Page 1: Protection of an Open Computing Environment

James Rothfuss, Computer Protection Program Manager
Lawrence Berkeley National Lab

Internet2 Security at Line Speed Workshop
August 12, 2003

Lawrence Berkeley National Laboratory

Page 2: Presentation will cover

• Types of Protection
• Berkeley Lab Philosophy
• Bro
• NETS

Page 3: Classical Notion of Security

(Diagram labels: Secure, Restrict, Control, Hide)

Page 4: Often “Classical Security” is not appropriate

The tools can be so secure that their value is marginal.

Consider: when the goal is RESEARCH, a missed scientific breakthrough may be more costly and damaging than the worst “hacker” incident.

Page 5: Protective measures can be different without being less effective

(Diagram labels: Classified Protection, Commercial, Academic)

Page 6: Service Protection vs Information Protection

Page 7: Primary protection concerns

(Diagram: Service Protection vs Information Protection, with examples Weapons Research, Usenet newsgroups, Yahoo, Open Research, Online Store, Banking)

Page 8: “Threat” Based Protection vs “Vulnerability” Based Protection

“Threat” Based Protection: protective measures are based on the known attacks. Examples: Antivirus, Intrusion Detection, Bro.

“Vulnerability” Based Protection: system weaknesses are identified and protected. Examples: Firewalls, Patching, NETS.

Page 9: Underlying LBNL Philosophies

• Open by default, restrict as necessary
• Protect rather than Secure
• Utilize both Threat and Vulnerability Protection
• Strive for Dynamic Protection

Protecting an Open Environment is NOT EASY. Quality People are extremely important.

Page 10: LBL Intrusion Detection - Bro (“Threat” Based Protection)

• Analyzes network traffic for attacks and policy violations
• Operational 24x7 since 1996 (> 4 billion connections monitored & archived)
• Coupled with border router, provides an adaptive firewall
• Currently operational @ LBNL, NERSC, UCB, JGI, ESNET, ICSI …

Page 11: How Bro Works

• Taps GigEther fiber link passively, sends up a copy of all network traffic.

(Diagram: Network)

Page 12: How Bro Works

• Kernel filters down high-volume stream via standard libpcap packet capture library.

(Diagram: Network → Packet Stream → libpcap → Filtered Packet Stream; Tcpdump Filter applied at libpcap)

Page 13: How Bro Works

• “Event engine” distills filtered stream into high-level, policy-neutral events reflecting underlying network activity
  – E.g., connection_attempt, http_reply, user_logged_in

(Diagram: Network → Packet Stream → libpcap → Filtered Packet Stream → Event Engine → Event Stream; labels Tcpdump Filter, Event Control)

Page 14: How Bro Works

• “Policy script” processes event stream, incorporates:
  – Context from past events
  – Site’s particular policies

(Diagram: Network → Packet Stream → libpcap → Filtered Packet Stream → Event Engine → Event Stream → Policy Script Interpreter → Real-time Notification, Record To Disk; labels Tcpdump Filter, Event Control, Policy Script)

Page 15: How Bro Works

• “Policy script” processes event stream, incorporates:
  – Context from past events
  – Site’s particular policies
• … and takes action:
  • Records to disk
  • Generates alerts via syslog or paging
  • Executes programs as a form of response

(Diagram: Network → Packet Stream → libpcap → Filtered Packet Stream → Event Engine → Event Stream → Policy Script Interpreter → Real-time Notification, Record To Disk; labels Tcpdump Filter, Event Control, Policy Script)

Page 16: Bro policy scripts

• Written in a specialized language for networks
  – Network types (IP addresses, connections, protocol, etc.)
  – Typed constants, variables
  – Network operators (comparison, ranges, etc.)
  – Control statements (IF/THEN, etc.)
  – Regular expressions
• Can
  – Generate alerts
  – Reset connections
  – Call exterior programs
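The stages on slides 11 through 16 (passive tap, libpcap filter, event engine, policy script that keeps context and acts) are worked through in the following Python sketch. This is an added example, not Bro's code and not LBNL's: the event names connection_attempt and http_reply come from the slides, while the Packet and Event classes, the in-memory connection state, the port-sweep rule with its threshold of three refused ports, the constructed sample traffic and the `block` action are all assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str            # TCP flags: "S" syn, "SA" syn-ack, "A" ack, "R" reset
    payload: bytes = b""


@dataclass
class Event:
    name: str
    conn: tuple           # (originator, responder, responder_port)
    data: dict = field(default_factory=dict)


def packet_filter(packets, ports):
    """Stage 1, the kernel/libpcap filter: keep only traffic to or from the
    service ports the policy cares about (both directions)."""
    return [p for p in packets if p.dport in ports or p.sport in ports]


class EventEngine:
    """Stage 2: distil the filtered stream into policy-neutral events."""

    def __init__(self):
        self.state = {}   # conn -> "attempt" | "established"

    def _orient(self, p):
        rev = (p.dst, p.src, p.sport)          # a reply to a connection we know
        return (rev, "resp") if rev in self.state else ((p.src, p.dst, p.dport), "orig")

    def process(self, packets):
        for p in packets:
            conn, side = self._orient(p)
            st = self.state.get(conn)
            if side == "orig" and p.flags == "S" and st is None:
                self.state[conn] = "attempt"
                yield Event("connection_attempt", conn)
            elif side == "resp" and p.flags == "SA" and st == "attempt":
                self.state[conn] = "established"
                yield Event("connection_established", conn)
            elif side == "resp" and p.flags == "R" and st == "attempt":
                del self.state[conn]
                yield Event("connection_rejected", conn)
            elif side == "resp" and st == "established" and p.payload.startswith(b"HTTP/"):
                yield Event("http_reply", conn, {"status": p.payload.split(b" ", 2)[1].decode()})


class PolicyScript:
    """Stage 3: site policy. Keeps context across events and takes action."""

    SCAN_THRESHOLD = 3    # distinct service ports refused to one source (assumption)

    def __init__(self, actions=None):
        self.actions = actions or {}       # "block": callable(src); stands in for running a program
        self.refused = defaultdict(set)    # context from past events: src -> ports refused
        self.flagged = set()
        self.notices = []                  # would go out via syslog or paging
        self.log = []                      # would be recorded to disk

    def handle(self, ev):
        self.log.append((ev.name, ev.conn, ev.data))
        if ev.name == "connection_rejected":
            orig, _resp, port = ev.conn
            self.refused[orig].add(port)
            if len(self.refused[orig]) >= self.SCAN_THRESHOLD and orig not in self.flagged:
                self.flagged.add(orig)
                self.notices.append(("PortScan", orig, sorted(self.refused[orig])))
                if "block" in self.actions:
                    self.actions["block"](orig)


def run_pipeline(packets, ports=(22, 80, 443), actions=None):
    engine, policy = EventEngine(), PolicyScript(actions)
    for ev in engine.process(packet_filter(packets, ports)):
        policy.handle(ev)
    return policy


# Constructed sample traffic, not a real capture: one source sweeping a host
# (each probe refused with a reset) and one legitimate web client.
SCANNER, TARGET, CLIENT = "203.0.113.9", "198.51.100.5", "192.0.2.7"
SAMPLE_PACKETS = []
for i, port in enumerate((22, 80, 443, 8080)):        # 8080 is outside the filter
    SAMPLE_PACKETS += [Packet(SCANNER, TARGET, 40000 + i, port, "S"),
                       Packet(TARGET, SCANNER, port, 40000 + i, "R")]
SAMPLE_PACKETS += [Packet(CLIENT, TARGET, 51000, 80, "S"),
                   Packet(TARGET, CLIENT, 80, 51000, "SA"),
                   Packet(TARGET, CLIENT, 80, 51000, "A", b"HTTP/1.1 200 OK\r\n")]

if __name__ == "__main__":
    blocked = []
    result = run_pipeline(SAMPLE_PACKETS, actions={"block": blocked.append})
    print(result.notices, blocked, len(result.log))
```

Running the block yields one PortScan notice for the sweeping source, the block action invoked once, and nine recorded events; the probe to port 8080 never reaches the event engine because the filter stage drops it, which is the volume reduction the libpcap stage exists for. In Bro itself the policy is written in its own language and the response is an external program or a connection reset; here a Python callable stands in for that.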

Page 17: Teasers

• Stepping Stone Detection (Telnet to SSH to Host)
• Non-standard port backdoor detection
• Work with Force Ten and Juniper for tighter “firewall” integration.
• Real Experiences
  – Max Butler (aka, MaxVision)
  – Worms (Code Red, Nimda)
  – Three lettered agency “gray hat”
  – Boyz from Brazil

Page 18: Want to know more?

V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time. Proceedings of the 7th USENIX Security Symposium, San Antonio, TX, January 1998. A later version appears in Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.

Y. Zhang and V. Paxson, Detecting Backdoors. Proc. 9th USENIX Security Symposium, August 2000.

Y. Zhang and V. Paxson, Detecting Stepping Stones. Proc. 9th USENIX Security Symposium, August 2000.

M. Handley, C. Kreibich and V. Paxson, Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Proc. 10th USENIX Security Symposium, August 2001.

S. Staniford, V. Paxson and N. Weaver, How to 0wn the Internet in Your Spare Time. Proc. 11th USENIX Security Symposium, 2002.

D. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit and S. Staniford, Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay. Proc. RAID 2002.

D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, The Spread of the Sapphire/Slammer Worm. Technical report, February 2003.

R. Pang and V. Paxson, A High-level Programming Environment for Packet Trace Anonymization and Transformation. Proc. ACM SIGCOMM 2003, to appear.

R. Sommer and V. Paxson, Detecting Network Intruders Using Contextual Signatures. In submission.

Page 19: NETS - Network Equipment Tracking System (“Vulnerability” Based Protection)

Page 20: Current Method of Vulnerability Based Protection

• Analyze network
• Guess at “reasonable” firewall rules
• Hope the rules stay current (assume a static network)

(Diagram: Range of Protection between Safety / Security / Protection and Capability / Performance / Access; a Static Point of Optimum Protection)

Page 21: Continuous Optimization

• Constant analysis of network
• Protection measures adapt

(Diagram: Safety / Security / Protection vs Capability / Performance / Access; a Dynamic Point of Optimization)

Optimum balance between protection and access

Page 22: Current NETS Prototype

(Diagram: Oracle Database fed by DNS forward, DNS reverse, Port Locator, ARPwatch and DHCP Server Logs; Policies & Business Rules; Reports; Scan Dispatcher → Targeted Systems; LBLnet Control marked Future)

Page 23: NETS Vision - Fully automated vulnerability discovery and elimination

• Network information continuously collected
• Systems continuously scanned
• Network vulnerabilities detected as they appear
• Vulnerabilities immediately resolved
  • Automatically blocked
  • Automatically alert owners/sys admins
  • Automatically remove blocks when vulnerabilities are fixed

Safe systems given full access - Internet access is maximized
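The bullets above describe one control loop: collect, scan, detect, block and alert, and unblock once fixed. The Python block below is an added example of that loop and is not NETS code: the inventory record format, the owner table, the severity rule deciding which findings cause a block, the constructed vulnerability ids (placeholders, not real identifiers) and the scan rounds are all assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    vuln_id: str       # constructed placeholder id, not a real vulnerability identifier
    severity: str      # "critical" | "high" | "medium" | "low"


def hosts_to_scan(inventory, now, max_age=3600):
    """Network information continuously collected: pick hosts seen recently in
    DHCP/ARP-style records. Constructed record format: (ip, mac, last_seen_epoch)."""
    return sorted({ip for ip, _mac, seen in inventory if now - seen <= max_age})


class BlockController:
    """Assumed NETS-style control loop: blocking findings block a host and alert
    its owner; a clean rescan lifts the block automatically."""

    BLOCKING = {"critical", "high"}   # policy / business rule (assumption)

    def __init__(self, owners):
        self.owners = owners     # ip -> owner contact (from inventory)
        self.blocked = {}        # ip -> sorted vuln ids that caused the block
        self.alerts = []         # (recipient, message): would go to owners/sysadmins
        self.history = []        # audit trail of block/unblock decisions

    def ingest_scan(self, ip, findings):
        reasons = sorted(f.vuln_id for f in findings if f.severity in self.BLOCKING)
        owner = self.owners.get(ip, "unknown-owner")
        if reasons and ip not in self.blocked:
            self.blocked[ip] = reasons
            self.alerts.append((owner, f"{ip} blocked: {', '.join(reasons)}"))
            self.history.append(("block", ip, reasons))
        elif reasons and self.blocked.get(ip) != reasons:
            self.blocked[ip] = reasons        # still vulnerable, reason set changed
            self.history.append(("update", ip, reasons))
        elif not reasons and ip in self.blocked:
            del self.blocked[ip]
            self.alerts.append((owner, f"{ip} unblocked: vulnerabilities fixed"))
            self.history.append(("unblock", ip, []))
        return self.access(ip)

    def access(self, ip):
        """Safe systems get full access; blocked ones do not."""
        return "blocked" if ip in self.blocked else "full"


def run_rounds(controller, inventory, scan_rounds, now=1_000_000):
    """Drive the loop over several scan rounds; each round maps ip -> findings."""
    decisions = []
    for round_findings in scan_rounds:
        for ip in hosts_to_scan(inventory, now):
            decisions.append((ip, controller.ingest_scan(ip, round_findings.get(ip, []))))
    return decisions


# Constructed inventory, owners and scan results (not real data).
INVENTORY = [
    ("198.51.100.10", "00:00:5e:00:53:01", 999_800),
    ("198.51.100.11", "00:00:5e:00:53:02", 999_900),
    ("198.51.100.12", "00:00:5e:00:53:03", 900_000),   # stale record, not scanned
]
OWNERS = {"198.51.100.10": "alice", "198.51.100.11": "bob"}
SCAN_ROUNDS = [
    {"198.51.100.10": [Finding("VULN-ssh-old", "critical"), Finding("VULN-banner", "low")],
     "198.51.100.11": [Finding("VULN-banner", "low")]},
    {"198.51.100.10": [Finding("VULN-banner", "low")],     # critical issue fixed
     "198.51.100.11": [Finding("VULN-banner", "low")]},
]

if __name__ == "__main__":
    ctl = BlockController(OWNERS)
    for ip, decision in run_rounds(ctl, INVENTORY, SCAN_ROUNDS):
        print(ip, decision)
    print(ctl.alerts)
```

In the sample, the first host is blocked on the first round, its owner is alerted, and the block is removed without operator involvement when the second round comes back clean; the low-severity finding on both hosts never affects access. The stale inventory record shows the "continuously collected" part: a host that has not been seen recently is not scanned at all, so the target list tracks the live network rather than a static address plan.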

Page 24: Future Integration With Bro

NETS uses Bro information to prioritize vulnerabilities based on a threat.

Bro uses NETS information to prioritize threats based on vulnerabilities.

(Diagram: Bro ↔ NETS. Extra attention given to vulnerabilities with a high risk of attack; extra attention to attacks against known weaknesses.)
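The two-way prioritization on this slide, as an added example in Python (not Bro or NETS code): the mapping from a Bro attack type to the weakness it exercises, the severity scores, the boost value, and the sample findings and notices are constructed placeholders, not real vulnerability identifiers or real detections.

```python
from collections import defaultdict

# Constructed mapping from the kind of attack Bro reports to the weakness it
# targets (placeholder ids on both sides, assumption for illustration).
ATTACK_TARGETS = {
    "ssh_bruteforce": "VULN-ssh-weak-auth",
    "iis_overflow_probe": "VULN-iis-unpatched",
}

SEVERITY_SCORE = {"critical": 4, "high": 3, "medium": 2, "low": 1}   # assumption


def prioritize_vulns(nets_findings, bro_notices, boost=3):
    """NETS side: rank (host, vuln) pairs, boosting those Bro has seen attacked.
    nets_findings: host -> [(vuln_id, severity)]; bro_notices: [{src, dst, attack}]."""
    attacked = defaultdict(int)   # (host, vuln_id) -> attacks observed against it
    for n in bro_notices:
        vuln = ATTACK_TARGETS.get(n["attack"])
        if vuln:
            attacked[(n["dst"], vuln)] += 1
    ranked = []
    for host, findings in nets_findings.items():
        for vuln_id, severity in findings:
            score = SEVERITY_SCORE[severity] + boost * attacked[(host, vuln_id)]
            ranked.append((score, host, vuln_id))
    return sorted(ranked, reverse=True)


def prioritize_threats(bro_notices, nets_findings):
    """Bro side: rank notices; attacks against a host's known weakness come first."""
    known = {(host, vuln_id) for host, fs in nets_findings.items() for vuln_id, _ in fs}
    ranked = []
    for n in bro_notices:
        hits_known_weakness = (n["dst"], ATTACK_TARGETS.get(n["attack"])) in known
        ranked.append((2 if hits_known_weakness else 1, n["dst"], n["attack"], n["src"]))
    return sorted(ranked, reverse=True)


# Constructed sample data (not real scan results or detections).
NETS_FINDINGS = {
    "198.51.100.20": [("VULN-ssh-weak-auth", "medium"), ("VULN-iis-unpatched", "high")],
    "198.51.100.21": [("VULN-ssh-weak-auth", "medium")],
}
BRO_NOTICES = [
    {"src": "203.0.113.5", "dst": "198.51.100.20", "attack": "ssh_bruteforce"},
    {"src": "203.0.113.6", "dst": "198.51.100.21", "attack": "iis_overflow_probe"},
]

if __name__ == "__main__":
    print(prioritize_vulns(NETS_FINDINGS, BRO_NOTICES))
    print(prioritize_threats(BRO_NOTICES, NETS_FINDINGS))
```

With the sample data, the medium-severity weakness on the first host outranks the high-severity one because Bro has actually seen it attacked, and the attack on the first host outranks the one on the second because the second host does not carry the weakness that attack exercises. The boost is deliberately a tunable: how far observed threat should override static severity is a site decision.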

Page 25: Views of Protection

“Threat” Based Protection

“Vulnerability” Based Protection

Page 26: NETS and Bro Integration

Network protection adapts based on both threats and vulnerabilities.

“Threat” and “Vulnerability” Based Protection