  Tested ability of tools to isolate attack traffic To pick it out from background traffic Testbed provided environment where it was OK to mount DDoS attack without affecting production links  Tested several real DDoS defense tools Symantec ManHunt and NFR Sentivist  Resulted in a methodology for analyzing effectiveness of such tools 16

17 Experiments: Routing  Tested resiliency of secure routing protocols to attack Two protocols SBGP, SoBGP Two Attacks Differential Damping Penalty, and Origin AS Changes Two detection methods: Signature and statistics-based  Testbed enabled large scale experiment that could not have been performed on the production network 17

18 Lessons Learned  Security Experiments tend to be Larger Malicious code is designed to spread network wide, and effects are not seen until significant infection occurs  Support for special hardware Experimenters need ability to test their own boxes, not just code  Most experiments do not need strongest containment Most of our security experiments did not use live malicious code, and vlan and firewall approaches were sufficient for containment. 18

19 Distribution of US DETER users 19

20 Conclusion  Provides investigators with the ability to run experiments using potentially risky code, on an isolated experimental network  For updates and related information http://www.isi.edu/deter http://www.deterlab.net 20

Download ppt "Design Deployment and Use of the DETER Testbed Terry Benzel, Robert Braden, Dongho Kim, Clifford Informatino Sciences Institute 2008. 10. 22."

Similar presentations

TIED: A Cluster of One TIED: Trial Integration Environment DETER built on.

TIED: A Cluster of One TIED: Trial Integration Environment DETER built on.
Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.

Resonance: Dynamic Access Control in Enterprise Networks Ankur Nayak, Alex Reimers, Nick Feamster, Russ Clark School of Computer Science Georgia Institute.
1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.

1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.

SAFE Blueprint and the Security Ecosystem. 2 Chapter Topics  SAFE Blueprint Overview  Achieving the Balance  Defining Customer Expectations  Design.
1.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.

1.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 1: Introducing Windows Server.
The Challenges of Repeatable Experiment Archiving – Lessons from DETER Stephen Schwab SPARTA, Inc. d.b.a. Cobham Analytic Solutions May 25, 2010.

The Challenges of Repeatable Experiment Archiving – Lessons from DETER Stephen Schwab SPARTA, Inc. d.b.a. Cobham Analytic Solutions May 25, 2010.
Lecture 7 Page 1 CS 236, Spring 2008 Proving It CS 236 Advanced Computer Security Peter Reiher May 13, 2008.

Lecture 7 Page 1 CS 236, Spring 2008 Proving It CS 236 Advanced Computer Security Peter Reiher May 13, 2008.
Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.

Authored by: Rachit Rastogi Computer Science & Engineering Deptt., College of Technology, G.B.P.U.A. & T., Pantnagar.
Extensible Networking Platform 1 1 - IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood

Extensible Networking Platform IWAN 2005 Extensible Network Configuration and Communication Framework Todd Sproull and John Lockwood
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
An Assessment of Mobile Ad-Hoc Network (MANET) Issues Jerry Usery CS 526 May 12 th, 2008.

An Assessment of Mobile Ad-Hoc Network (MANET) Issues Jerry Usery CS 526 May 12 th, 2008.
1 Emulab Security. 2 Current Security Model Threat model: No malicious authenticated users, Bad Guys are all “outside” –Protect against accidents on the.

1 Emulab Security. 2 Current Security Model Threat model: No malicious authenticated users, Bad Guys are all “outside” –Protect against accidents on the.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
1 Next-Generation Secure Internet: Security Overview and Context Adrian Perrig in collaboration with Steven Bellovin, David Clark, Dawn Song.

1 Next-Generation Secure Internet: Security Overview and Context Adrian Perrig in collaboration with Steven Bellovin, David Clark, Dawn Song.
1 Experiments and Tools for DDoS Attacks Roman Chertov, Sonia Fahmy, Rupak Sanjel, Ness Shroff Center for Education and Research in Information Assurance.

1 Experiments and Tools for DDoS Attacks Roman Chertov, Sonia Fahmy, Rupak Sanjel, Ness Shroff Center for Education and Research in Information Assurance.
ChowSCOLD1 Secure Collective Defense Network (SCOLD) C. Edward Chow Yu Cai Dave Wilkinson Sarah Jelinek Part of this project is sponsored by a grant from.

ChowSCOLD1 Secure Collective Defense Network (SCOLD) C. Edward Chow Yu Cai Dave Wilkinson Sarah Jelinek Part of this project is sponsored by a grant from.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.

1 Sonia Fahmy Ness Shroff Students: Roman Chertov Rupak Sanjel Center for Education and Research in Information Assurance and Security (CERIAS) Purdue.

Similar presentations

Ads by Google