S E C U R E C O M P U T I N G Intrusion Tolerant Server Infrastructure Dick O’Brien, Tammy Kappel, Clint Bitzer OASIS PI Meeting March 14, 2002.

Outline
- Overview
- New technologies
  - Load distribution
  - PEN alerts
  - Automated response

ITSI Objective
- Develop an Intrusion Tolerant Server Infrastructure that uses independent network layer enforcement mechanisms to:
  - Reduce intrusions
  - Prevent propagation of intrusions that do occur
  - Provide automated load shifting when intrusions are detected
  - Support automated server recovery
- Provide uninterrupted service even in the face of malicious attacks that may be successful against one of the systems

ITSI Functionality
ITSI is a combination of existing and new technologies
- Existing
  - Autonomic Distributed Firewall (3Com Embedded Firewall)
    - Provides network access control
  - Heterogeneous web servers
  - Hardened platforms
    - Linux platform based on Immunix 7.0 and SELinux LSM
    - Windows 2000 uses Kernel Loadable Wrappers
  - Intrusion Detection Systems
- New
  - Load distribution
  - ADF PEN alerts
  - Automated response

ITSI Prototype
[Architecture diagram. Two web servers, each with Intrusion Detection, a Detection/Initiating Agent, a Response/Recovery Agent and two Embedded Firewall NICs (NIC 1 and NIC 2): an SELinux web server running Apache and PHP, and a Windows 2000 web server running IIS and PHP. An AIC on Windows 2000 hosts the ADF Policy Server, Alert Handler, Cluster Manager, ID Management and Response/Recovery Controller behind its own Embedded Firewall NIC. The servers share an application DB and serve clients.]

PEN Policy
External PEN policy
- Incoming: only allow traffic to web server
- Outgoing: only allow responses
- No sniffing, no spoofing
- Audit any violations
Internal PEN policy
- Incoming: only allow traffic from DB and AIC
- Outgoing: only allow traffic to DB and AIC
- No sniffing, no spoofing
- Audit any violations

Summary
- Intrusion tolerance through
  - Hardened, heterogeneous platforms
  - Automatic response capabilities
  - Load sharing between the servers
  - Extensive auditing and alert capabilities
- No need for additional firewalls
- Scalability through the ability to easily add additional platforms
- Maintainability through the ability to easily remove and service a platform

Load Distribution
[Same architecture diagram as on the ITSI Prototype slide.]

Load Distribution
[Diagram. The Apache web server and the IIS web server each have a PEN Agent and two PENs (PEN 1, PEN 2) holding load sharing rules; new rules arrive from the AIC.]

Approach
- Clusters are created with multiple servers sharing a virtual IP address
- The shared virtual IP is mapped to a shared MAC
- Each server receives all traffic addressed to the shared MAC
- Rules on the PEN determine what traffic to process and what to throw away based on source IP
- Traffic load can be shifted by modifying PEN rules
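The approach above, as an added example (not code from the slides or from the ADF product): every server sees every frame sent to the shared MAC, and each server's PEN accepts or discards a packet by source IP according to its own rule table. Shifting load means rewriting the tables, not touching the packets. The rule format, the round-robin assignment of client ranges to servers, the server names and the client addresses are all assumptions constructed for this example.

```python
"""Toy model of the ITSI shared-MAC load distribution scheme (added example).

Every server in the cluster receives every frame addressed to the shared MAC;
each server's PEN (embedded firewall NIC) consults its own rule table and
either processes or discards the packet based on the source IP.  Load is
shifted by rewriting rule tables, never by touching the packets themselves.
The rule format and the round-robin assignment are assumptions of this
example, not the ADF product's rule language.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PenRule:
    src_net: ipaddress.IPv4Network  # source range the rule matches
    accept: bool                    # True = process, False = discard


@dataclass
class Server:
    name: str
    up: bool = True
    rules: list = field(default_factory=list)

    def decide(self, src_ip: str) -> bool:
        """First matching rule wins; an unmatched source is discarded."""
        ip = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            if ip in rule.src_net:
                return rule.accept
        return False


def build_rules(cluster, ranges):
    """Give each client source range to exactly one live server.

    Ranges are dealt round-robin over the live servers.  Every other server
    gets an explicit discard rule for the same range, so no two servers
    answer the same client and the tables stay deny-by-default.
    """
    live = [s for s in cluster if s.up]
    if not live:
        raise RuntimeError("no live server left in cluster")
    for s in cluster:
        s.rules = []
    for i, net in enumerate(ranges):
        owner = live[i % len(live)]
        for s in cluster:
            s.rules.append(PenRule(net, accept=(s is owner)))


def deliver(cluster, src_ip):
    """Shared-MAC semantics: every live server sees the packet and decides
    for itself.  Returns the names of the servers that process it."""
    return [s.name for s in cluster if s.up and s.decide(src_ip)]


def demo():
    """Two heterogeneous servers; shift all load after one is taken down."""
    cluster = [Server("selinux-apache"), Server("win2k-iis")]
    ranges = [ipaddress.ip_network("10.0.0.0/25"),
              ipaddress.ip_network("10.0.0.128/25")]
    probes = ("10.0.0.5", "10.0.0.200", "192.168.9.9")  # constructed sources
    build_rules(cluster, ranges)
    before = {ip: deliver(cluster, ip) for ip in probes}
    cluster[0].up = False         # e.g. the AIC decided this host is compromised
    build_rules(cluster, ranges)  # push new rules; the packets are untouched
    after = {ip: deliver(cluster, ip) for ip in probes}
    return before, after


if __name__ == "__main__":
    print(demo())
```

The point to check in any such scheme is the invariant `build_rules` enforces: for every source exactly one live server accepts, and a source outside every configured range is dropped by all of them (deny by default), so a server that is taken out of the cluster neither leaks its share nor leaves it unanswered.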

Configuration

Lessons Learned
- Load distribution can be done using special PEN rules with no modification of the PEN firmware
- Shared MAC approach works for servers on a shared network segment
- More general approach is feasible
  - Develop a centralized approach to changing the MAC used by an EFW NIC from the AIC
  - Use a multicast address
  - Do load distribution based on source ports as well as source IP
  - Add load balancing
  - Have NICs negotiate load distribution by themselves

PEN Alerts
[Same architecture diagram as on the ITSI Prototype slide.]

PEN Alerts
- Alerts are based on audit from the PEN
- Alerts are raised on
  - Spoofing violations
  - Sniffing violations
  - Matching on any filter rule that has alerting enabled
    - Such as, no initiation of TCP connections
- Alert actions supported
  - Notify Response Server
  - NT event log
  - SNMP trap

Approach
[Flow diagram: an Audit Event is stored (Store Audit, inserted into the Audit DB); the Alert Handler checks whether it is an alerting event (Alert?) and whether the threshold is exceeded (Threshold Exceeded?) against the Alert Configurations, then initiates the alert (Initiate Alert) and reads the configured Alert Actions.]
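The audit-to-alert path of the two slides above, as an added example that is not the AIC's own code: each PEN audit record is stored first, then checked against a per-event alert configuration, and an alert carrying the configured actions is initiated once a threshold is reached. The audit line format, the event names, the threshold and window values and the sample records are all constructed for this example.

```python
"""Added example: a PEN alert handler driven by PEN audit records.

Audit lines from the embedded firewall NICs are stored, then checked against
per-event alert configurations; when a threshold is reached the handler
initiates an alert carrying the configured actions.  The line format, the
event names and the threshold values are constructed for this example.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed audit line format, one record per line.
AUDIT_RE = re.compile(r"^ts=(\d+) pen=(\S+) event=(\S+) src=(\S+)$")


@dataclass(frozen=True)
class AlertConfig:
    event: str       # audit event type this configuration applies to
    threshold: int   # alert when this many events from one source fall in the window
    window: int      # window length in seconds
    actions: tuple   # alert actions to initiate, in order


# Constructed alert configurations.  Spoofing and sniffing violations have no
# legitimate cause, so the first one alerts; the "no TCP initiation" rule
# match is escalated once a source repeats it within a minute.
CONFIGS = [
    AlertConfig("spoof", 1, 0, ("notify_response_server", "nt_event_log", "snmp_trap")),
    AlertConfig("sniff", 1, 0, ("notify_response_server", "nt_event_log", "snmp_trap")),
    AlertConfig("tcp_init", 3, 60, ("notify_response_server", "nt_event_log")),
]


def parse_audit(line):
    m = AUDIT_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed audit record: {line!r}")
    ts, pen, event, src = m.groups()
    return {"ts": int(ts), "pen": pen, "event": event, "src": src}


class AlertHandler:
    def __init__(self, configs):
        self.configs = {c.event: c for c in configs}
        self.audit_db = []                  # every record is stored first
        self.recent = defaultdict(deque)    # (event, src) -> timestamps in window
        self.alerts = []

    def audit_event(self, line):
        """Store the record; return an alert dict if a threshold was reached."""
        rec = parse_audit(line)
        self.audit_db.append(rec)
        cfg = self.configs.get(rec["event"])
        if cfg is None:
            return None                     # audited, but not an alerting event
        q = self.recent[(rec["event"], rec["src"])]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > cfg.window:   # drop timestamps that aged out
            q.popleft()
        if len(q) < cfg.threshold:
            return None
        alert = {"event": rec["event"], "src": rec["src"], "pen": rec["pen"],
                 "count": len(q), "actions": cfg.actions}
        q.clear()                           # one burst -> one alert
        self.alerts.append(alert)
        return alert


# Constructed audit records, as the PENs might deliver them to the AIC.
SAMPLE_AUDIT = """\
ts=100 pen=efw-nic-1 event=http_allowed src=10.0.0.5
ts=105 pen=efw-nic-1 event=tcp_init src=10.0.0.77
ts=120 pen=efw-nic-1 event=tcp_init src=10.0.0.77
ts=140 pen=efw-nic-1 event=tcp_init src=10.0.0.77
ts=150 pen=efw-nic-2 event=spoof src=10.0.0.88
ts=900 pen=efw-nic-1 event=tcp_init src=10.0.0.77
"""


def run(lines=SAMPLE_AUDIT):
    """Feed the sample records through a handler and return it for inspection."""
    handler = AlertHandler(CONFIGS)
    for line in lines.splitlines():
        if line.strip():
            handler.audit_event(line)
    return handler


if __name__ == "__main__":
    for alert in run().alerts:
        print(alert)
```

Every record lands in `audit_db` whether or not it alerts, which is what lets the AIC act as the single collection point the Lessons Learned slide describes; the window is cleared after an alert so a sustained burst produces one alert per threshold crossing rather than one per packet.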

Configuration

Lessons Learned
- By basing the alert functionality on the PEN audit, no changes were necessary to the PEN firmware
- PEN alerts could be used as sensors for other intrusion detection/response systems
  - PEN alerts, such as No Spoofing, No Sniffing, or No TCP initiation, will not generate false positives
  - Interface is through the AIC, which collects all audit and generates alerts

ITSI Prototype
[Same architecture diagram as on the ITSI Prototype slide.]

PEN Responses
- Shifting
  - Traffic can be shifted to another server if one goes down
- Blocking
  - Traffic from specified IP addresses can be blocked
- Auditing
  - Traffic from a specified IP address can be audited
- Fishbowling
  - Traffic from a specified IP address can be routed to a particular server

Host Response Agents
- Detection/Initiating Agent
  - Interfaces with local ID systems to detect intrusions
  - Initiates local responses
  - Sends intrusion event data to AIC
- Response/Recovery Agent
  - Performs local responses per AIC
    - Check critical files (using Veracity or Tripwire)
    - Disable user
    - Kill process
    - Shutdown
  - Local recovery
    - Restore files, restore registry

Response Server
- Receives events from agents
- Correlates events based on priority
- Enables user-customizable responses based on event types
- Initiates responses
- Manages web server load sharing
- Manages ID software
- Controls embedded firewalls
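The Response Server's event path (receive, correlate by priority, map event types to user-customizable responses, initiate) together with the PEN responses listed two slides earlier, as an added example that is not the project's own code: agent events are merged and ordered by priority, then a response table turns each event type into local agent actions or PEN rule changes. The event kinds, priorities, host names, the response table and the fishbowl server name are constructed for this example; the action names are the ones the slides list.

```python
"""Added example: the Response Server's event path, from agent events to an
ordered list of responses.  Event kinds, priorities and the response table
are constructed for this example; the PEN actions (shift, block, audit,
fishbowl) and the local actions (check files, kill process, ...) are the
ones the slides list.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    host: str       # agent that reported it
    kind: str       # event type, e.g. "file_modified", "spoof", "host_down"
    src: str        # offending source IP, "" when none applies
    priority: int   # higher is more urgent


# User-customizable response configuration: event type -> ordered responses.
# "local" responses go to the host's Response/Recovery Agent; "pen" responses
# become embedded firewall rule changes pushed through the policy server.
RESPONSE_CONFIG = {
    "file_modified": [("local", "check_and_restore"), ("local", "kill_process")],
    "spoof":         [("pen", "block")],
    "tcp_init":      [("pen", "audit"), ("pen", "fishbowl")],
    "host_down":     [("pen", "shift")],
}

FISHBOWL_SERVER = "fishbowl-1"   # constructed name of the server that receives fishbowled traffic


def correlate(events):
    """Merge repeats of the same (host, kind, src) and order by priority."""
    merged = {}
    for ev in events:
        key = (ev.host, ev.kind, ev.src)
        if key in merged:
            merged[key][1] += 1
        else:
            merged[key] = [ev, 1]
    # sorted() is stable, so equal priorities keep arrival order
    return sorted(merged.values(), key=lambda pair: -pair[0].priority)


def plan_responses(events, config=RESPONSE_CONFIG):
    """Return the ordered list of response commands the server would initiate."""
    plan = []
    for ev, count in correlate(events):
        # an event type with no configured response is only logged at the AIC
        for target, action in config.get(ev.kind, [("aic", "log_only")]):
            cmd = {"target": target, "action": action, "host": ev.host,
                   "src": ev.src, "count": count}
            if action == "fishbowl":
                cmd["route_to"] = FISHBOWL_SERVER
            plan.append(cmd)
    return plan


# Constructed events as the host agents and the PEN alert handler might deliver them.
SAMPLE_EVENTS = [
    Event("win2k-iis", "tcp_init", "10.0.0.77", 2),
    Event("selinux-apache", "file_modified", "", 5),
    Event("win2k-iis", "tcp_init", "10.0.0.77", 2),
    Event("win2k-iis", "host_down", "", 9),
    Event("selinux-apache", "login_ok", "10.0.0.5", 0),
]


if __name__ == "__main__":
    for cmd in plan_responses(SAMPLE_EVENTS):
        print(cmd)
```

Ordering by priority before initiating anything is what makes the shift for the downed IIS host go out before the slower file checks on the other server; keeping the response table as data is what the slides mean by user-customizable responses, since changing how a `tcp_init` alert is handled (audit only, or fishbowl as well) is a configuration edit rather than a code change.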

Response Configuration

Response Components
[Component diagram. Response Agent Initiator sends events (log event, restart); the Event Handler stores events and reads new events; the Event Correlator reads the configuration files (response configuration, server config, service data) and produces the list of responses; the Response Initiator sends responses, re-initiates load share through the Policy Server, and executes custom responses; the Response Agent Responder applies the local response file (disable source, check & restore, shutdown).]