Secure Computing – Not For Public Release

1 Intrusion Tolerant Server Infrastructure
Dick O’Brien
OASIS PI Meeting, July 25, 2001

2 Outline
– Technical Objective
– Technical Approach
  – Architecture
  – Load Sharing
  – Detection
  – Hardened Servers
  – Response
– Technology Transition
– Demo Scenarios

3 Technical Objective
Develop an Intrusion Tolerant Server Infrastructure that uses independent network layer enforcement mechanisms to:
– Reduce intrusions
– Prevent propagation of intrusions that do occur
– Provide automated load shifting when intrusions are detected
– Support automated server recovery

4 Technical Approach
Intrusion tolerant server components:
– Load distribution and network response capability using the ADF Policy Enforcing NICs
– Server hardening to reduce the effectiveness of penetrations
– Intrusion detection systems that primarily reside on the server hosts
– An Availability and Integrity Controller (AIC) to manage the system and respond to intrusions reported to it

5 ITSI Architecture
[Architecture diagram]
– Web Server 1: Windows 2000, IIS Web Server, Response/Recovery Agent, Detection/Initiating Agent, Intrusion Detection, Embedded Firewall NIC 1 and NIC 2
– Web Server 2: SE Linux, Apache Web Server, Response/Recovery Agent, Detection/Initiating Agent, Intrusion Detection, Embedded Firewall NIC 1 and NIC 2
– AIC: Windows 2000, ADF Policy Server, Alert Handler, Cluster Manager, ID Management, Response/Recovery Controller, Embedded Firewall NIC 2

6 Policy Enforcing NICs
ADF PENs are network interface cards that have been enhanced to provide additional controls:
– Packet filtering
– IPSEC support
– Network layer audit
– Host independent
– Centrally managed
ITSI adds:
– Load sharing
– Blocking and fishbowling
– Alerts

7 Load Sharing
– Each server receives all traffic addressed to the shared virtual IP
– Rules on the PEN determine what traffic to process and what to throw away, based on source IP
– Traffic load can be shifted by modifying the PEN rules
[Diagram: the IIS web server and the Apache web server each run a PEN agent behind PEN 1 and PEN 2; each PEN holds its load sharing rules, and new rules arrive from the AIC]

8 PEN Enhancements
Blocking
– Traffic from specified IP addresses can be blocked
Fishbowling
– Traffic from a specified IP address can be handled by a particular web server
– All traffic from the specified IP address can be audited
Alerts
– On the AIC, the Alert Handler can generate alerts in response to specific audit events

9 Hardened Servers
SE Linux
– Type Enforcement for protecting components: web server, Snort ID, ITSI Detection/Response agent, PEN agent
– Stackguarded Apache web server
Windows 2000
– Wrapped components using Kernel Loadable Wrappers: IIS, ISS RealSecure, ITSI Detection/Response agent, PEN agent

10 Detection
– PEN based audit from both web servers
  – Sniffing attempts
  – Spoofing attempts
  – Attempts at initiating unauthorized TCP connections
– Intrusion Detection systems
  – Snort on SE Linux
  – ISS RealSecure on Windows 2000
  – Tripwire
– TE violations audited on SE Linux
– Wrapper violations audited on Windows 2000
– AIC receives alerts and determines response strategy and actions

11 AIC Functions
ADF PEN management
– Packet filtering policies, IPSEC policies
ITSI adds
– Load sharing/redirection policies
– Intrusion detection system interface
– Anomaly logging, reporting and analysis
– Response strategies
– Recovery and restoration

12 ITSI – Demonstration Software Architecture
[Diagram: layered security architecture (intrusion detection software, operating system security, NIC based firewall) across the AIC and the two web servers; the legend marks the ITSI developed components]
– AIC (Windows 2000): Embedded Firewall; Policy Server with Policy Manager and Audit Manager; Response Server with Event Handler, Event Correlator and Response Initiator; ISS Manager; Cluster Manager; Alert Handler; Response Interface
– Web Server 1 (Windows 2000): Embedded Firewall; Response Agent with Initiator and Responder; Perl/CGI; IIS Web Server; ID software: ISS Server Sensor (host and network ID)
– Web Server 2 (SE Linux): Embedded Firewall; Response Agent with Initiator and Responder; Perl/CGI; Apache Web Server; ID software: SE Log Analyzer (host ID), Snort (network ID)

13 Response Capabilities
Availability & Integrity Controller (AIC) – Windows 2000. Capabilities:
– Receives events from web servers
– Correlates events based on priority
– Enables user customizable responses based on event types
– Initiates responses
– Manages web server load sharing
– Manages ID software
– Controls embedded firewalls
IIS Web Server (Windows 2000) and Apache Web Server (SE Linux). Capabilities:
– Detects intrusions
– Initiates local responses
– Sends intrusion event data to the AIC
– Performs local responses per the AIC
– Localized recovery

14 Response Components
[Diagram: data flow between the Response Agent on each web server and the Response Server on the AIC]
– Response Agent – Initiator (web server): sends events (log event, restart) to the AIC
– Event Handler (AIC): stores events; reinitiates load share through the Policy Server
– Event Correlator (AIC): reads new events; reads the configuration files (Response Configuration, Server Config, Service Data); produces the list of responses
– Response Initiator (AIC): sends responses to the web server (Disable Source, Shutdown, Check & Restore)
– Response Agent – Responder (web server): uses the local response file to execute the custom responses (Disable Source, Check & Restore, Shutdown)

15 Response Configuration File
Fields:
– Priority: tells the Correlator what responses to perform for each server. Values: 1–4, where 1 is the highest.
– Type: type of event detected. Values: Intrusion (event representing a known intrusion); Suspicious (event representing a known intrusion with false positives, or suspicious activity).
– Severity: event severity. Values: High, Medium or Low.
– Source: source associated with the event occurrence. Values: NETWORK_IP_ADDRESS, USER_ID, PROCESS_ID.
Sample record:
Priority | Type       | Severity | Source             | Responses                     | Security Status
2        | SUSPICIOUS | HIGH     | NETWORK_IP_ADDRESS | CHECK_RESTORE BLOCK_SOURCE_IP | SECURITY_IN_QUESTION

16 Response Configuration File (cont)
– Responses: responses performed for the event.
Custom responses executed on the web server machine by the Responder:
– CHECK_RESTORE – expected to check local server integrity and fix whatever is necessary, if possible
– DISABLE_SOURCE – expected to disable the process ID or user ID on the server machine
– SHUTDOWN_REQ – expected to shut down the server
Responses executed on the AIC by the Response Initiator:
– BLOCK_SOURCE_IP – call to the Policy Server to block the source IP on the specified server NIC(s)
– SHIFT_ALL – call to the Policy Server to shift all traffic from the specified server
– SHIFT_EXCL_IP – call to the Policy Server to shift all traffic from the NIC except the specified IP, and turn audit on
(The sample record from the previous slide is repeated on this slide.)
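A parser and correlator for the Response Configuration File described on these two slides, added here as an illustration in Python (it is not the project's code; the ITSI agents were Perl/CGI). The on-disk layout is an assumption: one whitespace-separated record per line with a comma-separated Responses column; the field values and response names are the ones listed on the slides.

```python
from typing import List, NamedTuple, Tuple

# Where each response runs, per the "Response Configuration File (cont)" slide.
SERVER_RESPONSES = {"CHECK_RESTORE", "DISABLE_SOURCE", "SHUTDOWN_REQ"}  # Responder on the web server
AIC_RESPONSES = {"BLOCK_SOURCE_IP", "SHIFT_ALL", "SHIFT_EXCL_IP"}        # Response Initiator on the AIC
TYPES = {"INTRUSION", "SUSPICIOUS"}
SEVERITIES = {"HIGH", "MEDIUM", "LOW"}
SOURCES = {"NETWORK_IP_ADDRESS", "USER_ID", "PROCESS_ID"}

Rule = NamedTuple("Rule", [("priority", int), ("type", str), ("severity", str),
                           ("source", str), ("responses", Tuple[str, ...]), ("status", str)])

def parse_config(text: str) -> List[Rule]:
    """Assumed layout: one whitespace-separated record per line, responses
    comma-separated, '#' comments.  Values outside the documented sets are rejected."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        f = line.split()
        if len(f) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(f)}")
        prio = int(f[0])
        if not (1 <= prio <= 4 and f[1] in TYPES and f[2] in SEVERITIES and f[3] in SOURCES):
            raise ValueError(f"line {lineno}: field value outside documented set")
        responses = tuple(f[4].split(","))
        unknown = set(responses) - SERVER_RESPONSES - AIC_RESPONSES
        if unknown:
            raise ValueError(f"line {lineno}: unknown responses {sorted(unknown)}")
        rules.append(Rule(prio, f[1], f[2], f[3], responses, f[5]))
    return sorted(rules, key=lambda r: r.priority)  # priority 1 (highest) first

def correlate(rules: List[Rule], etype: str, severity: str, source: str):
    """Event Correlator: the highest-priority rule matching the event, with its
    responses split between the web server's Responder and the AIC's Response
    Initiator.  Returns (server_responses, aic_responses, security_status)."""
    for r in rules:
        if (r.type, r.severity, r.source) == (etype, severity, source):
            return ([x for x in r.responses if x in SERVER_RESPONSES],
                    [x for x in r.responses if x in AIC_RESPONSES], r.status)
    return [], [], None

# Constructed sample; the first record is the one shown on the slide.
SAMPLE_CONFIG = """\
2 SUSPICIOUS HIGH NETWORK_IP_ADDRESS CHECK_RESTORE,BLOCK_SOURCE_IP SECURITY_IN_QUESTION
1 INTRUSION HIGH NETWORK_IP_ADDRESS CHECK_RESTORE,BLOCK_SOURCE_IP,SHIFT_ALL SECURITY_IN_QUESTION
"""
```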

17 Technology Transition
– Hardened Server OPX experiment
– Commercial transition of results into the Embedded Firewall product

18 Demo Scenarios

19 Load Sharing Demo
[Diagram: AIC (Windows 2000: Policy Manager, Audit Manager, Event Handler, ISS Manager, Embedded Firewall, Cluster Manager, Alert Handler, Event Correlator, Response Initiator); Web Server 1 (Windows 2000: IIS Web Server, ISS Network ID, ISS Host ID, Response Agent Responder and Initiator, Embedded Firewall NIC 1); Web Server 2 (SE Linux: Apache Web Server, Snort Network ID, SE Log Analyzer Host ID, Response Agent Responder and Initiator, Embedded Firewall NIC 2); Laptop 1 and Laptop 2 browse the web server]
Load sharing initialization:
– Load is set via the Policy Server
– Demonstration is based on even/odd IP address
– Even IPs are received by Server 1
– Odd IPs are received by Server 2
Sequence:
– Each web server sends a heartbeat to the AIC; the AIC receives heartbeats from all NICs
– Server unreachable? Server Down = True: redistribute load to NIC 1
– AIC sends reset load sharing to NIC 1 and NIC 2
– NIC 1 receives the rule from the AIC to accept all traffic (previously even traffic); NIC 2 receives the rule to accept odd traffic
– NIC 1 now receives traffic from Laptop 1 and Laptop 2 (previously NIC 2 received the traffic from Laptop 2)
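The PEN rule model from the Load Sharing slide and the even/odd demo above, as an added illustration in Python (not Secure Computing's code). Assumed: a load-sharing rule is a predicate over the packet's source address, the AIC marks a server down when its heartbeat stops, and a block from the Blocking enhancement is tracked apart from the load-sharing rule so a redistribution does not discard it.

```python
import ipaddress
from typing import Callable, Dict, List, Set

# A PEN load-sharing rule is a predicate over the packet's source address:
# True means "process the packet", False means "throw it away".
Rule = Callable[[str], bool]

def even_ip(src: str) -> bool:
    """Demo rule: even source addresses are processed by Server 1 (NIC 1)."""
    return int(ipaddress.ip_address(src)) % 2 == 0

def odd_ip(src: str) -> bool:
    """Demo rule: odd source addresses are processed by Server 2 (NIC 2)."""
    return not even_ip(src)

class Cluster:
    """Both servers see every packet sent to the shared virtual IP; the rule on
    each PEN decides which server actually processes it.  The AIC side (heartbeat
    tracking and rule pushes) is modelled by the methods below (assumption)."""

    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {"NIC1": even_ip, "NIC2": odd_ip}
        self.alive: Dict[str, bool] = {"NIC1": True, "NIC2": True}
        self.blocked: Dict[str, Set[str]] = {"NIC1": set(), "NIC2": set()}

    def heartbeat(self, nic: str, received: bool) -> None:
        """Cluster Manager bookkeeping: a missed heartbeat sets Server Down and
        triggers a redistribution; a returning heartbeat resets the split."""
        if self.alive[nic] != received:
            self.alive[nic] = received
            self.redistribute()

    def redistribute(self) -> None:
        """Push new load-sharing rules: a lone survivor accepts all traffic,
        otherwise reset to the even/odd split used in the demo."""
        live = [n for n, ok in self.alive.items() if ok]
        if len(live) == 1:
            # Survivor accepts everything; the down server's NIC accepts nothing.
            self.rules = {n: (lambda s: True) if n in live else (lambda s: False)
                          for n in self.alive}
        else:
            self.rules = {"NIC1": even_ip, "NIC2": odd_ip}

    def block_source(self, nic: str, src: str) -> None:
        """Blocking enhancement (what the BLOCK_SOURCE_IP response asks for)."""
        self.blocked[nic].add(src)

    def handlers(self, src: str) -> List[str]:
        """NICs that would process a packet from src.  The invariant the AIC's
        rule sets must preserve: exactly one NIC, unless the source is blocked."""
        return [n for n, rule in self.rules.items()
                if rule(src) and src not in self.blocked[n]]
```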

20 Port Scan Attack Demo – Win 2K
[Diagram: same AIC, Web Server 1, Web Server 2 and laptop layout as the load sharing demo]
– Laptop 1 initiates a port scan; the port scan traffic reaches Web Server 1 through NIC 1
– Web Server 1: port scan detection; sends the event (Intrusion, source IP) to the AIC
– AIC: receives the event (Intrusion, source IP) from Server 1; stores the event; retrieves events; determines the response; performs the responses
– AIC sends a block request on the IP; the Policy Server sends the Block IP rule to NIC 1, which receives the rule from the AIC
– AIC sends the Check & Restore response to Server 1, which receives and performs it

21 CGI Attack Demo – SE Linux
[Diagram: same AIC, Web Server 1, Web Server 2 and laptop layout as the load sharing demo]
– Laptop 2 initiates a CGI attack; the CGI attack traffic reaches Web Server 2 through NIC 2
– Web Server 2: CGI attack detection; sends the event (Intrusion, source IP) to the AIC
– AIC: receives the event (Intrusion, source IP) from Server 2; stores the event; retrieves events; determines the response; performs the responses
– AIC sends a block request on the IP; the Policy Server sends the Block IP rule to NIC 2, which receives the rule from the AIC
– AIC sends the Check & Restore response to Server 2, which receives and performs it

22 IIS Attack Demo – Win2K (ASP DOT)
[Diagram: same AIC, Web Server 1, Web Server 2 and laptop layout as the load sharing demo]
– Laptop 1 initiates an ASP DOT attack; the attack traffic reaches Web Server 1 through NIC 1
– Web Server 1: ASP DOT detection; sends the event (Suspicious, source IP) to the AIC
– AIC: receives the event (Suspicious, source IP) from Server 1; stores the event; retrieves events; determines the response; performs the responses
– AIC sends: Shift All, Handle IP, Audit On. NIC 1 receives: Handle IP, Audit On and Shift All From. NIC 2 receives: Shift All To except Handle IP, Audit On. Audit is on for all cluster NICs
– AIC sends the Check & Restore response to Server 1, which receives and performs it

