Randomized Failover Intrusion Tolerant Systems (RFITS) - Ranga Ramanujan, Architecture Technology Corporation / Odyssey Research Associates - DARPA OASIS PI Meeting

1 Randomized Failover Intrusion Tolerant Systems (RFITS)
Ranga Ramanujan, Architecture Technology Corporation / Odyssey Research Associates
DARPA OASIS PI Meeting, July 24, 2001
Architecture Technology Corporation: Specialists in Computer Architecture

2 Background - Research Goals
- Develop and demonstrate organic survivability techniques for mission-critical GIG applications
- Focus on network-borne DDoS attacks:
  - packet flooding
  - host take-down

3 Background - RFITS Approach
- The attacker needs knowledge of:
  - vulnerabilities
  - choke points
  - the system "posture"
- Randomized failover makes the system posture difficult to predict
  - Buys sufficient time for attack neutralization to be accomplished

4 Status
- Completed and delivered the RFITS Applications Handbook
  - Compilation of survivability design patterns
  - Primarily targeted at two kinds of middleware services:
    - Survivable information transport services (SITS)
    - Survivable server groups (SSG)
- Commenced prototype implementation of selected RFITS techniques
- This presentation focuses on a subset of the SITS techniques

5 SITS Technique #1
- Applicability: protects many-to-one and one-to-one information flows against DDoS attacks
- Attacks addressed: spoofed packet floods
- Assumptions:
  - An a priori security association exists between the end points
  - Attack traffic is generated by outsiders
- The technique chokes off attack traffic as close as possible to the source

6 SITS Technique #1 (Cont'd)
- Destination S can only be reached via an IP multicast address, say M1
- Using RSVP, router R1 is configured to filter out all downstream traffic except multicast packets
- Upon detecting a flooding attack, S switches to a new multicast address M2 and securely notifies its clients; it also de-registers from M1
- Clients send packets to M2; spoofed traffic still goes to M1 and is filtered out at R5 and R6

7 SITS Technique #2
- Protects many-to-one information flows against attack traffic generated by an insider

8 SITS Technique #2 (Cont'd)
- Clients are partitioned among multiple multicast channels
- Upon detection of a flooding attack, the suspect group is re-partitioned among new multicast channels
- Enables isolation of the attacker and choking off of attack traffic close to the source
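
The re-partitioning loop on this slide, written out as an added model (example code, not RFITS project code). The client names, the per-client packet rates, the flooding threshold and the assumption that S only sees the aggregate rate per multicast channel are all constructed for the example. It generalizes the slide slightly: several insiders are isolated at once, because every flooding channel, not just one "suspect group", is re-partitioned each round.

```python
"""Model of SITS technique #2: isolating an insider flooder by re-partitioning
clients across multicast channels (a group-testing loop)."""
import random

# Constructed traffic profile: packets/s each client puts on its channel.
# Seven legitimate clients send ~10 pkt/s; C6 is an insider that floods.
TRAFFIC = {f"C{i}": 10 for i in range(1, 9)}
TRAFFIC["C6"] = 2000
THRESHOLD = 200   # per-channel rate above which S declares the channel flooding


def partition(members, k, rng):
    """Randomly spread members over k fresh channels. The randomness is the
    point: the insider must not be able to predict which clients it will share
    a channel with, or it could keep hiding behind them."""
    members = list(members)
    rng.shuffle(members)
    return [members[i::k] for i in range(k) if members[i::k]]


def flooding(channel, traffic, threshold=THRESHOLD):
    """Detection is per channel: S only sees the aggregate rate on each address."""
    return sum(traffic[m] for m in channel) > threshold


def max_rounds(n, k):
    """Rounds needed to shrink a channel of n members to singletons with k-way splits."""
    rounds, size = 0, n
    while size > 1:
        size, rounds = -(-size // k), rounds + 1   # ceiling division
    return rounds


def isolate(traffic, k=2, seed=None, threshold=THRESHOLD):
    """Partition all clients (round 1), then re-partition only the flooding
    channels until every flooder sits alone on a channel that can be torn
    down at its first-hop router. Healthy channels keep service throughout.
    'seed' is for reproducible runs only; deployments use the system CSPRNG."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    quarantined, cleared, rounds = set(), set(), 0
    suspects = [list(traffic)]          # channels whose traffic is still suspect
    while suspects:
        rounds += 1
        next_round = []
        for channel in suspects:
            for sub in partition(channel, k, rng):
                if not flooding(sub, traffic, threshold):
                    cleared.update(sub)        # nobody on this channel floods
                elif len(sub) == 1:
                    quarantined.update(sub)    # a single source floods: the insider
                else:
                    next_round.append(sub)     # still mixed: split again
        suspects = next_round
    return {"quarantined": quarantined, "cleared": cleared, "rounds": rounds}


if __name__ == "__main__":
    print(isolate(TRAFFIC, k=2, seed=1))
```

With k-way splits the insider is pinned down in at most ceil(log_k n) rounds, and a legitimate client is only ever moved, never cut off, as long as no channel of honest clients exceeds the threshold on its own. That last condition is the caveat to size the threshold against: set it below the honest aggregate of a channel and the loop splits healthy groups down to singletons before clearing them.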

9 SITS Technique #3
- Variant of technique #1
- Uses source-specific multicast (SSM) to conserve multicast addresses
- S selects sources C1 and C2 for its address M1
- Using RSVP, router R1 is configured to filter out all downstream traffic except multicast packets from C1 and C2
- Upon detecting a flooding attack, C1 and C2 are reconfigured with new source addresses
- S associates M1 with the new addresses of C1 and C2
- Using RSVP, R1 is configured with new filters for C1 and C2

10 SITS Technique #4
- Variant of technique #3
- Uses unicast destination addresses instead of multicast addresses
  - Can be deployed on today's Internet; not dependent on widespread deployment of IP multicast
- However, unlike technique #3, it filters attack traffic at R1 instead of close to the source at R5 and R6
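
Techniques #1, #3 and #4 share one mechanism: the ingress router only forwards packets that match the current posture, and on attack detection S changes that posture and tells its clients under the pre-existing security association. The added model below (example code, not RFITS project code) puts the two variants side by side: destination-only filtering with an address hop (technique #1, M1 to M2) and per-source filtering with rotated client source addresses (techniques #3/#4). The router, client and address names follow the slides; the HMAC-signed notice, the pre-shared per-client key and the hex address labels are assumptions standing in for the handbook's real notification and address-pool details, and the "using RSVP" step is reduced to replacing a filter set.

```python
"""Model of RFITS randomized failover (SITS techniques #1, #3 and #4)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Router:
    """Ingress router R1: a packet is forwarded only if it matches a filter.
    A filter is a (src, dst) pair; src=None means 'any source' (technique #1
    filters on the multicast destination only; #3/#4 filter on the source too)."""
    filters: set = field(default_factory=set)

    def forwards(self, src, dst):
        return (None, dst) in self.filters or (src, dst) in self.filters


@dataclass
class Client:
    name: str
    key: bytes   # assumed pre-shared with S: the slides' a priori security association
    src: str     # address this client sends from
    dst: str     # address it currently sends to (M1, M2, ...)

    def apply_notice(self, msg, tag):
        """Adopt a new posture only if the HMAC verifies under the shared key,
        so a flooder cannot forge a notice that redirects the clients."""
        good = hmac.new(self.key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(good, tag):
            return False
        self.src, self.dst = msg.decode().split(",")
        return True


def fresh_addr(prefix):
    """Unpredictable replacement address; the hex label stands in for an
    address drawn from a multicast (or, for technique #4, unicast) pool."""
    return f"{prefix}-{secrets.token_hex(4)}"


class Server:
    def __init__(self, router, clients, addr, per_source):
        self.router, self.clients, self.addr = router, clients, addr
        self.per_source = per_source   # False: technique #1; True: #3/#4
        self.push_filters()

    def push_filters(self):
        """Stands in for 'using RSVP, R1 is configured with filters'."""
        if self.per_source:
            self.router.filters = {(c.src, self.addr) for c in self.clients}
        else:
            self.router.filters = {(None, self.addr)}

    def failover(self):
        """Reaction to a detected flood: pick a new posture, notify each client
        under its key, then replace the filters so the old posture (which the
        attacker has learned) is no longer forwarded."""
        if self.per_source:
            new_src = {c.name: fresh_addr(c.name) for c in self.clients}  # #3/#4
        else:
            new_src = {c.name: c.src for c in self.clients}
            self.addr = fresh_addr("M")                                   # M1 -> M2
        for c in self.clients:
            msg = f"{new_src[c.name]},{self.addr}".encode()
            tag = hmac.new(c.key, msg, hashlib.sha256).digest()
            if not c.apply_notice(msg, tag):
                raise RuntimeError(f"{c.name} rejected a genuine notice")
        self.push_filters()


def run_scenario(per_source):
    """Attacker learned the pre-attack posture (C1's source, S's address) and
    floods with it. Returns what R1 forwards before and after failover."""
    router = Router()
    c1 = Client("C1", secrets.token_bytes(32), "C1-addr", "M1")
    c2 = Client("C2", secrets.token_bytes(32), "C2-addr", "M1")
    s = Server(router, [c1, c2], "M1", per_source)
    known_src, known_dst = c1.src, s.addr
    out = {"spoof_before": router.forwards(known_src, known_dst)}
    s.failover()
    out["spoof_after"] = router.forwards(known_src, known_dst)
    out["clients_after"] = all(router.forwards(c.src, c.dst) for c in (c1, c2))
    forged = b"C1-evil,M-evil"   # notice signed with a key the attacker guessed
    bad_tag = hmac.new(b"wrong-key", forged, hashlib.sha256).digest()
    out["forged_notice_rejected"] = not c1.apply_notice(forged, bad_tag)
    return out


if __name__ == "__main__":
    for mode in (False, True):
        print("per-source filters" if mode else "destination-only", run_scenario(mode))
```

The "spoof_before" result is the reason #3/#4 rotate the client source addresses rather than just adding source filters: a source filter alone is defeated by spoofing C1's address, so the defence rests on the attacker not knowing the next posture, and on the notice that carries it being authenticated. What the model does not capture is the slides' distinction between where the drop happens (R1 in technique #4 versus R5/R6 near the source in #3); only whether it happens.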

11 VPN Gateway Prototype
- Interconnects geographically distributed sub-nets of an enterprise-wide private network using secure, DoS-resistant VPNs
- Implementation status:
  - Unit testing of the VPN gateway software completed; integration testing in progress
  - Initial release of the prototype to be completed by Sept. 1, 2001
  - Final release scheduled for December 2001

12 Planned Prototyping Effort
- Initial RFITS prototyping - Dec
  - Standalone demonstration of prototype products implementing RFITS survivability techniques:
    - RFITS VPN Gateway
    - RFITS VPN Client
- Final RFITS prototyping - Sept
  - Enterprise-wide survivable application using an integrated set of RFITS techniques