Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lawrence Berkeley National Laboratory 1 James Rothfuss Computer Protection Program Manager Lawrence Berkeley National Lab Internet2 Security at Line Speed.

Published byClementine Freeman Modified over 8 years ago

Similar presentations

Presentation on theme: "Lawrence Berkeley National Laboratory 1 James Rothfuss Computer Protection Program Manager Lawrence Berkeley National Lab Internet2 Security at Line Speed."— Presentation transcript:

1 Lawrence Berkeley National Laboratory 1 James Rothfuss Computer Protection Program Manager Lawrence Berkeley National Lab Internet2 Security at Line Speed Workshop August 12, 2003 Protection of an Open Computing Environment

2 Lawrence Berkeley National Laboratory 2 Presentation will cover: Types of Protection Berkeley Lab Philosophy Bro NETS

3 Lawrence Berkeley National Laboratory 3 Classical Notion of Security Secure Restrict Control Hide

4 Lawrence Berkeley National Laboratory 4 Often “Classical Security” is not appropriate The tools can be so secure that their value is marginal Consider: When the goal is RESEARCH, a missed scientific breakthrough may be more costly and damaging than the worst “hacker” incident

5 Lawrence Berkeley National Laboratory 5 Classified Protection Commercial Academic Classified Protection Commercial Academic Protective measures can be different without be less effective

6 Lawrence Berkeley National Laboratory 6 Service Protection vs Information Protection

7 Lawrence Berkeley National Laboratory 7 Weapons Research Usenet newsgroups Yahoo Open Research Online Store Banking Service Protection Information Protection Primary protection concerns

8 Lawrence Berkeley National Laboratory 8 Protective measures are based on the known attacks. System weaknesses are identified and protected. “Threat” Based Protection “Vulnerability” Based Protection Antivirus Intrusion Detection Firewalls Patching BroNETS

9 Lawrence Berkeley National Laboratory 9 Open by default, restrict as necessary Protect rather than Secure Utilize both Threat and Vulnerability Protection Strive for Dynamic Protection Underling LBNL Philosophies Protecting an Open Environment is NOT EASY Quality People are extremely important

10 Lawrence Berkeley National Laboratory 10 LBL Intrusion Detection - Bro Analyzes network traffic for attacks and policy violations Operational 24x7 since 1996 (> 4 billion connections monitored & archived) Coupled with border router, provides an adaptive firewall Currently operational @ LBNL, NERSC, UCB, JGI, ESNET, ICSI … “Threat” Based Protection

11 Lawrence Berkeley National Laboratory 11 Taps GigEther fiber link passively, sends up a copy of all network traffic. Network How Bro Works

12 Lawrence Berkeley National Laboratory 12 Kernel filters down high-volume stream via standard libpcap packet capture library. Network libpcap Packet Stream Filtered Packet Stream Tcpdump Filter How Bro Works

13 Lawrence Berkeley National Laboratory 13 “Event engine” distills filtered stream into high-level, policy-neutral events reflecting underlying network activity –E.g., connection_attempt, http_reply, user_logged_in Network libpcap Event Engine Packet Stream Filtered Packet Stream Tcpdump Filter Event Stream Event Control How Bro Works

14 Lawrence Berkeley National Laboratory 14 “Policy script” processes event stream, incorporates: –Context from past events –Site’s particular policies Network libpcap Event Engine Policy Script Interpreter Packet Stream Filtered Packet Stream Tcpdump Filter Event Stream Event Control Real-time Notification Record To Disk Policy Script How Bro Works

15 Lawrence Berkeley National Laboratory 15 How Bro Works “Policy script” processes event stream, incorporates: –Context from past events –Site’s particular policies … and takes action : Records to disk Generates alerts via syslog or paging Executes programs as a form of response Network libpcap Event Engine Policy Script Interpreter Packet Stream Filtered Packet Stream Tcpdump Filter Event Stream Event Control Real-time Notification Record To Disk Policy Script

16 Lawrence Berkeley National Laboratory 16 Bro policy scripts Written in a specialized language for networks –Network types (IP addresses, connections, protocol, etc.) –Typed constanst, variables –Network operators (comparison, ranges, etc.) –Control statements (IF/THEN, etc.) –Regular expressions Can –Generate alerts –Reset connections –Call exterior programs

17 Lawrence Berkeley National Laboratory 17 Teasers Stepping Stone Detection (Telnet to SSH to Host) Non-standard port backdoor detection Work with Force Ten and Juniper for tighter “firewall” integration. Real Experiences –Max Butler (aka, MaxVision) –Worms (Code Red, Nimda) –Three lettered agency “gray hat” –Boyz from Brazil

18 Lawrence Berkeley National Laboratory 18 V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time. Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998. A later version appears in Computer Networks, 31(23- 24), pp. 2435-2463, 14 Dec. 1999. Y. Zhang and V. Paxson, Detecting Backdoors, Proc. 9th USENIX Security Symposium, August 2000. Y. Zhang and V. Paxson, Detecting Stepping Stones, Proc. 9th USENIX Security Symposium, August 2000. M. Handley, C. Kreibich and V. Paxson, Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Proc. 10th USENIX Security Symposium, August 2001. S. Staniford, V. Paxson and N. Weaver, How to 0wn the Internet in Your Spare Time, Proc. 11th USENIX Security Symposium 2002. D. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford, Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay, Proc. RAID 2002. D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, The Spread of the Sapphire/Slammer Worm, technical report, February 2003. Ruoming Pang and Vern Paxson, A High-level Programming Environment for Packet Trace Anonymization and Transformation, Proc. ACM SIGCOMM 2003, to appear. R. Sommer and V. Paxson, Detecting Network Intruders Using Contextual Signatures, in submission. Want to know more?

19 Lawrence Berkeley National Laboratory 19 “Vulnerability” Based Protection Network Equipment Tracking System NETS

20 Lawrence Berkeley National Laboratory 20 Current Method of Vulnerability Based Protection Range of Protection Analyze network Guess at “reasonable” firewall rules Hope the rules stay current (assume a static network) Safety Security Protection Capability Performance Access Static Point of Optimum Protection

21 Lawrence Berkeley National Laboratory 21 Continuous Optimization Constant analysis of network Protection measures adapt Safety Security Protection Capability Performance Access Dynamic Point of Optimization Optimum balance between protection and access

22 Lawrence Berkeley National Laboratory 22 Current NETS Prototype Oracle Database DNS forward Port Locator ARPwatch DNS reverse DHCP Server Logs Policies & Business Rules Reports Scan Dispatcher Targeted Systems LBLnet Control Future

23 Lawrence Berkeley National Laboratory 23 NETS Vision Fully automated vulnerability discovery and elimination Network information continuously collected Systems continuously scanned Network vulnerabilities detected as they appear Vulnerabilities immediately resolved Automatically Blocked Automatically alert owners/sys admins Automatically remove blocks when vulnerabilities are fixed Safe systems given full access -Internet access is maximized

24 Lawrence Berkeley National Laboratory 24 Future Integration With Bro NETS uses Bro information to prioritize vulnerabilities based a on threat BroNETS Extra attention given to vulnerabilities with a high risk of attack Extra attention to attacks against known weaknesses Bro uses NETS information to prioritize threats based on vulnerabilities

25 Lawrence Berkeley National Laboratory 25 Views of Protection “Threat” Based Protection “Vulnerability” Based Protection

26 Lawrence Berkeley National Laboratory 26 NETS and Bro Integration Network protection adapts based on both threats and vulnerabilities “Threat” and “Vulnerability” Based Protection

Download ppt "Lawrence Berkeley National Laboratory 1 James Rothfuss Computer Protection Program Manager Lawrence Berkeley National Lab Internet2 Security at Line Speed."

Similar presentations

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.

Intrusion Detection Systems (I) CS 6262 Fall 02. Definitions Intrusion Intrusion A set of actions aimed to compromise the security goals, namely A set.
Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.

Bro: A System for Detecting Network Intruders in Real-Time Vern Paxson Lawrence Berkeley National Laboratory,Berkeley, CA A stand-alone system for detecting.
F3 Collecting Network Based Evidence (NBE)

F3 Collecting Network Based Evidence (NBE)
SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.

SIEM Based Intrusion Detection Jim Beechey May 2010 GSEC, GCIA, GCIH, GCFA, GCWN twitter: jim_beechey.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Intrusion Detection Systems By: William Pinkerton and Sean Burnside.

Intrusion Detection Systems By: William Pinkerton and Sean Burnside.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
LittleOrange Internet Security an Endpoint Security Appliance.

LittleOrange Internet Security an Endpoint Security Appliance.
Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.

Lesson 9-Securing a Network. Overview Identifying threats to the network security. Planning a secure network.
seminar on Intrusion detection system

seminar on Intrusion detection system
Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS 395-0 Professor Yan Chen.

Bro: A System for Detecting Network Intruders in Real-Time Presented by Zachary Schneirov CS Professor Yan Chen.
1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.

1 The Spread of the Sapphire/Slammer Worm D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford, N. Weaver Presented by Stefan Birrer.
Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,

Intrusion Detection Systems. Definitions Intrusion –A set of actions aimed to compromise the security goals, namely Integrity, confidentiality, or availability,
COEN 252: Computer Forensics Router Investigation.

COEN 252: Computer Forensics Router Investigation.
Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.

Intrusion Detection - Arun Hodigere. Intrusion and Intrusion Detection Intrusion : Attempting to break into or misuse your system. Intruders may be from.
Lecture 11 Intrusion Detection (cont)

Lecture 11 Intrusion Detection (cont)
Bro: A System for Detecting network Intruders in Real-Time Vern Paxson Klevis Luli.

Bro: A System for Detecting network Intruders in Real-Time Vern Paxson Klevis Luli.
Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.

Network Intrusion Detection Systems Slides by: MM Clements A Adekunle The University of Greenwich.
INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

INTRUSION DETECTION SYSTEMS Tristan Walters Rayce West.

Similar presentations

Ads by Google