Expanding Network Testing with Virtual Cyber Ranges
Realistic, Repeatable, Flexible, Inexpensive Cyber Testing
Stuart M. Dyer, CISM, SVP, Business Development & Operations, TeleniX Corporation (Tel: 410-772-3275, stuart.dyer@telenix.com)
Huntsville ITEA Symposium, November 5, 2015


Page 1

Expanding Network Testing with Virtual Cyber Ranges

Stuart M. Dyer, CISM
SVP, Business Development & Operations
TeleniX Corporation
Tel: 410-772-3275
stuart.dyer@telenix.com

Realistic, Repeatable, Flexible, Inexpensive Cyber Testing

Huntsville ITEA Symposium
November 5, 2015

Page 2

• Cyber Testing Challenges
• Bottom Line Up Front (BLUF)
• Virtual Emulation Environment (VEE)/Virtual Cyber Range (VCR)
• How a VEE-enabled Virtual Cyber Range (VCR) Can Support Low-Cost Cyber Testing
• Cyber Testing Comparisons
• VEE/VCR Summary

Page 3

• Demand for Cyber testing continues to outstrip supply.

• Different and competing demand signals for cyber ranges e.g. testing, training, exercises….

• Current DoD Cyber Ranges can only support a fraction of the demand.

• Building, installing, operating and maintaining cyber ranges can be costly and time consuming.

• Agility and flexibility are challenges given the dynamic pace of technology changes.

• Fidelity of realism is lost since real networks are not used.


Page 4

Early and continuous Network and Cyber Testing is critical to credible results, but can be cost ineffective.

TeleniX's Virtual Emulation Environment (VEE)/Virtual Cyber Range (VCR) reverse-engineers a network from data collected on it to produce a clone. On that clone we gain deep visibility into network operations, understand network dynamics, test against the network's attack surfaces, and practice defending the network.

VEE uses actual Internet code for all protocols powering the Global Internet.

Page 5

VEE Internet-in-a-Box

• Clone network in VEE – using actual network protocol implementations and configurations
• Reverse-engineer a network in VEE – pcap, router configs, NetFlow, SNMP…
• Emulate network clone in VEE – packet encapsulations, route tables, link bandwidth utilization, …

VEE uses actual code for protocols powering the Global Internet.

Page 6

1. Manually – drag/drop/connect from a library of pre-configured components (hosts, routers, switches, …)

2. Automatically generate notional networks (e.g. number of nodes = 50, average node degree = 3)

3. Reverse-engineer a network from data collected on it. Three data feeds:
   • Full capture (top middle rectangle)
   • Router configs (big circle)
   • NetFlow (left and right vertical)

Note: Pre-configured components are virtual clones of vendors' networking products. They are created based on publicly available information about these products.
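As an added illustration of the third approach (this is example code, not TeleniX VEE code), the block below recovers subnets, inter-router links, host placement and candidate server roles from constructed router configs and NetFlow-like records; the router names, addresses and flow tuples are all assumed sample data.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed data (not from any real network): Cisco-style interface stanzas
# for two routers and NetFlow-like records (src, dst, proto, dst_port, bytes).
ROUTER_CONFIGS = {
    "R1": "interface Gi0/0\n ip address 10.1.0.1 255.255.255.0\n"
          "interface Gi0/1\n ip address 10.0.12.1 255.255.255.252\n",
    "R2": "interface Gi0/0\n ip address 10.2.0.1 255.255.255.0\n"
          "interface Gi0/1\n ip address 10.0.12.2 255.255.255.252\n",
}
FLOWS = [
    ("10.1.0.25", "10.2.0.80", "tcp", 443, 5120),
    ("10.2.0.80", "10.1.0.25", "tcp", 51000, 90000),
    ("10.1.0.25", "10.1.0.53", "udp", 53, 120),
]
IFACE_RE = re.compile(r"ip address (\S+) (\S+)")


def parse_subnets(configs):
    """Map each subnet found in the configs to the routers holding an address on it."""
    subnets = defaultdict(set)
    for router, text in configs.items():
        for addr, mask in IFACE_RE.findall(text):
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            subnets[net].add(router)
    return subnets


def router_links(subnets):
    """A subnet with addresses on two routers is an inter-router link."""
    return sorted(tuple(sorted(r)) for r in subnets.values() if len(r) == 2)


def place_hosts(flows, subnets):
    """Attach each flow endpoint to the subnet (and gateway router) it falls in."""
    placement = {}
    for src, dst, *_ in flows:
        for ip in (src, dst):
            addr = ipaddress.ip_address(ip)
            for net, routers in subnets.items():
                if addr in net:
                    placement[ip] = (str(net), min(routers))
    return placement


def server_roles(flows):
    """Endpoints that receive traffic on well-known ports are candidate servers."""
    roles = defaultdict(set)
    for _, dst, proto, port, _ in flows:
        if port < 1024:
            roles[dst].add(f"{proto}/{port}")
    return {h: sorted(p) for h, p in roles.items()}
```

The output (subnets, links, host-to-subnet placement, server roles) is the inventory a clone would be built from; a real collection adds SNMP and full capture to fill in what flows alone cannot show.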

Page 7

• Configure network infrastructure – SDH, GigEther, LANs, MANs, WANs, IPv4/IPv6, RIP, OSPF, BGP, LDP, MPLS, DNS, DHCP, clients, servers, …; SS7, WDM, CDMA, GSM, P2P, VoIP
• Configure network security – firewalls, ACLs, IPsec, IKE/ISAKMP, VPNs, HAIPE, vulnerabilities, malware, NVD, DISA STIGs…
• Configure wireless/mobility devices – IEEE 802.11, Mobile-IP, MANETs…
• Use realistic data sets for testing – sufficient size, proper encapsulations

VEE: Clone networks (e.g. SCADA) controlling critical infrastructures to harden against cyber attacks

Emulate and Harden Networks Controlling Critical Infrastructures

Page 8

VEE: Virtual Cyber Range

Virtual Cyber Range (VCR)
• Seamless integration of TeleniX VEE with real or virtualized servers or networks via an Ethernet switch

VCR on three Mini-ITXs
• One Mini-ITX: VEE emulating the network
• One Mini-ITX: Cluster A hosting servers
• One Mini-ITX: Cluster B hosting more servers & cyber attack tools or test drivers

Connect VCR to other VCRs
• Create a System of Systems

Plug and play for cyber testing or training
• Configure defensive or offensive cyber tools for DCO/CDX, OCO and DODIN testing/training

VCR resides in a case not much bigger than a lunchbox.

Page 9

Virtual Cyber Range for Cyber Testing/Training


Page 10

Virtual-Live Integration for cyber testing and cyber training

Plug-and-play cyber T&E of a network device by attaching it to an Ethernet port

[Diagram labels: Real Router/Switch, Windows, Linux/UNIX, Virtual Router, Virtual System, Real Network]


Page 13

Vision: Interconnected Virtual Cyber Ranges (VCRs)

Cyber Warriors Training
Cyber Warfighting Systems Testing

Anywhere and Anytime

Page 14

VEE has been used to test networks in design, in development, and as employed, prior to HW and SW additions/modifications.

• Clone & emulate network with full fidelity
• Reverse-engineer network to create network/cyber situational awareness
• Emulate cyber Command & Control (C2)
• Test network responses to cyber attacks with minimal HW
• Test interfaces with Joint & Allied nets
• Emulate cyberspace operations: CND, CNA, CNE

Page 15

Cyber Testing Solutions Comparisons

| Challenge | Cyber Farm Approach | Virtual Cyber Range Approach |
| --- | --- | --- |
| Test environment basis | Custom hardware/software | Low-cost laptop to server-class multi-core machine(s) |
| Expense ($) | $$$$$$ | $$ |
| Scalability | Limited – adding a custom HW/SW upgrade is expensive | Inexpensive – adding a commodity machine and/or added functionality is low cost |
| Space needed | Dedicated room and rack(s) | Essentially none |

Page 16

Cyber Testing Solutions Comparisons (continued)

| Challenge | Cyber Farm Approach | Virtual Cyber Range Approach |
| --- | --- | --- |
| Resources to operate & manage | Dedicated team of administrators and network engineers | User operates and manages his own progression on his own laptop |
| Classified environment access | Dedicated SCIF with electromagnetic controls surrounding the range | Any SCIF and a small Faraday cage |
| User control over cyber testing | Limited – may require strict scheduling of times for use | Unlimited – cyber testing anywhere and anytime |
| AC power | Significant for large configurations | Insignificant |

Page 17

• Network clones reverse-engineered from net data
  – Several major Government/DoD networks already cloned

• Network emulations including prototypes with realistic responses down to the bit level and with precise timing

• Interface VCR to real server hardware/devices and actual networks to allow rapid testing of fielded systems

• Expand test environments with low-cost clones of Service, Joint, and Allied networks for System of Systems testing

• Available under license to Government Agencies


Low-Cost, High Fidelity Cyber Testing Using VEE/VCR

Page 18

Questions?


Low-Cost, High Fidelity Cyber Testing Using VEE/VCR

POCs:
Dr. Deepinder Sidhu, Chief Technologist, TeleniX Corporation, [email protected]
or Stuart M. Dyer, stuart.dyer@telenix.com

VEE: Clone & Emulate Actual Networks for Cyber Testing/Training
Network/Cyber Training
Virtual Cyber Range for Realistic Network Testing and Training

Page 19


Abstract

Operational DoD networks today are systems of systems (SoS) containing highly complex mixes and interconnections of architectures and technologies. They are difficult to understand, costly to upgrade, expensive to operate, and inherently unreliable. They are vulnerable to cyber-attacks and human errors, and can present serious national security risks.

To meet these challenges, large-scale cyber test facilities are being built by DoD. But in providing the best network fidelity available, these facilities have become very expensive hardware-based test environments requiring considerable support.

But what if you could virtualize all the hardware in a network and run that network, with all the software of the Internet, within a single computer with bit-level fidelity and precise timing? Long years of work on this problem within the Intelligence Community (IC) have produced the capability to create such high-fidelity network clones, and that capability, the Virtual Emulation Environment (VEE), is now being offered to other DoD agencies and their contractors.

These virtual networks can be populated by reverse-engineering them from the network traffic of the actual network. The resulting virtual network is an identical clone of the real network, using actual Internet software and virtualized hardware that portrays servers and other devices down to the details of specific vendor models and virtually places them in specific geographic locations. The VEE clone then emulates the real network to the extent that IC reviewers cannot distinguish real from virtual packet traffic.

The VEE capability is now being configured into compact Virtual Cyber Ranges (VCR) composed of three processors with an Ethernet switch in a lunchbox-size custom enclosure. One processor operates as a virtual switch to support plug-and-play between virtual networks (operating on the other two processors) and live networks. The Ethernet switch has additional ports to connect more external real or virtualized servers, more VEEs, or routers/networks. A KVM switch allows switching among the VEE on one processor and the client- and server-side VMs on the other two processors using only one monitor. Despite its small size, the VCR virtualizes hundreds of servers and tens of thousands of networked devices and can be expanded by simply adding another laptop. We have already ported all major servers and attack tools to the VMs.

For man-in-the-loop cyber testing, the VCRs are also being used to support IC Cyber Defense Exercises (CDX). These are similar in scope and complexity to the CDX conducted in previous years, but without the need to assemble significant numbers of servers and related hardware in an environmentally controlled area, thus minimizing requirements for power, space, maintenance, and specialized software. The system allows multiple teams (Blue, Red, and White) to operate simultaneously within the same virtual network, allowing near real-time assessment of the progress of the exercise. The combination of minimal hardware requirements and rapid network configuration has reduced CDX planning time from months to days.

This briefing describes the current VEE capabilities, discusses some of the uses being made of the VEE-enabled VCRs, and outlines their future expansion.

Page 20

Network Virtualization: Significant Internet, Army and IC Applications

VEE (center): Network Cloning & Emulation; Near Real-Time Cyber Situational Awareness

• Mission: Network/Cyber Situational Awareness; Cyber/SIGINT Mission Support: Before (Plan, Optimize, Train, Rehearse), During (Expected), After (BDA)
• Training: TCP/IP, Routing, Cyber/SIGINT Warriors Training, Cyber War Gaming, Cyber Flag Exercises, Red/Blue Teaming, Cyber Mission Forces Training, Joint Training, Leadership Training
• RDT&E: Protocols, Testing, Performance, Security, Policies, Scalability, Survivability, CND/CNA/CNE, Live/Virtual Integration
• IT Operations: Plan, Analyze, Verify, Predict, Optimize, Prioritize, Diagnose, Resolve, Alert, SLAs, Performance, Security, Resilience, Risks, TOC/ROI
• NetMapping: Reverse-Engineer Network from data (Pcap, NetFlow, Configs, SNMP, …), Network Situational Awareness, Visualization, Cloning/Emulation, Geo-Location, End-to-End Flows
• Cyber: Cyber Situational Awareness, Validate Policies/Rules (Configs, Firewalls, VPNs, DISA STIGs, PCI-DSS…), NVD, Vulnerabilities, Hardening, Malware, FISMA Compliance, Change Alerts

Page 21

Comparison of Cloning and Modeling

Network Cloning
• Clone behavior is indistinguishable from the real network
• Clone requires no validation since it is identical to its real counterpart
• All decisions in the clone are made by actual code and network state – no randomness
• Clone evolves with the actual system
• Clone answers any/all questions about the net over its life-cycle
• Virtual hosts/routers in the network clone run the complete TCP/IP stack under a FreeBSD kernel, as in the real net
• Clone uses the identical code and configurations of a real network
• Clone can be used to diagnose and solve operational problems such as routing
• Clone uses 100% of actual code

Network Modeling
• No mathematical basis for the model to behave like a real system
• Virtually impossible to validate a model-based network
• Many decisions in a network model are made by calling random numbers
• Models are often thrown away after use
• New models often have to be built to answer new questions
• Model has no OS kernel in model nodes; it mimics TCP/IP using a small amount of code in nodes and runs as an app
• No model has ever become the reference implementation of any Internet protocol
• Model "mimics" some limited aspect of a network with a small amount of code
• Typically uses <20% of the code, with abstractions

Page 22

Role-Based Multi-Party Web Interface for Multiple Teams Simultaneously Operating within the Same Cloned Network

GUI widgets / data output categories:
• Test Summaries
• Infection graphs
• Activity graphs
• Detailed Test Logs
• Network Topology
• Malware Topology
• Terrestrial Topology
• Test Report Generation
• Test Event Insertion

Graphing Engine – Force Directed Layout Algorithm