Lawrence Berkeley National Laboratory
Protection of an Open Computing Environment
James Rothfuss
Computer Protection Program Manager
Lawrence Berkeley National Lab
Internet2
Security at Line Speed Workshop
August 12, 2003
Presentation will cover:
• Types of Protection
• Berkeley Lab Philosophy
• Bro
• NETS
Classical Notion of Security
Secure
Restrict
Control
Hide
Often “Classical Security” is not appropriate
The tools can be so secure that their value is marginal.
Consider: when the goal is RESEARCH, a missed scientific breakthrough may be more costly and damaging than the worst “hacker” incident.
Protective measures can be different without being less effective
[Diagram: Classified Protection, Commercial, Academic]
Service Protection vs Information Protection
Primary protection concerns
Service Protection
Information Protection
“Threat” Based Protection
Protective measures are based on the known attacks.
Examples: Antivirus, Intrusion Detection, Firewalls, Bro
“Vulnerability” Based Protection
System weaknesses are identified and protected.
Examples: Patching, NETS
Underlying LBNL Philosophies
• Open by default, restrict as necessary
• Protect rather than Secure
• Utilize both Threat and Vulnerability Protection
• Strive for Dynamic Protection
Protecting an Open Environment is NOT EASY
Quality People are extremely important
LBL Intrusion Detection - Bro (“Threat” Based Protection)
• Analyzes network traffic for attacks and policy violations
• Operational 24x7 since 1996 (> 4 billion connections monitored & archived)
• Coupled with border router, provides an adaptive firewall
• Currently operational @ LBNL, NERSC, UCB, JGI, ESNET, ICSI …
How Bro Works
[Diagram: Network → Packet Stream → libpcap → Tcpdump Filter → Filtered Packet Stream → Event Engine → Event Stream / Event Control → Policy Script Interpreter (Policy Script) → Real-time Notification, Record To Disk]
• Taps GigEther fiber link passively, sends up a copy of all network traffic.
• Kernel filters down high-volume stream via standard libpcap packet capture library.
• “Event engine” distills filtered stream into high-level, policy-neutral events reflecting underlying network activity
– E.g., connection_attempt, http_reply, user_logged_in
• “Policy script” processes event stream, incorporates:
– Context from past events
– Site’s particular policies
• … and takes action:
– Records to disk
– Generates alerts via syslog or paging
– Executes programs as a form of response
Bro policy scripts
• Written in a specialized language for networks
– Network types (IP addresses, connections, protocol, etc.)
– Typed constants, variables
– Network operators (comparison, ranges, etc.)
– Control statements (IF/THEN, etc.)
– Regular expressions
• Can
– Generate alerts
– Reset connections
– Call exterior programs
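The pipeline on the "How Bro Works" slides (kernel filter, event engine, policy script) and the policy-script features listed here, modelled as an added Python example. This is not Bro code and not from the original deck: the sample packets, the 10.0.0.0/8 site range, the scan threshold, the `telnet_data` event name and the action strings are all constructed assumptions; only `connection_attempt` and `http_reply` are event names the slides mention. It shows why the event layer is kept policy-neutral: the same events feed a policy that keeps context across events (distinct local hosts touched per outside source) and then records, alerts, or hands a response to an external program.

```python
"""Toy model of the Bro pipeline: packet stream -> kernel (libpcap/tcpdump) filter
-> event engine (policy-neutral events) -> policy script (context + site policy -> actions).
Constructed illustration; not Bro's own code."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import re


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False        # True for a TCP SYN, i.e. a connection attempt
    payload: bytes = b""


# Constructed sample traffic (documentation address ranges), not a real capture.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", "10.1.0.5", 40001, 80, syn=True),
    Packet("10.1.0.5", "192.0.2.10", 80, 40001, payload=b"HTTP/1.0 200 OK\r\n"),
    Packet("198.51.100.7", "10.1.0.1", 40002, 23, syn=True),
    Packet("198.51.100.7", "10.1.0.2", 40003, 23, syn=True),
    Packet("198.51.100.7", "10.1.0.3", 40004, 23, syn=True),
    Packet("198.51.100.7", "10.1.0.4", 40005, 23, syn=True),
    Packet("10.1.0.4", "198.51.100.7", 23, 40005, payload=b"login: "),
    Packet("203.0.113.9", "10.1.0.5", 40006, 443, syn=True),   # outside the filter, never reaches Bro
]

# Stage 1: the kernel-side filter, standing in for a tcpdump expression such as
# "tcp port 23 or tcp port 80" compiled through libpcap.
WATCHED_PORTS = {23, 80}


def kernel_filter(packets, ports=WATCHED_PORTS):
    return [p for p in packets if p.sport in ports or p.dport in ports]


# Stage 2: the event engine knows protocols, not policy. It emits (name, args) events.
def event_engine(packets):
    events = []
    for p in packets:
        if p.syn:
            events.append(("connection_attempt", {"orig": p.src, "resp": p.dst, "port": p.dport}))
        elif p.sport == 80 and p.payload.startswith(b"HTTP/"):
            status = int(p.payload.split()[1])
            events.append(("http_reply", {"orig": p.dst, "resp": p.src, "status": status}))
        elif p.sport == 23 and p.payload:
            events.append(("telnet_data", {"orig": p.dst, "resp": p.src,
                                           "data": p.payload.decode("ascii", "replace")}))
    return events


# Stage 3: the policy script. Typed constants, a network range, a regular expression,
# context kept across events, and the three kinds of action from the slides.
LOCAL_NET = ip_network("10.0.0.0/8")      # assumed site address space
SCAN_THRESHOLD = 3                         # distinct local hosts before we call it a scan
LOGIN_PROMPT = re.compile(r"login:", re.IGNORECASE)


class PolicyScript:
    def __init__(self):
        self.log = []          # "record to disk"
        self.alerts = []       # "alerts via syslog or paging"
        self.responses = []    # "execute programs", e.g. push an ACL to the border router
        self.targets = defaultdict(set)   # context: local hosts each external source has touched

    def handle(self, name, args):
        handler = getattr(self, "on_" + name, None)
        if handler is not None:
            handler(**args)

    def on_connection_attempt(self, orig, resp, port):
        self.log.append(f"conn {orig} -> {resp}:{port}")
        if ip_address(orig) not in LOCAL_NET and ip_address(resp) in LOCAL_NET:
            self.targets[orig].add(resp)
            if len(self.targets[orig]) == SCAN_THRESHOLD:
                self.alerts.append(f"scan from {orig}")
                self.responses.append(f"block {orig}")

    def on_http_reply(self, orig, resp, status):
        self.log.append(f"http {resp} -> {orig} status {status}")

    def on_telnet_data(self, orig, resp, data):
        # Site policy: a cleartext login prompt offered to an outside host is worth an alert.
        if LOGIN_PROMPT.search(data) and ip_address(orig) not in LOCAL_NET:
            self.alerts.append(f"telnet login prompt from {resp} to external {orig}")


def run(packets=SAMPLE_PACKETS):
    policy = PolicyScript()
    for name, args in event_engine(kernel_filter(packets)):
        policy.handle(name, args)
    return policy
```

Running `run()` on the constructed traffic drops the port-443 packet at the filter, logs six events, raises a scan alert after the third distinct telnet target and a second alert for the cleartext login prompt, and queues one block response; the block decision lives entirely in the policy layer, so changing the site's threshold or address range never touches the event engine.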
Teasers
• Stepping Stone Detection (Telnet to SSH to Host)
• Non-standard port backdoor detection
• Work with Force Ten and Juniper for tighter “firewall” integration.
• Real Experiences
– Max Butler (aka, MaxVision)
– Worms (Code Red, Nimda)
– Three lettered agency “gray hat”
– Boyz from Brazil
Want to know more?
V. Paxson, Bro: A System for Detecting Network Intruders in Real-Time. Proc. 7th USENIX Security Symposium, San Antonio, TX, January 1998. A later version appears in Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999.
Y. Zhang and V. Paxson, Detecting Backdoors. Proc. 9th USENIX Security Symposium, August 2000.
Y. Zhang and V. Paxson, Detecting Stepping Stones. Proc. 9th USENIX Security Symposium, August 2000.
M. Handley, C. Kreibich and V. Paxson, Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. Proc. 10th USENIX Security Symposium, August 2001.
S. Staniford, V. Paxson and N. Weaver, How to 0wn the Internet in Your Spare Time. Proc. 11th USENIX Security Symposium, 2002.
D. Donoho, A. G. Flesia, U. Shankar, V. Paxson, J. Coit, and S. Staniford, Multiscale Stepping-Stone Detection: Detecting Pairs of Jittered Interactive Streams by Exploiting Maximum Tolerable Delay. Proc. RAID 2002.
D. Moore, V. Paxson, S. Savage, C. Shannon, S. Staniford and N. Weaver, The Spread of the Sapphire/Slammer Worm. Technical report, February 2003.
R. Pang and V. Paxson, A High-level Programming Environment for Packet Trace Anonymization and Transformation. Proc. ACM SIGCOMM 2003, to appear.
R. Sommer and V. Paxson, Detecting Network Intruders Using Contextual Signatures. In submission.
“Vulnerability” Based Protection
Network Equipment Tracking System (NETS)
Current Method of Vulnerability Based Protection
[Diagram: a static range of protection on a scale between Safety/Security/Protection and Capability/Performance/Access, with a single point of optimum protection]
• Analyze network
• Guess at “reasonable” firewall rules
• Hope the rules stay current (assume a static network)
Continuous Optimization
[Diagram: the same Safety/Security/Protection vs Capability/Performance/Access scale, with a dynamic point of optimization]
• Constant analysis of network
• Protection measures adapt
Optimum balance between protection and access
Current NETS Prototype
[Diagram: LBLnet; DNS forward; DNS reverse; ARPwatch; Port Locator; DHCP Server Logs; Oracle Database; Policies & Business Rules; Scan Dispatcher; Targeted Systems; Future: Reports, Control]
NETS Vision
Fully automated vulnerability discovery and elimination
• Network information continuously collected
• Systems continuously scanned
• Network vulnerabilities detected as they appear
• Vulnerabilities immediately resolved
– Automatically blocked
– Automatically alert owners/sys admins
– Automatically remove blocks when vulnerabilities are fixed
Safe systems given full access: Internet access is maximized
Future Integration With Bro
NETS uses Bro information to prioritize vulnerabilities based on threat: extra attention given to vulnerabilities with a high risk of attack.
Bro uses NETS information to prioritize threats based on vulnerabilities: extra attention to attacks against known weaknesses.
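The NETS Vision loop (scan, block, notify the owner, unblock once the weakness is gone) and the two-way prioritization on this slide, as an added Python example. It is not NETS code and not from the original deck: the host records, weakness ids, the Bro attack feed and the scoring rule (one point per weakness plus one per attack Bro has observed against it) are constructed assumptions. The point it makes is that each scan round is reconciled against the current block state, so a host is blocked once, its owner told why, and the block removed automatically on the first clean scan; the Bro feed only reorders the queue, it never changes what gets blocked.

```python
"""Toy model of the NETS vision: scan findings drive blocks, notifications and unblocks;
Bro-observed attacks raise the priority of the weaknesses they target, and NETS findings
raise the priority of attacks against weaknesses the site actually has. Constructed."""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Host:
    """A system NETS knows about from its network data sources (constructed record)."""
    addr: str
    owner: str
    vulns: set = field(default_factory=set)   # weakness ids found by the last scan
    blocked: bool = False                      # whether a border block is currently in place


class Nets:
    def __init__(self, hosts):
        self.hosts = {h.addr: h for h in hosts}
        self.actions = []              # what a real system would push to the router and to e-mail
        self.attacks_seen = Counter()  # hypothetical Bro feed: attacks observed per weakness id

    def ingest_bro_attacks(self, weakness_ids):
        """One entry per attack Bro observed against a known weakness."""
        self.attacks_seen.update(weakness_ids)

    def scan_round(self, findings):
        """Apply one scan round (addr -> weakness ids) and return the actions it caused."""
        start = len(self.actions)
        for addr, host in self.hosts.items():
            host.vulns = set(findings.get(addr, ()))
            if host.vulns and not host.blocked:
                host.blocked = True
                self.actions.append(("block", addr))
                self.actions.append(("notify", host.owner, f"{addr} blocked: {sorted(host.vulns)}"))
            elif not host.vulns and host.blocked:
                host.blocked = False
                self.actions.append(("unblock", addr))
                self.actions.append(("notify", host.owner, f"{addr} restored: scan clean"))
        return self.actions[start:]

    def vulnerability_priority(self):
        """NETS uses Bro information: vulnerable hosts ordered by how attacked their weaknesses are."""
        scored = [(sum(1 + self.attacks_seen[v] for v in h.vulns), h.addr)
                  for h in self.hosts.values() if h.vulns]
        return [addr for _, addr in sorted(scored, key=lambda s: (-s[0], s[1]))]

    def threat_priority(self, weakness_id):
        """Bro uses NETS information: an attack matters more when some host carries that weakness."""
        exposed = [h.addr for h in self.hosts.values() if weakness_id in h.vulns]
        return "high" if exposed else "low"


def make_hosts():
    # Constructed inventory, the kind NETS would assemble from DNS, ARPwatch and DHCP logs.
    return [Host("10.1.0.1", "alice"), Host("10.1.0.2", "bob"), Host("10.1.0.3", "carol")]


def demo():
    nets = Nets(make_hosts())
    round1 = nets.scan_round({"10.1.0.1": {"WEAK-A"}, "10.1.0.2": {"WEAK-B"}})
    nets.ingest_bro_attacks(["WEAK-B", "WEAK-B"])       # Bro saw WEAK-B attacked twice
    priority = nets.vulnerability_priority()              # WEAK-B host moves to the front
    round2 = nets.scan_round({"10.1.0.2": {"WEAK-B"}})    # 10.1.0.1 came back clean
    return nets, round1, priority, round2
```

In `demo()`, round one blocks two hosts and notifies their owners, the Bro feed moves the WEAK-B host ahead of the WEAK-A host in the work queue, and round two lifts only the block on the host whose scan is now clean while leaving the still-vulnerable host blocked without a duplicate action.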
Views of Protection
“Threat” Based Protection
“Vulnerability” Based Protection
NETS and Bro Integration
“Threat” and “Vulnerability” Based Protection
Network protection adapts based on both threats and vulnerabilities