Secure Computing: Intrusion Tolerant Server Infrastructure
Dick O’Brien, Tammy Kappel, Clint Bitzer
OASIS PI Meeting, March 14, 2002

1 Intrusion Tolerant Server Infrastructure (title slide)

2 Outline
- Overview
- New Technologies
  - Load Distribution
  - PEN Alerts
  - Automated Response

3 ITSI Objective
Develop an Intrusion Tolerant Server Infrastructure that uses independent network layer enforcement mechanisms to:
- Reduce intrusions
- Prevent propagation of intrusions that do occur
- Provide automated load shifting when intrusions are detected
- Support automated server recovery
Provide uninterrupted service even in the face of malicious attacks that may be successful against one of the systems.

4 ITSI Functionality
ITSI is a combination of existing and new technologies.
Existing:
- Autonomic Distributed Firewall (3Com Embedded Firewall): provides network access control
- Heterogeneous web servers
- Hardened platforms
  - Linux platform based on Immunix 7.0 and SELinux LSM
  - Windows 2000 uses Kernel Loadable Wrappers
- Intrusion Detection Systems
New:
- Load distribution
- ADF PEN alerts
- Automated response

5 ITSI Prototype (architecture diagram)
Components shown: two heterogeneous web servers, a Windows 2000 host running the IIS Web Server with PHP and an SELinux host running Apache with PHP. Each web server carries two Embedded Firewall NICs (NIC 1 and NIC 2), local Intrusion Detection, a Detection/Initiating Agent and a Response/Recovery Agent. The AIC is a Windows 2000 host with its own Embedded Firewall NIC that runs the ADF Policy Server, Alert Handler, Cluster Manager, ID Management and the Response/Recovery Controller. Clients reach the web servers on one side; the Application DB sits on the other.

6 PEN Policy
External PEN policy:
- Incoming: only allow traffic to the web server
- Outgoing: only allow responses
- No sniffing, no spoofing
- Audit any violations
Internal PEN policy (segment with the DB and the AIC):
- Incoming: only allow traffic from the DB and the AIC
- Outgoing: only allow traffic to the DB and the AIC
- No sniffing, no spoofing
- Audit any violations

7 Summary
Intrusion tolerance through:
- Hardened, heterogeneous platforms
- Automatic response capabilities
- Load sharing between the servers
- Extensive auditing and alert capabilities
No need for additional firewalls.
Scalability through the ability to easily add additional platforms.
Maintainability through the ability to easily remove and service a platform.

8 Load Distribution (same architecture diagram as slide 5)

9 Load Distribution (diagram)
Each web server (Apache Web Server, IIS Web Server) has a PEN Agent and two PENs (PEN 1, PEN 2) holding Load Sharing Rules; new rules are pushed to the PENs from the AIC.

10 Approach
- Clusters are created with multiple servers sharing a virtual IP address
- The shared virtual IP is mapped to a shared MAC
- Each server receives all traffic addressed to the shared MAC
- Rules on the PEN determine what traffic to process and what to throw away, based on source IP
- Traffic load can be shifted by modifying PEN rules

11 Configuration (screenshot)

12 Lessons Learned
- Load distribution can be done using special PEN rules with no modification of the PEN firmware
- The shared MAC approach works for servers on a shared network segment
- A more general approach is feasible:
  - Develop a centralized approach to changing the MAC used by an EFW NIC from the AIC
  - Use a multicast address
  - Do load distribution based on source ports as well as source IP
  - Add load balancing
  - Have NICs negotiate load distribution by themselves

13 PEN Alerts (same architecture diagram as slide 5)

14 PEN Alerts
- Alerts are based on audit from the PEN
- Alerts are raised on:
  - Spoofing violations
  - Sniffing violations
  - Matching on any filter rule that has alerting enabled, such as the rule that forbids initiation of TCP connections
- Alert actions supported:
  - Notify Response Server
  - NT event log
  - SNMP trap
  - Email

15 Approach (flowchart)
Audit Event -> Store Audit in the Audit DB -> Alert? -> Insert -> Alert Handler (reads Alert Configurations) -> Threshold Exceeded? -> Initiate Alert -> Alert Actions. The Alert Handler also reads from the Audit DB.
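The flow on this slide, as an added Python example that is not part of the original presentation or the product: audit records are stored first, each is matched against the alert configurations, and an alert with its configured actions is raised when a per-NIC count within a time window reaches the threshold. The key=value audit line format, the configuration names and thresholds, the action names and the sample records are all constructed for illustration and are not the PEN's real audit format.

```python
"""Alert handler over PEN audit records: store, match, threshold, act."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    ts: int         # seconds
    nic: str        # PEN that reported the record
    kind: str       # "spoof", "sniff" or "rule" (a filter rule with alerting on)
    src: str        # address the PEN saw
    rule: str = ""  # rule name when kind == "rule"


def parse_audit(line):
    """Parse one constructed key=value audit record (assumed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return AuditEvent(ts=int(fields["ts"]), nic=fields["nic"], kind=fields["kind"],
                      src=fields["src"], rule=fields.get("rule", ""))


@dataclass
class AlertConfig:
    name: str
    kind: str
    rule: str = ""
    threshold: int = 1   # matching records within window before alerting
    window: int = 60     # seconds
    actions: tuple = ("notify_response_server",)


class AlertHandler:
    def __init__(self, configs):
        self.configs = configs
        self.audit_db = []                  # every record, alerting or not
        self.history = defaultdict(deque)   # (config, nic) -> recent timestamps
        self.alerts = []
        self.outbox = []                    # (action, config, nic, src) dispatched

    def handle(self, line):
        """Store the record, then return the list of alerts it raised."""
        ev = parse_audit(line)
        self.audit_db.append(ev)            # audit is stored before any alerting
        raised = []
        for cfg in self.configs:
            if ev.kind != cfg.kind or (cfg.kind == "rule" and ev.rule != cfg.rule):
                continue
            recent = self.history[(cfg.name, ev.nic)]
            recent.append(ev.ts)
            while recent and ev.ts - recent[0] > cfg.window:   # drop stale records
                recent.popleft()
            if len(recent) >= cfg.threshold:
                alert = {"config": cfg.name, "nic": ev.nic, "src": ev.src,
                         "count": len(recent), "ts": ev.ts}
                self.alerts.append(alert)
                raised.append(alert)
                for action in cfg.actions:  # NT event log, SNMP trap, email, ...
                    self.outbox.append((action, cfg.name, ev.nic, ev.src))
                recent.clear()              # start a fresh count after alerting
        return raised


# Spoofing and sniffing are definite violations, so one record is enough;
# the outbound "no TCP initiation" rule is given a small burst threshold.
CONFIGS = [
    AlertConfig("no-spoof", "spoof", actions=("notify_response_server", "nt_event_log")),
    AlertConfig("no-sniff", "sniff"),
    AlertConfig("no-tcp-init", "rule", rule="no-tcp-init", threshold=3, window=60,
                actions=("notify_response_server", "snmp_trap")),
]

SAMPLE_AUDIT = [   # constructed records, not real PEN audit output
    "ts=100 nic=ext1 kind=spoof src=10.0.0.9",
    "ts=101 nic=ext1 kind=rule rule=no-tcp-init src=10.0.0.9",
    "ts=102 nic=ext1 kind=rule rule=no-tcp-init src=10.0.0.9",
    "ts=103 nic=ext1 kind=rule rule=no-tcp-init src=10.0.0.9",
    "ts=200 nic=ext1 kind=rule rule=no-tcp-init src=10.0.0.9",
    "ts=300 nic=int1 kind=sniff src=192.168.1.5",
]


def run_sample():
    """Feed the sample records through one handler; return it and per-record results."""
    handler = AlertHandler(CONFIGS)
    results = [handler.handle(line) for line in SAMPLE_AUDIT]
    return handler, results


if __name__ == "__main__":
    handler, results = run_sample()
    for alert in handler.alerts:
        print(alert)
    print(len(handler.audit_db), "records stored,", len(handler.alerts), "alerts raised")
```

Thresholds are kept per (configuration, NIC) so a burst on one server's PEN does not mask or inflate the count on another, and the record at ts=200 shows the window resetting after an alert rather than re-alerting on every further match.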

16 Configuration (screenshot)

17 Lessons Learned
- By basing the alert functionality on the PEN audit, no changes were necessary to the PEN firmware
- PEN alerts could be used as sensors for other intrusion detection/response systems:
  - PEN alerts such as No Spoofing, No Sniffing, or No TCP initiation will not generate false positives, since each one records a definite policy violation observed on the NIC rather than a heuristic match
  - The interface is through the AIC, which collects all audit and generates the alerts

18 ITSI Prototype (same architecture diagram as slide 5)

19 PEN Responses
- Shifting: traffic can be shifted to another server if one goes down
- Blocking: traffic from specified IP addresses can be blocked
- Auditing: traffic from a specified IP address can be audited
- Fishbowling: traffic from a specified IP address can be routed to a particular server
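The shared-MAC load distribution of slide 10 and the four PEN responses above are all just edits to the per-NIC rule list. The Python simulation below is an added example, not code from the ITSI project or from the 3Com Embedded Firewall: the client range 10.0.0.0/24, the split into /27 shards, the round-robin assignment, and every class and method name are assumptions chosen for illustration. It checks the invariant the real arrangement depends on, that every non-blocked client address is accepted by exactly one server's PEN even though every NIC receives every frame.

```python
"""PEN rule simulation: shared-MAC load sharing plus shift/block/audit/fishbowl."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

CLIENT_NET = ipaddress.ip_network("10.0.0.0/24")   # constructed client range (assumption)
SHARD_PREFIX = 27                                   # the /24 is dealt out as eight /27 shards


@dataclass
class Rule:
    action: str                   # "accept" or "drop"
    src: ipaddress.IPv4Network    # matched against the frame's source IP


@dataclass
class Pen:
    server: str
    up: bool = True
    rules: list = field(default_factory=list)      # ordered; first match wins
    audited: list = field(default_factory=list)    # source prefixes to audit
    audit_log: list = field(default_factory=list)

    def verdict(self, ip):
        for rule in self.rules:
            if ip in rule.src:
                return rule.action
        return "drop"             # default deny when nothing matches

    def receive(self, src_ip):
        """Every NIC sees the frame; return True if this one hands it to its host."""
        ip = ipaddress.ip_address(src_ip)
        verdict = self.verdict(ip)
        if any(ip in net for net in self.audited):
            self.audit_log.append((src_ip, verdict))
        return verdict == "accept"


class ClusterManager:
    """Stands in for the AIC cluster manager that pushes rules to each PEN."""

    def __init__(self, servers):
        self.pens = {s: Pen(s) for s in servers}
        self.blocked = []     # dropped at every PEN (blocking response)
        self.fishbowl = {}    # prefix -> the one server that takes it (fishbowling)
        self.audited = []     # audited at every PEN (auditing response)
        self.push_rules()

    def push_rules(self):
        up = [p for p in self.pens.values() if p.up]
        if not up:
            raise RuntimeError("no server left to carry the cluster's load")
        # Shifting: shards are dealt round-robin over the servers that are up,
        # so a failed server's share moves to the survivors on the next push.
        owner = {shard: up[i % len(up)].server
                 for i, shard in enumerate(CLIENT_NET.subnets(new_prefix=SHARD_PREFIX))}
        for pen in self.pens.values():
            rules = [Rule("drop", net) for net in self.blocked]
            rules += [Rule("accept" if srv == pen.server else "drop", net)
                      for net, srv in self.fishbowl.items() if self.pens[srv].up]
            rules += [Rule("accept" if srv == pen.server else "drop", shard)
                      for shard, srv in owner.items()]
            pen.rules = rules
            pen.audited = list(self.audited)

    def server_down(self, name):
        self.pens[name].up = False
        self.push_rules()

    def block(self, src):
        self.blocked.append(ipaddress.ip_network(src))
        self.push_rules()

    def audit(self, src):
        self.audited.append(ipaddress.ip_network(src))
        self.push_rules()

    def fishbowl_to(self, src, server):
        self.fishbowl[ipaddress.ip_network(src)] = server
        self.push_rules()

    def deliver(self, src_ip):
        """One frame for the shared MAC reaches every live NIC; return who kept it."""
        return [p.server for p in self.pens.values() if p.up and p.receive(src_ip)]

    def coverage(self):
        """Histogram of how many servers accept each client host; the rule sets are
        consistent when every non-blocked host maps to exactly one server."""
        counts = Counter()
        for host in CLIENT_NET.hosts():
            counts[sum(1 for p in self.pens.values()
                       if p.up and p.verdict(host) == "accept")] += 1
        return dict(counts)


if __name__ == "__main__":
    cm = ClusterManager(["selinux-apache", "win2k-iis"])
    print(cm.coverage(), cm.deliver("10.0.0.40"))
    cm.server_down("win2k-iis")
    print(cm.coverage(), cm.deliver("10.0.0.40"))   # load shifted to the survivor
```

Blocking rules are placed first and fishbowl rules before the ordinary shard rules, so a blocked source stays blocked whatever shard it falls in, and a fishbowled source is accepted only by its designated server. The coverage check is the test a practitioner should run after every rule push: a count of 0 for a non-blocked host means the cluster silently drops that client, and a count of 2 means two servers answer the same request.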

20 Host Response Agents
- Detection/Initiating Agent
  - Interfaces with local ID systems to detect intrusions
  - Initiates local responses
  - Sends intrusion event data to the AIC
- Response/Recovery Agent
  - Performs local responses per the AIC:
    - Check critical files (using Veracity or Tripwire)
    - Disable user
    - Kill process
    - Shutdown
  - Local recovery: restore files, restore registry

21 Response Server
- Receives events from agents
- Correlates events based on priority
- Enables user-customizable responses based on event types
- Initiates responses
- Manages web server load sharing
- Manages ID software
- Controls embedded firewalls

22 Response Configuration (screenshot)

23 Response Components (diagram)
Components: Response Agent (Responder and Initiator sides), Event Handler, Event Correlator, Response Initiator.
Flows shown: Send Events; Log Event; Restart; Store Events; Read New Events; Reinitiate Load Share Thru Policy Server; Read Config Files (Response Configuration, Server Config, Service Data); List of Responses; Send Responses; Local Response File; Disable Source; Execute Custom Responses; Check & Restore; Shutdown.
