Security Alert Systems May 21st, 2003 cs239-1 Martin Lukac.

Overview
● Revere
● CERT
● Dshield

Revere
● Designed for rapid and widespread dissemination of information on a VERY LARGE SCALE
  – Warning signals
  – Firewall updates
  – Intrusion detection system updates
  – Certificate revocation
  – Virus updates
  – Software security updates

Difficulties
● Need for speed
  – Must be faster than attacks
● Need for scalability
  – Not totally centralized
  – Must expect variability
● Guarantee of coverage
  – Redundancy so there are no cut-off points
● Security
  – Duh! Very tempting target

Revere
● Overlay network
  – Large scale
  – Self-organizing
  – Resilient & redundant
● Low volume of small messages
  – Simple, lightweight dissemination
● Relatively heavy overlay management

RBONE
● Three-way handshake protocol
  – First, use various ways to locate a node
  – Next, send an attach request
  – The parent decides whether to adopt
  – The child decides whether to accept the potential parent

Handshake cont.
● There are timeouts
● Each node wants multiple parents
  – Nodes continuously search for parents
  – The number of parents is predefined
● Nodes also have a predefined limit on the number of children
● Adjusting the limits affects the resiliency of the RBONE as well as the bandwidth and overhead of each node

Parent Selection
● Want to select parents to achieve the best possible efficiency and resiliency
● Multiple parents, so a node only misses an update if all of its paths back to the center are broken
  – One parent is along the fastest path back to the dissemination center
  – Other parents have paths as disjoint as possible back to the distribution center
How do we find these paths?

Parent Selection cont.
● Path vector: a potential path for delivering security updates from a dissemination center to a node
● Parent path vector: ppv(n,p) = fastest path from the center to n with p as the last hop before n
● Node path vector: npv(n) = fastest parent path vector among all of n's parents
How do we compare resiliency?

Resiliency comparison
● Start with the fastest parent
  – Compare every other PPV to the fastest parent's by the number of overlapping nodes along the path
  – Greater overlap means weaker resiliency
● Will end up with parents with the same resiliency
  – Choose the most resilient parent, and repeat the first step with this parent as the 'fastest parent'

Selection
● Potential parents send their NPVs along with their AttachACK
● The node uses the potential parent's NPV and the RTT to derive its PPV
  – RTT obtained from AttachReq
● The node then compares the resiliency of all the PPVs
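The parent-selection steps from the last three slides (PPV from a parent's NPV plus the measured RTT, overlap-based resiliency comparison, NPV as the fastest adopted PPV), as an added Python example that is not Revere's code. Node names, latencies and RTTs are constructed, and comparing each remaining candidate against the parent chosen last is my reading of "repeat with this parent as the fastest parent".

```python
from typing import Dict, List, Tuple

# Added example, not Revere's own code: the parent-selection steps from the
# slides (PPV derivation, overlap-based resiliency comparison, NPV choice).
# Node names, latencies and RTTs below are constructed sample data.

Path = Tuple[str, ...]           # node ids, from dissemination center "C" to a node
PathVector = Tuple[Path, float]  # (path, end-to-end latency in ms)


def parent_path_vector(node: str, parent_npv: PathVector, rtt: float) -> PathVector:
    """ppv(n, p): the potential parent's NPV (sent in its AttachACK) extended by the
    final hop p -> n, with the RTT measured during AttachReq added to the latency."""
    path, latency = parent_npv
    return path + (node,), latency + rtt


def overlap(a: Path, b: Path) -> int:
    """Shared intermediate nodes; the center and the node itself lie on every path."""
    return len(set(a[1:-1]) & set(b[1:-1]))


def select_parents(ppvs: Dict[str, PathVector], wanted: int) -> List[str]:
    """Greedy selection as on the slides: start with the fastest parent, then pick the
    remaining candidate whose path overlaps least with the parent chosen last
    (fewer shared nodes = more disjoint = more resilient), ties broken by latency,
    and repeat with that parent as the new 'fastest parent'."""
    remaining = dict(ppvs)
    chosen = [min(remaining, key=lambda p: remaining[p][1])]
    del remaining[chosen[0]]
    while remaining and len(chosen) < wanted:
        ref = ppvs[chosen[-1]][0]
        best = min(remaining, key=lambda p: (overlap(ref, remaining[p][0]), remaining[p][1]))
        chosen.append(best)
        del remaining[best]
    return chosen


def node_path_vector(ppvs: Dict[str, PathVector], parents: List[str]) -> PathVector:
    """npv(n): the fastest PPV among the parents the node actually adopted."""
    return min((ppvs[p] for p in parents), key=lambda v: v[1])


def sample_ppvs() -> Dict[str, PathVector]:
    """Constructed AttachACKs heard by node N: each candidate's NPV and the RTT to it."""
    acks = {"A": ((("C", "A"), 10.0), 5.0), "B": ((("C", "A", "B"), 12.0), 1.0),
            "D": ((("C", "D"), 20.0), 4.0), "E": ((("C", "A", "E"), 11.0), 3.0)}
    return {p: parent_path_vector("N", npv, rtt) for p, (npv, rtt) in acks.items()}
```

With the sample data, B is the fastest parent, D is picked next because its path shares no node with B's, and E beats A on latency once both are equally disjoint from D.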

Adaptive
● What is done when a node goes down?
● Explicit notification
  – Tear-down messages
  – Not reliable
● Implicit notification
  – Heartbeats
● Heartbeats carry other useful information
  – Timestamps (for RTTs), changed NPVs (for dynamic adjustment of child NPVs)

Dissemination
● Push
  – Store and forward from the dissemination center
  – Clearly nodes get multiple copies, so updates carry sequence numbers
● Pull
  – Not all nodes keep updates
  – After being temporarily disconnected or turned off, nodes can query for updates
  – Queries go to repository nodes

Repositories
● Dynamic
● Nodes nominate themselves to be a repository
  – Add themselves to the repository candidate list
● The list propagates through heartbeats back to the center
  – The center selects repositories from the list
● Propagates choices back through heartbeats
● Handles failures and demotions, all through heartbeats

Security Threats
● Security update interception
  – Dropping, misdirecting, delaying, damaging, forging, or replaying security updates
● Repository corruption
  – Tampered or incomplete updates
● Key theft at the dissemination center
  – Center impersonation
● RBone attack
  – False RBone information, replayed control messages, impersonation

Dissemination Security
● Public key crypto approach
  – The center signs all updates
● Multiple resilient delivery paths
  – Help make sure updates get everywhere
  – Help against subverted repositories
● Nodes can contact more than one repository
● All nodes do duplicate checking

Key corruption
● Impersonation detection
  – Out of band
  – Reverse traversal back to the center
● Key invalidation
  – One simple message: a revocation, signed by the revoked key
● Switch to a new pre-installed key
● Redeliver missed or corrupted updates
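Receiving-side handling of pushed updates as the Dissemination, Dissemination Security and Key corruption slides describe it, as an added example that is not Revere's own code: signature check on every update, duplicate checking by sequence number, and a revocation signed by the revoked key that moves the node to a pre-installed spare, after which a missed update is redelivered under the new key. HMAC-SHA256 stands in for the center's public-key signature so the example needs only the standard library; keys and update bodies are constructed.

```python
import hashlib
import hmac
from typing import List, Set

# Added example, not Revere's code: a receiving node's handling of pushed
# updates as the slides describe it. HMAC-SHA256 stands in for the center's
# public-key signature so this runs on the standard library alone; keys and
# update bodies are constructed.

def sign(key: bytes, seq: int, body: bytes) -> bytes:
    """Center-side stand-in signature over (sequence number, update body)."""
    return hmac.new(key, seq.to_bytes(4, "big") + body, hashlib.sha256).digest()


class RevereNode:
    def __init__(self, keys: List[bytes]) -> None:
        self.keys = keys             # pre-installed center keys, in fallback order
        self.active = 0              # index of the key the center currently signs with
        self.seen: Set[int] = set()  # sequence numbers already accepted
        self.applied: List[bytes] = []

    def receive(self, seq: int, body: bytes, sig: bytes) -> str:
        # 1. Only updates signed by the active center key are accepted.
        if not hmac.compare_digest(sign(self.keys[self.active], seq, body), sig):
            return "rejected"        # forged, damaged, or signed by a stale key
        # 2. Copies arrive through every parent, so duplicate checking is routine.
        if seq in self.seen:
            return "duplicate"
        self.seen.add(seq)
        # 3. Key invalidation: one message, signed by the key being revoked,
        #    moves the node to the next pre-installed key (assumed to exist).
        if body == b"REVOKE":
            self.active += 1
            return "key-switched"
        self.applied.append(body)
        return "applied"


def scenario() -> List[str]:
    """Constructed push sequence: update, duplicate copy via a second parent, forgery,
    revocation, post-revocation update under the old key, redelivery under the new key."""
    keys = [b"center-key-1", b"center-key-2"]
    node = RevereNode(keys)
    fw = b"firewall-rule-update"
    return [node.receive(1, fw, sign(keys[0], 1, fw)),                   # applied
            node.receive(1, fw, sign(keys[0], 1, fw)),                   # duplicate
            node.receive(2, b"ids-update", bytes(32)),                   # rejected
            node.receive(3, b"REVOKE", sign(keys[0], 3, b"REVOKE")),     # key-switched
            node.receive(4, b"patch", sign(keys[0], 4, b"patch")),       # rejected
            node.receive(4, b"patch", sign(keys[1], 4, b"patch"))]       # applied
```

Note that the rejected update with sequence number 4 is not recorded as seen, which is what lets the center redeliver it under the new key.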

Rbone Security
● Each node sets up its own rules for trust judgment
  – No centralized control
● Different trust levels: complete trust, selective trust, and no trust
● Direct trust
  – Node trust is configured
● Indirect trust
  – Deduce trust based on third parties, or use a trust authority (like a CA, but for trust, not identity authentication)

Authentication
● Still need to authenticate the identity and verify the messages of other nodes
● Each node may have a different set of authentication schemes

Revere Conclusion
● Can have multiple Rbones
● Good results: has the potential to be fast and scale well

CERT
● Computer Emergency Response Team
● At the Software Engineering Institute at CMU
● DARPA funded
● Started after the Morris worm in November 1988
● They do lots of stuff

What CERT does...
● Vulnerability analysis and incident handling
  – Monitor public sources of info
  – Receive vulnerability reports
  – Work with vendors
  – Since 1988, they've received more than 642,365 messages and more than 21,895 calls reporting computer security incidents or requesting information, and they've handled more than 182,460 computer security incidents

More stuff...
● Education and training
● Survivable network technology
  – Analysis of how susceptible systems are
  – Finding ways to improve the design of systems
  – Developing techniques to assess and predict current and potential threats to the Internet. Involves examining large sets of network data to identify unauthorized and potentially malicious activity.

Ever more stuff...
● Information dissemination
  – Web, , phone, usenet
● Alerts
  – Advisories
  – Incident notes and vulnerability notes
  – CERT summaries
● Security practices and tech tips

AirCERT
● Place Internet-based security event sensors on the networks of various organizations
● The sensors will log locally selected information on detected security events and anomalies to both a local database and a central database located at CERT
● Developing a prototype system using open source and low-cost components
● They hope to get all sorts of sensors from different vendors to work together

Dshield
● Distributed Intrusion Detection System

Dshield
● Takes inputs from a lot of different firewalls and routers
● Automatic submission built into clients, submission, web submission
● Show web pages

Questions
● Revere
  – What do we do with the updates? Trust? Sometimes easy to decide, sometimes not
  – What if a router goes down? Even though paths are separate at the application level, they still might be going through the same routers
  – Should vendors be responsible for creating the dissemination centers? CERT? Govt?
● Does Dshield really help?
● Will there ever be a point when a system like Revere might prevent a new attack?